-
clemeth
Is there an up-to-date guide for configuring openldap26-server? Following the steps in the handbook [1] does not result in a server that will run, in my recent experience.
-
clemeth
-
VimDiesel
Title: Chapter 31. Network Servers | FreeBSD Documentation Portal
-
CCFL_Man
Kalten: what was the last thing you said? i lost the buffer
-
CCFL_Man
vtcat -vvv @vlf44:1 -- -,f4 | vtwrite -L /mnt/nas/vlf44/log/vtwrite_32k.log -G 3600 /mnt/nas/vlf44/vlf_32k
-
CCFL_Man
vtcat fails with a syntax error. is there anything that would indicate there is a syntax error with that pipe?
-
cybercrypto
Hi, I am trying to understand FreeBSD firewall features (pf, ipfw and ipf). I understand they complement each other and can work together (based on the modules each one offers). Is that so? Are there any detailed docs you'd indicate to read?
-
vkarlsen
cybercrypto: Have you read the handbook?
-
cybercrypto
vkarlsen: I am exactly on it. I am looking to understand the pros/cons. Still reading... but apparently they're not supposed to run in parallel.
-
vkarlsen
Yes, choose one
-
pertho
I find pf is easiest to read/write.. but that's just me
-
pertho
since it's most common across all BSDs
-
meena
pertho: did you start with pf?
-
cybercrypto
vkarlsen: I believe PF would allow me to test/dig more. ipf is also present in some legacy Juniper equipment... is Juniper still investing in/developing ipf?
-
meena
suddenly wondering what blocklistd integration would look like in GoToSocial…
-
debdrup
IIRC the only person working on IPF is Cy Schubert who's a FreeBSD developer.
-
debdrup
netpfil lets you dynamically select a firewall at runtime, whether it's ipfw, ipf, or pf - but if you can manage to use more than one firewall at a time (which I'm not sure of), I'm sure it'd result in more trouble than it's worth (as I'm not sure what you'd get out of it).
-
mason
cybercrypto: while ipf is still alive, my impression is that it's not nearly as active as the other two. I'm not sure how much this matters of course.
-
mason
That said, all three have lots of similarities so if you like one I suspect you'd be okay with any of them.
-
debdrup
ipfw, ipf, and pf are all mature pieces of software that are unlikely to get much change because there's only a limited amount of things that firewalls need to do.
-
debdrup
The only notable exceptions to this are redoing the rule syntax, which does require a fair bit of rewriting, as well as de-pessimization of performance.
-
debdrup
Both ipfw and pf are at a point where most of the easy ways to achieve performance improvements have already been achieved.
-
debdrup
..which is why they're fairly equivalent in terms of performance. ;)
-
debdrup
Both of them can handle +10Gbps bidirectionally both statefully and statelessly on a modern (within 5 years) ~3GHz processor with 16 cores.
-
CrtxReavr
What was the FreeBSD thing that allowed you to "compile" your firewall rules into a kernel module for faster performance?
-
CrtxReavr
I always thought ipfw had the most "plain English" rule syntax.
-
debdrup
That's an ipfw-exclusive feature that comes from BPF being able to JIT rules into bytecode.
-
CrtxReavr
Ahh yes - that sounds right.
-
CrtxReavr
Last I was working with extensive ipfw rule sets though, was before I grok'd the significance of JIT.
-
debdrup
For the next step up speed-wise, I _think_ ipfw can do 25Gbps bidirectionally both statefully and statelessly (and pf can get darned close, if it can't hit it) - but that's getting to the point where it's hard to imagine software doing things any faster without much faster processors because of the time required to process a packet.
-
CrtxReavr
heh
-
debdrup
Just-in-time compilation isn't really anything new nowadays, but when it was introduced to BSD/OS' ipfw back in the early 2000s, it was _amazing_ - and when it was ported to FreeBSD from BSD/OS shortly after, it was just as amazing.
-
CrtxReavr
I remember how revolutionary it was for Cisco Catalyst 6500E Firewall Switch Modules (FWSM) to be able to process filtered traffic at 4.5 Gbit.
-
CrtxReavr
Though... they never could clear up the bugs with the processing of truly large rulesets.
-
debdrup
That was hardware based, though.
-
CrtxReavr
Yeah.
-
debdrup
Hardware firewalling can do multi-Tbps nowadays.
-
CrtxReavr
(We ended up frisbeeing our FWSMs into the fountain on the RTP Cisco campus.)
-
CrtxReavr
They later took that fountain out, claiming it was to conserve water.
-
cybercrypto
mason thanks.
-
CrtxReavr
Though I know they had to fish a lot of hardware out of that fountain.
-
cybercrypto
vkarlsen: thanks. good feedback and inputs, as usual. thanks everyone.
-
cybercrypto
I always thought ipfw had the most "plain English" rule syntax.
-
debdrup
Try out both, see which one you like.
-
debdrup
s/out both/them all/
-
debdrup
I started with ipfw back in the 2000s because the company I worked for needed the speed advantage it had (there was much more of a disparity back then), so the ipfw syntax is what I learned first.
-
debdrup
I have a strong suspicion that whichever syntax you learn first is the one you find easiest to remember.
-
CrtxReavr
I learned some ipfw because natd relied on it.
-
CrtxReavr
And dummynet, which I also implemented for a couple things.
-
debdrup
If memory serves, Luigi Rizzo was responsible both for the BPF and JIT work in ipfw, as well as dummynet (though initially the latter was more of a way of handling TCP congestion, until it was integrated into ipfw).
-
CrtxReavr
debdrup, I used dummynet to build a "WAN emulator."
-
elysweyr
tcpdump on FreeBSD (12.3) isn't capturing any traffic on one specific interface. Traffic is indeed being generated and returning. Any ideas?
-
ghoti
elysweyr: have you tried simplifying your filter expression to confirm, or perhaps running tcpdump with no filter at all to verify this behaviour?
-
ghoti
If it really is the interface and not the filter, then I have no idea why you might be seeing that behaviour, all I can offer is workarounds. What about setting up a bridge with that interface in it, then running tcpdump on the bridge?
-
elysweyr
ghoti: yes already simplified the expression
-
elysweyr
Removed any filter
-
elysweyr
(tcpdump)
-
debdrup
What's the exit code when you stop tcpdump with a signal?
-
debdrup
Also, which driver?
-
elysweyr
Actually this machine is a router. The traffic is passing through it and returning
-
elysweyr
debdrup: tested it using "printf '%d\n' $?" exit code is 0
-
elysweyr
"link-type NULL (BSD loopback)"
-
daemon
fem0 ln0 bge0
-
daemon
rl0 re0 etc :)
-
daemon
which driver
-
elysweyr
tailscale0
-
debdrup
It's entirely possible tailscale is missing BPF hooks.
-
daemon
well no idea what that even is
-
debdrup
tailscale is an orchestration thingymajigger for wireguard
-
daemon
ah
-
elysweyr
spanning up mesh-vpn on top of wg
-
debdrup
Seems like you'll want to report this bug upstream.
-
debdrup
I assume you've tested with other interfaces, and that they work?
-
elysweyr
capturing traffic on tun_wg0 works fine
-
debdrup
...wait, what's tailscale0 doing then?
-
debdrup
The plist for the security/tailscale port doesn't indicate that it includes a network interface driver..
-
debdrup
For reference, plists are lists of files that keep track of the files installed by a port, so that they can be cleaned up on uninstallation (unless the file has been modified, in which case they're kept).
-
debdrup
So I'm not sure what tailscale0 is supposed to do.
-
elysweyr
this machine is interconnection networks. I do have legacy wg tunnels and tailscale tunnels. Some sites don't support tailscale. That's the reason for this setup
-
elysweyr
*interconnecting
-
elysweyr
-
VimDiesel
Title: dpaste/WdCV (Plain Text)
-
debdrup
Are you sure tailscale0 should be sending traffic? My understanding of the protocol would suggest that tailscale0 is used for communication with the company-run instance of headscale (their orchestration software that you can self-host if you want).
-
debdrup
Anyway, I still think it's an upstream issue with tailscale missing BPF hooks, as BPF hooks are what tcpdump uses to introspect interfaces.
-
elysweyr
(I run headscale btw) Besides that: in case I directly ping the tailscale vpn address on this router I do capture traffic on tailscale0
-
debdrup
Routing issue?
-
debdrup
Kinda late to mention that, though...
-
elysweyr
Sure but traffic is returning to the router again
-
elysweyr
So there must be traffic arriving at this router but I just don't capture it
-
debdrup
I'm not sure I understand the problem description anymore, but I'm definitely too tired to think about network debugging tonight.
-
elysweyr
site01 <(1)----(tailscale)----(2)> edge01 <(3)----(wg)----(4)> site02
-
elysweyr
edge01 is this router. Use case: ping site02 from site01. I do see the ping leaving on int (3) and returning (echo reply) on int (3)
-
elysweyr
int (2) is the interface causing the trouble
-
elysweyr
So I don't see anything on (2) even though traffic from (1) is leaving and returning on (3)
-
elysweyr
Hope this helps
-
debdrup
Right, that's not doing anything to make me think it's not a lack of BPF hooks.
-
Kit_Leopold
Hello! It's me again with a newbie question. Before installing an operating system, I continue to read the FreeBSD Handbook. Now I have a question about choosing a file system. For many years I used a computer and never thought or knew what a file system was. I just installed Windows and chose ntfs, or installed some Linux distribution and chose ext4 as the file system. I find zfs to be difficult for me to set up and manage (although I liked the snapshot and system restore feature). I'm thinking of installing FreeBSD on a single hard drive, in which case I shouldn't choose zfs? If possible, can you give advice to a person who is not familiar with the FreeBSD operating system which file system to choose for a home computer? Thank you.
-
debdrup
ZFS is still better than any other filesystem on a single-disk system.
-
debdrup
Even if it can't self-heal, the ability to zfs send|receive as a way of backing up, along with metadata checksumming and the ability to know exactly which file has failed (in case the disk encounters a non-catastrophic failure), is still valuable, even if there isn't sufficient data availability to avoid a file getting corrupted.
-
elysweyr
Thanks a lot debdrup
-
debdrup
elysweyr: you might try some variant of truss (truss is in base, dtruss is in sysutils/dtrace-toolkit) to find out the difference between tailscale0 and another interface on the same box that has network traffic on it.
-
mason
copies=2
-
mason
You can self-heal on a single disk if you spend the space to do it.
-
debdrup
mason: I mean, yes - dittoblocks are an option, but not for someone's first installation of FreeBSD, as it requires dropping to the installation shell during disk partitioning.
-
mason
Maybe not as a first install unless they're feeling ambitious.
-
debdrup
The problem with dittoblocks is that they halve all IOPS and as a result everything takes double the amount of time.
-
debdrup
Kit_Leopold: all the above being said, UFS isn't a bad filesystem if you can't see yourself wanting to learn ZFS (which you will need to, to get the most out of it).
-
debdrup
Granted that ZFS isn't new anymore, it's still a pretty radical departure from traditional filesystems.
-
Kit_Leopold
Yes, everything was new to me when I read about volumes and about the possibility of combining several different media into one volume.
-
tsoome
debdrup 18 years in public soon.
-
debdrup
Kit_Leopold: That part isn't new (FreeBSD has been able to do this with GEOM and UFS) - it's more conceptual about how ZFS is a combination of a logical volume manager as well as a filesystem, and how it uses the strengths of both to achieve things that traditional filesystems can't.
-
Chojin
Bouh
-
Kit_Leopold
debdrup: I haven't read about what GEOM is yet.
-
debdrup
tsoome: two decades since Matthew, Bill and Jeff began working on it, iirc.
-
debdrup
Kit_Leopold: it's in the handbook, you'll get to it :)
-
tsoome
ofc.
-
debdrup
Chapter 20, if memory serves.
-
Kit_Leopold
debdrup: Thanks, I think I'll get to that chapter soon.
-
ravella
any idea why `service routing restart` would print this to my screen repeatedly? "got only -1 for rlen route: write to routing socket: Operation not supported"
-
ravella
fwiw `service netif restart` works, although it doesn't appear to fix the routes, I can ping machines in my local network but can't reach anything else
-
ravella
I've run into this in the past and I know a reboot can fix it, but I'm in an awkward spot right now where I really want to avoid a reboot if possible
-
ravella
I figured it out, but I'm still not sure what went wrong
-
ravella
I ran `service routing restart` in one terminal, and `service netif restart` in another, which seemed to terminate the endless loop of being unable to flush the route
-
ravella
then ran `route add default ...` and it fixed the problem
-
ceri
ok silly jail question. i have a jail configured, it starts, but no networking. I don't see the jail's IP address under ifconfig in either the host or the jail. Was I supposed to configure the IP alias myself rather than expect "service jail start" to do it?
-
meena
ceri: what kind of networking do you have configured? vnet or no?
-
ceri
in the jail? no idea. whatever the default is.
-
ceri
I have just set ip4.addr in jail.conf