02:02:24 Is there an up-to-date guide for configuring openldap26-server? Following the steps in the handbook [1] does not result in a server that will run, in my recent experience.
02:02:24 [1] https://docs.freebsd.org/en/books/handbook/network-servers/#network-ldap
02:02:26 Title: Chapter 31. Network Servers | FreeBSD Documentation Portal
02:34:34 Kalten: what was the last thing you said? i lost the buffer
02:41:01 vtcat -vvv @vlf44:1 -- -,f4 | vtwrite -L /mnt/nas/vlf44/log/vtwrite_32k.log -G 3600 /mnt/nas/vlf44/vlf_32k
02:41:38 vtcat fails with a syntax error. is there anything that would indicate there is a syntax error with that pipe?
15:46:48 Hi, I am trying to understand FreeBSD firewall features (pf, ipfw and ipf). I understand they complement and can work together (based on modules each one is offering). Is that so? Is there any detailed doc you indicate to read?
15:48:26 cybercrypto: Have you read the handbook?
15:49:47 vkarlsen: I am exactly on it. I am looking to understand pro/con. Still reading... but apparently they are not supposed to run in parallel.
15:50:02 Yes, choose one
15:53:11 I find pf is easiest to read/write.. but that's just me
15:53:23 since it's most common across all BSDs
15:54:08 pertho: did you start with pf?
16:01:19 vkarlsen: I believe PF would allow me to test/dig more. ipf is also present in some legacy juniper equipment... is juniper still investing/developing ipf?
16:08:13 suddenly wondering what blocklistd integration would look like in GoToSocial…
16:45:55 IIRC the only person working on IPF is Cy Schubert who's a FreeBSD developer.
16:47:29 netpfil lets you dynamically select a firewall at runtime, whether it's ipfw, ipf, or pf - but if you can manage to use more than one firewall at a time (which I'm not sure of), I'm sure it'd result in more trouble than it's worth (as I'm not sure what you'd get out of it).
16:47:31 cybercrypto: while ipf is still alive, my impression is that it's not nearly as active as the other two. I'm not sure how much this matters of course.
16:48:01 That said, all three have lots of similarities so if you like one I suspect you'd be okay with any of them.
16:48:11 ipfw, ipf, and pf are all mature pieces of software that are unlikely to get much change because there's only a limited amount of things that firewalls need to do.
16:49:17 The only notable exceptions to this are redoing rules syntax, which does require a fair bit of rewriting, as well as depressimization of performance.
16:50:01 Both ipfw and pf are at a point where most of the easy ways to achieve performance improvements have already been achieved.
16:50:29 ..which is why they're fairly equivalent in terms of performance. ;)
16:53:21 Both of them can handle +10Gbps bidirectionally both statefully and statelessly on a modern (within 5 years) ~3GHz processor with 16 cores.
16:56:35 What was the FreeBSD thing that allowed you to "compile" your firewall rules into a kernel module for faster performance?
16:57:20 I always thought ipfw had the most "plain English" rule syntax.
16:57:35 That's an ipfw-exclusive feature that comes from BPF being able to JIT rules into bytecode.
16:58:19 Ahh yes - that sounds right.
16:59:07 Last I was working with extensive ipfw rule sets though, was before I grok'd the significance of JIT.
16:59:08 For the next step up speed-wise, I _think_ ipfw can do 25Gbps bidirectionally both statefully and statelessly (and pf can get darned close, if it can't hit it) - but that's getting to the point where it's hard to imagine software doing things any faster without much faster processors because of the time required to process a packet.
16:59:41 heh
17:00:04 Just-in-time compilation isn't really anything new nowadays, but when it was introduced to BSD/OS' ipfw back in the early 2000s, it was _amazing_ - and when it was ported to FreeBSD from BSD/OS shortly after, it was just as amazing.
17:01:07 I remember how revolutionary it was for Cisco Catalyst 6500E Firewall Switch Modules (FWSM) to be able to process filtered traffic at 4.5 Gbit.
17:02:11 Though. . . they never could clear-up the bugs with the processing of truly large rulesets.
17:02:17 That was hardware based, though.
17:02:39 Yeah.
17:02:59 Hardware firewalling can do multi-Tbps nowadays.
17:03:36 (We ended-up frisbeeing our FWSMs into the fountain on the RTP Cisco campus.)
17:04:26 They later took that fountain out, claiming it was to conserve water.
17:04:32 mason thanks.
17:04:45 Though I know they had to fish a lot of hardware out of that fountain.
17:05:18 vkarlsen: thanks. good feedback and inputs, as usual. thanks everyone.
17:05:44 ays thought ipfw had the most "plain English" rule syntax.
17:06:05 Try out both, see which one you like.
17:06:22 s/out both/them all/
17:08:59 I started with ipfw back in the 2000s because the company I worked for needed the speed advantage it had (there was much more of a disparity back then), so the ipfw syntax is what I learned first.
17:09:27 I have a strong suspicion that whichever syntax you learn first is the one you find easiest to remember.
17:12:09 I learned some ipfw because natd relied on it.
17:13:25 And dummynet, which I also implemented for a couple things.
17:22:34 If memory serves, Luigi Rizzo was responsible both for the BPF and JIT work in ipfw, as well as dummynet (though initially the latter was more of a way of handling TCP congestion, until it was integrated into ipfw).
20:45:44 debdrup, I used dummynet to build a "WAN emulator."
21:13:14 tcpdump on FreeBSD (12.3) isn't capturing any traffic on one specific interface. Traffic is indeed being generated and returning. Any ideas?
21:15:14 elysweyr: have you tried simplifying your filter expression to confirm, or perhaps running tcpdump with no filter at all to verify this behaviour?
21:16:51 If it really is the interface and not the filter, then I have no idea why you might be seeing that behaviour, all I can offer is workarounds. What about setting up a bridge with that interface in it, then running tcpdump on the bridge?
21:18:45 ghoti: yes already simplified the expression
21:18:51 Removed any filter
21:18:57 (tcpdump)
21:19:36 What's the exit code when you stop tcpdump with a signal?
21:20:15 Also, which driver?
21:22:20 Actually this machine is a router. The traffic is passing through it and returning
21:22:34 debdrup: tested it using "printf '%d\n' $?"  exit code is 0
21:23:09 "link-type NULL (BSD loopback)"
21:24:24 fem0 ln0 bge0
21:24:35 rl0 re0 etc :)
21:24:37 which driver
21:24:56 tailscale0
21:25:28 It's entirely possible tailscale is missing BPF hooks.
21:25:30 well no idea what that even is
21:25:47 tailscale is an orchestration thingymajigger for wireguard
21:25:54 ah
21:26:07 spanning up mesh-vpn on top of wg
21:26:31 Seems like you'll want to report this bug upstream.
21:26:46 I assume you've tested with other interfaces, and that they work?
21:27:27 capturing traffic on tun_wg0 works fine
21:27:44 ...wait, what's tailscale0 doing then?
21:28:38 The plist for the security/tailscale port doesn't indicate that it includes a network interface driver..
21:29:22 For reference, plists are lists of files that keep track of the files installed by a port, so that they can be cleaned up on uninstallation (unless the file has been modified, in which case they're kept).
21:30:01 So I'm not sure what tailscale0 is supposed to do.
21:30:53 this machine is interconnection networks. I do have legacy wg tunnels and tailscale tunnels. Some sites don't support tailscale. That's the reason for this setup
21:31:25 *interconnecting
21:31:40 https://bsd.to/WdCV
21:31:41 Title: dpaste/WdCV (Plain Text)
21:32:06 Are you sure tailscale0 should be sending traffic? My understanding of the protocol would suggest that tailscale0 is used for communication with the company-run instance of headscale (their orchestration software that you can self-host if you want).
21:34:10 Anyway, I still think it's an upstream issue with tailscale missing BPF hooks, as BPF hooks are what tcpdump uses to introspect interfaces.
21:35:34 (I run headscale btw) Besides that: in case I directly ping the tailscale vpn address on this router I do capture traffic on tailscale0
21:36:53 Routing issue?
21:37:09 Kinda late to mention that, though...
21:37:34 Sure but traffic is returning to the router again
21:37:49 So there must be traffic arriving at this router but I just don't capture it
21:38:34 I'm not sure I understand the problem description anymore, but I'm definitely too tired to think about network debugging tonight.
21:40:04 site01 <(1)----(tailscale)----(2)> edge01 <(3)----(wg)----(4)> site02
21:41:20 edge01 is this router. Use case: ping site02 from site01. I do see the ping leaving on int (3) and returning (echo reply) on int (3)
21:41:38 int (2) is the interface causing the trouble
21:42:12 So I don't see anything on (2) even though traffic from (1) is leaving and returning on (3)
21:42:24 Hope this helps
21:42:39 Right, that's not doing anything to make me think it's not a lack of BPF hooks.
21:52:33 Hello! It's me again with a newbie question. Before installing an operating system, I continue to read the FreeBSD Handbook. Now I have a question about choosing a file system. For many years I used a computer and never thought or knew what a file system was. I just installed Windows and chose ntfs, or installed some Linux distribution and chose ext4 as the file system. I find zfs to be difficult for me to set up and manage (although I
21:52:33 liked the snapshot and system restore feature). I'm thinking of installing FreeBSD on a single hard drive, in which case I shouldn't choose zfs? If possible, can you give advice to a person who is not familiar with the FreeBSD operating system which file system to choose for a home computer? Thank you.
21:53:26 ZFS is still better than any other filesystem on a single-disk system.
21:54:44 Even if it can't self-heal, the ability to zfs send|receive as a way of backing up, along with metadata-checksumming and the ability to know exactly which file has failed (in case the disk encounters a non-catastrophic failure) is still valuable, even if there isn't sufficient data availability to avoid a file getting corrupted.
21:55:04 Thanks a lot debdrup
21:56:09 elysweyr: you might try some variant of truss (truss is in base, dtruss is in sysutils/dtrace-toolkit) to find out the difference between tailscale0 and another interface on the same box that has network traffic on it.
21:56:12 copies=2
21:56:34 You can self-heal on a single disk if you spend the space to do it.
21:56:39 mason: I mean, yes - dittoblocks are an option, but not for someone's first installation of FreeBSD, as it requires dropping to the installation shell during disk partitioning.
21:57:04 Maybe not as a first install unless they're feeling ambitious.
21:57:37 The problem with dittoblocks is that they halve all IOPS and as a result everything takes double the amount of time.
21:58:51 Kit_Leopold: all the above being said, UFS isn't a bad filesystem if you can't see yourself wanting to learn ZFS (which you will need to, to get the most out of it).
21:59:21 Granted that ZFS isn't new anymore, it's still a pretty radical departure from traditional filesystems.
22:00:22 Yes, everything was new to me when I read about volumes and about the possibility of combining several different media into one volume.
22:00:40 debdrup 18 years in public soon.
22:01:43 Kit_Leopold: That part isn't new (FreeBSD has been able to do this with GEOM and UFS) - it's more conceptual about how ZFS is a combination of a logical volume manager as well as a filesystem, and how it uses the strengths of both to achieve things that traditional filesystems can't.
22:02:43 Bouh
22:03:09 debdrup: I haven't read about what GEOM is yet.
22:03:14 tsoome: two decades since Matthew, Bill and Jeff began working on it, iirc.
22:03:23 Kit_Leopold: it's in the handbook, you'll get to it :)
22:03:36 ofc.
22:03:43 Chapter 20, if memory serves.
22:07:16 debdrup: Thanks, I think I'll get to that chapter soon.
22:29:43 any idea why `service routing restart` would print this to my screen repeatedly? "got only -1 for rlen route: write to routing socket: Operation not supported"
22:32:05 fwiw `service netif restart` works, although it doesn't appear to fix the routes, I can ping machines in my local network but can't reach anything else
22:36:20 I've run into this in the past and I know a reboot can fix it, but I'm in an awkward spot right now where I really want to avoid a reboot if possible
22:49:18 I figured it out, but I'm still not sure what went wrong
22:49:48 I ran `service routing restart` in one terminal, and `service netif restart` in another, which seemed to terminate the endless loop of being unable to flush the route
22:50:07 then ran `route add default ...` and it fixed the problem
23:51:01 ok silly jail question. i have a jail configured, it starts, but no networking. I don't see the jail's IP address under ifconfig in either the host or the jail. Was I supposed to configure the IP alias myself rather than expect "service jail start" to do it?
23:53:07 ceri: what kind of networking do you have configured? vnet or no?
23:53:58 in the jail? no idea. whatever the default is.
23:54:10 I have just set ip4.addr in jail.conf