Lovis_IX, 13.2-RELEASE is available already through the mirrors

$ uname -a

FreeBSD mercury 13.2-RELEASE FreeBSD 13.2-RELEASE releng/13.2-n254617-525ecfdad597 GENERIC amd64

hey, bsdinstall chokes on distextract with "can't create 'root/.profile'", but i can create that file manually in /mnt/root/.profile

what gives? is there a more verbose log somewhere, than /tmp/bsdinstall_log

Mercury is a hot name for a computer, RoyalYork

iswydt

ixmpp: no, you don't

I like it, nothing more, nothing less

Reinhilde, you think mercury is hot, wait till you checkout VENUS on my lan

atmosphere of acid

relevant...

uh?

aha, did it manually, cross-device link...

hello

how do I upgrade to version 13.2?

nevermind I found the answer

At least on update2.freebsd.org, 13.2-RELEASE is already available, so if you want to try something fancy, just be aware `freebsd-update -r 13.2-RELEASE upgrade` works fine.

yes it's working sorry about the question I found a link online with the answer, thank you..

Release notes are also already published, even if not linked: freebsd.org/releases/13.2R/relnotes

Title: FreeBSD 13.2-RELEASE Release Notes | The FreeBSD Project

ok thank you

RIP OPIE

also RIP DSL

my memory is hazy, can i have nfs exports rw for one host, and ro for another subnet? can i just chain together -r[ow] -network -mask as many times as i need on one line?

Reinhilde: I think last time I played with OPIE was 2011

I think i'd it deployed on some systems as late as '20?

but yeah reading the notes I was like snif one weird OTP less (OK with SSH keys proper management we don't need that anymore...)

it seemed like it could be cool when i used a sketchy internet cafe full of spyware in 2005

but in practice ... yeah

there was also a Python 2 implementation, code.google.com/archive/p/orthrus

hmmm it's documented to be a regular PAM module in C

site_scons/site_tools/hashfile.py ok the Python dependency was pretty minor

There is also a security/opie port

redmine.org/projects/redmine/wiki/RedmineInstall <-- any one have time to help me to install it to zero, i can't arrive since one month

Title: RedmineInstall - Redmine

fusefs-lkl is such an awesome project

does the Fdn have a legal retainer?

What the hell is a "Fdn"?

foundation

what is a legal retainer?

I see. So "FreeBSD Foundation"

meena: a lawyer kept on standby

listening to last weeks BSD Now, been busy watching demoparties over easter

Happy Easter!

ox1eef_: same to you

RoyalYork: ok thanks, I just have to be patient.

i am strangely excited over all the bugs zlei is finding in if_bridge(4) and epair(4): bugs.freebsd.org/bugzilla/show_bug.cgi?id=270559#c10

Title: 270559 – if_bridge: does not forward packets properly for vlan 1

When it comes to FreeBSD and nginx&php 8.x performance, what CPU would you prefer for building a server? Intel Xeon Gold 6312U - 24c/48t - 2.4 GHz/3.6 GHz - or AMD Epyc 7413 - 24c/48t - 2.65 GHz/3.6 GHz? And why? Thanks a lot.

performance depends on the workload

more than anything else

I would always choose AMD over Intel. Because Intel have had too many security issues with their chips lately. I can't speak to Intel Xeon, but that would be my first thoughts going into it.

meena: Well, a busy Wordpress website with big PDF files (>20 MB per each).. Maria-DB running behind, as well, on the same server.

they also so disgustingly stupi about cpu instructions

heh i personally prefer AMD for more insidious reasons.. AMD hasn't been proven to have put an NSA backdoor into their CPUs, unlike Intel..

if I do a freebsd-update fetch followed by a freebsd-update install and then reboot should uname -a return then new patched version, I am not seeing freebsd13.0 RELEASE p7 but p6 however freebsd version shows p7

freebsd-version -ru

There's the kernel version, and the userland version.

If you're up to date, -r should return p6, and -u should return p7.

tercaL: so then the question isn't just CPU, it's also about RAM and storage (size, speed and latencies)

cheers

No worries.

tercaL: You have three applications (nginx, php, and mariadb) doing three different things. WordPress will be CPU and RAM bound, MariaDB will be RAM and disk bound, and nginx will hopefully just be bandwidth bound and disk bound (you can flip that towards CPU, RAM *and* Disk bound if you disregard caching…)

ah, yeah, next one bugs.freebsd.org/bugzilla/show_bug.cgi?id=270736 !

Title: 270736 – if_epair(4): Unexpected double tagged ICMP requests

and, BTW, these are just my (educated) guesses as to where which application will have their bottleneck.

meena: Important details. Thanks a lot.. Should read and research further on all these.

5hr30 minute uptime of trying to speedrun configure my system before my wife starts yelling at me

tercaL: first find out where the bottleneck(s) is right now, and figure out if scaling vertically (getting bigger Hardware) is cheaper than scaling horizontally (spreading the components onto smaller more specialised machines)

ls

oops

/lib /etc /root /sbin /bin /lib

lmao

ha!

at least it wasn't a login pass this time

passwd:

:-)

is there a guide for recommended options to secure FreeBSD ? I've read man.freebsd.org/cgi/man.cgi?security but towards the bottom there's like 20 sysctl variables and I'm unsure if I should touch them

Title: security

stuff like: security.bsd.conservative_signals

it depends on your threat model

there's an entire industry built around this, it's impossible to sum up in a single article.

Just becaust you thing that "they" are not out to get yoy does not mean that "they" are not out to get you.

😎

I want the best combo of options to make my server the most secure possible :)

I'll enable them all and see if anything breaks

well, the good news is that if you enable MAC without understanding things, you will break things.

that's generally how security systems work.

last1: Why not start with to only enable the services that you really need. Once you have done that you can rate limit connections to those services with pf.

That will give most people that just brute forece a hard time

You can then move on to run "nasty" things like IRC-clients in jails so that when, not if, they get hacked you can just discard the jail and start over without a lot of hastle.

you should, at minimum, run everything in a jail.

"everything" :-)

last1: another good thing to do, at least in my opinion, is to install a monitoring software like "monit" on your system and use it to send push notifications via "pushover.net" or similar to your mobile if files change checksum, processes die or there are not security patches available for your system.

last1: Security is more about being engaged instead of putting in much effort in to a single effort.

last1: sudo rkhunter --check --report-warnings-only --pkgmgr BSDng

there is so much "fun" things to do onece you have a machine that is directly connected to the internet.

Whatever you do do not start to use a IDS, that will get your paranoid.

hi im having trouble getting cuse to work. the module loads without errors and i can see it in kldstat but every time a program tries to interface with it i get an eror. i wrote a little test program to see which error i'm getting and it seems to be CUSE_ERR_INVALID for both init and uninit, signifying that /dev/cuse can't be opened for rw. i cant find anything about this online, does anyone else have any ideas?

here's the program incase i did anything wrong during testing: termbin.com/q1g2

Zenithium: what's the ownership of /dev/cuse look like?

meena: crw------- 1 root operator 0x4 Apr 10 18:46 /dev/cuse

 

Zenithium: my gut feeling tells me that should belong to group cuse, and be rw for that group

meena: maybe, but i tried to `chmod +rw /dev/cuse` and after that `cat /dev/cuse` returns `cat: /dev/cuse: Device not configured`. so idk if it would make a difference

thorre: thanks for the advice!

hello everyone how can I debug xfce-panel ?

my biggest worry is crap applications that I *have* to allow like wordpress

it seems they find 0-day exploits for it every other day

for example, looking at this option: hw.mds_disable : amd64 and i386. Controls Microar-architectural Data Sampling hardware information leak mitigation.

is this still relevant, if so, is it just for physical machines or also vms ?

Title: FreeBSD - a lesson in poor defaults

this guy doesn't seem to like the FreeBSD defaults too much

imagine how long that would have been if talking about a linux distro

imagine how long it would be if it actually took the claims of security seriously

it'd have to cover jails, MAC, securelevel, capsicum, firewalling, and probably a bunch of things i'm forgetting because i haven't been in infosec in about a decade

oh wait, most of those are covered in the handbook

trying to change randompid: sysctl -w kern.randompid=1 => kern.randompid: 0 -> 0

I also tried putting it in /etc/sysctl.conf but it's still on 0

well, wordpress is not a good idea indeed

maybe we will see some kind of automatized 0day testing for wordpress

fuzzing by generative model?

last1: that's weird, what version? (BTW, -w is no-op for like 20+ years)

Don't think I came across vez.mrsk.me/freebsd-defaults.html before. He/She must be an OpenBSD developer

Title: FreeBSD - a lesson in poor defaults

puffi: correct, he is (was?) an OpenBSD docs dev

Just joined the channel again a few minutes ago, so I may be missing context

yuripv: I guess I must have been using FreeBSD a long time :)

xtile: I think it came from discussion around hardening to prevent wordpress 0-day exploits

yes, I am the one that started this thread, in trying to harden up the base system

It didn't come across as someone who just wanted to provide advice on hardening. More Theo light rant

I don't know the guy, was just googling for advice

wasn't there in FreeBSD some file in /var or somewhere that holds old/stale rpc/nfs info ?

like old mounts or something ?

is there a quick way to upgrade to current now that up.bsd.lv is out of commission?

every time i run freebsd-update, i get flashbacks to Solaris