-
unixman_home
If you want more secure NFS then look at NFSv4. Netapp has a good document on it:
netapp.com/media/16398-tr-3580.pdf
-
megaTherion
unixman_home: nice stuff
-
jauntyd
ty
-
megaTherion
I'd like to know if there's a way to make NFSv4 on windows as transparent as what Windows shares are... :D
-
megaTherion
but I guess you need to access it via a special application or some such
-
ghoti
I have a set of USB headphones that work in VLC when I manually specify the pcm device. Pulseaudio is also running, and the headphones show up in --list-sinks. How do I get audio from, say, Chromium or Firefox to come out my headphones?
-
jauntyd
ghoti, what is the output of: cat /dev/sndstat
-
micdud
does user mounting of nfsv4 shares always use (insecure, >1024) ports on freebsd?
-
Demosthenex
well, if it's a user they can't use priv ports.
-
micdud
took a long time to figure out as it is not clearly documented, nfs clients like linux use privileged ports most of the time
-
ghoti
jauntyd: /dev/sndstat lists my headphones at pcm4. pcm0 to pcm2 are "NVIDIA (0x0080) (HDMI/DP 8ch)" and pcm3 is "Realtek ALC899" which seems to be the mic and headphone jack on the front of the case.
-
ghoti
The same list is in the output of `pamixer --list-sinks`.
-
polyex
chroot man says it should be noted that chroot() has no effect on the process's current dir. so isn't that a sec risk? you chroot a process and think it's sandboxed but sounds like it can still access current dir?
-
ghoti
polyex: where exactly are you reading that? The manpage for chroot(8) on my system says "The chroot utility changes its current and root directories"...
-
polyex
chroot (2) 13.2 release and ports man page
-
ghoti
I see it. Interesting question. I don't know. I'm sure it's just lack of clarity in the man page, and chroot does work and has had A LOT of eyes on it over the decades.
-
jbo
any wireguard users here?
-
veg
I tried, and quit, jbo
-
jbo
veg, how come (why)?
-
veg
I found it utterly confusing to be honest, and never made it through the firewall client-side (macOS)
-
veg
it probably deserves a better look, I may have approached it with too {ipsec,openvpn}-centric a mindset
-
jbo
veg, I used openvpn in the past but wireguard looks promising
-
Demosthenex
hrm, running lacp i have to disable strict or i get 30% packet loss
-
Demosthenex
must be a flaky switch, it's a small biz cisco.
-
rtprio
jbo: i've used it
-
rtprio
veg: i agree it's confusing
-
markmcb
if i do a freebsd-update, i get a message that sshd_config changed but was not installed since i've made modifications. 1. is there a way to see the diff, 2. i am supposed to edit that file, right? or should i create a /usr/local version?
-
RhodiumToad
you are supposed to edit it, yes
-
markmcb
thanks. and 3. is there a way to dismiss that notification? it shows every time i run freebsd-update
-
RhodiumToad
freebsd-update.conf lets you exclude the file
-
V_PauAmma_V
The version that (I think) would have been merged should be in /var/db/etcupdate/current/etc/ssh/sshd_config.
-
RhodiumToad
what should be happening by default (I don't use freebsd-update much myself) is that it tries a 3-way merge,
-
V_PauAmma_V
(To answer your first question.)
-
RhodiumToad
but if your local changes result in a merge conflict, it won't be able to do that automatically
-
markmcb
ah, that makes sense. thanks for the insights!
-
markmcb
odd, my changes are trivial compared to the original. is there a preferred way to manually merge? i can do it in an editor easy enough but not sure if that skips some backend bookkeeping
-
RhodiumToad
I don't know what the actual difference is.
-
RhodiumToad
have you locally changed the value of PasswordAuthentication ?
-
RhodiumToad
or PermitEmptyPasswords ?
-
markmcb
I just uncommented "#PasswordAuthentication no". same for PermitRootLogin and flipped KbdInteractiveAuthentication from commented yes to no
-
markmcb
only other change was changing the default port
-
RhodiumToad
the PasswordAuthentication one is probably the one triggering the merge conflict
-
RhodiumToad
try commenting it out again and seeing if it updates
-
RhodiumToad
note that uncommenting that line doesn't actually disable passwords as long as PAM is enabled, you have to modify pam.d/sshd for that
-
markmcb
i still get the message with only the "Port" and "KbdInteractiveAuthentication" changed (and the FreeBSD "VersionAddendum" change)
-
markmcb
as for PAM, doesn't KbdInteractiveAuthentication stop that anyway?
-
RhodiumToad
uh, probably
-
markmcb
so only reverting back to default makes it go away. i tried only changing the port, or only changing KbdI... and i always get the message on update
-
RhodiumToad
huh
-
yuripv
looks like merging changes is only for release upgrades
-
RhodiumToad
well that sucks
-
zBeeble
Interesting data point: git clone git.freebsd.org vs. github.com: FreeBSD gets me 7MB/s (pretty much theoretical max for my connection) whereas github only delivers 2.5MB/s.
-
patmaddox
@jbo I haven't used wireguard directly. We use tailscale a bunch, which is built on wireguard, and have been generally happy with it.
-
jbo
patmaddox, let's assume there are two LANs (one "at home" and one "at company"). Can I set up wireguard for a machine-to-machine network instead of being able to access the entire company network from the home network? I assume if so I'll need port forwarding on the respective firewalls?
-
patmaddox
I don't have experience with direct wireguard, so I can't say for sure. I believe the first answer is yes, and in fact that's how it works by default: you have to set up key pairs for each node that you want to be connected. So there's no direct access to the local network just by enabling wireguard. For the second part, yes, I believe you need to open ports on the respective firewalls.
-
patmaddox
Both of those items are things that Tailscale addresses. From the key standpoint, they're basically dropbox for keys so that you don't have to configure key pairs for each pair of nodes you want to be connected. They also have various NAT traversal techniques, and fall back to a proxy server if you want.
-
patmaddox
If you just have two machines that you want to talk with each other, and you can configure the firewalls, then I've heard good things about plain wireguard. I still need to test it myself.
-
jbo
thanks for all the info, patmaddox :)
-
patmaddox
you're welcome
-
markmcb
is it not possible to have jails using network iov and bhyve iov using vfs from the same pf? when i attempt, jails start after boot, but if i attempt using a passthru vf (i.e. one with ppt) all vfs die, including non-ppt, which impacts all jails
-
markmcb
i get a memory error (17) when using the bhyve command
-
markmcb
at that point i have to reboot to get things back to normal
-
markmcb
for now, i just don't use bhyve with iov
-
megaTherion
iov/vfs from same pf
-
megaTherion
what's all that gonna do with it?
-
markmcb
not sure i follow your question. i have an intel X710. one pf has 14 vfs enabled. i'd like to use 10 for jails, 4 for vms
-
markmcb
the jails work fine
-
megaTherion
pf as in pf(4)?
-
markmcb
physical function / virtual function
-
megaTherion
ahh
-
markmcb
pf=hardware port of the NIC
-
markmcb
vf=virtual NICs via iov
-
markmcb
iovctl.conf(5)
-
markmcb
that describes pf/vf a bit better
-
michaeldexter
crest: Thoughts on markmcb’s situation?
-
_xor
ghoti: If you don't need to use PulseAudio, then OSS that comes with FreeBSD should work fine with both Firefox and Chrome (though it might take a couple of tweaks, don't remember off-hand). I do remember turning off SNDIO, PULSEAUDIO, etc in port builds.
-
_xor
micdud: There's a sysctl for that, I believe.
-
_xor
Or no, wait, might have been a rc knob for one of the NFSv4 daemons.
-
RhodiumToad
_xor: you wanted me earlier?
-
_xor
Yeah, don't remember now why though. No biggie.
-
RhodiumToad
heh
-
_xor
On a different note though, any recent status updates on more efficient file watching? (i.e. kqueue)
-
RhodiumToad
no