01:32:18 If you want more secure NFS then look at NFSv4. Netapp has a good document on it: https://www.netapp.com/media/16398-tr-3580.pdf
01:38:17 unixman_home: nice stuff
01:38:26 ty
01:38:45 I'd like to know if there's a way to make NFSv4 on windows as transparent as what Windows shares are... :D
01:38:55 but I guess you need to access it via a special application or some such
02:44:54 I have a set of USB headphones that work in VLC when I manually specify the pcm device. Pulseaudio is also running, and the headphones show up in --list-sinks. How do I get audio from, say, Chromium or Firefox to come out my headphones?
03:45:13 ghoti, what is the output of: cat /dev/sndstat
06:06:38 does user mounting of nfsv4 shares always use (insecure>1024) ports on freebsd?
06:30:25 well, if it's a user they can't use priv ports.
06:40:49 took a long time to figure out as it is not clearly documented, nfs clients like linux use privileged most of the time
07:19:30 jauntyd: /dev/sndstat lists my headphones at pcm4. pcm0 to pcm2 are "NVIDIA (0x0080) (HDMI/DP 8ch)" and pcm3 is "Realtek ALC899" which seems to be the mic and headphone jack on the front of the case.
07:19:45 The same list is in the output of `pamixer --list-sinks`.
07:20:34 chroot man says it should be noted that chroot() has no effect on the process's current dir. so isn't that a sec risk? you chroot a process and think it's sandboxed but sounds like it can still access current dir?
07:22:46 polyex: where exactly are you reading that? The manpage for chroot(8) on my system says "The chroot utility changes its current and root directories"...
07:23:28 chroot (2) 13.2 release and ports man page
07:29:12 I see it. Interesting question. I don't know. I'm sure it's just lack of clarity in the man page, and chroot does work and has had A LOT of eyes on it over the decades.
12:08:51 any wireguard users here?
12:12:15 I tried, and quit, jbo
12:12:44 veg, how come (why)?
12:13:29 I found it utterly confusing to be honest, and never made it through the firewall client-side (macOS)
12:13:57 it probably deserves a better look, I may have approached it with too {ipsec,openvpn}-centric a mindset
12:15:32 veg, I used openvpn in the past but wireguard looks promising
12:35:31 hrm, running lacp i have to disable strict or i get 30% packet loss
12:40:59 must be a flakey switch, it's a small biz cisco.
13:41:17 jbo: i've used it
13:41:36 veg: i agree it's confusing
15:14:11 if i do a freebsd-update, i get a message that sshd_config changed but not installed since i've made modifications. 1. is there a way to see the diff, 2. i am supposed to edit that file, right? or should i create a /usr/local version?
15:14:43 you are supposed to edit it, yes
15:17:02 thanks. and 3. is there a way to dismiss that notification? it shows every time i run freebsd-update
15:17:32 freebsd-update.conf lets you exclude the file
15:17:53 The version that (I think) would have been merged should be in /var/db/etcupdate/current/etc/ssh/sshd_config.
15:18:13 what should be happening by default (I don't use freebsd-update much myself) is that it tries a 3-way merge,
15:18:16 (To answer your first question.)
15:18:30 but if your local changes result in a merge conflict, it won't be able to do that automatically
15:20:53 ah, that makes sense. thanks for the insights!
15:31:40 odd, my changes are trivial compared to the original. is there a preferred way to manually merge? i can do it in an editor easy enough but not sure if that skips some backend bookkeeping
15:35:20 I don't know what the actual difference is.
15:38:31 have you locally changed the value of PasswordAuthentication?
15:38:54 or PermitEmptyPasswords?
16:11:08 I just uncommented "#PasswordAuthentication no". same for PermitRootLogin and flipped KbdInteractiveAuthentication from commented yes to no
16:12:51 only other change was changing the default port
16:14:10 the PasswordAuthentication one is probably the one triggering the merge conflict
16:14:36 try commenting it out again and seeing if it updates
16:17:00 note that uncommenting that line doesn't actually disable passwords as long as PAM is enabled, you have to modify pam.d/sshd for that
16:21:43 i still get the message with only the "Port" and "KbdInteractiveAuthentication" changed (and the FreeBSD "VersionAddendum" change)
16:24:47 as for PAM, doesn't KbdInteractiveAuthentication stop that anyway?
16:29:21 uh, probably
16:43:25 so only reverting back to default makes it go away. i tried only changing the port, or only changing KbdI... and i always get the message on update
16:45:17 huh
17:10:05 looks like merging changes is only for release upgrades
17:13:34 well that sucks
17:19:14 Interesting data point: git clone git.freebsd.org vs. github.com: FreeBSD gets me 7MB/s (pretty much theoretical max for my connection) whereas github only delivers 2.5MB/s.
17:53:29 @jbo I haven't used wireguard directly. We use tailscale a bunch, which is built on wireguard, and have been generally happy with it.
18:01:45 patmaddox, let's assume there are two LANs (one "at home" and one "at company"). Can I set up wireguard for a machine-to-machine network instead of being able to access the entire company network from the home network? I assume if so I'll need port forwarding on the respective firewalls?
18:13:27 I don't have experience with direct wireguard, so I can't say for sure. I believe the first answer is yes, and in fact that's how it works by default: you have to set up key pairs for each node that you want to be connected. So there's no direct access to the local network just by enabling wireguard. For the second part, yes I believe you need to open ports on the respective firewalls.
18:14:35 Both of those items are things that Tailscale addresses. From the key standpoint, they're basically dropbox for keys so that you don't have to configure key pairs for each pair of nodes you want to be connected. They also have various NAT traversal techniques, and fall back to a proxy server if you want.
18:15:30 If you just have two machines that you want to talk with each other, and you can configure the firewalls, then I've heard good things about plain wireguard. I still need to test it myself.
18:45:12 thanks for all the info, patmaddox :)
18:49:24 you're welcome
19:06:44 is it not possible to have jails using network iov and bhyve iov using vfs from the same pf? when i attempt, jails start after boot, but if i attempt using a passthru vf (ie one with ppt) all vfs die, including non-ppt, which impacts all jails
19:07:52 i get a memory error (17) when using the bhyve command
19:08:12 at that point i have to reboot to get things back to normal
19:08:31 for now, i just don't use bhyve with iov
19:08:33 iov/vfs from same pf
19:08:42 what's all that gonna do with it?
19:10:09 not sure i follow your question. i have an intel X710. one pf has 14 vfs enabled. i'd like to use 10 for jails, 4 for vms
19:10:25 the jails work fine
19:10:33 pf as in pf(4)?
19:11:03 physical function / virtual function
19:11:12 ahh
19:11:18 pf=hardware port of the NIC
19:11:36 vf=virtual NICs via iov
19:12:29 iovctl.conf(5)
19:13:08 that describes pf/vf a bit better
19:35:27 crest: Thoughts on markmcb’s situation?
22:09:56 <_xor> ghoti: If you don't need to use PulseAudio, then OSS that comes with FreeBSD should work fine with both Firefox and Chrome (though it might take a couple of tweaks, don't remember off-hand). I do remember turning off SNDIO, PULSEAUDIO, etc in port builds.
22:10:26 <_xor> micdud: There's a sysctl for that, I believe.
22:10:43 <_xor> Or no, wait, might have been a rc knob for one of the NFSv4 daemons.
22:12:53 _xor: you wanted me earlier?
22:13:14 <_xor> Yeah, don't remember now why though. No biggie.
22:13:18 heh
22:14:07 <_xor> On a different note though, any recent status updates on more efficient file watching? (i.e. kqueue)
22:14:15 no