-
rtprio
dnsmasq is a bit more than unbound
-
AllanJude
dnsmasq does a whole suite of things, including a dhcp server etc, where unbound is just a caching resolver
-
AllanJude
both will work fine
-
AllanJude
kind of depends if you want only dns, or more of an all-in-one solution
-
voy4g3r2
looks like unbound it is.. i am NOT happy with this TP-LINK er605.. it does not have DNS capabilities built in
-
voy4g3r2
quite surprised.. i have to use ip addresses for whole network
-
yuripv
voy4g3r2: run openwrt on that tp-link? :)
-
voy4g3r2
yuripv: haha, it would make my life easier.. maybe but losing internet is not an option.. this is "safer"
-
voy4g3r2
i work from home and if the internet is not available, then no bueno
-
AumShivaya
does anyone have enlightenment window manager working on FreeBSD? it starts when I startx, but there is no backlight or the thing goes black after I finish the config wizard
-
rwp
voy4g3r2, unbound is a good choice for a caching nameserver for Internet names. If you have a small number of systems on the LAN then using /etc/hosts for those is probably simplest.
-
meena
if you have a sensible mechanism of putting files on a machine / its jail
-
debdrup
if it's between local unbound or unbound on the gateway, i pick the latter
-
debdrup
assuming a residential setup with NAT, of course - if you've got a publicly routed IP, you'll need either local unbound, your service provider's DNS, or a third-party DNS
-
rwp
I always put a "house router" that I build behind the ISP modem-router and my LAN. Then I don't need to trust my ISP modem-router.
-
moviuro
Hi all, I just did a routine upgrade of my tiny nextcloud instance. After pkg upgrade, I run the `php occ upgrade` that takes care of changes to the DB, etc. but this time it failed with: `ld-elf.so.1: /usr/local/lib/php/20220829/apcu.so: Undefined symbol "php_pcre2_match_data_create_from_pattern"`
-
» Remilia runs powerdns for LAN
-
moviuro
hmmmm `pkg -j nextcloud install -f php82-pecl-APCu-5.1.23` as suggested here
bugs.freebsd.org/bugzilla/show_bug.cgi?id=275361 did the trick
-
VimDiesel
Title: 275361 – devel/pecl-APCu: Undefined symbol "php_pcre2_match_data_create_from_pattern"
-
debdrup
rwp: double-NATing is terrible, though.
-
AumShivaya
Anyone successfully got enlightenment to run as desktop on FreeBSD?
-
rwp
debdrup, How will anyone ever know?
-
Remilia
just set the ISP modem to bridge mode
-
rwp
Yes bridge mode works. But I prefer routed modes. They are easier to debug.
-
Remilia
what
-
Remilia
I am pretty sure double NAT with ISP routers is one of the worst scenarios to debug
-
Remilia
due to how bad the firmware is for most of those
-
rwp
What? Surely you are joking.
-
Remilia
how the heck can bridge mode be an issue
-
debdrup
rwp: If you're only doing HTTP(S) traffic it isn't much of a problem, I guess - but there's quite a few protocols that historically struggle.
-
debdrup
moviuro: pkg-upgrade has an -f flag.
-
rwp
I am not doing IPSEC with a shared UDP port 500. I am not insane.
-
debdrup
Oh, welp, didn't see the follow-up line somehow.
-
debdrup
rwp: bridge mode is always preferable if you're using your own gear and can't terminate things yourself for whatever reason.
-
debdrup
Getting a GPON SFP+ module was the best decision I ever made.
-
rwp
Let's say someone else forces me to debug their crazy laptop running some program problem. Right now I can plug their laptop directly into the ISP modem and go, Not My Problem, the happiest words in the world. But if it is in bridge mode then that does not work. I have to put them on my NAT, and then listen to them tell me how I am doing it wrong. No thank you.
-
Remilia
kernel CPU load 105%, vnlru 60%, nice
-
debdrup
rwp: is that something that's likely to occur on a residential setup?
-
Remilia
time to reboot with -p1 and wait for this to happen again
-
debdrup
Not sure I understand the issue.
-
crest
rwp: what is insane about using the specified default port?
-
rwp
debdrup, It's something that infrequently occurs here. Yes.
-
debdrup
rwp: welp.
-
rwp
crest, I see you have never worked with the insanity that is IPSEC. It's problematic by design. They use a shared UDP port 500 that causes several different insurmountable problems. Don't just run from IPSEC. Run away as fast as you can.
-
Remilia
I use IPsec
-
Remilia
running a tunnel for a decade now
-
crest
rwp: bold of you to assume that. I use IPsec on FreeBSD and OpenBSD in production and know the pain and suffering it can cause well
-
Remilia
have not had any issues
-
crest
but i wondered how having a well known port became the issue
-
rwp
Remilia, You must have exactly one then. That's the only case without a conflict.
-
crest
it's not like 4500 for IKE with NAT-T is a magical number that solves the port conflict
-
rwp
At one time I totaled up the number of RFCs that define IPSEC and some ten years ago there were at least 55 RFCs that were needed in the definition of what is IPSEC. Gack!
-
eoli3n
Hi
-
eoli3n
how to downgrade a package, if i can't find it in /var/cache/pkg ?
-
crest
yes it's the curse of design by committee
-
crest
eoli3n: find it somewhere else. which package are you looking to downgrade?
-
eoli3n
bastille
-
crest
are you on the latest or the quarterly branch?
-
crest
maybe the mirrors just happen to have a version that works for you in the quarterly branch?
-
eoli3n
-
VimDiesel
Title: [BUG] bastille_network_pf_ext_if (ext_if) not defined in pf.conf · Issue #645 · BastilleBSD/bastille · GitHub
-
VimDiesel
645 – "install -c -s" can't install shell scripts
bugs.freebsd.org/bugzilla/show_bug.cgi?id=645
-
eoli3n
crest i'm in latest, so yes
-
eoli3n
where could i find it ? which url ?
-
rwp
crest, There are (or at least were) two of us that need to use VPNs from the house. Both with the same company. It created a conflict because both IPSEC VPNs needed to use the same UDP port and the simplest way to explain it is that it would get confused. Only one of the VPNs could operate at a time.
-
Remilia
first time I hear of a company using non-encapsulated IPsec where the other side is not an office
-
Remilia
but I guess the world is vast
-
Remilia
normally you'd encapsulate it in L2TP
-
crest
the problem is that as a UDP protocol normal IKE without the NAT-T extension requires unique endpoint IP addresses for the (initiator addr, responder addr) pair
-
eoli3n
-
VimDiesel
Title: Index of /FreeBSD:13:amd64/quarterly/
-
crest
Remilia: it's the other way around
-
crest
L2TP+IPsec uses IPsec (in transport mode) on the outside to encrypt an L2TP tunnel
-
crest
-> the L2TP tunnel doesn't help you around the port conflict
-
eoli3n
can I install a specific package from quarterly from commandline ?
-
rwp
crest, Fortunately neither of us work for that company anymore. So don't need to worry about that problem at all anymore
-
rwp
And for me it has been since 2007 making the details of the problem somewhat vague in my memory. Sorry if I just don't remember the exact details now.
-
crest
i know the problem you're describing. it happens when two IKEv1 initiators are behind the same NAT gateway
-
Remilia
2007 means before widespread NAT-T adoption
-
crest
the other problem is that without aggressive dead peer detection timeouts the UDP firewall state will be dropped between rekeyings
-
rwp
crest, Your description mentioning that it requires different IP addresses sounds familiar. I think you have it understood.
-
Remilia
and before IKEv2 really
-
crest
which means that both devices get to use the same source port a few minutes apart
-
crest
the IPsec responder sees a new session from the same source address and port as its established session
-
crest
since the NAT router found in every home will now send the packet to the new state it causes a perfect storm because the old one doesn't even get the error message
-
crest
if your DPD (dead peer detection) timers are short enough to keep the UDP flow alive in its NAT state table both can be connected with NAT-T because the second one will be remapped which is allowed at least for NAT-T
-
crest
the first one gets to use the default source port any additional sessions have their source port remapped, the state is kept alive on all the damn middle boxes and things work
-
crest
but to get there you'll have to read half the RFCs and spend more time staring at packet traces than is healthy
-
crest
unless you suffered from low blood pressure before that is
-
rwp
I am very happy I don't need to worry about it! As I said, Not My Problem, are the happiest words! :-)
-
rwp
eoli3n, Your client seems to be hopping around. Were you able to get an answer to your package archive question? Since you had a real problem to solve, and I don't.
-
eoli3n
rwp, i edited Freebsd.conf to set quarterly, then pkg update, then pkg install -f bastille, then revert to latest :)
-
crest
eoli3n: i see you already filed a bug report with the bastillebsd repo
-
eoli3n
i did
-
crest
if you still have the problematic version installed somewhere try the following
-
crest
pkg query %Fp bastillebsd | xargs grep bastille_network_pf_ext_if
-
eoli3n
i downgraded to 0.9
-
eoli3n
bastille host my bouncer, and many other services
-
eoli3n
can't test right now
-
eoli3n
i will in a jail
-
crest
eoli3n: it looks like you're missing a macro in your pf.conf
-
crest
-
VimDiesel
Title: bastille/usr/local/bin/bastille at 3a4ebc63bb84b66d456713e608be86e4cba3b637 · BastilleBSD/bastille · GitHub
-
crest
is the name of the *shell* variable referencing the name of the pf.conf macro for your external interface
-
crest
and ext_if is the default value which matches your pf.conf from the github issue
-
crest
do you know if the pf.conf has been loaded into the kernel by pfctl?
-
crest
can you run pfctl -n -v -f /etc/pf.conf to parse the pf.conf without changing the running configuration to rule out syntax errors in your pf.conf?
-
crest
-n = don't really load, -v = verbose, -f <path> = where to find the pf.conf
-
mtu
my `git pull` is hanging when trying to fetch the current source and ports tree. anyone know what that's about?
-
mtu
nvm, that just resolved itself
-
crest
mtu: at which stage of the pull? at the very beginning after a connection has been established?
-
crest
if at the beginning check if both ipv6 and ipv4 work for you. well implemented happy eyeballs logic isn't common outside of web browsers and if the preferred first address doesn't work it manifests as a noticeable delay
-
crest
especially if you don't get a quick TCP reset for your broken path
-
crest
if it hangs afterward the most common case is just a slow git mirror in my experience and you can't do much about it. if it's too bad you can attempt to override dns or route along a different path
-
mtu
crest: it was at the very beginning. it's likely that ipv6 connectivity is the problem. could you suggest a few commands to allow me to see whether my freebsd box even has ipv6 connectivity?
-
crest
host git.freebsd.org
-
crest
ping git.freebsd.org
-
crest
ping -6 git.freebsd.org
-
crest
ping -4 git.freebsd.org
-
crest
git.freebsd.org is a cname pointing to gitmir.geo.freebsd.org.
-
Remilia
the actual answer would be to try traceroute6
-
crest
Remilia: that is the next step, but the mirrors should respond to ping
-
Remilia
to see if it *attempts*
-
Remilia
if you have resolution and route but not connectivity, traceroute will show you
-
crest
imo ping gives less, but easier to interpret information to debug this
-
Remilia
traceroute gives you 'no route to host' and the like if you have a spurious default gateway for v6
-
Remilia
ping would just 'request timed out' at first
-
crest
if you have no route to the mirror tcp connection attempts won't "hang"
-
Remilia
if you have a default gateway but it does not route farther, they will timeout
-
crest
but the getaddrinfo() result set will be tried
-
crest
exactly
-
Remilia
and traceroute helps find that out
-
crest
i prefer mtr for that but that's not part of the base system
-
mtu
`ping -6 git.freebsd.org` and `traceroute6 git.freebsd.org` both give "No route to host", though `host git.freebsd.org` yields "gitmir.geo.freebsd.org has IPv6 address 2604:1380:4091:a001::24ca:1"
-
mtu
so something's mucked up on my side for sure
-
crest
iirc git doesn't have any special handling to quickly find a working connection, but does the normal thing: call getaddrinfo() and try all answers one after the other until one works or none are left
-
crest
is simple and works, but can be annoying for frequent interactive use if you can't fix your network
-
mtu
i had noticed before that i couldn't get connections to that server over ipv6 from the outside, even though the router should manage forwarding. i'll have to dig into that when i find the time.
-
crest
as an ugly workaround you shouldn't forget you can put a working address into /etc/hosts to bypass dns
-
mtu
crest: good idea
-
crest
but that will break if the address stops working and disables any logic the CDN may perform to find you a good mirror
-
crest
e.g. if you travel between different regions of the (networking) world
-
mtu
another (Linux) machine on the same network can ping6 gitmir.geo.freebsd.org no problem. so i must have mis-configured FreeBSD
-
crest
how did you configure the freebsd host?
-
mtu
just said "use DHCP" at install, for all i know. never did anything to specifically get ipv6 working.
-
crest
if you suspect an unreliable network link try to add the -m flag to rtsold, enable it and (re)start it
-
crest
do you even have ipv6 addresses on the freebsd system?
-
mtu
could be that i don't. how to check?
-
crest
unless it's a very old installation bsdinstall should've asked you if you want to autoconfigure ipv6 as well
-
crest
run netstat -rnfinet6 to check
-
mtu
13.0-RELEASE iirc, then progressively updated to 13.2-RELEASE
-
crest
i don't remember which version added ipv6 to bsdinstall's setup screens, but it should've been before 13.0
-
mtu
`netstat -rnfinet6` just lists a bunch of "lo0" loopback-looking addresses. probably means the machine has received no ipv6 address on the network, eh?
-
crest
in that case your freebsd system isn't configured to take advantage of ipv6
-
mtu
well that explains it x)
-
mtu
i know that my router handles ipv6 well for all the other machines on the network, so ... i guess i just need to enable DHCP6(?) on that server, is that about it?
-
blabber
Does anyone have any idea what I need to do to make Wayland recognise when I connect a monitor to my running laptop? With X.org this has worked reliably and it is the last building block for my switch from X to Wayland...
-
Remilia
mtu: not really
-
Remilia
it depends on what your router does
-
Remilia
check your ifconfig output for non-LL v6 prefixes
-
Remilia
you do not need DHCP6 for v6 to work, but depending on your set-up you might want it
-
Remilia
err
-
Remilia
wrong formatting
-
Remilia
mtu: if your RAs do not include managed config flag, your system should have routing as long as you have enabled SLAAC
-
mtu
Remilia: on the machine in question, i see no non-LL v6 prefixes. i can check in the router's config interface to see what it does for ipv6, and i can check the linux machines which have it working. i just am not familiar with the terminology
-
crest
mtu: freebsd doesn't include a DHCPv6 client, but if you need DHCPv6 you can install dhcpcd from ports/packages and get a good DHCP v4 and v6 client in a single piece of software
-
Remilia
mtu: check if you have SLAAC enabled
-
crest
but the most common way to get IPv6 isn't DHCPv6
-
crest
it's SLAAC and FreeBSD has rtsol/rtsold to request IPv6 routers to announce their prefixes and additional configuration e.g. DNS servers
-
debdrup
dhcpcd is hopefully going to be in base at some point
-
Remilia
mtu: you can explicitly enable SLAAC by using "inet6 autoconf accept_rtadv" for your ifconfig_XXX_ipv6 line
-
crest
debdrup: that would be a welcome improvement. i would like to see it become the default dhcp client for new installs
-
debdrup
DHCPv6 does have its uses, but it's nice not to have to use it when SLAAC is available.
-
Remilia
and you probably want to use rtsold
-
debdrup
crest: it'll likely replace dhclient
-
mtu
my router's ipv6 config page doesn't mention "SLAAC", but it says: "provide a DHCPv6 server for the local net: YES, but only for DNS"
-
Remilia
that's SLAAC
-
crest
debdrup: the removing dhclient part is the one that will start the worst bikeshedding
-
debdrup
crest: *shrug*
-
Remilia
mtu: ipv6 lets you have several possible combinations of things: stateless, stateful, both, or none
-
Remilia
what to use depends on the router advertisements
-
Remilia
stateless is SLAAC, stateful is DHCP6
-
Remilia
your current settings indicate SLAAC
-
mtu
man, i should have familiarized myself with all this years ago. is there a configuration that is likely to get my server connected to ipv6 as things stand?
-
crest
i would just leave the old patched up isc dhclient in for at least one additional major release with deprecation warnings etc. and if someone cares enough about it they can preserve it as a port for decades to come
-
Remilia
mtu: does your interface have accept_rtadv set?
-
debdrup
Calling DHCPv6 stateful only makes sense if you know that SLAAC is short for "stateless address autoconfiguration"
-
Remilia
because no matter if you use DHCP6 or SLAAC, you get gateway from RAs
-
mtu
Remilia: "re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500"; "options=8209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>" -- i guess not?
-
crest
section 7.3.5. Configuring Dynamic IPv6 Address of the freebsd handbook
-
Remilia
mtu: [11:10:58] <Remilia> mtu: you can explicitly enable SLAAC by using "inet6 autoconf accept_rtadv" for your ifconfig_XXX_ipv6 line
-
Remilia
you probably do not need autoconf if you already are getting addresses in non-LL (non-fe80) prefixes
-
crest
sysrc ifconfig_<NIC>_ipv6="inet6 accept_rtadv" rtsold_enable="YES"
-
mtu
okay, i'll try: sysrc ifconfig_em0_ipv6="inet6 accept_rtadv" as per the handbook
-
Remilia
`ifconfig re0 accept_rtadv` && service rtsold start
-
mtu
what does rtsold_enable="yes" do again?
-
Remilia
that ` is in the wrong spot
-
Remilia
mtu: enables router solicitation daemon?
-
crest
enable the rc.d script that starts rtsold
-
Remilia
ipv6 routers send RAs periodically, but you can solicit them
-
Remilia
rtsol and rtsold are for that
-
mtu
ah :) sort of like a "DHCP request", but for ipv6
-
crest
rtsold is a daemon that asks routers to send router advertisements containing the IPv6 prefix and optional but useful extras like DNS resolvers
-
Remilia
sort of like ARP who-has
-
mtu
i see :)
-
crest
it extracts those extras and feeds them to resolvconf to generate a merged resolv.conf
-
debdrup
IPv6 NDP and SLAAC make IPv6-only networks like mine very nice.
-
Remilia
most routers will send RAs every X seconds
-
Remilia
(where X can easily be 300 in some cases)
-
crest
with $X in the range of 5 to 600 seconds
-
crest
and you don't want to wait (up to) 10 minutes for your ipv6 configuration
-
crest
what is fundamentally different about SLAAC and DHCP is that there is nothing specific about the host in the announcements
-
crest
the router just tells you the prefixes it wants you to know about and the IPv6 host is expected to do the rest in a stateless manner
-
debdrup
Well, SLAAC also doesn't have DHCP options, so it isn't suitable for a lot of campus-like networks where you have VoIP phones and all sorts of fun stuff.
-
mtu
# ifconfig re0 accept_rtadv --> "ifconfig: ioctl(SIOCGIFINFO_IN6): Invalid argument"
-
Remilia
basically with SLAAC you cannot have the router populate your DNS zone
-
Remilia
mtu: inet6
-
crest
you're missing the inet6 from your ifconfig invocation
-
debdrup
SLAAC _does_ have an advantage of Privacy Extensions, which gives you a whole /64 so that each single program can get its own set of addresses to send and receive data on.
-
crest
if you need additional DHCP options you can use SLAAC for the address and DHCP for additional information
-
mtu
ah yes, `ifconfig re0 inet6 accept_rtadv` did work
-
crest
remember that if you use ifconfig like that it's a onetime thing and won't be reapplied after a reboot
-
Remilia
if you want to run a server on your LAN you have to either use static assignment or DHCP6, as even without Privacy Extensions SLAAC will differ with a different hardware address
-
mtu
so, now i can either wait for an announcement to cross the network, or use rtsol(d), right?
-
crest
which is a good thing for testing stuff out
-
Remilia
mtu: yes
-
mtu
crest: yeah, that's why i also did `sysrc ifconfig_em0_ipv6="inet6 accept_rtadv"`
-
Remilia
`service rtsold onestart` will help you
-
crest
Remilia: it won't reconfigure your interfaces to enable IPv6 but it will start rtsold
-
crest
with ipv6 disabled on the interfaces rtsold will just quietly log its inability to do anything useful to syslog
-
Remilia
crest: I do not understand what the first part relates to
-
crest
the first part of what?
-
Remilia
of your line that highlit me
-
Remilia
what I said applies to a v6 enabled system where you just enabled accept_rtadv on an interface
-
crest
rtsold requires the interfaces to have ipv6 enabled (both the protocol and the kernel processing of router advertisements)
-
Remilia
I know
-
Remilia
thank you for informing me, thoghu
-
Remilia
though*
-
crest
and to do that it's not enough to start rtsold
-
Remilia
sorry, I assumed that since the interface already has IPv6 prefixes
-
mtu
hmm². `ifconfig re0` now shows "nd6 options=2b<PERFORMNUD,ACCEPT_RTADV,IFDISABLED,AUTO_LINKLOCAL>" and i've onestarted rtsold, but no ipv6 config shows up in ifconfig re0 (and ping6 doesn't work)
-
Remilia
ipv6 is already enabled
-
crest
you have to enable it either through the rc.d scripts or a manual invocation of ifconfig
-
crest
i just wanted to point this out because the warnings can easily be missed unless you already know to look for them
-
Remilia
crest: [11:08:51] <mtu> Remilia: on the machine in question, i see no non-LL v6 prefixes
-
Remilia
this implies link-local fe80:: are present
-
Remilia
and if they are, ipv6 is enabled, am I wrong?
-
crest
which means that ipv6 isn't completely disabled and auto_linklocal is probably set
-
crest
but it doesn't mean that the accept_rtadv flag is configured
-
Remilia
and that is why I said to configure it
-
Remilia
and run rtsold afterwards
-
Remilia
was I wrong?
-
crest
because if it was the periodic ipv6 rtadv messages should've already configured ipv6 unless he just rebooted
-
crest
without that flag rtsold can't do its job
-
crest
only running rtsold isn't enough to get you a working ipv6 configuration
-
Remilia
I am sorry, my instructions were 'assuming fe80 are present, ifconfig ..... accept_rtadv then start rtsold'
-
Remilia
as you can see above
-
Remilia
where in these was I wrong?
-
Remilia
because I am sort of lost
-
crest
i didn't say you're wrong. i wanted to document all the steps
-
crest
because it's easy to miss or skip a step in an irc channel
-
mtu
i must have missed something, because ACCEPT_RTADV is now active, and rtsold is running, but no ipv6 config shows up and ping6 still doesn't work ...
-
crest
only to lose a lot of time
-
Remilia
mtu: route -6rn still shows no default?
-
Remilia
er
-
Remilia
netstat
-
mtu
nope, only lo0-stuff
-
Remilia
the entry is "default fe80::........%re0 UG re0" like this
-
Remilia
hmm
-
mtu
anything i can check on my Linux machines to clear this up?
-
Remilia
you can just check if you have proper RA traffic for now
-
Remilia
`tcpdump -ni re0 'ip6 and ((udp and (port 546 or port 547)) or (icmp6 and ((ip6[40] == 133) or (ip6[40] == 134))))'`
-
Remilia
run this in a separate terminal, maybe with -vni
-
Remilia
this filters DHCP6 + rsol + radv
-
Remilia
once running, try `service rtsold restart`
-
Remilia
or onerestart
-
Remilia
what you should see is router solicitations from your fe80:: address and router advertisements from the router
-
mtu
the router's config says that Advertisements are active. your tcpdump command on a linux box doesn't pick up anything, though.
-
mtu
(interface is set correctly)
-
Remilia
I am not talking about linux
-
Remilia
run it on the FreeBSD system in a separate terminal and restart rtsold
-
Remilia
though I guess it should see stuff on Linux too if your FreeBSD host sends a solicitation
-
mtu
i see. still nothing, not even the outgoing solicitation. you know what, imma reboot the machine because why not.
-
Remilia
haha
-
Remilia
do you have ipv6_enable="YES" btw
-
Remilia
oh wait
-
Remilia
that was old
-
Remilia
or I am misremembering the syntax, it was something else, just the ifconfig_ipv6 is enough now
-
Remilia
yeah just having ifconfig_re0_ipv6="accept_rtadv" should be enough
-
mtu
wait, does ifconfig_em0_ipv6="inet6 accept_rtadv" go in /etc/rc.conf or /etc/sysctl.conf ?
-
Remilia
mtu: rc.conf of course
-
Remilia
but I thought your interface was re0
-
Remilia
from [11:15:01] <mtu> Remilia: "re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500";
-
mtu
yeah, i had that mixed up. imma correct the line in rc.conf and reboot again
-
mtu
well, well, well :) having ifconfig_re0_ipv6="inet6 accept_rtadv" in rc.conf and rebooting did the trick!
-
mtu
the box is all ipv6'ed up now, with routes and an inet6 address and working ping6 and all :)
-
Remilia
I guess ipv6 was not properly enabled
-
mtu
probably
-
mtu
Remilia: crest: thanks for your patience, this was very helpful and i've learned a bunch
-
Remilia
if you had no ifconfig_xxx_ipv6 lines it might not have been
-
mtu
this will make many things easier now, especially with ipv6 connectivity from the outside to that box
-
Remilia
mtu: note that SLAAC without privacy extensions uses addresses based on hardware address
-
mtu
Remilia: yeah, the previous time the box booted, it hadn't had a proper such line in rc.conf
-
mtu
ah ... that's the whole "your MAC shows up on the internet" deal, right?
-
Remilia
not like it matters?
-
Remilia
if it is not a laptop
-
mtu
at some emotional Edward-Snowden level, it feels bad, but you're probably right
-
Remilia
also some systems might use something other than the MAC or scramble it
-
Remilia
just compare what you have in ifconfig inet6 prefix vs the hardware address
-
Remilia
I do not have v6 from my ISP here but where I did I typically ran privacy extensions + DHCP6
-
Remilia
where the latter assigned easily remembered IPs of the prefix::X variety
-
Macer
hm. powerdxx didn't start on boot even though it's enabled in rc.conf
-
Remilia
Macer: maybe it wants a kernel module to be loaded?
-
Remilia
and quit with an error on startup
-
Macer
well to start it i didn't have to do much other than service powerdxx start
-
Macer
which i figured was handled by rc.conf
-
Remilia
yeah it should be
-
Macer
i just upgraded for the zfs patch
-
Remilia
if you could use 'start' to start it it is enabled
-
Macer
and when it rebooted my cores were running at 3GHz instead of 1.6GHz and powerdxx wasn't started
-
Macer
yah that's what i did
-
Remilia
maybe it has some kind of dependency on something else which started later? you'd need to monitor your boot process to see if it threw an error, or maybe it logged something in syslog?
-
Macer
it sucks because i was working on so many other things i never noticed for years that the xeons were running maxed out lol
-
Macer
yeah i'll take a look at that and see what happened
-
Macer
i just happened to check htop to take a look at something and noticed the cores were maxed again
-
Macer
i'll definitely have to take a harder look at that
-
Macer
does bzip3 work with bz2?
-
Macer
the 'spiritual successor' heh
-
mtu
thanks again, Remilia and crest :) bye!
-
crest
there is nothing wrong with using (onetime) randomized MAC address with SLAAC to get a stable hostid for a server
-
crest
this way your address isn't tied to the NIC e.g. if the hardware dies and you restore from backups to new hardware
-
mtu
crest: that would be a matter of setting a custom MAC to the device on boot, right?
-
crest
yes
-
Remilia
the Windows IPv6 stack uses DUIDs to build SLAAC addresses
-
crest
of course this doesn't prevent someone from tracking the lower 64 bit of the EUI-64 derived IPv6 address across networks e.g. online ad companies tracking a laptop
-
crest
but for servers that's not a problem
-
Remilia
(and also insists on using privacy extensions)
-
crest
for systems that shouldn't expose a stable host id in outgoing connections set the net.inet6.ip6.use_tempaddr and net.inet6.ip6.prefer_tempaddr sysctls from 0 to 1
-
mtu
cool, i'll read up on what that does
-
Remilia
-
VimDiesel
Title: Matthew Garrett: "the cpu is very tired. it is eepy. the cpu has ha…" - Nondeterministic Computer
-
Macer
LOL
-
Macer
in my case it isn't 'racing' to an idle state. haha
-
Remilia
which is why I said tangentially
-
arkanoid
hello! Newbie here. I have freebsd running on cpu with 4 cores (4 threads). When I run "top" what does the "system %" mean? Is it capped at 100%, or at 400% ?
-
Remilia
the CPU line is 100% for all CPUs together
-
Remilia
the CPU column in the process list is for separate CPUs
-
Remilia
you can see it in the line for idle if you run top -S
-
arkanoid
thanks! then I've found that my benchmark is CPU capped somewhere inside the System % count. Is it possible to get more info about system processes to find out which system part is the bottleneck in my benchmark?
-
Remilia
CPU: 3.0% user, 0.0% nice, 2.0% system, 0.2% interrupt, 94.8% idle
-
Remilia
11 root 10 187 ki31 0B 160K CPU0 0 23.1H 950.52% idle
-
Remilia
'system' is kernel
-
Remilia
use top -S to see kernel threads
-
Remilia
use dtrace-tools' hotkernel to trace it
-
Remilia
er, dtrace-toolkit
-
Remilia
you can install it with pkg or through ports, it includes the hotkernel script that will show you what the kernel is spending CPU time on
-
voy4g3r2
anyone here unbound "experts" i have this configuration:
bsd.to/H9B5 and for the life of me it will NOT let me do harley.home for ssh no matter what i do.. i have a feeling there is "something" wrong but can not "see it"
-
VimDiesel
Title: dpaste/H9B5 (Plain Text)
-
Remilia
voy4g3r2: why do you need a record for the loopback address?
-
Remilia
this does not seem to make much sense to me, just use localhost
-
Remilia
and you do not need that PTR too
-
Remilia
you have /etc/hosts
-
Demosthenex
... stupid redhat network manager overwrote its root given /etc/resolv.conf yesterday.
-
Demosthenex
how dare it second guess root
-
Remilia
voy4g3r2: can you elaborate on what you are trying to do? there is no reason to use unbound's local-data for loopback, /etc/hosts is a better option
-
voy4g3r2
i want to be able to have each of the host names in the small network can be referenced by hostname so like ssh johngalt.home
-
voy4g3r2
i want to add other ip address / hostnames and was just testing out the localhost.. to see if it works
-
Remilia
voy4g3r2: is this unbound running on your router?
-
Remilia
and are you editing /usr/local/etc/unbound/unbound.conf?
-
voy4g3r2
this is on a machine, yes i am
-
voy4g3r2
it was suggested to openwrt my router but i can not right now as i work from home
-
voy4g3r2
so i figure i try this out first then see other options.. after i get it working here
-
scoobybejesus
eoli3n: what crest said is right, except it's the other way around. you need to add additional lines to bastille.conf (look at the sample/default file they provide) and use the interface macro you defined in pf.conf on the appropriate line in bastille.conf
-
Remilia
voy4g3r2: there are several things to consider
-
Remilia
you need to be sure you have unbound installed from ports/packages and you should disable local_unbound
-
Remilia
unless you are experimenting with local_unbound
-
Remilia
FreeBSD base system comes with unbound set up in a certain way to be your local resolver, and I do not recommend changing that configuration
-
Remilia
(in /etc/unbound)
-
Remilia
you can add stuff like local-data in there in the dedicated files
-
Remilia
but anything related to interfaces etc. is best left untouched
-
Remilia
if you need customisation, use the package/port
-
dch
pf.conf gurus, is there such a thing as `rdr pass quick ...` or do I need 2 separate rules
-
Remilia
dch: what are you trying to do?
-
Remilia
there is no 'rdr pass'
-
Remilia
if you want to limit redirect to certain hosts you can use the usual syntax
-
dch
Remilia: `rdr pass` is a thing, it's in the man page, and grammar
-
dch
rdr pass on $ext_if proto tcp from any to any port 80 -> 127.0.0.1 port 8080
-
dch
is legit
-
dch
but I would prefer pass quick
-
dch
atm I can only do this with 2 rules, in different places
-
Remilia
I never used pass in my configuration
-
Remilia
hmm
-
dch
the pf.conf is long, and the gap makes this very confusing and easy to forget that these 2 rules are related
-
dch
hence `rdr pass quick ...` would be better
-
Remilia
what is the other rule?
-
Remilia
oh, found it, rdr pass skips firewall, guess that is why I never used it
-
voy4g3r2
Remilia: okay, i will start over.. i just used tutorials which may have burned me.. but thanks
-
Remilia
voy4g3r2: your syntax seems correct but you need to consider your local configuration
-
Remilia
I feel like you may be configuring the package/port but your requests are hitting the local_unbound that listens on localhost only
-
voy4g3r2
yeah, i had a toss up.. use unbound or dnsmasq.. i picked unbound as "looked" easier
-
Remilia
it is easy
-
Remilia
check `sockstat -4l` for port 53
-
Remilia
do you see unbound there? if yes, which address is it bound to? are there two?
-
Remilia
the package will default to all interfaces iirc, so *:53
-
Remilia
unbound local-unbo 578 5 udp4 127.0.0.1:53 *:*
-
Remilia
^ this one is /etc/unbound
-
Remilia
and check /etc/resolv.conf nameserver lines
-
Remilia
voy4g3r2: btw you do not need local-zone
-
Remilia
for example, I do not have any local-zone lines, just local-data: "_vlmcs._tcp.lan. IN SRV 0 0 1688 kms.hinamizawa.loc." and it works just fine
-
Remilia
only reason you might want local-zone is for SOA requests I guess?..
-
Remilia
# If you configure local-data without specifying local-zone, by # default a transparent local-zone is created for the data.
-
n30
anyone here that has been upgrading to 14.0 ?
-
otis
many of us
-
cybercrypto
n30: I did.
-
dch
all done, just a few stray jails remain
-
Remilia
I hope you do not hit the issue I got with it
-
Remilia
and if you do, I hope you have more than 3 cores/CPUs
-
n30
did it work fine ?
-
n30
i have 2 x 6core
-
mns
Remilia: what was the issue you ran into ? with jails or with zfs ?
-
Remilia
with vnlru
-
mns
vnlru ?
-
Remilia
vnlru.
-
mns
what's vnlru ?
-
Remilia
mns: I think you can find the explanation via a google search because I am not confident I can describe it well
-
markmcb
is it expected that "freebsd-version -kru" not all match after some patches? e.g., 14.0 p1?
-
mns
markmcb: yes that is expected
-
V_PauAmma_V
Specifically, there can be a kernel-userland mismatch if only one was affected by the patch.
-
yuripv
Remilia: you didn't figure it out?
-
markmcb
thanks for the clarification
-
Remilia
yuripv: nope
-
Remilia
I updated to 14.0p1 today just in case, to avoid suggestions to update should I report this somewhere
-
Remilia
yuripv: I feel like vfs.vnode.stats.count: 372745 is a lot
-
Remilia
and it just keeps growing
-
yuripv
probably best reported on stable@?
-
Remilia
still trying to convince myself it is not a user error haha
-
Remilia
also this is -RELEASE, not -STABLE, I am using freebsd-update
-
yuripv
well, there's no shame in asking something that will turn out to be a user error, at least answers could provide some hints allowing you to understand that :D (or find out real issue)
-
yuripv
Remilia: stable@ is for releases too
-
Remilia
I guess I will try that, much better than posting to bugzilla
-
Remilia
for stable@ there is a bigger chance it will get ignored which would take the weight off my shoulders too
-
OstCollector
Hi, I am trying to install freebsd 13.2 with some space left for other use. How can I create a default ZFS hierarchy, is there a script for this? or is
forums.freebsd.org/threads/boot-env…system-hierarchy.83364/#post-547012 correct? I noted that zfsboot seems to contain some code, but I failed to make it skip earlier steps.
-
VimDiesel
Title: ZFS - Boot environment and filesystem hierarchy | The FreeBSD Forums
-
parv
OstCollector, That looks ok from here.
-
OstCollector
parv, thank you!
-
unixwitch
i wonder what PR#275447 is... listed as a dependency of the 14.0 EN tracking bug
bugs.freebsd.org/bugzilla/show_bug.cgi?id=275215 but presumably a security issue wouldn't be an EN
-
VimDiesel
Title: 275215 – (14.0-erratas) tracking bug for 14.0 errata
-
debdrup
I would assume anything assigned to secteam@ in bugzilla would start out hidden, for rather obvious reasons.
-
» _xor needs to hurry up and setup his Matrix server so he can use irc from there instead
-
_xor
kevans: Link to that issue regarding pkg signing?
-
_xor
er, pkg-repo signing.
-
_xor
kevans: Let me know if there's a new link for that or any other updates. I'm currently running pkg-repo over NFS to get around the 13.x/14.x issue. Can look into it further, but wouldn't mind getting an update on current status before I do.
-
kevans
_xor: not sure there is one
-
_xor
All righty. Where did we leave off again? You said something about a file descriptor being rewound as being the "fix" for incompatible signature?
-
_xor
I'd check my chat history, but not sure how best to do that with this client and I'll be moving to a new one anyway.
-
kevans
_xor: yeah, but the version you have should already do that
-
_xor
Right, that's what I thought. I remember seeing the link you sent. I figured I'd look into it on my side and see what's going on.
-
_xor
Cool, will dig into it later today. Gotta run some errands right now. Will let you know if I find anything useful.
-
unixwitch
this might be off topic (is there a better place to ask?) but has anyone had success using 4x unbuffered ECC DIMMs in an AM4 motherboard? i'd like to add some more memory to our ZFS fileserver, but i've heard AM4 has some issues using 4 DIMMs in general... not sure if that's specific to memory overclocking though
-
CrtxReavr
So there's the OpenBSD dhclient in base, plus I have the isc-dhclient installed from ports. . .
-
CrtxReavr
How do I specify which manpage I'm looking at?
-
CrtxReavr
unixwitch, #hardware likely has people who've argued every point of that.
-
unixwitch
CrtxReavr: thanks
-
rwp
CrtxReavr, As a first guess, specify "man -a dhclient" and it will walk through all of the available man pages of that name.
-
rwp
CrtxReavr, For more control you can force one or the other using manpath. "man -M /usr/share/man dhclient" would force the one in base instead of the one earlier in manpath from ports.
-
CrtxReavr
rwp, thanks.
-
CrtxReavr
I was looking at 'man man' but it was like drinking from the firehose.
-
rwp
I was looking for an example of something that I would have installed that appears both places. I found only pkg so far.
-
rwp
For the example of pkg the one in base is "man 7 pkg" and the one in ports is "man 8 pkg" which I am sure was carefully crafted to make it possible to differentiate.
-
rwp
Another way is that if you know the full file path then man can read that file path directly. So for example if I know the full path because I used "find" to find it then I can do this example "man /usr/obj/usr/src/amd64.amd64/usr.sbin/pkg/pkg.7.gz" and look at the man page from that location, which is a locally compiled one.
-
rwp
And that works for "man /usr/share/man/man7/pkg.7.gz" too.
-
phryk
whoever made the fix for 3d rendering that got into the official pkg repos today: THANK YOU – this fixed an issue which made blender entirely unusable on my machine for months. <3
-
phryk
might've been the last update to mesa-libs, not entirely sure. i'm just super grateful it works now.
-
Remilia
CrtxReavr: apropos dhclient, then choose the section
-
Remilia
though I guess if they are in the same section, you have to -a
-
CrtxReavr
``man -M /usr/local/man dhclient`` seems to get me there.
-
Remilia
I forget where I encountered it but there was something that had different man sections for installed over base software
-
rwp
CrtxReavr, Check "manpath", run that, it should report to you your current man search path. Isn't /usr/local/share/man first?
-
rwp
Oh! You said /usr/local/man not /usr/local/share/man my bad. I misread it.
-
_xor
There's a TUI app that helps browse man pages. Need to find that and make a port for it.