-
_zip100
Zyxer: recently cryptography package in Python has been moved to Rust backend
-
_zip100
because it's "safe" and whatever
-
_zip100
but yeah now it's a rust dependency if you're installing from source
-
darwin
lately I got a Belkin OmniView Pro2 KVM switch that has PS/2 & USB... but unfortunately it takes <SCROLL LOCK> to do something with it (I don't use) so is there any way I can get shell history back? The only other PS/2 & USB ones I saw by a company are out of production and cost several/many thousands dollars for eight-port ones
-
polyex
that mean every time you install that pkg you gotta install the huge rust toolchain?
-
polyex
_zip100
-
_zip100
it probably has rust version pinned at some reasonable defaults, I highly doubt they're using nightly
-
_zip100
also I believe you can cheat and install binary toolchain
-
polyex
how can we install a pkg that's made in rust without having to install the giant toolchain to build it?
-
polyex
that's all still huge no?
-
_zip100
they should have binary builds
-
_zip100
at least they do for Linux
-
_zip100
probably someone is doing them for BSD, you just have to find the right package registry (and trust their authors :) )
-
_zip100
or you can install pre-rust versions, but that's insecure in itself
-
Zyxer
I found binary build for FreeBSD
-
Zyxer
Also, why are they moving to rust? This angers me. If done properly C is better. Rust eats like 5MB for a hello world
-
Zyxer
And every dev thing already needs C
-
Zyxer
Bah, I am trying to run etherpad on server but it gave me brain damage. Nodejs is 5 nightmares distilled into one dose
-
_zip100
rust is like node.js applied to C
-
_zip100
I don't know why. because it's next best thing?
-
_zip100
I guess people get really hooked on "secure" motto, no matter what costs
-
Zyxer
npm uninstall *
-
Zyxer
How can I remove a package and all dependencies (that nothing else needs)=
-
Zyxer
?
-
Zyxer
Wrong chat
-
V_PauAmma_V
pkg remove <packagename> && pkg autoremove
-
Zyxer
Uh... Thanks. oh, the autoremove is for that. Good to know
-
V_PauAmma_V
Caveat: "pkg autoremove" will remove all dependencies no longer needed, not just the ones for <packagename>.
-
Zyxer
:)
-
nimaje
polyex: no, you only need rust if you want to build it yourself, it isn't a runtime dependency
-
unixwitch
darwin: according to vt(4), it looks like that should be possible using a custom keymap file (/usr/share/vt/keymaps)
-
darwin
great!
-
darwin
my first thought was change it to <SHIFT><PAGEUP|DOWN> like GNU/Linux but I'd rather also hear alternative KVM switch options
-
darwin
<SCROLL LOCK> is quicker of course
-
polyex
is it possible for traffic to leak while pf is reloading? like service pf reload
-
s2r
polyex Can you paste link to the rules?
-
jb1277976
Anyone get their function keys working with their laptop or desktop ? Looking for a guide
-
TommyC
jb1277976: what laptop, and does it provide an option in the bios to enable/disable those keys?
-
V_PauAmma_V
Define "function keys working"? I can use mine to switch between VTYs using alt-Fn (or ctrl-alt-Fn from the X session).
-
rwp
polyex, IIRC I remember the pf documentation saying that "pfctl -ef /etc/pf.conf" is an atomic update switching from the old rules to the new rules. There should not be leakage.
-
polyex
tyvm rwo
-
polyex
rwp
-
_0pr__
speaking of keyboard, I think the best and most reliable way to get all things working is to find a keyboard that the system supports... For desktop computers running freebsd, UHK is the best to my opinion... with it, I don't even need a mouse, except when gaming :P
-
jauntyd
Jelly Comb worked well for me. Inexpensive to boot
-
rwp
jb1277976, I didn't need to do anything. My keyboard function keys Just Work. But if you are asking about multimedia keys on a laptop keyboard then those usually need help to work on my linux systems and I haven't figured them out on FreeBSD myself yet.
-
parv
( hunh. Jelly Comb is closing: jellycomb.com/pages/protoarc )
-
VimDiesel
Title: Introducing ProtoArc – Jelly Comb
-
parv
( ... "Under ProtoArc's innovative and agile structure" does not exactly inspire confidence, especially if I were a past customer )
-
rwp
Past experience of mergers and acquisitions does not inspire future confidence. :-(
-
parv
yup
-
blabber
Hm, the discord invite link on wiki.freebsd.org/Discord is invalid or has expired.
-
VimDiesel
Title: Discord - FreeBSD Wiki
-
blabber
Ah, stupid me.
-
blabber
There is a second link that works...
-
drobban
debdrup: thx for the reply
-
_0pr_
Hi, anyone know how to register xfe as default file manager? Such that I click on the open in folder in download of chromium of firefox, it will open the location in xfe... Didn't find anything online... any tips where to look?
-
_0pr_
or firefox... typo there~
-
CueXXIII
_0pr_: xfce4-mime-settings when you are running the xfce4 desktop?
-
_0pr_
running dwm... I don't know if xdg-mime is the right way to do it...
-
CueXXIII
ah wait, xfe is not part of xfce4… but browsers should respect mime settings, at least firefox does, i think
-
_0pr_
Not something I must have but... since long I want to have it right~ So... When click on the Show in Folder icon in firefox, nothing happened, click it in chromium, it opens firefox... hahahaha weirdo
-
_0pr_
why the heck are all the files in .local/share/applications prefixed with wine...
-
_0pr_
I think I'm in the right place, have to play with it a little.
-
_0pr_
Done it, just create a desktop entry answering to mime type inode/directory in .local/share/applications folder, and chromium works just fine, firefox still has no reaction to this.
-
_0pr_
-
VimDiesel
Title: Browsers like Firefox require xdg-desktop-portal package to use OS default file manager - Software & Applications - Manjaro Linux Forum
-
_0pr_
Parfait~
-
deacon426
hello hello g'mrning :)
-
tercaL
hi
-
deacon426
\o
-
thorre
\o/
-
mage
am I the only one to have issues with Xorg and FreeBSD 14? (cmus colors disappeared, libreoffice doesn't show, etc)
-
mage
this is with Enlightenment and i915kms.ko loaded
-
mage
also keys to raise/lower brightness don't work (despite acpi_video being loaded)
-
deacon426
now theres a wm I haven't heard in a while. Nice
-
deacon426
i liked that gui platform
-
Zyxer
Good day
-
deacon426
Zyxer: \o
-
polyex
running 13.2 on host and guest vm. just ran freebsd-update fetch and install, and pkg upgrade, rebooted. now on the host system i can press command + enter to open a terminal like normal, but in the vm that key combo doesn't do anything anymore
-
polyex
anyone else run into that?
-
nimaje
are you sure the keys get passed to the vm correctly?
-
polyex
it was all working perfectly until i did these updates
-
polyex
i'd think so because meta + d brings up rofi
-
polyex
but meta + enter doesn't do anything
-
CrtxReavr
Is there a favorite howto for IPFW's in-kernel NAT?
-
CrtxReavr
-
VimDiesel
Title: Chapter 33. Firewalls | FreeBSD Documentation Portal
-
CrtxReavr
But it seems a little spotty on information. . .
-
CrtxReavr
Like right near the top, they talk about this shell script with an ipfw command and some variables being set but there's no mention of what the filename should be.
-
nimaje
"The example below builds upon the firewall ruleset shown in the previous section. It adds some additional entries and modifies some existing rules in order to configure the firewall for in-kernel NAT." so it should have a description in a previous section that explains how to use ipfw via the rc script in general?
-
CrtxReavr
Maybe I should just stick to natd.
-
CrtxReavr
It's served me well and I actually wrote a howto for it that used to get a lot of downloads.
-
nimaje
hm, I expect it to be /etc/ipfw.rules "This section demonstrates how to create an example stateful firewall ruleset script named /etc/ipfw.rules"
-
dch
enh
-
dch
I have a bunch of pf rules, where I need the rdr to happen before the NAT
-
dch
the rdr is more specific, but the nat seems to grab it too early
-
meena
dch: is that the thing that dfr fixed recently, or unrelated?
-
dch
meena: unrelated, this is just me not good enough at pf
-
unixwitch
i wonder why /usr/local/bin/ping_exporter is setuid. it presumably needs to run as root to use raw sockets, but it should be started by root... except the rc.d script starts it as nobody, but then it becomes root because it's setuid?
-
CrtxReavr
Not familiar with ping exporter, but that seems like a feasible theory.
-
CrtxReavr
That some component of Ping(tm) Authentication?
-
meena
unixwitch: that seems silly altogether. especially because nobody is not a user that should actually be used
-
CrtxReavr
Says who?
-
CrtxReavr
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
-
meena
nobody is the NFS fallback user. if you somehow gain control over that user on a server with (badly) mounted NFS, you can read all of it
-
unixwitch
meena: yes, it seems like a very convoluted way to just run something as root... maybe i should file a bug because having it setuid at all seems like an unnecessary security risk
-
CrtxReavr
ls -l /usr/local/bin/ping_exporter
-
unixwitch
-rwsr-xr-x 1 root wheel 10107456 Dec 8 19:40 /usr/local/bin/ping_exporter*
-
meena
unixwitch: please do
-
scoobybejesus
dch, i'm curious what you're trying to do. nat is generally for egress, whereas rdr is generally for ingress. but maybe you have a jail that you want to be rdr'd to another jail?
-
dch
scoobybejesus: aah maybe thats what I'm doing wrong
-
dch
PC <> firewall running a custom proxy <> proxy talks to internet
-
dch
traffic coming from internal network port 443 -> rdr to the custom proxy running on the firewall
-
scoobybejesus
i see what you mean. i'm no whiz. was hoping the rubberducking would help. but i'm thinking. seems like you still need nat, but the proxy should do it, or it should come after the proxy. ummm
-
unixwitch
-
VimDiesel
Title: 275705 – net-mgmt/ping_exporter: should not install setuid root
-
dch
-
VimDiesel
Title: Intercepting traffic with PF on FreeBSD | Squid Web Cache wiki
-
dch
my local conf must be too special by now
-
unixwitch
(incidentally, this is the first time in years i've ever had a useful outcome from the daily setuid check... so i'm glad i didn't just get annoyed and disable it)
-
CrtxReavr
unixwitch, what port is that from?
-
unixwitch
net-mgmt/ping_exporter
-
unixwitch
it's an agent for the Prometheus monitoring system that sends ICMP pings to various configured hosts and reports statistics over HTTP
-
CrtxReavr
Germans. . .
-
unixwitch
it would actually be a perfect example of something that should be rewritten to use capsicum... kind of a shame that seems to have no traction on platforms other than FreeBSD
-
unixwitch
also mildly surprised we have no port for postgres_exporter? maybe i should look up how to become a ports committer
-
scoobybejesus
dch, it looks like rdr rules can be listed prior to nat, since they are both translation rules. it also seems like the nat rule could have `! port http` to ignore 443/80. also i didn't know about bridge-to, but maybe it could be used if the proxy has its own interface
-
scoobybejesus
i hope you figure it out. i have had similar things that I failed to get to work. nothing mission critical for me, though. i just love to tinker
-
dch
scoobybejesus: when the rules are loaded, all NAT come before RDR (see `pfctl -nvf /etc/pf.conf` and watch the rule ordering)
-
nimaje
you could just become a port maintainer by creating the port and submitting it via bugzilla
-
scoobybejesus
interesting. gotcha. if pfctl re-orders things, there goes that idea. but excluding port 443 from the nat rule should still work, i would think
-
dch
mmmm its definitely the nat rule screwing things up, but despite that the rdr rule doesn't work
-
dch
rule 0/0(match): nat out on ng0: 172.16.1.4.18934 > 199.232.168.81.443
-
dch
thats me going out to bbc.co.uk
-
scoobybejesus
it could be worth putting pfsense in a vm, installing some other proxy, and spitting out its rules
-
dch
TIL, for NAT & RDR changes I need to flush the rules. easiest via `service pf restart`
-
dch
its still not working but at least it makes more sense now
-
meena
heh
-
» CrtxReavr hates syntaxes that separate IPs from port numbers with periods.
-
rwp
Agreed. I don't like them either.
-
rwp
tcpdump is another offender.
-
CrtxReavr
'Course I also remember when bind wouldn't allow an @ sign in SOA records, and the part of my work E-mail address on the left side of the @ had a period in it.
-
unixwitch
CrtxReavr: i sort of like that with IPv6 though. because there's no need to quote anything. but usage of : is probably so ingrained that it's not worth the effort of being different...
-
unixwitch
Proto Recv-Q Send-Q Local Address Foreign Address (state)
-
unixwitch
tcp6 0 0 2001:8b0:aab5:10.45199 2001:8b0:aab5:10.5432 ESTABLISHED
-
rwp
I thought the @ sign in SOA was still reserved for the domain part. No? One can put an at in the rhs fields now? Well will wonders never cease.
-
unixwitch
i'm also really curious about an email address with @ in the user part, i didn't think that was legal. aren't you supposed to rewrite it as %, like internal.gateway%user⊙ih?
-
unixwitch
oh, nvm... you mean the email address had a '.' in and that doesn't work in SOA records, right.
-
bahamat
unixwitch: According to the RFC, any character is valid for the local part, even an @
-
unixwitch
bahamat: does that require quoting? "a@b"@c?
-
bahamat
unixwitch: No, the right most @ delimits the domain, since we know that domain names can't have @ in them.
-
rwp
"@ IN SOA doom.proulx.com. hostmaster.proulx.com. (" I am still doing it this way. But you say I can have it hostmaster⊙pc now?
-
bahamat
so a@b@c, we know that the local part is a@b and the domain part is c.
-
unixwitch
bahamat: TIL. thanks
-
bahamat
Yeah, it's weird. And it makes it really fucked up writing a *valid* email address parser.
-
bahamat
For that matter, spaces and quote marks are also valid.
-
unixwitch
i wondered if this was changed recently but i checked RFC822 and according to the grammar it seems like it's always been valid
-
bahamat
The RFC was written when you didn't know if you were delivering to UNIX, a mainframe, or Windows for Workgroups.
-
rwp
It used to be when email routing was allowed that only one @ was allowed at a time and left @ were converted to % like joe%lab42⊙ec where upon delivery the right most @ was removed and the next % was promoted to an @.
-
rwp
But email routing has been forbidden as an anti-spam strategy for years and years now.
-
bahamat
So they were just like the local part will be: ¯\_(ツ)_/¯
-
unixwitch
if i'm reading it correctly unquoted spaces aren't allowed though, you still have to write "/CN=John Doe/OU=People"@x500domain.com
-
unixwitch
rwp: that's what i thought but as bahamat says that's not true. @ is permitted in the local part
-
bahamat
Yeah, but there's also like "Miles O'Brien"@foo, which was considered extremely common.
-
unixwitch
user⊙a@b.com might not be routed correctly but it is syntactically valid
-
rwp
Back in the Sendmail days I am pretty sure that would have been kicked out as invalid. It would have needed user%a.com⊙b to route.
-
unixwitch
yeah, if you want to do source routing you need to use %, but you *could* have a local user called foo@bar and their mail would be accepted
-
bahamat
Yeah, lots of address validators aren't compliant with the RFC, and not even all MTAs are. So YMMV if that's really your email address. But according to the RFC, it's required to be accepted.
-
unixwitch
... that would probably be a terrible idea though, i have enough issues with a '+' in my email address
-
bahamat
The local delivery agent can impose any restrictions it wants to. But MTAs need to deal.
-
rwp
MTAs have always been operated as a "my server, my rules" thing which means they do what they want and there isn't anything you can say about the remote end.
-
rwp
That's why Google and the other too big to block folks do what they want and we all must react.
-
bahamat
-
VimDiesel
Title: Your Name? | A Bit Of Fry And Laurie | BBC Comedy Greats - YouTube
-
unixwitch
ooi is there a solution to the problem that started this discussion, of putting an email address where the local part contains '.' in a DNS SOA? i guess everyone just uses hostmaster@ so this doesn't really come up very much
-
BinGOs
or for about a month, many years ago, "hoistmaster"
-
bahamat
unixwitch: It's probably best not to make it a real human's address anyway. You don't want to have to go changing your domains if that person leaves the org.
-
unixwitch
yeah, i agree
-
bahamat
Even if it's a purely personal domain, that email address is likely going to end up with a lot of spam, so I wouldn't want my real address in there.
-
unixwitch
i could use myname.hostmaster⊙mc but ironically i can't because it contains '.'... wonder if '+' is allowed in SOA
-
bahamat
I think it's limited to what's valid for domain hostnames, so I don't think either + or _ will work.
-
unixwitch
bahamat, CrtxReavr: i asked #dns and got a surprising answer: john\.doe.domain.com
-
bahamat
Interesting. Worth a try.
-
unixwitch
real life example: powerdns.com. 3600 IN SOA pdns-public-ns1.powerdns.com. peter\.van\.dijk.powerdns.com. 2023120701 10800 3600 604800 3600
-
bahamat
Although, tbf, I don't know anyone or anything (other than spammers) that actually use that for sending an email to.
-
bahamat
I think that you can safely assume that any human who saw peter.van.dijk.powerdns.com would assume peter.van.dijk⊙pc and not peter⊙vdpc
-
unixwitch
hostmaster@ just forwards to me@ anyway so might try changing it just to see how it goes. it feels more friendly to have a real name there
-
bahamat
The domain part of the RHS does not need to match the domain of the dns zone.
-
rwp
I always thought it was documented as a hint field for humans and was not intended to be machine parsed. Any human who sees it is expected to be able to figure it out. The backslashed dots feels like an afterthought on an afterthought to me.
-
rwp
I suggest using an alias of hostmaster (or hoistmaster if you like, knock yourself out!) and not put an actual person in there.
-
unixwitch
rwp: i imagine it would matter if, for example, you have some sort of web-based "domain report" tool and it wants to format the contact address as a mailto: link so you can click on it
-
rwp
I would always get that data from the whois database records.
-
unixwitch
that's not very useful nowadays as nearly all registrars hide registrant info by default. Registrant Email: tieredaccess.com/contact/acf0dd48-ac1f-488e-ba9e-4d4ac7f26db2
-
VimDiesel
Title: Tiered Access
-
rwp
If one is going to hide their whois data (which are most) then why would they not hide their SOA address behind an alias or other too?
-
unixwitch
because it's not about people who specifically make the effort to hide their whois data, it's that it happens for *everyone* by default even if they don't care either way
-
unixwitch
like my domains have valid SOA email addresses but hidden registrant data because i don't care enough to change the default
-
unixwitch
also, i care less about my email address being public than my home address, which is in whois but not in SOA
-
rwp
That last about home address is definitely true. It's a thing to watch for certainly.
-
rwp
It is interesting that "whois powerdns.com -h whois.ripe.net | less" shows very little but "host -t soa powerdns.com" lists Peter's name out right there. Wonder if Peter is an NPC role name there.
-
unixwitch
i'm pretty sure that is his real name, /whois habbie
-
mane
i just experienced linux users calling unix "sh*t"
-
mane
XD
-
_0pr__
It happens. Keep cool and smile.
-
mane
that's what i thought to do :DD
-
mane
i got mocked for liking bsd
-
mane
even tho the distro they use would not exist without ports and they even had a fbsd kernel branch
-
mane
no one cares
-
_0pr__
:D Most of the time we know better than they are.
-
unixwitch
"i got mocked for liking BSD" sounds like something that would happen at a high school, not somewhere you'd actually choose to be...
-
mane
well that just happened on libera ^^"
-
mane
but i guess it was just something they can pick on me for :D
-
mane
XD
-
mane
if i was eating an orange they would pick on me for eating an orange
-
meena
mane: i highly recommend listening to unixwitch, and not hang out in places where people are mean to you
-
mane
yeah that's just a brit and his buttpals
-
mane
but many people over there are legit
-
mane
it's just the chat is taken by a small troll group
-
mane
yesterday it was all ok but today they decided it's over
-
mane
XD