-
pedrohex
hi all.
-
pedrohex
I'm thinking about installing 14 on my laptop, which is a Lenovo Legion 2021. Anyone tried it already?
-
pedrohex
The HCL doesn't say much, it's probably outdated :\
-
beastwick
I am interested in running pi hole in a linux jail, is this feasible or should I be looking into running a linux vm through bhyve?
-
beastwick
I see some forum posts of people setting up linux jails.
-
[0x1eef]
pedrohex: I don't know about the Lenovo Legion. But 14 runs well on my Lenovo ThinkPad L14. I get by without wifi support. I'd suggest trying it and seeing :P If there are any problems it is usually wifi or the graphics card, and there are usually alternatives depending on your requirements.
-
pedrohex
[0x1eef], I thought 14 fixed the wifi problems. Graphics: isn't the NVIDIA driver available?
-
pedrohex
it is..
-
mason
beastwick: You can do fancy things with jail networking and vnet.
-
mason
beastwick: I've been thinking about this myself just today, as I need to get a test environment running, and Chromium under FreeBSD appears to be a bit fragile.
-
beastwick
mason: I have seen Linux Chrome in a jail as the use case.
-
beastwick
mason: I will probably attempt the jail first; if that proves too hard then I will move on to the VM.
-
beastwick
mason: I can't see the jail not working for this use case though; the Linux compat layer runs some really interesting/good stuff these days, really cool.
-
beastwick
The list of native Linux games that work is surprisingly longer than I would have expected, if that's your thing, so I can't see Pi-hole not functioning, unless for some reason it requires messing around with pf for packet routing, which I doubt.
-
mason
beastwick: I need Chrome (or Chromium) in a jail, and OpenConnect. I can do OpenConnect in a straight FreeBSD jail. Curious if it'll work in a Linuxulator jail.
-
mason
Ideally my stuff will work just in FreeBSD but it's not just at the moment.
-
beastwick
Is OpenConnect related to OpenVPN? I just tried to do OpenVPN in a jail, but stopped because of the aforementioned need to do some pf-fu for packet routing.
-
beastwick
Ironically, it might be easiest for me to put OpenVPN in a light VM.
-
beastwick
I really would like to isolate it.
-
mason
beastwick: Different. It's Cisco's VPN.
-
mason
And it works nicely in jails.
-
beastwick
gotcha, I will take a look at that
-
mason
beastwick: I don't think you want it if you've not got Cisco's AnyConnect on the other side.
-
beastwick
Oh yeah, true, I don't :D - I take it that AnyConnect isn't free?
-
sfox
My microphone doesn't seem to work in FreeBSD.
-
skered
Dang. 13.3p1 was hard to install on a 512M ec2 instance. heh.
-
yaslam
morning
-
Farooq
morning
-
mane
Morning
-
thorre
morning
-
remiliascarlet
Evening.
-
dvl
Anyone see why bsd.network seems to be offline?
-
remiliascarlet
Because they like to be offline, of course!
-
remiliascarlet
No seriously, except for the server admins, nobody knows unless they publicly announce something.
-
dvl
remiliascarlet: Seriously, yes, I was hoping someone had heard something. :) Say, from the server admins. :)
-
martinrame
Hi, I need to move/delete one file that's on a broken sector (or whatever it's called in ZFS). When I try mv I get an Input/Output error; how can I force its deletion?
-
VimDiesel
Title: no template named 'enable_if_t' in namespace 'std' · bazelbuild/bazel · Discussion #21734 · GitHub
-
martinrame
I'm trying to build the OpenXLA library, which uses Bazel, and it seems to be having issues detecting the right gcc version.
-
unixman_home
I have @work a FreeBSD host that we are using for forwarded logs from many systems. The log file for that data is between 155 GB and 165 GB daily. The newsyslog log rotation is set to archive up to 5 of these and is using bzip2 compression. The log compression is taking over 15 hours each day. I have been pinged about the extended CPU usage by our VMware team. Will I gain any compression speed using one of the other compression options available
-
unixman_home
with newsyslog?
-
lw
unixman_home: yes - try the 'Y' flag to use zstd, which is much faster than bzip2 and should still provide good compression
-
lw
zstd(1) allows quite a bit of configuration over the speed:compression ratio balance, but I'm not sure if newsyslog exposes that.
-
unixman_home
lw, okay thanks. In hindsight I should have looked to see if I could find any comparison data for these compression algorithms, mea culpa. I'll do that now. :)
-
babz
zstd has an adaptive mode, which is supposed to adapt the compression strength to max out the throughput.
-
lw
unixman_home: another option would be to use ZFS compression - the overall compression ratio might be lower, but since it compresses on the fly, CPU usage is smoothed over the day with no spikes.
-
unixman_home
Got it.
-
unixman_home
This host is using UFS.
-
VVD
unixman_home, you can try xz too - even with default options it's faster than bzip2 and has better compression.
-
dstolfa
VVD: amusing timing for that :D
-
VVD
?
-
VimDiesel
Title: oss-security - backdoor in upstream xz/liblzma leading to ssh server compromise
-
ridcully
your sshd might become slower though ;P
-
[diablo]
Hi good evening #freebsd I hope you're all well
-
[diablo]
I've got a new motherboard with an AMD 7840HS CPU, and I'm not getting any thermals with 13.1-RELEASE-p9 ... anyone know what could be wrong, please?
-
lw
[diablo]: I can't remember which temperature sensors are built into the kernel, but try 'kldload amdtemp' and see if it helps.
-
VVD
> Due to the working of the injected code (see below), it is likely the backdoor can only work on glibc based systems.
-
VVD
xz -V
-
VVD
xz (XZ Utils) 5.4.5
-
VVD
liblzma 5.4.5
-
[diablo]
Hi lw, good evening. Yeah, that module is loaded.
-
[diablo]
It's in the kernel.
-
dstolfa
VVD: this particular issue depends on systemd as well, and FreeBSD imports xz without the autotools required for the backdoor and the tests.
-
dstolfa
There might be more things that weren't caught that we are vulnerable to, however. But this particular issue isn't one on FreeBSD at least.
-
lw
[diablo]: and you don't have the dev.amdtemp sysctl nodes? In that case not sure, sorry :-/ (that driver works for me, but this is a 7800X3D on 15.0 so quite possibly needs a different driver)
-
lw
er, 5800X3D
-
[diablo]
Nope, nothing.
-
[diablo]
TBH, FWIW this is TrueNAS, but as it's a kernel module I jumped in here.
-
Teraii
On x11vnc, is it not possible to close port 5900 on IPv6?
-
unixman_home
dstolfa, my understanding from our security team is the sshd vulnerability does not affect FreeBSD. TBH, I have not looked into it personally and am just relying on an e-mail our sec team sent out.
-
dstolfa
unixman_home: it doesn't, see my comments above. There are a number of reasons why this doesn't work on FreeBSD.
-
lw
unixman_home: it doesn't... but there's some concern the user might have done similar things to other projects.
-
lw
(for example, they worked on libarchive, but apparently those commits have been audited and are fine)
-
unixman_home
Okay, my apologies for not reading all the things before jumping in, dstolfa. :D Thanks, lw.
-
eoli3n37
Hi
-
eoli3n37
How do I debug a service restart?
0x0.st/Xzik.txt
-
eoli3n37
-v doesn't help much
-
sfox
Can thermal paste on a laptop go bad after only 3 years?
-
sfox
AS5
-
sfox
Not cheap stuff by any means.
-
sfox
I had FreeBSD do an emergency shutdown while not doing anything particularly intensive,
-
sfox
due to an ACPI thermal trip.
-
lts
Dust, bad fan
-
lts
Bad sensor
-
eoli3n37
I don't get something: I manually edited /etc/passwd, but the changes are ignored.
-
eoli3n37
vipw...
-
eoli3n37
wt
-
lw
eoli3n37: don't edit /etc/passwd, use vipw(8). On BSD, /etc/passwd is generated from /etc/master.passwd; vipw does that for you.
-
eoli3n37
Thanks.
-
rwp
sfox, unusual, but not impossible. Dirt blocking airflow is more likely. A failing fan is more likely. But maybe something is physically wrong with the CPU cooler attachment. I do this work a lot, so I would be comfortable removing and inspecting it.
-
nimaje
Hm, how do I debug local-unbound? I only get SERVFAILs; the upstream DNS server works.
-
rwp
nimaje, I hear that, and I must ask: is your clock set? unbound by default will check DNSSEC, and that depends upon the time being correct, resulting in what you are describing. One possible way among the many ways things might fail.
-
lw
nimaje: the only advice I can offer is to not use local_unbound; install it from ports and configure it normally. I found local_unbound opaque and hard to manage, and I'm not really sure why it even exists (I guess so DHCP magically works...).
-
lw
Which reminds me - does FreeBSD include a DHCPv6 client nowadays?
-
lw
man -k dhcp and dhclient(8) suggest not.
-
nimaje
I found the logs meanwhile. It says "local-unbound[45068]: [45068:0] notice: init module 0: validator" and "local-unbound[45068]: [45068:0] notice: init module 1: iterator", but no idea what those mean.
-
nimaje
The clock is correct.
-
lw
nimaje: 'validator' means it loaded the DNSSEC validator module and 'iterator' means it loaded the normal recursive DNS module; both of those are normal.
-
lw
To rule out a DNSSEC issue, you could temporarily remove 'validator' from unbound.conf's module-config.
-
rwp
I also am not using local-unbound because for some reason it does not install correctly for me. Therefore I am using unbound (not local-unbound) and just configuring it normally.
-
rwp
Additionally, sometimes I am debugging because DNS is not working, but what is not working is the domain I am looking up, and DNSSEC is bodged up. Now I always start with dnsviz.net and look at the report on the domain first. If it is broken then I will know why DNSSEC is failing. Seen that problem several times. DNSViz site FTW!
-
VimDiesel
Title: DNSViz | A DNS visualization tool
-
lw
dnsviz is great, but it's more for debugging authoritative server issues than local recursors.
-
lw
authoritative? IDK how to spell that.
-
rwp
Yes. But if the upstream domain is broken then the downstream unbound can't validate it, and sometimes that is the problem I see rather than local resolving being entirely broken.
-
rwp
Basically there are an infinite number of ways for things to fail. But only one way for things to work correctly.
-
nimaje
OK, seems like the upstream DNS server in this network doesn't support DNSSEC.
-
rwp
If there is no DNSSEC then that can be scratched off as not the problem.
-
lw
nimaje: did turning off DNSSEC in local-unbound fix it? I am interested in this issue since I haven't run into it before.
-
lw
I would have thought unbound would fall back to recursing itself if its forwarders returned invalid DNSSEC data or didn't support it at all.
-
rwp
If the upstream domain does not have any DNSSEC records then everything works using traditional DNS without it. DNSSEC is not (yet) required.
-
rwp
I know you are reviewing the /var/log/messages logs, but are there no other clues to a problem in there?
-
lw
rwp: yes, I think the issue here though is that unbound is configured to use a forwarder, and the forwarder doesn't support DNSSEC, which is different from the domain itself not having DNSSEC records.
-
lw
... which is not a situation I've run into, since all my recursors support DNSSEC (and run unbound :-)
-
rwp
Where was the data point of DNS being forwarded stated? I don't see it. I don't think we know the exact unbound configuration yet.
-
lw
No, maybe not. I think that's how local_unbound is configured by default in the rc script though, right? It takes the contents of /etc/resolv.conf and turns it into unbound config.
-
rwp
All we know is "I only get SERVFAILs, upstream dns server works" and I don't know exactly what that means.
-
lw
(TBH this is why I don't like local_unbound; you really have no idea what it's doing behind the scenes...)
-
rwp
Hmm... I guess I don't remember what local-unbound tries to do by default. I just know it failed to work for me. So I fell back to the regular unbound pkg.
-
lw
I remember having some issues with it too, but I don't think that was DNSSEC-related; I don't remember what the problem was now.
-
rwp
I am using unbound with forwarding for my own domain and it works okay for me with forwarding.
-
lw
Yeah, I just set up anycast unbound here and it's working well. I think I'm still going to deploy a local unbound from ports (not local_unbound) to get DNSSEC validation on the local host though.
-
lw
Maybe if I do that I'll give local_unbound another try and see how it goes.
-
nimaje
lw: yes, disabling the validator "fixed" it.
-
rwp
nimaje, as I understand it, when using forwarding the local nameserver has no sec information and is relying upon the upstream nameserver to perform validation.
-
nimaje
The config here sets the DNS server given via DHCP as the forwarder for ".".
-
rwp
Therefore with BIND I must set "forwarders { 192.168.230... }; forward only; dnssec-validation no;" for named. But for unbound it seemed to do this automatically.
-
VimDiesel
Title: Actually secure DNS over TLS in Unbound | Ctrl blog
-
lw
(DoH + a DNSSEC-validating resolver should be end-to-end secure...)
-
nimaje
In another network it works fine; not sure what the problem here is, but shouldn't DNSSEC work too, even if passed through multiple recursive DNS servers?
-
lw
nimaje: it should, but some broken resolvers might reject recursive queries with the DNSSEC flag set. Interested to know what dig says?
-
lw
"dig example.com @resolver.ip.address +do" or something
-
lw
Actually, maybe delv is better for this since it provides more explicit output.
-
lw
% delv le-fay.uk ns @dns.svc
-
lw
; fully validated
-
nimaje
No dig in FreeBSD, but drill gives back some RRSIGs if I pass the -D flag, which should make drill use DNSSEC if I understand that correctly.
-
rwp
drill is the same syntax as dig.
-
nimaje
Hm, if I replace dig with drill in that command I get NXDOMAIN. Does that mean DNSSEC validation fails? I can't find +do in drill's man page.
-
rwp
nimaje, as to lw's request, this is what I see here using my local resolver:
termbin.com/ae1c
-
rwp
(since bsd.to is still offline)
-
rwp
And this for dig:
termbin.com/s5ue
-
rwp
I have always used dig. I had heard that drill was supposed to be dig-compatible. But I guess it is not!
-
nimaje
After a bit of fighting with pkg I installed bind-tools and tried delv. Yes, that upstream DNS server doesn't do DNSSEC correctly.
-
rwp
With drill -D here:
termbin.com/kfa5
-
rwp
So... Time to use a local caching server? Or to switch to a different upstream nameserver?
-
rwp
Good hunting! I am run IRL. BBIAB.
-
nimaje
Well, local_unbound is a local caching server, but maybe it's time to let it do all the resolving, instead of using whatever DHCP gives me as upstream.
-
nimaje
Seems like drill is compatible with dig; just the man page is incomplete (+do made a difference, NOERROR vs NXDOMAIN).
-
jimmiejaz
"Number of packages to be removed: 25" ... whenever I see this doing a pkg upgrade, it always induces a slight panic. py37 stuff, nothing to actually panic about.
-
Teraii
x11vnc -rfbportv6 0
-
Teraii
to disable listening on IPv6 port 5900
-
Teraii
Not documented.
-
nimaje
Hm, py37; forgot to run pkg autoremove for a while?