-
alepzi
docs.freebsd.org/en/books/handbook/jails/#creating-vnet-jail in the "ADD TO bridge INTERFACE" part of the sample jail config, where do i set 'private' on the epair#a interface?
-
VimDiesel
Title: Chapter 17. Jails and Containers | FreeBSD Documentation Portal
-
rwp
Ltning, It would be nice if FreeBSD had something equiv to Debian's
security-tracker.debian.org/tracker/status/release/stable
-
VimDiesel
Title: Vulnerable source packages in the stable suite
-
jmnbtslsQE
alepzi: i don't see why you can't just add it in the exec.prestart. exec.prestart += "ifconfig ${bridge} private ${epair}a"
-
alepzi
ifconfig ${bridge} private addm ${epair}a up?
-
jmnbtslsQE
you'd need to set it more like i gave, but you could also do: ifconfig ${bridge} addm ${epair}a private ${epair}a
-
alepzi
oh weird
-
alepzi
lemme try
-
alepzi
and keep the up at the end?
-
alepzi
ifconfig ${bridge} private addm ${epair}a private ${epair}a up?
-
jmnbtslsQE
i'm not sure what that up is doing there, other than setting the bridge up. but that works
-
alepzi
it's copied from the jail handbook page. maybe that's quirky?
-
jmnbtslsQE
yeah i do see it there. there isn't any harm in setting the bridge up repeatedly unless there's some reason you want it down
-
alepzi
ok lemme try
-
alepzi
if the epaira interface has the 'private' flag, what can i look for in ifconfig to verify that?
-
jmnbtslsQE
it's noted on the bridge
-
alepzi
oh ya i see it there. so did i set bridge as private or epaira?
-
jmnbtslsQE
it's property that's defined in the context of the bridge. the ifconfig manpage has some info
-
jmnbtslsQE
it may be more convenient to implement your policy in your firewall
-
Soni
debdrup: when was that introduced? and how does it detect a VM?
-
alepzi
is a "bridge" considered an interface?
-
Soni
(as in, which version?)
-
alepzi
jmnbtslsQE: termbin.com/b1nt the private flag is registering on the epaira interface but vtnet0 doesn't show private even though line 13 makes it private. know what i'm doing wrong?
-
jmnbtslsQE
alepzi: not sure. not sure if you will be able to set private in that way
-
Mechami
Can BSD run in a Single-System Image configuration?
-
Mechami
Like share process namespaces and all that among nodes in a cluster and etc, etc.
-
alepzi
if i set private on vtnet0 and epaira, the traffic can still in theory pass in on vtnet0, through the bridge, to epaira, and back out?
-
alepzi
i just want to isolate vtnet0 from epaira
-
jmnbtslsQE
alepzi: according to the documentation if private is set, then that traffic will be dropped as you desire. but i think implementing in a firewall (even within your jail) would be a more robust solution
-
alepzi
i have it in the fw too, i just want to enforce security policy everywhere i can
-
jmnbtslsQE
fair. i don't know if i've used it other than messing around, so i think you're correct
-
alepzi
can i add private to an interface from the commandline adhoc?
-
jmnbtslsQE
you use the same syntax as given in the jail exec.prestart commands above. those are just shell invocations
-
jmnbtslsQE
well, they might not actually specifically be shell invocations, not sure. but those commands are written as they are if you are in a shell
-
alepzi
ifconfig vtnet0 private --> 'private' requires argument
-
jmnbtslsQE
see the syntax given above. you want ifconfig $bridge private vtnet0
-
alepzi
oh so private is on an interface ONLY IN the context of a bridge?
-
jmnbtslsQE
yeh
-
alepzi
ahaaaaa
-
alepzi
OH i see now. i misunderstood the ifconfig man page for MONTHS. but private is an option in the Bridge Interface Parameters
-
jmnbtslsQE
right, it does have many sections
-
alepzi
k i added private to epaira and vnet0, and i couldn't ping jail anymore. so i guess that means vtnet0 needed to forward traffic for epaira
-
Soni
we can't get /usr/src to compile
-
Soni
it runs out of RAM
-
jmnbtslsQE
Soni: you could possibly try WITHOUT_LLVM if that's not needed, and if that's what is causing the memory rise
-
jmnbtslsQE
hmm, maybe that's not exactly the variable
-
jmnbtslsQE
maybe WITHOUT_CLANG actually
-
rwp
Soni, Regarding "runtime went backwards" it's been reported on VMs that adding kern.hz=100 to /boot/loader.conf switches the kernel from "tickless" to traditional ticks and avoids the problem.
-
rwp
Probably should check with "sysctl kern.hz" that it is otherwise first in order to see if it makes a difference though.
-
markmcb
passing through a GPU to bhyve is so much less hassle than doing the equivalent with linux+qemu. it's my favorite thing of the week.
-
kevans
Ltning: I'd shoot an e-mail to secteam@ and ask for it; they're already inserting the CVE into the SA templates, I don't think it's a crazy ask to also make those visible in the index since they're a commonly-used identifier
-
kevans
(it's also not crazy to single out the CVE number, since these do often come from a FreeBSD CVE pool as assigned by so@)
-
kevans
((unlike other possible identifiers))
-
nimaje
rwp: do you search for vuxml.freebsd.org/freebsd ?
-
VimDiesel
Title: FreeBSD VuXML - entry date index
-
lanodan
Hi, looking around the tests of freebsd utils and noticed that c_flag_body in src/usr.bin/du/du_test.sh tests nothing, seems like an error.
-
VimDiesel
Title: du_test.sh « tests « du « usr.bin - src - FreeBSD source tree
-
Soni
oh, it's not llvm, it crashed at lib/msun/tests
-
rwp
nimaje, Thanks for sharing that vuxml.freebsd.org reference as I was unaware of it. But looking at it now I still don't find it satisfying. It is not as nice as the Debian security-tracker.debian.org site for example. It would be nice if FreeBSD had a site that was similarly good and useful.
-
rwp
nimaje, Oh! As I bang around I find vuxml.freebsd.org/freebsd/index-cve.html which does list by CVE number. kevans and Ltning check it out!
-
VimDiesel
Title: FreeBSD VuXML - CVE name index
-
Ltning
rwp: Yeah, but that doesn't really scale well as the number of CVEs grows.. the page is already pretty big. But it means the data exists (although as debdrup said, CVEs aren't necessarily always useful)
-
Ltning
But I guess that page doesn't need much more than a search box, really. And perhaps a way to limit the search to base os or ports.
-
rwp
Ltning, I simply Control-F and use the browser to search. It's all local at that point. No need for a search box on the server side for that page.
-
rwp
As a by-the-by it's also possible to "fetch -o- -q vuxml.freebsd.org/freebsd/index-cve.html | grep CVE-2024-38709" to get the FreeBSD VuXML ID from the relative link and to do further scripted querying.
-
VimDiesel
Title: FreeBSD VuXML - CVE name index
-
Ltning
rwp: Yes, *I* can find it. My point is I want to point the so-called security testers to a useful source of this information without requiring they actually know the up and down of a command line :P
-
rwp
Control-F is core graphical user interface. If a security researcher can't handle Control-F then they are not much of a security researcher.
-
rwp
I only included the command line as an afterthought. And apparently am burned by it. I shouldn't have done it. I should have known better.
-
Ltning
Hahaha :D
-
Ltning
Yea .. I pity anyone who has to deal with these so-called experts. Turns out, I am a master of self-pity.
-
» kevans still thinks this is easily solved with an e-mail to secteam
-
rwp
Hey just an hour ago I was trying to help a web development company a friend of mine is using hosting his Wordpress based commercial site that sends email with 8-bit emoji without encoding it and then the email is not being delivered because my friend is using Comcast which does not support SMTPUTF8 and therefore requires a clean transmission path so has been rejecting the email.
-
rwp
The web company should have been using PHP iconv_mime_encode() but has not.
-
rwp
kevans, Now that I know about vuxml.freebsd.org/freebsd/index-cve.html I don't think anything more is actually required. It might be *prettier*. But all of the information that I had said I wanted from the Debian page is available there.
-
VimDiesel
Title: FreeBSD VuXML - CVE name index
-
Ltning
kevans: Yep, will do, just want to make sure I'm making sense. :)
-
rwp
Note that I am not arguing against an email to the secteam. Communication there seems perfectly cromulent.
-
Ltning
(though I have more flammable issues to bring up with the secteam, as soon as I can muster the courage)
-
kevans
the SA listing could use some more text to fill in whitespace anyways
-
alepzi
im trying to set up jail's dns so why do i get cannot write to /var/run/resolvconf/lock when i run jexec -l testjail echo 'nameserver 1.2.3.4' | resolvconf -a epair42b?
-
V_PauAmma_V
That runs echo within the jail, but resolvconf outside the jail. Is that what you want?
-
alepzi
no
-
alepzi
i want it all to run inside the jail
-
alepzi
do i need quotes around the whole command?
-
V_PauAmma_V
Yes, and you also need to invoke sh explicitly. Something like (untested): jexec -l testjail /bin/sh -c "echo 'nameserver 1.2.3.4' | resolvconf -a epair42b"
-
alepzi
know why i need to run /bin/sh?
-
V_PauAmma_V
Because jexec itself won't set up the pipe.
-
alepzi
ty!!
-
alepzi
can i make tar create the dir at -C path if it doesn't exist or do i gotta mkdir -p path first?
-
sfox
yay i have a working laptop again
-
alepzi
YAY
-
alepzi
framework?