00:28:53 https://docs.freebsd.org/en/books/handbook/jails/#creating-vnet-jail in the "ADD TO bridge INTERFACE" part of the sample jail config, where do i set 'private' on the epair#a interface?
00:28:54 Title: Chapter 17. Jails and Containers | FreeBSD Documentation Portal
00:44:58 Ltning, It would be nice if FreeBSD had something equiv to Debian's https://security-tracker.debian.org/tracker/status/release/stable
00:45:00 Title: Vulnerable source packages in the stable suite
00:46:45 alepzi: i don't see why you can't just add it in the exec.prestart. exec.prestart += "ifconfig ${bridge} private ${epair}a"
00:47:52 ifconfig ${bridge} private addm ${epair}a up?
00:49:26 you'd need to set it more like i gave, but you could also do: ifconfig ${bridge} addm ${epair}a private ${epair}a
00:49:51 oh weird
00:49:54 lemme try
00:50:37 and keep the up at the end?
00:50:58 ifconfig ${bridge} private addm ${epair}a private ${epair}a up?
00:52:29 i'm not sure what that up is doing there, other than setting the bridge up. but that works
00:53:09 it's copied from the jail handbook page. maybe that's quirky?
00:53:38 yeah i do see it there. there isn't any harm in setting the bridge up repeatedly unless there's some reason you want it down
00:53:58 ok lemme try
00:58:34 if the epaira interface has the 'private' flag, what can i look for in ifconfig to verify that?
00:59:17 it's noted on the bridge
00:59:49 oh ya i see it there. so did i set bridge as private or epaira?
01:00:26 it's a property that's defined in the context of the bridge. the ifconfig manpage has some info
01:00:58 it may be more convenient to implement your policy in your firewall
01:03:21 debdrup: when was that introduced? and how does it detect a VM?
01:05:21 is a "bridge" considered an interface?
01:05:45 (as in, which version?)
01:07:32 jmnbtslsQE: https://termbin.com/b1nt the private flag is registering on the epaira interface but vtnet0 doesn't show private even though line 13 makes it private. know what i'm doing wrong?
01:14:09 alepzi: not sure. not sure if you will be able to set private in that way
01:14:27 Can BSD run in a Single-System Image configuration?
01:14:46 Like share process namespaces and all that among nodes in a cluster and etc, etc.
01:14:59 if i set private on vtnet0 and epaira, the traffic can still in theory pass in on vtnet0, through the bridge, to epaira, and back out?
01:15:12 i just want to isolate vtnet0 from epaira
01:16:54 alepzi: according to the documentation if private is set, then that traffic will be dropped as you desire. but i think implementing in a firewall (even within your jail) would be a more robust solution
01:17:24 i have it in the fw too, i just want to enforce security policy everywhere i can
01:18:40 fair. i don't know if i've used it other than messing around, so i think you're correct
01:19:25 can i add private to an interface from the commandline adhoc?
01:19:47 you use the same syntax as given in the jail exec.prestart commands above. those are just shell invocations
01:20:35 well, they might not actually specifically be shell invocations, not sure. but those commands are written as they are if you are in a shell
01:20:54 ifconfig vtnet0 private --> 'private' requires argument
01:22:25 see the syntax given above. you want ifconfig $bridge private vtnet0
01:22:56 oh so private is on an interface ONLY IN the context of a bridge?
01:23:22 yeh
01:23:25 ahaaaaa
01:24:03 OH i see now. i misunderstood the ifconfig man page for MONTHS. but private is an option in the Bridge Interface Parameters
01:24:30 right, it does have many sections
01:25:36 k i added private to epaira and vnet0, and i couldn't ping jail anymore. so i guess that means vtnet0 needed to forward traffic for epaira
02:28:54 we can't get /usr/src to compile
02:29:28 it runs out of RAM
03:31:53 Soni: you could possibly try WITHOUT_LLVM if that's not needed, and if that's what is causing the memory rise
03:33:04 hmm, maybe that's not exactly the variable
03:35:22 maybe WITHOUT_CLANG actually
04:27:53 Soni, Regarding "runtime went backwards" it's been reported on VMs that adding kern.hz=100 to /boot/loader.conf switches the kernel from "tickless" to traditional ticks and avoids the problem.
04:31:11 Probably should check with "sysctl kern.hz" that it is otherwise first in order to see if it makes a difference though.
04:56:49 passing through a GPU to bhyve is so much less hassle than doing the equivalent with linux+qemu. it's my favorite thing of the week.
05:10:15 Ltning: I'd shoot an e-mail to secteam@ and ask for it; they're already inserting the CVE into the SA templates, I don't think it's a crazy ask to also make those visible in the index since they're a commonly-used identifier
05:12:57 (it's also not crazy to single out the CVE number, since these do often come from a FreeBSD CVE pool as assigned by so@)
05:13:10 ((unlike other possible identifiers))
09:27:48 rwp: do you search for https://vuxml.freebsd.org/freebsd/ ?
09:27:49 Title: FreeBSD VuXML - entry date index
10:05:40 Hi, looking around the tests of freebsd utils and noticed that c_flag_body in src/usr.bin/du/du_test.sh tests nothing, seems like an error.
10:05:42 https://cgit.freebsd.org/src/tree/usr.bin/du/tests/du_test.sh#n100
10:05:44 Title: du_test.sh « tests « du « usr.bin - src - FreeBSD source tree
11:41:55 oh, it's not llvm, it crashed at lib/msun/tests
14:31:07 nimaje, Thanks for sharing that vuxml.freebsd.org reference as I was unaware of it. But looking at it now I still don't find it satisfying. It is not as nice as the Debian security-tracker.debian.org site for example. It would be nice if FreeBSD had a site that was similarly good and useful.
14:33:08 nimaje, Oh! As I bang around I find https://vuxml.freebsd.org/freebsd/index-cve.html which does list by CVE number. kevans and Ltning check it out!
14:33:09 Title: FreeBSD VuXML - CVE name index
18:13:03 rwp: Yeah, but that doesn't really scale well as the number of CVEs grows.. the page is already pretty big. But it means the data exists (although as debdrup said, CVEs aren't necessarily always useful)
18:17:03 But I guess that page doesn't need much more than a search box, really. And perhaps a way to limit the search to base os or ports.
18:35:28 Ltning, I simply Control-F and use the browser to search. It's all local at that point. No need for a search box on the server side for that page.
18:38:25 As a by-the-by it's also possible to "fetch -o- -q https://vuxml.freebsd.org/freebsd/index-cve.html | grep CVE-2024-38709" to get the FreeBSD VuXML ID from the relative link and to do further scripted querying.
18:38:26 Title: FreeBSD VuXML - CVE name index
18:40:26 rwp: Yes, *I* can find it. My point is I want to point the so-called security testers to a useful source of this information without requiring they actually know the up and down of a command line :P
18:43:42 Control-F is core graphical user interface. If a security researcher can't handle Control-F then they are not much of a security researcher.
18:44:35 I only included the command line as an afterthought. And apparently am burned by it. I shouldn't have done it. I should have known better.
18:45:04 Hahaha :D
18:45:22 Yea .. I pity anyone who has to deal with these so-called experts. Turns out, I am a master of self-pity.
18:46:06 * kevans still thinks this is easily solved with an e-mail to secteam
18:47:41 Hey just an hour ago I was trying to help a web development company a friend of mine is using hosting his Wordpress based commercial site that sends email with 8-bit emoji without encoding it and then the email is not being delivered because my friend is using Comcast which does not support SMTPUTF8 and therefore requires a clean transmission path so has been rejecting the email.
18:47:50 The web company should have been using PHP iconv_mime_encode() but has not.
18:48:27 kevans, Now that I know about https://vuxml.freebsd.org/freebsd/index-cve.html I don't think anything more is actually required. It might be *prettier*. But all of the information that I had said I wanted from the Debian page is available there.
18:48:28 Title: FreeBSD VuXML - CVE name index
18:48:33 kevans: Yep, will do, just want to make sure I'm making sense. :)
18:49:10 Note that I am not arguing against an email to the secteam. Communication there seems perfectly cromulent.
18:50:08 (though I have more flammable issues to bring up with the secteam, as soon as I can muster the courage)
18:50:54 the SA listing could use some more text to fill in whitespace anyways
19:53:58 im trying to set up jail's dns so why do i get cannot write to /var/run/resolvconf/lock when i run jexec -l testjail echo 'nameserver 1.2.3.4' | resolvconf -a epair42b?
22:34:18 im trying to set up jail's dns so why do i get cannot write to /var/run/resolvconf/lock when i run jexec -l testjail echo 'nameserver 1.2.3.4' | resolvconf -a epair42b?
22:36:31 That runs echo within the jail, but resolvconf outside the jail. Is that what you want?
22:43:55 no
22:44:01 i want it all to run inside the jail
22:44:16 do i need quotes around the whole command?
22:51:50 Yes, and you also need to invoke sh explicitly. Something like (untested): jexec -l testjail /bin/sh -c "echo 'nameserver 1.2.3.4' | resolvconf -a epair42b"
22:52:20 know why i need to run /bin/sh?
22:52:56 Because jexec itself won't set up the pipe.
22:54:37 ty!!
23:34:39 can i make tar create the dir at -C path if it doesn't exist or do i gotta mkdir -p path first?
23:35:10 yay i have a working laptop again
23:35:16 YAY
23:35:20 framework?