-
drg99
Hi, I am looking into hardware for WireGuard to set up some VPNs on FreeBSD 14 and a single internet exit point. Does anyone know some cheap hardware for this use case?
-
deimosBSD
drg99: an rpi4+ or i3-class CPU will probably do fine, depending on how fast your internet speeds are and how many rules you want to maintain
-
drg99
deimosBSD: I want to have some sort of redundancy too: 2 x hardware per site. I think I will need 3 Ethernet ports for this: 1 for LAN, 1 for WAN and 1 port for keepalived between devices. I am looking into options since one site will need 100 Mbps but another site will require 1.5 Gbps
-
deimosBSD
you could buy 2 cheap Protectli devices and run OPNsense on them
-
deimosBSD
OPNsense being based on FreeBSD
-
drg99
interesting
-
drg99
deimosBSD: would it allow my keepalived? I have never used OPNsense, that's why I ask
-
jauntyd
n/exit
-
drg99
deimosBSD thanks, I will check it
-
drg99
deimosBSD, one more question please: why not pfSense?
-
deimosBSD
drg99: personal choice
-
drg99
I see
-
drg99
deimosBSD, but would it be a struggle to buy 2x Protectli per location and use them with only pure FreeBSD 14? I only need IPsec VPN or WireGuard and a single internet exit point
-
tjpcc
I can't get VNET jail networking to function. I just get nothing back from pings, or any attempts to send packets. Configuration:
paste.debian.net/plain/1324209
-
tjpcc
but the high level: I set up a bridge in rc.conf and give it 192.168.0.128/24. I have an epair where the host end ('a') gets 192.168.0.1 and the jail end ('b') gets 192.168.0.129, and I give the jail "route add default 192.168.0.128" in an exec.start script
-
tjpcc
strangely, I can get a single packet through (for example "ping google.com") but only right after the jail starts up
-
tjpcc
but after that, nothing from ping, whether to a domain name or a known IP address (such as 192.168.0.128, the gateway)
-
tjpcc
I've enabled the sysctl net.inet.ip.forwarding as well
-
last1
I swear to ***, Linux is a post. You want to install a package, you search for it, it just prints dumb stuff like 'apache2'
-
last1
no version, no subversion
-
last1
need to remember 10 000 switches for what should be a simple operation
-
voy4g3r2
the "value" of flexibility right there.. at the cost of simplicity
-
last1
they are just retarded, plus you need to know apt, dpkg, rpm, zypper or whatnot
-
last1
pkg search apache2
apache24-2.4.62                Version 2.4.x of Apache web server
-
last1
FreeBSD is just beautiful
-
last1
not to mention that 6 days after some major CVEs, with 2.4.62 being out, Debian still sports 2.4.61
-
drg99
last1: it's just a little bit behind, not much, actually 2.4.61-1~deb12u1. Debian package search does not seem to work now, but if we look at Ubuntu it is almost the same
changelogs.ubuntu.com/changelogs/po…apache2_2.4.58-1ubuntu8.4/changelog with
downloads.apache.org/httpd/CHANGES_2.4.62
-
drg99
it only misses one CVE, CVE-2024-40898
-
last1
yeah but it's a pretty big CVE
-
last1
big enough to have compliance/audit companies breathe down your neck if their automated scanning tools detect you are out of compliance
-
deimosBSD
drg99: obviously, yes, you can do what you want in pure FreeBSD. It's a matter of the time to do it yourself vs. having preconfigured tools to make it quicker and possibly less error-prone
-
tjpcc
ok, I have a minimal reproduction of my problem, and I've confirmed that I can do this successfully on other FreeBSD machines:
paste.debian.net/plain/1324253
-
tjpcc
interfaces just can't find each other between host and jail across an epair
-
tjpcc
since I can do this successfully on other machines I can only imagine it's a problem with this VM? But how could I even go about diagnosing that?
-
drg99
last1, deimosBSD: yes, I was just thinking about it
-
mrelcee
I've got an odd one I'm trying to sort out. vm-bhyve, FreeBSD 14 and now 14.1. Debian CLI images that were made to boot under UEFI, ZFS on root, ZBM bootloader so it was easy to roll back a kernel.
-
mrelcee
What I have mostly works. However, often I have to restart it several times.. or connect with VNC, abort the boot countdown and either let it sit a bit or just keep retrying, because it just dies when it tries to boot root off the ZFS pool.
-
mrelcee
I've dd'd the image to real hardware. It boots every time. Fiddled in the EFI partition.. can't get it to reliably boot under bhyve
-
mrelcee
Not really seeing it as a Debian problem, with it always working on physical hardware.
-
mrelcee
For grins, I took a Manjaro Linux install and set that up the same; it boots every time. Just isn't ideal as I was avoiding the X desktop overhead..
-
mrelcee
Could be ZBM bootloader strangeness I suppose.. I've used a stock compiled release and gone the route of a custom compile.
-
mrelcee
Guess I could give booting it with QEMU and VirtualBox a shot.
-
mrelcee
When it dies, the VNC session dies. No errors ever make it to a screen; I see nothing in any logs.
-
scoobybejesus
tjpcc: are you supposed to be giving the bridge an IP address? I don't recall why that might be problematic, but I seem to remember you're only supposed to give an IP to either the bridge or the .. something else.. and it's usually the something else and not the bridge ... but my memory is failing.. hope that helps
-
tjpcc
scoobybejesus: yeah, I think you're right, I removed that
-
tjpcc
I isolated it to something in my jail.conf, because if I move that file out of the way I can get that minimal test to work
-
mrelcee
#debian points at bhyve.. I am almost there agreeing. There's a lot of parts in motion here to point fingers at.
-
rtprio
mrelcee: are those images public? I'd try one. I run Debian in bhyve but not with a zroot
-
mrelcee
No, it just exists on my server
-
mrelcee
I'd need to scrub some things from it to be comfortable sharing
-
rtprio
I understand
-
mrelcee
I had set it up as a template VM I could clone to create a new copy quickly if I needed to deploy a new VM.
-
rtprio
pre-installed?
-
mrelcee
Yes. With a shell script to go through and generate new system SSH keys and everything else, to set a hostname and make it a unique machine when I needed one.
-
mrelcee
That part works, once it boots.
-
dvl
When root has an sh shell, some rc.d scripts don't start (PATH related); with a csh shell, those broken rc.d scripts start. Now I'm searching for how to adjust the PATH on an sh shell to include (what I think is missing:) /usr/local/bin /usr/local/sbin. Ideas?
-
rtprio
do they run properly when started with 'service'
-
rtprio
?
-
dvl
rtprio: That is what I am using: "sudo service foo restart"
-
rtprio
I have never seen that before
-
Juliaaa
log_in_vain="YES"
-
Juliaaa
is this option good?
-
rtprio
Juliaaa: depends on what you're trying to accomplish
-
rtprio
net.inet.tcp.log_in_vain: Log all incoming TCP segments to closed ports
-
rtprio
I personally don't think it would be useful
-
debdrup
tcp(4) defines it as a sysctl, so setting it as a variable for rc(8) isn't going to do much good.
-
rtprio
it's one of those too: ./defaults/rc.conf:log_in_vain="0"
-
Juliaaa
I was told it's a good security habit
-
Juliaaa
"you should log connection attempts to ports without listeners/daemons. To do this simply add the following line to /etc/rc.conf"
-
Juliaaa
"Now, failed connection attempts to ports without listeners will be recorded to /var/log/messages."
-
rtprio
but it's not really actionable is it?
-
Juliaaa
I dunno
-
Juliaaa
that's why I'm asking you guys
-
vkarlsen
I do that in special circumstances, but not as a "habit"
-
Juliaaa
ok
-
rwp
Reading the recent scrollback... I always configure a firewall on hostile Internet-facing systems. That way malicious agents can't poke at anything except what is allowed. It protects against accidents: installing or exposing something when I wasn't thinking about malicious agents at the time I installed it.
-
rwp
I have always assumed that everyone installed one of the firewalls just as a standard operating practice when operating on the Internet. No?
-
rwp
I always test my systems using nmap to scan my own systems too. That way it will report to me and then I can review the ports and catch anything surprising.
-
rwp
dvl, Your report of PATH problems surprises me and makes me suspicious. "service" sets PATH to the same path that is used at boot time. If an rc script fails due to PATH when using service then it would also fail at boot time for the same reason.
-
dvl
rwp: It was confirmed: changing the root shell affected the success/fail of that rc.d script/service.
-
rwp
Ports installing rc scripts in /usr/local/etc/rc.d/foo and needing PATH set will, I presume, be required to set PATH, and when I look on my systems I see that those installing there (such as git-daemon in the git pkg) do.
-
dvl
rwp: they set PATH within their rc.d script?
-
rwp
Yes. I assume you will have git installed as a pkg somewhere: /usr/local/etc/rc.d/git_daemon
-
dvl
Confirmed, just tested it again. service foo restart: success. vipw, change root shell from csh to sh; service foo restart: fails (because 'env ruby' as the shebang fails).
-
rwp
That's specifically due to git being a wrapper and the actual commands being in libexec but still.
-
dvl
^ ruby? Not sure yet that it's ruby failing, I just know that the restart fails to launch the restart.
-
rwp
What's the exact error message from env ruby?
-
rwp
I would expect "#!/usr/bin/env ruby" to work for example.
-
dvl
Without revealing much: Could not find a JavaScript runtime
-
dvl
That's the problem so far; tracking down the exact cause.
-
ridcully
rwp: s/hostile internet facing// ftfy
-
rwp
I will happily run away from node.js stuff without too much curiosity.
-
dvl
The "change root shell from csh to sh" is an interesting fact though.
-
rwp
ridcully, You don't like capitalizing the word Internet? It's a defined named thing.
-
rwp
It's like if someone were facing me and described as "hostile Bob facing". :-)
-
rwp
Which would be different from "hostile bob facing" as I think that would be more generic. But yet if someone had a hostile internal LAN, such as between two companies working together but not trusting each other, than "hostile internet facing" would apply to the other entity. Sure.
-
rwp
s/than/then/ But on IRC we type in the moment and one can't get too obsessed with always correct syntax and grammar. We don't when we are talking face to face with people.
-
rwp
dvl, That is fascinating! I am very curious as to the detail of the problem. Please let me know! :-)
-
rwp
If the file is not executable and the shell is interpreting it itself then that would make different results.
-
rwp
dvl, Does it depend upon the setting of SHELL in the environment?
-
dvl
rwp: I do not know. The rc.d script runs a command, and that command launches some Ruby processes into the background. The rc.d script is /bin/sh, which launches a bash script, which runs some Rails stuff.
-
rwp
Ahem... /bin/sh would be a shell script and /bin/bash or /usr/local/bin/bash would be a bash script.
-
rwp
If it is /bin/sh then there is no bash involved there at all.
-
dvl
rwp: the rc.d script is a /bin/sh script. In there, it runs a bash script, i.e. it runs /usr/local/bin/foobar
-
rwp
Okay. Apologies.
-
rwp
The other thing I think of is that it would be an abomination and therefore likely if something is obtaining the user's login shell and running it on something.
-
dvl
We shall see. But not today. On to more urgent items.
-
rwp
Good hunting!
-
scoobybejesus
dvl, the same happened to me (well, maybe you described it differently). The script ran normally in FreeBSD 13-RELEASE. In 14-RELEASE, I kept getting something like "daemon: error php doesn't exist", or something like that. Eventually I realized it literally wasn't finding /usr/local/bin/php anymore. The PATH within rc changed.
-
scoobybejesus
but I think I'm surprised it happened to you now, since I thought you were on 15-CURRENT
-
dvl
scoobybejesus: This is at work and it's 13.2 (doing OK) and 13.3 (hit the problem with /bin/csh -> /bin/sh)
-
rwp
At this point I am suspicious of SHELL interaction since that's another likely offender.
-
scoobybejesus
I connect the /bin/csh -> /bin/sh issue with the upgrade from 13-RELEASE to 14-RELEASE, though I suppose that *only* changed the default root shell, so I suppose it shouldn't be related to changes in how rc scripts behave.. though I think there were changes to /bin/sh that made it capable enough to serve as the default shell
-
rwp
"capable enough to serve as the default shell" is what was said elsewhere too but I am curious exactly what subjective features these were? (Can't be objective about UI features.)
-
kevans
service(8) was fixed to operate in an environment closer to what scripts would run in at init time
-
kevans
I don't remember which release that was, though
-
rwp
I think "service" behaving as closely as possible to boot init time is the correct behavior.
-
gh00p
Hello. Some general advice, please. I've built a tool that creates and manages jail configs. I want to run it in different environments without having to customize the code. Should I add something like Ansible or Terraform as a dependency, or write something bespoke?
-
rwp
gh00p, there is no simple answer. It depends. For me personally, I do not use Ansible or Terraform but am using my own infrastructure. If something were to depend upon Ansible or Terraform then that would block me from using it. I imagine the same would be true of people using Salt or Puppet or Chef.
-
rwp
However, someone using Ansible or Terraform would probably like it because they are using Ansible or Terraform.
-
rwp
Those types of dependencies do make systems more rigid and inflexible, though. So regardless, my opinion is to avoid requiring such dependencies.