-
mns
Is there an easy way to tell if I have something installed from ports vs pkg? I don't believe there is, but just wanted to check.
-
yuripv
mns: maybe use `pkg info pkgname` and check annotations, it should show the built by string
-
mns
yuripv: thanks! I'll try that out
-
yuripv
mns: e.g. zsh that I installed using `pkg install` has 'built_by : poudriere-git-3.4.1-30-g79e3edcd' and portconfig that came from ports simply doesn't have the line
-
yuripv
as well as repository, repo_type, and other fields
-
mns
ahhhh so look for missing repository, repo_type and built_by and that should tell me.
-
nimaje
well, ports are built into packages and then installed via pkg, but yes if you use the ports tree via make then it won't come from some pkg repo
-
danel1
We're currently trying to understand the impact of FreeBSD-SA-24:14.umtx. To my current understanding, there is a malicious software needed, which has to be run on the host itself (local user). Therefore it would, usually, run in the context of the user and priv escalation would be quite hard i guess?
-
danel1
Any other insights / opinions?
-
remiliascarlet
Demosthenex: "poetteringfnurt has moved on to M$" He did confirm that he'll continue working on systemd and all his other Linuxism tools while he's at Microsoft.
-
nimaje
well, find some RCE somewhere and chain it in front, like with most priv escalations
-
remiliascarlet
Not like it even makes any difference anyway, because the Linux space is already mostly controlled by Microsoft's billions of dollars anyway.
-
sidh
Greetings
-
mikewilzn
Hello
-
sidh
I am upgrading 13.2 to 14.0 (and then 14.1) -RELEASE VM (proxmox, bios, zroot) and I read for 14.0 that updating bootcode was necessary. I just finished the upgrade without updating the bootcode (I fear not being able to boot in previous release Boot Environment), and the 14.0 BE has booted flawlessly.
-
sidh
Is it really mandatory to upgrade the bootcode ?
-
kevans
yes
-
sidh
and if I do so , will I be able to boot previous 12.X / 13.X BE ?
-
kevans
maybe less so for BIOS, but UEFI for sure. we're starting to have to annoy people because of old as shit loader.efi
-
kevans
i can't think of any backwards incompatible changes we've made in the bootcode in a while
-
sidh
ok
-
sidh
thank you kevans
-
mikewilzn
Where are example configs generally stored? Like for prosody for example?
-
isley
/usr/local/share/examples might have what you want.
-
mikewilzn
Ah thank you, looks like the prosody port doesn't provide an example config file though
-
debdrup
Can I ask someone to install audio/fooyin and check if it gives them database errors when launching?
-
nimaje
example configs are often stored where the real one would be stored, but get a .sample postfix
-
debdrup
mikewilzn: pkg list can sometimes show them if they're not stored in /usr/local/share/examples/ (though that is where they're intended to go, so it's a good chance to get your feet wet with a fix)
-
sixpiece
hello I am having trouble connecting via ssh
-
sixpiece
this is the client side
-
sixpiece
that's the client side
-
rtprio
is PermitRootLogin turned on?
-
sixpiece
yes
-
debdrup
It's failing on receiving a reply on a key exchange, so I'm guessing there's some MTU fuckery going on?
-
rtprio
'yes' or 'prohibit-password' ?
-
debdrup
That's purely speculation at this point.
-
sixpiece
it was working for years and all of a sudden it stopped the last day with no reason
-
debdrup
Alternatively, I suppose, it could be because the machines don't agree on which keys are supported, possibly because the client was updated while the server wasn't (or the other way around, though that's more unusual in my experience).
-
rtprio
yeah, perhaps try a different client?
-
debdrup
If it's the latter, you need to specify a keyalgorithm with the -o flag that they can both agree upon.
-
debdrup
Usually ssh is a bit better about informing about not being able to negotiate an algorithm they both agree upon, but it's possible it can fall through the cracks.
-
hadret
sixpiece: did you bump server side recently? it has a lot newer SSH (9.7 vs. 8.1 on the client)
-
sixpiece
the only thing I did that could have upset things really was installing opendkim and pkg update
-
sixpiece
and I rebooted also
-
debdrup
Jim and Allan on 2.5Admins have a great point; OpenSSH is one of those things that could benefit from having a version and a protocol version tied to years, because that makes it a lot easier to see when something's old.
-
debdrup
OpenSSH 8.1 is approaching 5 years.
-
sixpiece
so what can I do?
-
debdrup
update your ssh client to start with
-
sixpiece
it's all microsoft clients as far as I know
-
debdrup
then go yell at them and stop asking in #freebsd ?
-
sixpiece
lol I meant I think it's a freebsd server error
-
debdrup
that's yet to be determined
-
debdrup
anyway, there's much newer versions of openssh for windows out, so update your client first.
-
hadret
the only somewhat relevant errors I can see in that log are for trying to find ssh keys, have you got keys in this path? C:/Users/pkagan/.ssh
-
sixpiece
no worries I am trying now on a freebsd virtual machine
-
sixpiece
same issue
-
hadret
OK, your SSH key, is it rsa?
-
sixpiece
how to find out?
-
sixpiece
I'm not sure
-
hadret
beginning of your public key will tell you
-
hadret
ssh-rsa, ssh-ed25519 for example
-
debdrup
aren't those errors normal when not using ssh keys?
-
hadret
wait, sixpiece you are not using ssh keys?
-
sixpiece
I am not using keys no
-
debdrup
sshing to root usually means someone isn't using best practices like using ssh keys...
-
hadret
not judging, it just surprised me
-
hadret
question about PermitRootLogin was already asked
-
hadret
can you check what is it set to in sshd config file?
-
noobaroo
Hi, i downloaded the memstick .img of FreeBSD and im trying to boot it with Ventoy. It starts and says a ton of stuff, but then eventually I'm left at a prompt called mountpoint>
-
DusXMT
a mechanism like fail2ban is a must when not using keys to log in as root
-
noobaroo
It wants me to enter the path of the root device
-
noobaroo
At the freebsd boot menu i typed `lsdev` and it showed the FreeBSD_Install partition was at disk3-2a
-
debdrup
DusXMT: fail2ban isn't necessary, support for blocklistd is built-in
-
debdrup
it's also a lot more efficient than fail2ban, since it doesn't rely on essentially just grep'ing log files
-
DusXMT
debdrup: Good to know! I've only ever used fail2ban in this situation, at my previous job
-
» DusXMT doesn't like not using keys for ssh login
-
debdrup
blocklistd is just general good practice, because security isn't just accomplished by doing one thing, it's about defense in depth
-
noobaroo
The mountpoint> prompt gave some examples like "ufs:/dev/da0s1" and "iso9660:/dev/da0s1" so I tried to convert disk3-2a to this format and I typed "ufs:/dev/da3s2a" to no avail. And there are no cmdline utilities that work on this prompt.
-
sixpiece
well I require that the ssh user have my ip address
-
debdrup
noobaroo: if you're being dropped to a mountroot prompt on the install medium, it sounds like something got messed up (by Ventoy?); can you try booting the image directly?
-
DusXMT
debdrup: That is true, I'll investigate it when I'll have some free time
-
noobaroo
debdrup Not anytime soon, its a 64GB USB and it has lots of other ISOs I use for rescuing... I definitely don't overwrite the drive
-
debdrup
noobaroo: might be worth trying one of the other images, then?
-
noobaroo
Also the speeds avg at 7.7 MB/s so it's not easy to swap stuff around
-
noobaroo
Okay. That sucks because I downloaded this overnight.
-
noobaroo
Maybe they should put a warning that the images are not compatible with Ventoy?
-
debdrup
Well, I don't know that we know that's the case for certain.
-
debdrup
If it is an issue, I'm guessing it's with ventoy, rather than FreeBSD.
-
debdrup
What version of ventoy are you running?
ventoy/Ventoy 4527e1db7923 seems to have made changes fairly recently.
-
sixpiece
what can i do?
-
sixpiece
seriously nobody has an answer? I moved the server up to debug3 or something nothing is giving a hint
-
sixpiece
error : Fssh_kex_exchange_clarification red connection reset by peer
-
debdrup
connection reset by peer sounds like a firewall issue
-
sixpiece
natd not running give a hint?
-
noobaroo
Im using the latest... i doubt its a ventoy thing. Maybe my img file is corrupted. I extracted the .img.xz and I kept trying to mount the .img, to look at the rootfs layout, but it kept saying "bad superblock". and when I checked with parted /path/to/freebsdimagefile.img , it said it had 2 partitions, the first was fat32, and the second unknown
-
noobaroo
I figured that maybe its just some freebsd specific filesystem type and thats why it didnt recognize
-
noobaroo
But maybe its corrupt.
-
sixpiece
any other ideas
-
sixpiece
?
-
|cos|
sixpiece: what's your root password, let us try? ;) nah. seriously though, have you tried from different networks? can you login to other servers? from other clients?
-
sixpiece
yes good question
-
sixpiece
my root password is 7Gq%9yCztQhOzpRCDj but don't tell anyone
-
sixpiece
try it only once I guess
-
rtprio
...
-
debdrup
at least it includes a non-alphanumeric character? :V
-
sixpiece
and to answer your question I just signed into a different server in Hamburg so it works with other networks
-
debdrup
so, mtu or firewall issue is more likely then
-
debdrup
also, natd has nothing to do with firewalling, that's port translation
-
sixpiece
ok thank you
-
shbrngdo
I reported bug a day ago but for some reason did not find (closed) duplicate. thing is, the header file 'setjmp.h' needs deleting (but there are two...?) this also should be in UPDATING. Anyway: "this is because the old copy of /usr/include/c++/v1/setjmp.h must be deleted upon an upgrade" (starting with FBSD 14.
-
» |cos| would probably collect some pcaps with wireshark if being stuck, but chances they'll say much is low
-
shbrngdo
if updating to 14 a lot of graphics ports break
-
shbrngdo
(unless you delete the header)
-
johnbristol
Before I decide to try poudriere may I check - is there an online generic amd64 binary repository which parallels the ports? I'm aware I'd miss the chance of changing options but I'd do that too if I were compiling on this slow laptop.
-
rtprio
johnbristol: you mean like pkg.freebsd.org ?
-
debdrup
shbrngdo: the bug report (from June?) mentions a lack of running `make delete-old`, so I'm not sure what the issue is?
-
johnbristol
rtprio: yes, like that. Except that one has the base system and I'd like to use pkg to install binaries of anything from the ports tree. And if there's a bigger repository out there that someone's maintaining that would do it. Otherwise I have a lot of compiling to do.
-
johnbristol
rtprio: I installed fbsd yesterday, I know I'm uninformed but I'm reading the documentation.
-
|cos|
johnbristol: Unless I'm misunderstanding, pkg.freebsd.org does deliver binary distributed builds of the ports tree, not base.
-
rtprio
johnbristol: yes, the base system is not (yet) distributed with pkg
-
rtprio
what are you trying to do?
-
|cos|
johnbristol: try `pkg install hello` and compare it with what you find in /usr/ports/misc/hello on any machine with the ports tree installed.
-
yourfate
so I just upgraded the boot zpool on my 14.1 server, now it says I have to upgrade. just to double check: I think I have a GPT scheme, so I'd use this: `gpart bootcode -b /boot/pmbr -p /boot/gptzfsboot -i 1 ada0` from GPTZFSBOOT(8)
-
yourfate
where ada0 is the partition labeled freebsd-boot in gpart show?
-
johnbristol
rtprio,|cos|:I'm trying to install several browsers instead of just firefox, so I tried waterfox. That's not found on pkg but it exists on the ports tree. pkg search browser only shows firefox. I assumed the pkg system had access to significantly fewer packages than the ports tree - I may just have missed something though.
-
rtprio
johnbristol: some don't build in the ports cluster for whatever reason
-
rtprio
you can also install packages on some of the requirements so you'd have less to build yourself
-
|cos|
johnbristol: Are you sure it's in ports? `find /usr/ports -name "*waterfox*"` returns empty for me. It might be versioning at play, perhaps?
-
rtprio
cd /usr/ports/*/waterfox; make install-missing-packages; make install;
-
johnbristol
rtprio: I was trying to stick to "pkg or ports but not mixed except for edge cases" as a philosophy. If pkg really does have several gui browsers I'll stick with that but I couldn't find any other than firefox.
-
rtprio
i don't know who started that philosophy but it is wholly unnecessary
-
johnbristol
rtprio: there are extensive battles when I google around it, that's all I have to go on really.
-
rtprio
if it's something you want to limit yourself with, then okay
-
rtprio
otherwise, depending on your system speed, prepare to heat up your cpu
-
johnbristol
rtprio:No, I'm just learning a bit at a time. Are there in fact several browsers available with pkg and I just haven't found them?
-
» |cos| hadn't heard of waterfox, but commit 8bbfbba7 of the ports tree suggests it is hard to install for a reason. (badly security patched)
-
johnbristol
If I can acquire perhaps four with pkg I'll be happy.
-
johnbristol
I'm quite used to compiling, I use Slackware on several machines
-
rtprio
pkg search browser
-
johnbristol
that's what I did, it showed me just firefox
-
rtprio
surf-browser-2.1_3 Simple Web browser based on WebKit2/GTK
-
rtprio
qutebrowser-3.2.1 Keyboard-focused browser with a minimal GUI
-
rtprio
otter-browser-1.0.03_2 Browser based on Qt 5
-
|cos|
johnbristol: www/chromium, www/firefox-esr www/badwolf www/ladybird
-
johnbristol
rtprio:and lynx and links, yes. I suspect I was expecting to find gui browsers I'd heard of.
-
johnbristol
but thank you both, I clearly did something wrong when installing fbsd. I'll do it again and see what changes. Thank you both.
-
sixpiece
hello I am getting a signal term 15 on my ssh server being sent
-
sixpiece
any ideas what to do?
-
rtprio
what makes you think you did something wrong when installing?
-
sixpiece
I want to be able to connect to my ssh server
-
rtprio
sixpiece: you might need to use the console to see what's up
-
sixpiece
what do I do?
-
sixpiece
I'm on the computer now
-
johnbristol
rtprio:because I can't see the browsers you've both displayed when I type pkg search browser
-
rtprio
which version did you install?
-
rtprio
did you `pkg bootstrap` and `pkg update` ?
-
|cos|
johnbristol: i did `pkg search www/ | grep browser`
-
johnbristol
FreeBSD-14.1-RELEASE-amd64-memstick.img
-
sixpiece
it's maybe an update that failed
-
ZedHedTed
badwolf? is that a bad fork of librewolf?
-
johnbristol
`pkg bootstrap` no, `pkg update` yes
-
|cos|
ZedHedTed: I've honestly never heard of it. As far as I simplify the world there are only two browsers, and the web is dead.
-
sixpiece
that fixed it
-
rtprio
also, it's not like the browser offerings are that much different than say linux. there's nothing novel about it.
-
rtprio
sixpiece: what fixed it?
-
sixpiece
freebsd-update install
-
rtprio
oh, great
-
sixpiece
yes was an easy fix
-
sixpiece
does anyone know why an email sent to me via sendmail used a different ip address from an email sent to someone else?
-
noobaroo
how many people actually main freebsd on their desktop?
-
johnbristol
rtprio:I use several browsers to conveniently allow me to log into a forum I admin with several logins active at once. I've looked at bsd installs every couple of years to see where they stand, this is my latest look. I got on quite well up until this.
-
sixpiece
sorry to get on the less major issue but curious on this
-
sixpiece
trying to make a contact form
-
noobaroo
I'm really surprised this channel is the most active channel I'm currently in over the past 1hr, and im in 5-6
-
rtprio
noobaroo: i used to, when i had the hardware for it
-
rtprio
johnbristol: oh. i use chrome profiles for that sort of thing
-
|cos|
johnbristol: While I admire you for running multiple alternatives, your life might become easier if using user profiles. Are you aware of them? Both chrom* and firefox have such stuff.
-
ZedHedTed
noobaroo: i'm in 18 channels and some are almost as active as this one rn
-
ZedHedTed
|cos|: it's basically mozilla vs screwgle now. mozilla's the winner only bcuz it's not forcing manifest v3, so adblockers will still work.
-
|cos|
ZedHedTed: With a bit of luck LadyBird will cut a piece out of webkits market share once it matures. Inshallah.
-
johnbristol
rtprio,|cos|:It's a habit I fell into. They're useful for testing my web code too, and SeaMonkey is my email client. Having a small battery of them active just grew.
-
noobaroo
ZedHedTed: wow. so how many people are using on desktops?
-
noobaroo
do you personally main freebsd for desktop use ZedHedTed ?
-
noobaroo
Tbh I only downloaded freebsd to format a ZFS partition. On Linux, the whole_disk=1 label is only applied on actual whole disks. On FreeBSD it gets set to 1 even on partitions
-
ZedHedTed
noobaroo: i'm actually planning on dualbooting w/ ghostbsd once i buy a supported wifi dongle.
-
noobaroo
What are the benefits of FreeBSD compared to Linux?
-
ZedHedTed
no systemd, and linux is comparatively scattered - the kernel & packages come from 2 different teams for example
-
|cos|
noobaroo: Having an understandable and documented environment, possible to debug. As opposed to having systemd and friends which seemingly to 90% is a dice rolling art project of curated bugs.
-
ZedHedTed
ah yes, the documentation for freebsd (and openbsd) is great too.
-
mikewilzn
As far as practical differences, FreeBSD is just much more organized in my experience. Things are where you'd expect them to be, there are clearly defined methods of doing things, and boot environments and jails are awesome
-
» |cos| abandoned FreeBSD for Debian 2½ decades ago, but came back once systemd destroyed the latter.
-
mikewilzn
I still run Arch on my desktop and laptop and love it
-
mikewilzn
That's the beauty, you don't have to choose one and never falter on that choice
-
» |cos| runs Haiku on a laptop and loves it, but can't stay productive on that one.
-
» ZedHedTed runs MX Linux on his desktops and loves it
-
debdrup
It'd be nice if we could talk more about FreeBSD, and less about Linux, in #freebsd.
-
sixpiece
ok how about answering my mail question
-
sixpiece
:)
-
sixpiece
or giving me a lead on that at least
-
sixpiece
I'm trying to send mail and it seems like it sends it from many different ip addresses I don't get it maybe the packet filter off
-
sixpiece
let me see
-
sixpiece
hello sorry I was logged out if I missed anything
-
sixpiece
any word on the use of email ip addresses?
-
yourfate
for the `gpart bootcode -b /boot/pmbr -p /boot/gptzfsboot -i 1 ada0` command, do I just specify the drive, or do I specify the freebsd-boot partition?
-
mzar
freebsd-boot
-
mikewilzn
What networking strategy do you guys generally use for jails? Like do you keep most things internal and only have like your reverse proxy use host networking or what?
-
rwp
yourfate, The -i 1 part is the partition index of the partition.
-
mzar
mikewilzn: you can use a variety of strategies, from isolated jails, through jails with shared IPs, running in different FIBs to VNET jails
-
rwp
mikewilzn, I mostly create full VNET jails with their own network stack and a full LAN facing IP address.
-
mikewilzn
Yeah ik and the options are overwhelming me
-
rwp
Start small. Gain experience. Work up to more complicated configurations.
-
yourfate
rwp: aaah so ada0 would be the device
-
yourfate
makes sense, <3
-
rwp
And -i 1 will be ada0p1 on that device.
-
mikewilzn
rwp, so the whole VNET has a single LAN facing IP? Like not per jail?
-
mikewilzn
btw shoutout to this community here, very helpful and active
-
rwp
Uhm... It's per jail. Each vnet jail is more like a full virtual machine. Each has its own networking. And IP address.
-
rwp
I have been using virtualization for years on other systems. My initial use for jails was to create an isolated lab environment for devel and testing. This pulled me naturally into using vnet jails with a full network stack. So I could create several systems and test and develop them talking to each other on a truly private LAN that is all virtualized.
-
rwp
So you might conceptually think of a vnet jail as a full virtual machine with regards to networking. But otherwise the jail is lightweight like a chroot.
-
rwp
A non-vnet jail is the original type of jail. It shares the network stack with the host. It's really more like a chroot with regards to networking. The host and the jailed processes all see the same network.
-
mikewilzn
Ohh ok makes sense thanks. So like when I run `bastille create prosody 14.1-RELEASE 10.0.0.9`, that's creating a VNET?
-
rwp
I have not used bastille, though it is very popular, and I don't know what type of jail it creates.
-
rwp
bastille.readthedocs.io/en/latest/c…etworking.html#virtual-network-vnet says "To create a VNET based container use the -V option..." therefore I presume it is not a vnet jail because I do not see a -V option being used.
-
rwp
Reading
bastille.readthedocs.io/en/latest/chapters/subcommands/create.html that looks to create a standard jail with the shared network stack assigning 10.0.0.9 to it.
-
mikewilzn
Oh ok, I suppose I need to read up more on how the networking stack actually works generally
-
rwp
So... Just because one can assign a private IP address such as a 10.* or a 172.16 or a 192.168 address to a network interface that the address is "routable" on your network. That depends upon what subnet and gateway your network is already using.
-
rwp
*does not mean that the address is "routable"
-
rwp
The jail and the host can always connect. Two jails on the same private subnet can always connect. But they can only connect out to the LAN if they are using a compatible address and gateway assignment with the LAN.
-
rwp
If I am on a LAN using 192.168.7.0/24 and I assign 10.0.0.9 to a jail then that 10.* address won't be routable off the LAN. But if a 192.168.7.9 address were assigned with the appropriate associated gateway then it would.
-
noobaroo
cos I don't use systemd
-
noobaroo
err, |cos|
-
noobaroo
ill brb later
-
mikewilzn
rwp, ohh I see so a VNET is essentially like having another physical device on the network, whereas a standard jail is the same interface but routes traffic for multiple IPs
-
rwp
Exactly! You have it!
-
mikewilzn
At first I thought a VNET was just an internal subnet
-
rwp
It might be an internal device. It depends upon how it is plumbed into things using software bridges and such.
-
debdrup
vnet is a facility to have multiple completely isolated netstacks, which is useful when doing containers like jails.
-
debdrup
Without vnet, it's conceptually possible to escape a jail through a shared netstack - though so far as I'm aware there's no known exploits, let alone proof-of-concepts.
-
debdrup
Similarly, SysV IPC is also possible to completely isolate per-jail.
-
rwp
That's poking at the security of the system looking at it as a fancy high functioning chroot.
-
debdrup
chroot wasn't really meant for isolation, though
-
rwp
As far as escaping through the jail networking the usual way is using it as a jumphost from a public network to the private LAN and then probing other hosts on the private LAN which are normally not otherwise on the public host.
-
debdrup
What I'm talking about is exploiting the ability of running as root in a jail and using that to (theoretically, so a lot of handwaving is involved) get access to the kernel of the host, thereby escaping the jail isolation.
-
rwp
When learning these concepts it is useful to start small, build some fundamentals, and then build upon them. The chroot is the lowest fundamental concept-thing. Its focus is on exactly one thing. The root directory of the file system. That's all.
-
debdrup
In concept, jails have always been about isolating things (hence "confining the omnipotent root" being the title of the paper, as on a traditional unix-like has access to everything).
-
rwp
Then jails come along and namespace everything else. Which is why they are called fancy-chroots. And when learning these things it is useful to layer up from simple to more complicated.
-
debdrup
We don't really know why chroot was designed, though - no notes on it survive.
-
rwp
I am not aware of any jail shared network stack direct exploits to escape the jail but I am very much aware of cases where people have done things like put word press web sites in a jail and then wordpress is exploited and then attackers gain ability to probe the LAN from the jail and then used it to compromise other LAN hosts that were not expecting to be attacked from the hostile Internet.
-
rwp
Meanwhile mikewilzn is trying to get an understanding of networking with regards to jails and we are dragging the conversation off to advanced security issues.
-
mikewilzn
😂 so yeah basically I am planning to run nginx, a prosody server, and a few services that will only be accessible to the LAN, so I'm thinking VNETs for all WAN facing jails, and then just have the LAN only services on normal jails in like a 172 subnet
-
mikewilzn
If that makes sense. Eventually I wanna improve with actual VLANs for various stuff but I wanna start out fairly simple haha
-
rwp
Where will this service be hosted? Your basement underground facility? :-) A VPS at a hosting provider? Elsewhere.
-
mikewilzn
Yes my basement underground facility 😂
-
mikewilzn
I can't afford 100 TB in a VPS lol
-
rwp
I know several people who rent a VPS at the least expensive rate and then use it as a caching proxy for their larger storage at their house. Such as for hosting a family photo album and such. It's often done. And it works well that way.
-
mikewilzn
Well I should say I also prefer to truly self host rather than rely on another third party
-
rwp
Because to hosting providers adding cpu and ram is relatively cheap. It's just initial investment and it is done. But adding storage is expensive. Because storage requires ongoing maintenance. It needs RAID for reliability. It needs backup. And therefore hosted storage is always going to be more expensive than self-hosted storage.
-
rwp
The reason for the hosted VPS is to get a public static IP address which is not in a consumer dynamic address block.
-
mikewilzn
I don't technically have a static IP but it hasn't changed in over a year so
-
mikewilzn
For context I'm not new to self hosting. I just run everything on Docker>Alpine>Proxmox right now
-
rwp
Since you are planning on hosting in your own network then in the context of local jails and local VMs then you should be aware of the security ramifications that I mentioned above. If an attacker can wedge into the jail and the jail has access to your network then the attacker can probe your network too. From a direction that is not expected.
-
rwp
It would certainly be worse without a jail. But having it in a jail is not a complete security solution.
-
mikewilzn
Yeah I definitely plan to set up VLANs shortly after this
-
rwp
Personally I just think friends should not let friends run their own Wordpress site.
-
mikewilzn
Don't worry I'd never use wordpress 😂
-
mikewilzn
Planning to build a personal site with zola and host with nginx
-
sporiff
I probably run about 4 WP sites on one server right now
-
sporiff
It's not great
-
dch
any emacs users able to test the patch here for erlang mode?
bugs.freebsd.org/bugzilla/show_bug.cgi?id=260041
-
jb1277976
hi all.. Thinking of giving freebsd another shot. i stopped using it because i could never get sound working. hopefully things have changed.
-
JustBleedFan
jb1277976: Might try one of the FreeBSD versions that come with a GUI and desktop environment to easily check compatibility with your hardware. I put NomadBSD on a USB drive and then installed on my hard drive and my graphics works, sound works, wired internet works.
-
jb1277976
Thanks
-
jb1277976
JustBleedFan: how about wifi ?
-
JustBleedFan
Older Pentium D desktop I installed it on didn't have Wireless card anyway.
-
JustBleedFan
Boot NomadBSD from USB is an easy way to check. I have a couple of old Linksys wireless-G USB devices I could use I suppose if I had to. But that old desktop is wired anyway.
-
jb1277976
Thanks
-
ZedHedTed
JustBleedFan: wait, you installed NomadBSD on your hard drive, or FreeBSD? (i didn't think you could install NomadBSD)
-
JustBleedFan
I installed NomadBSD on a USB and it can run the OS from the USB. You can also then install it directly on your hard drive if you like.
-
jb1277976
basically the only thing i need is sound on my chromebook. sound works on all linux distros i know the BSD's aren't linux but it would be nice to have it
-
JustBleedFan
Well this is one easy and quick way to check that. NomadBSD is supposedly pretty much FreeBSD but comes with the installer and GUI and a large suite of great software. I consider it like the Linux Mint of FreeBSD.
-
JustBleedFan
Don't have to touch the command line or know much of anything to install it in case you are new to BSD.
-
jb1277976
Got it. Currently backing up this usb stick and will try
-
jb1277976
Naw i actually have installed freebsd and ran it for about 2 months straight. i had to purchase a sound/splitter to get sound working for speakers and headphones. just want to come back to see if anything has changed.. was about a year ago
-
JustBleedFan
I tried out of curiosity on my oldest desktop and I was a bit daunted to try the regular FreeBSD install manually. Seemed like a bunch of esoteric tweaking needed in many cases.