00:02:20 jmnbtslsQE: a TCP connection to port 443 can be established, but then it immediately gets reset.
00:03:39 jmnbtslsQE: stunnel is not running. only openvpn is. but as I said, as soon as the TCP connection to port 443 gets established, it immediately resets.
00:19:23 Oleg: sorry i was AFK
00:23:16 your vpn server is prepared to use the openvpn protocol only, so i don't see how stunnel can help. at best, if your ISP is filtering based on DPI, if openvpn uses TLS in the way that stunnel is able to, you might successfully negotiate a TLS session using stunnel. but to the extent that this resembles what you would already get with openvpn, it won't work, since it's already blocked by your ISP.
00:25:32 we don't know if that reset is coming from expressvpn (who are blocking it in a weird way by allowing a connection then resetting) or if your ISP is interfering and injecting that reset. not sure how broken your ISP is
00:28:10 i would think, unless something indicates otherwise, that the 443 reset is coming from that remote host (from your vpn provider)
00:28:46 is this host in China?
00:29:59 jmnbtslsQE: at home, I can successfully connect to Express VPN using the default ovpn file it provides. in its default file, the connection is established on port 1195 over udp. but when I am not home, but at the location where I need to connect to express vpn, I can't use that default file. I guess it means at that location, the ISP's firewall rules prevent me from connecting to express vpn over
00:30:01 that udp port.
00:31:28 OK, that sounds plausible
00:31:56 i think you should contact your VPN provider's support to ask about alternatives to connect based on your specific situation
00:32:25 and/or consult the networking channel on this network
00:35:27 re-reading what you said above, 443 is probably reset because you're running openvpn over it and whatever application is on the other end (such as a webserver) does not accept that and immediately closes
00:36:08 hmm actually no that's wrong. if you get a RST then it's different
00:37:01 anyway, ask your vpn provider
01:07:19 jmnbtslsQE: a customer representative just wrote to me: "ExpressVPN servers listen on a range of different ports, and our apps might try connecting to any of these ports. Please set your firewall to allow outgoing connections to the following destination ports:
01:07:21 • tcp443
01:07:23 • udp1195
01:07:25 • udp1198
01:07:27 • udp10088 to udp10098
01:07:29 • udp10188 to udp10198
01:07:31 • tcp10288 to tcp10298"
01:14:41 I don't know anything about this particular VPN but normally I would use a UDP protocol for a VPN if possible. But if your ISP is blocking you then TCP on port 443 is the usual escape since if they block it then people can't use the web and complain.
01:15:30 I assume this means you got past the Linuxulator problems of it being a Linux specific binary and now have it running on FreeBSD okay?
01:19:24 rwp: at home, I was always able to use the default ovpn file (whose configuration settings establish a connection to port 1195 over udp) and had no problems connecting to express vpn. but at the location where its ISP has its own firewall rules, I wasn't able to establish a connection to this port. And yes, I stopped thinking about anything linuxulator-related and now want to try to use native
01:19:26 FreeBSD tools to establish a connection to the vpn when I am at the location where that evil ISP rules.
01:21:39 rwp: I am at home now, and having problems connecting to port 443 over tcp
01:22:44 But the web works with https to sites? That's TCP to port 443.
01:23:35 And https is encrypted so the ISP should not be able to deep packet inspect it. (Probably.)
01:24:26 rwp: you are asking me if I can browse web pages at that location controlled by that evil ISP? Yes, I can, though many web pages are still inaccessible because of the firewall rules
01:25:08 This does truly sound like an Evil ISP.
01:27:09 that useless express vpn customer representative I just spoke with doesn't even know what modifications I should make to their ovpn file in order to connect to port 443
01:27:12 I also don't know exactly what you mean when you say the TCP connection fails. I'll give an example of an https connection. One can use "openssl s_client www.freebsd.org:443" to connect to the https port encrypted, using openssl's s_client for handling the encryption. Then one can say "GET /" which is HTTP protocol syntax to get the root web page. It will then emit the top level web page.
01:27:49 In between there the program will dump out all of the debug details of the encryption to the https certificate.
01:29:04 As far as how to configure OpenVPN to use TCP instead of UDP, that's just a matter of saying "proto tcp" in the OpenVPN configuration file rather than "proto udp".
01:30:17 I gave that manual openssl s_client example just as an example of a manual way of "connecting" to port 443 on a web server system. But ExpressVPN presumably will have an OpenVPN server listening on that port 443 rather than a web server. And then another OpenVPN client can connect there. Presumably.
01:31:10 rwp: the customer representative claimed tcp port 443 is accessible. but after adding "proto tcp-client" to the ovpn file and adding "remote usa-newyork-ca-version-2.expressnetw.com 443", I still can't connect to the vpn. and this is at home, where there are no evil firewall rules.
01:31:38 Hmm... Sorry. No idea.
01:31:39 getting called afk bbiab
02:14:15 those fucking assholes confidently claim that a connection can be established to tcp port 443. and yet they can't even tell me how to modify an ovpn file if I want such a connection to happen.
02:15:19 I don't have any stupid firewall rules at the location where I am now (home), and yet I can't establish such a connection
02:44:01 okay, now they told me that openvpn clients only support connections over udp
04:00:38 https://openvpn.net/community-resources/how-to/ search down for TCP
06:13:11 i keep reading OpenVPN as OpenVMS and being briefly interested
06:16:24 Honestly I would be briefly terrified.
06:41:52 hi there, my freebsd server is not booting properly in multiuser mode: i get this:
06:41:54 https://ibb.co/TcmyPjr
06:41:56 https://ibb.co/PjwHJjS
06:41:58 can somebody help
06:42:07 it boots into single user mode though
06:56:22 You are getting a kernel panic at boot in multiuser mode but not in single user mode. That makes me think that one of the kernel drivers being loaded is out of sync with the kernel.
06:57:15 If you are loading drivers with kld_list in /etc/rc.conf I would boot single user mode and then comment out or otherwise remove that line from rc.conf. Same thing for any non-base drivers in the /boot/loader.conf file.
06:57:28 Then it should boot into multiuser mode successfully.
06:58:18 Then, assuming that's the problem and fix, debug the driver problem. Probably loading a driver from ports. What freebsd-version -kru is installed and running?
06:59:23 Also assuming you have ZFS then Boot Environments can help. At the "Beastie" boot dialog select the previous Boot Environment to return to a file system clone fork of what was previously running and it should boot, running the previous system before the upgrade which broke things.
06:59:51 That's all making some assumptions. And that's all I have. It's very late here and I must sleep. Good night!
07:00:00 And also good luck! :-)
09:52:50 Hi, I've got an IPC running FreeBSD with two network interfaces, igb0 and igb1. igb0 is being used for EtherCAT. igb1 is connected to a router. The default router is binding to igb0 and so I have no internet access. If I manually delete the route and re-add it I can access the internet by passing `-ifp igb1`, but I can't get this to work from my rc.conf. Anyone know how to get it to bind on the right interface please?
10:08:56 Got to the point where it doesn't work at boot, but if I manually restart networking and routing it then works. =/
10:54:05 I have an embedded device which uses FreeBSD 12.2 as an OS. This device has two serial ports: https://paste.debian.net/plainh/9bd747ca As seen in the dmesg output, the "uart1" is considered as "console" and "uart0" is not. /etc/ttys has lines "ttyu0 "/usr/libexec/getty 3wire" vt100 onifconsole secure" and "ttyu1 "/usr/libexec/getty 3wire" vt100 onifconsole secure". I can change the
10:54:06 "onifconsole" to "onifexists" for ttyu0 in order to have serial access on both serial ports, but what might be the reason that by default, only one of the serial ports is considered as "console"? Could this be set in the kernel configuration? Somewhere else?
11:05:08 mrtnt: serial port requires 0x10 flag and by default it's set on uart 0
11:06:13 AFAIK only one serial can be configured as console
11:27:13 mzar: oh, ok. I was hoping that perhaps it's possible to configure multiple serial ports as "console". I did try with https://paste.debian.net/plainh/cb1468fb configuration where I added the 'hw.uart.console="io:0x2f8"' line, but looks like it is simply ignored.
11:34:51 hello everyone, i was recommended freebsd and just wanted to come here to see what the community is like
11:42:20 welcome to the jungle
11:46:44 bool: cool, who recommends FreeBSD to you ?
12:36:31 i'm trying to run a script from devd when my usb audio detaches, but it doesn't appear to run. i'm trying to stop the errors of "pcm: waiting for sound to exit" by changing inputs
12:36:38 i'm running the setup on attach
12:36:46 but, detach is happening out of order?
12:37:20 anyone else noticed a memory leak on 14.1 with zfs ?
12:37:25 https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=280671
12:52:59 no, userland leaks are more my thing
13:01:07 hrm, well if i use a notify action in devd, then it works, just spams the disconnect command a few times
15:00:04 Sep 26 10:55:07 shodan sshd[30193]: error: Fssh_kex_exchange_identification: client sent invalid protocol identifier "GET / HTTP/1.1"
15:00:24 So someone's attempting to do HTTP on my SSH daemon?
15:00:32 Who are these morons?
15:02:58 CrtxReavr: Are you on a non-standard SSH port?
15:03:45 Nope.
15:15:54 CrtxReavr, that's bog standard port scanning. I see it often.
15:39:13 just script kiddies bangin on your door
15:39:53 there's an old script which lets you bang back
16:37:00 damn. wish intersystems iris (formerly cache) was supported on freebsd
17:00:08 * Ober ponders why firefox has no openh264 plugin.
17:08:18 Install vlc.
17:17:17 for webes
17:17:20 webex
17:17:56 Have you tried the WebEx client?
17:19:00 the linux one?
17:19:08 Yeah.
17:22:26 I've not tried it. . . though they have both a .deb & .rpm package: https://www.webex.com/downloads.html
17:22:56 yeah it wants libc.so.6
17:23:26 In the linux environment, you mean?
17:23:49 yeah I've had it in /compat/linux/opt/Webex/bin and it wants a newer glibc
17:26:39 if I chroot as root it seems to try to do the right thing, but exits
17:28:49 oddly chromium works, but won't articulate the audio devices, as it once did. e.g. no selection choices for usb mic, or audio devices. Firefox does however, but it's lacking openh264, which is installed.
21:10:25 do you use some sort of fail2ban for SSH?
21:10:41 I only disabled root login, and disabled password login
21:10:49 I think that should be safe, as long as SSHD is new enough
21:11:03 also i run a non-standard port, just to get fewer tries :P
21:36:20 rwp: it looks like this thing will be a solution to my problem: https://www.amazon.com/Aircove-Portable-Protect-Unlimited-ExpressVPN/dp/B0CM6VL4PS
21:38:10 Uhm... Sure. I know nothing about it. But it seems that a hardware device should do it. It would certainly avoid the Linux only binary executable problem.
21:39:07 If the ISP is blocking ports through, and that seemed to be what I was reading in the scrollback buffer, then ISP port blocking will still be a problem.
21:42:51 rwp: this router makes use of the lightway protocol. Express VPN doesn't allow openvpn connections to port 443, but lightway can connect to port 443, which that ISP permits connections to.
21:43:24 I know nothing. But good luck! :-)
21:43:30 yeah
21:45:10 Oleg: is your magic port > 1024?
21:45:52 pretty neat. freebsd affected, it seems. https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/?s=09
21:47:04 yourfate: the advice tends to be to use blacklistd, since it's integrated and more efficient. no log parsing by a python process
21:47:25 i feel like it would be easier to change vpn providers
21:47:32 and probably cheaper than $169
21:47:35 but sure
23:33:44 Hi!, I did this many times without issues, but on this 14.1 server I cannot. I simply can't change the default shell of one user to /usr/local/bin/bash. I mean, I can execute: chsh -s /usr/local/bin/bash my_user and it looks like it works, but after re-login I run echo $SHELL and it still shows /bin/sh
23:34:26 martinrame: 1) show output of 'getent passwd my_user' 2) try 'pw usermod my_user -s /usr/local/bin/bash' which is the more normal way to do that
23:35:13 ivy: yes, it shows /usr/local/bin/bash
23:35:29 but I don't understand why the SHELL environment var isn't showing that.
23:35:34 how are you logging in?
23:35:41 ivy: from ssh
23:35:54 anything unusual like LDAP/AD/sssd/...?
23:36:12 ivy: no, just plain old ssh my_user@server
23:36:47 when you log in, is it actually running /bin/sh, or is it just $SHELL that's wrong? `echo $BASH_VERSION` should confirm if it's bash or not
23:37:21 ivy: echo $BASH_VERSION is empty. It's running /bin/sh
23:37:41 that's strange
23:37:52 do you have other users using bash where it works?
23:38:35 if you're running nscd, try `service nscd restart` and see if that fixes it
23:38:44 ivy: wait. I did go to root with: sudo su, then, from there su my_user, and then echo $SHELL and it shows /usr/local/bin/bash.
23:39:03 ivy: it only has two users, root and my_user.
23:40:29 hmm
23:40:44 can you reboot? just to check it's not being cached somewhere weird
23:41:32 ivy: yes, rebooting did the trick.
23:42:10 that's strange though, reboot should not really affect that
23:42:23 nscd is the only thing i can think of that might cache the user's shell
23:43:17 ivy: yes, and it never should be the way to fix this.
23:43:46 ivy: anyway, it works.