-
SponiX
Going to do a secondary machine for FreeBSD. If I get good enough with it, probably going to ditch Linux in favor of it
-
rwp
One FreeBSD machine is a gateway drug to having two FreeBSD machines.
-
beastie
ls
-
zip
oohhhhhh I think I've worked out why zfs is so handy for jails. `zfs send | zfs receive` is going to straightforwardly catch things like file flags, and on top of that, you can do differential updates between snapshots
-
zip
for a moment there I was like "why not just tarball the sucker when you want to move it", and while that'd probably work, it'd probably also be more of a pain in the ass
-
mason
zip: Depending on how much tooling you write yourself, you can also keep jail-specific metadata in ZFS properties, so the metadata ships with the storage.
-
rtprio
mason: clever idea; do you know if any existing jail management does that?
-
mason
rtprio: My own internal stuff does it. I think... iocage? does it?
-
mason
I also do it for local libvirt-based VMs.
-
mason
It's a useful trick.
-
zip
mason: oooh, that's neat
-
zip
I'm still not sure I won't eventually put my home server setup on a linux box with zfs, but certainly FreeBSD agrees with my sensibilities more than anything with systemd
-
zip
might just bhyve a linux for the awkward stuff
-
ivy
zip: if you like freebsd and don't use systemd, you could look at alpine or chimera (if you don't already know them... i guess everyone knows alpine)
-
ivy
s/don't use/don't like/
-
mason
zip: Well, given the channel we're in I won't recommend anything other than FreeBSD, but it's entirely possible to use a range of Linux systems without systemd.
-
zip
alpine's pretty fun
-
zip
I also like void
-
mason
Ah, you're aware then.
-
zip
my thinkpad has void on it, and other than my idiotic decision to not add any swap space it's been pretty great
-
ivy
can't linux swap to a file? or is this some void-specific thing?
-
zip
linux can swap to a file but it's a very bad idea to have that file in zfs
-
ivy
ah they have the same problem as us
-
ivy
i wonder what they did to make it work on solaris
-
zip
next time I partition a disk I'll probably put swap at the end, then a boot and a small zpool at the start, and then if I find my partition filling up it's not that painful to expand either of those
-
zip
at some point I asked in #voidlinux what the secret sauce was with xbps compared to other package management systems, and they told me that the secret sauce is that the maintainers put in the leg work to make sure things don't break
-
luke_jobless_sb
hello
-
luke_jobless_sb
I have jails where nginx proxies some of the servers in some jails, and all seems to work except it doesn't when I set antispoof in pf
-
luke_jobless_sb
what could be the cause?
-
ivy
luke_jobless_sb: if the proxy destination is on the local host you may be running into this from pf.conf(5):
-
ivy
Caveat: Rules created by the antispoof directive interfere with packets
-
ivy
sent over loopback interfaces to local addresses. One should pass these
-
ivy
explicitly.
-
ivy
not really sure though, i don't use antispoof because i prefer to write my own rules for that
-
ober
the pf on fbsd is pretty old though isn't it?
-
rtprio
it's diverged a bit from openbsd since it was imported
-
luke_jobless_sb
ivy: I am easy-going. I often try something if it is recommended. I don't need it though (do I?).
-
luke_jobless_sb
ivy: it sounds like some directives can be achieved by a longer line of pass/drop. Can they?
-
luke_jobless_sb
ivy: * many lines of pass/drop
-
ivy
luke_jobless_sb: i usually define a table with my public addresses and then do something like `block in quick on $inet_if from <local-networks> to any` which effectively achieves the same thing for Internet traffic
-
scoobybejesus
could consider adding set skip on lo to have pf ignore the loopback activity, right?
-
luke_jobless_sb
Whatever stupid thing you assume I have, it is a nice starting point. I touch pf rarely, once a month.
-
luke_jobless_sb
ivy
-
luke_jobless_sb
ivy: do you have a built-in flow chart in your head, or do you use something, when it comes to a new configuration?
-
ivy
i don't really understand the question
-
luke_jobless_sb
ivy: ignore the previous, please. Do you know of, and if you do, can you show me, your favorite documentation covering nat and rdr in detail?
-
luke_jobless_sb
also, can they be expressed in a plain table like you do for antispoofing?
-
ivy
i do not use rdr and have only a single nat rule so unfortunately, i do not know of any documentation for that other than pf.conf(5), sorry
-
ivy
in openbsd you can write rdr and nat in 'pass' rules, i am not sure if freebsd pf supports this
-
luke_jobless_sb
ivy: oh dear. OK. I read both of them, and I thought they were the same thing until you just said so
-
luke_jobless_sb
it doesn't mean that I suddenly realize everything and turn into a pf expert, you know?
-
luke_jobless_sb
I messed it up. So openbsd does not even support some of the syntax found in freebsd; it makes sense now
-
ivy
it's more like openbsd had a particular syntax when freebsd pf forked and later openbsd changed their syntax
-
ivy
imo the new openbsd syntax is better, but it requires someone to port it over to freebsd since our pf is a hard fork
-
ivy
we are also missing some features like nat64 :-(
-
luke_jobless_sb
ivy: I think that's gonna be a future problem when I copy-paste my pf to a later openbsd machine
-
rtprio
luke_jobless_sb: yeah, you'll run into some problems with that
-
luke_jobless_sb
rtprio: the realistic solution (one that does not require full porting) would be for someone to write a guideline for users about using only the intersection set of syntax in pf.conf
-
luke_jobless_sb
if you have written in those, how to change to something similar, and so forth
-
ivy
unless you plan to switch between openbsd and freebsd every week, using only the commonly supported syntax doesn't really make sense
-
ivy
just use the syntax for freebsd and if you decide to move to openbsd at some point you just need to rewrite the ruleset once
-
luke_jobless_sb
ivy: i don't really use openbsd.
-
luke_jobless_sb
ivy: can FreeBSD pf translate packets between ipv4 and ipv6 as you mention nat64?
-
psionic
when will FreeBSD finally replace that junk sendmail with postfix by default?
-
rtprio
it's replaced sendmail with something else
-
ivy
psionic: never, because now we have DMA which is fine for 99% of systems, and you can install whatever MTA you want from ports
-
ivy
the only thing left is to remove sendmail, which will happen at some point
-
ivy
(i wish it would happen sooner, but a lot of people still use it..)
-
ivy
also if you use pkgbase, just `pkg remove FreeBSD-sendmail\*`
-
rwp
I am okay with having the MTA in ports. Its update is decoupled from base then. And base is smaller. Having dma in base is more reasonable.
-
ivy
exactly
-
ivy
dma is already in base, it's already the default mta, problem solved
-
ivy
actually is it the default mta? i never even install sendmail on any of my systems so i'm not sure there
-
rwp
I still know two people in real life who use Sendmail for their systems.
-
rwp
It's easier to justify Sendmail moving to ports when Postfix is also in ports.
-
rwp
Hmm... Good question. I have had sendmail_enable="NONE" in my /etc/rc.conf for a while and so wouldn't notice regardless.
-
rwp
Yes. dma is default. Look at /etc/mail/mailer.conf file and it has "sendmail /usr/libexec/dma" and the rest as a default now.
-
ivy
yeah i thought so
-
rwp
And just a reminder that one never needs to modify /etc/mail/mailer.conf as installing /usr/local/etc/mail/mailer.conf will override it.
-
ivy
i was not sure because the postfix pkg-message still tells you to disable sendmail
-
rwp
That's the problem with stuff that is distributed across multiple places. It's hard to keep all of those places updated.
-
ivy
netbsd imported postfix into base and imo this is the wrong solution. i also dislike that they imported nsd into base.
-
ivy
i get that they're trying to replace old software (sendmail, bind) while preserving functionality but the world is different nowadays
-
ivy
it's not like you have to order a copy of /usr/contrib on tape from CSRG in order to install postfix nowadays
-
rwp
The one that I have to think three times about is ssh. Because ssh is in base. But one can also surf the wave of ssh in ports.
-
psionic
postfix is just really the go-to MTA on linux these days for large and small deployments as well; what else are you gonna use, exim, qmail? lol
-
ivy
psionic: dma, as we already said
-
rwp
But sshd is special in that most of us need it to log into remote systems. I wonder about the people who install sshd as a port. It then requires special handling at major release upgrade time.
-
ivy
dma is perfectly fine for 99% of systems, if you really need a proper mta, just type "pkg install postfix" and wait 10 seconds
-
rwp
I know several people who learned exim and don't want to use anything else. Meanwhile I do not like the configuration of exim and so I guess I am the opposite.
-
ivy
rwp: i'd be fine with removing sshd from base, except i think it does have an actual use which is that for a lot of people installing freebsd on remote systems (VPS, colo, cloud, ...) it's the one thing you need to set up everything else, so it's sort of justified
-
ivy
like, you can tell your colo provider 'just put the freebsd cd in and select sshd during install'
-
ivy
a bit more effort if you have to explain to them how to install and configure it from packages
-
rwp
I just think sshd being our connection tool makes it special. Whereas we can install and then bootstrap up without an MTA installed no problem.
-
ivy
also i do use openssh-portable from ports but i can't remember why now
-
ivy
i think it was something to do with Kerberos support? but i'm not sure exactly what since base sshd supports Kerberos also
-
rwp
You might be using openssh client from ports and sshd server from base. It's reasonable to split that. Better actually because it avoids the pitfall of sshd libs in base changing out from under it.
-
ivy
speaking of which i really do hope we can replace Heimdal with MIT Kerberos sooner rather than later
-
ivy
still using sha1 tickets everywhere because this is all freebsd supports is awful
-
ivy
rwp: no, i use both, i don't install freebsd base ssh packages at all
-
rtprio
ivy: at least it's not qmail
-
ivy
rtprio: at least what's not qmail?
-
rtprio
the mta in freebsd base
-
ivy
i don't entirely follow your comment as i think the mta in freebsd base (dma) is the best possible option out of all available options
-
ivy
so basically, at least it's not anything else at all :-)
-
rwp
ivy, I think rtprio's comment was simply a fun jab "throwing shade" on qmail. I would not read more into it.
-
rtprio
yes. MTA is one of those places where everyone seems to have strong opinions
-
rwp
At one time I started to read through the Exim configuration documentation. And then decided I didn't like it enough to spend the brain cells to learn it. Postfix is much more logically constructed and a better impedance match for the way I think about things.
-
mzar
my path was qmail -> exim -> postfix, but it was a walk taken many years ago
-
daemon
exim and nginx are both so inspired by perl they are both wonderful :D
-
rwp
I really like nginx. I don't think nginx and exim are in any way similar configuration thinking. I am on opposite ends of them.
-
rtprio
i also like nginx, but having a single line for a proxy config sold me on Caddy
-
luke_jobless_sb
has my use of nginx contributed to my joblessness? I haven't used others for years
-
luke_jobless_sb
I should though
-
luke_jobless_sb
I don't really know about smtp by the way. I should do some project
-
jgh
There's a #exim channel - but if I'm here, I can try to help so long as it's not *really* freebsd-specific
-
mns
for webservers my path was apache -> lighttpd and that was that. Much better configuration setup, etc. For MTA, it was sendmail -> postfix. I did look at exim as debian used that out of the box at the time, but like rwp, didn't like it enough to pursue it further. postfix made far more sense configuration wise and seemed less error prone.
-
ivy
i went sendmail -> qmail -> postfix because i was alive during the brief period when anyone used qmail
-
ivy
(like 1995 to 1998 or something?)
-
rwp
If qmail had been published with an acceptable license then probably we all would be running it now. But it was not. And so here we are. Fortunately postfix is very good.
-
rtprio
yeah, the config and file layout patterns were bonkers
-
ivy
i agree with rtprio, the idea behind qmail was good and it was well written but it was also terrible
-
ivy
postfix is qmail done right
-
ivy
i think even if qmail had had a better license we'd still all be using postfix