02:21:59 Going to do a secondary machine for FreeBSD. If I get good enough with it, probably going to ditch Linux in favor of it
04:21:51 One FreeBSD machine is a gateway drug to having two FreeBSD machines.
06:39:00 ls
11:19:35 oohhhhhh I think I've worked out why zfs is so handy for jails. `zfs send | zfs receive` is going to straightforwardly catch things like file flags, and on top of that, you can do differential updates between snapshots
11:19:54 for a moment there I was like "why not just tarball the sucker when you want to move it", and while that'd probably work, it'd probably also be more of a pain in the ass
15:47:16 zip: Depending on how much tooling you write yourself, you can also keep jail-specific metadata in ZFS properties, so the metadata ships with the storage.
15:55:13 mason: clever idea; do you know if any existing jail management does that?
16:01:52 rtprio: My own internal stuff does it. I think... iocage? does it?
16:02:13 I also do it for local libvirt-based VMs.
16:02:18 It's a useful trick.
16:37:11 https://freebsdfoundation.org/blog/strengthening-freebsd-addressing-vulnerabilities-through-synacktivs-code-audit/
17:01:35 mason: oooh, that's neat
17:02:46 I'm still not sure I won't eventually put my home server setup on a linux box with zfs, but certainly FreeBSD agrees with my sensibilities more than anything with systemd
17:03:04 might just bhyve a linux for the awkward stuff
17:03:22 zip: if you like freebsd and don't use systemd, you could look at alpine or chimera (if you don't already know them... i guess everyone knows alpine)
17:03:27 s/don't use/don't like/
17:03:30 zip: Well, given the channel we're in I won't recommend anything other than FreeBSD, but it's entirely possible to use a range of Linux systems without systemd.
17:03:30 alpine's pretty fun
17:03:32 I also like void
17:03:46 Ah, you're aware then.
17:03:50 my thinkpad has void on it, and other than my idiotic decision to not add any swap space it's been pretty great
17:04:06 can't linux swap to a file? or is this some void-specific thing?
17:04:47 linux can swap to a file but it's a very bad idea to have that file in zfs
17:05:02 ah they have the same problem as us
17:05:09 i wonder what they did to make it work on solaris
17:06:06 next time I partition a disk I'll probably put swap at the end, then a boot and a small zpool at the start, and then if I find my partition filling up it's not that painful to expand either of those
17:07:10 at some point I asked in #voidlinux what the secret sauce was with xbps compared to other package management systems, and they told me that the secret sauce is that the maintainers put in the leg work to make sure things don't break
19:06:34 hello
19:07:43 I have jails where nginx proxies some of the servers in some jails and all seems to work except it doesn't when i set antispoof in pf
19:07:57 what could be the cause?
19:09:02 luke_jobless_sb: if the proxy destination is on the local host you may be running into this from pf.conf(5):
19:09:04 Caveat: Rules created by the antispoof directive interfere with packets
19:09:04 sent over loopback interfaces to local addresses. One should pass these
19:09:05 explicitly.
19:09:16 not really sure though, i don't use antispoof because i prefer to write my own rules for that
19:09:41 the pf on fbsd is pretty old though isn't it?
19:11:03 it's diverged a bit from openbsd since it was imported
19:11:08 ivy: I am easy going. I often try if something is recommended. I don't need it though (do i?).
19:13:18 ivy: it sounds like some directives can be achieved by a longer line of pass/drop. does it?
19:15:54 ivy: * many lines of pass/drop
19:17:44 luke_jobless_sb: i usually define a table with my public addresses and then do something like `block in quick on $inet_if from to any` which effectively achieves the same thing for Internet traffic
19:24:32 could consider adding set skip on lo to have pf ignore the loopback activity, right?
19:25:48 whatever stupid thing you assume I have. it is a nice starting point. I touch pf rarely, once a month.
19:27:46 ivy
19:28:46 ivy: do you have a builtin flow chart in your head or may use something when it comes to new configuration?
19:29:00 i don't really understand the question
19:31:06 ivy: ignore previous please. do you know and if you know, can you show me your favorite documentation covering nat and rdr in detail?
19:31:38 also can they also be expressed in a plain table like you do for antispoofing?
19:31:43 i do not use rdr and have only a single nat rule so unfortunately, i do not know of any documentation for that other than pf.conf(5), sorry
19:32:20 in openbsd you can write rdr and nat in 'pass' rules, i am not sure if freebsd pf supports this
19:33:06 ivy: oh dear. ok. I read both of them. and I thought they are the same thing until you just said so
19:35:51 it doesn't mean that I suddenly realize everything and turn into a pf expert, you know?
19:38:41 I messed it up.
so openbsd does not even support some of the syntax found in freebsd. it makes sense now
19:39:47 it's more like openbsd had a particular syntax when freebsd pf forked and later openbsd changed their syntax
19:40:03 imo the new openbsd syntax is better, but it requires someone to port it over to freebsd since our pf is a hard fork
19:40:34 we are also missing some features like nat64 :-(
19:45:56 ivy: I think that's gonna be a future problem when I copy paste my pf to a later openbsd machine
19:46:19 luke_jobless_sb: yeah, you'll run into some problems with that
19:51:02 rtprio: the realistic solution (one that does not need full porting) would be someone writes a guideline for users about using only the intersection set of syntax in pf.conf
19:51:49 if you have written in those, how to change to similar and so forth
19:57:44 unless you plan to switch between openbsd and freebsd every week, using only the commonly supported syntax doesn't really make sense
19:58:05 just use the syntax for freebsd and if you decide to move to openbsd at some point you just need to rewrite the ruleset once
19:59:37 ivy: i don't really use openbsd.
20:17:56 ivy: can FreeBSD pf translate packets between ipv4 and ipv6 as you mention nat64?
20:20:12 when will freeBSD finally replace that junk sendmail with postfix by default
20:21:50 it's replaced sendmail with something else
20:34:16 psionic: never, because now we have DMA which is fine for 99% of systems, and you can install whatever MTA you want from ports
20:34:26 the only thing left is to remove sendmail, which will happen at some point
20:35:17 (i wish it would happen sooner, but a lot of people still use it..)
20:41:58 also if you use pkgbase, just `pkg remove FreeBSD-sendmail\*`
20:42:35 I am okay with having the MTA in ports. Its update is decoupled from base then. And base is smaller. Having dma in base is more reasonable.
20:42:56 exactly
20:43:04 dma is already in base, it's already the default mta, problem solved
20:44:48 actually is it the default mta? i never even install sendmail on any of my systems so i'm not sure there
20:44:56 I still know two people in real life who use Sendmail for their systems.
20:44:56 It's easier to justify Sendmail moving to ports when Postfix is also in ports.
20:45:45 Hmm... Good question. I have had sendmail_enable="NONE" in my /etc/rc.conf for a while and so wouldn't notice regardless.
20:46:30 Yes. dma is default. Look at the /etc/mail/mailer.conf file and it has "sendmail /usr/libexec/dma" and the rest as a default now.
20:46:57 yeah i thought so
20:47:04 And just a reminder that one never needs to modify /etc/mail/mailer.conf as installing /usr/local/etc/mail/mailer.conf will override it.
20:47:08 i was not sure because the postfix pkg-message still tells you to disable sendmail
20:48:33 That's the problem with stuff that is distributed across multiple places. It's hard to keep all of those places updated.
20:48:59 netbsd imported postfix into base and imo this is the wrong solution. i also dislike that they imported nsd into base.
20:49:17 i get that they're trying to replace old software (sendmail, bind) while preserving functionality but the world is different nowadays
20:49:48 it's not like you have to order a copy of /usr/contrib on tape from CSRG in order to install postfix nowadays
20:50:18 The one that I have to think three times about is ssh. Because ssh is in base. But one can also surf the wave of ssh in ports.
20:50:19 postfix is just really the go-to mta on linux these days for large and small deployments as well, what else u gonna use, exim, qmail lol?
20:50:53 psionic: dma, as we already said
20:51:01 But sshd is special in that most of us need it to log into remote systems. I wonder about the people who install sshd as a port. It then requires special handling at major release upgrade time.
20:51:25 dma is perfectly fine for 99% of systems, if you really need a proper mta, just type "pkg install postfix" and wait 10 seconds
20:52:33 I know several people who learned exim and don't want to use anything else. Meanwhile I do not like the configuration of exim and so I guess I am the opposite.
20:52:35 rwp: i'd be fine with removing sshd from base, except i think it does have an actual use which is that for a lot of people installing freebsd on remote systems (VPS, colo, cloud, ...) it's the one thing you need to set up everything else, so it's sort of justified
20:53:18 like, you can tell your colo provider 'just put the freebsd cd in and select sshd during install'
20:53:28 a bit more effort if you have to explain to them how to install and configure it from packages
20:54:50 I just think sshd being our connection tool makes it special. Whereas we can install and then bootstrap up without an MTA installed no problem.
20:55:13 also i do use openssh-portable from ports but i can't remember why now
20:55:30 i think it was something to do with Kerberos support? but i'm not sure exactly what since base sshd supports Kerberos also
20:56:04 You might be using openssh client from ports and sshd server from base. It's reasonable to split that. Better actually because it avoids the pitfall of sshd libs in base changing out from under it.
20:56:05 speaking of which i really do hope we can replace Heimdal with MIT Kerberos sooner rather than later
20:56:18 still using sha1 tickets everywhere because this is all freebsd supports is awful
20:56:30 rwp: no, i use both, i don't install freebsd base ssh packages at all
21:05:05 ivy: at least it's not qmail
21:07:52 rtprio: at least what's not qmail?
21:15:29 the mta in freebsd base
21:15:53 i don't entirely follow your comment as i think the mta in freebsd base (dma) is the best possible option out of all available options
21:16:01 so basically, at least it's not anything else at all :-)
22:15:29 ivy, I think rtprio's comment was simply a fun jab "throwing shade" on qmail. I would not read more into it.
22:17:24 yes. MTA is one of those places where everyone seems to have strong opinions
22:24:40 At one time I started to read through the Exim configuration documentation. And then decided I didn't like it enough to spend the brain cells to learn it. Postfix is much more logically constructed and a better impedance match for the way I think about things.
22:26:16 my path was qmail -> exim -> postfix, but it was a walk taken many years ago
22:28:39 exim and nginx are both so inspired by perl they are both wonderful :D
22:44:58 I really like nginx. I don't think nginx and exim are in any way similar configuration thinking. I am on opposite ends of them.
22:47:49 i also like nginx, but having a single line for a proxy config sold me on Caddy
22:49:07 has my use of nginx contributed to my joblessness? I haven't used others for years
22:49:17 I should though
22:50:31 I don't really know about smtp by the way. I should do some project
22:53:44 There's a #exim channel - but if I'm here, I can try to help so long as it's not *really* freebsd-specific
23:01:10 for webservers my path was apache -> lighttpd and that was that. Much better configuration setup, etc. For MTA, it was sendmail -> postfix. I did look at exim as debian used that out of the box at the time, but like rwp, didn't like it enough to pursue it further. postfix made far more sense configuration wise and seemed less error prone.
23:02:59 i went sendmail -> qmail -> postfix because i was alive during the brief period when anyone used qmail
23:03:39 (like 1995 to 1998 or something?)
23:05:44 If qmail had been published with an acceptable license then probably we all would be running it now. But it was not. And so here we are. Fortunately postfix is very good.
23:06:06 yeah, the config and file layout patterns were bonkers
23:10:35 i agree with rtprio, the idea behind qmail was good and it was well written but it was also terrible
23:10:39 postfix is qmail done right
23:10:58 i think even if qmail had had a better license we'd still all be using postfix