;n

sorry.

Demosthenex: you can go 13.2->13.4 , I would just drop the UEFI loader in just before you reboot into new kernel. also, rustdate.over-yonder.net (in ports as freebsd-rustdate) is a lot faster than freebsd-update in base.

slow & trusted, vs new and shiny

Soni: why would you choose to use ipsec over wireguard? its 2024 and wireguard in userland is a well established thing, vs ipsec which is the Cthulhu of protocols

anybody familiar with apache24 or similar?

I have some noob questions (or, not really noob, but its been 20 years and I forgot everything)

Hi.

hey, how do i flush pf tables?

`pfctl -t badactors -T flush` ?

why badsectors?

i want to flush this table scrub in on tun0 fragment reassemble max-mss 1420 no-df random-id

I have problem with vm-bhyve. When I want to install almalinux, vm immediately bacomes locked. I use this template dpaste.com/2FF4V7F6T

I don't know how to debug it.

*becomes

I have created network switch services: vm switch create -t manual -b vlan998bridge services, when instalation starts tap0 interface is created

and whole process is stopped. I have to kill this dpaste.com/5Z74ULPPU process to even stop VM

dch: we don't want a fucking vpn

yes if we wanted a vpn there are better options, but that's not what we want

Soni: no need for profanity. you can have a user-space point-to-point wireguard library in your app, ipsec just seems ... so much more work.

and to go through the IANA/IETF aspect of it seems ... even more work

dch: that's because everyone got ipsec wrong

I guess you have a good reason to want all that pain

I think everybody agrees on that Soni

ipsec is an address family, like ip

you run tcp/ipsec or udp/ipsec

just like tcp/ip or udp/ip

anyway it's purely an API impedance mismatch problem, the wire protocol is mostly fine

(and the IETF doesn't do APIs)

not true

ietf has written lots of api documents, and has a very mixed history on "having a single point on anything"

[tj]: they're mostly on the independent stream, which isn't IETF standard

yes there's value to having them published as RFC, as a way to inform other participants of how someone does it

as an author of an rfc covering apis, and significant contributor to a working group on apis I feel I know what I'm talking about here

but removing stuff I did, there are a bunch on ipv6 documents which are api descriptions

[tj]: ipv6 OS APIs are informational, not standard

that distinction is meaningless

anyway, this is off topic for #freebsd

yes, so, back on topic, we can do more or less whatever we want with the socket API in freebsd

so we'd like to experiment with treating ipsec as a first-class address family

complete with sockaddr_ipsec

anyone wanna participate?

dch: i'll take slow and trusted over let's rewrite the world in the latest fad and start over gaining trust.

Soni: a good place to ask this question is the freebsd-arch mailing list. Or possibly the transport one.

freebsd-network would be the place

oh yes even better

alright

is it possible to do filesystem compression?

(not to be confused with transparent file compression)

you mean some abstraction over the drive, that does compression and then write the filesystem on top of that?

blacklistd has me beat today

no we mean something like how git has a garbage collector and delta compression

what is freebsd-network? freebsd-net?

Where does the /usr/local/openssl/cert.pem file come from?

pkg which says: /usr/local/openssl/cert.pem was not found in the database

The full path is in the database, but not the symlink.

nm

Soni: lists.freebsd.org

we'll just assume they meant freebsd-net

Soni: we have TCP-MD5 working, it will probably suit your needs, whtat do you thik ?

mzar: what is tcp-md5

TCP MD5 Signature Option

from your email it appears that you want to protect the connection

we want to protect the endpoint

OK

for example if you run an sshd, you'd need the endpoint key, which you get via dns and not via scanning the internet, this would protect sshd from network-scanning malware

keeps the logs quiet

this is a low-work thing you can do that makes things high-work for them

that;s /14

err

that's probably what TCP-MD5 and TCP-AO was invented for

but why is it TCP-only?

we'd rather use ipsec authentication header

ipsec lets us use it as an address family, which has benefits if we ever manage to expand this to DNS

(and to URIs, ideally)

OK

ideally we should be able to treat different keys as different hosts, too

Soni: can you explain a bit more what you want there

what layer would do the compression? on what data? do you mean something like CoW or dedup?

Soni, UDP and specifically IPsec can be especially problematic over NAT'd connections.

arg, isn't there a command to check the checksums of the core os files?

freebsd-update IDS

Demosthenex: what if you are not running RELEASE ?

mzar: no idea. i just wanted to make sure specific files hadn't changed.

and not packages, system.

CrtxReavr: that's why we don't care about supporting ipv4

nimaje: we mean something like git. we would happily use git as a filesystem if we could make it work.

CrtxReavr: also, lists.freebsd.org/archives/freebsd-net/2025-January/006299.html

Soni, I'm all for ditching "LegacyIP."

CrtxReavr: rename AF_INET to AF_INET_LEGACY when :v

(okay, not a serious suggestion, but anyway)

Hi, I am trying to launch X in a fresh new install of FreeBSD14. It is a system running under qemu. I get this error:

(EE) xf86OpenConsole: No console driver found Supported drivers: pccons (with X support), syscons, pcvt Check your kernel's console driver configuration and /dev entries(EE)

Does anyone what could I try?

know*

is your user a part of the video group? are you using drm-kmod?

drewlander: drm-kmod? that's qemu

i didnt see qemu i apologize

I am trying with root

to avoid any permission issues

no worries

since it is qemu console is redirected to a telnet port (I guess it might be related to this issue)

so I have to telnet my apple to access the console of the virtualized FreeBSD

also, I do not have any /dev/ttyvx file, just /dev/ttyu0 (which I understnad it is the serial -redirected by qemu to telnet-

Soni: so a blocklevel CAS for the filesystem?

nimaje: CAS?

i have security/py-cryptography installed, but i can't seem get a venv to use it. i tried python3.11 -m venv myproj; source myproj/bin/activate; pip install <app>, and it keeps trying to build py-cryptography. i thought maybe because it required a newer version, so i did -c constraints.txt but with cryptography<=43.0.0 (i have 42.0.8)... but it just goes and tries to get 42.0.0 and build it again

er, i did use --system-site-packages

Soni: content addressed storage

nimaje: uh no? we want delta compression and stuff

cross-file compression for the filesystem

(on top of regular compression)

just like git does

but really, any filesystem that can cope with multiple gigabytes of build artifacts would be fine

(because we keep running out of storage while trying to compile the freebsd)

wcarson: well, you have installed on your system then, venvs are there to seperate from your system, you can tell it to also use system modules when creating the venv, but I don't remember the argument

Soni: where does git does compression for storage? afaik it only has a store were all objects (files, trees, commits, …) are stored by their hash, so you can reference some object by its hash

what do you use yubikeys for on FreeBSD?

nimaje: the "pack" is delta-compressed and also deflate compressed

haroldp: 2fa on everything :p

I use mine on websites via my browser

and as a third factor on my password manager

you doing other cool stuff?

just ykman/browser stuff

wasn't aware of ykman. thanks.

haroldp: yeah the browser works fine., just cli stuff for sites that don't support webn, but require fido. :[

wondering if I should try to shoehorn it in as another factor for ssh or something

I recently got an M4 iPad and discovered I couldn't log into *anything* because it doesn't have NFC and wouldn't talk to my YubiKey over USC-C

but they fixed it about a month ago with an iPadOS update

Hey, anyone got experience using the collectd package?

It returns with exit code 1 for me

Immediately upon starting, it doesn't print or log any error

It would be helpful to run a command like strace on it, but I am not sure how to do that on FreeBSD

ktrace

yeah, ktrace or truss depending on how much extra output you feel like dealing with

and if it is not enought for you, you can use dtrace

ahh issue was pcscd was having issues with polkit. disabling that fixed it

figured it out

with collectd