wireguard works well enough, without a google account component

not if your home network has a dynamic IP or CG-NAT

if i'm using a jail based on a zfs snapshot and an update to freebsd is released, i can either run freebsd-update from within the jail or make a new snapshot based on the newly-released version and then re-create the jail. are there any other methods i'm missing?

thorongil: Shutting it down and doing it from within a chroot can be more successful sometimes.

mason: thank you

tehpeh: i never said you need to wireguard directly home

good for you

i mean, wg does work well, there

it's cheap and easy to put up a small machine to coordinate

vpns are cheap, and if you're paranoid enough you could probably layer wireguard over wireguard to add a layer of encryption through the coordinator

(insert "yo dawg, I heard you like wireguard [...]")

kevans: your MTU: <crying face emoji>

how do i get pkg contents but remote? i need to find out which pkg provides certain header

angry_vincent: pkg-rquery(8) can query metadata

You can find who probides a shared library, but not a specific file

G'day all. FreeBSD router/firewall running isc-dhcp server is not sending the dhcp server address to clients. Or it does and gets no response.

tehpeh: use ipv6, so that you don't have a cg-nat problem and dns with proper automation because of the dynamic ip, so you don't use ip addresses directly

babz_: that's the question. i know about shlibs but not individual file.

well, you can grep the pkg-plist files in the ports tree, then if a port only has a few files they are somethimes defined in the Makefile, but there are also some ports that generate the plist fully dynamic while building

There's less discussion here than I'm used to. Have people found a new placce to hang out? Slack, Discord, Mattermost? Or is it just that we all agree on everything and theere's nothing left to fix?

ivy: yeah, but the MTU drop seems like a reasonable trade-off if you really feel like you need protection from the VPN host itself

kevans!

I saw your ECC stuff landed some time ago - nice

yep

how's life?

does someone have the answer to if it is possible to run nvidia-drivers on a arm-system?

angry_vincent: that information is not indexed on the pkg repository

ok, so is there a tunable to cleanup the laundry before there is memory pressure?

how do i load graphics cards drivers?

the installer downloaded them but i cant figure out how to load them?

morpho: have you found the freebsd handbook?

morpho: specifically docs.freebsd.org/en/books/handbook/x11/#x-graphic-card-drivers

yes! it says to install krm-kmod which is what i have done before

oh, i downloaded drm-61-kmod, kldload i915kms, and now its hanging on that :I

morpho: you're saying `kldload i915kms` does not return?

yes, it just hangs on boot now

morpho: oh. you added it to kld_list? :/

yeah

im in single user mode

thanks for helping

well the installer driver detection did work with my wifi

morpho: the expected behaviour of loading the module would be no hang, and i think my console font gets changed. dunno what do to in your case. am out of my depth there.

yeah, can i change /etc/rc.conf from single user mode

fixing it...

why would it just hang though

i tried installing drm-kmod but it does not work either

it really shouldn't just hang. that's most likely a bug.

yeah kind of annoying because it worked last time

oh. how complete is the new installation? would it be worth installing an older release to see whether it works again then, then upgrading and see where it breaks?

pretty new

i usually use openbsd on my laptops

drm-kmod comes from ports, so it might be unlikely to be affected by the version of base, right?

i might have done something wrong

its a pretty standard install though

when it worked last time, was that on the same hardware?

yes

do you think i can get a log of before it hangs?

and i will upload

:I sorry i cant help out

morpho: by the way. you're definitely sure the kernel hangs? it's not still possible to access the machine using the network or a serial console?

i did not try

morpho: give it a try. i'll need to go afk, i'm afraid.

Is there a way to print the color settings for 'ls -G'?

hmm not sure if this is better for #bhyve or not, but if you jail bhyve I am trying to figure out the networking setup. So the simple one is a bridge and tap interface, but this isn't the most secure or extensible way. So epair would be useful, so epair the jail networking, assign it a RFC 1918 block and NAT it within pf.conf perfect, but what then for the bhyve VM? jails share the network stack

iirc, ideally you want an epair within the jail with its own block, which then passes through pf there, and then after leaving the jail it passes through host pf giving nested networking, at each level the packets are filtered

suggestions!?!?

:D

uh

polarian: that sounds complicated

but i did run all my VMs on their own vlan for time, that worked well

and should work if you route at the host or the firewall,

polarian: you can create a bridge in the jail, put the tap interface and a dedicated epair interface in it, then the host end of the epair will be directly connected to the vm (via the bridge) but as rtprio says, this sounds somewhat overcomplicated to me

ivy: hmm true

bhyve is already capsicumised so i'm not convinced putting it in a jail offers a significant security benefit (although i haven't looked at this in detail so i may be wrong there)

unless you are running multiple vm's in the same jail, then bridging is not a problem

so I guess its a valid point

wait, what

wait hold up laptop on 2%

lol

jailing bhyve? what is the point of that, hermanoher?

ime jailing bhyve is more common than you might expected but for most people i'm not convinced it's worth the hassle

there was one capsicum bypass vulnerability in bhyve a few months back but that kind of thing is pretty uncommon

unrelatedly, it looks like multimedia/jellyfin is maintained again (by bapt@), maybe i should have another go at moving that off linux

ivy: extra layers don't hurt

jails are not that resource intensive

in order to break into the host you would need a bhyve bypass and a jail bypass

but increased complexity and management overhead is an inherent negative by itself. not to say you shouldn't do it (it's up to you) but...

and some vuln within the software in the jail as well

well originally I was running bhyve on the host, but then I thought "if I am going through all this hassle, why not use all the security features on the table"

if you are going to virtualise, why not throw in the extra security from the jail?

but yeah back to the original point if the jail is being filtered on the epair interface by the host, then having a bridge with a single vm inside is not an issue as there cant be talk between vms unless you run two inside the same jail (which you wouldn't do anyways)

so is all the traffic from all bhyve hosts going through that epair?

that sounds... not as fast as it could be

CrtxReavr: The default is "exfxcxdxbxegedabagacad"

rtprio, Yeah - I found that a little further down in ls(1). Thanks though.

It was easier to start with that, then change the one thing I wanted to change.

(Blue dir names on a black background can often be problematic.)

I went with export LSCOLORS=gxfxcxdxbxegedabagacad