i got a vps i set up to toy around with and i'm getting console messages "sshd: error: Fssh_kex_exchange_identification: read: Connection reset by peer" what did i mess up pls? can't find a clear answer searching web

demido, that's nothing you're doing.

If you connect ssh to the internet, it's going to get probed, scanned, & dictionary attacked.

That specific error usually occurs when something connects to your SSH port that doens't know how to speak SSH.

ie, they establish a TCP connection and send a: GET HTML/1.0

$standard_key_authentication_or_strong_af_passwords_lecture

ahhhh

tyvm CrtxReavr

crtxreavr@shodan-/home/crtxreavr$ sudo grep -c [F]ssh_kex_exchange_identification /var/log/auth.log

18

I've gotten 18 of them just today.

CrtxReavr is absolutely correct.

demido: Consider installing and configuring something like SSHGuard or Fail2Ban to block these.

i'm trying to set up a wireguard server that basically just directly passes everything from wg client out, and everything in to wg client. termbin.com/1em5 are those rules right?

ty

This is what a dictionary attack looks like: termbin.com/4oy8

wow lol

I just set: MaxAuthTries 4

Makes the attacks more time-consuming and annoying.

Hell, I should set that to 2.

demido: The rules look okay as long as the interface and ports are correct. Might need to finagle them a bit if you run into problems. But, it's a solid foundation.

CrtxReavr: Yep. I used to limit mine to 5. Then, changed to 4, then 3, now set to 2.

If someone can't get it right in two tries, they're obviously screwing something up and need help.

ek so help me understand something pls, how can i ssh into server? shouldn't rdr pass redirect ssh into 192.168.0.15?

demido: It looks like it should if SSH on 192.168.0.15 is running on port 2200.

is it because rdr only applies to udp?

Oh, yes. More than likely. I didn't even notice that was only forwarding UDP packets.

Change "udp" to "{tcp, udp}" and see if that helps?

must be the case because i just disconnected wg client then tried to reconnect and it won't pass traffic anymore. i guess it's like an infinite loop going on where the wg udp connection into server on port 6000 is being redirected to wg client ip that isn't connected anymore?

demido: It's possible. I'm not really sure how you have your stuff set up, so I'm not sure exactly what you would need to allow or re-direct. Is this firewall on a VM guest on a host?

Or is it on the host itself?

lemme add some details brb

demido: Are you saying you're able to connect to both SSH and the WG server (with the client) but just not route out the WG client from the server?

didn't understand that but i'm going to rebuild config from ground up to better understand things

from pf.conf "When the interface    name  is  sur-

         rounded  by  parentheses, the rule    is automatically updated when-

         ever the interface    changes    its address.   The  ruleset  does  not

         need to be    reloaded.  This    is especially useful with nat." why is that useful with nat?

Not sure what is meant by nat there, but the most common scenario is a dynamic WAN IP on a natting router, and parentheses allow network uplink to survive when DHCP changes the WAN IP

Note that "self" is also an interface name in this context, and often requires parentheses

I wonder why are the parentheses even needed and why isn't this the default behaviour, but I'm sure there is some historical reason

demido: Well, that's kind of why I was asking. I don't understand what would need to be NAT'd (if anything.) If the firewall is running on the host that will directly get the request, there's no reason to NAT anything.

You just pass in on the interface to whatever port you want to listen and pass simply pass out all. I would start simple and work your way up.

i thought wireguard server required a nat rule so traffic out of wg server from wg client appeared to come from wg server's ip?

The only time I've had to NAT (and it's outbound) is if I'm running WG and OVPN at the same time (just because of pfSense automated rules.)

It certainly can't hurt anything to outbound NAT from wg0 to vtnet0. If it needs it, that's fine.

But, you shouldn't need to NAT (or even rdr) anything if the WG server is accepting the connections directly.

In your example, is 192.168.0.15 the server running both PF and WG?

no that's the wg client

Ah, that may be your problem then. You're going to want something more like "from any to any" for clients that are already connected. 192.168.0.15 won't necessarily be the only limitation from the server once the client is connected.

PF will still need to be able to talk to the client on the public IP address.

huh? sorry didn't follow that

pass in quick proto tcp to port 2200

pass in quick proto udp to port 6000

pass out quick proto all from $WG to $WAN

pass out quick all

Basically opening up the server firewall to allow connections on TCP 2200 (for SSH) and UDP 6000 (for WG.)

Then, allow $WG to $WAN interface.

is $WG an ip or if?

And then pass out all requests.

$WG is an interface. So is $WAN.

ok i'll try those tyvm

demido: That's only a simple example to work with what you already have. But, you should keep it as simple as you can. Have you seen this?: forums.freebsd.org/threads/wireguard-setup-with-pf-problems.72623

Good examples of how simple it really should be (with variables, which I would suggest.)

see that's using nat but you said not not needed?

That's outbound NAT, though. Which may be needed between the wireguard interface to WAN. But, otherwise, that should be it.

Basically, just allowing the WG LAN to talk to the WAN and pass it through.

but isn't that just what i was using nat for?

to let wg lan out to wan and out to inet

If this WG server isn't listening on a public interface, you don't even need the "pass in" rules. Just leave everything open (or work your up to only opening what you need.)

demido: Yes. But, you were listing a single IP and not utilizing the interface:network.

Again, the WG server will still need to talk to the IP making the connection via UDP. Not just the WG client LAN IP.

Unless, that's not the problem?

i think i'm too tired to think and i don't wanna waste your time. i crash now and we pick it up tomorrow when i can do better?

If public IP of client is 1.2.3.4 and WG client assigned IP is 192.168.0.15, it'll still need to be able to talk to both.

Not just 192.168.0.15.

Yes. You can go whenever you want. :)

ok i saved your messages tho i'll read when i wake up. tyvm and sorry hehe

Nothing to be sorry about. Have a great rest!

g'nite

hi folks. I'm writing some jail customizations to be applied  to any new jail I build; things like `sysrc sshd_enable=yes` and install packages. I currently run these by copying them to the jail's /tmp and running with jexec. Is there a better way? Specifically, is there a way to run through jexec a script saved on the host system without

copyiing?

I want tobe able to do a `jexev [command]` where the command is on the host system but not inside the jail.

gh00p: not directly. in general the thing that runs in the jail needs to be in the jail, at least via jexec.

gh00p: what you *can* do though, is write a script (e.g. flua) that runs as root, then jails *itself* into the target jail, and runs itself from memory.

once your script/command/tool enters the jail, it loses access to any filesystem stuff outside the jail

so you need to load/import/require all your dependencies prior to jailing

im trying to set zfs arc max and i can't figure out why it's being rejected as invalid argument. in /etc/sysctl.conf i have a line vfs.zfs.arc.max=2147483648

if i run sysctl vfs.zfs.arc.max i can see it's a valid oid, and that value seems right (2GB in bytes) so wtf?

gh00p: I might have misunderstood you. but you are able to run commands from the host, like sysrc -j Jail_name or pkg -j jail_name and so on.

ok i figured it out. in 14.1 i can set vfs zfs arc max even if vfs zfs arc min is 0. but in 14.2 i have to set min > 0 in order to set max. pretty breaking change to put in a point release imo

demido: I'm pretty sure it's vfs.zfs.arc_max - not vfs.zfs.arc.max

demido: And also yes, it needs to be bigger than arc_min

Or am I mistaken?

I have both arc.max and arc_max

And they have the same value. If I change one, the other follows.

Also, the corresponding "min" ctls are set to 0, this doesn't prevent me from setting max

Yeah.. Any max value will of course be greater than 0. So it will allow to set the value.

i will need some help with getting my freebsd back in shape

mainly i need ot fix rc.conf

and i want to start uing ezjail after i had non-ez jails installed

when will 15.0 release engineering start?

anyone get g_dev_taste failed to g_attach error=6?

ivy: freebsd.org/releng mentions a december 2025 release schedule, so probably a few months prior to that?

if you were asking for a more specific answer than that, i dunno sorry

dstolfa: no worries :-) yeah i saw the planned release date

just curious really (mostly so i can start tracking it once it's available, but i guess it'll show up in git)

yeah, i think colin makes sure to send emails out so that as many people as possible test it

so it'll probably be loud enough :P

running current has been exciting but i think i could do with a bit less excitement, so i'll probably switch to stable

I keeping thinking about a pf reference to an interface.. One reference means the interface, another references means any IP address on that interce... something like that. I keep thinking $ext versus <ext> but can't remember what it is/does. ... there I found it: "The name of a network interface or group in parentheses ( ). This tells PF to update the rule if the IP address(es) on the named interface change. This is useful on an interface that gets its IP address

via DHCP or dial-up as the ruleset doesn't have to be reloaded each time the address changes."

dvl: $ext is a variable, so you would have to say ext="cxl0" or whatever at the top of the file. a variable can be anything, it doesn't need to be an interface. <ext> is a table, not an interface, which is defined with the 'table' statement and contains a list of IP addresses (pre-defined or updated using pfctl)

ivy: thank you

this reminds me that i've recently been annoyed that the 'self' keyword doesn't update when IP addresses change, i should probably report that as a bug

ivy: Please. :)

particularly as it can be a security issue if you're doing something like 'block in from any to self'...

ah... bugs.freebsd.org/bugzilla/show_bug.cgi?id=146832 suggests that (self) is supposed to do this

however the bug is that it doesn't actually work :-)

just noticed pkg is now 2.0. what's the occasion? :)

phryk, a bigger number?

CrtxReavr: i'm assuming semantic versioning, which indicates a bigger, incompatible change. :P

not sure if libpkg is actually part of pkg or versioned as its own project, but maybe the api got nicer for people wanting to interface with it programmatically. at least, that'd be my hope. :P

phryk: github.com/freebsd/pkg/releases/tag/2.0.0

ivy: aye, that's what i just found. :)

the pkgbase library support is quite nice

that was base and kernel as packages (i.e. debian-like os updates), right?

yes, supposed to become the default installation method for 15.0

I just hope they did it smartly and didn't change syntax for pre-existing functionality.

i'm not sure i like that yet. always liked the strict seperation of base/kernel from the rest of the system. guarantees that no matter how fucked my packages are, the base OS remains working.

you can continue to build from source if you want that, but no one wants to maintain freebsd-update anymore so another method was needed

this feels like it would open the doors for weird dependencies in base and packages that litter outside of /usr/local/. maybe i'm just paranoid, but the voices in my head are usually right in the long run. :P

also, i think freebsd-update bugs broke a lot more systems than pkg ever did :-)

mhh, that will complicate my thinjail setup tho.

I think the biggest part of that separation was different prefixes for boot/fileysystem/network, ie., /, broader OS tools in /usr, and, pkg/ports managed stuff in /usr/local/

Linux never figured that out.

i have a custom ezjails like thing with a shared base system which isn't rw on any jail, so updating that through pkg might be complicated.

"We'll just toss everything in /usr/! YOLO!"

phryk: pkg -r / pkg -j? that works the same way as how you were using freebsd-update, probably

ivy: the shared base system isn't a jail, so -j won't work unless i set up yet another special jail only used for managing the shared base and skeleton.

ok, so pkg -r

oh, i thought -r was to select a pkg repo.

yeah, that sounds like it might work. :)

fwiw, pkgbase is really nice for building small jails as you don't need to install 100s of MB of crap you don't want in every jail

if it does that already eliminates one footgun. for freebsd-update you have to pass -b *and* -d otherwise you can get conflicting update metadata when you try to update host and thinjail base in one go.

well, i have just base and kernel split up over the shared base that gets nullfs-ro mounted and a "skeleton" which is the basis of new jails for their rw parts.

this is about as minimal as things get, i think.

maybe more relevant is whether i can block pkgbase on the jails because that would explode with attempted writes to the ro mount.

good morning everyone! is there an easy way to list the descriptions of every package in a particular category of the ports tree?

mountainman1312: cd /usr/ports/<category>; for a in *; do echo "$a: "; cat $a/pkg-descr; done

some awk magic in the INDEX file?

like: awk -F\| '$2 ~ /accessibility/ {print $1, $4}' INDEX-14

s/accessibility/<category of your choice/

vkarlsen: thanks, that did the trick :)

mountainman1312: i'd just have used pkg query ¯\_(ツ)_/

i'm getting jail: conduit0: /sbin/ifconfig lo0 127.0.0.1 up: failed

when i try to start a jail created with ezjail, anyone knows what's up?

% pkg query '¯\_(ツ)_/'

Invalid query: query should contain a format string

(:

wsky: 127.0.0.1 is likely already bound to lo0; check ifconfig

might need to give the jail an actual ip

(or 127.0.0.2)

epair11a

14

jail: conduit0: /sbin/ifconfig lo0 127.0.0.2 up: failed

does this interface exist? ifconfig -a

i destroyed it

i ean no

i destroyed lo1

tbh, I only use ezjail to create the jail, but configure it through /etc/jail.conf, since ezjail didn't support vnet (and maybe still doesn't)

Afterglow: you do know that 'creating' a jails is just having a config in /etc/jail.conf.d/ and then service start jail $jail_name?

since you open up its conf file after creation to edit it, you could just edit it and then start the jail without using ezjail to begin with

SKull, I know, but it's easier for updating/upgrading the jails, and it automagically creates the zfs'

Afterglow: freebsd-update has a -j parameter, so does pkg. even zfs is jail aware.

Afterglow: but whatever works for you

Afterglow: it supports vnet, it always supported vnet, but it's not docummented

Afterglow: i used iocage in the beginning, thinking that it was easier. and it was. until i removed a jail that other jails apparently depended upon.

ok i've managed to make it run

wsky: replace line 'export jail_fastnetmon_ip="..."' with 'export jail_JAILNAME_vnet_interface="epairNUMBERb"' and you will be able to run it from ezjail

s/'export jail_fastnetmon_ip="..."''export jail_JAILNAME_ip="..."'

to make epair devices reusable after jail shutdown you have also to change shutdown script for ezjail to '"export jail_JAILNAME_exec_stop="/bin/sh /etc/rc.shutdown jail"'

VNET jails work under ezjail just fine

I don't know where is the upstream of the ezjail project hosted, if it ever exists, it will be nice to fix a few things with ezjail

good night

jbo: not too bad, just busy as shit. you?

kevans, same here

drobban: thanks, I know about the -f options for various tools, but those run on the host and there are a few things without -f. My hope is to have as few things as possibly have to run outside the jail itself.

dch: my hope was there might be a way to say, load a shell script into the interpreter, drop into the jail, then run the script. Like maybe `sudo sh -j foo /path/outside.sh` though that's just dreaming I guess.

drobban: sorry, I meant -j or course

i know it's freebsd related too somehow, but i am trying to get it to work for pfsense.. pastie.org/p/3hMR3EUYBB4ypqbmxG8dHp <-- this works fine for ZFS but i rather have UFS now.. how can i change it? any installerconfig experts here?

i tried search solutions, it's very very hard to find

anyone get g_dev_taste failed to g_attach error=6 in console?