00:00:56 maybe "sudo /etc/netstart"
00:09:06 i don't think netstart would clear pending SYN packets, because why would it
00:09:30 but also a syn flood won't cause ping times to increase unless you're actually running out of bandwidth, in which case a reboot won't help
00:10:11 i find it bizarre that you "get lots of synfloods" - do you have any why? syn flood is pretty ineffective nowadays and it would be unusual to see that in a DDoS
00:10:26 s/any why/any idea why/
07:42:31 it's a very popular website that's been around for decades
07:42:56 aaand people are assholes
08:05:44 All of the public servers I admin get SYN flood attacks routinely. Because people are the problem.
08:06:58 https://en.wikipedia.org/wiki/SYN_cookies
08:07:19 i know there are several systems you can use to resist synfloods
08:07:34 i'm specifically looking for what i can do when all else fails
08:08:55 So far the use of syncookies has been sufficient to mitigate the attacks. (shrug)
08:10:39 that's good, hopefully once i switch to a freebsd server, i don't have any trouble anymore
08:12:39 The Linux kernel also implements syncookies and should also not have any problems. I fear that because you have had problems even on Linux that the problem is actually something different and therefore the problem will persist.
08:12:59 you incorrectly assume i use linux
08:13:06 Not that moving to FreeBSD isn't an excellent choice regardless.
08:13:36 Oh! Okay. Sorry. Most people switching to FreeBSD are coming from GNU/Linux so that is a typical path.
08:13:46 i'm coming from macos x
08:14:10 the only syn flood protection on this os is in the pf firewall, but surprise, it is broken
08:14:13 I know little to nothing about Mac OS X but thought they used a form of BSD kernel too. So I am surprised.
08:14:15 so i'm basically wide open
08:14:21 GoSox: have a look at https://man.freebsd.org/syncookies this may help you
08:14:36 they used a bsd kernel when it forked 25 years ago, but they didn't carry over many updates over the years
08:14:47 IIRC syncookies are also available on Linux, so maybe you can experiment there before
08:15:25 Linux kernel definitely implements syncookies. FreeBSD does too.
08:15:45 if i were using linux, that would be useful for me :P
08:16:14 Which "that" is the that to which you are referring?
08:16:28 GoSox: and also https://freebsdfoundation.org/wp-content/uploads/2022/03/Porting-OpenBSDs-pf-syncookie-Code-to-FreeBSDs-pf.pdf for some newer tricks
08:16:32 the fact that linux has syn cookies
08:17:09 dch, Interesting article! Now I am off to read it.
08:17:10 so my overall question here is not 'how do i resist synfloods', it is - is there a way i can fully halt and reset my tcp stack on the fly if i need to, for any reason
08:17:27 hopefully syncookies works perfectly and i never have to use this ability
08:19:39 on macosx, i have to take both ethernet interfaces down using weird mac specific commands, then wait a few seconds, then bring them back up. but it all happens slow, i assume because it's waiting for connections to either close or timeout.
08:25:54 GoSox: if that's what you want to do, just `ifconfig igb0 down; sleep 3; ifconfig igb0 up` for whatever your interface name is
08:26:25 for what it's worth in 14 or more years of running public facing BSD systems I've never needed to "reset the tcp stack"
08:26:46 and this includes dealing with real-world DDOS and similar attacks
08:26:49 i never did for many many years, until the syn floods started
08:27:00 if i never have to reset it, that will be great
08:27:44 I would run pf firewall, and restart pf, this will be (a) fast, (b) common practice, (c) drop all stateful connections
08:27:47 `service pf restart`
08:28:18 will that instant-axe all connections?
08:29:23 all tcp connections yes
08:29:32 udp, icmp etc being stateless, no
08:29:45 more to the point syncookie handling is done in pf
08:29:50 hmm maybe i'll try that on my current server just to see what happens
08:29:57 that PDF I linked above is good
08:30:49 if you really want to restart the network stack, which I would not advise, then something like this probably is sufficient
08:31:10 run in a tmux or similar so you don't lose the connection partway through
08:31:22 i REALLY need to find the time to set up a new bsd server
08:33:30 I have never needed to "restart the network stack" either.
08:36:01 <[tj]> GoSox: dch it will remove the connection state from the firewall, but not kill the connections on the host
08:36:12 <[tj]> tcp should recover
08:42:32 [tj]: I tried kldunloading my nic, but that's not very successful either
08:42:51 damn network is awfully good at reconnecting after transient intended outages
15:29:55 dch: just now reading your link, this is pretty interesting. I don't use bootenvs currently but might try them.
15:32:28 egwynn: zfs + boot environments are pure sysadmin crack, you'll never go back.
15:32:46 I'm currently git bisecting a kernel panic with each branch ending up as a boot env
15:33:02 it would be almost impossible on any other setup to do this without being onsite
15:33:06 yeah, the only thing stopping me is being too lazy to move/split-up all of my data to match the required layout
15:33:19 default freebsd install is all you need
15:33:28 zroot/ROOT/default -> this is "/"
15:34:00 and then yeah your own data needs to be split up
15:34:21 the rest of the zfs mountpoints are niceties
15:34:26 I'll investigate again
15:34:57 you're welcome to post questions & get some help migrating
15:35:26 ah, that's right, I don't have a dataset that root sits under. it sits right on the pool.
`tank/root`
15:36:30 I followed a zfs migration guide back in the 10.X days before zfs was part of the default
15:37:05 but honestly it wouldn't be THAT big a deal to move root
16:52:44 i'm trying out iocage, vnet for a jail is 0, ifconfig shows the host adapters, but netstat -rn is empty and i can't get packets out... what am i missing? when i make the jail with jail(8) and ip4=inherit it works fine
16:57:25 ah, set ip4=inherit in iocage too, it's new by default
19:34:58 did freebsd just drop support for SPARC?
19:43:12 UltraSPARC is a Tier 2 architecture through FreeBSD 12.x. It is no longer supported in FreeBSD 13.0 and later.
19:43:18 i wouldn't say "just"
19:43:27 On the platform page I only see a reference to SPARC where it mentions that SPARCv9 was dropped after 12.4 (which was EoL end of 2022)
19:44:51 ah, no the EOL list is confusing, it lists the release date there
19:49:41 mmm
19:49:51 yeah I guess it's for the best instead of letting it rot
19:50:23 i can't remember what version i tried last, maybe 9.2? but i had it dual booting with Solaris 8
19:51:07 after logging in, i'd get program loading errors on basic utilities included from /bin
19:51:24 i just expected more from tier 2 heh
19:52:51 cautionary tale of what would probably happen if i were to port bsd to some random obscure platform. it's already been done before, rotted away, and got dropped. :/
20:08:52 Hmm, I'm having some problems with the bird routing daemon doing BGP on FreeBSD. After an hour or two, my routes stop being announced. bird says "Socket: Connection closed" when I look at the protocol status. If I restart bird, it reconnects just fine and comes back up.
20:08:59 Any way I can make it... not do that, or tell it to autoreconnect?
20:10:04 and you're having this problem "on FreeBSD"
20:10:21 Yes?
20:10:23 implying that on other platforms, you've done BGP with BIRD in the past and not had this problem
20:10:28 Nope
20:10:38 so then do a diff on the packaged versions of default config files
20:10:45 this sounds like some kind of inactivity timeout
20:10:51 I'm saying I've never used it on other platforms :p
20:11:09 then it's not really a freebsd question, is it...
20:11:35 If you can't help me, just don't say anything.
20:11:43 wouldn't be the first time we've found someone helpful with software available on freebsd here
20:12:09 i can't help you but i can offer some helpFUL advice
20:13:31 try /j #bird ?
20:31:05 ivy was doing some bird stuff.. sorry for the ping if not a good time
23:49:04 hello, what's up
23:50:43 appledash: i've never seen that, but i'd start by looking at tcpdump. also, make sure you're specifying the local address
23:56:19 Is anybody successfully using dl_iterate_phdr(3)?
23:56:19 For me it hangs when acquiring a mutex, although I don't call it multiple times.
23:57:22 cracauer: in what context are you trying to use it?
23:58:05 there may be some, e.g., pthread or fork scenarios where you recurse on the lock
23:58:11 The Clasp Common Lisp compiler uses it to find the base of loaded libraries.
23:58:24 let me look up a github link.