-
nimaje
did you check that it isn't just your browser giving you a cached image instead of making that request?
-
dvl
nimaje: I'm seeing the request arrive in the logs.
-
dvl
Also tried appending ?things to the URL
-
zilti
So, I started again from the Bastille example pf.conf and ended up with this:
termbin.com/4xh5 I don't get why this prevents my machine from reaching tty login or starting sshd.
-
dvl
zilti: It does not start sshd?
-
zilti
dvl: I mean, I have sshd_enable=YES. But as soon as I set pf_enable=YES and reboot, the machine will get stuck somewhere in the boot process after activating the network. No tty login prompt on the machine itself shows up, nor is it accessible over ssh
-
dvl
zilti: might be dns related, how long do you wait?
-
zilti
dvl: definitely not dns related, no amount of waiting fixes this
-
dvl
ouch
-
zilti
(yes, before identifying what causes this, I indeed let it be stuck in the boot process for 12 hours)
-
zilti
So it's nothing in the pf.conf?
-
zilti
Here's additionally my rc.conf:
termbin.com/my1y
-
cyric
zilti: press ^T and check where it's stuck?
-
zilti
cyric: Would that be Ctrl+T? I can't send these kinds of keycodes to the console. But the last thing it shows is "Security policy loaded: MAC/ntpd (mac_ntpd)".
-
cyric
yes, control-t which sends SIGINFO and should show you the current process running
-
cyric
other than that, you could try enabling rc_debug in rc.conf
-
zi
zilti: enable logging in pf.conf, setup pflogd, reboot, wait for breakage, examine log, profit
-
zilti
zi: okay. I enabled pflogd. Where do I put the logging statement in pf.conf?
-
zilti
It seems s3backer that is running on my server is getting blocked, as well as ntp, but I have a "pass out quick keep state"
-
zi
zilti: man pf.conf, search for log
-
zilti
zi: I can't put log on the "block" statement. PF complains when I try that.
-
zilti
Okay. Seems my pf config blocks all outgoing traffic.
-
SponiX
reminds me that I need to play the pf game again myself
-
SponiX
not feeling it tonight though
-
zilti
So, no idea how to allow outgoing traffic. That rule used to work, now it does not.
-
SponiX
but yeah, pretty sure pf default is "deny all" and you have to write rules on what to actually allow/pass
-
SponiX
when I was tinkering with pf my router was having problems. So I was sitting there beating myself up over pf rules when they might not even have been the issue
-
zilti
They definitely are here, though. When I turn on pf on the running machine, outgoing traffic stops working. Stopping it makes it work again. I tried half a dozen variants on "pass out". "pass out all", "pass out keep state", "pass out all keep state", "pass out on $ext_if", "pass out on $ext_if keep state", all of them with and without "quick".
-
zilti
Nothing works.
-
zilti
...so, is there a solution to this, or is this a breaking bug in PF?
-
SponiX
what branch are you on?
-
makr
is there a way to run a one-off command in a sandboxed way?
-
makr
eg. letting it access only certain places on the filesystem
-
nimaje
capsicum or jails
-
makr
is there a capsicum utility?
-
makr
something like `capsicum-run prog`
-
ivy
makr: i've wished for this before, but i've never found such a thing. i did find a research paper discussing a prototype of it, but it didn't come with source code...
-
jemius
Morning. Is there any interest in adding the QUIC network protocol to the FreeBSD kernel? Some folks are working on that for Linux
-
antranigv
makr Jails would make more sense, and you can do that with the jail command if needed.
-
ivy
jails are not really ideal for sandboxing a single command (although you can use them for that), we do need a better solution here
-
ivy
like, i don't really want to spawn a new jail just to run elinks every time i render an HTML email in mutt
-
dch
ivy: there is some prior art here, gimme a few minutes to find it
-
dch
aah yes val did some (awesome) work on this already
github.com/valpackett/capsicumizer
-
ivy
ah, i think i've seen this before but never got around to trying it - i wonder why it's archived
-
dch
ivy: IIRC val moved to codeberg & argentina
val.packett.cool reach out and ask
-
ivy
if this works it would be nice to have it in base :-)
-
dch
if you (or val ofc) are interested in picking this up I'm sure there would be a lot of interest
-
dch
and help too
-
ivy
i have enough stuff in progress at the moment i'm running out of disk space for source trees, but i will add it to my ever-expanding todo list :-)
-
» dch knows the feeling
-
makr
I found this talk too by Ryan Stone demoing a tool called caprun -
youtube.com/watch?v=TGA4wbjbqXc
-
makr
i can't find the code though
-
leah2
i use the repo pkg+https://pkg.FreeBSD.org/FreeBSD:14:amd64/latest but i can't find newer go than go121, shouldn't up to go124 be available there?
-
vkarlsen
leah2: Looks like there's a problem with it:
portsfallout.com/fallout/1116443
-
leah2
ah!
-
vkarlsen
I guess it didn't go
-
leah2
hehe
-
CrtxReavr
Where does the named ports store the hints file?
-
CrtxReavr
Nevermind.
-
n|Phreak
oh next to nim binary ?
-
n|Phreak
or nimble binary
-
n|Phreak
since the path is /usr/local/bin/nimble I have the cacert.pem in /usr/local/bin/
-
thorongil
hi there. i'm running 13.4-RELEASE-p3. an update was released, and i ran freebsd-update fetch and then freebsd-update install. the latter spit out a few errors: "install: ///usr/src/secure/caroot/blacklisted/INS@LId18q: No such file or directory" and three other files. is this something to worry about?
-
llua
Hey, i am trying to use texi2dvi but it throws an error about not finding a `tex' binary.
paste.rs/i69cB
-
llua
i have the package texlive-base installed but it doesn't provide a tex binary either
-
vortexx
rwp: you may or may not recall I had an external usb drive having issues, I finally got round to fishing out a s-ata cable and testing the drive directly, it is still working luckily. Just need a new usb enclosure
-
llua
apparently tex is in tex-basic-engines
-
jbo
any wine experts around?
-
ivy
would a cider expert do?
-
jbo
potentially
-
jbo
I'm trying to run factorio under wine. I had that working a few months back
-
jbo
now this (new/different machine):
paste.jvnv.net/view/I5hQr
-
jbo
fairly sure that factorio.exe is a 64-bit executable
-
jbo
can't even run winetricks:
paste.jvnv.net/view/4fZ4B
-
that_lurker
does the native linux version not work on freebsd?
-
jbo
no idea, never tried
-
dvl
Anyone running zfsd? Did you do anything in particular to configure it? I just added my first hot-spare to a zpool.
-
ivy
dvl: noooooooo don't use hot spares!!
-
ivy
dvl: keep a cold spare or at least an online device not attached to a pool. otherwise your zpool will randomly decide to attach its hot spare due to a temporary cabling issue or something like that
-
ivy
the only reason you need a hot spare is if you're sending a system to Antarctica and literally can't monitor it or log in to replace a failed disk with the spare
-
ivy
dvl: sure
-
dvl
ivy: thanks, please reload.
-
ivy
i'm not sure the way you've quoted it adds anything to the content, but ok :-)
-
dvl
OK, with that, it's time for off-computer stuff. Later. Thanks again.
-
cyric
dvl: there's better reasoning at point 12 here:
nex7.blogspot.com/2013/03/readme1st.html
-
mzar
dvl: I have no hot spares, but responded on the media
-
mzar
anyway, zfsd could be handy
-
ivy
oh, was there any disagreement with my advice to not use hot spares? i assumed this was simply common knowledge nowadays
-
mzar
I don't know; who objected ?
-
mzar
I like to reason with dvl on the media, but I am still missing TechSnap series where he was the host
-
ivy
mzar: i don't know, but i have the impression dvl was not taking my suggestion seriously. which it was meant to be even if i phrased it in an IRC-like way
-
ivy
there is basically zero reason to ever use a hot spare in a modern storage environment except in very unusual circumstances
-
mzar
yep, at some point you stop taking all the suggestions seriously ;-)
-
rwp
It does seem that, say, if someone were to use a hotspare with raidz1 then instead raidz2 is preferred. And if someone were going to use a hotspare with raidz2 then raidz3 is preferred.
-
ivy
rwp: i think there's a more persuasive argument for using hot spares with mirror-stripes, where you can't just "add another disk", but i don't think it's a good argument because asking the system to make an objective assessment of its own state is just never going to be reliable
-
mzar
what about cold spares ? aren't they useful ?
-
ivy
yes, cold spares and/or warm spares are very useful and everyone should have those
-
mzar
keeping your spares cold is 100% conformant with the paradigm of green computing
-
ivy
well, you can have a 'warm' spare that you keep powered down if you're concerned about that
-
ivy
the power use of a single is pretty minor though, in most systems which are likely to care enough about their data to have spares
-
ivy
s/single/single disk/
-
mzar
but you can always hotplug a cold spare, it's what hotswap was invented for
-
ivy
yes, but you need physical access to that, so whether you use cold or warm spare depends on that
-
rwp
dvl, If you search for "sudo sudo" in that article you might make an edit as that seems to be a sudo too many. :-)
-
mzar
good point, I believe that dvl still has this access ?
-
rwp
It's his other diary, so yes. :-)
-
rwp
Keeping the hotspare warmed up also adds spinning hours to the drive the same as the other drives. Now maybe that does not matter at all if the head remains parked. But the simple measure of using power-on hours to determine the approximate age of the drive is fuzzier in that case.
-
rwp
I have this vision of somehow keeping a stack of storage devices in a box magazine such that they are available and ready to be inserted into a system on one side of it while another device removes failed drives from the other side.
-
mzar
agreed, so we can draw the conclusions for dvl: running zfsd could be useful anytime, but you'd better keep your spares cold
-
ivy
mzar: i disagree, running zfsd is never useful, use warm or cold spares instead
-
ivy
that is the point i was making originally
-
mzar
ivy: zfsd could be handy if the children have access to hot swap bays and randomly replug the drives
-
ivy
a rifle might be more useful in that situation
-
mzar
how so ?
-
ivy
shoot the children, problem solved
-
rwp
But then there is the Hansel & Gretel rebuttal.
-
mzar
that's against the spirit of this channel, in the past debdrup or koobs banned for weeks for such suggestions, ivy
-
ivy
if the children shoot you, the problem is also solved, in that you no longer need to worry about your disks
-
mzar
good night
-
rwp
Let's move on to happier topics.
-
debdrup
I'm wondering if people are using zstd to its fullest effect? Admittedly it does require you to use SAS enclosures with SES, and have autoexpand and autoreplace enabled as well - but if setup properly, zstd allows you to pull out a drive, insert another drive, have the zpool automatically replace the old vdev with the new one, and once you've done that with all the disks in a vdev, the vdev will expand.
-
nimaje
what has zstd to do with autoexpand?
-
debdrup
s/zstd/zfsd/
-
morpho
does freebsd work on any SBCs
-
morpho
looking for recommendations to be honest, something with opengl or vulkan drivers would be great, if somebody knows of something like that