00:02:52 did you check that it isn't just your browser giving you a cached image instead of making that request?
00:13:27 nimaje: I'm seeing the request arrive in the logs.
00:13:55 Also tried appending ?things to the URL
01:03:34 So, I started again from the Bastille example pf.conf and ended up with this: https://termbin.com/4xh5 I don't get why this prevents my machine to reach tty login or start sshd.
01:09:39 zilti: It does not start sshd?
01:11:06 dvl: I mean, I have sshd_enable=YES. But as soon as I set pf_enable=YES and reboot, the machine will get stuck somewhere in the boot process after activating the network. No tty login prompt on the machine itself shows up, nor is it accessible over ssh
01:11:44 zilti: might be dns related, how long do you wait?
01:13:00 dvl: definitely not dns related, no amount of waiting fixes this
01:13:10 ouch
01:15:13 (yes, before identifying what causes this, I indeed let it be stuck in the boot process for 12 hours)
01:15:58 So it's nothing in the pf.conf?
01:17:57 Here's additionally my rc.conf: https://termbin.com/my1y
01:22:09 zilti: press ^T and check where it's stuck?
01:24:52 cyric: Would that be Ctrl+T? I can't send these kinds of keycodes to the console. But the last thing it shows is "Security policy loaded: MAC/ntpd (mac_ntpd)".
01:30:25 yes, control-t which sends SIGINFO and should show you the current process running
01:32:59 other than that, you could try enabling rc_debug in rc.conf
01:35:03 zilti: enable logging in pf.conf, setup pflogd, reboot, wait for breakage, examine log, profit
01:43:02 zi: okay. I enabled pflogd. Where do I put the logging statement in pf.conf?
01:43:14 https://termbin.com/4xh5
01:45:48 It seems s3backer that is running on my server is getting blocked, as well as ntp, but I have a "pass out quick keep state"
01:45:56 zilti: man pf.conf, search for log
01:46:32 zi: I can't put log on the "block" statement. PF complains when I try that.
01:50:27 Okay. Seems my pf config blocks all outgoing traffic.
01:58:28 reminds me that I need to play the pf game again myself
01:58:35 not feeling it tonight though
01:59:07 So, no idea how to allow outgoing traffic. That rule used to work, now it does not.
01:59:11 but yeah, pretty sure pf default is "deny all" and you have to write rules on what to actually allow/pass
02:02:40 when I was tinkering with pf my router was having problems. So I was setting there beating myself over pf rules when they might not even have been the issue
02:04:38 They definitely are here, though. When I turn on pf on the running machine, outgoing traffic stops to work. Stopping it makes it work again. I tried half a dozen variants on "pass out". "pass out all", "pass out keep state", "pass out all keep state", "pass out on $ext_if", "pass out on $ext_if keep state", all of them with and without "quick".
02:04:38 Nothing works.
02:10:48 ...so, is there a solution to this, or is this a breaking bug in PF?
02:38:43 what branch are you on?
08:13:57 is there a way to run a one-off command in a sandboxed way?
08:14:23 eg. letting it access only certain places on the filesystem
08:21:22 capsicum or jails
08:22:21 is there a capsicum utility?
08:22:43 something like `capsicum-run prog`
08:26:28 makr: i've wished for this before, but i've never found such a thing. i did find a research paper discussing a prototype of it, but it didn't come with source code...
08:33:41 Morning. Is there any interest in adding the QUIC network protocol to the FreeBSD kernel? Some folks are working on that for Linux
08:52:58 makr Jails would make more sense, and you can do that with the jail command if needed.
08:54:07 jails are not really ideal for sandboxing a single command (although you can use them for that), we do need a better solution here
08:54:29 like, i don't really want to spawn a new jail just to run elinks every time i render an HTML email in mutt
08:54:38 ivy: there is some prior art here, gimme a few minutes to find it
08:57:03 aah yes val did some (awesome) work on this already https://github.com/valpackett/capsicumizer
08:57:50 ah, i think i've seen this before but never got around to trying it - i wonder why it's archived
08:59:32 ivy: IIRC val moved to codeberg & argentina https://val.packett.cool/ reach out and ask
09:00:22 if this works it would be nice to have it in base :-)
09:03:26 if you (or val ofc) is interested in picking this up I'm sure there would be a lot of interest
09:04:09 and help too
09:04:51 i have enough stuff in progress at the moment i'm running out of disk space for source trees, but i will add it to my ever-expanding todo list :-)
09:11:33 * dch knows the feeling
09:19:18 I found this talk too by Ryan Stone demoing a tool called caprun - https://www.youtube.com/watch?v=TGA4wbjbqXc
09:19:21 i can't find the code though
13:23:58 i use the repo pkg+https://pkg.FreeBSD.org/FreeBSD:14:amd64/latest but i can't find newer go than go121, shouldn't up to go124 be available there?
14:03:52 leah2: Looks like there's a problem with it: https://portsfallout.com/fallout/1116443/
14:04:01 ah!
14:04:07 I guess it didn't go
14:04:22 hehe
14:37:58 Where does the named ports store the hints file?
14:46:34 Nevermind.
17:10:35 oh next to nim binary ?
17:10:49 or nimble binary
17:12:41 since the path is /usr/local/bin/nimble I have the cacert.pem in /usr/local/bin/
17:53:57 hi there. i'm running 13.4-RELEASE-p3. an update was released, and i ran freebsd-update fetch and then freebsd-update install. the latter spit out a few errors: "install: ///usr/src/secure/caroot/blacklisted/INS@LId18q: No such file or directory" and three other files. is this something to worry about?
18:13:00 Hey, i am trying to use texi2dvi but it throws an error about not finding a `tex' binary. https://paste.rs/i69cB
18:14:22 i have the package texlive-base installed but it doesn't provide a tex binary either
18:17:30 rwp: you may or not recall I had an external usb drive having issues, I finally got round to fishing out a s-ata cable and testing the drive directly, it is still working luckily. Just need a new usb enclosure
18:21:02 apparently tex is in tex-basic-engines
19:48:00 any wine experts around?
19:49:25 would a cider expert do?
19:50:30 potentially
19:50:41 I'm trying to run factorio under wine. I had that working a few months back
19:51:03 now this (new/different machine): https://paste.jvnv.net/view/I5hQr
19:51:32 fairly sure that factorio.exe is a 64-bit executable
19:53:34 can't even run winetricks: https://paste.jvnv.net/view/4fZ4B
20:03:06 does the native linux version not work on freebsd?
20:05:26 no idea, never tried
20:12:16 Anyone running zfsd? Did you do anything in particular to configure it? I just added my first hot-spare to a zpool.
20:12:59 dvl: noooooooo don't use hot spares!!
20:13:32 dvl: keep a cold spare or at least an online device not attached to a pool. otherwise your zpool will randomly decide to attach its hot spare due to a temporary cabling issue or something like that
20:15:11 the only reason you need a hot spare is if you're sending a system to Antarctica and literally can't monitor it or log in to replace a failed disk with the spare
20:17:52 ivy: are you OK with me quoting you in https://dan.langille.org/2025/04/13/adding-in-a-hot-spare-for-zfs-on-freebsd/ ?
20:20:02 dvl: sure
20:20:37 ivy: thanks, please reload.
20:21:41 i'm not sure the way you've quoted it adds anything to the content, but ok :-)
20:21:55 OK, with that, it's time for off-computer stuff. Later. Thanks again.
20:23:57 dvl: there's better reasoning at point 12 here: https://nex7.blogspot.com/2013/03/readme1st.html
20:24:26 dvl: I have not hot spares, but responded on the media
20:24:47 anyway, zfsd could be handy
20:25:09 oh, was there any disagreement with my advice to not use hot spares? i assumed this was simply common knowledge nowadays
20:25:51 I don't know; who objected ?
20:27:27 I like to reason with dvl on the media, but I am still missing TechSnap series where he was the host
20:28:07 mzar: i don't know, but i have the impression dvl was not taking my suggestion seriously. which it was meant to be even if i phrased it in an IRC-like way
20:28:32 there is basically zero to ever use a hot spare in a modern storage environment except in very unusual circumstances
20:28:49 yep, at some point you stop to take all the suggestions seriously ;-)
20:29:54 It does seem that, say, if someone were to use a hotspare with raidz1 then instead raidz2 is preferred. And if someone were going to use a hotspare with raidz2 then raidz3 is preferred.
20:30:54 rwp: i think there's a more persuasive argument for using hot spares with mirror-stripes, where you can't just "add another disk", but i don't think it's a good argument because asking the system to make an objective assessment of its own state is just never going to be reliable
20:32:28 what about cold spares ? aren't they useful ?
20:32:48 yes, cold spares and/or warm spares are very useful and everyone should have those
20:35:42 keeping your spares cold is 100% conformant with the paradigm of green computing
20:37:02 well, you can have a 'warm' spare that you keep powered down if you're concerned about that
20:37:50 the power use of a single is pretty minor though, in most systems which are likely to care enough about their data to have spares
20:37:59 s/single/single disk/
20:41:22 but you can always hotplug cold spare, it's what hotswap was invented for
20:41:44 yes, but you need physical access to that, so whether you use cold or warm spare depends on that
20:41:50 dvl, If you search for "sudo sudo" in that article you might make an edit as that seems to be a sudo too many. :-)
20:42:26 good point, I believe that dvl still has this access ?
20:43:02 It's his other diary, so yes. :-)
20:43:50 Keeping the hotspare warmed up also adds spinning hours to the drive the same as the other drives. Now maybe that does not matter at all if the head remains parked. But the simple measure of using power on hours to determine approximate age of the drive is fuzzier in that case.
20:45:16 I have this vision of somehow keeping a stack of storage devices in a box magazine such that they are available and ready to be inserted into a system on one side of it while another device removes failed drives from the other side.
20:48:11 agreed, so we can draw the conclusions for dvl: running zfsd could be useful anytime, but you'd better keep your spares cold
20:51:04 mzar: i disagree, running zfsd is never useful, use warm or cold spares instead
20:51:36 that is the point i was making originally
20:56:03 ivy: zfsd could be handy if the children have access to hot swap bays and randomly replug the drives
20:56:23 a rifle might be more useful in that situation
20:56:32 how so ?
20:56:40 shoot the children, problem solved
20:57:22 But then there is the Hansel & Gretel rebuttal.
20:57:47 that's against the spirit of this channel, in the past debdrup or koobs banned for weeks for such the suggestions ivy
20:57:49 if the children shoot you, the problem is also solved, in that you no longer need to worry about your disks
20:58:03 good night
20:58:21 Let's move on to happier topics.
21:45:53 I'm wondering if people are using zstd to its fullest effect? Admittedly it does require you to use SAS enclosures with SES, and have autoexpand and autoreplace enabled as well - but if setup properly, zstd allows you to pull out a drive, insert another drive, have the zpool automatically replace the old vdev with the new one, and once you've done that with all the disks in a vdev, the vdev will expand.
21:47:17 what has zstd to do with autoexpand?
21:48:06 s/zstd/zfsd/
21:48:51 does freebsd work on any SBCs
21:49:33 looking for recommendations to be honest, something with opengl or vulkan drivers would be great, if somebody knows of something like that