hrm, i think i figured it out, just had to :duck: it

guys, im trying to install freebsd on virt-manager kvm, the mouse dont work

hmm, well I was about an hour late on responding to that question LOL

SponiX: Erm?

I have always had the virt-manager defaults be okay. But if the mouse is not working then almost certainly it is missing a device. For KVM the best device is the tablet driver because it uses absolute X-Y coordinates instead of the mouse drivers relative motion coordinates. It works better through the layers that way.

it's not really designed for that is it

?

is ntt in .jp engaged in freebsd much?

I'm getting confused by binat rules in pf. I'm getting this error: 'binat' source mask and redirect mask must be the same. I'm really not sure what this means, because that's not true in any of the examples in pf.conf(5).

Zerock, If you want a review you will need to pastebin your pf.conf file so that others can see it.

binat is mapping 192.168.3.0/24 to 100.50.3.0/24

one ip to one ip, so they'd need the same mask or it would no longer be 1:1

ohh, I think I see what you mean

how can i restart my laptop that has no power button.. i forgot to make install clean dwm and now its stuck with the curour in the to left corner

i can't ctrl +alt delete ntohing

ssh into it?

oo

ctrl-alt-f3 for a tty and log in there

dam don't know the ip

yea ttys aren't working either

nmap -p 22

its stuck

can i nmap the whole network for port 22 ?

okay then what's the best way to do what I'm trying to do? I want to use this machine as a gateway between a VPN and one particular other host inside my LAN. I have a rdr rule set up to accept a connection from the VPN and redirect it to the other machine on the LAN, but that other host doesn't have a route back to the client on the VPN. So I want to NAT the traffic from the VPN to the LAN address

of my gateway and vice versa so the return traffic is properly received.

yep. nmap -p 22 192.168.0.1/24

nice

oxbar: if your laptop has no power button, how do you even turn it on?

open the lid.. its a lenova it just turns on

its an old yoga

also there is a lenova button thing when its kinda charged you can press and it tries to go to the bios and stuff

what a strange design

yep.. sound dosen't work i've liltterally tried everyting and so have the people on the forums so i need to file a bug.. need to get info off the lpatop for logs

Zerock: you could binat the single /32

?

oh maybe that would work

oh wait... no, because the source can be anything on a /24 VPN

well, I did just get it working by adding two regular NAT rules

annoying to have the extra step but it does seem to work

Doesn't the Lenovo Yoga have a power button on the side? Pretty sure it does.

rtprio: Thanks for the sshd recommendations.. rebooted :D

rwp: my son broke it like a year ago.. its all smashed in

waiting on authorization so i can file a bug for this sound issue

is there a script i need to fill out when i file the bug ?

If anyone is using TheLounge in a 14.x-RELEASE jail, can I please see your rc script? I previously could run this software via daemon(8) in 13.x-RELEASE, and now I can't figure out why I am having issues on 14.3-RELEASE.

im using thelounge but i don't have any rc script or jail

sorry

running it in tmux or something? that's what i'm resorting to for the moment

scoobybejesus_tl: how daemon works shouldn't have changed very much between 13 and 14

depends on the versions of 13 and 14 you're talking about

we did a lot of refactoring of daemon(8) after 14 branched that was backported to both 13 and 14 at varying stages of their life. it should've all been non-functional-change, but mistakes do happen (and we caught a few)

what is the command to properly shut down a freebsd system? `shutdown now` gets me to a rescue shell prompt

shutdown -p now

^^

or just poweroff which is alias of shutdown -p now

how about removing the 10 second wait from the boot menu?

but the reboot is not the same, it doesn't wait for services to stop

autoboot_delay

2

^^

(see loader.conf(5))

in /boot/loader.conf - autoboot_delay="-1"

wavefunction, kevans: ty

is there something to do to boot into multi-user mode when no autoboot delay is set? like in grub, when shift is pressed.

not boot into multi&

i mean how to enter single-user mode when you have autoboot_delay-2

nope, not really an escape hatch there

i see, ty

you probably want =0 if you're worried there

so with 0, you've the chance to spam 2 key to load into single?

Yeah: `If set to “0”, no delay is inserted, but any keys pressed while the kernel and modules are loaded will enter interactive mode.`

allegedly, but now that I write this out I don't really remember implementing that in lualoader

I wonder if it's implemented in the C bits

ok ty, dunno bout 'c bits' and 'lualoader'

good night

Hi! Just a newbie question... I have a BIOS computer with GPT, with a freebsd-boot type partition and a freebsd-zfs type partition containing a zfs-native-encrypted root dataset. I bootstrap the system with "gpart bootcode -b /boot/pmbr -p /boot/gptzfsboot". Is it possible for freebsd with bectl to boot the zfs-native-encrypted root dataset? Do I need to create an unencrypted dataset and move the

files from /boot in the encrypted dataset to / in the unencrypted dataset?

i do not think /boot can be encrypted... furthermore i do not recall /boot even lives in the pool

andreas303: so far it's not possible to boot from zfs-native-encrypted

...dataset

but you can have zfs-native-encrypted datasets within bootable zpool

mzar: I see. I've searched the internet for info about it, but it feels as if I've found contradictory information, so I felt a little confused.

mzar: A related question, is it possible for freebsd with bectl to boot a GELI-encrypted root dataset instead?

loader can do GELI, yes

andreas303: no worries, please feel free to do some experimentation, perhaps it's possible to boot from zfs-native-encrypted dataset using grub2

I am not using GELI-encrypted zpool, but yes, it should be doable

kevans: Ah, OK, I think I'll try the GELI approach then. A just wonder about /boot. After my recent install (for an unencrypted zfs dataset), /boot is just an ordinary directory in the root dataset, and it boots just fine. Should I move /boot to it's own dataset or its own partition anyway?

Or, in other words, should I move /boot/* to a partition outside of the GELI-encrypted one when I install the GELI-encrypted root dataset?

andreas303: i'd tend to recommend setups where you can both meet your security goals and still keep /boot within the domain of the boot environment

GELI allows it to work because all of our boot programs can speak GELI now

so even in the gptzfsboot -> /boot/loader case, it should be fine (but this is admittedly a relatively recent innovation, past ~8 years or so)

:D

we used to have to do a horrid bootpool setup (and still do in some cases) where you have your main pool and a separate bootpool, then the bootpool gets mounted and symlinked to /boot and it's... all kind of gross

for exactly the reasons you've hit, we couldn't always read /boot

nobody has taken the time to teach loader about zfs encryption, and there's a non-zero chance that the BIOS bootloader/programs still wouldn't support it due to space issues

ha... that would be a real bummer

kevans: Hmm, sorry for another newbie question (I come from the linux world where bootstuff are a bit different), but how do you mean with "within the domain of the boot environment"? Do you mean that I should keep /boot as an ordinary directory in the GELI-encrypted root dataset, or do you mean that I should create a separate dataset for the contents of /boot within the root pool, or do you mean

that I should create a separate GPT partition with an unencrypted zfs-dataset containing the contents of /boot?

andreas303: yeah, that first one

it's better to keep it all under GELI encryption

kevans & mzar: I see. Sounds reasonable. OK, I'll try it and get back to this channel if I mess up. :) Thx for the advice!

good luck, happy booting

+1

FWIW, grub2 probably still doesn't support booting native encrypted zfs dataset

andreas303, I recommend doing a test install using the ISO installer so that you can see how it sets up an encrypted system using GELI. That would be a painless way to give you a look at the default fully encrypted system.

Such as this install iso: download.freebsd.org/releases/amd64…reeBSD-14.3-RELEASE-amd64-disc1.iso

That would set up rather of a base reference system of the current style.

However GELI pretty much requires you to be on the console which is fine if this is your laptop. No ability to do a remote boot. That's a problem on server systems.

In which case there is the freebsd-outerbase project. It boots a small system unencrypted and then uses that to bootstrap a second system that is fully encrypted.

rwp: Thanks for the suggestions! It's not necessary to have remote unlocking functionality, even though it would be nice to have. For me it's more important to be able to rollback to earlier snapshots or other boot environments if I mess up. I will checkout the freebsd-outerbase though.

rwp: Currently, I use github.com/Sec42/freebsd-remote-crypto to unlock a geli-encrypted root from the console or via dropbear (by means of rerooting), which works well. Unfortunately it doesn't support booting a zfs-native-encrypted root. I'm not sure if it supports snapshot rollback, so I want to try out other approaches to see which one is most suitable for me.

andreas303, Ah! That looks like yet another approach to solve the same problem of remote rebooting. I was unaware of that one and am adding it to my notes.

If you don't need remote rebooting then the standard installation using GELI is the best way to go. It's secure, robust, and well understood. Can't go wrong with it.

unless you forget your passphrase

Forgetting your passphrase does make it even more secure as even you won't be able to decrypt it.

Xe: Anubis is running flawlessly (freebsd+nginx+cgit+fcgiwrap) thanks to your instructions.

wavefunction: yay, happy to hear!

i'm working on automated BSD testing soon enough, gonna use dch's podman magic