I'm trying to learn about FreeBSD pf and firewalls. I setup a lab with 3 machines host0, host1, fw. host0 has the address 10.0.0.2/24 and is connected to network0. host1 has address 10.0.1.2/24 and is connected to network1. fw host is attached to both networks and has addresses 10.0.0.1/24 for net0 and 10.0.1.1/24 for net1.

I created a simple pf.conf with this syntax. nat on vtnet0 from 10.0.0.0/24 to any -> (vtnet0)

I am not able to get a TCP connection established from host0 to host1. I'm completely lost with where to start trying to troubleshoot this. I thought this should be enough.

Any ideas?

how is net0 talking to net1 directly in this case?

the freebsd fw host is in both networks. I would like it to pass the packets and manage connections between to two isolated networks.

try bridging the networks on fw

creating the bridge would only bridge the two segments. The two hosts are still in different subnets.

I need to route packets between two different subnets.

the fw has its own ip in both subnets and set as the gateway

Sakara: do you have net.inet.ip.forwarding=1 ?

test with firewall off and icmp first to confirm that works

Yes. sysrc gateway_enable="YES" was run.

ICMP packets make it.

i haven't used pf in a while, so i'm not sure about what might be wrong there, sorry

The syn packet makes it from one side to the other but for some reason the listening machine does not send back the syn-ack to the fw.

"make it" meaning it returns also?

Yes.

ping gets replies from host0 to host1 and vice versa.

sounds like a problem with the listening host

ah, you said "does not send" but maybe the issue is that it does send it, but it's not being processed by your firewall properly?

if I use nc from the fw the syn arrive and syn-ack response and it connects but if the syn packet is through NAT from the other machine it doesnt reply. I have no idea what I am doing wrong here.

if the listening host is in fact sending the reply, then it should be related to the contents of your pf conf and something related to tcp state tracking

The "server" is on host 0. I'm running nc -nkl 8080. The client is on host1 and run nc 10.0.0.2 8080. I see the syn packet arrive to host0. I see a state table entry in the fw but its state is "SYN_SENT:CLOSED"

is that a state table output that pf provides?

Yes.

pfctl -ss

did you define the gateway routes?

Yes. host0 has 10.0.0.1 as default gw. host1 has 10.0.1.1 as default gw

he said icmp works so routing is good

so first of all you're certain host0 is sending a reply?

host0 does not send a syn-ack back.

Thats where I think i'm getting to.

then surely it's some problem with host0, not sure what though. what is the differnce between the syn packet when the firewall sends it vs when the host1 sends it?

SYN_SENT:CLOSED usually means nothing is replying so it wasn't safe to assume that it wasn't routing issue

Using the phsyical console in virt-manager so hard to copy/paste. I will try see if I can spot what is different.

it could be that the firewall is translating the packet wrong, but if the address is in fact host1's address it can't be a routing issue

(if ping works)

ping just means the box is up, not the service running on 8080

sounds like we meant different things. agreed that host0 may not even be listening

oh, well, he did say that he was able to connect from the firewall, so it's probably listening

your view is also valid

host0 is listening "nc 10.0.0.2 8080" from the fw itself works. I connect and can send data from the fw two host0

maybe try to port forward from fw ip

Sakara: by the way, as i said i haven't used pf as much, but maybe your syntax is not doing what you want? don't you want to change net1 addresses to be 10.0.0.1? but you're applying your nat rule to packets in net0

maybe host0 is actually sending a reply but it's being translated to 10.0.0.1 (firewall) and then being dropped by host1?

I've tried so many combinations of interface, networks and address in pf.conf. I must have done something wrong. I just don't know what.

I'm tracing with tcpdump -i vtnet0 tcp on host0. I see the [S] but don't see [S.] Its not replying.

I don't know why.

oh I think I'm onto somthing.

I add some extra debugging and I see incorrect chksum.

ifconfig vtnet0 -hwcsum maybe...

Yup... Its a bug.... bugs.freebsd.org/bugzilla/show_bug.cgi?id=235607 I think I'm getting stung by this.

Omg now I don't feel like such a noob :) It wasn't me.

ah right..TSO not hwcsum...

not sure where i even got that from

then you can try ifconfig vtnet0 -tso ...

Dudes! ITS WORKING!

i would not think that would be a problem here during connection establishment, but maybe that's what it is

good

The [S] packet was getting dropped at host0 becuase the TCP chksum wasn't correct.

what did you change then?

ifconfig vtnet0 -rxcsum -txcsum -tso4 -lro on all the mahcines.

OK

yeah rxcsum txcsum was what i was trying to remember...

This lab is a bunch of qemu vms on a Linux host and this is some bug in the virt-io virtual nic I think.

in this case i think it would be one of the *csum that's causing it but not sure..

(well, txcsum)

i would be curious to know if you can check if just doing -rxcsum and -txcsum fixes it?

to establish the connection

Probably would be enough I think.

another kitten / baby seal dies to the virtio inet offload issue

That was rough man. I have dumped 4 or 5 hours of my life into trying to debug that.

well, it should have been quick to see with tcpdump that host0 was not replying. but as far as figuring out why that was clearly more subtle

I had to add the -v flag to tcpdump to make it clear the chksum was incorrect.

interesting find from where it was

I was using only "tcpdump -i vtnet0 tcp" to follow what was happening.

yeh, that's the subtle part

in any case i guess it wasn't fixed in "zero time", if you will

does that disable the checksum verification?

I wouldn't say it's fixed

lol

it just disables the virtio interface from asking the hypervisor to compute the checksums

It makes the TCP stack use the CPU to compute the checksum instead of offloading it to the virtual NIC

Physical NICs have physical integrated circuits for computing the checksum so you can save the CPU on the host.

in other words, increasing load on cpu instead of having the NIC do it's job

unfortunately, hence my comment about baby seals dying

Yup. Its what I have to do at the moment because the virtio doesnt work. It doesnt matter to me that much for this lab. virtio would still use the CPU on the host probably to compute the checksum.

I'm also just using this for some learning so no actual data moving around here.

enjoy

try docker

jmnbtslsQE: the checksum is part of the packet which ends up being a network routing issue of trust

Now onto the next mystery. I tried to make my firewall have very very short TCP connection timeouts. I add set timeout tcp.estalished 1 and this rules makes the timer change in pfctl -st output but never lower than 6 hours. Lets see if I can work this out.

sounds motivated

Can I ask what the stance by FreeBSD (core dev team and community) is about XLibre?

When looking at this list ( gist.github.com/probonopd/301319568a554abe7426c02eb5e19b5a ), FreeBSD is marked as "unclear" with the forum thread being very mixed, but ports appear to be in progress.

definitely not going to skim through 17 pages of forum threads, but I'd be surprised if a port is both created and actually gets off the ground

it's hard to take the project seriously when one of their major marketing points is "anti-DEI" bullshit

anywho, this probably won't be a productive discussion, so heading out this way ->

If Xlibre had just been calm and forked the project in order to keep it going I think all would have been okay. But instead they behave and act rather immature like an eleven year old not yet even a teenager about society and social items that it is hard to work with them after that point. If you can't work with them then they are going to have a hard time moving things forward.

kevans: First off, the fork is made by the only guy willing to maintain X11 for all these years. Second, the whole point of "anti-DEI" is exactly to keep politics out of open source, and then you get all those mentally ill individuals claiming that that's political whereas being "pro-DEI" isn't, the exact opposite of reality!

rwp: Any evidence of that though? The only immature behavior I've been able to find are far leftists complaining about Enrico's apolitical stance in the issue tracker and on blogs. And I've been following this project since it was announced.

And if it's not about the apolitical stance, then they REE about it just because Brian Lunduke likes it, which is even more childish.

remiliascarlet: please read and reflect on the replies given. i doubt anyone here will engage in arguing.

|cos|: I'm only pointing out the irrational/illogical reasons for rejection, not even trying to pick a fight.

And there's people telling everyone how much of a dick and/or immature Enrico is without ever providing any evidence, so I asked for evidence.

m

Methinks the reactions to the announcement of the Xlibre form were far more telling than those from the fork-initiator himself.

It would be nice to see a port. But I suppose he'll have to first prove he has an actual project with more people than just him

It's all political. It's political to say you want to make sure minorities aren't underrepresented, it's political to say you'll kick people out for racism, homophobia and transphobia and it's political to say you'll let them stay

is this really 500MB? archive.org/details/WinXPProSP3x86

no kidding

bill gates maybe knew how to code

if you say you're "anti-DEI" that's not simply something you've intelligently reasoned your way to with your specifically oversized brain as being the world's most neutral stance, it's repeating a MAGA slogan, that's sending a very specific signal about who you want to welcome in your project. It's not a surprise it's caused a fuss.

If you really want to keep it to collegiate conversations about the merits of the code you don't start with a slogan that's widely understood to mean a specific thing

i don't know, man. no idea. please no politics to me

zip: it wasn't the brightest way of expressing it, indeed. I can understand where it comes from, but it could have been phrased in a slightly less prone-to-flamewar way.

Regardless, the reaction to it was more telling to me. A single person acting out - eh, daily business. A corporate heavyweight like RedHat going out and wiping a developer's accesses, code and commits because of the creation of a fork - that is troubling.

oh well, now the guy has folks pulling him up for patches where he did an xor instead of an exponent

I hadn't heard about the RedHat side of it, not that I especially want to run off and read about it in depth

We'll see where it goes after the dust settles and he manages to push out a release or two with actual improvements. Or not.

If he manages to get it out, all the better. Xorg has been in a rut, and I'm not excited about Wayland.

A lot depends on how much he can do on his own and how much he needs to build a functioning community

if it's the latter, this has not been an auspicious start

Judging by the commits, he was already doing most of Xorg updates on his own. But "most of" is not "all".

Still, I seem to remember the birth of Xorg itself also started with some serious dissonant notes. :°)

I'm half surprised nobody's attempted to build X in rust

zip: probably because there's not much of a point in it, but that hasn't stopped other projects from trying to re-invent the wheel in rust.

I don't really understand the Wayland hate. Sure I miss the networky half, running a remote Firefox session on my mac or whatever was neat, but also I can totally see why they'd drop it and the session security stuff seems more important these days

I don't particularly hate it. It just appears less than complete and stable - the times when I tried it, granted, a while back, it didn't offer me much.

My main concern with Wayland is adding too many Linux-only dependencies

I thought that session security was one of the things the Xlibre dude wanted to look at.

oh yeah, from a FreeBSD perspective it's annoying as hell :D

We've already had stuff like hald and dbus

I just logged out the void machine and told it to log in with gnome on x and the whole thing crashed, RIP

oh fuck, now it's defaulting to x11 and crashing on boot. great.

zip: It's not like I hate Wayland, it's just a project that was set up to replace Xorg because "too old". 17 years later, and it's still lacking fundamental functionality, it's still buggy, it's still slow, and it's very Linux-specific at times.

Alver: XLibre already has its first release, and already has implemented the security features he promised.

And I actually want both XLibre and Wayland to exist, it's called user choice.

_phew_, single user mode saves the day. Once I figured out where the hell gdm stores its data these days.

remiliascarlet: agreed.

mm, I'm not against it either

oh fuck me I just worked out why it's called bastille

Ha :°)

je croyais que c'etait assez evident

I'm sorta kinda being forced to use vnet jails because I want to do things with tun devices, which in a non-vnet jail appears... troublesome

ouias mais je ne suis pas française :P

Bof, moi non plus

any idea why cve.org/CVERecord?id=CVE-2025-4517 is not listed in pkg audit -F ?

(I have python311-3.11.12_1 installed)

Hi, i ran freebsd-update -r 14.3-RELEASE upgrade, but i lost my term when it asked for resolving sshd_config conflicts

i killed the process and restarted it in screen, is that safe ?

i always run that in screen

i mean is that safe to brut restart without cleaning anything ?

not the screen part

zip: gdm stores its stuff in a dconf database which takes its values from various conf files :p

Hrm. In a vnet jail I can create a tun device, but I cannot give it an IP. Empty IFA_LOCAL/IFA_ADDRESS, ioctl (SIOCAIFADDR): permission denied

Anyone have an idea? I thought that after creation, the tun would be easy, but... no.

g

Pauli1: youtube.com/watch?v=7Sh5_p9gpws

how fast does your scrub go? this seems... pretty slow?

14.8T / 28.8T scanned at 213M/s, 12.6T / 28.8T issued at 181M/s

0B repaired, 43.69% done, 1 days 02:02:30 to go

i think thats normal for that much terabytes

rtprio: with 8x 7200rpm disks, it fluctuates a bit, but typically i see around 500MB/s

nxjoseph: it's not related to the size of the pool, but to the speed of the storage

ivy: hmm i see

i would have thought sata3 would have been faster than this

or maybe i bought the wrong controller

I think I got X11 working. I want to test 'Awesome wm'. But I am not sure if Awesome reads the default config or not, because I don't know what I am supposed to get onscreen with default rc.lua...

I get 3 Xterm windows and a clock no matter what I do

your default config is probably twm, if you didn't set something with `.xinitrc`

I do believe you hit the head on the nail so to speak. I think I named that file something else :)

thx :)

there's .xsession* (can't remember exactly) but that's only if you use a display manager

Btw, where can I report that there's a newer version of a package? Freecad 1.0.1 has been out for a while

pike: it's already above 1.0.1

pike: freshports.org/cad/freecad

quarterly likely has not it yet

ah right quarterly. Still a newbie here

I read that you should not mix pkg and ports and I stay on pkg for now

i took the redpill and went full ports way with poudriere

xD

nxjoseph: how many systems do you build ports for?

rtprio: it's just my system

i build on the same machine that i use the ports

74 prime packages in my poudriere to-be-built list. 1076.pkg files (deps, primes) at total in my package repository.

611 installed

i still fail to understand why you'd use poudriere for a single system

rtprio: because if i use remote repo, i won't be using poudriere in my daily usage, this means i will not have 'already built' ports in my local repository, if you maintain ports, you eventually need to use poudriere to build the dependencies of your ports. if you use poudriere already, it becomes easier imo.

poudriere's binary package fetching didn't work me back then, later i switched to poudriere all the way

and i feel like this is better than pkg

but how is a poudirere config different than just setting the options for the ports

and rebuilding the ports when you want to

rtprio: i didn't got you. when you just configure any port on your host system, it just creates a file containing what's turned on or off in /var/db/ports. it's the same with poudriere

so i get it, you have too much free space and want to burn a bit with packages that are only ever installed once

it's 3gb where built package files are stored.

i don't have much space

NAME AVAIL USED USEDSNAP USEDDS USEDREFRESERV USEDCHILD

zroot 117G 82.3G 0B 96K 0B 82.3G

what do you mean by 'only ever installed once'

everything i built is needed either for me or for my ports

ok great

rtprio: are you interested in something like ports?

i mean do you contribute anything to freebsd, i.e maintaining ports. i don't say not contributing is bad here

i've submitted patches in the past

rtprio: i see, were they about ports?

i've submitted patches for ports in the past

rtprio: gotcha

Anyone know how to allow a vnet jail to assign an IP to a tun device it created?

I can do ifconfig tun0 create just fine - but putting an IP on it gives a permission denied.

Hi so I have a BCM4311 wifi chipset am trying to get going...

I've added src/sys to components in the freebsd-update.conf file how do I get it to pull them...

And kernel naturally as need them to build the /usr/ports driver

Daboone72: do you mean this port?: net/bwn-firmware-kmod

Yes that one I've checked my card is present in the list

From here wiki.freebsd.org/dev/bwn%284%29

Daboone72: but you would still need internet access to fetch the sources that this port requires

Yes it's plugged into ethernet via a long 5m cable

I'd like to lose the cable it's on a netbook after all

Daboone72: great then, why don't you use pkg?

ok great how do I install kernel sources using pkg?

kernel sources?

don't you only need the firmware package

Though it is annoying freebsd-update doesn't have an examples

Well bwm lives in /usr/ports/net/ and has a make file

I have no wlan0 device

yes it seems you need this firmware to make your system see it.

that's not bwn, it's the firmware files for bwn. bwn itself is in the kernel, you just need to install the firmware

ivy: bwn(4): This driver requires firmware to be loaded before it will work. The

ports/net/bwn-firmware-kmod port needs to be installed before

ifconfig(8) will work.

nxjoseph: right, that's what i said?

ivy: dang, sorry, i read wrong, i thought you said you don't need to install it...

Well pkg search bwn-firmware doesn't exist as a package anyway

Daboone72: so you should be able to just do "pkg install bwn-firmware-kmod", this doesn't require kernel sources

ivy: maybe it would if it's not built for their kernel version

If it was in a package already can't imagine they'd bother with ports

ah, it's NO_PACKAGE

ivy: great catch

i think it would require source tree to be installed in /usr/src to be built

because it's a kernel module

nxjoseph you got it I tried building it but it dies as it needs kernel sources.

Someone suggested adding the components to freebsd-update.conf which is great

But I don't know how to tell it to pull them

i'd recommend using devel/git

to pull the sources

don't know about freebsd-update way

Ahh ok so no easy way as the tutorial for that route is very long

git is easy

we can help you here

Have you seen setup for kernel build docs.freebsd.org/en/books/handbook/cutting-edge/#makeworld

you don't need to build anything on your own

i did compile base from source before

I know git I use it daily it's the rest that bothers me

the port will handle it for you

Ahh well perhaps it'll be useful for other drivers. Laptop power management

you don't need to build the whole source

the port just needs it for some info i guess

it should be a quick process

you won't have a new kernel because of that port either

it just needs to know your source files

With any luck it doesn't need much

there's nothing to bother you, believe me

If I run into too many headache's it's a freshish install will just reimage and add the sources

i think you won't but good thing you can do a reinstall

Hey this is nice. "fetch -o /tmp ftp://ftp.freebsd.org/pub`uname -s`/releases/`uname -m`/`uname -r | cut -d'-' -f1,2`/src.txz"

Daboone72: indeed, dependency free

Yay firmware images built let's see if we have a network interface

Daboone72: let's see

nxjoseph winning I have interface up and can scan and see my router

Daboone72: nice!

hope it connects too

Typical I had a supplicant example but can't find it

there is /usr/share/examples/etc/wpa_supplicant.conf

but it's a sample file, don't know if it would work out of the box after entering network credentials

nxjospeh Don't worry I used a bit of google ai and some common sense. I have a wlan0 connected woohoo

Daboone72: haha, nice

how's the speed, is it enough?

Yes that will be of concern will do some speed tests somehow maybe finish next task get xfce4 installed and xrdp

Daboone72: ok. what are you going to do with rdp

Remote desktop to it from my work pc todo scripting and the like.

With freebsd being so good with databases it's going to be a largely standalone database machine.

Daboone72: i see, would you be able to connect to it from work? CGNAT things... maybe you have a real ipv4, i don't know.

Keep personal journals and use that Symphytum database

Well I work from home but yes with an ISP that does give me a static and supports ipv6

Daboone72: i see, i thought it was at the office

This will be my second freebsd box the other being a Raspberry pi 3 that will run a Dns

Daboone72: great, i have a rpi 3 model b too, ran adguard on it once but not anymore.

I'm warming to free bsd I especially liked when it checked package consistency and I see it will sanity check downloads

from third parties too

It was going to be netbsd on my netbook but after it dropped me into single user mode twice and has a installer that makes things hard work

Loved freebsd installer never installed with an encrypted disk before that made it childs play

There must be a tool to make x windows an easy install?

Anyway nxjoseph goal achieved for today thanks for your help.

Time I retired name's Daniel btw

Daboone72: you're welcome, yes, there's a tool, it's called pkg :)

Daniel:

gotta sleep, good night - 1:50 am here.

When you move from Windows to *nix there's always software you need to give up. One software that I would like to find an alternative for is 'Platinum Notes'

pike: What's it do?

It performs a lossy normalization operation on musicfiles to make them sound similar loudness. I use it on flac files for use in my car.

I will try and make it work with Wine before I give up

pike: Hm. You can do something like that with Audacity.

pike: Maybe audio/sox would work?

I, a command line person, sox for various podcast audio things. But I would be surprised if Audacity did not do the job easily too.

As a more extreme fallback option... Many people keep a MS-Windows VM Virtual Machine running in bhyve for software that they want to run there.

pike: you could look at rsgain, which sets ReplayGain metadata for FLAC files (among others), but perhaps your car doesn't support that

Here's the basic idea behind Platinum Notes. It scans the file, then it applies the normalizing you've choosen. I use -12.5dB. It also has clip repair.

correct, my car can't handle replaygain

it feels like converting a directory of flac files with replaygain metadata into a directory of normalised flac files should not be very difficult, but i can't think of anything that can do that off hand. i'd probably look at sox too...

I will look into sox for sure. thx for the tip.