00:16:51 I'm trying to learn about FreeBSD pf and firewalls. I set up a lab with 3 machines host0, host1, fw. host0 has the address 10.0.0.2/24 and is connected to network0. host1 has address 10.0.1.2/24 and is connected to network1. fw host is attached to both networks and has addresses 10.0.0.1/24 for net0 and 10.0.1.1/24 for net1.
00:17:40 I created a simple pf.conf with this syntax. nat on vtnet0 from 10.0.0.0/24 to any -> (vtnet0)
00:18:10 I am not able to get a TCP connection established from host0 to host1. I'm completely lost with where to start trying to troubleshoot this. I thought this should be enough.
00:18:13 Any ideas?
00:31:02 how is net0 talking to net1 directly in this case?
00:32:45 the freebsd fw host is in both networks. I would like it to pass the packets and manage connections between the two isolated networks.
00:33:18 try bridging the networks on fw
00:38:08 creating the bridge would only bridge the two segments. The two hosts are still in different subnets.
00:38:18 I need to route packets between two different subnets.
00:43:38 the fw has its own ip in both subnets and set as the gateway
00:51:16 Sakara: do you have net.inet.ip.forwarding=1 ?
00:51:34 test with firewall off and icmp first to confirm that works
00:51:54 Yes. sysrc gateway_enable="YES" was run.
00:52:00 ICMP packets make it.
00:52:35 i haven't used pf in a while, so i'm not sure about what might be wrong there, sorry
00:52:55 The syn packet makes it from one side to the other but for some reason the listening machine does not send back the syn-ack to the fw.
00:52:56 "make it" meaning it returns also?
00:53:00 Yes.
00:53:12 ping gets replies from host0 to host1 and vice versa.
00:53:40 sounds like a problem with the listening host
00:54:32 ah, you said "does not send" but maybe the issue is that it does send it, but it's not being processed by your firewall properly?
00:54:32 if I use nc from the fw the syn arrive and syn-ack response and it connects but if the syn packet is through NAT from the other machine it doesn't reply. I have no idea what I am doing wrong here.
00:56:53 if the listening host is in fact sending the reply, then it should be related to the contents of your pf conf and something related to tcp state tracking
00:57:07 The "server" is on host 0. I'm running nc -nkl 8080. The client is on host1 and run nc 10.0.0.2 8080. I see the syn packet arrive to host0. I see a state table entry in the fw but its state is "SYN_SENT:CLOSED"
00:58:11 is that a state table output that pf provides?
00:58:27 Yes.
00:58:30 pfctl -ss
00:58:55 did you define the gateway routes?
00:59:31 Yes. host0 has 10.0.0.1 as default gw. host1 has 10.0.1.1 as default gw
00:59:38 he said icmp works so routing is good
01:02:17 so first of all you're certain host0 is sending a reply?
01:02:36 host0 does not send a syn-ack back.
01:02:41 That's where I think i'm getting to.
01:03:21 then surely it's some problem with host0, not sure what though. what is the difference between the syn packet when the firewall sends it vs when the host1 sends it?
01:03:37 SYN_SENT:CLOSED usually means nothing is replying so it wasn't safe to assume that it wasn't a routing issue
01:04:08 Using the physical console in virt-manager so hard to copy/paste. I will try see if I can spot what is different.
01:04:18 it could be that the firewall is translating the packet wrong, but if the address is in fact host1's address it can't be a routing issue
01:04:50 (if ping works)
01:07:40 ping just means the box is up, not the service running on 8080
01:10:40 sounds like we meant different things. agreed that host0 may not even be listening
01:11:13 oh, well, he did say that he was able to connect from the firewall, so it's probably listening
01:11:14 your view is also valid
01:11:40 host0 is listening "nc 10.0.0.2 8080" from the fw itself works.
I connect and can send data from the fw to host0
01:13:51 maybe try to port forward from fw ip
01:18:23 Sakara: by the way, as i said i haven't used pf as much, but maybe your syntax is not doing what you want? don't you want to change net1 addresses to be 10.0.0.1? but you're applying your nat rule to packets in net0
01:19:33 maybe host0 is actually sending a reply but it's being translated to 10.0.0.1 (firewall) and then being dropped by host1?
01:19:35 I've tried so many combinations of interface, networks and address in pf.conf. I must have done something wrong. I just don't know what.
01:20:07 I'm tracing with tcpdump -i vtnet0 tcp on host0. I see the [S] but don't see [S.] It's not replying.
01:20:11 I don't know why.
01:21:17 oh I think I'm onto something.
01:21:41 I add some extra debugging and I see incorrect chksum.
01:22:29 ifconfig vtnet0 -hwcsum maybe...
01:22:50 Yup... It's a bug.... https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=235607 I think I'm getting stung by this.
01:23:01 Omg now I don't feel like such a noob :) It wasn't me.
01:24:08 ah right..TSO not hwcsum...
01:24:24 not sure where i even got that from
01:24:34 then you can try ifconfig vtnet0 -tso ...
01:25:12 Dudes! IT'S WORKING!
01:25:14 i would not think that would be a problem here during connection establishment, but maybe that's what it is
01:25:22 good
01:25:42 The [S] packet was getting dropped at host0 because the TCP chksum wasn't correct.
01:26:12 what did you change then?
01:26:41 ifconfig vtnet0 -rxcsum -txcsum -tso4 -lro on all the machines.
01:26:55 OK
01:27:07 yeah rxcsum txcsum was what i was trying to remember...
01:27:09 This lab is a bunch of qemu vms on a Linux host and this is some bug in the virt-io virtual nic I think.
01:27:37 in this case i think it would be one of the *csum that's causing it but not sure..
01:28:12 (well, txcsum)
01:28:49 i would be curious to know if you can check if just doing -rxcsum and -txcsum fixes it?
01:28:59 to establish the connection
01:29:26 Probably would be enough I think.
01:41:16 another kitten / baby seal dies to the virtio inet offload issue
01:42:34 That was rough man. I have dumped 4 or 5 hours of my life into trying to debug that.
01:43:59 well, it should have been quick to see with tcpdump that host0 was not replying. but as far as figuring out why that was clearly more subtle
01:44:22 I had to add the -v flag to tcpdump to make it clear the chksum was incorrect.
01:44:25 interesting find from where it was
01:44:41 I was using only "tcpdump -i vtnet0 tcp" to follow what was happening.
01:44:48 yeh, that's the subtle part
01:45:03 in any case i guess it wasn't fixed in "zero time", if you will
01:45:59 does that disable the checksum verification?
01:46:09 I wouldn't say it's fixed
01:46:12 lol
01:46:30 it just disables the virtio interface from asking the hypervisor to compute the checksums
01:46:35 It makes the TCP stack use the CPU to compute the checksum instead of offloading it to the virtual NIC
01:47:16 Physical NICs have physical integrated circuits for computing the checksum so you can save the CPU on the host.
01:47:55 in other words, increasing load on cpu instead of having the NIC do its job
01:48:16 unfortunately, hence my comment about baby seals dying
01:48:51 Yup. It's what I have to do at the moment because the virtio doesn't work. It doesn't matter to me that much for this lab. virtio would still use the CPU on the host probably to compute the checksum.
01:49:21 I'm also just using this for some learning so no actual data moving around here.
01:51:01 enjoy
01:58:13 try docker
02:11:05 jmnbtslsQE: the checksum is part of the packet which ends up being a network routing issue of trust
02:13:30 Now onto the next mystery. I tried to make my firewall have very very short TCP connection timeouts. I add set timeout tcp.estalished 1 and this rule makes the timer change in pfctl -st output but never lower than 6 hours.
Let's see if I can work this out.
02:24:44 sounds motivated
03:42:29 Can I ask what the stance by FreeBSD (core dev team and community) is about XLibre?
03:43:27 When looking at this list ( https://gist.github.com/probonopd/301319568a554abe7426c02eb5e19b5a ), FreeBSD is marked as "unclear" with the forum thread being very mixed, but ports appear to be in progress.
03:49:16 definitely not going to skim through 17 pages of forum threads, but I'd be surprised if a port is both created and actually gets off the ground
03:50:37 it's hard to take the project seriously when one of their major marketing points is "anti-DEI" bullshit
03:50:56 anywho, this probably won't be a productive discussion, so heading out this way ->
04:08:26 If Xlibre had just been calm and forked the project in order to keep it going I think all would have been okay. But instead they behave and act rather immature like an eleven year old not yet even a teenager about society and social items that it is hard to work with them after that point. If you can't work with them then they are going to have a hard time moving things forward.
07:15:39 kevans: First off, the fork is made by the only guy willing to maintain X11 for all these years. Second, the whole point of "anti-DEI" is exactly to keep politics out of open source, and then you get all those mentally ill individuals claiming that that's political whereas being "pro-DEI" isn't, the exact opposite of reality!
07:17:10 rwp: Any evidence of that though? The only immature behavior I've been able to find are far leftists complaining about Enrico's apolitical stance in the issue tracker and on blogs. And I've been following this project since it was announced.
07:20:56 And if it's not about the apolitical stance, then they REE about it just because Brian Lunduke likes it, which is even more childish.
07:21:56 <|cos|> remiliascarlet: please read and reflect on the replies given. i doubt anyone here will engage in arguing.
07:24:48 |cos|: I'm only pointing out the irrational/illogical reasons for rejection, not even trying to pick a fight.
07:26:53 And there's people telling everyone how much of a dick and/or immature Enrico is without ever providing any evidence, so I asked for evidence.
07:30:28 m
07:34:04 Methinks the reactions to the announcement of the Xlibre form were far more telling than those from the fork-initiator himself.
07:35:06 It would be nice to see a port. But I suppose he'll have to first prove he has an actual project with more people than just him
08:40:31 It's all political. It's political to say you want to make sure minorities aren't underrepresented, it's political to say you'll kick people out for racism, homophobia and transphobia and it's political to say you'll let them stay
08:41:11 is this really 500MB? https://archive.org/details/WinXPProSP3x86
08:41:34 no kidding
08:42:04 bill gates maybe knew how to code
08:46:27 if you say you're "anti-DEI" that's not simply something you've intelligently reasoned your way to with your specifically oversized brain as being the world's most neutral stance, it's repeating a MAGA slogan, that's sending a very specific signal about who you want to welcome in your project. It's not a surprise it's caused a fuss.
08:46:52 If you really want to keep it to collegiate conversations about the merits of the code you don't start with a slogan that's widely understood to mean a specific thing
08:48:01 i don't know, man. no idea. please no politics to me
08:49:26 zip: it wasn't the brightest way of expressing it, indeed. I can understand where it comes from, but it could have been phrased in a slightly less prone-to-flamewar way.
08:50:35 Regardless, the reaction to it was more telling to me. A single person acting out - eh, daily business. A corporate heavyweight like RedHat going out and wiping a developer's accesses, code and commits because of the creation of a fork - that is troubling.
08:50:37 oh well, now the guy has folks pulling him up for patches where he did an xor instead of an exponent
08:51:32 I hadn't heard about the RedHat side of it, not that I especially want to run off and read about it in depth
08:51:57 We'll see where it goes after the dust settles and he manages to push out a release or two with actual improvements. Or not.
08:52:24 If he manages to get it out, all the better. Xorg has been in a rut, and I'm not excited about Wayland.
08:52:43 A lot depends on how much he can do on his own and how much he needs to build a functioning community
08:52:49 if it's the latter, this has not been an auspicious start
08:53:08 Judging by the commits, he was already doing most of Xorg updates on his own. But "most of" is not "all".
08:54:05 Still, I seem to remember the birth of Xorg itself also started with some serious dissonant notes. :°)
08:55:33 I'm half surprised nobody's attempted to build X in rust
09:21:09 zip: probably because there's not much of a point in it, but that hasn't stopped other projects from trying to re-invent the wheel in rust.
09:27:12 I don't really understand the Wayland hate. Sure I miss the networky half, running a remote Firefox session on my mac or whatever was neat, but also I can totally see why they'd drop it and the session security stuff seems more important these days
09:29:52 I don't particularly hate it. It just appears less than complete and stable - the times when I tried it, granted, a while back, it didn't offer me much.
09:30:03 My main concern with Wayland is adding too many Linux-only dependencies
09:30:07 I thought that session security was one of the things the Xlibre dude wanted to look at.
09:30:16 oh yeah, from a FreeBSD perspective it's annoying as hell :D
09:30:23 We've already had stuff like hald and dbus
09:35:46 I just logged out the void machine and told it to log in with gnome on x and the whole thing crashed, RIP
09:36:30 oh fuck, now it's defaulting to x11 and crashing on boot.
great.
09:36:38 zip: It's not like I hate Wayland, it's just a project that was set up to replace Xorg because "too old". 17 years later, and it's still lacking fundamental functionality, it's still buggy, it's still slow, and it's very Linux-specific at times.
09:38:27 Alver: XLibre already has its first release, and already has implemented the security features he promised.
09:39:16 And I actually want both XLibre and Wayland to exist, it's called user choice.
09:47:25 _phew_, single user mode saves the day. Once I figured out where the hell gdm stores its data these days.
09:48:36 remiliascarlet: agreed.
09:49:03 mm, I'm not against it either
09:49:30 * Alver is fighting bastille and vnet jails
09:50:09 oh fuck me I just worked out why it's called bastille
09:50:43 Ha :°)
09:51:17 I thought it was obvious enough
09:51:41 I'm sorta kinda being forced to use vnet jails because I want to do things with tun devices, which in a non-vnet jail appears... troublesome
09:51:48 yeah but I'm not French :P
09:52:01 Meh, me neither
09:52:48 * Alver only has vnet jails with external IPs, so now the whole dance of setting up the bridging infra for that one non-public vnet jail
09:56:31 any idea why https://www.cve.org/CVERecord?id=CVE-2025-4517 is not listed in pkg audit -F ?
09:57:05 (I have python311-3.11.12_1 installed)
10:48:59 Hi, i ran freebsd-update -r 14.3-RELEASE upgrade, but i lost my term when it asked for resolving sshd_config conflicts
10:49:14 i killed the process and restarted it in screen, is that safe ?
10:56:16 i always run that in screen
10:56:39 i mean is that safe to brut restart without cleaning anything ?
10:56:49 not the screen part
12:43:10 zip: gdm stores its stuff in a dconf database which takes its values from various conf files :p
14:29:01 Hrm. In a vnet jail I can create a tun device, but I cannot give it an IP. Empty IFA_LOCAL/IFA_ADDRESS, ioctl (SIOCAIFADDR): permission denied
14:29:33 Anyone have an idea?
I thought that after creation, the tun would be easy, but... no.
16:17:10 g
16:17:31 Pauli1: https://www.youtube.com/watch?v=7Sh5_p9gpws
17:26:51 how fast does your scrub go? this seems... pretty slow?
17:26:52 14.8T / 28.8T scanned at 213M/s, 12.6T / 28.8T issued at 181M/s
17:26:53 0B repaired, 43.69% done, 1 days 02:02:30 to go
17:27:18 i think that's normal for that many terabytes
17:30:45 rtprio: with 8x 7200rpm disks, it fluctuates a bit, but typically i see around 500MB/s
17:31:08 nxjoseph: it's not related to the size of the pool, but to the speed of the storage
17:35:19 ivy: hmm i see
17:48:56 i would have thought sata3 would have been faster than this
17:49:02 or maybe i bought the wrong controller
18:35:20 I think I got X11 working. I want to test 'Awesome wm'. But I am not sure if Awesome reads the default config or not, because I don't know what I am supposed to get onscreen with default rc.lua...
18:36:17 I get 3 Xterm windows and a clock no matter what I do
18:38:03 your default config is probably twm, if you didn't set something with `.xinitrc`
18:39:09 I do believe you hit the head on the nail so to speak. I think I named that file something else :)
18:40:52 thx :)
18:41:31 there's .xsession* (can't remember exactly) but that's only if you use a display manager
18:44:04 Btw, where can I report that there's a newer version of a package? Freecad 1.0.1 has been out for a while
18:47:49 pike: it's already above 1.0.1
18:47:53 pike: https://www.freshports.org/cad/freecad
18:47:58 quarterly likely does not have it yet
18:48:15 ah right quarterly. Still a newbie here
18:48:33 I read that you should not mix pkg and ports and I stay on pkg for now
18:48:56 i took the redpill and went full ports way with poudriere
18:49:00 xD
18:49:25 nxjoseph: how many systems do you build ports for?
18:49:32 rtprio: it's just my system
18:49:50 i build on the same machine that i use the ports
18:50:55 74 prime packages in my poudriere to-be-built list.
1076 .pkg files (deps, primes) at total in my package repository.
18:51:08 611 installed
18:52:38 i still fail to understand why you'd use poudriere for a single system
18:53:54 rtprio: because if i use remote repo, i won't be using poudriere in my daily usage, this means i will not have 'already built' ports in my local repository, if you maintain ports, you eventually need to use poudriere to build the dependencies of your ports. if you use poudriere already, it becomes easier imo.
18:54:38 poudriere's binary package fetching didn't work for me back then, later i switched to poudriere all the way
18:54:51 and i feel like this is better than pkg
18:55:02 but how is a poudriere config different than just setting the options for the ports
18:55:18 and rebuilding the ports when you want to
18:57:09 rtprio: i didn't get you. when you just configure any port on your host system, it just creates a file containing what's turned on or off in /var/db/ports. it's the same with poudriere
18:57:46 so i get it, you have too much free space and want to burn a bit with packages that are only ever installed once
18:58:47 it's 3gb where built package files are stored.
18:58:50 i don't have much space
18:58:59 NAME AVAIL USED USEDSNAP USEDDS USEDREFRESERV USEDCHILD
18:59:00 zroot 117G 82.3G 0B 96K 0B 82.3G
18:59:38 what do you mean by 'only ever installed once'
19:00:11 everything i built is needed either for me or for my ports
19:00:20 ok great
19:02:01 rtprio: are you interested in something like ports?
19:02:26 i mean do you contribute anything to freebsd, i.e maintaining ports. i don't say not contributing is bad here
19:03:24 i've submitted patches in the past
19:03:53 rtprio: i see, were they about ports?
19:04:07 i've submitted patches for ports in the past
19:04:14 rtprio: gotcha
19:19:54 Anyone know how to allow a vnet jail to assign an IP to a tun device it created?
19:20:22 I can do ifconfig tun0 create just fine - but putting an IP on it gives a permission denied.
21:13:04 Hi so I have a BCM4311 wifi chipset am trying to get going...
21:13:56 I've added src/sys to components in the freebsd-update.conf file how do I get it to pull them...
21:14:37 And kernel naturally as need them to build the /usr/ports driver
21:15:20 Daboone72: do you mean this port?: net/bwn-firmware-kmod
21:15:42 Yes that one I've checked my card is present in the list
21:15:55 From here https://wiki.freebsd.org/dev/bwn%284%29
21:16:03 Daboone72: but you would still need internet access to fetch the sources that this port requires
21:16:22 Yes it's plugged into ethernet via a long 5m cable
21:16:31 I'd like to lose the cable it's on a netbook after all
21:16:38 Daboone72: great then, why don't you use pkg?
21:16:57 ok great how do I install kernel sources using pkg?
21:17:10 kernel sources?
21:17:25 don't you only need the firmware package
21:17:40 Though it is annoying freebsd-update doesn't have examples
21:17:57 Well bwn lives in /usr/ports/net/ and has a make file
21:18:02 I have no wlan0 device
21:18:15 yes it seems you need this firmware to make your system see it.
21:18:20 that's not bwn, it's the firmware files for bwn. bwn itself is in the kernel, you just need to install the firmware
21:18:49 ivy: bwn(4): This driver requires firmware to be loaded before it will work. The
21:18:49 ports/net/bwn-firmware-kmod port needs to be installed before
21:18:49 ifconfig(8) will work.
21:18:58 nxjoseph: right, that's what i said?
21:19:18 ivy: dang, sorry, i read wrong, i thought you said you don't need to install it...
21:19:37 Well pkg search bwn-firmware doesn't exist as a package anyway
21:19:40 Daboone72: so you should be able to just do "pkg install bwn-firmware-kmod", this doesn't require kernel sources
21:20:06 ivy: maybe it would if it's not built for their kernel version
21:20:32 If it was in a package already can't imagine they'd bother with ports
21:20:54 ah, it's NO_PACKAGE
21:21:14 ivy: great catch
21:21:53 i think it would require source tree to be installed in /usr/src to be built
21:22:00 because it's a kernel module
21:22:52 nxjoseph you got it I tried building it but it dies as it needs kernel sources.
21:23:10 Someone suggested adding the components to freebsd-update.conf which is great
21:23:23 But I don't know how to tell it to pull them
21:23:40 i'd recommend using devel/git
21:23:48 to pull the sources
21:23:58 don't know about freebsd-update way
21:24:21 Ahh ok so no easy way as the tutorial for that route is very long
21:24:44 git is easy
21:25:12 we can help you here
21:25:38 Have you seen setup for kernel build https://docs.freebsd.org/en/books/handbook/cutting-edge/#makeworld
21:25:51 you don't need to build anything on your own
21:26:00 i did compile base from source before
21:26:11 I know git I use it daily it's the rest that bothers me
21:26:21 the port will handle it for you
21:26:24 Ahh well perhaps it'll be useful for other drivers. Laptop power management
21:26:35 you don't need to build the whole source
21:26:42 the port just needs it for some info i guess
21:26:57 it should be a quick process
21:27:26 you won't have a new kernel because of that port either
21:27:33 it just needs to know your source files
21:28:34 With any luck it doesn't need much
21:29:24 there's nothing to bother you, believe me
21:29:26 If I run into too many headaches it's a freshish install will just reimage and add the sources
21:30:12 i think you won't but good thing you can do a reinstall
21:37:16 Hey this is nice.
"fetch -o /tmp ftp://ftp.freebsd.org/pub/`uname -s`/releases/`uname -m`/`uname -r | cut -d'-' -f1,2`/src.txz"
21:37:41 Daboone72: indeed, dependency free
21:48:52 Yay firmware images built let's see if we have a network interface
22:07:14 Daboone72: let's see
22:07:49 nxjoseph winning I have interface up and can scan and see my router
22:07:57 Daboone72: nice!
22:08:07 hope it connects too
22:08:38 Typical I had a supplicant example but can't find it
22:12:02 there is /usr/share/examples/etc/wpa_supplicant.conf
22:12:14 but it's a sample file, don't know if it would work out of the box after entering network credentials
22:15:25 nxjoseph Don't worry I used a bit of google ai and some common sense. I have a wlan0 connected woohoo
22:15:42 Daboone72: haha, nice
22:15:49 how's the speed, is it enough?
22:16:41 Yes that will be of concern will do some speed tests somehow maybe finish next task get xfce4 installed and xrdp
22:17:12 Daboone72: ok. what are you going to do with rdp
22:17:46 Remote desktop to it from my work pc to do scripting and the like.
22:18:08 With freebsd being so good with databases it's going to be a largely standalone database machine.
22:18:48 Daboone72: i see, would you be able to connect to it from work? CGNAT things... maybe you have a real ipv4, i don't know.
22:18:50 Keep personal journals and use that Symphytum database
22:19:18 Well I work from home but yes with an ISP that does give me a static and supports ipv6
22:20:06 Daboone72: i see, i thought it was at the office
22:21:50 This will be my second freebsd box the other being a Raspberry pi 3 that will run a Dns
22:22:28 Daboone72: great, i have a rpi 3 model b too, ran adguard on it once but not anymore.
22:23:59 I'm warming to freebsd I especially liked when it checked package consistency and I see it will sanity check downloads
22:24:03 from third parties too
22:24:51 It was going to be netbsd on my netbook but after it dropped me into single user mode twice and has a installer that makes things hard work
22:25:49 Loved freebsd installer never installed with an encrypted disk before that made it child's play
22:27:45 There must be a tool to make x windows an easy install?
22:28:49 Anyway nxjoseph goal achieved for today thanks for your help.
22:29:03 Time I retired name's Daniel btw
22:36:26 Daboone72: you're welcome, yes, there's a tool, it's called pkg :)
22:36:41 Daniel:
22:50:16 gotta sleep, good night - 1:50 am here.
23:00:03 When you move from Windows to *nix there's always software you need to give up. One software that I would like to find an alternative for is 'Platinum Notes'
23:07:30 pike: What's it do?
23:08:56 It performs a lossy normalization operation on musicfiles to make them sound similar loudness. I use it on flac files for use in my car.
23:09:14 I will try and make it work with Wine before I give up
23:09:57 pike: Hm. You can do something like that with Audacity.
23:10:12 pike: Maybe audio/sox would work?
23:37:34 I, a command line person, use sox for various podcast audio things. But I would be surprised if Audacity did not do the job easily too.
23:38:13 As a more extreme fallback option... Many people keep a MS-Windows VM Virtual Machine running in bhyve for software that they want to run there.
23:50:06 pike: you could look at rsgain, which sets ReplayGain metadata for FLAC files (among others), but perhaps your car doesn't support that
23:50:16 Here's the basic idea behind Platinum Notes. It scans the file, then it applies the normalizing you've chosen. I use -12.5dB. It also has clip repair.
23:50:32 correct, my car can't handle replaygain
23:52:51 it feels like converting a directory of flac files with replaygain metadata into a directory of normalised flac files should not be very difficult, but i can't think of anything that can do that off hand. i'd probably look at sox too...
23:54:17 I will look into sox for sure. thx for the tip.