would anyone want a tool that lets you direct all of your servers to start ddosing any unauthorized IP that attempts to ssh into any of the servers?

no that is likely illegal and is a dumb idea for many reasons

isn't it good for an active defense system?

why is it illegal if they're doing something wrong first? jc

the assumption that the source system doing the "unauthorized ssh" personally belongs to the attacker and is not just an innocent victim is a poor one

oh ya

ok nvm

if you want to reduce attack surface dont expose ssh at all, setup wireguard or similar which wont even respond to unauthorized clients

There is always tarsnap.com/spiped.html for hiding ssh.

good ideas ty guys

i know wireguard is awesome. spiped also looks interesting never heard of it

it is okay

kerneldove_: bro that is kind of like vengence-based defence mechanism

don't recommend that. I know random ssh attempts happen all the time. you can set a banner to be displayed on their terminal if they fail.

I used to say stuff like "stop trying to log into my server"

the most effective yet also the simplest way to avoid such things is to use a non-conventional port ideally above 1000, since port scanning is a time consuming task they can't afford to perform.

per personal experiences, that eliminates 99% of login attempts

vengeance* sorry

ya i do that

advice needed: I run FreeBSD on a 3TB hdd, but want to migrate to a 8TB (hdd) mirror. Is it feasable to add those disk to the system, create a mirror with the first, after resilvering add the second, and again after resilvering remove the original disk from that (now) three-way mirror?

Afterglow: so it's zfs?

Afterglow: the last time i did this, i just installed fresh and zfs imported the old drive, do import things out of /usr/local/etc and /etc

Just wondering, is there a reason why there are so many Firefox clones on the BSD's, but only 1 Chrome clone (ungoogled-chromium)?

I mean native builds, so excluding Linuxulator.

how many do you need[root@freebsd-test ~]# podman run -i -t --rm --os=linux docker.io/library/debian:latest uname -a

rtprio, zfs indeed, but also rootonzfs

Afterglow, Yes. What you propose is feasible. Many people upgrade storage that way.

thanks rwp

After I´ve put my laptop into sleep-mode, and resume it I need to restart netif to get network access again, (wireless) is it someone else that has this kind of problem with Wifi AX210/AX1675 cards?

nwe, I don't know about suspend-resume nor wifi but if you need to run netif again then you probably also need to run routing again too.

nwe: i have the same issue

not with AX210, though

AX210 is what i want to upgrade to. but i will use wifibox. iwlwifi is unreliable for me.

wifibox does restart connection automatically but there is a some second delay before it is up

Note that in 14.3-RELEASE FreeBSD made a HUGE improvement in the wifi drivers. HUGE! So might want to try them again now.

Though if you have wifibox working then I hear it works so well that it scratches the itch pretty well.

well. it wasn't to good in stable/15 so i am not sure it is ok anyway

but i have not received ax210 yet to make a judge on that

angry_vincent: do you have a workaround to share? ;) I changed to AX210 (from Intel 7265 (because bad performance with that) bought ax210 for (260 swedish kr) 26 usd :)

i don't have a workaround. wifibox does restart on it's own. when using wifi drivers i need to restart netif

angry_vincent: ah

my old card is 8265

it works only in 2Ghz mode and only in g mode aswell.

even with iwlwifi

but it does work in 5GHz mode and very reliable with wifibox. so that's it

i am not grumpy at this. i know limitations and that is is a complex subject. just a facts. wifi is little bit of a problem on FreeBSD.

like I said if you not sure about how to get wifi to work, just buy a mini SOHO router running openWRT

it's half the size of a Rubik's cube, and runs on USB power supply.

saves the hassle of getting wifi to work on native hardware

just found that in RC.CONF you can place FIB at for each service, eg: syscrc named_fib=1 && service named restart

sockstat -fl4 => bind will sit in fib 1 ...

also it is possible to specify `nice` parameter for each daemon ! WOOW

sure, you can

no the question, can I run multiple instances of same daemon in different fibs ?

*now

nerozero: not via rc.d, unless the rc.d script is one that has built-in support for multiple instances (e.g., unbound)

so I literally should make a separate daemon run script like in /u/l/etc/rc.d/bind-fib2 ?

bsd should rather should go towards rc.conf format like: `fib_1_named_enable="YES"` much more logical and that could lead to a possibility to run multiple daemons in proper fibs

nerozero: patches welcome

yep, good point ivy, nerozero, maybe it's good opportunity to contribute ?

ok, will think about it and make a draft, then put it in the freebsd forum, then will share link here ...

ivy, mzar thank you for quick replies

welp

today is the day, I am moving from quarterly on laptop to latest

I have considered this for over a year, as some cves can take a month to patch

s/patch/backport/

polarian: you could always become a ports committer and mfh those fixes

ivy: I do not have the skill, would if I could :P

maybe sometime in the future :P

I usually do a shoddy backport myself, but this time to address all the cves (and they are all about 5 in severity) I would need to recompile most of the system, so yeah

iirc I saw python as one of the major blockers :P

98% of it is just typing "git cherry-pick -x"

well, maybe 50% of it is that, and 48% is actually getting the change landed

ivy: what about dependencies, and the hell they cause

its not abnormal for python to differ in the latest, and quarterly, and sometimes patches require the latest version, which means security patches can't be backported unless python is updated, which then means updating all the python packages...

polarian: the latest quarterly branch is at most 3 months out of date, in general dependencies won't be a problem. in rare cases, maybe...

welp anyways, future issue :P

updating Python should not require updating all python ports

although last I checked some of these packages are still vulnerable in latest

and then the build for pkg can sometimes take a day or two

thats quite a few security patches missing from latest too :/

lets check bugzilla

bugs.freebsd.org/bugzilla/show_bug.cgi?id=273161 I wonder if this is what causes xorg to segfault when securelevel is used

hmmm

alright quite a few of the vulns is just pkg being slow :)

polarian: do you mean pkg being slow, or the ports package builders being slow?

ivy: both :P

pkg isn't the fastest, but it works :P

but anyways it was the latter I was talking about ;)

hm, "pkg audit" just downloads the latest VuXML and reports it, even if it's slow to do that for some reason, that shouldn't affect the results

i mean, it always uses the latest vuxml and local system pkg database

ivy: mate, I I was joking how pkg can take a while to update packages :)

its not a big deal

the latter is the thing I was actually talking about though

port builders get clogged up

I did say about 6 months ago that it would be cool if the port builders could use vulxml to prioritise compiling what is security patches, and do feature updates after...

but I know nothing about the port building infrastructure so not like I can simply send a patch

that isn't feasible with how ports currently works

you aren't the first person to suggest it though

or the problem could be brute forced

throw more compute at the problem :P

but I doubt the foundation wants to fund something like that :P

the foundation literally just added a new builder which is ~4x faster than the old one

the problem is you can't build just some ports, you need a way to work out the dependents and dependencies and rebuild those too

ivy: in other words its difficult to parallelise

polarian: on a single machine, no, it's trivial. across multiple machines, yes -- clearly we can't just keep adding faster hardware, the proper fix is to support distributed builds

patches wanted! :P

yes? are you saying that because you would like to work on this?

goto "I haven't the skill" :P

I am not even familiar with the porting process very much yet... theres two things on my todo list to port and then submit on phab

I was meant to port them at the devsummit in Zagreb but I got caught up in other business

ended up sending a doc patch instead...

say I executed `ifconfig rl0 down`, how can I find it is down?

the `ifconfig rl0` shows nothing about it is down or up, just active

nevermind it in the flags ... `flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 9000`, the flag "UP"

I'm having some trouble with linking to libunwind. It says it's missing symbols like unw_getcontext, unw_init_local, etc.

'nm -D /usr/local/lib/libunwind* | grep unw_' yields nothing

Is there something I'm doing wrong?

hi

o/ <3

\o

Is there a bootc / immutable image based way to run FreeBSD?

Xe, as an option - use zfs + rollback

nerozero: is that able to detect if boot fails and automatically rollback without human intervention?

i guess so, the beadm - also creates boot environment snapshots ..

so you can rollback at any point

nerozero: does a human have to touch the keyboard to force it to roll back?

never dive deep into it, but for sure - you can do some flagging like boot-successful and if flag is not set - rollback ...

better phrasing: if i install FreeBSD with ZFS on a computer today, will that configuration combination be set out of the box for me without me having to configure it myself?

Xe - you can run an entire installer script including specific partitions to be readonly or with snapshots ...

so I have to configure things manually, gotcha

but this will require deep dive and understanding, yes

Xe, yes, as a side effect, *nix platforms require the use of the brain, and as a result, they prevent the transformation into a plant, as, for example, users of M$

:V

I'm just trying to figure out what the difficulty of doing something like that for a NAS is so I can weigh multiple options (Fedora/Rocky Linux 10 + bootc, TrueNAS SCALE, etc) tbh

a day or so smoking man and reading forums and some (posix) SH scripting experience

the benefit of BSD is that THERE IS NO DAMN SYSTEMD there, and everything (mostly) is a text file

ah, okay, i see, thank you for your time

windows user ..

nope

Just wondering, is there a reason why there are so many Firefox clones on the BSD's, but only 1 Chrome clone (ungoogled-chromium)?

I mean native builds, so excluding Linuxulator.

no ones bothered to port them

hard to blame them, porting one chromium is shit enough looking

take a look just at the magnitude of patches applied to each: cgit.freebsd.org/ports/tree/www/chromium/files cgit.freebsd.org/ports/tree/www/firefox/files

even if every single one of those patches was trivial, that's a lot of sledge to drag around

(at the risk of being a dick, I'm not going to analyze ~1500 patches to determine average complexity, but let's just agree that it sucks)

hey weird question, what is poweroff?

which poweroff shows nothing

I know its equal to running shutdown -p now

/sbin/poweroff

hm weird

oh its because I wasn't escalation privileges

my user cant see it

Did you run which poweroff without having /sbin in your path?

sbin should be in path

yeah /sbin is the first path entry as it should be

works when I doas, but not when I dont

sbin directory has r for anyone so idk

'which' searches the dirs in your $PATH

yes... I have sbin in path

I can also view the dir without root

but which returns nothing

That's strange. It does for me (as a user too).

even weirder, which returns /sbin/reboot for reboot

its only shutdown and poweroff

they do exist too, they arent deleted or anything

which zfs, returns /sbin/zfs

Oh wait, poweroff is not executable for you unless you're root or a member of operator

yeah

I just realised :P

was literally typing that :P:

it needs the execute bit :P

vkarlsen: however... my user is in wheel and the group is wheel

and wheel does have the execute bit

For reboot, yes, but not for poweroff

-r-sr-xr-- 2 root operator 16168 25 Jun 11:54 shutdown

hm well

hi, does ntftp support TLS ?

it doesn't seem to try and use it

I'm on a Linux machine, but I wanted to use ntftp because I found out it can be made to execute commands from a file

that's not really a freebsd question; what does your documentation say?

sorry, I meant tnftp

my manpage has no mention of TLS... but it does mention an env variable "FTPSSLNOVERIFY"

I went to ask here because it tnftp seems to originally be a BSD FTP client, and FreeBSD to me is the most popular BSD

anyway, thanks, maybe it's the wrong place

Fall 2025 FreeBSD Vendor Summit - Day 2

jonesmeier: check the source or ask the author of the program

jonesmeier: original ftp server and client in FreeBSD doesn't support TLS

they both don't

thank you mzar! Okay

and those would have been options rtprio

glad I got an answer, thank you very much, now I can look for sometehing else

jonesmeier: maybe you can stay longer, have you ever used FreeBSD ?

no, I haven't ever used a BSD

you could have just googled it; forums.freebsd.org/threads/netbsds-…compared-to-other-ftp-servers.95259

please don't hesitate to give it a try

I was always a bit curious, but then... I'm happy I know what I do about Linux, and then alot of that I would have to "duplicate"

tbh i'm amazed that people still use ftp these days

yeah, I have to in this case, it's backup space provided by a VPS host

thanks for the link rtprio, I did not see that

rtprio: what would they do on daily basis struggling with this mess in networks gear ?

well thanks alot, I'll keep this open and maybe see what's going on here with BSD :)

also, if I can add anything, there is a nicely scriptable FTP client called lftp but it could not cope with quota exceeded and ignored it's max-retries setting, can very much not recommend

what is there to script? put file. get file. goodbye

you know, scp does that all also, and can be scripted

I want it to remove a list of single files

and the vps doesn't offer ssh

which bizarro world are we living in

no the backup space is only FTP

1998 called and they want their webhosting back

yeah, that's what it is.. it's a nice amount of space, but it is getting annoying right now

you might look into rclone, it might abstract the ftp space into something less... stupid

hehe I don't know, they like to do it with FTP..

oh OK, I have heard of rclone before! Thank you, I should look at rclone next

how much space do you consider 'a decent amount of space' ?

like a few tb?

well it's 30 GB of space, for an already good value VPS

so no, it's not much, but for cheap VPS plans I haven't seen many even give you any backup space

so I'm happy with it ;)

if you say so

hehe yes

wow FTP-only

\o/

rclone definitely works as an FTP client, that's cool, and it uses TLS. Thanks rt, it's a good option

i wonder if i should write my new driver as gpioaddrled or perhaps some generic tight timing bitbanger

because i actually want latter eh

and here i was trying to figure out Alexays/Waybar #2676

btw, who said that touchscreens won't work

wmt(5) exists

my main zfs pool just works. i boot up, reboot, and it's fine. but i'm adding a 2nd internal drive so i gpart it, zpool create on it, but how do i make it automatically export on shutdown/reboot, and import on bootup, just like the existing internal drive?

i don't wanna have to manually import/export every reboot

why would you do that

why not? it's an internal drive, why wouldn't i want it to be automatically imported/exported?

kerneldove_: I'm really confused why you have to "do" anything across boots. It's not automatically imported/exported -- it's just part of the zfs service start

what are you trying to accomplish by exporting it? is it a second pool on a single drive or what

2 drives. 1 has main OS pool on it. 2nd drive has new pool and it's mounted into my home dir for extra space

and are you sometimes pulling the drive and slapping it into another system?

kerneldove_: if your zroot already has a "$HOME" defined, that might be an issue?

wavefunction: not what he's asking

no, internal drive, permanent

kerneldove_: perhaps you're using the wrong terminology; are you saying your zhome pool is missing when you reboot ?

kerneldove_: it sounds like you have "zfs root, exluding $HOME" on one drive, and you want to add a second drive as "$HOME" ? Is that correct?

it's weird how impossible it is to get this across

If so, you have to `zfs destroy` the old zroot/home dataset and create your new pool as `zfs create -o mountpoint=/home newpool/datasetname`

i have a system working fine with 1 drive and zfs. i installed a 2nd drive that i now want automatically mounted on reboots into my home dir

Right, so, when you run `zfs list` do you get an entry like `zroot/home`?

ya

kerneldove_: it will by default, come back when you boot

ok, what's the name of the second drive pool, and have you created a dataset on it yet?

i just called it storage

have you done a `zfs create` on the storage pool yet?

after the gpart stuff, i ran zpool create storage /dev/ada1p1, mkdir /home/kerneldove/storage

okay,

maybe i did zpool create wrong because i didn't home it in my /home/kerneldove/storage dir?

zfs list shows its name storage, but mountpoint is /storage

It sounds like you missed the part where you create a dataset. (`zfs create ...` vs `zpool create`)

i want it to be at /home/kerneldove/storage

kerneldove_: Oh that's perfect, okay,

well i did gpart add -l storage -t freebsd-zfs is that ok?

zfs create -o mountpoint=/home/kerneldove/storage storage/kerneldove

you don't need to gpart nonbootable disks

You did the partitioning and the zpool just fine --

you have to create a zfs dataset -on the pool-

you could have just zpool create storage /dev/ada1

What rtprio sent you (zfs create...) is what you need

that should auto-mount across reboots

ok so zfs list stuff pertaining to this 2nd drive/pool is:

storage .. .. .. /storage \n storage/kerneldove ... .. .. /home/kerneldove/storage

Looks right to me.

:thumbs up:

for some reason running `kldload ipmi` causes my system to freeze

ok cool i'll try rebooting now and see if it's auto, ty!

kerneldove_: Good luck!

it'll do this from single user mode, and it does not display anything else

zip: what?

am I doing something stupid here or something? It's a mini desktop, I think it has the hardware

oh. i wasn't aware there was an ipmi kernel module; i always have used ipmitool

it worked!

ty guys

zip: i'm not aware of any desktops having ipmi

weirdly, it seems to think it does

I assume this is what the BIOS calls "system management"

oh well, this was in the category of "oh that's neat" rather than something I desperately need

rtprio: desktops as in boards?

i have an asrock x570d4u that uses a ryzen that has ipmi... that may be considered a workstation / server board though. supports ecc too (advertised).

I think the BIOS option might be AMD DASH, which was off. And which I should proably leave off.

i don't suppose anyone wants to buy a bunch of dell ddr4 server mem?

kerneldove_, put it in your own server and enjoy?

it's not fitting i assume

ya

got larger modules and been sitting on the smaller stuff. now that ram prices are exploding it's a good time to sell

if any regulars in this chan want it, i'll give a good deal and send first then you can just btc me

if you're not a regular and a regular vouches for you i'll consider that too