what is pubnix?

why do i get kernel: swap_pager: cannot allocate bio messages in /var/log/messages sometimes when there's heavyish swap pressure but there's plenty of free swap pls?

rtprio: a community tryimg to have a home, building it themselves. pubnix, there you have it

Hey, freensd community, (the music loving part) David Coverdale called it a day, retired

s/freensd/freebd

ant-x, As a good debug step if you log into pubnix and then "nc localhost 5119" do you see the ssh banner from your home system? If so then that part is definitely working. Now you just need to connect up to it.

ant-x, As to why you can't just "ssh -p 5119 pubnix" the answer is that you might actually be able to do so. But probably not since most admins will have all ports firewalled off blocking external access to it.

If that works you might try "ssh -oProxyCommand='ssh -W 127.0.0.1:5119 pubnix' homemachine" and see if you log into the home machine through it.

And if _that_ works then try the shorter -J option to jumphost through "ssh -J pubnix:5119 localhost" and see if that works. And then configure it in the ~/.ssh/config file so that it just works with a simple "ssh homemachine".

Hi, I just installed FreeBSD in a VM using the netboot iso and configured it for ports support. I'd like to remove said support, how does one do that? Are there files to remove? I looked at the handbook but only found ports install instructions. Thanks in advance, and happy to be here and explore this system :3

just delete /usr/ports

Thanks! That was fast lol

ezpz

JetpackJackson, Ports installs into /usr/local which starts out empty of files. If you want to remove installed ports then remove everything from the /usr/local tree.

What's the least-worst linux distro for someone who actually just wants FreeBSD? 🤔

(subjective answers obviously welcome)

Gentoo

but it is a topic more suited for #freebsd-social.

Arch or Slackware as well, maybe?

... if they're even still around.

ek: Both are alive and kicking. (Since you're not on -social.)

mason: I figured this much. Kinda glad to hear it, honestly. I liked those Linuxseses.

ek: I've been enjoying chimera-linux.org for a little bit. Tested it on a old laptop.

rtprio, "what is pubnix"> a public Unix system, e.g. <sdf.org> .

rwp, ports 5000-5500 are open on that pubnix, so that (for example) my instance of Subversion listening to port 5120 there is available from the outside. Yes, I will test 'nc localhost 5119' later today, while the tunnel is open.

rwp: "As to why you can't just "ssh -p 5119 pubnix" the answer is that you might actually be able to do so." I asked because 1) you did not mention this, but proposed more complicated mechanisms such as -J and -W . 2) Yesteday, I failed to SSH directly to publnx:5119 after opening the tunnel.

ive heard about a high availability architecture where server appliances and daemons are deployed in an a/b setup, (software, not hardware HA like with routers) and say A is running, B is upgraded, started, and if it fails it switches back to A. anyone know the term for that?

kerneldove_: there are loads of different ha solutions, but if you are talking specifically about firewalls / packet filtering in a bsd specific context you might want to read up on carp and pf (although i only have experience of that wrt openbsd, and ive forgotten pretty much everything i knew about it)

found it, a/b swap

used in firmware updates

that sounds like how some junos switches have dual root filesystems

ya

CARP/VRRP, LACP, lagg(4)

kerneldove_: we call the process of doing this blue/green deploys, if you have actual separate servers/routers involved

redeploy A, if it comes up cleanly & responds to healthchecks, then redeploy B as well.

no it's software, not hardware

it's all on 1 device

it's called a/b swap

ok

we have docs.freebsd.org/en/articles/nanobsd for this (as one example)

sounds like blue-green and a/b are the same concept in a different context

similar ya

what's the distinction between hardware and software?

you can run virtual NICs in jails behind CARP

Koston: at some point its all just electrons and stardust

hardware is a thing I can throw out a window when I'm angry with it.

well I meant what's the distinction that's relevant to this context

in this context IDK. The blue/green thing is about ordering of deployment, whereas a/b is about partitions you can switch between.

but they both are equally software in this context

i guess they're the same concept just different by context, because operationally, they do the same. have 2 operating contexts (networks or partitions) and switch between them

rwp: oh ok, I think I put my doas config in there

So there's a wlans_<interface> and a vlans_<interface> but what about wireguard?

looks like you can abuse cloned_interfaces for this

reminds me that i need to work on my ifupdown-ng fork

it isn't an abuse, that is what it is for

is cloned a term that makes sense in this case?

it is how the device driver is implemented

i see

I can see two ways to actually configure the wireguard side, devd or /etc/start_if.<interface>. Is there a preference? Does it matter?

looks like the devd approach is strictly less maintenance

why am i getting "limiting icmp unreach response" messages in /var/log/messages when i have set net.inet.tcp.blackhole=3 and net.inet.udp.blackhole=1 ??

kerneldove_, because. . . you're limiting it even more?

what?

the point of blackhole is to not send responses

on which side do you see that message? it looks like it just logs what blackhole is doing

no

backlog 1024 coz unprivileged

kerneldove_: ICMP responses are not only responses to UDP received on wrong port

kerneldove_: you can silence them net.inet.icmp.icmplim_output=0 net.inet6.icmp6.icmp6lim_output=0

mzar, i don't want to limit them i want to not send them at all

ha.. so you have to firewall outgoing ICMP

it's pretty normal nowadays to see Limiting icmp unreach response from 95012 to 209 packets/sec, we see it 24/7

ok but my point is, isn't setting net.inet.tcp.blackhole=3 supposed to stop sending them?

but in the place where it bothers you, you can silence it with the above sysctl knobs

nope

what do you mean nope?

wtf does it do if not that

the docs said it does

TCP is rejected with TCP

UDP is rejected with ICMP, or rather politely declined with ICMP

nah tcp is rejected with icmp too

?!

how so ?

who told you that ?

that is how it works.. connect to a closed port, receive an icmp unreach in return

try starting wireshark or tcpdump and see for yourself :)

tykling: have you ever run tcpdump on wirshark to see what's going on closed port ?

*TCP closed port

I have spent half my life in wireshark and tcpdump

(can recommend)

that's probably not BSD TCP stack but other

TCP is rejected with TCP, but UDP with ICMP, you have to check it guys

nonsense

this is easily tested

I guess that it depeds of how deep are on the stack, could be ICMP host unreachable or a TCP SYN to a closed port returns TCP RST

it depends on how you configure your system

and the system

just wanna say despite freebsd's flaws, it's still better than linux feces. imagine running debian and when you ssh into a new server, it saves key to .ssh/known_hosts with no domain/ip attached so when you need to remove it later you can't correlate. looool

i am foricified to linux coz freebsd does not run docker

That has nothing to do with debian, it's a feature of OpenSSH.

presented by openssl

well freebsd attaches ip/domain to .ssh/known_hosts entries

so?

no, freebsd doesn't do that, OpenSSH does that

because on FreeBSD OpenSSH is not configured with HashKnownHosts by default.

so... freebsd's defaults?

opentheo found only 1 vuln

in earlier coding ears

skel/

There are advantages and disadvantages to either default, but if you don't feel like the security benefit of not storing the host information directly is worth it then just disable it on Debian.

nah i'll just keep using and prefering freebsd's defaults

echo "HashKnownHosts=no" >>~/.ssh/config

working in dream but i can proof my dreams comes truella at rate more than 70%

rwp, "log into pubnix and then "nc localhost 5119" do you see the ssh banner from your home system?" nc shows: "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.14", but I can if fact "ssh -p 5119 user@localhost" and land on the computer where I opened the tunnel. Connecting at user@pubnix, however, fails with: connection refused.

Hello Everyone - I see Freebsd 15.0 RC1 is going to be released soon - today - I wonder if I install it - can I keep pkg update upgrade --- until the RELEASE ? - means that I would not need to reinstall it - and repositories are kept constant ?

It means that opening the tunnel: "ssh -R 5119:localhost:22 user@pubnix" opens port 5119 from within pubnix, but not from without...

rwp, "If GatewayPorts=clientspecified is needed but you can't set it up" > looks like my case.

rwp, "you can use a second program such as socat or nc to stitch yet another software layer into the pipeline of communication tunnel." > Can nc alone do it, but listinging to another open port and forwarding to localhost:5119 ?

paste.rs/Tad7T - there, I wrote another one - you're welcome

tk, what does the colon (:) do in the begining of the script?

nothing

it's a no-op in shell scripting, it's just there to make the heredoc valid syntax

Ah, used as a block comment.

Trying to build the updated version of jujutsu in my VM makes me realize how much I dislike like many dependencies that this project needs... I guess I'll wait for now and tinker with other things in this vm

It is easier to include a dependency (even if it uses 1% of the dependent library) than to deal with it for the lifetime of the program...

acu: yes you can keep using pkg

/10

er

JetpackJackson, JFTR, doas is also a port. So if you want to remove all ports then that would include doas which is also a port.

why are you avoiding dependancies ?

ant-x, It sounds like you are successfully setting up a quick ssh port forwarding tunnel back to your home system and are successfully able to use it to log into your home system remotely from other places. Right? You will need to say more about the user@pubnix problem which seems unrelated.

rwp, not successfully, because the sshd on the pubnix has `GatewayPorts no', which means I need to use socat or nc (as you mentioned previosly) to complete the setup. My test setup is: 1) open a reverse SSH tunnel from my home machine to the pubnix:5119, 2) try to SSH to pubnix:5119 from other places.

(are you unable to ssh directly home without the reverse tunnel?)

rtprio, I am unable to SSH to pubnix:5119, because the reverse tunnel opens port 5119 only locally, but not to the outside, due to the `GatewayPorts no' setting in the sshd config. I can SSH to pubnix, and then, from inside that pubnix, I can ssh to my home machine, specifying the tunnel's port: localhost:5119 .

What is pubnix?

TommyC, a public Unix server -- a multiuser Unix (actually, Linux) server.

rwp: oh alright. I installed it using pkg so I thought it was a binary rather than something part of ports

rtprio, It was established earlier that ant-x can't directly ssh home due to blocking, I think it was CG-NAT? Don't remember now.

rwp, Yes: direct SSH home is impossible because of CGNAT.

how set are you on using pubnix ?

JetpackJackson, binary pkgs are simply precompiled ports. No difference.

rwp, Yes: direct SSH home is impossible because of CGNAT.

ant-x: Is pubnix free?

rtprio, "How set am I" -- what does that mean? Yes, that pubnix is free. There are many free pubnixes, e.g. freeshell.de .

are you willing to use a provider that doesn't have that GatewayPorts setting

JetpackJackson, If you are mixing pkgs and ports that is okay but also mixing two things that have no way to easily unmix them. As far as I know there is no tracking of installs by ports other than that you remember in your head. With pkgs there is the pkg database which will remember what pkgs are installed.

rtprio, yes.

ant-x: or a vps where you can run wireguard

One could run pkg which on every file and compile a list of files and packages that are installed by pkg and then assume that all other files are installed either by the admin creating them or by a ports make install.

rtprio, no VPS for me so far. It is a completely different kettle of cod.

Speaking of, Black Friday & Cyber Monday are coming up. You might be able to get a good deal on a cheap VPS that you can do whatever you want on.

i don't know about that

TommyC, probably, but I have not looked into VPSes so far. I could rather buy a static IP from my ISP.

ant-x: Hold up, why not a VPS? You'd be in full control of it.

ant-x, ssh itself has a -W option which is like nc or socat itself. Since you can log into pubnix and you can see the banner from your home system then you can use ssh itself to connect to it. I mentioned the series of sneaking up on it commands earlier.

TommyC, learning from smaller and simpler things.

Ok...

ant-x: some cgnat isps still have routable ipv6, not sure if that applies to you

rwp, yes: I have not tried ssh -W> is it to be invoked on the pubnix to set up redirection?

One of the problems of running a system on the Internet is that it is like owning your own home versus renting an apartment. You are then responsible for *everything* all at once. It can be a challenge.

rtprio, all I know is that my ISP is selling a static IP for a monthly payment.

ant-x, Invoke it from any remote location not on pubnix over to pubnix.

ant-x: if it's a couple of bucks it might be worth it

rwp, that's why my server is a toy one. I am not using it seriously (yet).

treefrob, about 2$ a month, yes.

rwp, OK> will test later this evening, from home: 1) reverse SSH tunnel from home machine to pubnix, 2) ssh -W to pubnix, on another machine .

TommyC, it helps against learned helplessness.

ant-x, Other than confusion you can do the full loop from your home machine. Set up the tunnel from your home machine. Then use the tunnel to log into your home machine from your home machine but going through the bastion host system. (pubnix is the bastion host in this diagram)

rwp, 1) and 2) do not seem sufficient, as I fail to see how they will get connected, gonna read about -W.

By using ssh to log into the bastion host it avoids any firewalls because it will use the loopback device and that is not (usually) firewalled. It avoids the GatewayPorts=no configuration by using the loopback device which is where the ssh port will be listening.

Just answering the questions I saw asked about it earlier.

So, I connect to the bastion host twice: once to establish a reverse tunnel, and once again to use that tunnel, with ssh -W ?

Yes.

I see, thanks. Will try it.

Each of the two end locations meet in the middle on the bastion host.

And there is a 3rd ssh too, the one that you use to connect through those two to get to the home system.

The second ssh -W connection goes to port 22, and somehow must link with the tunnel on port 5119.

yo dawg, i heard you like ssh

Ah, so the two ssh connections are needed for service setup. OK.

You got it!

Hope I can implement it.

One the client side there are two ssh processes in one invocation: "ssh -oProxyCommand='ssh -W 127.0.0.1:5119 pubnixbastion' homemachinearbitraryname"

it would be a shame to switch ISPs after all this effort

That client ssh is told to use ssh -W to connect to the bastion host for the connection back to the home machine. The name of the home machine is pretty arbitrary there.

OS: 64 bit Windows 11 Professional (Version 10.0 2009 Build 26100.6725)

rwp: ah ok. I'll stick with just pkg for now then so I don't muck up the system on my first day lol. I'll keep that in mind when I find myself wanting a newer version of a package

rwp, can this be simplified into independent invocations, or is that nested invocation necessary? For example, I could open a session from pubnix to my home machine (over the reverse tunnel), and then I could connect to that session from wherever I liked, except that it would be a bit indirect on the user level 1) ssh to pubnix 2) establish or restore (from screen) the session to the home machine.

JetpackJackson: my laptop has more than 1000 packages and my server has 400. it's just how modern software works

JetpackJackson, The standard solution for that is to set up poudriere to compile locally compiled pkgs from local source and then everything are precompiled binary pkgs.

rtprio, I am not switching ISP. They are offering a static IP as a service.

it was a joke

With a grain of truth in it, however.

rwp: oh OK I'll check that out, thanks!

I am going home now, stay tuned.

ant-x: any isp that does weird things like that should be avoided

JetpackJackson, Since you are just getting going I recommend going slow so as not to overwhelm the learning curve and just use FreeBSD pkgs for a while until you get comfortable with things.

cpet, weird things like CGNAT?

Yes. CG-NAT is truly a problem!

shouldn't have ssh issues with that my ISP uses it as well

my isp will charge between 22,000 and $42,000 for installation :|

i pay 151/m for a biz line with a /29

which hosts my dumb beer brewing website

:P

that seems like a lot

the only other ISP is ATT and no

rwp: alright fair

I am contemplating to upgrade it to RC1 and play with pkgbase

On the user side CG-NAT creates another problem for incoming connections such as ssh that we want to have work but are then blocked.

On the server side I block with fail2ban and other tools and will automatically block tens of thousands of users behind CG-NAT because there are bad actors launching abuse attacks sharing the same IP address.

this is why I just got the biz line residential lines aren't made to host anything

as they want you to pay for the biz line

I should test out one of my zig programs to see how well it works on FreeBSD for funsies

well atleast thats how it is with CableOne

residntal lines host just fine

Not residential lines behind CG-NAT!

when you want to host your own email they dont

I have only ever seen the CG-NAT problem with IPv4. IPv6 doesn't need NAT and so avoids the problem. And creates the new problem that everything needs to be firewalled! Otherwise light bulb IoT devices get compromised by hostile bad actors that can now poke at them.

you could get a tunnel from he.net

and see if that fixes your issues

Oh, and you can't send email if you are listed in the ISP Policy as a DUL "dial up line" address.

yeap but you can if you have a biz line

oh yeah, email

Right. A biz line is by policy allowed for those things.

so you pay for the 151/m to do all that

That cost is why renting a VPS from a cloud vendor at USD$5/month is so attractive.

i like to do all the things myself

:)

Me too. I am renting a shared office with a computer rack and paying for a business ISP connection too.

i just have a mini computer, running freebsd nothing that fancy

I am a little more spread out. I have my own personal machines. I have paid client systems. I have community project systems that I am a volunteer admin. It's a fun little empire of systems all in total. :-)

2 VPS's and the mini PC

I need to run off. Later!

Holy moly FreeBSD works on my janky no-name spare laptop

This is awesome

Granted I have to tether with my phone and I haven't tested sound but still, im excited

congratulations! i hope it does well for ya

Well for some reason niri says it can't find a GPU but I have the firmware installed lol. I'll tinker with it later, gonna work on some HW now

if there is no hwid in the firmware

that wont help you

Got it, had to install drm-kmod per the handbook

Weird, I had installed sway to test it out and went to uninstall it and when I ran niri again the system just did an unresponsive black screen, couldn't switch ttys, had to power it off. Reinstalled sway and niri worked again, so I'll have to look at what packages sway is adding. Or maybe its my hardware lol. But I'm glad I have a WM now. Next test is audio

always the integrated gfx cause issues

however if that PC has been sitting aorund for a long time could have leaking caps as sometimes they use polymer closer to the CPU and lquid for the rest as they are cheaper, start to get weird issues as well

how can I tell my wpa_supplicant to move to nearest AP ?

found out I can use wpa_cli :)

the router itself is the one that deal with that

looks like I can use wpa_cli -i wlan0 scan -> wpa_cli -i wlan0 scan_results -> wpa_cli -i wlan0 reassociate

i have a mesh system with a AP on each floor so router does that for me I have some clients on the second floor and some cameras on the first i dont use wifi so 3rd level is basically useless

after that I saw it was moved to the AP in the same room Im in at the moment, and not the otherone in the room across the house :P

you cant use scan on some cards

cpet: here's a hwprobe: bsd-hardware.info/?probe=b6263c96a9

I have found that embedded gfx always cause issues

so I force my system to default to the AMD card

doesnt fix my issue with X though

After typing on the spare laptop for a while, I remember that my current laptop is just way nicer and more powerful lol

Ah

i have to force X to probe the AMD and leave the other alone

system is old but I dont have the reaosn to upgrade it if all I do on it is KDE and youtube

Fair

it has 64 GBG of ram a ryzen 7 5700H and a 4 x zfs z2

so yeah more than enough :P

ok now I Know what niri is thought it was something like sheep.exe

:P

Lol

isnt sway wayland stuff ?

So basically I forgot the spare laptop needs sof-firmware to do sound shenanigans so I'm out of luck for now re: sound.

Yeah

ill try wayland when I have too

go pickup a USB sound card

make sure its supported by usound or whatever that is called

The spare laptop also only has ~50GB storage and 4GB ram, its just for distrohopping

But ill look into that

uaudio*

I guess later I can boot a live USB for my nice laptop and probe it

i couldnt get BT to work so I went out and got some SRS THX speakers

go big opr go home when it comes to sound

so im stuck with 500 watt speakers vs the 1500 watt theater sound system connected to the TV

now if I comapre freebsd sound back in the 90's vs what it is now it sounds quit nice

JetpackJackson: cant you do something magic like using the sof-firmware from linux ?

such as archlinux.org/packages/extra/x86_64/sof-firmware

or is that not the same ?

the .bin file should be readbale by the driver

I could try

yeap youre better off just getting a USB sound card

accordsing to google your SOL in *BSD

jA&dib_tag=se&keywords=USB%2Bsound%2Bcard&qid=1763416548&sprefix=usb%2Bsound%2Bcard%2Caps%2C137&sr=8-3&th=1

something like that

That one is compatible?

no was just showing what i meant

Oh

well amazon does offer free returns so

could always try a few and see which one works cause the hardware notes doesnt specify any

now if I was you I would try the Creative Labs one first

but dont come yelling at me if it doesn't work :)

rwp, the method you propsed works: 1) open a reverse SSH tunnel from home machine to pubnix, 2) use ssh -oProxyCommand='ssh -W 127.0.0.1 pubnix' home_machine . Thanks.

cpet: haha I won't yell at you

wiki.archlinux.org/title/Lenovo_IdeaPad_Flex_5_14IAU7 this is my current Linux laptop btw

Couldn't find a Probe for it

I like Lenovo but my last Lenovo Legion didn't work very well as it had that dual gfx card that X didn't like

this was back with 12 i think I sold it so cant test it with 14 or 15

hrm

pubnix sure is expensive

I need to take this slow and not get all crazy with looking at framework laptops lol

freebsd works fine just need to get HW it supports

Right right

I have two other spare laptops I can check for compatibility

JetpackJackson: if this will be your main system not having sound kinda sucks more than not having a printer

heh

Haha I mean I can't switch now cause I'm still in college but ill look into it more when I get closer to being able to switch

Want to get more experience with the system first too before I go all in

run it in a VM

yeah im doing that too i just had the idea to plunk it on one of the spares

great plan

I know one is an old Toshiba and the other is another Lenovo so hopefully they'll work better

JetpackJackson: I would check the Toshiba next

Oh how come? Better support?

Cause why not ?

Ah

It's at the bottom of the stack so I was gonna do the Lenovo first lol