-
rwp
Looking at the User-Agent is, as nimaje said, not the entire solution. We do block a lot of bad bots based upon it though.
-
rwp
Tools like nephenthes and iocaine are good if *other* people run them. When you have a server that is overwhelmed with bots then running a bot tarpit on the same server is counterproductive. You don't want to keep them there. You want to shed the load of them.
-
rwp
So what we want is for everyone else to run nephenthes and iocaine and trap them distributed across the net, evenly dispersed everywhere else.
-
rwp
We also have some AI scrapers that are solving the JavaScript proof-of-work challenge now too. So tools such as Anubis are no longer quite as effective. There are still a lot of older ones that do not. But newer scrapers do. I think those are mostly all browser plugin bots now.
-
rwp
Because yes there are browser plugins where you get a kickback for running your browser as part of the AI botnet scraping army now. Sigh. And that is like using human shields. It's even harder to identify and therefore harder to block.
-
rwp
I often look at logs and go, this is definitely a bot, how many times has this IP address hit with this pattern? grep. See only 5 queries total in the last week! It's part of a huge botnet and addresses are spread out like a snowshoe. We call it a snowshoe attack.
-
rwp
It's actually much easier to run your own mail server these days by comparison. (I have always run my own mail server since the beginning.)
-
cracauer
yes
-
cracauer
(to the question of running my own mail server)
-
cracauer
Lots of spam fighting.
-
rtprio
I had an ISP which disabled the ONT for any outbound mail. Like they assumed all outgoing mail was a Windows worm.
-
rtprio
found out the hard way
-
scottpedia
cracauer: it's not spam fighting
-
scottpedia
independent mail server has been made infeasible by whatever reputation system they forced onto all of us
-
scottpedia
and they even have whitelists to filter your email depending on many factors
-
mq
I do love self-hosting, but not e-mail in a long, long time
-
rwp
I want to say "the main thing" about self-hosting email but actually the list of main-things is a sizeable list of things.
-
rwp
But a typical first mistake is that people try to run them from their residential networking. And no one else is going to accept mail from a residential address block.
-
Matt|home
I need advice on an off-topic anti-AI thing, if anyone's got a couple of minutes to spare and is willing to hear me out plz pm :( tl;dr functionality vs integration tradeoff
-
rwp
Almost all sites block using DNSBLs and one of them is the DUL which was the Dial Up List for residential addresses. No one is on dial-up anymore but the concept is the same. So you can't use a residential address block to host an email server.
-
rwp
Matt|home, If it is light I would just mention it here but if it is very off topic then /join #freebsd-social and it can be talked about socially there.
-
AmyMalik
i have súper offtopic thoughts about email
-
GoSox
I'm confused, if I do `pkg search peazip` it finds three items, but if I do "pkg install peazip", it says no items found?
-
GoSox
arghhh I really liked xfce4 the best but everything about customizing seems like it's a half-assed mystery
-
GoSox
so frustrating things don’t just work
-
GoSox
here's a question that is more answerable:
-
GoSox
what is the best-practices location to start making my own folders for server stuff. Not user-specific files, like web root folders and custom log folders?
-
GoSox
right at the root level of the file system? or somewhere else?
-
Liaf
What is the idea behind pkgbase install on FreeBSD? I realize it merges freebsd-update with pkg and maybe removes redundancy but is this the only idea behind this approach?
-
jan0sch
GoSox: as usual it depends. ;-) I tend to use /usr/local/www for web files and otherwise I've the habit to create /srv (from serve or server) and structure stuff beneath that.
-
GoSox
for many years, my web servers would have the web folder right at the root level of the hard drive. But then Apple made that not user-writeable, not even as root. So all of that kind of non-user-specific stuff had to move to /Users/Shared/
-
rwp
GoSox, There is no package peazip. There are three packages peazip-gtk2, peazip-qt5, and peazip-qt6.
-
o0x1eef
Well, FreeBSD isn't going to do that unless you use chflags or something.
-
GoSox
rwp what do those mean?
-
rwp
You said: I'm confused, if I do `pkg search peazip` it finds three items, but if I do "pkg install peazip", it says no items found?
-
GoSox
right
-
GoSox
so
-
rwp
But there is no package named peazip so that can't be installed.
-
GoSox
what does “peazip-gtk2, peazip-qt5, and peazip-qt6” mean?
-
rwp
I showed the names of those other packages. They are peazip-gtk2, peazip-qt5, and peazip-qt6.
-
rwp
If you want to install the gtk2 version then "pkg install peazip-gtk2" will do it.
-
rwp
If you want to install the qt5 package then "pkg install peazip-qt5". You have to use the package name to install it.
-
rwp
Maybe it will make more sense if you try searching for a smaller string. Try: pkg search peaz
-
zerotime
anyone have experience with the 13.5 to 14.3 upgrade? I'd be interested to understand issues to watch out for
-
rwp
I upgraded many machines from 13 to 14 and had no problems. Always read the release notes though.
-
GoSox
i don’t know what “the qt5 package” means
-
rwp
gtk and qt are different graphics libraries. They have slightly different looks.
-
zerotime
thanks rwp - will check on those
-
o0x1eef
GTK is used by Gnome and Qt is used by KDE.
-
zerotime
do you know of any major zfs issues in 14.3 that isn't patched yet
-
rwp
I don't know of any but note that zfs is upgraded separately and I recommend upgrading zfs later after you are confident you will never return to 13 using a Boot Environment. Because once zfs is upgraded then you can't Boot Environment back to rescue it.
-
rwp
Honestly I usually hold off zfs upgrades until just /before/ I upgrade to the next release.
-
zerotime
does zfs have solid backward compatibility?
-
zerotime
a zfs upgrade is optional, right?
-
nimaje
rwp: with "upgrading zfs" you mean activating new features on your pool? because the kernel module is in base and will be upgraded with it
-
zerotime
are there any compelling and solid zfs features in 14.3 that would encourage upgrading?
-
rwp
I am talking about "zpool upgrade" which you can read about with "man zpool-upgrade".
-
rwp
I am on 14.3R now and thinking about upgrading to 15.1R "soon". I have not upgraded zfs since I was running 13. Before I upgrade to 15 I will "zpool upgrade" and then upgrade to 15. Because even right now a couple of years later I can still use my old 13 Boot Environment and can boot it. But after I upgrade to the 14 level zpool then I can't.
-
o0x1eef
TIL zpool-upgrade
-
zerotime
nice, is 15.1 released already?
-
zerotime
I thought 15.0 was the latest
-
rwp
As for new zfs features there is the copy-ref (I don't remember the spelling or exact feature name, look it up) that allows a copy to be like a hard link in that it just copies a ref pointer to it internally. It was a hot topic some time ago when it first came out. It had bugs. But the Linux crowd was all hot for it.
-
rwp
15.1 is not yet released. That's why I have not upgraded to it. I am in the community that never upgrades to a .0 release. I am waiting for the .1 release.
-
zerotime
heh, I'm typically on n-2
-
rwp
I can't figure out a use case for copyref in my work environment. Does anyone have a good example of use of it? I am interested in knowing. But I just don't have a use case to benefit from it.
-
zerotime
but 13.5 is eol soon
-
rwp
Yep. It is time to move forward to 14 which has been out for a while and has lots of time on it.
-
o0x1eef
15 has been solid for me
-
rwp
So in theory with copyref I could take a 7.5GB DVD ISO image and copy it from A to B and it would be almost instant because it would be a ref copy rather than a full data content copy. But... Why would I be doing this? I would normally just be mv'ing it from place to place and that is also instant.
-
rwp
Like I said I just don't have a use case to benefit from it. But there must be one out there since people were all excited about the feature when it was first released. I would be interested in hearing about useful cases for it.
-
zerotime
I heard IO deadlocks were an issue for write workloads that lasted days - anyone know if that is still an issue?
-
rwp
And of course being a new feature it had data corruption bugs when it first released. So that's a good reason not to be an early adopter of these new features.
-
rwp
What is your environment? Are you a storage engineer supporting 1000 lab engineers doing VLSI chip design with 5000 compute servers hammering away on the storage array doing simulations? Then that might be a worry. No? Are you upgrading your home NAS where you have your music and video collection? Then it's not a worry.
-
zerotime
heh
-
zerotime
!inspire
-
zerotime
Hardly anybody recognizes the most significant moments of their life at the time they happen. -W.P. Kinsella [zenquotes.io]
-
rwp
Notably Netflix runs their entire infrastructure on 15-CURRENT, the bleeding edge, and we thank them for it because they find and fix many bugs before the rest of us hit them. But note that it works well for them.
-
zerotime
Interesting!
-
GoSox
so when I do sudo shutdown now, it doesn't shut down. It logs me out and leaves me at a root prompt
-
GoSox
is there a trick to actually shutting the machine down
-
rwp
So if you are bigger than Netflix then you probably should not be the lone engineer working this problem. If you are a lone engineer working this problem then you probably don't have an environment where you need to worry about it. Just saying! :-)
-
rwp
GoSox, Are you shutting down to single user mode?
-
GoSox
are you asking my intention, or what is happening? My intention is to shut the computer down, so it is no longer running
-
rwp
"man shutdown" ... "When run without options, the shutdown utility will place the system into single user mode ..."
-
GoSox
oh is it -h ?
-
vkarlsen
GoSox: Read the man page for shutdown, there are some options you'll want to look into
-
zerotime
good to know that netflix is on the engineering team
-
rwp
-r will reboot. -h will halt with the power on. -p will halt and power off.
-
rwp
Most of us only ever type in "shutdown -r now" when we reboot. And then a very few times "shutdown -p now" when we are bringing a machine offline unplugging the power cord and opening up the server box.
-
GoSox
apparently on macs -h and -p are the same
-
zerotime
rwp: thank you for the insights
-
zerotime
!ztquote
-
zerotime
A rat who gnaws at a cat's tail invites destruction. -Chinese Proverb [zerotime collection]
-
rwp
zerotime, I was just rambling with egregious editorial remarks. :-)
-
zerotime
heh
-
rwp
On GNU/Linux systems the shutdown options depend upon the init system that is installed. It's actually kind'a annoying that the systemd folks have been messing with the options lately. :-(
-
zerotime
!stoic
-
zerotime
Our life is what our thoughts make it. -Marcus Aurelius [zerotime collection]
-
cracauer
Interesting fact: if you boot into a real single user mode on systemd Linux, with init=/bin/bash, then there is no way to cleanly shut down the machine. Because reboot, halt, shutdown and friends are just systemd frontends and you don't have systemd running.
-
hodapp
I thought there were still ways to bypass that, but maybe those are all gone
-
[tj]
You can echo something to the power file
-
cracauer
hodapp: I would be interested to know what these workarounds were. Hate to hit the (virtual) reset button.
-
hodapp
I had thought that 'shutdown' was lower level, but hmmmm, now that I think about it, when I had systemd just stop responding altogether on my workstation some years back, none of this worked
-
[tj]
cracauer: seems I am wrong about this one
-
scottpedia
Cattttttttttttty: are you the same catty I met on discord some time ago?
-
Cattttttttttttty
i doubt it
-
shbrngdo
had a weird problem, routing got clogged up somehow about an hour and a half ago, with natd consuming 100% CPU time. Had to restart natd. Anyone else ever see this? Using 15 from a couple of months ago
-
scottpedia
Cattttttttttttty: i mean do you use discord?
-
scottpedia
or maybe I should ask to whom does your current pet cat belong? Cattttttttttttty
-
scottpedia
the catty i met told me his ex-girlfriend gave him the cat
-
shbrngdo
from the number of reconnects last night I have to wonder if natd caused that, or if all of those disconnects [and the cause] led up to natd eating 100% CPU time...
-
shbrngdo
looks like all day yesterday too. strange...
-
spork_css_
If anyone knows someone with port commit privs, we have a major port (powerdns) sitting here for months waiting on security updates to be approved by a committer:
bugs.freebsd.org/bugzilla/show_bug.cgi?id=291543
-
ek
spork_css_: Send an email to ports@ requesting a review/commit if it's been a long time.
-
shbrngdo
I figured out why natd got hung up - I'm being syn flooded by several netblocks in Brazil - added to ipfw reject table, cpu dropped to 1% on natd [it was bouncing around 20%]
-
shbrngdo
anyone else getting syn flooded from brazil? Just curious...
-
shbrngdo
it looks like several net blocks are involved with 2 different ISPs
-
shbrngdo
they're all syn-flooding port 443 so web server crack or ?
-
nulltaz
interesting
-
daemon
shbrngdo, nothing over here, seems pretty targeted
-
vortexx
after a powercut, a previously working config for adding an aliased IP to a bridge interface for my nextcloud iocage built jail has stopped working. I tried issuing the command manually and it doesn't work either. Jail is started, I restarted it and it still can't apply its IP configuration be it v4 or v6. Message is : ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address . I'm out of ideas,
-
vortexx
would anyone know?
-
qop
Running FBSD on a KVM VM. BIOS. I cannot get the console to use a higher resolution than the 800x600 or so fallback. I have tried virtio, qxl, a million different settings, asked all AIs, and nothing works.
-
qop
For what I get, the only way to get better resolution is to either use X or UEFI
-
qop
(OVMF). But I don't want to install X. Machine is meant to be a server. And I would really avoid uefi. Hate the thing, and makes the VM fragile and harder to port.
-
hodapp
err. if it's a server, why do you need a higher resolution?
-
yamada
lol
-
tsoome
qop see man loader.conf screen.textmode and vbe command.
-
qop
tsoome: tried it. Also tried vesa and virtio_gpu
-
qop
it still goes back to a tiny console on reboot. Other OSes can resize just fine
-
qop
hodapp: so that I can work on it lol. Too small to see full text sometimes. I don't do ssh on any of my servers.
-
qop
just kvm/console/spice.
-
qop
I guess there is just no way unless I switch to ovmf =\
-
shbrngdo
daemon - thanks. I added them to the permaban list, which reminds me to improve the way I set up the list. This happened months ago as well, different IPs [currently banned] so I do not know what is going on in Brazil for ISPs to be compromised or used for nefarious purposes...
-
shbrngdo
currently looks like ~30 connection attempts per second.
-
shbrngdo
wireshark shows the attempt and then firewall blocks it.
-
shbrngdo
blocked packets approaching 200k
-
qop
drop will save you some bandwidth and maybe some cpu
-
qop
better, you can throttle attackers trapping them in a blacklist if you have the ram
-
qop
unless its syn obvi
-
tsoome
and did you also see vbe_max_resolution?
-
qop
tsoome: vbe comes in blank. No output
-
tsoome
ah, well, you have been bitten by "let's not compile it in by default".
-
tsoome
you need to build it with BOOT_FRAMEBUFFER_MODE="yes"
-
qop
tsoome: mmm, I've never compiled a bsd kernel...
-
qop
that will be an interesting task. Worth the try!
-
qop
should prolly be the default iyam
-
tsoome
problem is, bios version of boot loader is on the edge of its size limit, so anything non-essential is disabled on its build.
-
cracauer
Did anyone ever use iPXE in bhyve?
-
qop
tsoome: oh, I see. Thank you!
-
qop
cracauer: pxe, many times. bhyve, never.
-
qop
'cause I usually run my bsds on a linux hypervisor
-
cracauer
I seem not to get packets from the physical ethernet back into the vm through the software bridge.
-
cracauer
dhcp request reaches the server and it replies. But the ipxe instance doesn't get it.
-
qop
pxe is simple stuff. Just a bootloader listening to tftp, remote finds it via dhcp. Have you verified that the pxe server port can be reached? Are you connecting the clients directly or through some convoluted network setup?
-
cracauer
The server gets the request and replies according to tcpdump.
-
qop
ah, if dhcp works then the failing part is either misconfigured pxe or, most likely, something with tftpd.
-
qop
Does tcpdump give you anything after dhcp handshake?
-
cracauer
The client is inside a bhyve VM which is bridged to the physical ethernet
-
cracauer
No, iPXE (not generic pxe) says it never gets anything. So it never reaches a state where tftp would be attempted.
-
qop
well, why use pxe for comms between hyp and vms? Why not just direct disk?
-
cracauer
I'm yak-shaving. The journey started with trying to debug FreeBSD's pxeboot.
-
cracauer
To debug it I want it in bhyve.
-
qop
are you using a different protocol from ftp? http, scsi maybe?
-
cracauer
no
-
qop
well, then we go back to: "if you packet capture/tcpdump, what do you see after dhcp handshake?"
-
cracauer
The handshake is incomplete and there is nothing afterwards.
-
qop
so the dhcp handshake does not complete? Interesting. What part 'breaks'? Meaning, what is the thing that works?
-
cracauer
What works is ipxe sending the dhcp request to the server. and the server replies as I can see on the ethernet.
-
cracauer
But ipxe never gets that dhcp reply.
-
qop
ipxe will rarely fail to send a query, but sounds like your dhcp server is not working at all.
-
cracauer
I know it works because it pxe-boots physical machines with BIOS pxe.
-
qop
review your dhcp server, why is it not working? make sure you have no firewall in between
-
qop
The same dhcp+pxe works successfully on physical machines but fails on VMs then?
-
cracauer
yes
-
cracauer
And qemu on -current is broken so I can only test bhyve.
-
qop
Ah... then that's probably a bhyve thingy. I dunno anything about bhyve, sorry.
-
cracauer
I am looking at the bridge for the virtual network interface, but it seems to be fine, too.
-
cracauer
Anybody here familiar with libelf?
-
cracauer
It breaks qemu right now.
-
cracauer
Never mind, found the problem. Old libelf.so.1 from base system.