-
zerotime
thanks mason
-
zerotime
!ztquote
-
zerotime
A diamond with a flaw is worth more than a pebble without imperfections. -Chinese Proverb [zerotime collection]
-
mason
zerotime: The quoting is a bit off-topic. There's #freebsd-social for that if you want. Regardless, you're welcome.
-
zerotime
it was more of a reference to your answer. flawed but useful enough to get me in the right direction
-
zerotime
openzfs-2.2 wasn't introduced in 13.x
-
polarian
hmmm
-
polarian
yeah I think there might be a bug here
-
polarian
-
polarian
IPv6 only jail, no bridge, attempting routed
-
polarian
NS is being ignored by tap, despite having the address
-
polarian
which isn't too much of a surprise, tap doesn't have a LLA
-
polarian
now iirc all ifaces should have an IP address, but this is mainly with IPv4, if an interface has a LLA then this can be used between two devices, however I just used global addresses
-
polarian
::4 is vm, ::3 is jail ::2 is host
-
polarian
sorry ::3 is tap
-
polarian
I have also tried with ::2, but this also ignores the NS
-
polarian
any ideas? I use a routed setup with IPv4 only
-
polarian
works fine there...
-
polarian
no NDP, no routing
-
polarian
this DOES work when bridged though, if I bridge tap0 to host works just fine
-
nulltaz
Does it make me a coward if I don't use PF on my AWS EC2 instance and just use the VPC security group inbound rules?
-
nulltaz
PF is frustrating me right now, as I try to learn it
-
martouf
imo not really
-
nulltaz
I just started reading about PF today, and I did kinda rush through building out my pf.conf. So maybe I'll learn to love it. But as of now, it seems like a pain.
-
Laidback_01
look up firewallbuilder - it's a cool older piece of software that did a decent job making pf rules.
fwbuilder.sourceforge.net I used this when I first started playing with pf trying to learn rules. If nothing else, you can generate a great starting point!
-
nimaje
polarian: poudriere just creates jails in the way it wants to use them, for example you can mix the jails with ports trees, so the chosen ports tree is null mounted when doing a build, if you just want to create a clean jail for building packages, there aren't specific requirements for that, just that you should clean it up for every package you build, poudriere uses zfs snapshots for that if you
-
nimaje
are on zfs
-
mage
I'm trying to zfs umount and I'm getting cannot unmount '/jails/foobar': pool or dataset is busy .. is there a way to find what is using the fs ?
-
mage
# fstat -m /jails/foobar doesn't report anything
-
mage
also what's the danger/implications of doing zfs umount -f ?
-
tsoome
as with any other forced umount - possible loss of application state resulting from app internal state getting lost.
-
BinGOs
a/win 48
-
nimaje
hm, I have configured my system to place coredumps under /var/coredumps/<uid>/ is there a way to automatically create that dir when a new user is added, be it by pw or by pkg? (/var/coredumps itself is only writeable by root)
-
» kevans wrote a whole ass daemon to get around the default coredump deficiencies
-
nimaje
what deficiencies did you work around with that daemon? is the code somewhere public?
-
kevans
-
kevans
most of my annoyances were with coredumps in jails
-
kevans
it works better on freebsd 15.0+ because i improved the kernel side to allow a kmod to handle coredumps, so it's paired with a kmod that I wrote that exfiltrates more information about the core
-
kevans
before that you'd have to look for a devd notification, but devd notifications are limited to < 1024 bytes in total
-
kevans
the other nice bit about that is that it actually pipes the core to ucored, so you can discard the core without it ever hitting the disk or move it elsewhere
-
nimaje
that tool sounds nice, any plans to replace the coredump handling with it in base? for that the default config probably has to read kern.corefile for where to put corefiles because of POLA
-
kevans
not offhand, since it does introduce complexity
-
AmyMalik
firefox seems to make the kernel leak memory until it's closed
-
polarian
nimaje: hmm... that's fine, the thing is I want to use the base I compile myself
-
polarian
so can I just install a jail and poudriere will snapshot and restore it after building?
-
polarian
or does poudriere do any config to jails it makes itself
-
nimaje
not sure which expectations poudriere has for jails, but to manage jails it writes config on the host. You should look at
man.freebsd.org/cgi/man.cgi?query=poudriere-jail especially -c -b -m src=<path> and -c -m null -M <path> could be interesting for you
-
polarian
nimaje: thx
-
polarian
will look into it
-
polarian
imma jail bhyve and then virtualise freebsd 15.0 then run poudriere :p
-
polarian
will prob IPv6 only and then NAT64 on host because some sources might be cringe and not support IPv4
-
nimaje
as bhyve is mostly a program to configure vmm.ko I don't think jailing it will improve much, if it is even possible
-
rtprio
agreed, i don't see any value in that
-
kevans
nimaje: rtprio: bhyve device emulation happens in userland, not the kernel
-
kevans
(the contested bit being that the parts hand-waved over as 'the stuff that is not about configuring vmm.ko' is actually pretty important)
-
mason
Hey all. I'm pretty new to pf. Is it possible to specify timers with tables in pf, such that any entry added will be automatically removed after some amount of time?
-
mason
I'm specifically looking for an equivalent to the ipset: create blocklist hash:ip family inet hashsize 2048 maxelem 65536 timeout 604800
-
mason
(Which see, any entry added will expire on its own after a week.)
-
rwp
mason, I have been (softly) looking for the same thing myself. We are all blocking a lot of bad actor addresses these days. AFAIK I haven't found an implementation of a self expiring pf block yet.
-
rwp
I do set up fail2ban on FreeBSD though and fail2ban will keep track of expiration itself in its own sqlite database and then remove them later.
-
rwp
It's definitely not as clean of a solution as available with Linux ipset timeout expiration. It would be really great to have something like that available.
-
mason
Hrm, hrm. Alright. Thank you.
-
mason
Plus side, PF is really clean and quick to set up otherwise.
-
rwp
I also like pf quite a bit. It's missing this feature (until we find it or create it). And pf has other features which Linux does not have. (I must run afk now... Later!)
-
nulltaz
I was having a REALLY hard time getting PF to work. I work with Palo Alto firewalls every day at work, and have a lot of experience crafting Cisco ACLs, and PF just didn't make sense to me.
-
nulltaz
Then I read about adding 'quick' to rules.
-
nulltaz
BOOM, mind blown
-
isley
it's just last match vs first match
-
nulltaz
Yeah, the gear I've used before would stop at the first match. So I assumed that's how it worked in PF
-
mason
rwp: You might find that nft has some missing features. I remember when I moved from ipf to iptables I was dismayed at how many features were missing.
-
nulltaz
I had my Default Deny rule at the bottom of the rulebase lmao
-
topcat001
Is there any issue with using a compressed vdev as a swap device?
-
mason
topcat001: There have historically been problems with using zvols for swap under memory pressure.
-
mason
Compressed or otherwise.
-
topcat001
cool thanks! I'll just use a partition then.
-
mason
Safer.
-
mason
Note that using GELI for it is unproblematic.
-
topcat001
y definitely will encrypt it.
-
dvl
I have a new FreeBSD 15.0 host. The boot drive has both a freebsd-boot partition and an efi partition
-
dvl
2048 348 1 freebsd-boot (174K)
-
dvl
2396 66584 2 efi (33M)
-
dvl
I'm not familiar with this layou. I've only seen one or the other before.
-
dvl
*layout
-
nxjoseph
not sure but i guess freebsd installer does try to support both UEFI/BIOS booting methods soo there are 2 partitions.
-
mason
dvl: Having both is fine.
-
mason
dvl: With that you can boot legacy *or* UEFI.
-
mason
I set that up by default.
-
mason