00:28:07 thanks mason
00:28:40 !ztquote
00:28:42 A diamond with a flaw is worth more than a pebble without imperfections. -Chinese Proverb [zerotime collection]
00:51:28 zerotime: The quoting is a bit off-topic. There's #freebsd-social for that if you want. Regardless, you're welcome.
00:55:38 it was more of a reference to your answer. flawed but useful enough to get me in the right direction
00:56:06 openzfs-2.2 wasn't introduced in 13.x
02:40:19 hmmm
03:01:53 yeah I think there might be a bug here
03:01:55 https://bpa.st/EVBQ
03:02:03 IPv6 only jail, no bridge, attempting routed
03:02:30 NS is being ignored by tap, despite having the address
03:02:50 which isn't too much of a surprise, tap doesn't have a LLA
03:03:54 now iirc all ifaces should have an IP address, but this is mainly with IPv4, if an interface has a LLA then this can be used between two devices, however I just used global addresses
03:04:03 ::4 is vm, ::3 is jail ::2 is host
03:04:09 sorry ::3 is tap
03:04:32 I have also tried with ::2, but this also ignores the NS
03:05:01 any ideas? I use a routed setup with IPv4 only
03:05:06 works fine there...
03:06:32 no NDP, no routing
03:07:13 this DOES work when bridged though, if I bridge tap0 to host works just fine
03:43:28 Does it make me a coward if I don't use PF on my AWS EC2 instance and just use the VPC security group inbound rules?
03:43:37 PF is frustrating me right now, as I try to learn it
03:43:52 imo not really
03:47:53 I just started reading about PF today, and I did kinda rush through building out my pf.conf. So maybe I'll learn to love it. But as of now, it seems like a pain.
04:04:44 look up firewallbuilder - it's a cool older piece of software that did a decent job making pf rules. https://fwbuilder.sourceforge.net/ I used this when I first started playing with pf trying to learn rules. If nothing else, you can generate a great starting point!
08:35:56 polarian: poudriere just creates jails in the way it wants to use them, for example you can mix the jails with ports trees, so the chosen ports tree is null mounted when doing a build, if you just want to create a clean jail for building packages, there aren't specific requirements for that, just that you should clean it up for every package you build, poudriere uses zfs snapshots for that if you
08:35:58 are on zfs
11:08:10 I'm trying to zfs umount and I'm getting cannot unmount '/jails/foobar': pool or dataset is busy .. is there a way to find what is using the fs ?
11:10:40 # fstat -m /jails/foobar doesn't report anything
11:16:28 also what's the danger/implications of doing zfs umount -f ?
12:10:32 as with any other forced umount - possible loss of application state resulting from app internal state getting lost.
15:18:29 a/win 48
16:04:31 hm, I have configured my system to place coredumps under /var/coredumps// is there a way to automatically create that dir when a new user is added, be it by pw or by pkg? (/var/coredumps itself is only writable by root)
16:15:28 * kevans wrote a whole ass daemon to get around the default coredump deficiencies
16:20:34 what deficiencies did you work around with that daemon? is the code somewhere public?
16:21:17 there's a port: https://www.freshports.org/sysutils/ucored -- but https://git.kevans.dev/kevans/ucored
16:21:33 most of my annoyances were with coredumps in jails
16:22:58 it works better on freebsd 15.0+ because i improved the kernel side to allow a kmod to handle coredumps, so it's paired with a kmod that I wrote that exfiltrates more information about the core
16:23:33 before that you'd have to look for a devd notification, but devd notifications are limited to < 1024 bytes in total
16:25:41 the other nice bit about that is that it actually pipes the core to ucored, so you can discard the core without it ever hitting the disk or move it elsewhere
16:31:36 that tool sounds nice, any plans to replace the coredump handling with it in base? for that the default config probably has to read kern.corefile for where to put corefiles because of POLA
16:42:15 not offhand, since it does introduce complexity
16:44:12 firefox seems to make the kernel leak memory until it's closed
17:23:20 nimaje: hmm... that's fine, the thing is I want to use the base I compile myself
17:23:45 so can I just install a jail and poudriere will snapshot and restore it after building?
17:23:58 or does poudriere do any config to jails it makes itself
17:36:24 not sure which expectations poudriere has for jails, but to manage jails it writes config on the host.
You should look at https://man.freebsd.org/cgi/man.cgi?query=poudriere-jail especially -c -b -m src= and -c -m null -M could be interesting for you
18:06:06 nimaje: thx
18:06:10 will look into it
18:06:40 imma jail bhyve and then virtualise freebsd 15.0 then run poudriere :p
18:07:50 will prob IPv6 only and then NAT64 on host because some sources might be cringe and not support IPv4
18:09:15 as bhyve is mostly a program to configure vmm.ko I don't think jailing it will improve much, if it is even possible
18:09:44 agreed, i don't see any value in that
19:25:06 nimaje: rtprio: bhyve device emulation happens in userland, not the kernel
19:27:02 (the contested bit being that the parts hand-waved over as 'the stuff that is not about configuring vmm.ko' is actually pretty important)
19:56:06 Hey all. I'm pretty new to pf. Is it possible to specify timers with tables in pf, such that any entry added will be automatically removed after some amount of time?
19:56:55 I'm specifically looking for an equivalent to the ipset: create blocklist hash:ip family inet hashsize 2048 maxelem 65536 timeout 604800
19:57:31 (Which see, any entry added will expire on its own after a week.)
20:36:57 mason, I have been (softly) looking for the same thing myself. We are all blocking a lot of bad actor addresses these days. AFAIK I haven't found an implementation of a self expiring pf block yet.
20:37:32 I do set up fail2ban on FreeBSD though and fail2ban will keep track of expiration itself in its own sqlite database and then remove them later.
20:38:02 It's definitely not as clean of a solution as available with Linux ipset timeout expiration. It would be really great to have something like that available.
20:43:58 Hrm, hrm. Alright. Thank you.
20:44:14 Plus side, PF is really clean and quick to set up otherwise.
20:48:36 I also like pf quite a bit. It's missing this feature (until we find it or create it). And pf has other features which Linux does not have. (I must run afk now... Later!)
20:49:17 I was having a REALLY hard time getting PF to work. I work with Palo Alto firewalls every day at work, and have a lot of experience crafting Cisco ACLs, and PF just didn't make sense to me.
20:49:29 Then I read about adding 'quick' to rules.
20:49:32 BOOM, mind blown
20:49:45 it's just last match vs first match
20:50:47 Yeah, the gear I've used before would stop at the first match. So I assumed that's how it worked in PF
20:50:55 rwp: You might find that nft has some missing features. I remember when I moved from ipf to iptables I was dismayed at how many features were missing.
20:50:56 I had my Default Deny rule at the bottom of the rulebase lmao
20:52:34 Is there any issue with using a compressed vdev as a swap device?
20:56:19 topcat001: There have historically been problems with using zvols for swap under memory pressure.
20:56:26 Compressed or otherwise.
20:57:08 cool thanks! I'll just use a partition then.
20:59:02 Safer.
20:59:17 Note that using GELI for it is unproblematic.
21:00:50 y definitely will encrypt it.
21:33:50 I have a new FreeBSD 15.0 host. The boot drive has both a freebsd-boot partition and an efi partition
21:33:51 2048 348 1 freebsd-boot (174K)
21:33:51 2396 66584 2 efi (33M)
21:34:10 I'm not familiar with this layou. I've only seen one or the other before.
21:34:16 *layout
21:44:30 not sure but i guess freebsd installer does try to support both UEFI/BIOS booting methods soo there are 2 partitions.
23:20:07 dvl: Having both is fine.
23:20:23 dvl: With that you can boot legacy *or* UEFI.
23:20:28 I set that up by default.
23:20:57 dvl: In fact, I document it here: https://wiki.freebsd.org/MasonLoringBliss/ZFSandGELIbyHAND