From nobody Tue Apr 1 12:59:53 2025
Date: Tue, 1 Apr 2025 13:59:53 +0100
From: Frank Leonhardt
Subject: Re: GPT secondary corrupt. Is dd'ing the first 40 sectors as a backup sufficient?
To: questions@freebsd.org

On 19/03/2025 07:16, Dewayne Geraghty wrote:
> Thank-you for your advice and script. I performed a large array of
> tests on both FreeBSD 12.4S, 14.1S and HardenedBSD 14.2S systems. All
> tests were performed on memory devices then on separate drives and
> booted to init.
>
> To your questions Frank: As I vaguely recall Pawel's intent was to
> provide software RAID vs hw RAID cards. If you have disks of
> dissimilar sizes, gmirroring the two disks will result in a mirror
> that uses the size of the smaller disk. Yes, if you wish to mirror a
> partition, gmirror does a good job and retains access to the rest of
> the device(s).
>
> I appreciate the script that you provided which I successfully used. I
> went further with testing to reveal various failure states and their
> recovery. Unfortunately this resulted in my embarrassment for asking
> such naive questions at the outset.
>
> Regards, Dewayne
> PS I chose not to set kern.geom.part.check_integrity=0. And yes, it is
> a pity that zfs doesn't support MAC labels :}
>

Hi Dewayne,

Thanks for posting this. I've been a bit busy so I waited to read this all properly before replying. Your results were pretty much exactly what I'd have expected.

I routinely blank disks before adding them to ZFS or a GEOM Mirror. I agree it's not strictly necessary to wipe the entire drive as the beginning and end are the only places likely to contain metadata to screw things up, but I do it anyway to test that the drive is working properly before use. A surprising number have failures in the middle that have appeared during storage. It's also better if you want to take a compressed image. I use LTO tape a lot and a drive that's mostly zeros compresses really well ;-)

I guess you agree that GPT is the way to go for larger drives? For GEOM Mirror I just create one large partition and mirror that - it stops the GPT and Gmirror data clashing and means I don't have to worry if a replacement drive is a few Gb smaller. I always use different drives to start with anyway - getting two "matched" hard disks for the same type from the same batch is asking for them to fail at the same time :-)

I really ought to put that script up on the blog now that you've reminded me. Do you mind if I reference and add your research? I haven't actually tested anything with a BSD partition table for a very long time.

Feel free to look me up if you're ever in London. If you think the script was worth it you can buy me a coffee :-)

Regards, Frank.

From nobody Tue Apr 1 14:54:02 2025
Date: Tue, 01 Apr 2025 16:54:02 +0200
From: "Souji Thenria"
Subject: Re: IPv6 MTU discovery - packet too big

On Mon Dec 9, 2024 at 11:47 PM CET, Souji Thenria wrote:
> Hey all,
>
> On a VPS, I want to create separate jails for most services and assign
> each jail a public IPv6 address. However, I ran into an MTU issue, where
> the external interface of the host system sends multiple ICMPv6
> messages, stating that the received packets are too big to a remote
> server I tried to connect to from inside a jail. And the other server is
> ignoring these messages.
>
> I'm running FreeBSD 14.1-RELEASE on that server and use Bastille to
> manage my jails.
>
> The setup is as follows:
> -- -- --
>
> ext_inter: This interface is connected to the internet and has a public
> IPv6 address. It is NOT connected to the bridge.
>
> bridge: The bridge acts as default gateway for the jails and has a
> public IPv6 address assigned to it.
>
> epair0: Is a member of the bridge.
>
> epair1: This interface is passed to the jail, and a public IPv6 address is
> assigned inside the jail.
>
> The idea is that the jails can communicate over the bridge with each
> other, and when communicating with hosts on the internet, the traffic is
> routed over the ext_inter interface.
> All interfaces have an MTU of 1500 configured.
>
>
> The Problem:
> When I try to connect to, e.g. a web server, the ext_inter interface
> sends a lot of ICMPv6 packets saying:
> ICMP6, packet too big, mtu 1500, length 1240
>
> When I make the same request from the host itself, it works without any
> issues. I suspect that this is because the ext_inter interface has the
> 'JUMBO_MTU' option set, allowing packets to pass with a larger MTU.
> However, this shouldn't happen since the bridge and epair0/1 don't have
> this option.
>
> I can also confirm that the ICMP messages pass the firewall and reach
> the remote server. However, all servers I tried seemed to ignore that
> message and resent their packets without fragmenting them to a fitting
> size.
>
>
> Does anyone know what the issue might be, or have they had a similar
> problem and been able to solve it?
>
> Regards,
> Souji
>
>
> --
> Souji Thenria
> Website: www.souji-thenria.net

Hi all,

I finally found the solution to my problem. In case anyone else runs into it, if you are on a VPS (or any other virtual machine) and use the vtnet driver, you just have to set the following in /boot/loader.conf:

hw.vtnet.csum_disable="1"
hw.vtnet.tso_disable="1"
hw.vtnet.lro_disable="1"

Only disabling checksum offloading might actually be enough.

Regards,
Souji

--
Souji Thenria
Website: www.souji-thenria.net

From nobody Tue Apr 1 17:33:28 2025
From: Mauricio
Date: Tue, 1 Apr 2025 13:33:28 -0400
Subject: Problems with WiFi networks - HP 255 G7, FreeBSD 14.2
To: freebsd-questions@freebsd.org

Hey! : )

I have decided to install FreeBSD 14.2 in my laptop (HP 255 G7).
This model uses a WiFi card detected as rtw880 in the system.

I've used FreeBSD 14.1 in this laptop before, and I had to add the line "compat.linuxkpi.skb.mem_limit=1"
in my /boot/loader.conf file for the WiFi card to work.

I did the same for this 14.2 installation. And my WiFi card is recognized when looking at the ifconfig output.

I proceeded to add the lines needed at
/etc/rc.conf and /etc/wpa_supplicant.conf for the system to connect to my desired network.
(As shown in the robonuggie YouTube channel which has been appropriate for me in the 14.1 system version.)

Anyways, when I use "ping 1.1.1.1" to check the status of my connection, last lines indicate "No route to host"
so I guess system didn't make the connection.

I also tried to configure the network in bsdconfig, but I cannot select any network that appears as scanned in the interface.

What can I do to resolve this issue?


P.S.: I'm still new to these mailing lists, so if I'm not following whatever convention that is appropriate here, feel free to let me know.
And thanks for the attention!

From nobody Wed Apr 2 08:15:32 2025
Date: Wed, 2 Apr 2025 09:15:32 +0100
Subject: Re: Problems with WiFi networks - HP 255 G7, FreeBSD 14.2
To: freebsd-questions@freebsd.org
From: Frank Leonhardt

On 01/04/2025 18:33, Mauricio wrote:
> Hey! : )
>
> I have decided to install FreeBSD 14.2 in my laptop (HP 255 G7).
> This model uses a WiFi card detected as rtw880 in the system.
>
> I've used FreeBSD 14.1 in this laptop before, and I had to add the line
> "compat.linuxkpi.skb.mem_limit=1"
> in my /boot/loader.conf file for the WiFi card to work.
>
> I did the same for this 14.2 installation. And my WiFi card is
> recognized when looking at the ifconfig output.
>
> I proceeded to add the lines needed at
> /etc/rc.conf and /etc/wpa_supplicant.conf for the system to connect to
> my desired network.
> (As shown in the robonuggie YouTube channel which has been appropriate
> for me in the 14.1 system version.)
>
> Anyways, when I use "ping 1.1.1.1" to check the status of my
> connection, last lines indicate "No route to host"
> so I guess system didn't make the connection.
>
> I also tried to configure the network in bsdconfig, but I cannot
> select any network that appears as scanned in the interface.
>
> What can I do to resolve this issue?
>
>
> P.S.: I'm still new to these mailing lists, so if I'm not following
> whatever convention that is appropriate here, feel free to let me know.
> And thanks for the attention!

Hi Mauricio,

I don't know about the WiFi aspect specifically but if ping is your only test for an IPv4 connection some more debugging information would be useful.

What's the output of ifconfig ?

What's the output of netstat -r ?

Regards, Frank.

From nobody Wed Apr 2 08:29:49 2025
Date: Wed, 02 Apr 2025 08:29:49 +0000
From: "Dave Cottlehuber"
To: Mauricio, freebsd-questions
Subject: Re: Problems with WiFi networks - HP 255 G7, FreeBSD 14.2

On Tue, 1 Apr 2025, at 17:33, Mauricio wrote:
> Hey! : )
>
> I have decided to install FreeBSD 14.2 in my laptop (HP 255 G7).
> This model uses a WiFi card detected as rtw880 in the system.

Welcome Mauricio!

> I did the same for this 14.2 installation. And my WiFi card is
> recognized when looking at the ifconfig output.

A general suggestion is to provide the relevant info:

- the section of dmesg
- rc.conf if it's not obvious what you'd have
- any output like ifconfig wlan0

> Anyways, when I use "ping 1.1.1.1" to check the status of my
> connection, last lines indicate "No route to host"
> so I guess system didn't make the connection.

other than `ifconfig wlan0` what's in `netstat -r4n` ?

This will show if you got an IP at all, and also if a default
route has been created.

There should be a file in /var/db/dhclient.leases.*

One possibility is that the DHCP client either didn't run, or
did not get an answer in time.

Try deleting /var/db/dhclient.leases.* and running
`service dhclient restart wlan0` or in the foreground:

# service dhclient stop wlan0
$ dhclient -d wlan0

This should produce output like this:

DHCPREQUEST on igc0 to 255.255.255.255 port 67
DHCPACK from 172.16.1.1
bound to 172.16.1.4 -- renewal in 150000 seconds.

and it should also run the hook script which sets the default route.

A+
Dave

From nobody Wed Apr 2 16:16:27 2025
b=UiFdaytsxhJzIc1W04zj+v+rmmzyGblCGTNJb70Tvabz2iDL4X/QiZwH3EcGGVFdIR Ee0VS7LPsujE6wbMJuZ3ZTnCniZ6p8tJYIkWrqTVSaiZBHl+QxZAy+2deOk4CkcCrg2P IFIu5v2f2uovSdNzIyUsK+Jdf0lF+eJaj/eR2lsJ2oTOE5W1cFDQlpTdYiXICRCqAfyz VyK1UESyXEz20PWDbiLDtCSJIeYjxNc8DK9r9VgceMB6vWaepRSHe1nhLDuDXev0bIOH 18XqltF9wDbZ5kCmHq9UY7LzFBlgSaqmcnt90gh1UWkFxiy7KhJa1/G0oLh0R4AipMsB x55A== X-Gm-Message-State: AOJu0YwJSYX76GvP/l9xoNJ3Nf/fbVvPAAmn0LVn7REjFQ342RjicRN/ LxYTCRSIQrTEtwBU+V8aUKC42DOyEPmSAPodzNCjXMsnqpcHlH+WxYhPGQ3982kVvDdhimhSKU1 TXZJxCjFqHw68re1H5mVyJDF9O+SxeXQK X-Gm-Gg: ASbGncv2NdC3OqJooW2SDM3YmPDqnLEaYIvE/f/8Mx/la72py/sKjxSz1zCmERgmg84 SoUBUZnetwf2rzRO05KuC15zKKl1fCkgVLTZTQnj4FcfBXP9XRKs57JRIp9xDE6cQJqz9baFmVv KJFA2M4JBpMKNksQH4aAObTTEOvuo= X-Google-Smtp-Source: AGHT+IFWKmM+MhX2gKf0PFra+s4rrzloDERlffWyoLhZAujFGNSwgk5END6iL76f+47fkcE3lEwxsVni922VYEozWes= X-Received: by 2002:a17:90b:4ec6:b0:2fe:b470:dde4 with SMTP id 98e67ed59e1d1-30560878f12mr11964772a91.12.1743610601605; Wed, 02 Apr 2025 09:16:41 -0700 (PDT) List-Id: User questions List-Archive: https://lists.freebsd.org/archives/freebsd-questions List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-questions@freebsd.org Sender: owner-freebsd-questions@FreeBSD.org MIME-Version: 1.0 References: <093f0f3a-c9dc-4817-9be7-1d0c285f8e5c@app.fastmail.com> In-Reply-To: <093f0f3a-c9dc-4817-9be7-1d0c285f8e5c@app.fastmail.com> From: Mauricio Date: Wed, 2 Apr 2025 12:16:27 -0400 X-Gm-Features: AQ5f1JpZlkHwFsDOsYhKl1oqbktp-yMcrCEfmxS4iRkhEV-ntwa2RGpOCnDDXjU Message-ID: Subject: Re: Problems with WiFi networks - HP 255 G7, FreeBSD 14.2 To: Dave Cottlehuber Cc: freebsd-questions Content-Type: multipart/alternative; boundary="000000000000893cb80631cdfa75" X-Rspamd-Pre-Result: action=no action; module=replies; Message is reply to one we originated X-Spamd-Result: default: False [-4.00 / 15.00]; REPLY(-4.00)[]; ASN(0.00)[asn:15169, ipnet:2607:f8b0::/32, country:US] X-Rspamd-Queue-Id: 4ZSVP771rfz3pl5 X-Spamd-Bar: ---- 
Thanks for the attention, both of you.

Here I share the output of the commands you requested:

dmesg: https://pastebin.com/pYWAkSed
ifconfig: https://pastebin.com/JcETgrGU
netstat -r: https://pastebin.com/298KabLG
netstat -r4n: https://pastebin.com/5kMhuFB6

And my rc.conf file: https://pastebin.com/55Gt0yGG

> There should be a file in /var/db/dhclient.leases.*

I could not find it, everything mentioned after /var/db was not in the location.
So I could not delete it as you suggested.

Running $ dhclient -d wlan0 outputs: https://pastebin.com/VSRPTUD2

On Wed, Apr 2, 2025 at 4:30 AM Dave Cottlehuber wrote:

> On Tue, 1 Apr 2025, at 17:33, Mauricio wrote:
> > Hey! : )
> >
> > I have decided to install FreeBSD 14.2 in my laptop (HP 255 G7).
> > This model use a WiFi card detected as rtw880 in the system.
>
> Welcome Mauricio!
>
> > I did the same for this 14.2 installation. And my WiFi card is
> > recognized when looking at the ifconfig output.
>
> A general suggestion is to provide the relevant info:
>
> - the section of dmesg
>
> - rc.conf if its not obvious what you'd have
>
> - any output like ifconfig wlan0
>
> > Anyways, when i use "ping 1.1.1.1" to check the status of my
> > connection, last lines indicate "No route to host"
> > so i guess system didnt make the connection.
>
> other that `ifconfig wlan0` what's in `netstat -r4n` ?
>
> This will show if you got an IP at all, and also if a default
> route has been created.
>
> There should be a file in /var/db/dhclient.leases.*
>
> One possibility is that the DHCP client either didn't run, or
> did not get an answer in time.
>
> Try deleting /var/db/dhclient.leases.* and running
>
> `service dhclient restart wlan0`
>
> or in the foreground:
>
> # service dhclient stop wlan0
> $ dhclient -d wlan0
>
> This should produce output like this:
>
> DHCPREQUEST on igc0 to 255.255.255.255 port 67
> DHCPACK from 172.16.1.1
> bound to 172.16.1.4 -- renewal in 150000 seconds.
>
> and it should also run the hook script which sets the
> default route.
>
> A+
> Dave
>
From nobody Wed Apr 2 23:30:06 2025
Date: Thu, 03 Apr 2025 01:30:06 +0200
From: "Dave Cottlehuber"
To: Mauricio
Cc: freebsd-questions
References: <093f0f3a-c9dc-4817-9be7-1d0c285f8e5c@app.fastmail.com>
Subject: Re: Problems with WiFi networks - HP 255 G7, FreeBSD 14.2

> On Wed, Apr 2, 2025 at 4:30 AM Dave Cottlehuber wrote:
>> On Tue, 1 Apr 2025, at 17:33, Mauricio wrote:
>> > Hey! : )
>> >
>> > I have decided to install FreeBSD 14.2 in my laptop (HP 255 G7).
>> > This model use a WiFi card detected as rtw880 in the system.
>>
>> Welcome Mauricio!
>>
>> > I did the same for this 14.2 installation. And my WiFi card is
>> > recognized when looking at the ifconfig output.

TLDR try installing 14-STABLE to see if this is resolved.

I wrote most of the notes below before finding PR283142, so just
use it to refer to in future.

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=272145 seems relevant
with https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=283903
as does https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=283142 which
looks like a fix may already be in 14-STABLE, my suggestion would be
to see if 14-STABLE works or not.

> dmesg: https://pastebin.com/pYWAkSed

rtw880: <rtw_8821ce> port 0x2000-0x20ff mem 0xc0600000-0xc060ffff at device 0.0 on pci1
rtw880: successfully loaded firmware image 'rtw88/rtw8821c_fw.bin'
rtw880: Firmware version 24.8.0, H2C version 12

> ifconfig: https://pastebin.com/JcETgrGU

wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=0
        ether 00:e9:3a:db:06:fb
        groups: wlan
        ssid "" channel 11 (2462 MHz 11g). <---------
        regdomain FCC country US authmode WPA1+WPA2/802.11i privacy ON
        deftxkey UNDEF txpower 30 bmiss 7 scanvalid 60 protmode CTS wme
        roaming MANUAL
        parent interface: rtw880
        media: IEEE 802.11 Wireless Ethernet autoselect (autoselect)
        status: no carrier <-------------------------

So you're not getting an IP address from DHCP server because no
connection is being established to the access point (no carrier).

While I can't diagnose this, you should grab output of wifi scan,
and run wpa_supplicant in debug mode, and update one of the
tickets above if it's still an issue on 14-STABLE.

# ifconfig -v wlan0 list scan
# pkill -ilf wpa_supplicant
# wpa_supplicant -tddi wlan0 -c /etc/wpa_supplicant.conf

You may need to sanitise this file, it may contain your wifi password

A+
Dave

From nobody Thu Apr 3 20:36:52 2025
References: <093f0f3a-c9dc-4817-9be7-1d0c285f8e5c@app.fastmail.com>
From: Mauricio
Date: Thu, 3 Apr 2025 16:36:52 -0400
Subject: Re: Problems with WiFi networks - HP 255 G7, FreeBSD 14.2
To: Dave Cottlehuber
Cc: freebsd-questions

The suggestion of trying FreeBSD 14 STABLE ended with success.
I can use WiFi correctly now.

One good thing I noticed is that I don't need to type that "linuxkpi..." in /boot/loader.conf anymore for the WiFi card to work correctly.

I'm really thankful for all your help.
I want to keep digging on this system and now it's easier.

By the way, thanks for letting me know about the risks of one of my text files; however, I thought about it beforehand, and found that I had reasons to not care about that for now.
Again, thanks for the help.

On Wed, 2 Apr 2025 at 7:30 p.m., Dave Cottlehuber wrote:

> > On Wed, Apr 2, 2025 at 4:30 AM Dave Cottlehuber wrote:
> >> On Tue, 1 Apr 2025, at 17:33, Mauricio wrote:
> >> > Hey! : )
> >> >
> >> > I have decided to install FreeBSD 14.2 in my laptop (HP 255 G7).
> >> > This model use a WiFi card detected as rtw880 in the system.
> >>
> >> Welcome Mauricio!
> >>
> >> > I did the same for this 14.2 installation. And my WiFi card is
> >> > recognized when looking at the ifconfig output.
>
> TLDR try installing 14-STABLE to see if this is resolved.
>
> I wrote most of the notes below before finding PR283142, so just
> use it to refer to in future.
>
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=272145 seems relevant
> with https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=283903
> as does https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=283142 which
> looks like a fix may already be in 14-STABLE, my suggestion would be
> to see if 14-STABLE works or not.
>
> > dmesg: https://pastebin.com/pYWAkSed
>
> rtw880: <rtw_8821ce> port 0x2000-0x20ff mem 0xc0600000-0xc060ffff at
> device 0.0 on pci1
> rtw880: successfully loaded firmware image 'rtw88/rtw8821c_fw.bin'
> rtw880: Firmware version 24.8.0, H2C version 12
>
> > ifconfig: https://pastebin.com/JcETgrGU
>
> wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>         options=0
>         ether 00:e9:3a:db:06:fb
>         groups: wlan
>         ssid "" channel 11 (2462 MHz 11g). <---------
>         regdomain FCC country US authmode WPA1+WPA2/802.11i privacy ON
>         deftxkey UNDEF txpower 30 bmiss 7 scanvalid 60 protmode CTS wme
>         roaming MANUAL
>         parent interface: rtw880
>         media: IEEE 802.11 Wireless Ethernet autoselect (autoselect)
>         status: no carrier <-------------------------
>
> So you're not getting an IP address from DHCP server because no
> connection is being established to the access point (no carrier).
>
> While I can't diagnose this, you should grab output of wifi scan,
> and run wpa_supplicant in debug mode, and update one of the
> tickets above if its still an issue on 14-STABLE.
>
> # ifconfig -v wlan0 list scan
> # pkill -ilf wpa_supplicant
> # wpa_supplicant -tddi wlan0 -c /etc/wpa_supplicant.conf
>
> You may need to sanitise this file, it may contain your wifi password
>
> A+
> Dave
>

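Dave's caution in the thread above about sanitising /etc/wpa_supplicant.conf before posting it, as an added example that is not part of the original messages: a POSIX sh filter that masks credential values so the file can be attached to a bug report. The function names, the key list in WPA_SECRET_KEYS and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example: mask credentials in a wpa_supplicant.conf before sharing it.
# Function names and the sample configuration below are constructed.

# Configuration keys whose values are secrets (passphrases, keys, PINs).
WPA_SECRET_KEYS='psk password sae_password private_key_passwd private_key2_passwd pin wep_key0 wep_key1 wep_key2 wep_key3'

# Print the file named in $1 (or stdin) with every secret value replaced.
# The optional leading "#" also catches the clear-text #psk="..." comment
# that wpa_passphrase(8) writes next to the hashed psk.
redact_wpa_conf() {
    awk -v keys="$WPA_SECRET_KEYS" '
    BEGIN { n = split(keys, k, " "); for (i = 1; i <= n; i++) secret[k[i]] = 1 }
    {
        if (match($0, /^[ \t]*#?[ \t]*[A-Za-z0-9_]+=/)) {
            head = substr($0, 1, RLENGTH)   # indentation, optional "#", key, "="
            key = head
            gsub(/[ \t#=]/, "", key)
            if (key in secret) { print head "<redacted>"; next }
        }
        print
    }' "${1:--}"
}

# Succeed (exit 0) only if no secret key in the file still carries a value
# other than the "<redacted>" marker. Use it as a last check before posting.
wpa_conf_is_clean() {
    awk -v keys="$WPA_SECRET_KEYS" '
    BEGIN { n = split(keys, k, " "); for (i = 1; i <= n; i++) secret[k[i]] = 1 }
    match($0, /^[ \t]*#?[ \t]*[A-Za-z0-9_]+=/) {
        key = substr($0, 1, RLENGTH)
        gsub(/[ \t#=]/, "", key)
        if ((key in secret) && substr($0, RLENGTH + 1) != "<redacted>") bad = 1
    }
    END { exit bad + 0 }' "${1:--}"
}

# Constructed sample configuration: one WPA-PSK network as written by
# wpa_passphrase(8) and one WPA-EAP network with a password.
sample_wpa_conf() {
    cat <<'EOF'
ctrl_interface=/var/run/wpa_supplicant
network={
    ssid="example-net"
    #psk="correct horse battery"
    psk=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
    key_mgmt=WPA-PSK
}
network={
    ssid="example-eap"
    key_mgmt=WPA-EAP
    identity="user@example.org"
    password="hunter2"
}
EOF
}

# With a file argument, redact that file; with none, show the sample.
if [ "$#" -ge 1 ]; then
    redact_wpa_conf "$1"
else
    sample_wpa_conf | redact_wpa_conf
fi
```

SSIDs, identities and BSSIDs are left in place, so remove those by hand if they matter in your setting.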
From nobody Thu Apr 3 21:55:35 2025
Message-ID: <781b8841-a08b-4eb4-9df6-5bcf683f7e7d@jarasoft.net>
Date: Thu, 3 Apr 2025 23:55:35 +0200
Reply-To: mlist@jarasoft.net
To: questions@freebsd.org
From: Jack Raats
Subject: ipv6 over an ipv4 tunnel

Hi,

I have two servers, both running FreeBSD 14.2

Server A has only one ipv4 address, no ipv6.

Server B has one ipv4 address and an ipv6 subnet.

Is it possible to give Server A an ipv6 address from server B ipv6
subnet and ipv6 connectivity and how?

Gr.,
Jack Raats

From nobody Fri Apr 4 00:16:25 2025
Date: Thu, 3 Apr 2025 18:16:25 -0600
From: katphish
To: mlist@jarasoft.net
Cc: questions@freebsd.org
Subject: Re: ipv6 over an ipv4 tunnel
Message-Id: <20250403181625.6f95006ce4335c017a3a1281@csrc.com>
In-Reply-To: <781b8841-a08b-4eb4-9df6-5bcf683f7e7d@jarasoft.net>
References: <781b8841-a08b-4eb4-9df6-5bcf683f7e7d@jarasoft.net>

Hi Jack,

6in4, that was the hotness back in the day. On FreeBSD the gif[1] interface is purpose built to tunnel the IP protocols. I don't know if/how it still applies but here are plenty of guides[2] and of course the handbook[3] to get you started:

Have fun!

[1] https://man.freebsd.org/cgi/man.cgi?gif(4)
[2] https://hack.org/mc/blog/ipv6-tunnel-dynamic.html
[3] https://docs.freebsd.org/en/books/developers-handbook/ipv6/

On Thu, 3 Apr 2025 23:55:35 +0200
Jack Raats wrote:

> Hi,
>
> I have two servers, both running FreeBSD 14.2
>
> Server A has only one ipv4 address, no ipv6.
>
> Server B has one ipv4 address and an ipv6 subnet.
>
> Is it possible to give Server A an ipv6 address from server B ipv6
> subnet and ipv6 connectivity and how?
>
> Gr.,
> Jack Raats
>
>

--
Security

From nobody Fri Apr 4 15:42:26 2025
Message-ID: <6aeb488d-b3c3-4393-80ca-0b89c1ebc446@netfence.it>
Date: Fri, 4 Apr 2025 17:42:26 +0200
To: freebsd-questions@freebsd.org
From: Andrea Venturoli
Subject: Sudden zpool checksums errors

Hello.

I've got a box with two zpools:
_ 1 mirror on 2 SSDs;
_ 1 raidz1 on 12 HDDs.

Suddenly one daily run showed the following:

>   pool: backup
>  state: ONLINE
> status: One or more devices has experienced an unrecoverable error. An
>         attempt was made to correct the error. Applications are unaffected.
> action: Determine if the device needs to be replaced, and clear the errors
>         using 'zpool clear' or replace the device with 'zpool replace'.
>    see: https://openzfs.github.io/openzfs-docs/msg/ZFS-8000-9P
>   scan: scrub repaired 3.18M in 16:53:16 with 0 errors on Tue Apr 1 20:16:55 2025
> config:
>
>         NAME        STATE     READ WRITE CKSUM
>         backup      ONLINE       0     0     0
>           raidz1-0  ONLINE       0     0     0
>             da4     ONLINE       0     0     0
>             da10    ONLINE       0     0     0
>             da5     ONLINE       0     0    57
>             da2     ONLINE       0     0     0
>             da8     ONLINE       0     0    25
>             da0     ONLINE       0     0     0
>             da1     ONLINE       0     0    49
>             da12    ONLINE       0     0     8
>             da6     ONLINE       0     0     6
>             da11    ONLINE       0     0     0
>             da9     ONLINE       0     0    56
>             da13    ONLINE       0     0    73
>
> errors: No known data errors

I'm finding it hard to believe that 7 disks out of 12 are failing or just happened to misbehave all on the same day.
BTW, SMART says they are OK.
I'm reluctant to blame RAM (since it's ECC) and power supply (as it's redundant 2x800W).

Disks are 16TB TOSHIBA MG09ACA1 connected to a MegaRAID SAS-3 3108 (of course not operating as RAID and with mrsas driver).

% freebsd-version
14.2-RELEASE-p2
% zfs --version
zfs-2.2.6-FreeBSD_g33174af15
zfs-kmod-2.2.6-FreeBSD_g33174af15

Is there a known ZFS bug that could explain this?
I've "zpool clear"ed the errors and waiting to see if they come up again.

bye & Thanks
av.

P.S.
Also, I'm quite sure no "administrator accidentally wrote over a portion of the disk using another program" :) From nobody Fri Apr 4 16:05:37 2025 X-Original-To: freebsd-questions@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4ZTk3Z34bXz5s18q for ; Fri, 04 Apr 2025 16:05:46 +0000 (UTC) (envelope-from mike@sentex.net) Received: from smarthost1.sentex.ca (smarthost1.sentex.ca [IPv6:2607:f3e0:0:1::12]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smarthost1.sentex.ca", Issuer "R10" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4ZTk3Y3TqLz4NdG for ; Fri, 04 Apr 2025 16:05:45 +0000 (UTC) (envelope-from mike@sentex.net) Authentication-Results: mx1.freebsd.org; none Received: from pyroxene2a.sentex.ca (pyroxene19.sentex.ca [199.212.134.19]) by smarthost1.sentex.ca (8.18.1/8.18.1) with ESMTPS id 534G5dtZ001799 (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=FAIL); Fri, 4 Apr 2025 12:05:39 -0400 (EDT) (envelope-from mike@sentex.net) Received: from [IPV6:2607:f3e0:0:4:a057:b7c2:3f78:a2fe] ([IPv6:2607:f3e0:0:4:a057:b7c2:3f78:a2fe]) by pyroxene2a.sentex.ca (8.18.1/8.15.2) with ESMTPS id 534G5bLM063809 (version=TLSv1.3 cipher=TLS_AES_128_GCM_SHA256 bits=128 verify=NO); Fri, 4 Apr 2025 12:05:39 -0400 (EDT) (envelope-from mike@sentex.net) Message-ID: Date: Fri, 4 Apr 2025 12:05:37 -0400 List-Id: User questions List-Archive: https://lists.freebsd.org/archives/freebsd-questions List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-questions@freebsd.org Sender: owner-freebsd-questions@FreeBSD.org MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: Sudden zpool checksums errors To: Andrea Venturoli , freebsd-questions@freebsd.org References: 
 <6aeb488d-b3c3-4393-80ca-0b89c1ebc446@netfence.it>
From: mike tancsa
In-Reply-To: <6aeb488d-b3c3-4393-80ca-0b89c1ebc446@netfence.it>

On 4/4/2025 11:42 AM, Andrea Venturoli wrote:
> Hello.
>
> I've got a box with two zpools:
> _ 1 mirror on 2 SSDs;
> _ 1 raidz1 on 12 HDDs.
>
> Suddenly one daily run showed the following:
>>   pool: backup
>>  state: ONLINE
>> status: One or more devices has experienced an unrecoverable error.  An
>>         attempt was made to correct the error.  Applications are unaffected.
>> action: Determine if the device needs to be replaced, and clear the errors
>>         using 'zpool clear' or replace the device with 'zpool replace'.
>>    see: https://openzfs.github.io/openzfs-docs/msg/ZFS-8000-9P
>>   scan: scrub repaired 3.18M in 16:53:16 with 0 errors on Tue Apr  1 20:16:55 2025
>> config:

I have had marginal power supplies, backplane issues or break out cables
from the controller manifest errors like that.  I would check the power
supply first, backplane next, controller 3rd. Common firmware bugs can
cause issues too, but that's relatively rare and usually with SSDs, not
HDDs from what I have seen in the past.

    ---Mike

From nobody Fri Apr 4 17:13:36 2025
Date: Fri, 4 Apr 2025 19:13:36 +0200
From: Albert Shih
To: freebsd-questions@freebsd.org
Subject: Securing FreeBSD.

Hi everyone.

Is there any way to secure a FreeBSD system to prevent destroying data?

I found out that even with

    kern.securelevel=2

root can still do something like

    umount /data
    gpart delete -i 1 dev_under_data

then create something different with, for example,

    gpart add -t something -a somethingdifferentfrominit dev_under_data

I also tried zfs, but zpool can still be used to destroy every pool.

Currently the only solution I have found is to create a huge / and store
data under / (not a partition), because I'm guessing it would be hard to
umount /

Any other solution?

For example, I see that with securelevel=2 the «bad guy» would be unable
to create a new filesystem, so is there any way to back up the «partition
table»? And put it back after he creates another?

Regards

-- 
Albert SHIH 🦫 🐸
Heure locale/Local time:
ven. 04 avril 2025 19:06:58 CEST

From nobody Fri Apr 4 17:23:38 2025
From: Paul Procacci
Date: Fri, 4 Apr 2025 13:23:38 -0400
Subject: Re: Securing FreeBSD.
To: Albert Shih
Cc: freebsd-questions@freebsd.org

On Fri, Apr 4, 2025 at 1:14 PM Albert Shih wrote:
>
> Hi everyone.
>
> Is there any way to secure a FreeBSD system to prevent destroying data?
>
> I found out that even with
>
>     kern.securelevel=2
>
> root can still do something like
>
>     umount /data
>     gpart delete -i 1 dev_under_data
>
> then create something different with, for example,
>
>     gpart add -t something -a somethingdifferentfrominit dev_under_data
>
> I also tried zfs, but zpool can still be used to destroy every pool.
>
> Currently the only solution I have found is to create a huge / and store
> data under / (not a partition), because I'm guessing it would be hard to
> umount /
>
> Any other solution?
>
> For example, I see that with securelevel=2 the «bad guy» would be unable
> to create a new filesystem, so is there any way to back up the «partition
> table»? And put it back after he creates another?
>
> Regards
>
> --
> Albert SHIH 🦫 🐸
> Heure locale/Local time:
> ven. 04 avril 2025 19:06:58 CEST
>

So you want to be root, without having the power of root.
Try logging into the system with a different user and the problem is
solved -- tongue in cheek.

Anything root can do, it can also undo. There's no way around that.

~Paul
-- 
__________________

:(){ :|:& };:

From nobody Fri Apr 4 18:36:04 2025
Date: Fri, 4 Apr 2025 20:36:04 +0200
From: Albert Shih
To: Paul Procacci
Cc: freebsd-questions@freebsd.org
Subject: Re: Securing FreeBSD.

On 04/04/2025 at 13:23:38-0400, Paul Procacci wrote
> On Fri, Apr 4, 2025 at 1:14 PM Albert Shih wrote:
> >
> >
>
> So you want to be root, without having the power of root.
> Try logging into the system with a different user and the problem is
> solved -- tongue in cheek.

No, I want to put the system in a state where root *cannot* remove some
file.

If I put a file under / with ad hoc chflags and put the system in
securelevel 2, you cannot (or I would really like to know how) easily
remove the file.

In other words, I would like to create a system where it's impossible
(I'm not talking about a security problem) to remove a file without
being physically in front of the server.

Regards

-- 
Albert SHIH 🦫 🐸
France
Heure locale/Local time:
ven. 04 avril 2025 20:31:58 CEST

From nobody Fri Apr 4 18:40:28 2025
From: Aryeh Friedman
Date: Fri, 4 Apr 2025 14:40:28 -0400
Subject: Re: Securing FreeBSD.
To: Albert Shih
Cc: Paul Procacci, freebsd-questions@freebsd.org

On Fri, Apr 4, 2025 at 2:36 PM Albert Shih wrote:
>
> On 04/04/2025 at 13:23:38-0400, Paul Procacci wrote
> > On Fri, Apr 4, 2025 at 1:14 PM Albert Shih wrote:
> > >
> > >
> >
> > So you want to be root, without having the power of root.
> > Try logging into the system with a different user and the problem is
> > solved -- tongue in cheek.
>
> No, I want to put the system in a state where root *cannot* remove some
> file.

Isn't the very definition of root (superuser) that they can do *ANYTHING*?

-- 
Aryeh M. Friedman, Lead Developer, http://www.PetiteCloud.org

From nobody Fri Apr 4 18:45:16 2025
Date: Fri, 4 Apr 2025 11:45:16 -0700
Subject: Re: Securing FreeBSD.
To: questions@freebsd.org
From: David Christensen

On 4/4/25 10:13, Albert Shih wrote:
> Hi everyone.
>
> Is there any way to secure a FreeBSD system to prevent destroying data?
>
> I found out that even with
>
>     kern.securelevel=2
>
> root can still do something like
>
>     umount /data
>     gpart delete -i 1 dev_under_data
>
> then create something different with, for example,
>
>     gpart add -t something -a somethingdifferentfrominit dev_under_data
>
> I also tried zfs, but zpool can still be used to destroy every pool.
>
> Currently the only solution I have found is to create a huge / and store
> data under / (not a partition), because I'm guessing it would be hard to
> umount /
>
> Any other solution?
>
> For example, I see that with securelevel=2 the «bad guy» would be unable
> to create a new filesystem, so is there any way to back up the «partition
> table»? And put it back after he creates another?
>
> Regards

It sounds like you want read-only storage media (?).

Burning your data to a CD-R/DVD-R/BD-R disc comes to mind.

Another option is a USB flash drive with a physical write-protect switch:

https://www.kanguru.com/products/defender-elite30-usb-3-0-hardware-encrypted-flash-drive

https://www.kanguru.com/products/kanguru-defender-elite300-fips-140-2-certified-secure-superspeed-usb-3-0-hardware-encrypted-flash-drive?variant=41077736833139

Searching Amazon, I found external disk drive enclosures with various
features, including write-protect:

https://www.iodd.shop/all-products

David

From nobody Fri Apr 4 18:56:05 2025
b=aATDP/RptWlIh1u4DgkJr9/ek4a5i7lnBJmzXuMIz2u/9N6GLL3m0o9pdV24niEs cq03/xzINKgXnMMIVPL5Svgey+1o2EbyCys1xpy+c154X+h5Q9Hg1en6hWTXoL9De poyv1x9qEVGwImHisP+X1XUZvv/CiQn9dG3aLXlhS/WeRludfWmX7aW3sa0H4T2G3 9R2ZKyZlAgjNZTjTks/aAkO+xYUGI65M5DAXqJ9YQ/9UgfFrxPeKP4rUfzs9fJ/Lq N619EBxtpBa9zJIF3Wp9ZqIrH06Zpfq4cg+2ZJikTHoeWyrTwmb7bc2k+DUqXqrFK 2MhzMdxNorL38tLHFg== X-UI-Sender-Class: 724b4f7f-cbec-4199-ad4e-598c01a50d3a Received: from [10.0.1.209] ([178.114.191.61]) by mail.gmx.net (mrgmx005 [212.227.17.190]) with ESMTPSA (Nemesis) id 1Mqb1W-1tEV6c4772-00gvqt for ; Fri, 04 Apr 2025 20:56:07 +0200 Message-ID: <0c320b2b-b65f-4223-bfaf-a06af5ca8136@gmx.at> Date: Fri, 4 Apr 2025 20:56:05 +0200 List-Id: User questions List-Archive: https://lists.freebsd.org/archives/freebsd-questions List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-questions@freebsd.org Sender: owner-freebsd-questions@FreeBSD.org MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: Securing FreeBSD. To: questions@freebsd.org References: Content-Language: en-US From: infoomatic In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-Provags-ID: V03:K1:Z/Ns8ql7KF53e1IetPK+IHTzA0rb6yAcQYbICkKUwpo6q7pklrF X+7tLzhvdPGzC0zxhpzvFdl7dIDnheFCdg2c8FJxWplYdgTnN85beudh2cfR+rWekhVoODg z18VV7Lb1H14MBkuFa4OF5Kb1PL5MKymDIYm9zzM3ouIIeMefO+tPjSwpyfhVfcvUmB2AIj QTIHqclYHaaj3igW7kYKQ== X-Spam-Flag: NO UI-OutboundReport: notjunk:1;M01:P0:MJYxshg21TA=;jY8WVFbENEM2xU/QfQ7MQyWdS51 mMmnLDSfnlxWaTFl4G3aYzlPmgXGJI+LNf5+k8oMH1bUiVex7yehSI3Aa/2jwGA/G0UbPGAgM LAIojBzUdjL1tOSpnh9r3BDEw45Z/MjI0bSXIOS9TGOPEtdDDF8lBvDVQC66VKxL98zipsFji TJmu86UXTNsZU61o08an2yActNRcftZv7/TvM/BEWidRSU4p3mnH3S83C8uqcgrTjFIF2o2j+ 8YtpwQtm3mQBxMOpo8K+lVRa+izvoVEsg+bjAREcvsOieebEKmg7Ha2xMGcYGH94QRnJEUCpP qzY1ixz6OIXrA6krNNt27KzzCFBmvLQjXCWeINCCLkudwRoDjl900g5Rq5e8CMX5TUDMEmUia onaKVLmWXRQzJth28yU9ndmSHAdoqWas/EkK46egc6IS+bfTB2ucZxjGWZDY5iY4AtqctvfsZ 
yur9GgbbghQMnweL+lk23wIzfIbyUH6ZXBXCjpWqqSXUq7Y+vFoZ/iZaWJPL4Nw6/SP7rFLtJ VH8i/57VsKNAbNmvBEdSTpBGNV20gyAJ9jECaZ9VHtixHv1+pdtq8QB276gZD5DP0tHxwlXo6 p00rH+/9vUFmXCiZTL+MypHJbFsrQBYfd15c0gBP4QCfJvLK/9p+tbGq47GhO1iCCrtBgAyT4 CBU7Jyn5VYeBSsnPijhZZoGe8Os46YkRLg3o4sj0JOlaAtYcTJkj/HzJkGo+maN4Yo8lujzsR 80ufCVKr+yhItY3edwVU+0sqvwT9FNHc0b8KaAtdRdKzM5qYKteptDMnud4lhr66QxYGG6XnN AcA6A9N/B4zLv5LdRFoDaEfTmEAcEMByBdDIO7hp4Z1wRywWI9oo69cSM3n8Vy0tts3TPDFl6 jurGeGO581POEyV7UDfjMk7E4KqfF4eA+9E5iKROCkNLjaTJSLSmy4x3rHpsHThzxXTpYlcRN P55mVir5fMWz8hgwecv91Pl49T3wlLrh8htqmAmCT8Xnyf7RrKfH+XRrCUMRmOWP3ETWPNWLn iyMzW6dXIYjp8T0mBo65yZVpsU7l1yBZOd863pgx2a6l767e1jTQ8dhCZSTVs7kVg+LfrIsJu Xfln++1/u+h3FAn+G1/jA+Q+I9pwuCS/ERgm9axauXyeZFW7rIU3CLn1C2wBm1fXxLMYIs4hM mmYvrns/b8XiTNpX+fsOx00eql0baAJs4Hvy55B9Iyij8y9gL2u4qM6qH8F2+0IZtn3GOL7Hn UgsESbMkuy0R8VbxnsRVEhSQySVCQSWCerz132/gjgARTsrwCA2dcB5TkXQ/eeEYZURetwnVX tRbd0vYYa85GEEk5OsjocW3yG6J+6uUJcEzLXBrz+gpdjg9nG8zCykbrv9GyZlNUWqdvmnre7 7czn5USGVUajWZRQ6BIQU0MS6Rf00HadNhUz8kDLPJspz0+ay29k0+1WOQlCknc7WdcZSuqKH lTC/3yd2tfhB2etOeQd+wfu9JTPQ= X-Spamd-Result: default: False [1.55 / 15.00]; NEURAL_SPAM_MEDIUM(1.00)[1.000]; NEURAL_SPAM_SHORT(0.93)[0.927]; NEURAL_SPAM_LONG(0.72)[0.722]; DMARC_POLICY_ALLOW(-0.50)[gmx.at,quarantine]; ONCE_RECEIVED(0.20)[]; R_DKIM_ALLOW(-0.20)[gmx.at:s=s31663417]; R_SPF_ALLOW(-0.20)[+a:mout.gmx.net]; RWL_MAILSPIKE_VERYGOOD(-0.20)[212.227.15.15:from]; RCVD_IN_DNSWL_LOW(-0.10)[212.227.15.15:from]; MIME_GOOD(-0.10)[text/plain]; FROM_EQ_ENVFROM(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; RCVD_VIA_SMTP_AUTH(0.00)[]; ARC_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; RCPT_COUNT_ONE(0.00)[1]; FREEMAIL_FROM(0.00)[gmx.at]; TO_DN_NONE(0.00)[]; PREVIOUSLY_DELIVERED(0.00)[questions@freebsd.org]; RCVD_TLS_ALL(0.00)[]; RCVD_COUNT_ONE(0.00)[1]; ASN(0.00)[asn:8560, ipnet:212.227.0.0/16, country:DE]; MID_RHS_MATCH_FROM(0.00)[]; MLMMJ_DEST(0.00)[questions@freebsd.org]; DKIM_TRACE(0.00)[gmx.at:+]; FREEMAIL_ENVFROM(0.00)[gmx.at]; FROM_HAS_DN(0.00)[] X-Rspamd-Queue-Id: 
> In other terms I would like to create a system where it's impossible (I'm
> not talking about a security problem) to remove a file without being
> physically in front of the server.

You can just disable the network interfaces

From nobody Fri Apr 4 18:59:35 2025
Date: Fri, 04 Apr 2025 18:59:35 +0000
From: "Dave Cottlehuber"
To: "Andrea Venturoli"
Cc: freebsd-questions
Subject: Re: Sudden zpool checksums errors

On Fri, 4 Apr 2025, at 15:42, Andrea Venturoli wrote:
> Hello.
> I'm finding it hard to believe that 7 disks out of 12 are failing or
> just happened to misbehave all on the same day.
> BTW, SMART says they are OK.

Not saying it's not zfs, but it's probably not zfs.... fingers crossed!

> I'm reluctant to blame RAM (since it's ECC) and power supply (as it's
> redundant 2x800W).

If it's memory, and your mainboard supports it, you'll see failures in
dmesg, MCA ... some good examples:

https://lists.freebsd.org/pipermail/freebsd-hackers/2015-January/046878.html
https://forums.freebsd.org/threads/mca-errors.88909/
https://forums.freebsd.org/threads/solved-weird-mca-errors.94800/

> Disks are 16TB TOSHIBA MG09ACA1 connected to a MegaRAID SAS-3 3108 (of
> course not operating as RAID and with mrsas driver).

Look for SCSI or CAM errors in your logs too, disconnects.

I have seen storms of checksum errors in at least these situations:

- faulty or failing storage / scsi controller
- insufficient power (or failing power supplies) under load
- overclocking
- overheating on mainboard, or controller, or drives
- actually really bad ECC memory
- drive cables that have worked loose over time
- over 50 disks failing within 2 days in a 200+ disk array
- all disks failing within 20 days of deployment in 24 disk chassis

Sometimes, vendors produce batches of Bad Disks - firmware bugs, physical
defects, unexpected dust inside the sealed platters. Failures are far more
correlated than you'd want to believe. External vibrations can cause
problems.

A slow process of upgrading firmware & checking each component, resetting
all cables, is the best way to deal with this.

A+
Dave

From nobody Fri Apr 4 19:05:45 2025
Date: Fri, 4 Apr 2025 15:05:45 -0400
Subject: Re: Sudden zpool checksums errors
To: Andrea Venturoli
Cc: freebsd-questions
From: mike tancsa

On 4/4/2025 2:59 PM, Dave Cottlehuber wrote:
> On Fri, 4 Apr 2025, at 15:42, Andrea Venturoli wrote:
>> Hello.
>> I'm finding it hard to believe that 7 disks out of 12 are failing or
>> just happened to misbehave all on the same day.
>> BTW, SMART says they are OK.

does ipmitool sel list show anything btw? (kldload ipmi and pkg install
ipmitool if you don't have it already)

    ---Mike

From nobody Fri Apr 4 19:55:56 2025
Date: Fri, 4 Apr 2025 21:55:56 +0200
From: Albert Shih
To: Aryeh Friedman
Cc: Paul Procacci, freebsd-questions@freebsd.org
Subject: Re: Securing FreeBSD.

On 04/04/2025 at 14:40:28-0400, Aryeh Friedman wrote
> On Fri, Apr 4, 2025 at 2:36 PM Albert Shih wrote:
> >
> > On 04/04/2025 at 13:23:38-0400, Paul Procacci wrote
> > > On Fri, Apr 4, 2025 at 1:14 PM Albert Shih wrote:
> > > >
> > > >
> > >
> > > So you want to be root, without having the power of root.
> > > Try logging into the system with a different user and the problem is
> > > solved -- tongue and cheek.
> >
> > No, I want to make the system in a state where root *cannot* remove some
> > file.
>
> Isn't the very definition of root (superuser) is that they can do *ANYTHING*?

Well....not always...try this :

echo 'kern.securelevel=2' >> /etc/sysctl.conf
chflags schg /etc/sysctl.conf
sysctl kern.securelevel=2
touch /root/file
chflags schg /root/file

and tell me how you will remove the file

/root/file

without being in front of the server (no IPMI, no drac etc.)

Regards
--
Albert SHIH 🦫 🐸
France
Local time: Fri. 04 April 2025 21:20:38 CEST

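Added example (not code from anyone in the thread): the commands in the message above only keep /root/file undeletable while the file carries schg, the running kern.securelevel is at least 1, and the boot-time setting cannot simply be edited away. The sh functions below check those three conditions; their names are invented here, and the boot-time check assumes the securelevel is set in /etc/sysctl.conf as in the message.

```shell
#!/bin/sh
# Added example, not code from the thread: checks that the schg + securelevel
# lock-down from the message above is really in force. Function names are
# hypothetical; only /etc/sysctl.conf is inspected for the boot-time setting
# (rc.conf, loader.conf and rc scripts are outside the scope of this check).

# has_flag FLAGS NAME: succeed if NAME is in the comma-separated flag list
# printed by `stat -f %Sf` (for example "schg,uarch", or "-" for no flags).
has_flag() {
    case ",$1," in
        *",$2,"*) return 0 ;;
    esac
    return 1
}

# persisted_level FILE: print the kern.securelevel value a sysctl.conf-style
# file would apply at boot (last assignment wins, comments and blanks are
# ignored), or "unset" when the file has no such assignment.
persisted_level() {
    awk -F= '
        { sub(/#.*/, ""); gsub(/[ \t]/, "") }
        $1 == "kern.securelevel" && $2 ~ /^-?[0-9]+$/ { v = $2 }
        END { print (v == "" ? "unset" : v) }
    ' "$1"
}

# lock_verdict RUNNING FILE_FLAGS PERSISTED CONF_FLAGS
#   removable    root can clear the flag (or it was never set) and delete
#                the file right now
#   until-reboot schg cannot be cleared now, but the boot-time securelevel
#                is missing, below 1, or lives in a file root can still edit
#   locked       schg is set, securelevel >= 1 now, and the sysctl.conf
#                entry that restores it at boot is itself schg
lock_verdict() {
    running=$1 fflags=$2 persisted=$3 cflags=$4
    has_flag "$fflags" schg || { echo removable; return; }
    [ "$running" -ge 1 ] 2>/dev/null || { echo removable; return; }
    if [ "$persisted" != unset ] && [ "$persisted" -ge 1 ] &&
       has_flag "$cflags" schg
    then
        echo locked
    else
        echo until-reboot
    fi
}

# audit FILE [CONF]: live check on a FreeBSD host, using sysctl(8) and the
# BSD stat(1) format %Sf (file flags in symbolic form).
audit() {
    conf=${2:-/etc/sysctl.conf}
    lock_verdict "$(sysctl -n kern.securelevel)" "$(stat -f %Sf "$1")" \
        "$(persisted_level "$conf")" "$(stat -f %Sf "$conf")"
}
```

On a FreeBSD host, `audit /root/file` prints the verdict for the live system; the other functions take plain strings and run anywhere.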
From nobody Fri Apr 4 20:01:42 2025
Date: Fri, 4 Apr 2025 22:01:42 +0200
From: Albert Shih
To: David Christensen
Cc: questions@freebsd.org
Subject: Re: Securing FreeBSD.

On 04/04/2025 at 11:45:16-0700, David Christensen wrote
> On 4/4/25 10:13, Albert Shih wrote:
> > Hi everyone.
> >
> > Is there any way to secure a FreeBSD to prevent destroying data ?
> >
> > I find out even with
> >
> > kern.securelevel=2
> >
>
> It sounds like you want read-only storage media (?).

Yeah...exactly. The purpose is to recycle some old server to create some
«non erasable» backup in addition to our «normal» backup.

There are two things I will not consider in the equation :

Security problem in FreeBSD.

Physical access to the server.

Besides that I want to make the server as safe as possible.

> Burning your data to a CD-R/DVD-R/BD-R disc comes to mind.

well....not possible. Too many TB.

And the data change daily.

> Another option is a USB flash drive with a physical write-protect switch:
>
> https://www.kanguru.com/products/defender-elite30-usb-3-0-hardware-encrypted-flash-drive
>
> https://www.kanguru.com/products/kanguru-defender-elite300-fips-140-2-certified-secure-superspeed-usb-3-0-hardware-encrypted-flash-drive?variant=41077736833139
>

Same issue. Not possible.

Regards.

--
Albert SHIH 🦫 🐸
France
Local time: Fri. 04 April 2025 21:56:07 CEST

From nobody Fri Apr 4 21:56:00 2025
Date: Fri, 4 Apr 2025 14:56:00 -0700
Subject: Re: Securing FreeBSD.
To: questions@freebsd.org
From: David Christensen

On 4/4/25 13:01, Albert Shih wrote:
> On 04/04/2025 at 11:45:16-0700, David Christensen wrote
>> On 4/4/25 10:13, Albert Shih wrote:
>>> Is there any way to secure a FreeBSD to prevent destroying data ?
>>
>> It sounds like you want read-only storage media (?).
>
> Yeah...exactly. The purpose is to recycle some old server to create some
> «non erasable» backup in addition to our «normal» backup.

Please clarify how you will create the "«non erasable» backup" and how you
will use it.

> There are two things I will not consider in the equation :
>
> Security problem in FreeBSD.

If you wish to defend against security problems in FreeBSD, then I suggest
that you run the oldest supported release of FreeBSD -- 13.4-RELEASE.

> Physical access to the server.

If you wish to defend against an intruder who has physical access to the
server, then I suggest that you select drives that have self-encryption (in
addition to write-protection).

> Besides that I want to make the server as safe as possible.
>
>> Burning your data to a CD-R/DVD-R/BD-R disc comes to mind.
>
> well....not possible. Too many TB.

What is the size of the "«non erasable» backup"? What devices is it
currently stored on? Do you want to keep using those device(s)? If not,
what are your expectations for new devices?

> And the data change daily.

"non erasable" and "change daily" are contradictory goals. Please clarify.

>> Another option is a USB flash drive with a physical write-protect switch:
>>
>> https://www.kanguru.com/products/defender-elite30-usb-3-0-hardware-encrypted-flash-drive
>>
>> https://www.kanguru.com/products/kanguru-defender-elite300-fips-140-2-certified-secure-superspeed-usb-3-0-hardware-encrypted-flash-drive?variant=41077736833139
>>
>
> Same issue. Not possible.
>
> Regards.

What about the IODD external drive enclosures?

On 4/4/25 11:45, David Christensen wrote:
> Searching Amazon, I found external disk drive enclosures with various
> features; including write-protect:
>
> https://www.iodd.shop/all-products

David

From nobody Sat Apr 5 01:40:53 2025
Date: Sat, 5 Apr 2025 12:40:53 +1100
Subject: Re: Securing FreeBSD.
To: questions@freebsd.org
From: Dewayne Geraghty

Good advice Albert. If you really want to prevent root access then, the
next step is
kldload mac_bsdextended
and use ugidfw.

Refer to handbook example:
https://docs.freebsd.org/en/books/handbook/book/#mac-bsdextended
I use this for some files.

>> Isn't the very definition of root (superuser) is that they can do *ANYTHING*?
>
> Well....not always...try this :
>
> echo 'kern.securelevel=2' >> /etc/sysctl.conf
> chflags schg /etc/sysctl.conf
> sysctl kern.securelevel=2
> touch /root/file
> chflags schg /root/file
>
> and tell me how you will remove the file
>
> /root/file
>
> without being in front of the server (no IPMI, no drac etc.)
>
> Regards

From nobody Sat Apr 5 07:24:10 2025
Date: Sat, 5 Apr 2025 09:24:10 +0200
From: Albert Shih
To: Dewayne Geraghty
Cc: questions@freebsd.org
Subject: Re: Securing FreeBSD.

Message-ID: References: <71d82eaf-40dd-46ab-9baf-5cf1a438d49d@heuristicsystems.com.au> List-Id: User questions List-Archive: https://lists.freebsd.org/archives/freebsd-questions List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-questions@freebsd.org Sender: owner-freebsd-questions@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <71d82eaf-40dd-46ab-9baf-5cf1a438d49d@heuristicsystems.com.au> X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.6.2 (mx-p1.obspm.fr [145.238.193.20]); Sat, 05 Apr 2025 09:24:12 +0200 (CEST) X-Virus-Scanned: clamav-milter 1.0.7 at mx-p1 X-Virus-Status: Clean X-Rspamd-Pre-Result: action=no action; module=replies; Message is reply to one we originated X-Spamd-Result: default: False [-4.00 / 15.00]; REPLY(-4.00)[]; ASN(0.00)[asn:2200, ipnet:145.238.0.0/16, country:FR] X-Rspamd-Queue-Id: 4ZV6RN2Dsbz43Hf X-Spamd-Bar: ---- Le 05/04/2025 à 12:40:53+1100, Dewayne Geraghty a écrit Hi, > Good advise Albert. If you really want to prevent root access then, the > next step is > kldload mac_bsdextended > and use ugidfw. > > Refer to handbook example: > https://docs.freebsd.org/en/books/handbook/book/#mac-bsdextended > I use this for some files. Thanks I know that exist...but never read it. Do you think with that I can prevent root to destroy a zpool (or format a disk) ? Regards > > > Isn't the very definition of root (superuser) is that they can do *ANYTHING*? > > > > Well....not always...try this : > > > > echo 'kern.securelevel=2' >> /etc/sysctl.conf > > chflags schg /etc/sysctl.conf > > sysctl kern.securelevel=2 > > touch /root/file > > chflags schg /root/file > > > > and tell me how you will remove the file > > > > /root/file > > > > without be in the front of the server (no IPMI, no drac etc.) > > > > Regards > > -- Albert SHIH 🦫 🐸 France Heure locale/Local time: sam. 
05 avril 2025 09:22:30 CEST From nobody Sat Apr 5 07:38:31 2025 X-Original-To: questions@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4ZV6lt4Tk5z5rSDL for ; Sat, 05 Apr 2025 07:38:34 +0000 (UTC) (envelope-from Albert.Shih@obspm.fr) Received: from mx-p1.obspm.fr (mx-p1.obspm.fr [145.238.193.20]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "*.obspm.fr", Issuer "GEANT OV RSA CA 4" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4ZV6lt2YrNz45GP for ; Sat, 05 Apr 2025 07:38:34 +0000 (UTC) (envelope-from Albert.Shih@obspm.fr) Authentication-Results: mx1.freebsd.org; none X-AuthUser: jas DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=obspm.fr; s=mail; t=1743838712; bh=7H3lBUphZijuR0LNfkXWRqpeGiMV3Ao0iqQMi072Iq4=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=jX4R2KHLljMrTGqI7btD+pong7k5CWFkV3Dow1tpUw9EDFnZ0xgH38bj603/1Le83 fE355eB6Q8OrXGDD5TE2nmKPutR5jFClpovBqAOaPWatsnwUd8mJb3loPbOSl26XaV s1olf1rFuo6lN0DkuzcBsYRgPPf6DVQj0yw9mHnEu/V2JEY2q93t3gHrUk/5MWw7in 7/0R0lF6sYkRmJGSROUdVplnc9xxGAt4lORslfJcHH1zWelN1dmu/4+0wAU0vs1mXA 7ZYU32ww7mhgsvQLrqb1wz7zsNAfC518+mQ3LxM1t8xtojpy7cX7ecQaaaC6sCHFl7 LuiYiLMbHlEKQ== Received: from io.chezmoi.fr (vpn.obspm.fr [145.238.186.39]) (authenticated bits=0) by mx-p1.obspm.fr (8.15.2/8.15.2/DIO Observatoire de Paris - 15/04/10) with ESMTPSA id 5357cVKn3520059 (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NOT); Sat, 5 Apr 2025 09:38:32 +0200 Date: Sat, 5 Apr 2025 09:38:31 +0200 From: Albert Shih To: David Christensen Cc: questions@freebsd.org Subject: Re: Securing FreeBSD. 
References: <419a92a3-6d5b-44cb-8edf-6e65373ae72d@holgerdanske.com>
In-Reply-To: <419a92a3-6d5b-44cb-8edf-6e65373ae72d@holgerdanske.com>

On 04/04/2025 at 14:56:00-0700, David Christensen wrote:

Hi

> > > It sounds like you want read-only storage media (?).
> >
> > Yeah...exactly. The purpose is to recycle some old server to create some
> > «non erasable» backup in addition to our «normal» backup.
>
>
> Please clarify how you will create the "«non erasable» backup" and how you
> will use it.

The initial idea is to

1/ Put the server in kern.securelevel=2
2/ cron + rsync + find . -type f -exec chflags schg {} \; for the data

For the use :

1/ Pray not have to ;-)

2/ rsync in the other way ;-)

> > They are two thing I will not consider in the equation :
> >
> > Security problem in FreeBSD.
>
>
> If you wish to defend against security problems in FreeBSD, then I suggest
> that you run the oldest supported release of FreeBSD -- 13.4-RELEASE.

Well I say I will «not» consider.

>
> If you wish to defend against an intruder who has physical access to the
> server, then I suggest that you select drives that have self-encryption (in
> addition to write-protection).
>

Yes. I know that. But the assumption is :

FreeBSD don't have security problem
The physical access is safe.

> >
> > well....not possible. Too many To.
>
>
> What is the size of the "«non erasable» backup"?

Currently I got around 8 To of data to backup (every day) in this «backup safe». And
the server for this «backup safe» would have «lot of To» (around 450 To).

So no problem to just daily

mkdir `date +%Y%m%d`
rsync data `date +%Y%m%d`
find `date +%Y%m%d` -type f -exec chflags schg {} \;

and each 6 months (or before if need a run of freebsd-update) to boot in
single, change the securelevel and erase manually the oldest backup

>
> What devices is it currently stored on?
>

Standard HDD.

> > And the data change daily.
>
>
> "non erasable" and "change daily" are contradictory goals. Please clarify.

Yeah....I mean the data I need to backup change daily. So it's not humanly
possible to write that optical device.

We already think about WORM tapes (we have LTO-8 library) but that's is
very expensive. And the point is to use some old server who run perfectly
but no longer under warranty to do this «backup safe» because we already
have standard backup.

> > Same issue. Not possible.
> >
> > Regards.
>
>
> What about the IODD external drive enclosures?
>
>

Didn't know that thing. I will check that.

Thanks

Regards

--
Albert SHIH 🦫 🐸
France
Heure locale/Local time:
sam. 05 avril 2025 09:24:20 CEST

From nobody Sat Apr 5 09:01:15 2025
Message-ID: <032776db-a8a1-4134-a395-a59effbc4c30@netfence.it>
Date: Sat, 5 Apr 2025 11:01:15 +0200
Subject: Re: Sudden zpool checksums errors
To: freebsd-questions
References: <6aeb488d-b3c3-4393-80ca-0b89c1ebc446@netfence.it>
 <3ddfecf7-2cb3-472c-bfce-93356e57b898@app.fastmail.com>
From: Andrea Venturoli
In-Reply-To: <3ddfecf7-2cb3-472c-bfce-93356e57b898@app.fastmail.com>

On 4/4/25 20:59, Dave Cottlehuber wrote:

Thanks to all.
I'll answer here collectively.

> I have had marginal power supplies, backplane issues or break out cables from the controller manifest errors like that. I would check the power supply first, backplane next, controller 3rd.

How would I go about this?
How do I check these components?
Does IPMI provide something useful?

> If it's memory, and your mainboard supports it, you'll see failures in dmesg,
> MCA ... some good examples:

No such things.
Either the MB does not support it (is it possible? likely?) or it's not RAM.

> Look for SCSI or CAM errors in your logs too, disconnects.

No such thing either.

> - overclocking

No overclocking.

> - overheating on mainboard, or controller, or drives

I monitor temperature with Nagios and received no alarm.

> - actually really bad ECC memory

Any way to test?

> - drive cables that have worked loose over time

Server is quite new (not even a year), but I can eventually check.

> External vibrations can cause problems.

This is possible, since the building is being expanded and construction of a new block is underway.
However, there are four servers which still have hard disks and only this one showed the problem.

> A slow process of upgrading firmware

I checked on Toshiba website and found no download; I'll eventually check with the supplier.
Is there a way I can check the controller firmware version via software? I mean in FreeBSD, without rebooting? dmesg.boot doesn't say.

> does ipmitool sel list show anything btw ? (kldload ipmi and pkg install ipmitools if you don't have it already)
> # ipmitool sel list
> 1 | 05/06/24 | 18:16:23 CEST | Temperature #0xcc | Upper Non-critical going high | Asserted
> 2 | 05/06/24 | 21:25:42 CEST | Temperature #0xcc | Upper Critical going high | Asserted
> 3 | 05/07/24 | 15:49:00 CEST | Temperature #0xcc | Upper Critical going high | Deasserted
> 4 | 05/07/24 | 16:00:43 CEST | Temperature #0xcc | Upper Non-critical going high | Deasserted
> 5 | 06/13/24 | 11:54:52 CEST | Drive Slot / Bay #0x77 | Drive Present | Asserted
> 6 | 06/13/24 | 11:55:24 CEST | Drive Slot / Bay #0x73 | Drive Present | Asserted
> 7 | 06/13/24 | 14:21:04 CEST | Drive Slot / Bay #0x73 | Drive Present | Deasserted
> 8 | 06/13/24 | 14:21:04 CEST | Drive Slot / Bay #0x77 | Drive Present | Deasserted

Logs are from May/June, but the problem I'm talking about appeared some days ago, so it's not related.

bye & Thanks
av.
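
The «backup safe» procedure from the "Securing FreeBSD" messages earlier in this digest (kern.securelevel=2, then a dated rsync copy sealed with chflags schg), written out as an added example that is not part of any message in the thread. The function names, the SRC and DEST_ROOT arguments and the CHFLAGS, RSYNC and SYSCTL override variables are assumptions; it goes slightly beyond the posted commands by computing the date once and by flagging directories as well as files.

```shell
#!/bin/sh
# Added example; not code from the thread. Function names, arguments and the
# CHFLAGS / RSYNC / SYSCTL override variables are assumptions.

# Name of today's snapshot directory.
# %m is the month; %M is the minute of the hour.
snapshot_name() {
    date +%Y%m%d
}

# Succeed only if kern.securelevel is at least $1 (default 2).
# Below securelevel 1 root can simply clear schg again with "chflags noschg".
require_securelevel() {
    level=$("${SYSCTL:-sysctl}" -n kern.securelevel 2>/dev/null) || return 2
    [ "$level" -ge "${1:-2}" ]
}

# Set the system-immutable flag on every file and directory under $1.
# The thread flags regular files only; flagging directories as well also
# stops entries being added to, removed from or renamed inside them.
# find exits non-zero if any chflags invocation fails.
seal_tree() {
    find "$1" \( -type f -o -type d \) -exec "${CHFLAGS:-chflags}" schg {} +
}

# daily_backup SRC DEST_ROOT: copy SRC into DEST_ROOT/YYYYMMDD and seal it.
# Prints the sealed directory on success.
daily_backup() {
    src=$1
    root=$2
    if ! require_securelevel 2; then
        echo "kern.securelevel is below 2; refusing to write an unprotected copy" >&2
        return 1
    fi
    # Computed once, so a run that crosses midnight stays in one directory.
    day=$(snapshot_name)
    dest=$root/$day
    if [ -e "$dest" ]; then
        echo "$dest already exists" >&2
        return 1
    fi
    mkdir "$dest" || return 1
    "${RSYNC:-rsync}" -a "$src"/ "$dest"/ || return 1
    seal_tree "$dest" || return 1
    echo "$dest"
}

# cron entry point, e.g.:  BACKUP_SAFE_RUN=1 sh backup_safe.sh /data /safe
if [ "${BACKUP_SAFE_RUN:-}" = 1 ]; then
    daily_backup "$@"
fi
```

DEST_ROOT itself stays unflagged so that the next day's directory can be created; pruning old snapshots still needs the single-user boot described in the thread.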

From nobody Sat Apr 5 09:27:21 2025
Date: Sat, 05 Apr 2025 11:27:21 +0200
From: "Dave Cottlehuber"
To: "Andrea Venturoli", freebsd-questions
In-Reply-To: <032776db-a8a1-4134-a395-a59effbc4c30@netfence.it>
References:
 <6aeb488d-b3c3-4393-80ca-0b89c1ebc446@netfence.it>
 <3ddfecf7-2cb3-472c-bfce-93356e57b898@app.fastmail.com>
 <032776db-a8a1-4134-a395-a59effbc4c30@netfence.it>
Subject: Re: Sudden zpool checksums errors

On Sat, 5 Apr 2025, at 11:01, Andrea Venturoli wrote:
> Either the MB does not support it (is it possible? likely?) or it's not RAM.

consumer grade hardware might not have the necessary firmware to inform FreeBSD about ECC corrections even if the ram supports it; I’m not very confident on this info though.

>> - actually really bad ECC memory
> Any way to test?

https://memtest.org/ or https://www.memtest86.com/download.htm I forget but I think I used the latter free version and booted via uefi. It can take a few days on larger systems to check memory.

Dave

From nobody Sat Apr 5 10:40:16 2025
Message-ID: <0fbd2584-6e07-40bf-b0e0-8d9198db100b@fjl.co.uk>
Date: Sat, 5 Apr 2025 11:40:16 +0100
Subject: Re: Sudden zpool checksums errors
To: questions@freebsd.org
References: <6aeb488d-b3c3-4393-80ca-0b89c1ebc446@netfence.it>
From: Frank Leonhardt
In-Reply-To: <6aeb488d-b3c3-4393-80ca-0b89c1ebc446@netfence.it>

On 04/04/2025 16:42, Andrea Venturoli wrote:
> Hello.
>
> I've got a box with two zpools:
> _ 1 mirror on 2 SSDs;
> _ 1 raidz1 on 12 HDDs.
>
> Suddenly one daily run showed the following:
>>  pool: backup
>>  state: ONLINE
>> status: One or more devices has experienced an unrecoverable error.  An
>>     attempt was made to correct the error.  Applications are unaffected.
>> action: Determine if the device needs to be replaced, and clear the errors
>>     using 'zpool clear' or replace the device with 'zpool replace'.
>>    see: https://openzfs.github.io/openzfs-docs/msg/ZFS-8000-9P
>>   scan: scrub repaired 3.18M in 16:53:16 with 0 errors on Tue Apr  1 20:16:55 2025
>> config:
>>
>>     NAME        STATE     READ WRITE CKSUM
>>     backup      ONLINE       0     0     0
>>       raidz1-0  ONLINE       0     0     0
>>         da4     ONLINE       0     0     0
>>         da10    ONLINE       0     0     0
>>         da5     ONLINE       0     0    57
>>         da2     ONLINE       0     0     0
>>         da8     ONLINE       0     0    25
>>         da0     ONLINE       0     0     0
>>         da1     ONLINE       0     0    49
>>         da12    ONLINE       0     0     8
>>         da6     ONLINE       0     0     6
>>         da11    ONLINE       0     0     0
>>         da9     ONLINE       0     0    56
>>         da13    ONLINE       0     0    73
>>
>> errors: No known data errors
>
>

Assuming you've checked the logs etc as you say I'd be suspicious of the HBA and cabling, and presumably a SAS expander. But IME it's well worth testing the drives. Just dd them to /dev/null and see if anything squawks. There's nothing stopping you doing this on a live ZFS pool, although maybe do them one at a time if the array is busy :-) Given the nature of SCSI you may find the only indication that a drive isn't 100% is an unusually slow read rate.

I agree it would be a coincidence 50% of the drives were flaky but it does happen, or it might be they're on one flaky HBA connecting half of them. I can't help being drawn to the fact it's exactly half that are throwing errors.

Anyway, checking the drives out by reading is minimal effort before diving into more esoteric reasons. ZFS isn't as good as people think about detecting failing drives until they're actually on fire (see my posts passim on this matter).

Regards, Frank.
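
The read check suggested in the message above, as an added example rather than anything posted to the list: pick the leaf devices with checksum errors out of `zpool status`, read part of each drive with dd, and compare the read times. The function names, the embedded sample (constructed from the quoted output) and the 1.5x slowness factor are assumptions.

```shell
#!/bin/sh
# Added example; not code from the thread.

# Constructed sample: the device table from the zpool status output quoted above.
sample_status() {
cat <<'EOF'
  pool: backup
 state: ONLINE
config:

    NAME        STATE     READ WRITE CKSUM
    backup      ONLINE       0     0     0
      raidz1-0  ONLINE       0     0     0
        da4     ONLINE       0     0     0
        da10    ONLINE       0     0     0
        da5     ONLINE       0     0    57
        da2     ONLINE       0     0     0
        da8     ONLINE       0     0    25
        da0     ONLINE       0     0     0
        da1     ONLINE       0     0    49
        da12    ONLINE       0     0     8
        da6     ONLINE       0     0     6
        da11    ONLINE       0     0     0
        da9     ONLINE       0     0    56
        da13    ONLINE       0     0    73

errors: No known data errors
EOF
}

# stdin: zpool status output; stdout: "name read write cksum" per leaf device.
# A row is a leaf when the row after it is not indented further, which skips
# the pool row and raidz/mirror rows without needing a list of vdev names.
leaf_vdevs() {
    awk '
        function emit(next_indent) {
            if (held && next_indent <= hind) print hname, hr, hw, hc
            held = 0
        }
        $1 == "NAME" && $2 == "STATE" { in_cfg = 1; next }
        !in_cfg { next }
        NF == 0 || $1 == "errors:" { emit(0); in_cfg = 0; next }
        {
            ind = index($0, $1) - 1      # column where the name starts
            emit(ind)
            if (NF >= 5 && $5 ~ /^[0-9.]+[KMG]?$/) {
                held = 1; hind = ind; hname = $1; hr = $3; hw = $4; hc = $5
            }
        }
        END { emit(0) }
    '
}

# stdin: zpool status output; stdout: "name cksum" for leaves with errors.
cksum_suspects() {
    leaf_vdevs | awk '$4 != "0" { print $1, $4 }'
}

# read_test PATH MIB: read MIB mebibytes from PATH into /dev/null.
# Prints "PATH exit_status seconds"; dd's own messages stay on stderr.
read_test() {
    start=$(date +%s)
    status=0
    dd if="$1" of=/dev/null bs=1048576 count="$2" || status=$?
    end=$(date +%s)
    echo "$1 $status $((end - start))"
}

# stdin: read_test lines; $1: slowness factor against the fastest clean read
# (assumed default 1.5). Prints "name read-error" or "name slow".
flag_slow() {
    awk -v f="${1:-1.5}" '
        {
            dev[NR] = $1; st[NR] = $2; t[NR] = ($3 < 1 ? 1 : $3)
            if ($2 == 0 && (min == 0 || t[NR] < min)) min = t[NR]
        }
        END {
            for (i = 1; i <= NR; i++)
                if (st[i] != 0) print dev[i], "read-error"
                else if (t[i] > f * min) print dev[i], "slow"
        }
    '
}

# On the affected host, as root, one drive at a time on a busy pool:
#   zpool status backup | cksum_suspects
#   for d in $(zpool status backup | leaf_vdevs | cut -d' ' -f1); do
#       read_test "/dev/$d" 10240
#   done | flag_slow
```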

From nobody Sat Apr 5 14:40:28 2025
Date: Sat, 5 Apr 2025 10:40:28 -0400
Subject: Re: Securing FreeBSD.
To: questions@freebsd.org
References: <419a92a3-6d5b-44cb-8edf-6e65373ae72d@holgerdanske.com>
From: Jason Taylor

If offsite/cloud storage is an option, Ootbi has immutable storage. AWS, Azure, and Google all supposedly (I haven't verified) offer immutable storage options.

On 2025-04-05 03:38, Albert Shih wrote:
> On 04/04/2025 at 14:56:00-0700, David Christensen wrote:
>
> Hi
>>>> It sounds like you want read-only storage media (?).
>>> Yeah...exactly. The purpose is to recycle some old server to create some
>>> «non erasable» backup in addition to our «normal» backup.
>>
>> Please clarify how you will create the "«non erasable» backup" and how you
>> will use it.
> The initial idea is to
>
> 1/ Put the server in kern.securelevel=2
> 2/ cron + rsync + find . -type f -exec chflags schg {} \; for the data
>
> For the use :
>
> 1/ Pray not have to ;-)
>
> 2/ rsync in the other way ;-)
>
>>> They are two thing I will not consider in the equation :
>>>
>>> Security problem in FreeBSD.
>>
>> If you wish to defend against security problems in FreeBSD, then I suggest
>> that you run the oldest supported release of FreeBSD -- 13.4-RELEASE.
> Well I say I will «not» consider.
>
>> If you wish to defend against an intruder who has physical access to the
>> server, then I suggest that you select drives that have self-encryption (in
>> addition to write-protection).
>>
> Yes. I know that. But the assumption is :
>
> FreeBSD don't have security problem
> The physical access is safe.
>
>>> well....not possible. Too many To.
>>
>> What is the size of the "«non erasable» backup"?
> Currently I got around 8 To of data to backup (every day) in this «backup safe». And
> the server for this «backup safe» would have «lot of To» (around 450 To).
>
> So no problem to just daily
>
> mkdir `date +%Y%m%d`
> rsync data `date +%Y%m%d`
> find `date +%Y%m%d` -type f -exec chflags schg {} \;
>
> and each 6 months (or before if need a run of freebsd-update) to boot in
> single, change the securelevel and erase manually the oldest backup
>
>> What devices is it currently stored on?
>>
> Standard HDD.
>
>>> And the data change daily.
>>
>> "non erasable" and "change daily" are contradictory goals. Please clarify.
> Yeah....I mean the data I need to backup change daily. So it's not humanly
> possible to write that optical device.
>
> We already think about WORM tapes (we have LTO-8 library) but that's is
> very expensive. And the point is to use some old server who run perfectly
> but no longer under warranty to do this «backup safe» because we already
> have standard backup.
>
>>> Same issue. Not possible.
>>>
>>> Regards.
>>
>> What about the IODD external drive enclosures?
>>
>>
> Didn't know that thing. I will check that.
>
> Thanks
>
> Regards

From nobody Sat Apr 5 18:02:07 2025
From: "Martin McCormick"
To: questions@freebsd.org
Subject: A FreeBSD-based Router
Date: Sat, 05 Apr 2025 13:02:07 -0500

We have been using a Netgear wndr3400v2 router since February of 2013 and it is probably time to take advantage of newer technology especially since there have been no new software updates
for it in years. It also has a web GUI interface that must have, at one time, worked for somebody, but nobody here because I have thrown every browser at it I can get my hands on and the best way to describe it is that each browser does okay with some web pages on it but not others and anything related to passwords or the changing there of seems to always make the most destructive changes but never any beneficial adjustments so one doesn't really know what got changed until later when this or that function no longer works. If I do the factory default reset, that will certainly set things back to originals while also deleting the dhcp table so I don't really want to do that. What I really want is a modern router with a command-line method of control which allows for good old text-base configuration files for changing router settings as well as the dhcpd server which it would also be running. My idea is to load a mini PC with FreeBSD and a router engine which means that the mini PC would need to have at least 2 NICS. Is there any particular mini PC with a good track record on running FreeBSD? I just put our Netgear router on a UPS so that the occasional power glitches aren't as easily passed through to our home network and hopefully a mini PC would not run the UPS battery down as quickly as a full-sized work station might. Before I retired in 2015, I ran the FreeBSD-based bind name servers along with ISC Dhcpd for my employer and we had virtually no issues at all with that particular scheme so that's why I want to use FreeBSD in our house for this purpose even though I use debian Linux for most hobby activities so I can say good things about both unixen (I believe that is a correct form of speech.) 

Our router is still working, knock on wood, but we recently had issues with our ISP that so choked the router that I thought it had crashed only to find out that it came back to life when whatever traffic the ISC was throwing on to their system went away and things got back to what passes for normal.

The FreeBSD/dhcp environment we had for over 20 years was run on Dell servers and we had one FreeBSD box that ran continuously without a reboot for over a year so I know FreeBSD gets things done.

Thanks for any suggestions.

Martin McCormick

From nobody Sat Apr 5 18:08:32 2025
Date: Sat, 5 Apr 2025 11:08:32 -0700
From: fatty.merchandise677@aceecat.org
To: questions@freebsd.org
Subject: Re: A FreeBSD-based Router

On Sat, Apr 05, 2025 at 01:02:07PM -0500, Martin McCormick wrote:
> My idea is to load a mini PC with FreeBSD and a router engine which
> means that the mini PC would need to have at least 2 NICS.

There are ARM based SBCs (smaller than a mini PC) purposely built as routers i.e. with multiple ethernet ports. Since FreeBSD can run on ARM (in theory), I would look into those.
Very low power :-)

--
Ian

From nobody Sat Apr 5 18:47:01 2025
Date: Sat, 5 Apr 2025 19:47:01 +0100
From: Polarian
To: questions@freebsd.org
Subject: Re: A FreeBSD-based Router
Message-ID: <20250405194701.6432e956@Hydrogen>

Hello,

> There are ARM based SBCs (smaller than a mini PC) purposely built
> as routers i.e. with multiple ethernet ports. Since FreeBSD can run
> on ARM (in theory), I would look into those. Very low power :-)

There is a limited number of supported ARM boards. [1] provides a list of them, but this page has not been updated in years so I am not too sure about the status of it, maybe ask the arm mailing list if you are interested in an ARM router?

If you are willing to take some additional energy usage for modularity picking up old desktops such as optiplex's can provide you something which can be upgraded very easily. SFF Optiplex's despite being small (not as small as some of the arm options) can fit 1 or 2 network cards in it, which can have up to 4-6 ports on a single card giving you more than enough ports to make as many subnets as you like.
Old desktops tend to be cheap on ebay too, along with older gigabit network cards, and the more beefy cpu gives you more than enough compute headroom for anything you can think of. It does come at a power cost though, which in the long run could be expensive.

You could also look at protectli [2] which provide minipc sized routers, however these come at a big cost, and will only save a small amount of energy using newer more efficient chips than old desktops, but they do pack a punch. I am not sure how well they support FreeBSD however.

At the end of the day, you need to decide on how much performance you need. If you only need a few hundred mbps of throughput then a raspberry pi 4 with a usb NIC can provide you that performance for a very low power draw, and reasonable cost. If you want something performant which can do gigabit (or more in the future) then old desktops or protectli boards might be the better way to go.

Take care,
--
Polarian
GPG signature: 0770E5312238C760
Jabber/XMPP: polarian@icebound.dev

[1] https://www.freebsd.org/platforms/arm/
[2] https://eu.protectli.com/

From nobody Sat Apr 5 18:47:21 2025
Date: Sat, 5 Apr 2025 11:47:21 -0700
From: David Christensen
To: questions@freebsd.org
Subject: Re: Sudden zpool checksums errors
In-Reply-To: <032776db-a8a1-4134-a395-a59effbc4c30@netfence.it>

On 4/5/25 02:01, Andrea Venturoli wrote:
> On 4/4/25 20:59, Dave Cottlehuber wrote:
>> I have had marginal power supplies, backplane issues or break out
>> cables from the controller manifest errors like that.  I would check
>> the power supply first, backplane next, controller 3rd.
>
> How would I go about this? How do I check these components?
> Does IPMI provide something useful?

Buy and use a hardware power supply tester. ATX testers are inexpensive and readily available. If your PSUs are not ATX, please post relevant server, PSU, etc., details if you cannot find a tester.

Run memory test and/or system test suite in motherboard firmware Setup utility.
Alternatively, download and burn Memtest86+ to a bootable USB stick and run it:

https://memtest.org/

Disconnect and reconnect the HBA from the motherboard, all power cables related to the HBA, backplanes, disks, etc., and all data cables related to the HBA, backplanes, disks, etc., clear the zpool errors, and test.

If none of the above fix the CKSUM errors, move the OS disc and data disks to a known good server and try again.

David

From nobody Sat Apr 5 18:59:41 2025
Date: 5 Apr 2025 14:59:41 -0400
Message-Id: <20250405185942.21830C31AADE@ary.qy>
From: "John Levine"
To: freebsd-questions@freebsd.org
Cc: martin.m@suddenlink.net
Subject: Re: A FreeBSD-based Router
Organization: Taughannock Networks

It appears that Martin McCormick said:
> What I really want is a modern router with a command-line
> method of control which allows for good old text-based
> configuration files for changing router settings as well as the
> dhcpd server which it would also be running.
>
> My idea is to load a mini PC with FreeBSD and a router
> engine which means that the mini PC would need to have at least 2 NICS.

If you go that route I'd look for a mini PC that's advertised to run Linux. I got this one for about $300 which runs FreeBSD OK:

https://cybergeekpc.com/collections/linux/products/cybergeek-mini-pc-nano-l1?variant=44291219128567

But I don't use it as a router. I have a Ubiquiti Edgerouter X.
It has five ethernet ports, hardware acceleration, a usable GUI, and you can ssh to a shell and configure it with commands. It does all the stuff you'd expect a router to do including DHCP, NAT, and tunnels. Oh, and it costs all of $60. They're out of stock at Ubiquiti but you can find lots of them on eBay.

https://store.ui.com/us/en/products/er-x

R's,
John

From nobody Sat Apr 5 19:08:59 2025
From: Juan Manuel Palacios
Subject: Re: A FreeBSD-based Router
Date: Sat, 5 Apr 2025 15:08:59 -0400
To: questions@freebsd.org
In-Reply-To: <20250405194701.6432e956@Hydrogen>

Other than talking about the appropriate hardware for the task at hand, I find it rather odd that no one has yet mentioned either the pfSense or OPNsense distributions. They’re both router-oriented, FreeBSD-based, web-administered, text-based-managed, and, above all, extremely versatile.

Mind you, I’m not talking to any degree against rolling out raw FreeBSD plus packages plus some orchestration solution to manage changes, I absolutely love that approach. But if what you want is a turn-key, ready-made solution to provide router-related functionality to your home network, then either of those two more than fit the bill.

I’ve been running pfSense here at home for the last… what, 6 years already? And it’s been rock solid! And on that router I run a DHCP server, DHCP6, radvd, unbound, HAProxy with a few ACME certificates, OpenVPN, a whole bunch of VLANs, plus of course pf with a bunch of rules for each of those VLANs, and probably other things I might be forgetting.

Furthermore, that pfSense router runs in a VM, sitting atop a Supermicro MOBO & a not super powerful Intel CPU, leveraging PCI passthrough for three NICs, and sometimes I just get bored at having almost nothing to worry about because it just works 24/7/365 without skipping a beat.

Again, other than discussing what would be the appropriate hardware for your setup, an appliance-like solution like that is definitely what I’d recommend.

HTH!

> On Apr 5, 2025, at 2:47 PM, Polarian wrote:
>
> Hello,
>
>> There are ARM based SBCs (smaller than a mini PC) purposely built
>> as routers i.e. with multiple ethernet ports. Since FreeBSD can run
>> on ARM (in theory), I would look into those. Very low power :-)
>
> There is a limited number of supported ARM boards. [1] provides a list
> of them, but this page has not been updated in years so I am not too
> sure about the status of it, maybe ask the arm mailing list if you are
> interested in an ARM router?
>
> If you are willing to take some additional energy usage for modularity
> picking up old desktops such as optiplex's can provide you something
> which can be upgraded very easily. SFF Optiplex's despite being small
> (not as small as some of the arm options) can fit 1 or 2 network cards
> in it, which can have up to 4-6 ports on a single card giving you more
> than enough ports to make as many subnets as you like. Old desktops
> tend to be cheap on ebay too, along with older gigabit network cards,
> and the more beefy cpu gives you more than enough compute headroom for
> anything you can think of. It does come at a power cost though, which
> in the long run could be expensive.
>
> You could also look at protectli [2] which provide minipc sized
> routers, however these come at a big cost, and will only save a small
> amount of energy using newer more efficient chips than old desktops,
> but they do pack a punch. I am not sure how well they support FreeBSD
> however.
>
> At the end of the day, you need to decide on how much performance you
> need. If you only need a few hundred mbps of throughput then a
> raspberry pi 4 with a usb NIC can provide you that performance for a
> very low power draw, and reasonable cost. If you want something
> performant which can do gigabit (or more in the future) then old
> desktops or protectli boards might be the better way to go.
>
> Take care,
> --
> Polarian
> GPG signature: 0770E5312238C760
> Jabber/XMPP: polarian@icebound.dev
>
> [1] https://www.freebsd.org/platforms/arm/
> [2] https://eu.protectli.com/
>

From nobody Sat Apr 5 21:43:00 2025
From: "Martin McCormick"
To: questions@freebsd.org
Subject: Re: A FreeBSD-based Router
Date: Sat, 05 Apr 2025 16:43:00 -0500

Thanks to everyone who has replied. This is the sort of information I was hoping for and the idea of an appliance-like approach is attractive.

I am an amateur radio operator and some of the gear we use consists of Raspberry Pi's and so-called top-hats which are circuit boards that run software written for the application such as a hotspot or a hotspot that converts one digital voice protocol into another but one can run into trouble with perfectly good new equipment in which somebody buys or tries to use a Raspberry Pi of the wrong hardware revision or some other esoteric detail like that and ends up with a lot of nothing after wasting a huge amount of time and resources/money making this discovery.

Maybe I am a bit lazy, but I feel better about getting something like the distributions you describe here, because I am not interested in reinventing the wheel, just getting one that is more comfortable to use and probably has more up-to-date security features as well.

Some years ago, I saw a log of an attack directed at one of the computers where I worked and the intruder knew just what to send to the login process and he was in in the blink of an eye with a root kit. All he did was set up an IRC chat on that system and he was discovered almost immediately but we were just lucky that time.
I run fail2ban on my out-facing Linux box and it is amazing to see traffic from all over the world mostly using scripts trying to gnaw their way in as root or test or something similar and, fortunately, not getting in but it's just a reminder that the morons really are out there, pounding away from somewhere on Earth 24/7. Anyway, thanks again. Martin Juan Manuel Palacios writes: > Other than talking about the appropriate hardware for the task at hand, I > find it rather odd that no one has yet mentioned either the pfSense or > OPNsense distributions. They’re both router-oriented, FreeBSD-based, > web-administered, text-based-managed, and, above all, extremely versatile. > > Mind you, I’m not talking to any degree against rolling out raw FreeBSD > plus packages plus some orchestration solution to manage changes, I > absolutely love that approach. But if what you want is a turn-key, > ready-made solution to provide router-related functionality to your home > network, then either of those two more than fit the bill. > > I’ve been running pfSense here at home for the last… what, 6 years > already? And it’s been rock solid! And on that router I run a DCHP > server, DHCP6, radvd, unbound, HAProxy with a few ACME certificates, > OpenVPN, a whole bunch of VLANs, plus of course pf with a bunch of rules > for each of those VLANs, and probably other things I might be forgetting. > > Furthermore, that pfSense router runs in a VM, sitting atop a Supermicro > MOBO & a not super powerful Intel CPU, leveraging PCI passthrough for > three NICs, and sometimes I just get bored at having almost nothing to > worry about because it just works 24/7/365 without skipping a bit. > > Again, other than discussing what would be the appropriate hardware for > your setup, an appliance-like solution like that is definitely what I’d > recommend. > > HTH! 
From nobody Sat Apr 5 23:22:14 2025
From: paul beard
Date: Sat, 5 Apr 2025 16:22:14 -0700
Subject: Re: A FreeBSD-based Router
To: FreeBSD-questions
Content-Type: multipart/alternative; boundary="000000000000a0bde4063210467b"

--000000000000a0bde4063210467b
Content-Type: text/plain; charset="UTF-8"

Far be it from me to discourage tinkering but there are a lot of routers
that support FOSS firmware. You can even buy them flashed to some of the
flavors of OpenWRT. I run an ASUS unit that I chose specifically because it
supported open firmware. Mine is updated 4/5 times a year so there is
active development as well.

On Sat, Apr 5, 2025 at 2:44 PM Martin McCormick wrote:

> Thanks to everyone who has replied. This is the sort of
> information I was hoping for and the idea of an appliance-like
> approach is attractive. I am an amateur radio operator and some
> of the gear we use consists of Raspberry Pi's and so-called
> top-hats which are circuit boards that run software written for
> the application such as a hotspot or a hotspot that converts one
> digital voice protocol into another but one can run into
> trouble with perfectly good new equipment in which somebody buys
> or tries to use a Raspberry Pi of the wrong hardware revision or
> some other esoteric detail like that and ends up with a lot of
> nothing after wasting a huge amount of time and resources/money
> making this discovery.
>
> Maybe I am a bit lazy, but I feel better about getting
> something like the distributions you describe, here because I am
> not interested in reinventing the wheel, just getting one that is
> more comfortable to use and probably has more up-to-date security
> features as well.
>
> Some years ago, I saw a log of an attack directed at one
> of the computers where I worked and the intruder knew just what
> to send to the login process and he was in in the blink of an eye
> with a root kit. All he did was set up an IRC chat on that system
> and he was discovered almost immediately but we were just lucky
> that time.
>
> I run fail2ban on my out-facing Linux box and it is
> amazing to see traffic from all over the world mostly using
> scripts trying to gnaw their way in as root or test or something
> similar and, fortunately, not getting in but it's just a reminder
> that the morons really are out there, pounding away from
> somewhere on Earth 24/7.
>
> Anyway, thanks again.
>
> Martin
>
> Juan Manuel Palacios writes:
> > Other than talking about the appropriate hardware for the task at hand, I
> > find it rather odd that no one has yet mentioned either the pfSense or
> > OPNsense distributions. They’re both router-oriented, FreeBSD-based,
> > web-administered, text-based-managed, and, above all, extremely versatile.
> >
> > Mind you, I’m not talking to any degree against rolling out raw FreeBSD
> > plus packages plus some orchestration solution to manage changes, I
> > absolutely love that approach. But if what you want is a turn-key,
> > ready-made solution to provide router-related functionality to your home
> > network, then either of those two more than fit the bill.
> >
> > I’ve been running pfSense here at home for the last… what, 6 years
> > already? And it’s been rock solid! And on that router I run a DHCP
> > server, DHCP6, radvd, unbound, HAProxy with a few ACME certificates,
> > OpenVPN, a whole bunch of VLANs, plus of course pf with a bunch of rules
> > for each of those VLANs, and probably other things I might be forgetting.
> >
> > Furthermore, that pfSense router runs in a VM, sitting atop a Supermicro
> > MOBO & a not super powerful Intel CPU, leveraging PCI passthrough for
> > three NICs, and sometimes I just get bored at having almost nothing to
> > worry about because it just works 24/7/365 without skipping a bit.
> >
> > Again, other than discussing what would be the appropriate hardware for
> > your setup, an appliance-like solution like that is definitely what I’d
> > recommend.
> >
> > HTH!
>
>

-- 
Paul Beard / www.paulbeard.org/

--000000000000a0bde4063210467b
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
--000000000000a0bde4063210467b--

From nobody Sat Apr 5 23:40:59 2025
Date: Sat, 5 Apr 2025 16:40:59 -0700
Subject: Re: A FreeBSD-based Router
To: questions@freebsd.org
From: David Christensen

On 4/5/25 11:02, Martin McCormick wrote:
> We have been using a Netgear wndr3400v2 router since February of
> 2013 and it is probably time to take advantage of newer
> technology especially since there have been no new software updates for
> it in years. It also has a web GUI interface that must have, at
> one time, worked for somebody, but nobody here because I have
> thrown every browser at it I can get my hands on and the best way
> to describe it is that each browser does okay with some web pages
> on it but not others and anything related to passwords or the
> changing thereof seems to always make the most destructive
> changes but never any beneficial adjustments so one doesn't
> really know what got changed until later when this or that
> function no longer works.
>
> If I do the factory default reset, that will certainly
> set things back to originals while also deleting the dhcp table
> so I don't really want to do that.
>
> What I really want is a modern router with a command-line
> method of control which allows for good old text-based
> configuration files for changing router settings as well as the
> dhcpd server which it would also be running.
>
> My idea is to load a mini PC with FreeBSD and a router
> engine which means that the mini PC would need to have at least 2 NICs.
>
> Is there any particular mini PC with a good track record
> on running FreeBSD? I just put our Netgear router on a UPS so
> that the occasional power glitches aren't as easily passed
> through to our home network and hopefully a mini PC would not run
> the UPS battery down as quickly as a full-sized work station
> might.
>
> Before I retired in 2015, I ran the FreeBSD-based bind
> name servers along with ISC Dhcpd for my employer and we had
> virtually no issues at all with that particular scheme so that's
> why I want to use FreeBSD in our house for this purpose even
> though I use Debian Linux for most hobby activities so I can say
> good things about both unixen (I believe that is a correct form
> of speech.)
>
> Our router is still working, knock on wood, but we
> recently had issues with our ISP that so choked the router that I
> thought it had crashed only to find out that it came back to life
> when whatever traffic the ISC was throwing on to their system
> went away and things got back to what passes for normal.
>
> The FreeBSD/dhcp environment we had for over 20 years was
> run on Dell servers and we had one FreeBSD box that ran continuously
> without a reboot for over a year so I know FreeBSD gets things
> done.
>
> Thanks for any suggestions.
>
> Martin McCormick

Network engineering in the age of the Internet is a never-ending learning curve with potentially disastrous consequences if it is done incorrectly (including not keeping it up-to-date).

I have a SOHO network with a file server, various client devices, and residential Internet service. I want a safe and reliable network, but am not a network engineer.

Back in the day, I started with a homebrew dial-up firewall router using a desktop PC, dual NIC's, and Red Hat Linux. It was a useful learning exercise.

Later, I tried purpose-built FOSS distributions. pfSense was too powerful and complex for my needs. IPCop was a good fit and I used it for years. But, the PC was bulky, made noise, produced heat, and consumed power. Compact energy-efficient PC's have always come at a premium price.

I tried a few Netgear products, but also had problems with the web user interface (WUI). More importantly, the devices tended to crash every few months; especially in summer. FOSS firmware (DD-WRT) helped with the WUI, but I bricked at least one device attempting to upgrade.

When I added a Wi-Fi access point (AP), I soon discovered the hassle of trying to keep configuration settings synchronized across multiple network devices.

Then I discovered Ubiquiti Networks and their UniFi lineup of products. The killer feature is the UniFi Network Application -- centralized high-level network command and control with one WUI to "rule them all".

I bought a UniFi Security Gateway, a UniFi AP AC-Lite, rented a Linode VPS, installed Debian and the UniFi Network Application (via a Linode StackScript), configured everything, and have been up and running 24x7 ever since.

The UniFi Network Application WUI has evolved over the years, but has always been very polished. Upgrades have been uneventful. Backup is achieved by downloading a configuration file. Restore is achieved by uploading a configuration file.

I easily added incoming firewall pinholes and forwarding rules to allow remote SSH access from the Internet. At one point, I set up a VPN to allow remote Samba access from the Internet. I easily added two more AP's to my LAN.

Technical support was excellent when I needed it.

UniFi devices are Linux on the inside, so I can look; but I dare not touch.

David

From nobody Sat Apr 5 23:44:33 2025
Subject: Re: A FreeBSD-based Router
From: Juan Manuel Palacios
Date: Sat, 5 Apr 2025 19:44:33 -0400
Cc: "questions@freebsd.org"
To: John Howie

Fully agree. A high-end processor will surely be a bit of a waste for a router/firewall, unless you’re moving around tons of traffic with tons of firewall rules, traffic shaping, VPNs, and intrusion detection; and, on the other hand, a low-end processor will simply not let you scale up if at first you’re not doing any of those things, but then you develop a need to.

One of the biggest benefits of running my router in a VM has been having the ability to almost magically tune its resources to its evolving responsibilities, affording me a simple reboot of the VM to adjust the amount of threads/cores/ram the underlying host allocates to it (provided, of course, the latter has to spare). The downside is of course putting too many eggs in one basket, resulting in the full loss of all my custom networking whenever the host needs to undergo any kind of maintenance. One strategy against the latter is gauging over some time what your hardware router should look like, then multiplying the resulting resources by some factor for scalability and growth purposes (e.g. four NICs instead of three, 4GiB of RAM instead of 2, 10Gbps instead of 1, etc.), and then fleshing it out to real hardware.

Regards,

> On Apr 5, 2025, at 5:39 PM, John Howie wrote:
>
> Hi Juan,
>
> Any cheap PC will do, but I would stay away from those with low-end processors. No point buying one with a high-end processor either. You will never get the performance that you would have with a purpose-built router using special hardware.
>
> Best regards,
>
> John
>
> Sent from my iPhone
>
>> On Apr 5, 2025, at 12:09, Juan Manuel Palacios wrote:
>>
>> Other than talking about the appropriate hardware for the task at hand, I find it rather odd that no one has yet mentioned either the pfSense or OPNsense distributions. They’re both router-oriented, FreeBSD-based, web-administered, text-based-managed, and, above all, extremely versatile.
>>
>> Mind you, I’m not talking to any degree against rolling out raw FreeBSD plus packages plus some orchestration solution to manage changes, I absolutely love that approach. But if what you want is a turn-key, ready-made solution to provide router-related functionality to your home network, then either of those two more than fit the bill.
>>
>> I’ve been running pfSense here at home for the last… what, 6 years already? And it’s been rock solid! And on that router I run a DHCP server, DHCP6, radvd, unbound, HAProxy with a few ACME certificates, OpenVPN, a whole bunch of VLANs, plus of course pf with a bunch of rules for each of those VLANs, and probably other things I might be forgetting.
>>
>> Furthermore, that pfSense router runs in a VM, sitting atop a Supermicro MOBO & a not super powerful Intel CPU, leveraging PCI passthrough for three NICs, and sometimes I just get bored at having almost nothing to worry about because it just works 24/7/365 without skipping a bit.
>>
>> Again, other than discussing what would be the appropriate hardware for your setup, an appliance-like solution like that is definitely what I’d recommend.
>>
>> HTH!
>>
>>> On Apr 5, 2025, at 2:47 PM, Polarian wrote:
>>>
>>> Hello,
>>>
>>>> There are ARM based SBCs (smaller than a mini PC) purposely built
>>>> as routers ie. with multiple ethernet ports. Since FreeBSD can run
>>>> on ARM (in theory), I would look into those. Very low power :-)
>>>
>>> There is a limited number of supported ARM boards. [1] provides a list
>>> of them, but this page has not been updated in years so I am not too
>>> sure about the status of it, maybe ask the arm mailing list if you are
>>> interested in an ARM router?
>>>
>>> If you are willing to take some additional energy usage for modularity
>>> picking up old desktops such as optiplex's can provide you something
>>> which can be upgraded very easily. SFF Optiplex's despite being small
>>> (not as small as some of the arm options) can fit 1 or 2 network cards
>>> in it, which can have up to 4-6 ports on a single card giving you more
>>> than enough ports to make as many subnets as you like. Old desktops
>>> tend to be cheap on ebay too, along with order gigabit network cards,
>>> and the more beefy cpu gives you more than enough compute headroom for
>>> anything you can think of. It does come at a power cost though, which
>>> in the long run could be experience.
>>>
>>> You could also look at protectli [2] which provide minipc sized
>>> routers, however these come at a big cost, and will only save a small
>>> amount of energy using newer more efficient chips than old desktops,
>>> but they do pack a punch. I am not sure how well they support FreeBSD
>>> however.
>>>
>>> At the end of the day, you need to decide on how much performance you
>>> need. If you only need a few hundred mbps of throughput then a
>>> raspberry pi 4 with a usb NIC can provide you that performance for a
>>> very low power draw, and reasonable cost. If you want something
>>> performance which can do gigabit (or more in the future) then old
>>> desktops or protectli boards might be the better way to go.
>>>
>>> Take care,
>>> --
>>> Polarian
>>> GPG signature: 0770E5312238C760
>>> Jabber/XMPP: polarian@icebound.dev
>>>
>>> [1] https://www.freebsd.org/platforms/arm/
>>> [2] https://eu.protectli.com/
>>>
>>
>>

From nobody Sun Apr 6 03:37:50 2025
Date: Sat, 5 Apr 2025 20:37:50 -0700
From: fatty.merchandise677@aceecat.org
To: questions@freebsd.org
Subject: Re: A FreeBSD-based Router
On Sat, Apr 05, 2025 at 03:08:59PM -0400, Juan Manuel Palacios wrote:

> Other than talking about the appropriate hardware for the task at
> hand, I find it rather odd that no one has yet mentioned either the
> pfSense or OPNsense distributions. They’re both router-oriented,
> FreeBSD-based, web-administered, text-based-managed, and, above all,
> extremely versatile.

Right now I don't need a specialized router machine, but when I was
considering one, I remember being turned away from OPNsense by some
thread in a mailing list or a forum -- maybe even this list -- noting
that its binary distribution was compiled for a particular amd64 ISA
sub/superset, and wouldn't run on others. Sorry I don't remember more
details, maybe others will instantly know what I mean?

--
Ian

From nobody Sun Apr 6 07:05:30 2025
Date: Sun, 06 Apr 2025 00:05:30 -0700
From: "Pat Maddox"
To: questions@freebsd.org
Subject: Re: A FreeBSD-based Router

On Sat, Apr 5, 2025, at 11:47 AM, Polarian wrote:
>
> You could also look at protectli [2] which provide minipc sized
> routers, however these come at a big cost, and will only save a small
> amount of energy using newer more efficient chips than old desktops,
> but they do pack a punch. I am not sure how well they support FreeBSD
> however.

I use a protectli with vanilla FreeBSD. I set up some VLANs in rc.conf,
pf to block all incoming traffic from internet port, pf to allow certain
VLANs to access specific servers, and dhcpd. Other than needing the
occasional freebsd-update, I don’t think about the router at all. I have
at times considered setting up wireguard for remote access, but haven’t
gotten around to it.

I think it’s great. Solid, silent, and fast.

Pat

From nobody Sun Apr 6 10:09:59 2025
Date: Sun, 6 Apr 2025 11:09:59 +0100
From: Frank Leonhardt
To: questions@freebsd.org
Subject: Re: A FreeBSD-based Router

On 05/04/2025 19:02, Martin McCormick wrote:
> We have been using a Netgear wndr3400v2 router since February of
> 2013 and it is probably time to take advantage of newer
> technology especially since there have been no new software updates for
> it in years.

I do this as a matter of course whenever possible, as FreeBSD doesn't crash whereas most router appliances do (I sometimes use a Cisco ASA, which are okay).

It's really straightforward, and I have a couple of FreeBSD boxes doing it along with other tasks, with one in hot standby. So my approach is different to the small SBCs.

My favourite box is an HP Microserver GEN8+. For routing they have a reasonable pair of Broadcom Ethernet cards built in (Gen8), and space for something more powerful if needed. The Gen 10 have very nice Intel Ethernet. You can pick up HP Gen 8 Microservers for around £100 on eBay, and the Gen 8 are really quiet.

The software is FreeBSD out of the box with BIND and DHCPD added. Possibly OpenVPN. Stick with the (pre-installed) PF because it just works better and is easy to understand, and it handles NAT without messing with special kernels. There's also a great book on PF if you want to go into it deeper. These have straightforward configuration files and are easy to set up.

Is running a whole Microserver overkill? I don't think so because in reality it can do so much more - e.g. Mail server, NAS or both. They have four drive slots that are SAS compatible if you don't want the built in SATA.

It's a different approach, perhaps, but I've been doing it for years on several sites and I'd never go back to the plastic boxes. I was fed up of phoning someone to ask them to "turn it off and on again for me please".

Incidentally, WiFi - it's possible to run AP software on FreeBSD but I don't. Proper dedicated WAPs just work better - they have the hardware for it and you can position them in the best place.

Regards, Frank.

2E0FJL

From nobody Sun Apr 6 10:11:24 2025
Date: Sun, 6 Apr 2025 11:11:24 +0100
From: Frank Leonhardt
To: freebsd-questions@freebsd.org
Subject: Re: Securing FreeBSD.

On 05/04/2025 08:38, Albert Shih wrote:
> On 04/04/2025 at 14:56:00-0700, David Christensen wrote:
>
> Hi
>>>> It sounds like you want read-only storage media (?).
>>> Yeah...exactly. The purpose is to recycle some old server to create some
>>> «non erasable» backup in addition to our «normal» backup.
>> Please clarify how you will create the "«non erasable» backup" and how you
>> will use it.
> The initial idea is to
>
>   1/ Put the server in kern.securelevel=2
>   2/ cron + rsync + find . -type f -exec chflags schg {} \; for the data
>
> For the use :
>
>   1/ Pray not to have to ;-)
>
>   2/ rsync in the other way ;-)
>
>>> There are two things I will not consider in the equation :
>>>
>>>    Security problem in FreeBSD.
>> If you wish to defend against security problems in FreeBSD, then I suggest
>> that you run the oldest supported release of FreeBSD -- 13.4-RELEASE.
> Well I say I will «not» consider.
>
>> If you wish to defend against an intruder who has physical access to the
>> server, then I suggest that you select drives that have self-encryption (in
>> addition to write-protection).
>>
> Yes. I know that. But the assumption is :
>
>   FreeBSD doesn't have security problems
>   The physical access is safe.
>
>>> well....not possible. Too many To.
>> What is the size of the "«non erasable» backup"?
> Currently I got around 8 To of data to backup (every day) in this «backup safe». And
> the server for this «backup safe» would have «lot of To» (around 450 To).
>
> So no problem to just daily
>
>   mkdir `date +%Y%m%d`
>   rsync data `date +%Y%m%d`
>   find `date +%Y%m%d` -type f -exec chflags schg {} \;
>
> and each 6 months (or before if need a run of freebsd-update) to boot in
> single, change the securelevel and erase manually the oldest backup
>
>> What devices is it currently stored on?
>>
> Standard HDD.
>
>>> And the data change daily.
>> "non erasable" and "change daily" are contradictory goals.  Please clarify.
> Yeah....I mean the data I need to backup change daily. So it's not humanly
> possible to write that optical device.
>
> We already think about WORM tapes (we have LTO-8 library) but that's
> very expensive. And the point is to use some old server which runs perfectly
> but no longer under warranty to do this «backup safe» because we already
> have standard backup.
>
>>> Same issue. Not possible.
>>>
>>> Regards.
>> What about the IODD external drive enclosures?
>>
>>
> Didn't know that thing. I will check that.
>

A few thoughts having followed this discussion.

1) If you lock down the backup server completely (no open ports) then it would be very hard for it to be compromised.

2) zfs send/receive is often a lot more efficient than rsync, and you can keep snapshots on the backup server which is an extra security feature. Just have one port open for replication.

3) Sending a zfs dataset to LTO and then removing the tape from the drive is very secure. Of course you need to be in the same place as the drive. If the dataset deltas are relatively small it's reasonable to do this over the Internet but I don't know how much of your data is really changed. It's usually less than people think.

Just in case you're not familiar with zfs send, you can have a complete image of your enormous zpool - offline (unplug the disks) and then send a delta for everything that's changed between snapshots. This delta may be quite small and easily fit on an LTO, which can then be removed and put in a safe place. To get your data back, reconnect the image and apply the delta or deltas from tape.
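
The snapshot-delta replication described in the message above, as an added example that is not part of the original thread: it works out which `zfs send` to run by finding the newest snapshot both sides hold, and falls back to a full stream when there is none. The dataset names (`tank/data`, `safe/data`), the host name `backuphost`, ssh as the transport and the snapshot lists are all assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): plan one replication step for a
# "backup safe" that receives ZFS snapshot deltas instead of rsync copies.
# Dataset names, the host name and the snapshot lists are constructed.

# Daily snapshot label. %m is the month; %M would be the minute of the hour.
snap_label() {
    date +%Y%m%d
}

# newest_common SRC_LIST DST_LIST
# Both lists hold snapshot labels (the part after '@'), one per line and
# oldest first, e.g. taken from
#   zfs list -H -t snapshot -o name -s creation tank/data | sed 's/.*@//'
# Labels are assumed to contain no whitespace (they are dates here).
# Prints the newest label present on both sides, or nothing.
newest_common() {
    common=""
    for s in $1; do
        for d in $2; do
            if [ "$s" = "$d" ]; then
                common=$s
            fi
        done
    done
    printf '%s' "$common"
}

# plan_send DATASET NEW_LABEL SRC_LIST DST_LIST
# Prints the send command for the source host:
#   - a full stream when the backup holds no snapshot in common,
#   - an incremental stream from the newest common snapshot otherwise,
#   - nothing when NEW_LABEL is already the newest common snapshot.
plan_send() {
    base=$(newest_common "$3" "$4")
    if [ -z "$base" ]; then
        printf 'zfs send %s@%s' "$1" "$2"
    elif [ "$base" != "$2" ]; then
        printf 'zfs send -i @%s %s@%s' "$base" "$1" "$2"
    fi
}

# plan_pipeline DATASET NEW_LABEL SRC_LIST DST_LIST HOST DST_DATASET
# Adds the receiving side. ssh as the transport is an assumption; the
# thread only says to leave a single port open for replication.
# "receive -u" leaves the received file system unmounted on the backup.
plan_pipeline() {
    send=$(plan_send "$1" "$2" "$3" "$4")
    if [ -z "$send" ]; then
        printf 'nothing to send'
    else
        printf '%s | ssh %s zfs receive -u %s' "$send" "$5" "$6"
    fi
}

# Constructed sample state: the backup is one day behind the source.
SRC_SNAPS='20250404
20250405
20250406'
DST_SNAPS='20250404
20250405'

# Dry run: print the plan instead of executing it.
echo "plan: $(plan_pipeline tank/data 20250406 "$SRC_SNAPS" "$DST_SNAPS" backuphost safe/data)"
```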

From nobody Sun Apr 6 10:27:24 2025
Date: Sun, 6 Apr 2025 06:27:24 -0400
From: Juan Manuel Palacios
To: David Christensen
Cc: questions@freebsd.org
Subject: Re: A FreeBSD-based Router

I personally appreciate UniFi quite a bit, I have a few devices here at
home, and even control them via a UniFi Controller instance that I run
locally in a FreeBSD jail.

But I’d never ever trade pfSense for a UniFi router! Sure, not a single
pane-of-glass with a single backup & restore button for everything, but
the power and versatility of pfSense is just unmatched (perhaps only by
OPNSense, but I strive to steer clear from that particular flamewar), and
that certainly justifies two backup & restore buttons ;) (or, well, three
if you count my TrueNAS rig).

> On Apr 5, 2025, at 7:40 PM, David Christensen wrote:
>
> On 4/5/25 11:02, Martin McCormick wrote:
>> We have been using a Netgear wndr3400v2 router since February of
>> 2013 and it is probably time to take advantage of newer
>> technology especially since there have been no new software updates for
>> it in years. It also has a web GUI interface that must have, at
>> one time, worked for somebody, but nobody here because I have
>> thrown every browser at it I can get my hands on and the best way
>> to describe it is that each browser does okay with some web pages
>> on it but not others and anything related to passwords or the
>> changing thereof seems to always make the most destructive
>> changes but never any beneficial adjustments so one doesn't
>> really know what got changed until later when this or that
>> function no longer works.
>> If I do the factory default reset, that will certainly
>> set things back to originals while also deleting the dhcp table
>> so I don't really want to do that.
>> What I really want is a modern router with a command-line
>> method of control which allows for good old text-based
>> configuration files for changing router settings as well as the
>> dhcpd server which it would also be running.
>> My idea is to load a mini PC with FreeBSD and a router
>> engine which means that the mini PC would need to have at least 2 NICS.
>> Is there any particular mini PC with a good track record
>> on running FreeBSD? I just put our Netgear router on a UPS so
>> that the occasional power glitches aren't as easily passed
>> through to our home network and hopefully a mini PC would not run
>> the UPS battery down as quickly as a full-sized work station
>> might.
>> Before I retired in 2015, I ran the FreeBSD-based bind
>> name servers along with ISC Dhcpd for my employer and we had
>> virtually no issues at all with that particular scheme so that's
>> why I want to use FreeBSD in our house for this purpose even
>> though I use debian Linux for most hobby activities so I can say
>> good things about both unixen (I believe that is a correct form
>> of speech.)
>> Our router is still working, knock on wood, but we
>> recently had issues with our ISP that so choked the router that I
>> thought it had crashed only to find out that it came back to life
>> when whatever traffic the ISC was throwing on to their system
>> went away and things got back to what passes for normal.
>> The FreeBSD/dhcp environment we had for over 20 years was
>> run on Dell servers and we had one FreeBSD box that ran continuously
>> without a reboot for over a year so I know FreeBSD gets things
>> done.
>> Thanks for any suggestions.
>> Martin McCormick
>
>
> Network engineering in the age of the Internet is a never-ending
> learning curve with potentially disastrous consequences if it is done
> incorrectly (including not keeping it up-to-date).
>
>
> I have a SOHO network with a file server, various client devices, and
> residential Internet service. I want a safe and reliable network, but
> am not a network engineer.
>
>
> Back in the day, I started with a homebrew dial-up firewall router
> using a desktop PC, dual NIC's, and Red Hat Linux. It was a useful
> learning exercise. Later, I tried purpose-built FOSS distributions.
> pfSense was too powerful and complex for my needs. IPCop was a good fit
> and I used it for years. But, the PC was bulky, made noise, produced
> heat, and consumed power. Compact energy-efficient PC's have always
> come at a premium price. I tried a few Netgear products, but also had
> problems with the web user interface (WUI). More importantly, the
> devices tended to crash every few months; especially in summer. FOSS
> firmware (DD-WRT) helped with the WUI, but I bricked at least one device
> attempting to upgrade. When I added a Wi-Fi access point (AP), I soon
> discovered the hassle of trying to keep configuration settings
> synchronized across multiple network devices.
>
>
> Then I discovered Ubiquiti Networks and their UniFi lineup of
> products. The killer feature is the UniFi Network Application --
> centralized high-level network command and control with one WUI to "rule
> them all". I bought a UniFi Security Gateway, a UniFi AP AC-Lite, rented
> a Linode VPS, installed Debian and the UniFi Network Application (via a
> Linode StackScript), configured everything, and have been up and running
> 24x7 ever since. The UniFi Network Application WUI has evolved over the
> years, but has always been very polished. Upgrades have been
> uneventful. Backup is achieved by downloading a configuration file.
> Restore is achieved by uploading a configuration file. I easily added
> incoming firewall pinholes and forwarding rules to allow remote SSH
> access from the Internet. At one point, I set up a VPN to allow remote
> Samba access from the Internet. I easily added two more AP's to my LAN.
> Technical support was excellent when I needed it.
UniFi devices are = Linux on the inside, so I can look; but I dare not touch. >=20 >=20 > David >=20 >=20 From nobody Sun Apr 6 14:23:19 2025 X-Original-To: freebsd-questions@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4ZVvhk200bz5rw7W for ; Sun, 06 Apr 2025 14:23:34 +0000 (UTC) (envelope-from paulbeard@gmail.com) Received: from mail-ed1-x52c.google.com (mail-ed1-x52c.google.com [IPv6:2a00:1450:4864:20::52c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "smtp.gmail.com", Issuer "WR4" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4ZVvhh6kK4z3SFc for ; Sun, 06 Apr 2025 14:23:32 +0000 (UTC) (envelope-from paulbeard@gmail.com) Authentication-Results: mx1.freebsd.org; dkim=pass header.d=gmail.com header.s=20230601 header.b=IogMtkrX; dmarc=pass (policy=none) header.from=gmail.com; spf=pass (mx1.freebsd.org: domain of paulbeard@gmail.com designates 2a00:1450:4864:20::52c as permitted sender) smtp.mailfrom=paulbeard@gmail.com Received: by mail-ed1-x52c.google.com with SMTP id 4fb4d7f45d1cf-5e5e1a38c1aso4803275a12.2 for ; Sun, 06 Apr 2025 07:23:32 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1743949411; x=1744554211; darn=freebsd.org; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=1+18gpY7KxuqNacwkqXPreWWA8j3FvjAqhYrEcDKc1Q=; b=IogMtkrXnHJlRKzC8/4k6RKQN8F4RwqFOt8/MMGrsUJx7HDgaTaY/soGJNsYrCxxWZ jvjAvQCxg1iQ0qDmoTn/AaRMu3gwY6E2FsOMy0OhiCWupe7GNaQT/lQ3yiX5CJ24fXGg HPU00gL91TXxUw4d+M8FRKDNox+COxWJjhsET6B0IC8IGo1xd/jTtiSXOs2rbrw0Ms4z ARNZFOfhEqtkQ6Ipdop7Bord4HO1hpDvqAQM0b2JDRCuPTr7y/cPh3ZnRC2EhwVOxExx EriwNfdsiqv4h2g06u4coW24Raxvqj7kfswHOKQ7CA50u5SV6RDbqzEDqlqjWTD3Jw6H 09rA== X-Google-DKIM-Signature: 
From: paul beard
Date: Sun, 6 Apr 2025 07:23:19 -0700
Subject: ntpd/ntpdate not setting time after upgrade to 14.2
To: FreeBSD-questions

I reboot my freebsd system every sunday at 3AM (it runs in a VM on a machine that needs a reboot every so often so I just do that and the router/AP all at once). This was all good under 13.4 but now that I am on 14.2, I find the machine comes up in UTC and stays there until I set the time by hand. I have ntpd and ntpdate both set to "on" in rc.conf, not sure why or which makes more sense. ntpd is running but only sets the time if I run it by hand. I only find this out when a cron job reports it can't overwrite a file (backup from the day before).

Apr  5 20:02:19 <ntp.notice> www ntpd[767]: leapsecond file ('/var/db/ntpd.leap-seconds.list'): loaded, expire=2025-06-28T00:00:00Z last=2017-01-01T00:00:00Z ofs=37
Apr  5 20:02:29 <ntp.err> www ntpd[767]: Clock offset exceeds panic threshold.
Apr  5 20:02:29 <ntp.err> www ntpd[767]: Set system clock by hand.
Apr  6 07:14:05 <ntp.notice> www ntpd[3425]: ntpd 4.2.8p18-a (1): Starting
Apr  6 07:14:05 <ntp.notice> www ntpd[3425]: Command line: /usr/sbin/ntpd -p /var/db/ntp/ntpd.pid -c /etc/ntp.conf -f /var/db/ntp/ntpd.drift

--
Paul Beard / www.paulbeard.org/

From nobody Sun Apr 6 15:07:29 2025
From: Steve Rikli
Date: Sun, 6 Apr 2025 08:07:29 -0700
Subject: Re: ntpd/ntpdate not setting time after upgrade to 14.2
To: paul beard
Cc: FreeBSD-questions

On Sun, Apr 06, 2025 at 07:23:19AM -0700, paul beard wrote:
> I reboot my freebsd system every sunday at 3AM (it runs in a VM on a
> machine that needs a reboot every so often so I just do that and the
> router/AP all at once). This was all good under 13.4 but now that I am on
> 14.2, I find the machine comes up in UTC and stays there until I set the
> time by hand. I have ntpd and ntpdate both set to "on" in rc.conf, not sure
> why or which makes more sense. ntpd is running but only sets the time if I
> run it by hand. I only find this out when a cron job reports it can't
> overwrite a file (backup from the day before).
>
> Apr  5 20:02:19 <ntp.notice> www ntpd[767]: leapsecond file ('/var/db/ntpd.leap-seconds.list'): loaded, expire=2025-06-28T00:00:00Z last=2017-01-01T00:00:00Z ofs=37
> Apr  5 20:02:29 <ntp.err> www ntpd[767]: Clock offset exceeds panic threshold.
> Apr  5 20:02:29 <ntp.err> www ntpd[767]: Set system clock by hand.
> Apr  6 07:14:05 <ntp.notice> www ntpd[3425]: ntpd 4.2.8p18-a (1): Starting
> Apr  6 07:14:05 <ntp.notice> www ntpd[3425]: Command line: /usr/sbin/ntpd -p /var/db/ntp/ntpd.pid -c /etc/ntp.conf -f /var/db/ntp/ntpd.drift

Typically you don't need ntpdate along with ntpd, since the ntpdate(8)
functionality is part of ntpd these days. E.g. I run like this:

$ grep ntp /etc/rc.conf
ntpd_enable="YES"
ntpd_sync_on_start="YES"

The sync_on_start option adds flag "-g" to ntpd which allows the initial
startup time adjustment to be large. The ntpd(8) man page mentions the
panic threshold you're seeing in the log, and the -g flag is intended to
address that.

Cheers,
sr.

From nobody Sun Apr 6 15:08:33 2025
From: Mauricio
Date: Sun, 6 Apr 2025 11:08:33 -0400
Subject: Fwd: Problems with WiFi networks - HP 255 G7, FreeBSD 14.2
To: freebsd-questions

---------- Forwarded message ---------
From: Mauricio
Date: Sun, Apr 6, 2025 at 11:07 AM
Subject: Re: Problems with WiFi networks - HP 255 G7, FreeBSD 14.2
To: Dave Cottlehuber

Felt the need of clarifying that I still need to add the "compat.linuxkpi.skb.mem_limit=1" line in /boot/loader.conf for the WiFi card to work, actually.

If I did not add the mentioned line, the WiFi card would work, but just for some minutes and then the connection would fail.

On Thu, Apr 3, 2025 at 4:36 PM Mauricio wrote:

> The suggestion of trying FreeBSD 14 STABLE ended with success.
> I can use WiFi correctly now.
>
> One good thing I noticed is that I don't need to type that
> "linuxkpi..." in /boot/loader.conf anymore for the WiFi card to work
> correctly.
>
> I'm really thankful for all your help.
> I want to keep digging on this system and now it's easier.
>
> By the way, thanks for letting me know about the risks of one of my text
> files, however, I thought about it beforehand, and found that I had reasons
> to not care about that for now.
> Again, thanks for the help.
>
> On Wed, 2 Apr 2025, 7:30 p.m., Dave Cottlehuber wrote:
>
>> > On Wed, Apr 2, 2025 at 4:30 AM Dave Cottlehuber wrote:
>> >> On Tue, 1 Apr 2025, at 17:33, Mauricio wrote:
>> >> > Hey! : )
>> >> >
>> >> > I have decided to install FreeBSD 14.2 in my laptop (HP 255 G7).
>> >> > This model uses a WiFi card detected as rtw880 in the system.
>> >>
>> >> Welcome Mauricio!
>> >>
>> >> > I did the same for this 14.2 installation. And my WiFi card is
>> >> > recognized when looking at the ifconfig output.
>>
>> TLDR try installing 14-STABLE to see if this is resolved.
>>
>> I wrote most of the notes below before finding PR283142, so just
>> use it to refer to in future.
>>
>> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=272145 seems relevant
>> with https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=283903
>> as does https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=283142 which
>> looks like a fix may already be in 14-STABLE, my suggestion would be
>> to see if 14-STABLE works or not.
>>
>> > dmesg: https://pastebin.com/pYWAkSed
>>
>> rtw880: <rtw_8821ce> port 0x2000-0x20ff mem 0xc0600000-0xc060ffff at device 0.0 on pci1
>> rtw880: successfully loaded firmware image 'rtw88/rtw8821c_fw.bin'
>> rtw880: Firmware version 24.8.0, H2C version 12
>>
>> > ifconfig: https://pastebin.com/JcETgrGU
>>
>> wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
>>         options=0
>>         ether 00:e9:3a:db:06:fb
>>         groups: wlan
>>         ssid "" channel 11 (2462 MHz 11g). <---------
>>         regdomain FCC country US authmode WPA1+WPA2/802.11i privacy ON
>>         deftxkey UNDEF txpower 30 bmiss 7 scanvalid 60 protmode CTS wme
>>         roaming MANUAL
>>         parent interface: rtw880
>>         media: IEEE 802.11 Wireless Ethernet autoselect (autoselect)
>>         status: no carrier <-------------------------
>>
>> So you're not getting an IP address from DHCP server because no
>> connection is being established to the access point (no carrier).
>>
>> While I can't diagnose this, you should grab output of wifi scan,
>> and run wpa_supplicant in debug mode, and update one of the
>> tickets above if it's still an issue on 14-STABLE.
>>
>> # ifconfig -v wlan0 list scan
>> # pkill -ilf wpa_supplicant
>> # wpa_supplicant -tddi wlan0 -c /etc/wpa_supplicant.conf
>>
>> You may need to sanitise this file, it may contain your wifi password
>>
>> A+
>> Dave
>>

From nobody Sun Apr 6 15:13:15 2025
From: paul beard
Date: Sun, 6 Apr 2025 08:13:15 -0700
Subject: Re: ntpd/ntpdate not setting time after upgrade to 14.2
To: FreeBSD Questions List

Ah. I didn't look for panic in the man page…

Curious as to why this new behavior manifested after the upgrade but fixing it is enough for me.

Thanks for the tip.

On Sun, Apr 6, 2025 at 8:07 AM Steve Rikli wrote:

> On Sun, Apr 06, 2025 at 07:23:19AM -0700, paul beard wrote:
> > I reboot my freebsd system every sunday at 3AM (it runs in a VM on a
> > machine that needs a reboot every so often so I just do that and the
> > router/AP all at once). This was all good under 13.4 but now that I am on
> > 14.2, I find the machine comes up in UTC and stays there until I set the
> > time by hand. I have ntpd and ntpdate both set to "on" in rc.conf, not sure
> > why or which makes more sense. ntpd is running but only sets the time if I
> > run it by hand. I only find this out when a cron job reports it can't
> > overwrite a file (backup from the day before).
> >
> > Apr  5 20:02:19 <ntp.notice> www ntpd[767]: leapsecond file ('/var/db/ntpd.leap-seconds.list'): loaded, expire=2025-06-28T00:00:00Z last=2017-01-01T00:00:00Z ofs=37
> > Apr  5 20:02:29 <ntp.err> www ntpd[767]: Clock offset exceeds panic threshold.
> > Apr  5 20:02:29 <ntp.err> www ntpd[767]: Set system clock by hand.
> > Apr  6 07:14:05 <ntp.notice> www ntpd[3425]: ntpd 4.2.8p18-a (1): Starting
> > Apr  6 07:14:05 <ntp.notice> www ntpd[3425]: Command line: /usr/sbin/ntpd -p /var/db/ntp/ntpd.pid -c /etc/ntp.conf -f /var/db/ntp/ntpd.drift
>
> Typically you don't need ntpdate along with ntpd, since the ntpdate(8)
> functionality is part of ntpd these days. E.g. I run like this:
>
> $ grep ntp /etc/rc.conf
> ntpd_enable="YES"
> ntpd_sync_on_start="YES"
>
> The sync_on_start option adds flag "-g" to ntpd which allows the initial
> startup time adjustment to be large. The ntpd(8) man page mentions the
> panic threshold you're seeing in the log, and the -g flag is intended to
> address that.
>
> Cheers,
> sr.
>

--
Paul Beard / www.paulbeard.org/
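The check discussed in this message can be automated. The following is an added example, not code from the thread: it parses rc.conf text for `ntpd_sync_on_start` (or a `-g` in `ntpd_flags`) and scans syslog lines for ntpd processes that hit the panic threshold or were started without `-g`. The function names are hypothetical; the log lines are the ones quoted above.

```python
import re
import shlex

PANIC_MSG = "Clock offset exceeds panic threshold"
NTPD_LINE = re.compile(r"ntpd\[(\d+)\]: (.*)$")
TRUTHY = {"yes", "true", "on", "1"}  # values rc.subr's checkyesno accepts

def rc_conf_allows_big_step(rc_conf_text):
    """True if rc.conf sets ntpd_sync_on_start or passes -g in ntpd_flags."""
    conf = {}
    for line in rc_conf_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip().strip("\"'")
    if conf.get("ntpd_sync_on_start", "NO").lower() in TRUTHY:
        return True
    return "-g" in shlex.split(conf.get("ntpd_flags", ""))

def audit_ntpd_log(lines):
    """Per ntpd PID: was -g on the logged command line, and did it panic?"""
    procs = {}
    for line in lines:
        m = NTPD_LINE.search(line)
        if not m:
            continue
        state = procs.setdefault(int(m.group(1)), {"has_g": None, "panicked": False})
        msg = m.group(2)
        if msg.startswith("Command line:"):
            args = shlex.split(msg[len("Command line:"):])
            state["has_g"] = "-g" in args or "--panicgate" in args
        elif PANIC_MSG in msg:
            state["panicked"] = True
    return procs

# Log lines as quoted in the thread (has_g stays None when no command line was logged).
SAMPLE_LOG = [
    "Apr  5 20:02:19 <ntp.notice> www ntpd[767]: leapsecond file ('/var/db/ntpd.leap-seconds.list'): loaded, expire=2025-06-28T00:00:00Z last=2017-01-01T00:00:00Z ofs=37",
    "Apr  5 20:02:29 <ntp.err> www ntpd[767]: Clock offset exceeds panic threshold.",
    "Apr  5 20:02:29 <ntp.err> www ntpd[767]: Set system clock by hand.",
    "Apr  6 07:14:05 <ntp.notice> www ntpd[3425]: ntpd 4.2.8p18-a (1): Starting",
    "Apr  6 07:14:05 <ntp.notice> www ntpd[3425]: Command line: /usr/sbin/ntpd -p /var/db/ntp/ntpd.pid -c /etc/ntp.conf -f /var/db/ntp/ntpd.drift",
]
```

On the quoted log this flags PID 767 as having hit the panic threshold and PID 3425 as started without `-g`, which is the state the `ntpd_sync_on_start="YES"` setting is meant to change.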
From nobody Sun Apr 6 16:01:25 2025
Message-ID: <3b124ca0-4d34-46db-8f66-d16201e17964@osfux.nl>
Date: Sun, 6 Apr 2025 18:01:25 +0200
Subject: Re: A FreeBSD-based Router
To: questions@freebsd.org
From: mailatosfux

On 4/5/25 20:02, Martin McCormick wrote:
> What I really want is a modern router with a command-line
> method of control which allows for good old text-base
> configuration files for changing router settings as well as the
> dhcpd server which it would also be running.
>
> My idea is to load a mini PC with FreeBSD and a router
> engine which means that the mini PC would need to have at least 2 NICS.
>
> Is there any particular mini PC with a good track record
> on running FreeBSD?

I'll be closely watching this thread, since FreeBSD compatibility is very
important to me and I'm also in the market for a new device.

Recently I've upgraded my FreeBSD "router" setup to IPv6 / switched to a
different ppp-daemon (I got another internet provider after moving, one
that provides additional capabilities/throughput), this was the first
time I've put any effort in the setup (except for keeping it patched)
since installing it on a pair of PC Engines (apu2e4 and apu1, in a
redundant setup) 12 years ago.

I'm in the market for a device that can handle considerably more traffic
than the 250mbit I'm squeezing out of my apu's. Unfortunately, PC Engines
is not developing new platforms anymore. Anything reasonably compact,
<25 watt power consumption, passively cooled and providing 1/2 SFP+ slots
+ able to run "stock" FreeBSD, is what I'm aiming at.

I'm considering repurposing a few old NUCs until I find a "new" device
I'm happy enough with to spend actual money on. Not in a hurry replacing
my valued, trusty pcengines devices though, they've never let me down and
running a pair of them allows for almost "on the fly" maintenance
(interrupting internet functionality is not a popular theme where I live).
From nobody Sun Apr 6 21:23:28 2025
Message-ID: <05376290-3ee7-47a4-ad7e-babdd68990f8@bein.link>
Date: Mon, 7 Apr 2025 02:23:28 +0500
To: freebsd-questions@freebsd.org
From: Maxim V Filimonov
Subject: CURRENT OCI Images don't push to registries

Hello list,

I have encountered the following error:

% sudo podman push freebsd-minimal:15.0-CURRENT-amd64 docker:3000/oss/freebsd:15
Getting image source signatures
Copying blob be93261a2a96 done   |
Error: writing blob: Patch "http://docker:3000/v2/oss/freebsd/blobs/uploads/955gxv8ziqpwlargmbw8xy6jx": happened during read: Digest did not match, expected sha256:be93261a2a96b5d6a75724f7b970b281bda6cfeac8f5eeae9344b5af89f0863c, got sha256:a609a39b567e0a1073eb0b50475a38eecaa8be097bb8ce08bf52cc8d7d873100

That happens whenever I try to push an image of FreeBSD 15 to any
registry in the known universe. Whenever I try and push a 14.2-RELEASE
image, tho, it works like a charm.

What could be the problem here? Can it be fixed?

Thank you so much in advance.

-- 
wbr,
Maxim Filimonov
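A digest mismatch like the one reported above can be narrowed down by hashing every blob of the image locally and comparing it with the digest the manifest records. The following is an added example, not code from the post or from podman: it walks an OCI image layout directory (assumed to have been exported with `podman save --format oci-dir`) and reports each blob's expected and actual digest; the function names and the sample layout are constructed for illustration.

```python
import hashlib
import json
import os

def blob_path(layout, digest):
    return os.path.join(layout, "blobs", *digest.split(":", 1))

def check_blob(layout, desc):
    """Hash the blob on disk and compare with the descriptor's digest and size."""
    h, size = hashlib.new(desc["digest"].split(":", 1)[0]), 0
    with open(blob_path(layout, desc["digest"]), "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
            size += len(chunk)
    got = f"{h.name}:{h.hexdigest()}"
    ok = got == desc["digest"] and size == desc["size"]
    return {"expected": desc["digest"], "got": got, "ok": ok}

def verify_layout(layout):
    """Walk index.json -> manifest -> layers and config; one result per blob."""
    with open(os.path.join(layout, "index.json")) as f:
        todo = list(json.load(f)["manifests"])
    results = []
    for desc in todo:  # todo grows as manifests and indexes are parsed
        results.append(check_blob(layout, desc))
        kind = desc.get("mediaType", "")
        if results[-1]["ok"] and kind.endswith(("manifest.v1+json", "index.v1+json")):
            with open(blob_path(layout, desc["digest"])) as f:
                doc = json.load(f)
            todo += doc.get("manifests", []) + doc.get("layers", [])
            todo += [doc["config"]] if "config" in doc else []
    return results

def build_sample_layout(root):
    """Constructed sample: minimal layout whose layer is altered after hashing."""
    def put(data, media_type):
        digest = "sha256:" + hashlib.sha256(data).hexdigest()
        os.makedirs(os.path.join(root, "blobs", "sha256"), exist_ok=True)
        with open(blob_path(root, digest), "wb") as f:
            f.write(data)
        return {"mediaType": media_type, "digest": digest, "size": len(data)}
    layer = put(b"constructed layer bytes", "application/vnd.oci.image.layer.v1.tar")
    config = put(b"{}", "application/vnd.oci.image.config.v1+json")
    body = json.dumps({"schemaVersion": 2, "config": config, "layers": [layer]})
    manifest = put(body.encode(), "application/vnd.oci.image.manifest.v1+json")
    with open(os.path.join(root, "index.json"), "w") as f:
        json.dump({"schemaVersion": 2, "manifests": [manifest]}, f)
    with open(blob_path(root, layer["digest"]), "ab") as f:
        f.write(b"!")  # the blob no longer matches the digest it is stored under
    return layer["digest"]
```

If every blob in the exported layout verifies, the stored image is self-consistent and the mismatch is introduced later, during the push; a failing entry identifies the blob whose bytes differ from the manifest.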