
Jul 28 2023

freebsd_oldach.net added a comment to D37685: Fix per-FIB gateway support in rc.d/routing.

Can this please be MFCed to stable/13? As mentioned, this fixes a previous incorrect MFC.

Jul 28 2023, 4:22 AM

Jul 11 2023

freebsd_oldach.net added a comment to F64002692: otis periodic.

This is quite odd, as _localbase is set in /usr/sbin/periodic but not exported. The periodic scripts are invoked as a sub-shell (line 137 of periodic.sh), so they would not inherit _localbase. Perhaps -a / allexport is set in ~/.shrc?

Jul 11 2023, 6:36 AM

Jul 7 2023

freebsd_oldach.net added inline comments to D40435: periodic: Honor kern.localbase.
Jul 7 2023, 2:28 PM
freebsd_oldach.net added inline comments to D40435: periodic: Honor kern.localbase.
Jul 7 2023, 8:57 AM
freebsd_oldach.net added inline comments to D40435: periodic: Honor kern.localbase.
Jul 7 2023, 8:50 AM
freebsd_oldach.net added inline comments to D40435: periodic: Honor kern.localbase.
Jul 7 2023, 8:03 AM

Dec 13 2022

freebsd_oldach.net accepted D37685: Fix per-FIB gateway support in rc.d/routing.
Dec 13 2022, 6:14 PM

Dec 4 2022

freebsd_oldach.net added inline comments to D22706: Add per-FIB gateway support to rc.d/routing.
Dec 4 2022, 9:55 AM

Feb 29 2020

freebsd_oldach.net added a comment to D16857: Introduce certctl(8).
In D16857#524890, @1983-01-06_gmx.net wrote:

That all looks fine.

Here are now my questions:

  1. Why was the hash option selected? D16352 uses the common approach of concatenating PEM files into one PEM bundle, which can be easily transported and distributed.

I wasn't initially involved in this decision, but I find it more convenient to manually manage or identify what's being trusted as-is, since I can ls/grep around /etc/ssl/certs.

Feb 29 2020, 12:39 PM
freebsd_oldach.net added a comment to D16857: Introduce certctl(8).
In D16857#524909, @1983-01-06_gmx.net wrote:

As far as I can see, when certs are in base, security/ca_root_nss seems to be obsolete to me; these ports need to be changed:

Feb 29 2020, 12:33 PM

Mar 12 2018

freebsd_oldach.net added a comment to D9920: Fix rc.firewall workstation profile for fragmented packets.

This patch leaves that value alone; that value is 1 by default. The added rules shall reassemble all UDP packets, and since one_pass is set it will at that point PASS THE PACKET. This is a huge hole in the firewall, in effect allowing all UDP traffic to pass inward without any port or state being checked. With the added rule that reassembles UDP packets it is a MUST that net.inet.ip.fw.one_pass be set to 0 so that the additional checks later in the firewall can be checked. It is also a must that the rule be moved before the check-state.

Mar 12 2018, 5:34 PM · rc

Mar 11 2018

freebsd_oldach.net added a comment to D9920: Fix rc.firewall workstation profile for fragmented packets.

The reass rule has the side effect that once it assembles a packet, if net.inet.ip.fw.one_pass=0, it passes the packet without any further processing. That is not the desired behavior of a firewall.

Running a reass rule without net.inet.ip.fw.one_pass=0 results in a firewall that can be circumvented by simply fragmenting all packets.

Mar 11 2018, 6:14 PM · rc
freebsd_oldach.net added a comment to D9920: Fix rc.firewall workstation profile for fragmented packets.

I am not so sure if we want to turn on net.inet.ip.fw.one_pass.

Mar 11 2018, 4:58 PM · rc
freebsd_oldach.net requested changes to D9920: Fix rc.firewall workstation profile for fragmented packets.

Please put the reass before the check-state, as fragments (except the first) don't carry protocol and port and thus cannot be dealt with by check-state anyhow. This will save a few cycles.

Mar 11 2018, 4:42 PM · rc