How to Generate SELinux Policy Manual Page

It seems that by default, the SELinux policy manpages are not available. Here’s how to make them available. First install the selinux-policy-devel package. Then generate the man pages by running:

    # sepolicy manpage -a -p /usr/share/man/man8

    -a : all domains
    -p : path to store the manpages (by default it’s /tmp)
    /usr/share/man/man8 : section 8 of the manual is for system administration commands

Create or update the manual page index caches:

    # mandb

Benefit:

    # man -k _selinux

(or e.g. "man httpd_selinux") ...

August 26, 2018 · 1 min · 80 words · kenno

Upgrading my nas from FreeBSD 11.1-RELEASE to 11.2-RELEASE

FreeBSD 11.2-RELEASE was released a few days ago. This means it’s time to upgrade the FreeBSD running on my nas. For the most part, this was all I did:

    # freebsd-update -r 11.2-RELEASE upgrade
    # freebsd-update install
    # reboot
    # freebsd-update install

After it’s been upgraded, I also need to update the zpool.

    root@nas:~ # zpool status
      pool: zroot
     state: ONLINE
    status: Some supported features are not enabled on the pool. The pool can
            still be used, but some features are unavailable.
    action: Enable all features using 'zpool upgrade'. Once this is done,
            the pool may no longer be accessible by software that does not support
            the features. See zpool-features(7) for details.
      scan: scrub repaired 0 in 0h0m with 0 errors on Tue Jan 23 23:54:42 2018
    config:

            NAME        STATE     READ WRITE CKSUM
            zroot       ONLINE       0     0     0
              gpt/zfs0  ONLINE       0     0     0

    errors: No known data errors

Let’s upgrade the zpool zroot as suggested: ...

June 30, 2018 · 2 min · 353 words · kenno

How to extend ZFS partition

I have a FreeBSD server which used to run off a smaller SSD drive. When it was replaced with a larger-capacity SSD by using the dd command to clone the disk, there was free space left over on the new disk. I want to extend the existing zroot pool to use this space. The following describes how I achieved this with the help of a forum post. Let’s list some information about the zroot pool:

    root@nas:~ # zfs list zroot
    NAME    USED  AVAIL  REFER  MOUNTPOINT
    zroot  4.88G  50.8G   144K  none

List the partition scheme of the drive I’d like to extend my zroot zpool with: ...

March 11, 2018 · 2 min · 302 words · kenno

FreeBSD 12: Can't update packages, size mismatch

It’s another night with another FreeBSD problem. Well, I could just use Linux like Ubuntu or Void, but then things would just work. Where is the fun? 😉 So, I’ve been having problems with upgrading or installing new binary packages on a machine running FreeBSD 12.0 for a few days now.

    root@vansota:~ # pkg upgrade
    Updating FreeBSD repository catalogue...
    FreeBSD repository is up to date.
    All repositories are up to date.
    Checking for upgrades (13 candidates): 100%
    Processing candidates (13 candidates): 100%
    The following 6 package(s) will be affected (of 0 checked):

    New packages to be INSTALLED:
            p5-Locale-gettext: 1.07

    Installed packages to be REINSTALLED:
            xorg-server-1.18.4_6,1 (needed shared library changed)
            xf86-input-synaptics-1.9.0 (options changed)
            texinfo-6.5,1 (options changed)
            m4-1.4.18,1 (options changed)
            help2man-1.47.5 (options changed)

    Number of packages to be installed: 1
    Number of packages to be reinstalled: 5

    The process will require 2 MiB more space.
    3 MiB to be downloaded.

    Proceed with this action? [y/N]: y
    [1/6] Fetching xorg-server-1.18.4_6,1.txz: 100%    1 MiB 184.0kB/s    00:08
    pkg: cached package xorg-server-1.18.4_6,1: size mismatch, fetching from remote
    [2/6] Fetching xorg-server-1.18.4_6,1.txz:  18%  272 KiB 180.2kB/s    00:08 ETA

At first I thought it was just that some FreeBSD mirrors were out of sync with each other. This happens quite frequently with Ubuntu mirrors. Usually, we give it a bit of time and the problem fixes itself. ...

February 15, 2018 · 4 min · 727 words · kenno

How to unban IP from PF firewall

This post is probably more relevant to my use case of a PF firewall running on FreeBSD 11.1, and I need to remind myself how to unblock an IP from the block list. Here’s a snippet of what’s in /etc/pf.conf:

    table <sshguard> persist

    # Don't send rejections. Just drop.
    set block-policy drop

    # Exempt the loopback interface to prevent services utilizing the
    # local loop from being blocked accidentally.
    set skip on lo0

    # all incoming traffic on external interface is normalized and fragmented
    # packets are reassembled.
    scrub in on $ext_if all fragment reassemble

    # set a default deny policy.
    block in log all

    # This is a desktop so be permissive in allowing outgoing connections.
    pass out quick modulate state

    # Enable antispoofing on the external interface
    antispoof for $ext_if inet
    #antispoof for $ext_if inet6

    # block packets that fail a reverse path check. we look up the routing
    # table, check to make sure that the outbound is the same as the source
    # it came in on. if not, it is probably source address spoofed.
    block in from urpf-failed to any

    # drop broadcast requests quietly.
    block in quick on $ext_if from any to 255.255.255.255

    block in log quick on $ext_if inet from <sshguard> to any

In the pf.conf, the blocked IP table is called sshguard. To list all the blocked IPs, run: ...

November 17, 2017 · 2 min · 269 words · kenno