There's never been a better time to build your own router—a practice which the FCC will hopefully not *also* ban for US #homelab consumers :)

https://www.youtube.com/watch?v=04oL0qVSWJE

Homebrew routers just got a whole lot more important in the US

Knowing how to build your own router for your homelab is going to be a useful skill, until this FCC ruling is reversed: https://www.fcc.gov/document/fcc-updat...

@geerlingguy but is it made in US when all your components for it are not made in US?
@geerlingguy Exactly my thought when I heard about this silliness.
@geerlingguy a silly question I sometimes ask Steven J. Vaughan-Nichols, thinking of moving to the land of the free or as some call it Canada?

@geerlingguy

shakedowns are not tariffs.

@geerlingguy as a guy who's been building his own routers professionally for decades now, this is great advice. Also it's really quite easy (and always has been with the right knowledge).
Just PLEASE don't run additional software on your routers. Run them on a device *behind* the router. You'll thank me eventually.
#firewall #router #sysadmin #networking

@mikebabcock @geerlingguy

Lol, that sounds like wisdom earned through blood and tears

@Madagascar_Sky @geerlingguy among other things, your 'forward' rules used to restrict access to your LAN don't apply directly to local services. Your INPUT rules for local services don't apply to forwarded things. And if you have an allocated fixed IP range from your ISP, you probably want to bridge instead of forwarding your interfaces as well.
Should totally document my standard Linux router setup some day.

@mikebabcock @geerlingguy

Make YouTube shorts, you'll reach the youngins so easily. Linux wisdom by bonafide sorcerer. Blood magic Linux this way.

@Madagascar_Sky @mikebabcock @geerlingguy I’m inclined to agree it will reach more eyes.

But a 3 minute short is not much time to cover firewalling. Not in sufficient detail.

There is so much you need to know about networking and services to be able to understand what the firewall is doing and what impact it will have other than just breaking things.

Admittedly less than packet sniffing.

😈

@drscriptt @Madagascar_Sky @geerlingguy see also "just turn off #selinux" on every package.
@mikebabcock @Madagascar_Sky @geerlingguy I say “no” followed by “not yet” and “not without explicit information on why it won’t work with SELinux enabled” when people suggest that I should disable SELinux or similar things.
@drscriptt so there I am on the phone with tech support for a database vendor and he explains that licensing isn't working because #SELinux is enabled, so I set it to permissive, log the errors, make an appropriate permissions list, compile and turn it back on.
He says "nobody in house has made it work with SELinux on" -- obviously none of them spent 15 minutes learning how to use the tools. Ugh. #rant

@mikebabcock that sounds about like what I’ve seen most other people not try to do.

Kudos to you sir!

What database?

I was actually thinking Oracle when I typed my previous comment.

Aside; I’ve seen a very small number of things fail in permissive mode but work when disabled. That was weird. It too required audit log mining and updating the policy to make work.

@drscriptt

I've also run into this, and there are ways around it, but it's really annoying. It usually means the software is doing something pretty non-standard and makes you wonder.

That said, I'm not going to throw the (much smaller than Oracle) vendor under the bus ... but much smaller.

@mikebabcock @drscriptt @Madagascar_Sky @geerlingguy
Like windows software which says "if you get antivirus errors, ignore them".

@Retreival9096 @drscriptt @Madagascar_Sky
I have different feelings about Windows AV than I do about mandatory access controls like SELinux.

We ship a small terminal emulator internally to clients. We do not pay the Microsoft tax to have them sign it. As a result, Defender yells at everyone that it might not be safe. Why? Because we didn't pay the tax. Not because it's safer to use signed software; it isn't.

#rant #antivirus

@mikebabcock @Retreival9096 @Madagascar_Sky could you sign it with an internal private corp cert and load the root cert into clients to avoid this issue?

I was involved in a different discussion elsewhere about this.

@drscriptt @Retreival9096 @Madagascar_Sky this gets around the Microsoft warnings but not the random AV warnings. I also don't like loading additional certs on client machines when I'm "just a vendor" and not their own IT. Respect and all that.
So yes I right-click AV, disable for 10 minutes, load app, re-enable.

@mikebabcock @Retreival9096 @Madagascar_Sky I’m surprised that the AV doesn’t trust the local root certificate store. 🤔 TIL

I share your concern about a root certificate as a vendor.

In corporate IT there is more freedom for such things.

Though lately I’ve been messing with name based constraints as I work on things.

It’s an ongoing effort that both works (for the name on the tin) and doesn’t work (for IPs when name constraining to corp domain) at the same time.

Doing unconstrained allows me to sign SANs for the FQDN, UQN, nickname, and IP.

@drscriptt @Retreival9096 @Madagascar_Sky I'd really like a more powerful system-wide cert system (on Linux as well as Windows) with a full ACL rules system.

Cert A trusted for websites only.
Cert B trusted for applications not running as admin.
Cert C trusted for IPSec *and* website authentication.

Relatedly, I'm frequently found ranting about why I hate npm, pip, cargo et al. from a verification perspective.

@mikebabcock I would wonder if you could use (an environment variable which points to) a custom openssl.conf file that has separate configurations specifying where the trusted root certificates are.

Today has been long enough that I don’t remember if it’s .conf or .cnf, so take what I’m saying for a BIG helping of salt.

You might be able to have a custom file that includes the default configuration file and overwrite the CA specification at the end.

Or if OpenSSL's config is like OpenSSH's config, specify it at the top and nothing coming after can change it.

You can play (sym)link games to have some of the same certs in custom CA directories as the default CA directory. Or elsewhere if they aren’t in the default.

I’m speculating out of my ring buffer. But that’s what I’d try if I were you.

No, I don't fault you for wanting to do this.

I may blame you a little bit for prompting me to question the same thing.

@mikebabcock @drscriptt @Retreival9096

rpm-ostree all the way baybee!

It's a pain in the ass, but "only sandboxed apps please" is a good approach to making users safe. I think.

I'm sorry, this was off topic. I saw pip and immediately was transported back to vietnam, trying to manage different python environments. Toolbox has made my life so much easier. Python install looking mangled? Delete and re-install.

I'm not a professional dev.

@mikebabcock @drscriptt @Madagascar_Sky And if that's explained well to the user, that's great. I don't like those who blanket say ignore warnings without giving the reasons. And having Avira say it thinks something is a virus is different than having Defender say something isn't signed. (Even though both might be safe.)

@Madagascar_Sky as much as I love some other people's videos (who I untagged because this is barely about his post at this point), I'm thinking a substack/medium post would be too short to cover the details.

Relatedly, I'm reminded of when quality of service scripts started popping up to magically configure peoples' routers before fqcodel and cake ... nobody was *learning* how things worked, they were just applying fixes like script kiddies.

I want people to understand instead. #technology

@mikebabcock @Madagascar_Sky @geerlingguy

I’d be curious to read such an article.

I should do similar too.

Aside: when the FORWARD and INPUT chain jump to a common (sub)chain, they can share rules. 😈

Assuming iptables which I’ve been doing for … ~25 years.

I remember reading a Sys Admin magazine article about the new iptables in about 2001. Been using it ever since.
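The two points made in this thread, that FORWARD rules never protect local services and INPUT rules never govern forwarded traffic, and that both chains can jump to a common chain to share rules, shown in one ruleset. This is an added example, not from any post above; it uses nftables syntax (the successor to the iptables chains named here), and the interface names wan0/lan0, the 192.168.1.0/24 LAN and the service ports are assumed.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread. The input hook only sees packets
# addressed *to* the router; the forward hook only sees packets passing
# *through* it. Rules that must hold in both cases live in one regular chain
# that both hooked chains jump to. wan0/lan0, 192.168.1.0/24 and the
# ports below are assumed values for the example.

flush ruleset

table inet filter {
    # Shared by input and forward: state tracking and anti-spoofing.
    chain common {
        ct state established,related accept
        ct state invalid drop
        # Nothing arriving on the WAN may claim a LAN source address.
        iifname "wan0" ip saddr 192.168.1.0/24 drop
        icmp type { echo-request, destination-unreachable, time-exceeded } limit rate 10/second accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
    }

    # Traffic to the router's own services (ssh, dns, dhcp) from the LAN only.
    # A rule in `forward` would never apply to these packets.
    chain input {
        type filter hook input priority filter; policy drop;
        iifname "lo" accept
        jump common
        iifname "lan0" tcp dport 22 accept
        iifname "lan0" udp dport { 53, 67 } accept
        iifname "lan0" tcp dport 53 accept
        # Anything from wan0 not matched above falls through to policy drop.
    }

    # Traffic between interfaces. The accept rules in `input` do not reach
    # this chain; only `common` is shared.
    chain forward {
        type filter hook forward priority filter; policy drop;
        jump common
        iifname "lan0" oifname "wan0" accept
        # WAN to LAN is allowed only as established/related via `common`.
    }
}

table inet nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "wan0" masquerade
    }
}
```

Load with `nft -f` on the router and confirm the chains with `nft list ruleset`; `nft -c -f` checks the syntax without applying it.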

@geerlingguy The "Forbidden Router" from Level1 techs. Thanks Jeff, I agree 100%!

@geerlingguy hmm, one of the reasons wifi chipset vendors (for example to provide #OpenWrt support) have more and more grown to refuse not just source code but also hardware/programming specifications is a blind reference to the #FCC not allowing it. It's understood that with documentation *anyone* can then modify it to use frequencies or modulations not permitted by the #FCC

This is now a completely useless argument, if the FCC doesn’t approve routers anyway, so I’ll say, let them release the full specs! It would actually benefit the router ecosystem to bring up everyone to at least the security of OpenWrt…

@geerlingguy

After thinking of my stash of old routers and hoping I can still get new dev boards... I went and complained to my representative because this is also a stupid rule and congress could overturn it.

@geerlingguy Or snag yourself a Dell VEP aftermarket like I did this week for OPNsense development.
@geerlingguy so true. I’ve been running a #Debian firewall with iptables for the better part of a decade and it’s worked incredibly well. Basically any computer that can boot Linux will work. I even used a USB Ethernet dongle for a while.

@nbailey @geerlingguy

Build it while you can!

@geerlingguy so if they can't sell to consumers but can sell to businesses does that mean that you can still rent a router from your ISP? Is that too "small potatoes" to be the motivation behind this?
@geerlingguy it's also the worst time cause you have to pray that your ISP overlord allows you to use your own hardware 🙃
@geerlingguy trying to ban DIY router builds would fail just like age verification will fail in the open source OS space..
@geerlingguy I hate to say it, but this is exactly the action you take if your plan is to back-door the internet connection of every US American, in a shoddy fashion
@geerlingguy FCC will agree if you add an open tap for NSA free access.
Is there some solution to replace a fiber optics receiver? I'd like to try self-hosting without requiring a VPS, but I'm not sure if there are any routers that allow me to substitute the one provided by my ISP for that specific case.

@csolisr
So you have an FTTH type of setup, right? So why don't you just put your own router right behind the ISP provided fibre to ethernet box?

That's what I do. I treat the ISP device as an untrusted device, a part of the public internet as far as I'm concerned. No need to try to circumvent the ISP device.

@geerlingguy You'll have a Microslop-made router and you'll like it mister.

@geerlingguy
OpenWRT One [1], anyone? By buying the product you will also support, through SFC, development of OpenWRT.

https://openwrt.org/toh/openwrt/one