There's never been a better time to build your own router—a practice which the FCC will hopefully not *also* ban for US #homelab consumers :)

https://www.youtube.com/watch?v=04oL0qVSWJE

Homebrew routers just got a whole lot more important in the US

Knowing how to build your own router for your homelab is going to be a useful skill, until this FCC ruling is reversed: https://www.fcc.gov/document/fcc-updat...

@geerlingguy as a guy who's been building his own routers professionally for decades now, this is great advice. Also it's really quite easy (and always has been with the right knowledge).
Just PLEASE don't run additional software on your routers. Run them on a device *behind* the router. You'll thank me eventually.
#firewall #router #sysadmin #networking

@mikebabcock @geerlingguy

Lol, that sounds like wisdom earned through blood and tears

@Madagascar_Sky @geerlingguy among other things, your 'forward' rules used to restrict access to your LAN don't apply directly to local services. Your INPUT rules for local services don't apply to forwarded things. And if you have an allocated fixed IP range from your ISP, you probably want to bridge instead of forwarding your interfaces as well.
Should totally document my standard Linux router setup some day.

@mikebabcock @geerlingguy

Make YouTube shorts, you'll reach the youngins so easily. Linux wisdom by bonafide sorcerer. Blood magic Linux this way.

@Madagascar_Sky @mikebabcock @geerlingguy I’m inclined to agree it will reach more eyes.

But a 3 minute short is not much time to cover firewalling. Not in sufficient detail.

There is so much you need to know about networking and services to be able to understand what the firewall is doing and what impact it will have other than just breaking things.

Admittedly less than packet sniffing.

😈

@drscriptt @Madagascar_Sky @geerlingguy see also "just turn off #selinux" on every package.
@mikebabcock @Madagascar_Sky @geerlingguy I say “no” followed by “not yet” and “not without explicit information on why it won’t work with SELinux enabled” when people suggest that I should disable SELinux or similar things.
@drscriptt so there I am on the phone with tech support for a database vendor and he explains that licensing isn't working because #SELinux is enabled, so I set it to permissive, log the errors, make an appropriate permissions list, compile and turn it back on.
He says "nobody in house has made it work with SELinux on" -- obviously none of them spent 15 minutes learning how to use the tools. Ugh. #rant

@mikebabcock that sounds about like what I’ve seen most other people not try to do.

Kudos to you sir!

What database?

I was actually thinking Oracle when I typed my previous comment.

Aside: I’ve seen a very small number of things fail in permissive mode but work when disabled. That was weird. It too required audit log mining and updating the policy to make work.

@drscriptt

I've also run into this, and there are ways around it, but it's really annoying. It usually means the software is doing something pretty non-standard and makes you wonder.

That said, I'm not going to throw the (much smaller than Oracle) vendor under the bus ... but much smaller.

@mikebabcock @drscriptt @Madagascar_Sky @geerlingguy
Like windows software which says "if you get antivirus errors, ignore them".

@Retreival9096 @drscriptt @Madagascar_Sky
I have different feelings about Windows AV than I do about mandatory access controls like SELinux.

We ship a small terminal emulator internally to clients. We do not pay the Microsoft tax to have them sign it. As a result, Defender yells at everyone that it might not be safe. Why? Because we didn't pay the tax. Not because it's safer to use signed software; it isn't.

#rant #antivirus

@mikebabcock @Retreival9096 @Madagascar_Sky could you sign it with an internal private corp cert and load the root cert into clients to avoid this issue?

I was involved in a different discussion elsewhere about this.

@drscriptt @Retreival9096 @Madagascar_Sky this gets around the Microsoft warnings but not the random AV warnings. I also don't like loading additional certs on client machines when I'm "just a vendor" and not their own IT. Respect and all that.
So yes I right-click AV, disable for 10 minutes, load app, re-enable.

@mikebabcock @Retreival9096 @Madagascar_Sky I’m surprised that the AV doesn’t trust the local root certificate store. 🤔 TIL

I share your concern about a root certificate as a vendor.

In corporate IT there is more freedom for such things.

Though lately I’ve been messing with name based constraints as I work on things.

It’s an ongoing effort that both works (for the name on the tin) and doesn’t work (for IPs when name constraining to corp domain) at the same time.

Doing unconstrained allows me to sign SANs for the FQDN, UQN, nickname, and IP.

@drscriptt @Retreival9096 @Madagascar_Sky I'd really like a more powerful system-wide cert system (on Linux as well as Windows) with a full ACL rules system.

Cert A trusted for websites only.
Cert B trusted for applications not running as admin.
Cert C trusted for IPSec *and* website authentication.

Relatedly, I'm frequently found ranting about why I hate npm, pip, cargo et al. from a verification perspective.

@mikebabcock I would wonder if you could use (an environment variable which points to) a custom openssl.conf file that has separate configurations specifying where the trusted root certificates are.

Today has been long enough that I don’t remember if it’s .conf or .cnf, so take what I’m saying for a BIG helping of salt.

You might be able to have a custom file that includes the default configuration file and overwrite the CA specification at the end.

Or if OpenSSL’s config is like OpenSSH’s config, specify it at the top and nothing coming after can change it.

You can play (sym)link games to have some of the same certs in custom CA directories as the default CA directory. Or elsewhere if they aren’t in the default.

I’m speculating out of my ring buffer. But that’s what I’d try if I were you.

No, I don't fault you for wanting to do this.

I may blame you a little bit for prompting me to question the same thing.

@mikebabcock @drscriptt @Madagascar_Sky And if that's explained well to the user, that's great. I don't like those who blanket say ignore warnings without giving the reasons. And having Avira say it thinks something is a virus is different than having Defender say something isn't signed. (Even though both might be safe.)

@Madagascar_Sky as much as I love some other people's videos (who I untagged because this is barely about his post at this point), I'm thinking a substack/medium post would be too short to cover the details.

Relatedly, I'm reminded of when quality of service scripts started popping up to magically configure people's routers before fq_codel and cake ... nobody was *learning* how things worked, they were just applying fixes like script kiddies.

I want people to understand instead. #technology

@mikebabcock @Madagascar_Sky @geerlingguy

I’d be curious to read such an article.

I should do similar too.

Aside: when the FORWARD and INPUT chain jump to a common (sub)chain, they can share rules. 😈

Assuming iptables which I’ve been doing for … ~25 years.

I remember reading a Sys Admin magazine article about the new iptables in about 2001. Been using it ever since.
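Added example, not posted by anyone in this thread: a minimal iptables-restore ruleset for a Linux router that shows both points raised above, that INPUT (services on the router) and FORWARD (traffic through it) need their own rules, and that both chains can jump to one shared sub-chain. Interface names lan0/wan0 and the 192.168.1.0/24 LAN are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): iptables-restore ruleset for a
# Linux router with a shared sub-chain reached from both INPUT and FORWARD.
# Interface names and LAN range are assumed placeholders; adjust to your box.
WAN_IF="${WAN_IF:-wan0}"
LAN_IF="${LAN_IF:-lan0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Print the ruleset; apply it (as root) with:  ruleset | iptables-restore
ruleset() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:common - [0:0]
# Rules every packet should see, whether it is for the router (INPUT)
# or passing through it (FORWARD): one sub-chain, two jumps.
-A INPUT -j common
-A FORWARD -j common
-A common -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A common -m conntrack --ctstate INVALID -j DROP
-A common -i $WAN_IF -s $LAN_NET -j DROP
# INPUT: services on the router itself. Nothing in FORWARD reaches
# these, so LAN-only SSH/DNS/DHCP must be allowed here explicitly.
-A INPUT -i lo -j ACCEPT
-A INPUT -i $LAN_IF -p tcp --dport 22 -j ACCEPT
-A INPUT -i $LAN_IF -p udp --dport 53 -j ACCEPT
-A INPUT -i $LAN_IF -p udp --dport 67 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
# FORWARD: traffic between LAN and WAN. Allowing LAN -> WAN here opens
# no router service; WAN -> LAN falls through to the DROP policy.
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
COMMIT
EOF
}

# Number of built-in chains that jump to the shared sub-chain (expect 2).
shared_jumps() { ruleset | grep -c -- '-j common$'; }

ruleset
```

Review the printed output with `ruleset | iptables-restore --test` before applying it on a box you can only reach over the network.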