There's never been a better time to build your own router—a practice which the FCC will hopefully not *also* ban for US #homelab consumers :)
Knowing how to build your own router for your homelab is going to be a useful skill, until this FCC ruling is reversed:https://www.fcc.gov/document/fcc-updat...
Lol, that sounds like wisdom earned through blood and tears
Make YouTube shorts, you'll reach the youngins so easily. Linux wisdom by bonafide sorcerer. Blood magic Linux this way.
@Madagascar_Sky @mikebabcock @geerlingguy I’m inclined to agree it will reach more eyes.
But a 3 minute short is not much time to cover firewalling. Not in sufficient detail.
There is so much you need to know about networking and services to be able to understand what the firewall is doing and what impact it will have other than just breaking things.
Admittedly less than packet sniffing.
😈
@mikebabcock that sounds about like what I’ve seen most other people not try to do.
Kudos to you sir!
What database?
I was actually thinking Oracle when I typed my previous comment.
Aside; I’ve seen a very small number of things fail in permissive mode but work when disabled. That was weird. It too required audit log mining and updating the policy to make work.
I've also run into this, and there are ways around it, but its really annoying. It usually means the software is doing something pretty non-standard and makes you wonder.
That said, I'm not going to throw the (much smaller than Oracle) vendor under the bus ... but much smaller.
@Retreival9096 @drscriptt @Madagascar_Sky
I have different feelings about Windows AV than I do about mandatory access controls like SELinux.
We ship a small terminal emulator internally to clients. We do not pay the Microsoft tax to have them sign it. As a result, Defender yells at everyone that it might not be safe. Why? Because we didn't pay the tax. Not because its safer to use signed software; it isn't.
@mikebabcock @Retreival9096 @Madagascar_Sky could you sign it with an internal private corp cert and load the root cert I to clients to avoid this issue?
I was involved in a different discussion elsewhere about this.
@mikebabcock @Retreival9096 @Madagascar_Sky I’m surprised that the AV doesn’t trust the local root certificate store. 🤔 TIL
I share your concern about a root certificate as a vendor.
In corporate IT there is more freedom for such things.
Though lately I’ve been messing with name based constraints as I work on things.
It’s an ongoing effort that both works (for the name on the tin) and doesn’t work (for IPs when name constraining to corp domain) at the same time.
Doing unconstrained allows me to sign SANs for the FQDN, UQN, nickname, and IP.
@drscriptt @Retreival9096 @Madagascar_Sky I'd really like a more powerful system-wide cert system (on Linux as well as Windows) with a full ACL rules system.
Cert A trusted for websites only.
Cert B trusted for applications not running as admin.
Cert C trusted for IPSec *and* website authentication.
Relatedly, I'm frequently found ranting about why I hate npm, pip, cargo et al. from a verification perspective.
@mikebabcock I would wonder if you could use (an environment variable which points to) a custom openssl.conf file that has separate configurations specifying where the trusted root certificates are.
Today has been long enough that I don’t remember if it’s .conf or .cnf, so take what I’m saying for a BIG helping of salt.
You might be able to have a custom file that includes the default configuration file and overwrite the CA specification at the end.
Or if OpenSSL’s config is like OpenSSH’s config specify it at the top and nothing comi g after can change it.
You can play (sym)link games to have some of the same certs in custom CA directories as the default CA directory. Or elsewhere if they aren’t in the default.
I’m speculating out of my ring buffer. But that’s what I’d try if I were you.
No, I do t fault you for wanting to do this.
I may blame you a little bit for prompting me to question the same thing.
@mikebabcock @drscriptt @Retreival9096
rpm-ostree all the way baybee!
It's a pain in the ass, but "only sandboxed apps please" is a good approach to making users safe. I think.
I'm sorry, this was off topic. I saw pip and immediately was transported back to vietnam, trying to manage different python environments. Toolbox has made my life so much easier. Python install looking mangled? Delete and re-install.
I'm not a professional dev.
@Madagascar_Sky as much as I love some other people's videos (who I untagged because this is barely about his post at this point), I'm thinking a substack/medium post would be too short to cover the details.
Relatedly, I'm reminded of when quality of service scripts started popping up to magically configure peoples' routers before fqcodel and cake ... nobody was *learning* how things worked, they were just applying fixes like script kiddies.
I want people to understand instead. #technology
Jeff Geerling
Michael T Babcock
Madagascar_Sky
DrScriptt
Analog AI