There's never been a better time to build your own router—a practice which the FCC will hopefully not *also* ban for US #homelab consumers :)

https://www.youtube.com/watch?v=04oL0qVSWJE

Homebrew routers just got a whole lot more important in the US

Knowing how to build your own router for your homelab is going to be a useful skill, until this FCC ruling is reversed: https://www.fcc.gov/document/fcc-updat...

@geerlingguy as a guy who's been building his own routers professionally for decades now, this is great advice. Also it's really quite easy (and always has been with the right knowledge).
Just PLEASE don't run additional software on your routers. Run them on a device *behind* the router. You'll thank me eventually.
#firewall #router #sysadmin #networking

@mikebabcock @geerlingguy

Lol, that sounds like wisdom earned through blood and tears

@Madagascar_Sky @geerlingguy among other things, your 'forward' rules used to restrict access to your LAN don't apply directly to local services. Your INPUT rules for local services don't apply to forwarded things. And if you have an allocated fixed IP range from your ISP, you probably want to bridge instead of forwarding your interfaces as well.
Should totally document my standard Linux router setup some day.
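One way to see the distinction in the post above in an actual ruleset, as an added nftables example that is not from the thread or from anyone's documented setup: packets addressed to the router's own services only ever traverse the input chain, and packets passing between interfaces only ever traverse the forward chain, so a restrictive forward policy says nothing about who can reach sshd on the router. The interface names wan0/lan0 and the 192.168.10.0/24 subnet are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example; interface names and LAN subnet are assumed, not from the thread.
flush ruleset

define WAN = wan0
define LAN = lan0
define LAN_NET = 192.168.10.0/24

table inet filter {
    # Traffic addressed TO the router itself (sshd, dnsmasq, ...).
    # Nothing in the forward chain below is consulted for these packets.
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif lo accept
        # Router services are reachable only from the LAN side.
        iifname $LAN ip saddr $LAN_NET tcp dport 22 accept   comment "ssh from LAN only"
        iifname $LAN udp dport { 53, 67 } accept             comment "dns and dhcp from LAN"
        iifname $LAN tcp dport 53 accept
        icmp type echo-request limit rate 5/second accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
        # Anything else arriving from the WAN for the router's own sockets is dropped.
        iifname $WAN counter drop
    }

    # Traffic passing THROUGH the router between interfaces.
    # These rules never see a packet destined for the router's own listening sockets,
    # so a "block WAN to LAN" rule here does not protect the router's ssh daemon.
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname $LAN oifname $WAN accept                     comment "LAN to Internet"
        iifname $WAN oifname $LAN counter drop               comment "unsolicited WAN to LAN"
    }
}

table ip nat {
    # Source NAT for LAN hosts leaving via the WAN interface.
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname $WAN masquerade
    }
}
```

Load with `nft -f` and compare `nft list chain inet filter input` against `forward`: a WAN-side probe of port 22 on the router is counted in the input chain's final drop, never in the forward chain.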

@mikebabcock @geerlingguy

Make YouTube shorts, you'll reach the youngins so easily. Linux wisdom by bonafide sorcerer. Blood magic Linux this way.

@Madagascar_Sky @mikebabcock @geerlingguy I’m inclined to agree it will reach more eyes.

But a 3 minute short is not much time to cover firewalling. Not in sufficient detail.

There is so much you need to know about networking and services to be able to understand what the firewall is doing and what impact it will have other than just breaking things.

Admittedly less than packet sniffing.

😈

@drscriptt @Madagascar_Sky @geerlingguy see also "just turn off #selinux" on every package.
@mikebabcock @Madagascar_Sky @geerlingguy I say “no” followed by “not yet” and “not without explicit information on why it won’t work with SELinux enabled” when people suggest that I should disable SELinux or similar things.
@drscriptt so there I am on the phone with tech support for a database vendor and he explains that licensing isn't working because #SELinux is enabled, so I set it to permissive, log the errors, make an appropriate permissions list, compile and turn it back on.
He says "nobody in house has made it work with SELinux on" -- obviously none of them spent 15 minutes learning how to use the tools. Ugh. #rant

@mikebabcock that sounds about like what I’ve seen most other people not try to do.

Kudos to you sir!

What database?

I was actually thinking Oracle when I typed my previous comment.

Aside: I’ve seen a very small number of things fail in permissive mode but work when disabled. That was weird. It too required audit log mining and updating the policy to make work.

@drscriptt

I've also run into this, and there are ways around it, but it's really annoying. It usually means the software is doing something pretty non-standard and makes you wonder.

That said, I'm not going to throw the (much smaller than Oracle) vendor under the bus ... but much smaller.