There's never been a better time to build your own router—a practice which the FCC will hopefully not *also* ban for US #homelab consumers :)

https://www.youtube.com/watch?v=04oL0qVSWJE

Homebrew routers just got a whole lot more important in the US

Knowing how to build your own router for your homelab is going to be a useful skill, until this FCC ruling is reversed: https://www.fcc.gov/document/fcc-updat...

@geerlingguy as a guy who's been building his own routers professionally for decades now, this is great advice. Also it's really quite easy (and always has been with the right knowledge).
Just PLEASE don't run additional software on your routers. Run them on a device *behind* the router. You'll thank me eventually.
#firewall #router #sysadmin #networking

@mikebabcock @geerlingguy

Lol, that sounds like wisdom earned through blood and tears

@Madagascar_Sky @geerlingguy among other things, your 'forward' rules used to restrict access to your LAN don't apply directly to local services. Your INPUT rules for local services don't apply to forwarded things. And if you have an allocated fixed IP range from your ISP, you probably want to bridge instead of forwarding your interfaces as well.
Should totally document my standard Linux router setup some day.
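
An added illustration of the INPUT/FORWARD point above (editorial example, not code from the thread or from any poster's actual router setup): a toy model of which netfilter chain a packet traverses on a Linux router. A packet addressed to one of the router's own addresses is delivered locally and only ever sees INPUT; a packet being routed only ever sees FORWARD. So a "nothing from the WAN reaches the LAN" rule in FORWARD does nothing for a service you start on the router itself, and an INPUT accept does nothing for forwarded traffic. All addresses, interface names and ports are constructed for the example.

```python
"""Toy model of INPUT vs FORWARD on a Linux router (added example, not
from the thread). Routing decides the chain: local delivery -> INPUT,
routed traffic -> FORWARD. Rules in one chain never see the other's
packets. Addresses/ports below are constructed (TEST-NET-2/3, RFC 1918)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str      # source address
    dst: str      # destination address
    dport: int    # destination TCP port
    in_if: str    # interface the packet arrived on ("wan" or "lan")


@dataclass(frozen=True)
class Rule:
    chain: str                   # "INPUT" or "FORWARD"
    verdict: str                 # "ACCEPT" or "DROP"
    in_if: Optional[str] = None  # match on ingress interface
    src: Optional[str] = None    # CIDR matched against pkt.src
    dport: Optional[int] = None  # match on destination port

    def matches(self, pkt: Packet) -> bool:
        if self.in_if is not None and self.in_if != pkt.in_if:
            return False
        if self.src is not None and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


# The router's own addresses: WAN side and LAN side (constructed).
ROUTER_ADDRS = {"203.0.113.2", "192.168.1.1"}
# Default policy when no rule matches, as with `iptables -P <chain> DROP`.
POLICY = {"INPUT": "DROP", "FORWARD": "DROP"}

# Baseline: LAN hosts may go out, nothing from the WAN is forwarded in,
# and SSH on the router is reachable from the LAN only.
RULES: List[Rule] = [
    Rule("FORWARD", "ACCEPT", in_if="lan", src="192.168.1.0/24"),
    Rule("FORWARD", "DROP", in_if="wan"),
    Rule("INPUT", "ACCEPT", in_if="lan", dport=22),
]


def chain_for(pkt: Packet) -> str:
    """Routing decision: local delivery goes to INPUT, everything else to FORWARD."""
    return "INPUT" if pkt.dst in ROUTER_ADDRS else "FORWARD"


def verdict(pkt: Packet, rules: List[Rule] = RULES,
            policy=POLICY) -> Tuple[str, str]:
    """First matching rule in the packet's chain wins, else the chain policy."""
    chain = chain_for(pkt)
    for rule in rules:
        if rule.chain == chain and rule.matches(pkt):
            return chain, rule.verdict
    return chain, policy[chain]


# The mistake the post warns about: run an extra service on the router and
# open its port in INPUT without pinning the interface. The FORWARD
# "DROP in wan" rule never sees this traffic, so the service is on the
# internet even though "nothing from the WAN gets into the LAN" still holds.
SLOPPY_RULES = RULES + [Rule("INPUT", "ACCEPT", dport=8080)]
FIXED_RULES = RULES + [Rule("INPUT", "ACCEPT", in_if="lan", dport=8080)]

if __name__ == "__main__":
    wan_to_lan_host = Packet("198.51.100.7", "192.168.1.50", 8080, "wan")
    wan_to_router = Packet("198.51.100.7", "203.0.113.2", 8080, "wan")
    print(verdict(wan_to_lan_host))              # ('FORWARD', 'DROP')
    print(verdict(wan_to_router, SLOPPY_RULES))  # ('INPUT', 'ACCEPT')
    print(verdict(wan_to_router, FIXED_RULES))   # ('INPUT', 'DROP')
```

The model uses iptables-style first-match semantics with a per-chain default policy; nftables `filter input` / `filter forward` chains behave the same way for this purpose. The practical check on a real box is to list both chains separately (`nft list chain inet filter input`, `... forward`) and ask, for every listening socket on the router, which INPUT rule covers it, rather than assuming the FORWARD rules do.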

@mikebabcock @geerlingguy

Make YouTube shorts, you'll reach the youngins so easily. Linux wisdom by bona fide sorcerer. Blood magic Linux this way.

@Madagascar_Sky @mikebabcock @geerlingguy I’m inclined to agree it will reach more eyes.

But a 3 minute short is not much time to cover firewalling. Not in sufficient detail.

There is so much you need to know about networking and services to be able to understand what the firewall is doing and what impact it will have other than just breaking things.

Admittedly less than packet sniffing.

😈

@drscriptt @Madagascar_Sky @geerlingguy see also "just turn off #selinux" on every package.
@mikebabcock @drscriptt @Madagascar_Sky @geerlingguy
Like Windows software which says "if you get antivirus errors, ignore them".

@Retreival9096 @drscriptt @Madagascar_Sky
I have different feelings about Windows AV than I do about mandatory access controls like SELinux.

We ship a small terminal emulator internally to clients. We do not pay the Microsoft tax to have them sign it. As a result, Defender yells at everyone that it might not be safe. Why? Because we didn't pay the tax. Not because it's safer to use signed software; it isn't.

#rant #antivirus

@mikebabcock @Retreival9096 @Madagascar_Sky could you sign it with an internal private corp cert and load the root cert into clients to avoid this issue?

I was involved in a different discussion elsewhere about this.

@drscriptt @Retreival9096 @Madagascar_Sky this gets around the Microsoft warnings but not the random AV warnings. I also don't like loading additional certs on client machines when I'm "just a vendor" and not their own IT. Respect and all that.
So yes, I right-click AV, disable for 10 minutes, load app, re-enable.

@mikebabcock @Retreival9096 @Madagascar_Sky I’m surprised that the AV doesn’t trust the local root certificate store. 🤔 TIL

I share your concern about a root certificate as a vendor.

In corporate IT there is more freedom for such things.

Though lately I’ve been messing with name based constraints as I work on things.

It’s an ongoing effort that both works (for the name on the tin) and doesn’t work (for IPs when name constraining to corp domain) at the same time.

Doing unconstrained allows me to sign SANs for the FQDN, UQN, nickname, and IP.

@drscriptt @Retreival9096 @Madagascar_Sky I'd really like a more powerful system-wide cert system (on Linux as well as Windows) with a full ACL rules system.

Cert A trusted for websites only.
Cert B trusted for applications not running as admin.
Cert C trusted for IPSec *and* website authentication.

Relatedly, I'm frequently found ranting about why I hate npm, pip, cargo et al. from a verification perspective.

@mikebabcock I would wonder if you could use (an environment variable which points to) a custom openssl.conf file that has separate configurations specifying where the trusted root certificates are.

Today has been long enough that I don’t remember if it’s .conf or .cnf, so take what I’m saying for a BIG helping of salt.

You might be able to have a custom file that includes the default configuration file and overwrite the CA specification at the end.

Or if OpenSSL's config is like OpenSSH's config, specify it at the top and nothing coming after can change it.

You can play (sym)link games to have some of the same certs in custom CA directories as the default CA directory. Or elsewhere if they aren’t in the default.

I’m speculating out of my ring buffer. But that’s what I’d try if I were you.

No, I don't fault you for wanting to do this.

I may blame you a little bit for prompting me to question the same thing.

@mikebabcock @drscriptt @Retreival9096

rpm-ostree all the way baybee!

It's a pain in the ass, but "only sandboxed apps please" is a good approach to making users safe. I think.

I'm sorry, this was off topic. I saw pip and immediately was transported back to Vietnam, trying to manage different Python environments. Toolbox has made my life so much easier. Python install looking mangled? Delete and re-install.

I'm not a professional dev.