Ah, obviously. #docker only gets along with #firewalld if the latter is using the iptables backend (not the higher performing nftables default).
The #iptables backend is deprecated and slated for removal.
And of course there's no error message if configured "incorrectly", just random breakage that one then gets to debug!
I hate computers. I wish I was good enough at something else.
Hey Fediverse , have you heard of Wireguard VPN networks?
No worries - we're not trying to trick you into subscribing to another scammy VPN provider that you don't need 😉
Wireguard is an Open Source VPN protocol and implementation for lightweight VPN connections that "just work". We've been using this technology to connect our ZERO #AMPS nodes across the internet and to our office. It enables us to monitor and update AMPS devices remotely without any client interaction.
To make sure that sensitive customer data does not leak, we've come up with a security concept for our VPN server. We share a part of our implementation in our latest blog post:
After spending yesterday entirely by re-implementing #tcp in #userspace I now know:
TCP is weird
we have the PSH flag that completely makes the data ignore the TCP send/receive buffers and directly writes into the application's stream
ACK can be part of literally any other package; you also can SYN, FIN or PSH data while ACK'ing
zero-length data packages technically exist, but they don't do anything; they don't even wake up the FD when it's in an epoll
the #linux #kernel is funny: it responds with RST to incoming TCP packets, even on raw sockets; you'll need to drop them via #iptables if you want to implement TCP in userspace
Learned a lot! Now I can go on and create a few tests for #webservers; mainly SYN floods and so on.
Can I route my #pivpn traffic out to the internet via an online vpn provider. Say #protonvpn for example? Am I going to have to go deep into #iptables or would installing the protonvpn cli and enabling it be enough?
When can #Firefox get this feature? I had no idea #portscanning from the web was a thing. That's far too invasive. Is there a sane way to set this up locally #Linux with #iptables?
en: OK #fediverse fellows, here's a pad with IPv4 #iptables rules to block inbound traffic from #meta & their friends, feel free to add any IPs/ranges that would be missing.
fr: OK folks, here's a pad with the IPv4 iptables rules blocking Meta and its friends inbound, feel free to add any IP/range that might be missing.
# Inbound rules match the remote source address; outbound rules must match the destination
iptables -A INPUT -s 157.240.22.63 -j DROP
iptables -A OUTPUT -d 157.240.22.63 -j DROP
ip6tables -A INPUT -s 2a03:2880:f231:c5:face:b00c:0:43fe -j DROP
ip6tables -A OUTPUT -d 2a03:2880:f231:c5:face:b00c:0:43fe -j DROP
Here's a list of #iptables and #ip6tables commands that admins can copy and paste into their #Fediverse server's command line to bulk-block all packets to and from IPv4 and IPv6 addresses owned by #Meta:
https://datakra.sh/assets/lizard.txt (the 2,024 domains listed here have been found to use one of 26 IPv4 addresses, with which I have updated the list on my Google Drive.)
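As an added example (not from any of the posts above), a POSIX sh script that turns an address list like the ones shared here into paired INPUT/OUTPUT DROP rules, picking iptables or ip6tables per address family and using -d on the OUTPUT side so outbound packets actually match. The function names and the sample list are constructed for this example; the two addresses in it are the ones quoted in the posts.

```shell
#!/bin/sh
# Generate iptables/ip6tables DROP rules from a list of addresses or CIDR ranges.
# Function names and the sample list below are assumptions made for this example.

# Choose the tool by address family: anything containing ':' is IPv6.
fw_tool() {
    case "$1" in
        *:*) echo ip6tables ;;
        *)   echo iptables ;;
    esac
}

# Emit the two rules for one address. Inbound matches the remote source;
# outbound must match the destination (an OUTPUT rule with -s would only
# ever match our own address and never fire).
block_rules_for() {
    addr="$1"
    tool=$(fw_tool "$addr")
    printf '%s -A INPUT -s %s -j DROP\n' "$tool" "$addr"
    printf '%s -A OUTPUT -d %s -j DROP\n' "$tool" "$addr"
}

# Read a list on stdin: one address or CIDR per line; '#' comments and
# blank lines are ignored, surrounding whitespace is stripped.
block_rules_from_list() {
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}
        line=$(printf '%s' "$line" | tr -d '[:space:]')
        [ -z "$line" ] && continue
        block_rules_for "$line"
    done
}

# Constructed sample list (not an authoritative block list).
SAMPLE_LIST='# constructed sample
157.240.22.63
2a03:2880:f231:c5:face:b00c:0:43fe
'

# Print the generated rules; pipe the output into sh as root to apply them.
if [ "${1:-}" = "--demo" ]; then
    printf '%s' "$SAMPLE_LIST" | block_rules_from_list
fi
```

Review the generated output before applying it; repeated runs append duplicate rules unless you check with `iptables -C` first or flush the chain.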
The more I am digging in to #linux, the more I am realizing I really need to take the time to grok #iptables. This way I'll understand what tools like #firewalld and #ufw are really doing.
Is there really no #Linux #firewall that can allow or block FQDNs or domains?
iptables doesn't do it, and #ufw is just a frontend for #iptables. What else is out there for #Debian based machines?
For context: I've been around Linux since the days of ipchains. I know the #OSI model and run my own #DNS servers (primary, secondary, and resolving/caching), so there's no need to explain why this feature is non-trivial to implement.
Most other OSes have this feature and it's pretty reasonable to want