|
unruly posted:Install ufw or firewalld. loving around with nftables or iptables is for greybeards. On a machine that travels, it's not worth the headache. is it as simple as that? (skim) reading the wiki on this it seems I configure the default to be the "public" profile (assuming this is the most secure) and then my home wifi to "home" and done? told you it might be a stupid question..! ta
|
#
?
Aug 8, 2023 22:16
|
|
|
|
| # ? Jun 10, 2024 14:12 |
|
|
Bozza posted:is it as simple as that? (skim) reading the wiki on this it seems I configure the default to be the "public" profile (assuming this is the most secure) and then my home wifi to "home" and done?
|
|
#
?
Aug 8, 2023 22:22
|
|
|
brill, thanks so much!
|
|
#
?
Aug 8, 2023 22:36
|
|
|
unruly posted:Install ufw or firewalld. loving around with nftables or iptables is for greybeards. On a machine that travels, it's not worth the headache. This is good advice.
|
|
#
?
Aug 9, 2023 00:01
|
|
|
Anyone know of a good “immutable” distro for ARM (Pi4)? I’d kinda like to try that for “appliance” maintenance on a project server.
|
|
#
?
Aug 9, 2023 00:10
|
|
|
Subjunctive posted:Anyone know of a good “immutable” distro for ARM (Pi4)? I’d kinda like to try that for “appliance” maintenance on a project server. I know a few "technically it is reported to work" ones Fedora CoreOS Flatcar Container Linux BalenaOS Alpine has some sort of Read-Only mode I've only tried Flatcar and was unable to get it to display any kernel messages on the monitor. Maybe the kernel booted, maybe not. Probably not. But it was not the PiOS "dd an SD card and plug it in" experience I was hoping for. cruft fucked around with this message at 00:24 on Aug 9, 2023 |
|
#
?
Aug 9, 2023 00:18
|
|
|
Thanks, maybe I’ll give Fedora a spin.
|
|
#
?
Aug 9, 2023 03:07
|
|
|
cruft posted:I know a few "technically it is reported to work" ones IoT might be a better pick for a bare metal install on a Pi4. https://fedoraproject.org/iot/ The ignition file requirement for CoreOS makes installing it outside of the cloud or VMs kind of a pain. You can also replicate the auto updates of CoreOS with this https://discussion.fedoraproject.org/t/how-to-actually-enable-automatic-updates-in-fedora-iot/77061/3
|
|
#
?
Aug 9, 2023 03:47
|
|
|
Bozza posted:Potentially an absolutely stupid question but looking for some advice wrt firewalls It's not a stupid question; everyone has to start somewhere. Bozza posted:I've got a relatively fresh arch install which I've been dicking about with but working through the tips on the wiki I've neglected to install a firewall. tbh most of the time I'm in my house so sat behind my router firewall and therefore not really that bothered. however I do occasionally use my laptop when I go away for work (for personal use, have a work laptop so there's nothing "sensitive" on it as such) so thought I'd beef it up a bit. Yes a firewall on a laptop is a good idea and no it's not security theater. The router firewall protects you from malicious traffic outside your home network, but a router firewall does nothing to protect your laptop if you connect it to a network outside the house (wifi at a coffee shop, airport, hotel, etc). A router firewall also does not protect your laptop from malicious traffic inside your home network. Examples of how someone might breach a home network: an unpatched IoT device (e.g. "smart" devices like light bulbs, robot vacuums, doorbells, etc), an old printer, an IP camera, a smart TV, etc. Many, many years ago we moved a work machine from a lab into a "more secure" data center. The instant I connected the machine to the data center network, I noticed some suspicious dropped traffic in the system log. I showed the suspicious traffic to the data center technicians and they went off to investigate. It turns out that a machine on the data center network had been compromised, and whoever had gotten in was scanning the network looking for additional machines to break into. I guess my point is that even trusted networks can end up compromised, and a firewall is a great way of reducing your attack surface and increasing the visibility of suspicious network activity. Bozza posted:- same question again but I have wireguard configured to connect back to my home router via VPN so theoretically same level of protection I have sat on my sofa. just leave it in VPN and all hunky dory? I'm not really sure what question you're asking here, but I can confirm that WireGuard is a fantastic VPN. Bozza posted:- if the to the above is still yes, it is worth installing: is there a total fuckwits guide to setting up either iptables/nftables, or which one is better, and how to understand what ports etc I want open/closed? I agree with the other comments; it's easier to start off with something less fiddly like ufw or firewalld. If you decide to be a sadist and use iptables or nftables, they each have their pros and cons:
Personally I have a mixture of both iptables and nftables. I use iptables on older systems that are working fine and I don't want to mess with, and I use nftables on newer systems. If you are interested, I have some commented laptop and server nftables firewalls here. The ports that you would want open/closed vary depending on your use case, but here are some general rules of thumb:
Bozza posted:Arch wiki recommends the following for nftables but I can vaguely follow it. Is this all I need really and good to go? I mostly just use my laptop for watching YouTube and chatting on Discord so don't have massive need for loads of weird ports open but would be useful to see if I try and run something in the future and it bumps off it where I can find out who/what/why it did that and how to add info. The arch example you pasted seems like a reasonable starting point for a laptop firewall. In response to this comment: "where I can find out who/what/why it did that and how to add info": One change I would make to the Arch example you provided would be on the last line of the "my_input" chain. I would change that line from this: code:code:Bozza posted:
Edit: Fix typos. MrPablo fucked around with this message at 08:13 on Aug 9, 2023 |
|
#
?
Aug 9, 2023 07:59
|
|
|
Subjunctive posted:Anyone know of a good “immutable” distro for ARM (Pi4)? I’d kinda like to try that for “appliance” maintenance on a project server. I'm using Fedora IoT on my Pi. It is smooth sailing and I can reuse all my knowledge from my Silverblue PCs. A single warning: whatever you use the Pi for, make sure it starts automatically on a reboot, 'cause with immutable distros you'll have to reboot to deploy updates.
|
|
#
?
Aug 9, 2023 09:39
|
|
|
MrPablo posted:A router firewall also does not protect your laptop from malicious traffic inside your home network. Examples of how someone might breach a home network: an unpatched IoT device (e.g. "smart" devices like light bulbs, robot vacuums, doorbells, etc), an old printer, an IP camera, a smart TV, etc. You'll be pleased to know that all my internet of things devices are segregated off into a VLAN so hopefully none of that! I think it's even called InternetOfPiss quote:I'm not really sure what question you're asking here, but I can confirm that WireGuard is a fantastic VPN. It was that if I log into hotel WiFi but am always using Wireguard I'm basically back behind my home router again therefore no concerns but you covered that above so will [spoiler]have[/quote] install one quote:I agree with the other comments; it's easier to start off with something less fiddly like ufw or firewalld. Thanks so much for the detailed explanation, it's useful as a learner.
|
|
#
?
Aug 9, 2023 11:54
|
|
|
Bozza posted:It was that if I log into hotel WiFi but am always using Wireguard I'm basically back behind my home router again therefore no concerns but you covered that above so will have install one Wireguard covers all your outgoing traffic, but I'm not sure if it helps with services listening on interfaces. Run the command 'ss -lptu' and check if you have any processes listening on Local Address "0.0.0.0:", "*:", or "[::]:". Those might be accessible even with Wireguard running.
|
|
#
?
Aug 9, 2023 12:16
|
|
|
Okay, wiped my machine. Fresh ubuntu install since I'm not 100% on top of everything. I'm trying to get RDP or VNC to be able to connect. Did amdgpu-install and selected all driver options there in case whatever is needed, enabled sharing and tried to remote desktop from android's microsoft remote desktop app. Tried to VNC to the machine, and won't take the same password that RDP did. When I tried to RDP, it would connect but graphically it would bug out. What logs can I check for these scenarios, is there something other than /var/log/auth.log? code:notwithoutmyanus fucked around with this message at 20:58 on Aug 10, 2023 |
|
#
?
Aug 10, 2023 20:55
|
|
|
Bozza posted:You'll be pleased to know that all my internet of things devices are segregated off into a VLAN so hopefully none of that! I think it's even called InternetOfPiss That's great! We do the same thing; ours is called "nyet-iot-gtfo". Bozza posted:I think I'm going to get it all set up and running with firewalld then probably have a play round with nftables before I inevitably break it. Sounds like a good plan! Bozza posted:Thanks so much for the detailed explanation, it's useful as a learner. Sure, no problem.
|
|
#
?
Aug 11, 2023 00:25
|
|
|
Super basic question: where is considered a “best practices” location to store small tools/software? I’ve just been using a folder in my home directory for little python apps and whatnot
|
|
#
?
Aug 15, 2023 15:20
|
|
|
Call me basic but a lot of small bash scripts that I use once in a while (like not entire projects, but utilitarian stuff), I just put in ~/scripts/
|
|
#
?
Aug 15, 2023 15:32
|
|
|
Head Bee Guy posted:Super basic question: where is considered a “best practices” location to store small tools/software? I’ve just been using a folder in my home directory for little python apps and whatnot I used to always use ~/bin, now I use ~/.local/bin. Some installable things like to drop per-user CLI binaries there these days, so it has to be in my PATH anyway, and it's vaguely nice to not have that top level "bin" visible in my home directory.
|
|
#
?
Aug 15, 2023 16:01
|
|
|
JLaw posted:I used to always use ~/bin, now I use ~/.local/bin. Some installable things like to drop per-user CLI binaries there these days, so it has to be in my PATH anyway, and it's vaguely nice to not have that top level "bin" visible in my home directory. I still use ~/bin but I spend a lot of time developing scripts and software so having the directory visible is desirable. Otherwise I'd use ~/.local/bin
|
|
#
?
Aug 15, 2023 16:33
|
|
|
What's the actual difference between ~/.local/bin and ~/bin? This has come up from time to time but I still don't quite get the insistence that using ~/bin is bad.
|
|
#
?
Aug 15, 2023 16:35
|
|
|
F_Shit_Fitzgerald posted:What's the actual difference between ~/.local/bin and ~/bin? This has come up from time to time but I still don't quite get the insistence that using ~/bin is bad. It's not bad. It's your frickin' home directory. Set it up however you want. ~/.local/bin is apparently a standard (didn't know this until an hour ago) and lets you have binaries in your home directory without them showing up by default in the file manager or with ls. That's the only advantage. ~/bin is also a standard, in that Debian's shrc adds it to PATH if the directory exists. e: regarding Klyith's post below, I want to re-emphasize that there is absolutely nothing wrong with setting up your home directory however the hell you want. If you don't know how to set $PATH, use the xdg standard, it was made for you. I actually have ~/bin, ~/.local/bin, ~/scripts, and ~/bin/$(uname -s)-$(uname -m) in my PATH. That last one is for when my home dir is NFS mounted across multiple architectures and/or kernels. cruft fucked around with this message at 17:18 on Aug 15, 2023 |
|
#
?
Aug 15, 2023 16:39
|
|
|
F_Shit_Fitzgerald posted:What's the actual difference between ~/.local/bin and ~/bin? This has come up from time to time but I still don't quite get the insistence that using ~/bin is bad. I don't think there's any insistence that using ~/bin is bad. But it was never a real unix standard, it was just a long-standing convention that people did. So when a bunch of linux groups agreed on the XDG standards to organize homedir poo poo, they put stuff in .local so that: 1) it'd all be in one folder that replicates the system hierarchy 2) it's hidden so that non-expert desktop users don't see it
|
|
#
?
Aug 15, 2023 17:01
|
|
|
Head Bee Guy posted:Super basic question: where is considered a “best practices” location to store small tools/software?
|
|
#
?
Aug 15, 2023 18:14
|
|
|
F_Shit_Fitzgerald posted:What's the actual difference between ~/.local/bin and ~/bin? This has come up from time to time but I still don't quite get the insistence that using ~/bin is bad. ~/bin is where you put your stuff, ~/.local/bin is where non-system "package managers" like pip or npm installs stuff.
|
|
#
?
Aug 15, 2023 18:27
|
|
|
cruft posted:~/bin is also a standard, in that Debian's shrc adds it to PATH if the directory exists. That explains it, I was halfway through setting up a few Debian installs, made ~/bin, later noticed it was in PATH when I had sworn I hadn't actually done that yet.
|
|
#
?
Aug 16, 2023 02:01
|
|
|
Sometimes, you just have days where you wonder... "WHY?!" Today is one of those days. Here's Discord running on FreeBSD: pre:96656 1001 30 20 0 1123G 445M uwait 7 1:38 8.01% electron: --type=renderer --user-data-dir=/home/debdrup/.config/Discord
|
|
#
?
Aug 16, 2023 19:05
|
|
|
BlankSystemDaemon posted:Sometimes, you just have days where you wonder... "WHY?!" Electron. SMH.
|
|
#
?
Aug 16, 2023 19:06
|
|
|
BlankSystemDaemon posted:Sometimes, you just have days where you wonder... "WHY?!" Lmao
|
|
#
?
Aug 16, 2023 19:13
|
|
|
Why do you care though? It has no effect on anything. edit: on linux allocating a huge amount of VM runs up your OOM score, insuring that chrome and electron apps get killed first by oom killer if you run out of memory. so it has the one effect of making sure they get shot first for being wasteful of memory 
Klyith fucked around with this message at 20:54 on Aug 16, 2023 |
|
#
?
Aug 16, 2023 20:47
|
|
|
Klyith posted:Why do you care though? It has no effect on anything. Same reason I don't like buying 50 gallon drums of pickles when I only want 1 pickle.
|
|
#
?
Aug 16, 2023 21:06
|
|
|
Yeah using lots of VM doesn't actually cost anything, but it's hilarious. Like how do you write a program that will even use 1 TB of VM in the first place? The world's biggest mmap call???
|
|
#
?
Aug 16, 2023 21:11
|
|
|
VostokProgram posted:Yeah using lots of VM doesn't actually cost anything, but it's hilarious. Like how do you write a program that will even use 1 TB of VM in the first place? The world's biggest mmap call??? It's super easy, and yes exactly. There's a super common genetics tool, plink, that will by default reserve half the physical memory of the host as it's workspace and allocate it, even if the host has 1 or 2TB of RAM and it's only going to be using 2GB.
|
|
#
?
Aug 16, 2023 21:13
|
|
|
VostokProgram posted:Yeah using lots of VM doesn't actually cost anything, but it's hilarious. Like how do you write a program that will even use 1 TB of VM in the first place? The world's biggest mmap call???
|
|
#
?
Aug 16, 2023 22:55
|
|
|
VostokProgram posted:Yeah using lots of VM doesn't actually cost anything, but it's hilarious. Like how do you write a program that will even use 1 TB of VM in the first place? The world's biggest mmap call??? Apparently, sandboxing your javascript by putting it in a couple of small boxes, and then putting the small boxes into a giant empty box, which makes it very easy to catch if the javascript ever tries to escape from the small box into the big box. Or possibly just to give BSD one more thing to bitch about with electron apps.
|
|
#
?
Aug 16, 2023 23:44
|
|
|
To be clear, electron is a turd though.
|
|
#
?
Aug 17, 2023 02:46
|
|
|
Where possible I make PWAs rather than use electron apps.
|
|
#
?
Aug 17, 2023 03:50
|
|
|
Klyith posted:Why do you care though? It has no effect on anything. Also, that's pretty much exactly how FreeBSD works too.
|
|
#
?
Aug 17, 2023 10:26
|
|
|
BlankSystemDaemon posted:Sometimes, you just have days where you wonder... "WHY?!" pro-tip: run discord in firefox, it runs way better and doesn't leak ram like a colander lmao e: also, i run kde and it's really funny how they had to fix/make workarounds for discord to work on wayland properly, only for discord to gently caress it up in one of the updates so it now also leaks vram under kwin-wayland lmao Truga fucked around with this message at 10:37 on Aug 17, 2023 |
|
#
?
Aug 17, 2023 10:35
|
|
|
Actually, how does VM work these days? If you got the system with 16GB ram and 16GB swap, what does allocating 1TB for firefox or whatever actually do? Everything I found by googling suggests that total VM allocation should be smaller then RAM+swap.
|
|
#
?
Aug 17, 2023 10:36
|
|
|
app tells kernel "i'm gonna malloc 1tb rams" and the kernel says "ok, sure, here's a 1tb chunk of ram" that's actually probably only a mb or so initially, similar to how an "empty" sparse file would be on disk and then if it actually tries to use the entire tb it gets killed lol
|
|
#
?
Aug 17, 2023 11:17
|
|
|
|
| # ? Jun 10, 2024 14:12 |
|
|
VictualSquid posted:Actually, how does VM work these days? When carve outs are actually needed in the sandbox, mprotect is used to change the protection flags, which would result in a COW zero-page allocation on read, or an actual dirty page allocation on write. Again, for modern POSIX systems this is just an extent mapping and is essentially free. It's only an issue for folks who interpret the VSZ column of ps output as something more meaningful than it actually is. Interestingly on older versions of Windows it actually is somewhat memory costly, which makes me think that Windows preallocates COW zero-page mappings which can have pretty serious memory hits depending on whether it uses 4 MB or 4 kB pages. ExcessBLarg! fucked around with this message at 13:04 on Aug 17, 2023 |
|
#
?
Aug 17, 2023 11:50
|
|