Daniel Barlow boosted

So I had the idea that the router would default to allowing no incoming connections - because of IoT things and appliances on the LAN which potentially have poor security posture - but that hosts that wanted to run servers could set the no-firewall DHCP user class, and the router would notice this and allow all incoming for them. (This is for IPv6; I have no interest in implementing any v4 port forwarding unless I absolutely have to.)

This does feel weirdly like client-side authentication (perhaps because it is?) but right now I'm thinking it's probably OK. The firewall isn't a trust boundary (the LAN is an untrusted network), it's just there to discourage "smart" devices from joining botnets.

All that said, getting anything other than a Windows machine to send a dhcp user class is either somewhat involved or significantly impossible.
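As an added example (not code from nixwrt or from the post's author), this is one way the opt-in policy described above could be derived from lease records, keeping the one check the router can still make on a client-asserted user class: that the address it opens is inside the prefix it delegated. The lease records and the nftables-style rule text are constructed for illustration.

```python
# Opt-in inbound IPv6 policy derived from DHCPv6 leases (added example, not nixwrt code).
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional

OPT_IN_CLASS = "no-firewall"  # user class a host sends to ask for unrestricted inbound


@dataclass(frozen=True)
class Lease:
    address: str               # IPv6 address the DHCPv6 server handed out
    hostname: str              # client-supplied name, informational only
    user_class: Optional[str]  # DHCPv6 user class option, None if the client sent none


def opted_in_addresses(leases: Iterable[Lease], lan_prefix: str) -> set:
    """Addresses that get unrestricted inbound: opted-in leases inside the LAN prefix.

    The user class is asserted by the client (client-side authentication, as the post
    says), so the one check left to the router is that the address is one it delegated.
    """
    net = ipaddress.IPv6Network(lan_prefix)
    allowed = set()
    for lease in leases:
        if lease.user_class != OPT_IN_CLASS:
            continue
        addr = ipaddress.IPv6Address(lease.address)
        if addr not in net:
            continue  # claimed address outside our prefix: do not open it
        allowed.add(str(addr))
    return allowed


def render_rules(allowed: set, wan_if: str = "ppp0") -> str:
    """nftables-style forward chain: default drop, keep replies, allow opted-in hosts."""
    lines = [
        "chain forward { type filter hook forward priority 0; policy drop;",
        "  ct state established,related accept",
    ]
    for addr in sorted(allowed):
        lines.append(f"  iifname {wan_if} ip6 daddr {addr} accept")
    lines.append("}")
    return "\n".join(lines)


# Constructed sample leases; the first echoes the address from the post's dnsmasq log.
SAMPLE_LEASES = [
    Lease("2001:8b0:de3a:40dc::f0dc", "sysrescue", None),
    Lease("2001:8b0:de3a:40dc::1234", "homeserver", "no-firewall"),
    Lease("2001:db8::bad", "spoofer", "no-firewall"),  # opt-in claimed outside the prefix
]
```

Running `render_rules(opted_in_addresses(SAMPLE_LEASES, "2001:8b0:de3a:40dc::/64"))` opens only the homeserver address; the lease claiming an address outside the delegated prefix is ignored.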

I won't say it's done, because it's not done. But, I can see the end from here.

#nixwrt running on real hardware getting real internet traffic from a real ISP and routing to a local network

https://github.com/telent/nixwrt/commit/e0217999f6fde51698f66ef48dd83d67a4544e16#diff-b2672dbec125801aecf42552931f00442ad5aa8d71ef085fd16e39c509573874L3

#nixwrt on qemu is sending dhcp and all the gubbins to a second qemu process that I booted using a System-Rescue iso image.

This is probably an achievement. I say "probably" because I can't actually see the output from the system-rescue vm because it doesn't work properly with -serial stdio. But the packets are flowing ...

Nov 21 17:56:45 dnsmasq-dhcp[120]: 13935373 client MAC address: 52:54:00:12:34:56

Nov 21 17:56:45 dnsmasq-dhcp[120]: 13935373 client provides name: sysrescue

Nov 21 17:56:45 dnsmasq-dhcp[120]: 13935373 DHCPSOLICIT(eth1) 00:04:dc:c5:43:08:80:09:95:31:b5:c5:75:68:d8:5f:2e:2e

Nov 21 17:56:45 dnsmasq-dhcp[120]: 13935373 DHCPREPLY(eth1) 2001:8b0:de3a:40dc::f0dc

00:04:dc:c5:43:08:80:09:95:31:b5:c5:75:68:d8:5f:2e:2e sysrescue

from https://www.rubydoc.info/github/mongoid/mongoid/Mongoid%2FFindable:find_by

If a matching Document is not found and Mongoid.raise_not_found_error is true it raises Mongoid::Errors::DocumentNotFound, return null nil elsewise.

So a global config option affects the semantics of this method quite fundamentally. Didn't we agree this was a bad idea back in the php.ini days?

The upshot is that any library code using mongoid is unable to give any guarantees about its behaviour in error situations because it doesn't know how the app it's embedded into has set its configuration options.

I grant that ActiveRecord has its own design problems, but if you're going to ignore it in favour of doing your own thing, maybe at least try not to make it worse?

How to find out whether your Nixos device has Bluetooth LE support:

$ nix run nixos.bluezFull -c bluetoothctl scan on devices

and notice that it's within range of the Pinetime watch in the bedroom on the next floor up. Apparently "low energy" doesn't always mean "short range"

seeking advice from #linux/#networking folk

I have a ppp over l2tp interface, using xl2tpd and pppd. The L2TP bit seems to work OK, the PPP interface comes up and negotiates IPv4 addresses then IPv6 link addresses.

I can v4 ping both ends of the connection. But: I can't ping the v6 link addresses (maybe this is normal), and when I run odhcp6c to get a prefix delegation, it sends a SOLICIT but doesn't see the ADVERTISE replies from the DHCP6 server.

(I know the DHCP6 server is sending replies because I can see them in tcpdump)

  • The kernel doesn't have netfilter or any iptables stuff compiled in, so I don't think there's any kind of firewalling

  • rp_filter, as far as I can tell, works only for ipv4 not ipv6

I'm a bit stuck for what to try next. Any ideas?

Did a giant #nixwrt WIP commit, because I have now changed so many things at once I have given up on the prospect of it making any sense in my head.

But it's on a branch. When I get to the end of this journey (l2tp connection to my ISP and all the IPv6 prefix faff) I will ... probably print the diff and use four colours of magic marker to decide which bits to commit in what order to create some meaningful narrative

https://github.com/telent/nixwrt/compare/services-wip don't look
