After a lot of nftables documentation read, I have a working ruleset with two-way blocking.
One thing that was a nuisance all along:
nftables provides a way to use configuration files to lay out your ruleset, which is great, and from what I infer was not possible in iptables and only accomplished with scripting.
But the docs are still very centered on configuring everything through imperative commands, which is just... hard to grasp, to say the least.
Compared to pf, there are some more complex possibilities, like dictionaries and typed sets.
The underlying processing is very different though. While in nftables I felt like I was writing the rules themselves, in pf I was writing syntax that would then expand to the rules. That meant much more concise rulesets.
It also defaults to stopping evaluation at the first block, while pf defaults to "last rule wins". Not sure how I feel about that, but overall pf seems to be easier to reason about.
@paul @soaproot @stefano Let's get it straight:
#OpenVPN is not a #VPN. Nor is any other piece of software. Some encrypted overlay network (in the simplest form just an encrypted point-to-point connection) is a necessary building block for a VPN. You'll still have to add proper authN and, well, access to some actual private network, to build a VPN.
Nothing we can do against this stupid confusion. It's been the same in other areas: A packet filtering software is NOT a #firewall. But you certainly need it to BUILD a firewall. 😞
Zeroing in on Port 0 Traffic in the Wild
https://arxiv.org/pdf/2103.13055
If your #firewall software requires you to use your own script instead of utilizing their unreliable DDNS plugin, it's time to reflect and ask yourself a couple of questions.
![curl -s -S -u "${noip_user}:${noip_pass}" \
"https://dynupdate.no-ip.com/nic/update?hostname=${noip_domain}"](https://files.mastodon.social/media_attachments/files/112/315/311/477/354/099/original/ffd08b040008ec4c.png "curl -s -S -u \"${noip_user}:${noip_pass}\" \
\"https://dynupdate.no-ip.com/nic/update?hostname=${noip_domain}\"")
Freitag Nachmittag, "Enterprise" Hersteller Geschenke fürs WE 🙄
Thnx an das BSI CERT Bund! 👌
Version 1.0: #PaloAlto Networks #Firewall's: Aktive Ausnutzung einer ungepatchten #Schwachstelle
https://www.bsi.bund.de/SharedDocs/Cybersicherheitswarnungen/DE/2024/2024-231856-1032
🦾 INCTEL N100 fanless mini PC and micro firewall appliance comes with four 2.5GbE ports using Intel i226V controllers | CNX Software
「 The device supports up to 16GB DDR5 memory, can take an M.2 NVMe SSD and/or a 2.5-inch SATA drive for storage, and also provides two video outputs through HDMI and DisplayPort, as well as a few USB ports, an RJ45 console port, and optional support for WiFi and 4G LTE connectivity 」
Uncommenting the "block in all", sending a pfctl -f /etc/pf.conf - noting in that precise moment that I didn't explicitly pass ssh - being closed out of my own server...done! ✅
#Networking #SysAdmin #Firewall #Security #SSH #ServerManagement #FreeBSD #OpenBSD
A new, interesting video by @garyhtech