I’m the administrator of kbin.life, a general purpose/tech orientated kbin instance.
Linux secure boot was a little weird last I checked. The kernel and modules don’t need to be secure boot signed. Most distros can use shim to pass secure boot and then take over the secure boot process.
There are dkms kernel modules that are user compiled. These are signed using a machine owner key. So the machine owner could for sure compile their own malicious version and still be in a secure boot context.
Yeah, but asking film/tv producers for permission would kill my content collection!
Actually how is your ISP giving out IPs to you? Mine uses IPv6 PD to give me a /48. And I then use SLAAC locally on the first /64 prefix on my LAN. Plus another /64 for VPN connections.
If you mean receiving RA/ND packets from your ISP (which are used to announce IPv6 prefixes) then you need to allow icmpv6 packets (if you don’t want to be able to be pinged, just block echo requests, ICMP in v4 and v6 carry important messages otherwise).
If your ISP uses DHCPv6 Prefix delegation you will need to allow packets to UDP port 546 and run a DHCPv6 client capable of handling PD messages.
If you have a fixed prefix, then you probably don’t need to use your ISPs SLAAC at all. You could just put your router on a fixed IP as <yourprefix>::1 and then have your router create RA/ND packets (radvd package in linux, not sure what it would be on pfsense) and assign IPs within your network that way.
If you have a dynamic prefix… It’s a problem I guess. But probably someone has done it and a google search will turn up how they handled it.
EDIT: Just clarified that the RA/ND packets advertise prefixes, not assign addresses.
I believe the privacy concerns are made moot if all consumer level routers by default blocked incoming untracked connections and you need to poke holes in the firewall for the ports you need.
Having said that, even knowing the prefix it’s a huge address space to port scan through. So it’s pretty secure too with privacy extensions enabled.
But for sure the onus is on the router makers for now.
I used HE for ages until my isp gave native ipv6. I also used sixxs back then too. Both provided good connectivity for the few sites that were around using it at the time.
This is my biggest bugbear about a lot of UK isps. They are dynamically allocating ipv6 prefixes for absolutely no good reason.
I’ve only ever done ipv6 using Linux directly as a firewall or a mikrotik router. So cannot help with pfsense I’m afraid.
You start by adding ipv6 and serving both. One side needs to move first. Content providers or isps.
The big tech companies are using ipv6. In the UK the isps are mostly offering it too.
Host both and help us move towards dropping Ipv4 some day. It’s not going to happen in a day.
It’s for backup purposes mainly. A lot of cloud backup providers don’t store permissions.
So if I restore the data I can then restore the permissions after. So these are the folders I am backing up (with some exceptions in /var)
OK so it’s fairly simple. You need to install the acl package (or whatever equivalent package contains getfacl/setfacl. Then you can use that to dump the data from an entire structure into a file (I also then bzip that). Then I backup all installed packages to help with a restore too.
So the script looks like:
#!/bin/bash
cd /etc
/usr/bin/getfacl -R . | /usr/bin/bzip2 -9 >PERMISSION_BACKUP.bz2
chmod 600 PERMISSION_BACKUP.bz2
cd /home
/usr/bin/getfacl -R . | /usr/bin/bzip2 -9 >PERMISSION_BACKUP.bz2
chmod 600 PERMISSION_BACKUP.bz2
cd /root
/usr/bin/getfacl -R . | /usr/bin/bzip2 -9 >PERMISSION_BACKUP.bz2
chmod 600 PERMISSION_BACKUP.bz2
cd /var
/usr/bin/getfacl -R . | /usr/bin/bzip2 -9 >PERMISSION_BACKUP.bz2
chmod 600 PERMISSION_BACKUP.bz2
/usr/bin/apt list --installed | /usr/bin/bzip2 -9 >/root/INSTALLED-PACKAGES.bz2
chmod 600 /root/INSTALLED-PACKAGES.bz2
To restore you change to the folder the backup was taken from, unbzip the file (or uncompress live via pipe) and use setfacl --restore=<file>
Yeah. Only on my phone right now but will get it and post here later/tomorrow.
I mean, too late for you now. But I have a script that backs up just the permissions and owners for a given folder hierarchy.
I use it because I backup to a cloud backup platform that doesn’t save them. So these files are backed up with the data so the files and permissions/owners can be restored in an emergency.
But you could of course also use the file to restore permissions after a user generated mistake too.
Yeah I think allowing a write in answer is too risky. You will end up with 12 unique text answers otherwise.
I do like the idea of the equivalent of an open verdict. Which is probably a mix of options 1 and 3 from your list. If you don’t believe either of the provided options are suitable and you don’t want to skip then this option would be a nice thing.
Needs a skip option for questions you’re really not comfortable giving a reply to (I maybe missed it if there). I hit one I really did feel was far too subjective to give a reply to that might even potentially be taken seriously.
Otherwise a nice idea.
Can Linux run programs that rely on frameworks like .NET or other Windows-specific libraries?
So this one I thought I’d answer because I’ve done development in both NET framework and NET core and how it works is different for each (although things will usually work one way or another).
For .NET framework applications, if the program is compiled for windows (the .exe) you can usually run it with mono (you generally don’t need wine, but there’s some caveats that mean sometimes you should use wine). This will include programs with GUIs. If the NET framework app calls other windows programs it is best to run it via wine, you will need to install the net framework within wine, but there’s a winetricks command for that. There are a few things that are generally niche things that do not work in linux net framework’s mono though. By niche the one I can think of, is serial port events. Very annoyingly they all exist, so the program will run but the events will never trigger an action in the programs. Very annoying, but luckily very rare/niche stuff.
For .NET core, you can build directly to linux targets, and if the project you are working on does target NET core, then you can run the binary natively (note: you usually cannot build applications using forms to linux native binaries, for these you should run the windows exe with wine). You can also run the .exe files for this with wine and I’ve rarely had a problem with it.
Note that if you develop .NET applications, you won’t be able to build anything that uses the standard forms GUI under linux. There are other UI frameworks out there you can use that are multi platform. For this reason, for the projects that do use windows forms, I have a VM with windows on that I boot up for this reason.
In short, if you’re just running windows binaries, you will be generally fine with mono for framework and wine for core. For development “it’s complicated”.
I feel like the only even remotely acceptable way to do this is to show the ad, prompt for the answer for 10 seconds. They can log the right/wrong answer or if the time expires the lack of one and must move on.
I can imagine metrics knowing if your advertising is actually reaching people is valid. But to make people answer and especially make them watch more if they answer wrong is about as dystopian as it gets.
If (and I say if, I really don’t want to believe it is) that is the case, the only correct response is to uninstall Hulu immediately and put on your pirate hat.
Didn’t have the link to hand. But a search turned this one up: https://reggiodigital.com/blog/nginx-rule-blocking-bad-bots/ it looks to be the same list, and you can see the ones I’ve added to the end of that list.
Hmm, I took an original list and added to it. You got a website I can check? If so I’ll happily remove. I don’t mind slow web crawlers at all.
So on my mbin instance, it’s on cloudflare. So I filter the AS numbers there. Don’t even reach my server.
On the sites that aren’t behind cloudflare. Yep it’s on the nginx level. I did consider firewall level. Maybe just make a specific chain for it. But since I was blocking at the nginx level I just did it there for now. I mean it keeps them off the content, but yes it does tell them there’s a website there to leech if they change their tactics for example.
You need to block the whole ASN too. Those that are using chrome/firefox UAs change IP every 5 minutes from a random other one in their huuuuuge pools.
Yeah, I probably should look to see if there’s any good plugins that do this on some community submission basis. Because yes, it’s a pain to keep up with whatever trick they’re doing next.
And unlike web crawlers that generally check a url here and there, AI bots absolutely rip through your sites like something rabid.
Wireguard vpn into my home router. Works on android so fire sticks etc can run the client.