Snowplow8861
@Snowplow8861@lemmus.org
- Comment on Correcting > Helping 11 months ago:
Almost like that xkcd joke…
- Comment on Jeff Bezo is now cosplaying as a working class man. 11 months ago:
Yes. How can you sit and turn 180 on only your waist. This is just a joke.
- Comment on An unusual scene 11 months ago:
First of all it clearly says counter clockwise so like first of all don’t rotate it clockwise like I did. Then secondly google image search rick roll. Thirdly consider the methods and time people go to to land a joke. Like I wonder if it was assisted by AI to just obfuscate it just enough to not be obvious.
Anyway I had to go to the comments too but mostly because I didn’t read the instructions.
- Comment on Best place to buy server hardware 1 year ago:
To back off your post, does anyone have one for Australia?
- Comment on Gonna be a great day! 1 year ago:
April first.
- Comment on Users of PiHole/AdGuard/Blocky, what blocklists are you using? 1 year ago:
I don’t think that works on my Samsung TV, or my partner’s iPad though. :)
Although not especially effective on the YouTube front, it actually increases network security just by blocking api access to ad networks on those kinds of IoT and walled garden devices. Ironically my partner loves it not for YouTube but apparently all her Chinese drama streaming websites. So when we go travel and she’s subjected to those ads she’s much more frustrated than when she’s at home lol.
So the little joke while not strictly true, is pretty true just if you just say ‘streaming content provider’.
- Comment on Prowlarr VPN/proxy advice 1 year ago:
There have been a few cases where ports are blocked. For example on many residential port 25 is blocked. If you pay and get a static ip this often gets unblocked. Same with port 10443 on a few residential services. There’s probably more but these are issues I’ve seen.
If you think about how trivial these are to bypass, but also that often aligns to fixing the problem for why they’re blocked. Iirc port 10443 was abused by malicious actors when home routers accepted Nat-pnp from say an unpatched QNAP. Automatically forwarding inbound traffic on 10443 to the NAS which has terrible security flaws and was part of a widespread botnet. If you changed the web port, you probably also are maintaining the QNAP maybe. Also port 25 can be bypassed by using start-tls authenticated mail on 587 or 465 and therefore aren’t relaying outbound mail spam from infected local computers.
Overall fair enough.
- Comment on Linus Torvalds releases Linux 6.6 after running out of excuses for further work 1 year ago:
It’s paraphrasing Torvalds himself though. It’s a cheeky title. You can choose to be offended though.
- Comment on CGNAT blocking external access to NAS. Looking to address this plus more. 1 year ago:
After I followed the instructions and having 15 years of system administration experience. Which I was willing to help but I guess you’d rather quip.
From my perspective unless there’s something that you’ve not yet disclosed, if wireguard can get to the public domain, like a vps, then tailscale would work. Since it’s mechanically doing the same thing, being wireguard with a gui and a vps hosted by tailscale.
If your ISP however is blocking ports and destinations maybe there are factors in play, usually ones that can be overcome. But your answer is to pay for mechanically the same thing. Which is fine, but I suspect there’s a knowledge gap.
- Comment on CGNAT blocking external access to NAS. Looking to address this plus more. 1 year ago:
Are you sure? Did you want to troubleshoot this or did you just want to give up?
I’ve got two synology nas connected to each other directly for hyper backup replications at clients because both units are on cgnat isps and there’s no public IP. And it just works.
- Comment on "Fair" coin flips appear to not be all that fair 1 year ago:
To be honest I think we have different cultural values here. The way I read this and the way you read it is clearly different. I’m disappointed by how little I had my expectations changed, while you had them moved more.
- Comment on "Fair" coin flips appear to not be all that fair 1 year ago:
I think the question is, where can you bet on a single coin flip? Maybe because I’m Australian, there’s only one day a year you can bet on a (two) coin flip legally here. Everyone else seems to generally understand that coin flips aren’t fair for gambling and therefore is illegal.
If this paper was like ‘this is how corruption in sports…’ rather than ‘this is like that magician cup and balls trick’ then I’d understand your concern.
But like you said, you don’t even have a coin in the house, so the practical side is day to day, perhaps not even once a year, not only are you not deciding on a coin flip, even if you were, you’d (or whomever was flipping it for you) have to learn a technique to see it affect you.
- Comment on BBC will block ChatGPT AI from scraping its content 1 year ago:
When the horses have all bolted, BBC is the one to close the barn door.
- Comment on Https on tailnet? 1 year ago:
Not possible without a domain, even just “something.xyz”.
The way it works is this:
- Your operating system has the root certificates of some trusted root certificate authorities installed from installation of the OS. All OSes have this: Linux, Windows, iOS, macOS, Android, BSD.
- When your browser goes to a web URL and it is an HTTPS encrypted site, it reads the certificate.
- The certificate has a certificate subject name on it. It also may optionally have some alternative names.
- The browser then checks if the subject name matches the web URL address. If it does, that’s check one.
- Next it checks the certificate validity: it looks at the certificate chain of trust to see if it was signed by an intermediary and then the intermediary was signed by a root certificate authority. Then it can check if any certificate has been revoked along the way.
- If that’s all good, then you’ll open without a single warning, and you browse web sites all day long without any issue.
Now, to get that experience you need to meet those conditions. The machine trying to browse to your website needs to trust the certificate that’s presented. So you have a few ways as I previously described.
Note there’s no reverse proxy here. But it’s also not a toggle on a Web server.
So you don’t need a reverse proxy. Reverse proxies allow some cool things but here’s two things they solve that you may need solving:
- When you only own one public IP but you have two web servers (both listening to 443/80), you need something that looks at incoming requests and identifies based on the HTTP request from the client connecting in ‘oh you’re after website a’ and ‘you’re after website b’.
- When you have two web servers running on a single server, you have to have each web server listening on different ports so you might choose 444/81 for the second web server. You don’t want to offer those non-standard ports to public so instead you route traffic via a reverse proxy inbound and it listens for both web servers on 80/443 and translates it back to the server.
But in this case you don’t really need to if you have lots of IPs since you’re not offering publicly you’re offering over tailscale and both web servers can be accessed directly.
- Comment on Https on tailnet? 1 year ago:
It’s possible to host a DNS server for your domain inside your tailnet, and offer DNS responses like: yourwebserver.yourdomain.com = tailnetIP
Then using certbot Let’s Encrypt with DNS challenge and API for your public DNS provider, you can get a trusted certificate and automatically bind it.
Your tailnet users, if they use your internal DNS server, will resolve your hosted service on your private tailnet IP and the bound certificate name will match the host name and everyone is happy.
There’s more than one way though, but that’s how I’d do it. If you don’t own a domain then you’ll need to host your own private certificate authority and install the root authority certificate on each machine if you want them to trust the certificate chain.
If your family can click the “advanced >continue anyway” button then you don’t need to do anything but use a locally generated cert.
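
An added example, not part of the comments above: the private-CA route from this comment and the two browser checks from the previous one (name match, chain of trust), reproduced with the `openssl` CLI. Host names, CA names and file names are constructed placeholders; revocation checking is not exercised.

```shell
# Added example: private CA plus a leaf certificate for a tailnet-only web server.
# nas.tailnet.example and all file names below are constructed placeholders.
make_ca() {  # $1 = file prefix, $2 = CA common name
  cat > "$1.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = $2
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$1.cnf" \
    -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

issue_cert() {  # $1 = CA prefix, $2 = leaf prefix, $3 = DNS name placed in the SAN
  printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nCN=%s\n' "$3" > "$2.cnf"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$3" > "$2.ext"
  openssl req -new -newkey rsa:2048 -nodes -config "$2.cnf" \
    -keyout "$2.key" -out "$2.csr" 2>/dev/null &&
  openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" -CAcreateserial \
    -days 30 -extfile "$2.ext" -out "$2.crt" 2>/dev/null
}

check_cert() {  # $1 = root the client trusts, $2 = name in the URL, $3 = leaf cert
  # Succeeds only if the name matches the SAN AND the chain ends at the trusted root.
  openssl verify -CAfile "$1" -verify_hostname "$2" "$3" >/dev/null 2>&1
}

work=$(mktemp -d) && cd "$work" || exit 1
make_ca root "Constructed Tailnet Root CA"
make_ca other "Unrelated Constructed CA"   # stands in for a client without your root
issue_cert root nas nas.tailnet.example

check_cert root.crt  nas.tailnet.example   nas.crt && echo "root installed, name matches: accepted"
check_cert root.crt  other.tailnet.example nas.crt || echo "name does not match SAN: rejected"
check_cert other.crt nas.tailnet.example   nas.crt || echo "root not installed on client: rejected"
```

The third case is what each family member's browser sees until `root.crt` is installed in that machine's trust store.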
- Comment on OpenSubtitles Hostility 1 year ago:
It’s totally fine to bulk replace some sensitive things like specifically sensitive information with “replace all” as long as it doesn’t break parsing which happens with inconsistency. Like if you have a server named “Lewis-Hamiltons-Dns-sequence” maybe bulk rename that so it is still clear: “customer-1112221-appdata”.
But try to differentiate ‘am I ashamed’ or ‘this is sensitive and leaking it would cause either a PII exfiltration risk or security risk’ since only one of these is legitimate.
Note, if I can find that information with DNS lookup, and DNS scraping, that’s not sensitive. If you’re my customer and you’re hiding your name, that I already invoice, that’s probably only making me suspicious if those logs are even yours.
- Comment on OpenSubtitles Hostility 1 year ago:
Just fyi, as a sysadmin, I never want logs tampered with. I import them, filter them, and the important parts will be analysed no matter how much filler debugging and info level stuff is there.
Same with network captures. Modified pcaps are worse than garbage.
Just include everything.
Sorry you had a bad experience. The customer service side is kind of unrelated to the technical practice side though.
- Comment on Access Remmina Remotely 1 year ago:
Luckily on your own network you have control over these decisions! Especially with source and destination firewall rules.
- Comment on How can I restrict visiting a service through a domain to VPN-connected devices? 1 year ago:
100%. Or set host file entries on each endpoint to resolve the mail.domain.com to your internal IP that’s available only over VPN. Not going to be easy on mobiles.
There is an assumption though that the mail server has an internal IP address wherever you are hosting. That might not be true. I would always put the public IP on the firewall and then NAT with specific port 25 in to the private IP of the server, but who knows what this particular OP has done.