Explains the bird feathers

Who needs 20! Lol. Says more about me than you.

To back off your post, does anyone have one for Australia?

I don’t think that works on my Samsung TV, or my partners iPad though. :)

Although not especially effective on the YouTube front, it actually increases network security just by blocking api access to ad networks on those kinds of IoT and walled garden devices. Ironically my partner loves it not for YouTube but apparently all her Chinese drama streaming websites. So when we go travel and she’s subjected to those ads she’s much more frustrated than when she’s at home lol.

So the little joke while not strictly true, is pretty true just if you just say ‘streaming content provider’.

Go watch “the cost of concordia” by the same guy :)

If you haven’t already that is.

After I followed the instructions and having 15 years of system administration experience. Which I was willing to help but I guess you’d rather quip.

From my perspective unless there’s something that you’ve not yet disclosed, if wireguard can get to the public domain, like a vps, then tailscale would work. Since it’s mechanically doing the same thing, being wireguard with a gui and a vps hosted by tailscale.

If your ISP however is blocking ports and destinations maybe there are factors in play, usually ones that can be overcome. But your answer is to pay for mechanically the same thing. Which is fine, but I suspect there’s a knowledge gap.

Are you sure? Did you want to troubleshoot this or did you just want to give up?

I’ve got two synology nas connected to each other directly for hyper backup replications at clients because both units are on cgnat isps and there’s no public IP. And it just works.

Didn’t understand that by willing you meant wanting.

I use Ubuntu, it’s the default for ROS. I tried debian but the instructions didn’t work instantly so I just as quickly gave up and went back to Ubuntu since I was busy. Lol.

Yes, but first go check which list you want to use since they’re a good starting point to understand a kind of level of tolerance and expectations around your experience.

There’s lots of lists around here’s a small sample:
https://arstech.net/pi-hole-blocking-lists-2023/

Be prepared for a bump in time outs as you work through things you might need (I blocked by accident a bunch of needed Microsoft services that I need to use during my job).

I haven’t edited my white list in months, maybe over a year. It’s going very well. I’ve been running pihole on ubuntu for more than 5 years as two virtual machines. I’m happy.

Yeah! Not sure why you get paid to work the only transaction that potentially needs to take place is paying for your work up front.

Why is money involved?

I’m not in America but the organisation for NIST recommends it in guidance now and its getting backing by the nsa

https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/3215760/nsa-releases-guidance-on-how-to-protect-against-software-memory-safety-issues/

https://www.zdnet.com/article/nsa-to-developers-think-about-switching-from-c-and-c-to-a-memory-safe-programming-language/ https://www.malwarebytes.com/blog/news/2022/11/nsa-guidance-on-how-to-avoid-software-memory-safety-issues

I see this becoming required in the future for new projects and solutions when working for new governnent solutions. The drum is certainly beating louder in the media about it.

Not possible without a domain, even just “something.xyz”.

The way it works is this:

• Your operating system has some trusted certificate root authorities root certificates installed from installation of the OS. All OS have this, Linux, Windows, iOS, macos, Android, BSD.
• when your browser goes to a Web url and it is a https encrypted site it reads the certificate.
• the certificate has a certificate subject name on it. It also may optionally have some alternative names.
• the browser then checks if the subject name matches the Web url address. If it does, that’s check one.
• next it checks the certificate validity: it looks at the certificate chain of trust to see if it was signed by a intermediary and then the intermediary was signed by a root certificate authority. Then it can check if any certificate has been revoked along the way.
• if that’s all good, then you’ll open without a single warning, and you browse Web sites all day long without any issue.

Now, to get that experience you need to meet those conditions. The machine trying to browse to your website needs to trust the certificate that’s presented. So you have a few ways as I previously described.

Note there’s no reverse proxy here. But it’s also not a toggle on a Web server.

So you don’t need a reverse proxy. Reverse proxies allow some cool things but here’s two things they solve that you may need solving:

• when you only own one public IP but you have two Web servers (both listening to 443/80), you need something that looks at incoming requests and identifies based on the http request from the client connecting in ‘oh you’re after website a’ and 'you’re after website b".
• when you have two Web servers running on a single server, you have to have each Web server listening on different ports so you might choose 444/81 for the second Web server. You don’t want to offer those non standard ports to public so instead you route traffic via a reverse proxy inbound and it listens for both Web servers on 80/443 and translates it back to the server.

But in this case you don’t really need to if you have lots of ips since you’re not offering publicly you’re offering over tailscale and both Web servers can be accessed directly.

It’s possible to host a dns server for your domain inside your tailnet, and offer dns responses like: yourwebserver.yourdomain.com = tailnetIP

Then using certbot let’s encrypt with DNS challenge and api for your public dns provider, you can get a trusted certificate and automatically bind it.

Your tailnet users if they use your internal dns server will resolve your hosted service on your private tailnet ip and the bound certificate name will match the host name and everyone is happy.

There’s more than one way though, but that’s how I’d do it. If you don’t own a domain then you’ll need to host your own private certificate authority and install the root authority certificate on each machine if you want them to trust the certificate chain.

If your family can click the “advanced >continue anyway” button then you don’t need to do anything but use a locally generated cert.

It’s totally fine to bulk replace some sensitive things like specifically sensitive information with “replace all” as long as it doesn’t break parsing which happens with inconsistency. Like if you have a server named "Lewis-Hamiltons-Dns-sequence“ maybe bulk rename that so is still clear “customer-1112221-appdata”.

But try to differentiate ‘am I ashamed’ or ‘this is sensitive and leaking it would cause either a PII exfiltration risk or security risk’ since only one of these is legitimate.

Note, if I can find that information with dns lookup, and dns scraping, that’s not sensitive. If you’re my customer and you’re hiding your name, that I already invoice, that’s probably only making me suspicious if those logs are even yours.

Just fyi, as a sysadmin, I never want logs tampered with. I import them filter them and the important parts will be analysed no matter how much filller debugging and info level stuff is there.

Same with network captures. Modified pcaps are worse than garbage.

Just include everything.

Sorry you had a bad experience. The customer service side is kind of unrelated to the technical practice side though.

I love the hand gesture at the end!

Start realising that the way you’re used to scrolling with your mouse wheel, is a cog between you and the service it’s moving. Actually you were using natural all along. It was the early touch pads that were wrong and nonsense.

Luckily on your own network you have control over these decisions! Especially with source and destination firewall rules.

Traceroute.