The statement is very informative. The bug happens under increased read/write operations to the same file causing a race condition.

I also found interesting:

Despite the bug being present in OpenZFS for many years, this issue has not been found to impact any TrueNAS systems. The bug fix is scheduled to be included in OpenZFS 2.2.2 within the next week

This is the best suggestion for DIY, I can even get away without a printer and just write by hand. Perfect! Wish I could pin this comment.

nothing wrong with being self taught, you could follow these basics topics before poking holes in firewall.

1. VLANS: learn how to separate your LAN into networks with different security requirements. For wireless, try to make a “main” and “IoT” network so that IoT network that can’t talk to your “main” network but “main” can reach IoT devices. For wired, try to have a Management network, and a “Dirty network” etc.
2. Firewalls and Routing: You will need to be able to route between your VLANS and set firewall rules to allow certain traffic. Best practice is block everything and allow only what you need.
3. NMAP: learn how to do NMAP scans of your network to discover hosts and their open ports/services. This is a similar approach that “hackers” and script kiddies use on the public internet to find vulnerae and open services. Being able to probe your own network is crutial in understanding how others might approach in penetrating it.
4. Wireguard VPN: Learn to access your network remotely by setting up a wireguard VPN. Wireguard is preferred because it is “stealthy” and will not respond to unsolicited attempted to probe your network. Start small by using wireguard to access between VLANs so you don’t run the risk of using the internet.
5. NGINX and Reverse Proxy: If necessary, learn to expose your services or blog or website by only exposing nginx and proxying to your services. Many guides on securing NGINX exist. Try not to expose anything, but sometimes necessary if you want others to reach your website/blog/hosting etc.

That’s a rough outline that you can use to guide yourself and achieve milestones with hands on experience. In your pursuit you’ll run into certificates and domain name hosting and stuff. But all this is on the web so let your curiosity (and paranoia) drive! Have fun!!

The table of contents hints there is only one section relevant to security, Lab Firewall Config.

Anyone have experience with this book that could vouch for other chapters that explore best practices for security?

using the settings you described ( minus the VPN ) I was not able to cloak myself over the past several days

Yes, some guy was streaming live on YouTube talking about a subject that he does not otherwise have, and he showed that before talking about the subject, there were no ads for dog toys, and after talking about dogs, there were ads about dog toys. The video isn’t really that great because he goes and clicks on an ad about a dog toy and proceeds to get more of them, so he kind of tainted his results.

I wish I didn’t waste my time watching this video

7 visits with brave, 7 times identified as the same. I’m using the default options of a fresh brave install

how did you have such success?

thanks for the masterclass in CF tunnels.

I am ready to accept everything you’ve said but there is the SSH case that keeps tripping me up. For reference, here is the CF docs on Connecting SSH through CF Tunnels.

Can you help me clear up the misunderstanding here? From the docs it appears you can create a SSH key pair on a client and then copy the public key to the server. It does not appear that the docs state you need to share those keys with CF, so I assume (perhaps incorrectly) that my session will be encrypted with my private key (on client) and public key (on server).

Again, what you said appears to make sense, perhaps SSH is the only edge case that is implemented differently?

hmm, I’m not sure I agree - or perhaps I didn’t explain myself well previously and caused confusion between us.

Yes I agree with you in your description of how cloudflare encrypts -> decrypts -> encrypts; they are allowing you to ride over their network. If you remove cloudflare from the picture entirely, then you just have the internet facing server.

What I’m saying is, if the client and endpoint (server) talk in an encrypted protocol, then cloudflare cannot MiTM the data, only the IP headers. This is similar if you were to connect to any ol’ website over an ISP’s network. If your session is not HTTPS, then your application data can be read. You can have encrypted sessions inside of CF tunnel-network-tunnel.

If your services support encryption, great. But you can also expose a wireguard endpoint so you have the following

wg client --(tunnel to CF)–> CF network --(tunnel to your server)–> wireguard server

the real advantage to CF tunnel is hiding your IP from the public internet, not poking any holes in your firewall for ingress traffic, and cloudflare can apply firewall rules to those clients trying to reach your server by DNS hostname.

thanks.

The last gleam of hope I had was last year when John Oliver did an episode on data brokers. He in turn went and purchased data that would match congressmen in the D.C. area, along with their “interests.” He jokingly threatened to release it (bc congressmen tend to act on an issue if it affects them personally). I thought that would be huge, everybody would see how rampant and invasive data collection would be. I was thrilled for a breakthrough.

but so far no movement, hasn’t been released. I wonder if people wrote to John Oliver and his team if we will get an answer haha

I feel so powerless, so hopeless.

Bills aren’t being passed by lawmakers because like many of us who care about privacy, they have not heard about the abilities of data brokers and have no visibility into how rampant and disgusting and invasive their behavior is.

Friends and family I talk to don’t care. “Oh well, what are they going to do, find me personally?”

I feel if people were able to look themselves up in these databases, they would fear it as well

interesting, I’ll have to read about this some more then. thanks for pointing me in the right direction

I apologize, I misread the chain of comments. Your explanation is perfectly adequate for someone who has a basic grasp on networking and VPN and tunnels and encryption.

I would just like to add that if your endpoints communicate via an encrypted transport (HTTPS, SSH, etc) then doesn’t matter if cloudflare tries to inspect your packets. There would be 2 layers of encryption while traversing the public web, then 1 layer when traversing CF’s network.

And to some, packet inspection is not a downside since they can offer more protection - but that is totally up to your attack vector tollerence

WARP (a client) just connects you to CF’s network.

If your server is running cloudflared (an outbound-only tunnel) then you can enroll your WARP client to reach your server, while your server is never accessible on the public web. That’s the principal behind Zero Trust.

While techinically yes, WARP can be considered as a VPN, it is just a secure tunnel to an endpoint. In which case you can argue any point-to-point tunnel is a VPN.

discovered tailscale from this post and after reading their “how tailscale works” I was hoping to get some clarification from an activer user (you).

CF tunnels setup an outbound-only tunnel from my private network via cloudflared, I have no ingress holes in my firewall to access my services. cloudflared does all the proxying. Plus my IP changes monthly as I don’t pay for a static one from my ISP. This “outbound-only” connection is resilient to that.

Tailscale is point-to-point (for data plane) connection and only the control plane is “hub and spoke”. This sounds like I need to allow ingress rules on my private network so my server can be connected to? Is this true or where did I misunderstand?

he was not, nobody cares about his 2 bytes

Gotcha, thanks. Well, I’ll look into it some more. I appreciate you supporting Rebble!

What is incredible about this product is that I can speak normally and fluently as I normally do.

The need to look at the output as you speak is only necessary if you expect there to be errors. FUTO, amazingly, performs extremely well in this regard and I have a high confidence in not being able to trip it up. I don’t feel that I need to look down at a live transcription.

This whole comment was written using FUTO voice input. I’m definitely going to donate to them.

GrapheneOS is the open source android OS on pixel hardware without any google binary blobs.

The advantage of using it is Google develops and optimizes the OS so it works on their hardware. The GrapheneOS project compiles the source code, hardens some parts, and boom

I take you are a satisfied user. Ages ago when I looked into it, I didn’t see the need. To save time for me and other people on this thread, what value does it bring to you? I would consider subscribing just to financially support them but what other tangible use does a subscription bring?