• Re: Yes, You Need A Firewall On Linux - Here

    From Marc Haber@21:1/5 to Richard Kettlewell on Wed Aug 6 17:11:28 2025
    Richard Kettlewell <[email protected]d> wrote:
    Marc Haber <[email protected]> writes:
    Those consultants are paid to find things. Hence, they find things. Or
    they make things up. The persons who hire them don't care as long as
    there is a report.

    A common approach to security is block or disable everything you don’t
    need, and leave only the things you do need enabled.

    Then the discussion moves to what is needed. From an operations point
    of view, I NEED debugging.

    Greetings
    Marc
    --
    -----------------------------------------------------------------------------
    Marc Haber         |   " Questions are the         | Mailadresse im Header
    Rhein-Neckar, DE   |     Beginning of Wisdom "     |
    Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 6224 1600402

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Lawrence D'Oliveiro@21:1/5 to Marc Haber on Wed Aug 6 23:59:34 2025
    On Wed, 06 Aug 2025 17:11:28 +0200, Marc Haber wrote:

    Richard Kettlewell <[email protected]d> wrote:

    A common approach to security is block or disable everything you don’t
    need, and leave only the things you do need enabled.

    Then the discussion moves to what is needed. From an operations point of view, I NEED debugging.

    No reason to make those interfaces public, though.

    E.g. for one client, we have the production system on the main VM, even
    though that was originally set up just for me to use for testing.

    So when I needed an additional test setup, I created an LXC container
    within the VM, running a separate copy of the software that is not
    actually directly accessible outside the machine. I can only get to it via
    an SSH tunnel.

  • From Lawrence D'Oliveiro@21:1/5 to Mike Scott on Thu Aug 7 00:06:36 2025
    On Wed, 6 Aug 2025 11:38:12 +0100, Mike Scott wrote:

    pf's tables - a list of ip addresses you treat within the rules as a
    group, and change on the fly as desired. (pfctl -t inboundblock -T
    add 1.2.3.0/24; pfctl -t inboundblock -T show). If something similar
    is available, I certainly couldn't find it.

    I think they’re called “sets” <https://manpages.debian.org/nftables(8)#SETS>. You can have named ones and anonymous ones.

    Note also the subsequent sections on “maps” and “elements”.

    For someone trying to get to grips with this, how does it help to
    have a plethora of alternatives, a mound of interfaces, and - let's
    face it - an awful lot of poor documentation around.

    That’s why you have the more-user-friendly front ends like those
    described in the article I originally referenced.

  • From Marc Haber@21:1/5 to Lawrence D'Oliveiro on Thu Aug 7 08:37:57 2025
    Lawrence D'Oliveiro <[email protected]d> wrote:
    On Wed, 06 Aug 2025 17:11:28 +0200, Marc Haber wrote:

    Richard Kettlewell <[email protected]d> wrote:

    A common approach to security is block or disable everything you don’t
    need, and leave only the things you do need enabled.

    Then the discussion moves to what is needed. From an operations point of
    view, I NEED debugging.

    No reason to make those interfaces public, though.

    Yes, that's a different point of view. My different point of view is
    not to take security measures that don't increase security but instead
    make regular life harder. If a box provides a service to the public,
    the public already knows it's there, and IP header analysis can also
    be done by accessing the service the machine is there to provide.

    Let's agree to disagree here.


  • From Lawrence D'Oliveiro@21:1/5 to Marc Haber on Thu Aug 7 06:52:34 2025
    On Thu, 07 Aug 2025 08:37:57 +0200, Marc Haber wrote:

    Lawrence D'Oliveiro <[email protected]d> wrote:

    On Wed, 06 Aug 2025 17:11:28 +0200, Marc Haber wrote:

    Then the discussion moves to what is needed. From an operations point
    of view, I NEED debugging.

    No reason to make those interfaces public, though.

    Yes, that's a different point of view. My different point of view is not
    to take security measures that don't increase security but instead make
    regular life harder. If a box provides a service to the public, the
    public already knows it's there, and IP header analysis can also be done
    by accessing the service the machine is there to provide.

    Let's agree to disagree here.

    Too many security holes have been inadvertently left through things like
    diagnostic ports that should have been closed after testing had completed,
    but found their way into the shipping product, back-door “testing”
    accounts with full privileges and hard-coded passwords again that should
    have been removed from the production code but were not, that kind of
    thing.

  • From Lawrence D'Oliveiro@21:1/5 to Carlos E.R. on Wed Aug 6 23:56:42 2025
    On Wed, 6 Aug 2025 12:46:30 +0200, Carlos E.R. wrote:

    I don't trust my router, provided by the ISP.

    I bought my own. I could even run my own routing stack on a Linux box.

  • From Lawrence D'Oliveiro@21:1/5 to Mike Scott on Mon Aug 11 22:02:41 2025
    On Mon, 11 Aug 2025 11:50:16 +0100, Mike Scott wrote:

    Ok. It has sets. But (a) unless you know what they're called, you're not
    going to find them; and (b) that man page is singularly opaque and if
    you already know the answer it's a handy reminder of syntax.

    I didn’t know what they were called. I just went through the man page for
    any likely-looking functionality, and it only took a few minutes to find
    that section. It does have some examples of usage in it.

    Where's the (any) guide that shows how everything fits together, with,
    horror of horrors, a useful example setup intended for someone with zero
    knowledge of linux firewall config?

    I don’t know. I’m just able to read documentation. I thought that was a
    skill that was so commonplace among folks who work with computers for a
    living that you could take it for granted, but apparently not.

  • From Marc Haber@21:1/5 to Mike Scott on Tue Aug 12 10:49:40 2025
    Mike Scott <[email protected]d> wrote:
    On 11/08/2025 23:02, Lawrence D'Oliveiro wrote:
    I don’t know. I’m just able to read documentation. I thought that was a
    skill that was so commonplace among folks who work with computers for a
    living that you could take it for granted, but apparently not.

    The horror is manuals written by the code-writer. They describe in
    intimate detail each and every function; but not how it all hooks up. In
    this case, I'd not even seen the nft man page, because I'd been
    searching for the wrong terms, hadn't got there because I'd got drowned
    in a morass of ipfilter and similar stuff, now apparently out-of-date;
    and gave it up as a bad job.

    nft is a horror in its own regard. In my opinion, it simply isn't
    finished yet. Compare it with ferm, the "macro assembler for
    iptables", for example, where you can have IPv4 and IPv6 addresses in
    a single list of addresses, and happily write any combination of v4
    and v6 in your rules, with the "do what I mean" result ending up in
    iptables and ip6tables. nft cannot do that and consequently segregates
    v4 and v6. It's a pain.

    Greetings
    Marc

  • From rbowman@21:1/5 to Mike Scott on Tue Aug 12 19:35:54 2025
    On Tue, 12 Aug 2025 08:39:44 +0100, Mike Scott wrote:

    On 11/08/2025 23:02, Lawrence D'Oliveiro wrote:
    I don’t know. I’m just able to read documentation. I thought that was a
    skill that was so commonplace among folks who work with computers for a
    living that you could take it for granted, but apparently not.

    The horror is manuals written by the code-writer. They describe in
    intimate detail each and every function; but not how it all hooks up. In
    this case, I'd not even seen the nft man page, because I'd been
    searching for the wrong terms, hadn't got there because I'd got drowned
    in a morass of ipfilter and similar stuff, now apparently out-of-date;
    and gave it up as a bad job.

    What's wrong with a couple of clear examples, plus the detail to expand
    on them?

    We had a tech writer whose contribution to the documentation was pasting
    in the programmer's fix notes. That worked out great. It's sad she died
    young but at least we got a real tech writer after that. Her ongoing
    background task was translating the existing documents into English from
    Nerdese.

  • From Lawrence D'Oliveiro@21:1/5 to Mike Scott on Tue Aug 12 23:07:56 2025
    On Tue, 12 Aug 2025 08:39:44 +0100, Mike Scott wrote:

    In this case, I'd not even seen the nft man page, because I'd been
    searching for the wrong terms, hadn't got there because I'd got
    drowned in a morass of ipfilter and similar stuff, now apparently
    out-of-date; and gave it up as a bad job.

    You should know by now, that one of the first resorts when trying to find
    info on important Linux/BSD/*nix subsystems/APIs is to look for man pages.

    I have the feeling you didn’t even bother doing a web search, because ...

    What's wrong with a couple of clear examples, plus the detail to expand
    on them?

    I just tried doing a Google search for “nftables”, and guess what I
    found ...

  • From Lawrence D'Oliveiro@21:1/5 to The Natural Philosopher on Tue Aug 12 23:36:22 2025
    On Tue, 12 Aug 2025 10:54:57 +0100, The Natural Philosopher wrote:

    Life is too short to read the whole manual cover to cover.

    It helps to learn to speed-read. That man page has about 24,000 words in
    it, and as I said, it only took a few minutes to find the info I needed.

    Start by learning how to read without your lips moving.

  • From Lawrence D'Oliveiro@21:1/5 to Mike Scott on Thu Aug 14 00:41:06 2025
    On Wed, 13 Aug 2025 09:47:32 +0100, Mike Scott wrote:

    On 13/08/2025 00:07, Lawrence D'Oliveiro wrote:

    I have the feeling you didn’t even bother doing a web search ...

    Well, you'd better distrust your feelings then. Web searches are
    fine if you know relevant keywords.

    You mean, you didn’t try “nftables” as a search keyword? Because the
    very first hit Google gave me for that was ...
    <https://wiki.nftables.org/wiki-nftables/index.php/Main_Page>

  • From Marc Haber@21:1/5 to Mike Scott on Tue Aug 19 15:16:26 2025
    Mike Scott <[email protected]d> wrote:
    (I'd given up on chatgpt ages ago, when it made Noddy mistakes on
    trivial code examples. Looks like things have improved since then.)

    It still does make noddy mistakes. I recently asked it for a regexp
    that will cover all integers between 0 and 2^32-1, it didn't even get
    the parenthesis matched right.

    Greetings
    Marc

  • From Lawrence D'Oliveiro@21:1/5 to Carlos E.R. on Wed Aug 20 01:01:32 2025
    On Tue, 19 Aug 2025 12:35:53 +0200, Carlos E.R. wrote:

    What's wrong with a couple of clear examples, plus the detail to expand
    on them?

    +1

    There’s a whole website devoted to that, as I mentioned elsewhere.

  • From Lawrence D'Oliveiro@21:1/5 to Marc Haber on Wed Aug 20 01:02:21 2025
    On Tue, 19 Aug 2025 15:16:26 +0200, Marc Haber wrote:

    It still does make noddy mistakes.

    In other news, a survey reports that, the less confidence developers have
    in AI, the more they use it.

  • From Lawrence D'Oliveiro@21:1/5 to Carlos E.R. on Wed Aug 20 01:07:18 2025
    On Tue, 19 Aug 2025 12:41:46 +0200, Carlos E.R. wrote:

    On 2025-08-07 01:56, Lawrence D'Oliveiro wrote:

    On Wed, 6 Aug 2025 12:46:30 +0200, Carlos E.R. wrote:

    I don't trust my router, provided by the ISP.

    I bought my own. I could even run my own routing stack on a Linux box.

    The configuration needed by the ISP on the router is not documented ...

    Here in NZ it’s all standard protocols. I bought the router from a local
    retailer, not from the ISP. Setup was straightforward -- the router calls
    the setup option I am using “Dynamic IP”, but I think it’s just DHCP.

  • From Lawrence D'Oliveiro@21:1/5 to Carlos E.R. on Wed Aug 20 22:36:54 2025
    On Wed, 20 Aug 2025 12:52:56 +0200, Carlos E.R. wrote:

    On 2025-08-20 03:01, Lawrence D’Oliveiro wrote:

    On Tue, 19 Aug 2025 12:35:53 +0200, Carlos E.R. wrote:

    What's wrong with a couple of clear examples, plus the detail to
    expand on them?

    +1

    There’s a whole website devoted to that, as I mentioned elsewhere.

    Not good enough, it should be inside the manuals.

    The man page has examples, too. Naturally a tutorial/wiki site has more.

    Remember what reference documentation is for: it’s to act, no more and no
    less, as the definitive reference to all the details of functionality, not
    to offer hand-holding tutorial recipes for every conceivable thing you
    might want to do with that functionality.

  • From Lawrence D'Oliveiro@21:1/5 to John Ames on Wed Aug 20 22:37:45 2025
    On Wed, 20 Aug 2025 07:47:00 -0700, John Ames wrote:

    On Wed, 20 Aug 2025 01:01:32 -0000 (UTC)
    Lawrence D’Oliveiro <[email protected]d> wrote:

    What's wrong with a couple of clear examples, plus the detail to
    expand on them?

    +1

    There’s a whole website devoted to that, as I mentioned elsewhere.

    That's a fine thing to have in *addition* to proper man pages ...

    Which nftables already has, as I have also pointed out.

  • From Lawrence D'Oliveiro@21:1/5 to The Natural Philosopher on Wed Aug 20 22:40:59 2025
    On Wed, 20 Aug 2025 11:13:41 +0100, The Natural Philosopher wrote:

    Routers were never just routers either, they were routers plus switches
    plus modems plus wireless bridges...

    My router has no “modem” functionality (unless you count Ethernet as
    requiring a “modem”). It has four Ethernet ports, which can be
    individually configured to be on any of three separate networks, so I’m
    not sure if that counts as “routing” or “switching”.

    Its wi-fi functionality is disabled, since that is currently provided by
    a separate Linux box that is bridging the wi-fi with the Ethernet LAN.

  • From vallor@21:1/5 to [email protected] on Thu Aug 21 00:27:33 2025
    On Wed, 20 Aug 2025 11:13:41 +0100, The Natural Philosopher <[email protected]d> wrote in <108474l$7mtq$[email protected]>:

    Optical Network Terminator. That's better than NTE at least

    Oh well, it's all grist to the ArtStudent™ mill where names and ideas
    are far more important than the reality of what they refer to.

    Routers were never just routers either, they were routers plus switches
    plus modems plus wireless bridges...

    Here I have an ONT -- which acts as a special bridge -- which
    connects via 10GBaseT to the 10G Eero router, which has 10G ports
    and wifi. 10G to my 10G switch, which handles my 10G workstation
    and 10G Synology NAS.

    I need to run a Cat-7 wire straight down to Mrs. vallor's office
    downstairs so she'll be wired, but currently, the wifi signal
    is strong -- and she hasn't complained.

    I tried setting up Link Aggregation with this Netgear switch (my
    workstation has 2 - 10GBase-T ports, as does the NAS), but the
    switch only handles Static LAG, and it's a bit flakey. I bought
    a switch to replace it that supports LACP, but haven't gotten
    the round tuit to move over to it yet.

    Oh, and the connection to the ONT is 10G XPON. We believe
    in getting customers to go as fast as possible -- this nonsense
    by our competitors to hold down connection speeds so they can
    soak the customer for upgrades stinks to high heaven.

    Finally, the Eero router does IPv4 NAT, and also acts as
    a firewall for IPv6. Native IPv6 is a lovely thing.

    --
    -v System76 Thelio Mega v1.1 x86_64 NVIDIA RTX 3090Ti 24G
    OS: Linux 6.16.1 D: Mint 22.1 DE: Xfce 4.18
    NVIDIA: 580.76.05 Mem: 258G
    "Some minds should be cultivated, others plowed under..."

  • From Lawrence D'Oliveiro@21:1/5 to Carlos E.R. on Fri Aug 22 01:06:49 2025
    On Thu, 21 Aug 2025 11:44:47 +0200, Carlos E.R. wrote:

    I do not want reference documentation.

    Then you can’t work in this field.

  • From Lawrence D'Oliveiro@21:1/5 to Carlos E.R. on Fri Aug 22 01:12:14 2025
    On Thu, 21 Aug 2025 14:36:30 +0200, Carlos E.R. wrote:

    Oh, searching the man for "movflags" or "faststart" fails. So ask the
    AI. They are in the man page for the MP3 muxer, it says. Oh, right, I
    forgot that.

    No they aren’t. They’re part of QuickTime.

    ffmpeg -h muxer=mov

  • From Lawrence D'Oliveiro@21:1/5 to Mike Scott on Thu Aug 28 00:50:33 2025
    On Wed, 27 Aug 2025 06:56:46 +0100, Mike Scott wrote:

    pf allows, for example
    pfctl -t inboundblock -T replace -f /etc/firewall/inboundblock
    which is an atomic operation.

    The docs say

    nft -f «file»

    is an atomic operation. You might have known that if you’d read them.

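    Mike's pf-tables question earlier in the thread and the `nft -f` atomicity point above, as an added example that is not from the thread: a named set used the way pf uses a table, with its contents replaced in one transaction. The table and set names (filter, inboundblock, inboundblock6) and the addresses are assumptions.

```nft
#!/usr/sbin/nft -f
# Constructed example: the pf "table" idiom done with nftables named sets,
# applied with `nft -f thisfile`, which commits the whole file atomically.
# Names and addresses below are made up for the illustration.

# A table declaration is an "add": it creates table, sets and chain if
# absent and merges into them if they already exist.
table inet filter {
    set inboundblock {
        type ipv4_addr
        flags interval          # accepts prefixes such as 1.2.3.0/24
    }
    # nft keeps v4 and v6 in separate sets (Marc's complaint earlier in
    # the thread); the same list in ferm could mix both families.
    set inboundblock6 {
        type ipv6_addr
        flags interval
    }
    chain input {
        type filter hook input priority 0; policy accept;
        ip saddr @inboundblock drop
        ip6 saddr @inboundblock6 drop
    }
}

# Atomic replacement of the set contents, the counterpart of
#   pfctl -t inboundblock -T replace -f /etc/firewall/inboundblock
# flush + add run in the same transaction, so the set is never seen empty
# and a syntax error anywhere in the file leaves the old ruleset untouched.
flush set inet filter inboundblock
add element inet filter inboundblock { 1.2.3.0/24, 198.51.100.7 }
flush set inet filter inboundblock6
add element inet filter inboundblock6 { 2001:db8:bad::/48 }

# One-off changes from a shell, like pfctl -t ... -T add / delete / show:
#   nft add element inet filter inboundblock '{ 203.0.113.9 }'
#   nft delete element inet filter inboundblock '{ 203.0.113.9 }'
#   nft list set inet filter inboundblock
```

    Run `nft -c -f thisfile` first: it parses and validates the whole file without applying anything.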
  • From Lawrence D'Oliveiro@21:1/5 to Mike Scott on Fri Aug 29 00:56:54 2025
    On Thu, 28 Aug 2025 09:40:34 +0100, Mike Scott wrote:

    To be fair, the online wiki does give the answer. Which raises the
    issue, again, of documentation standards. When important matters are
    absent from at least some key docs, then what?

    Weren’t you one of those complaining that bare reference material wasn’t
    enough? That you wanted tutorial examples and how-tos and all that? Then
    when I mention that it all that is available, you now find a new reason
    to complain?

  • From Lawrence D'Oliveiro@21:1/5 to John Ames on Sat Aug 30 06:34:18 2025
    On Fri, 29 Aug 2025 08:10:08 -0700, John Ames wrote:

    On Fri, 29 Aug 2025 00:56:54 -0000 (UTC)
    Lawrence D’Oliveiro <[email protected]d> wrote:

    Weren’t you one of those complaining that bare reference material
    wasn’t enough? That you wanted tutorial examples and how-tos and
    all that? Then when I mention that it all that is available, you
    now find a new reason to complain?

    Again, when important information for *core networking tools* is
    only found on the Web, it hardly takes a great sage to discern the
    problem.

    The problem is, you don’t understand the Web?

    Because *everything* is on the Web these days. If you can’t figure out
    basic Web searching, then perhaps you should stay away from computers
    altogether?

  • From Lawrence D'Oliveiro@21:1/5 to Mike Scott on Sun Aug 31 03:25:25 2025
    On Fri, 29 Aug 2025 19:16:50 +0100, Mike Scott wrote:

    Oh - the problem in hand. No doubt it's easy when you know: single
    interface, allow all lan traffic, block wan inbound to port 22,
    redirect wan inbound on port 12345 to 22 and pass. Block wan inbound
    otherwise. If anyone has a config snippet to do this, I'd be very
    grateful.

    Look at the stages of application of filter hooks here <https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks>:
    there is “ingress”, followed by “prerouting”, followed by “input”.

    The obvious place to block incoming packets for port 22 would be
    either “ingress” or “prerouting”; you should be able, at the same
    stage or a later one, to remap ones destined for port 12345 so they go
    to port 22, after the block.

    <https://wiki.nftables.org/wiki-nftables/index.php/Mangling_packet_headers>

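    Mike's problem as stated above, laid out along the hook stages Lawrence points to, as an added example that is neither poster's own config. It assumes an IPv4 LAN of 192.168.1.0/24 and made-up table and chain names; with a single interface only the source address can tell LAN from WAN.

```nft
#!/usr/sbin/nft -f
# Constructed example (not from the thread): one interface, LAN trusted,
# sshd reachable from the WAN only through port 12345.
# Assumption: the LAN is 192.168.1.0/24; names below are made up.
flush ruleset

define lan_net = 192.168.1.0/24

table inet fw {
    # Stage 1: a prerouting *filter* chain that runs before the NAT hook
    # (which sits at priority -100), the placement Lawrence suggests.
    # WAN packets aimed at the real port 22 die here and never reach
    # the redirect stage or the input chain.
    chain pre {
        type filter hook prerouting priority -150; policy accept;
        ip saddr $lan_net accept   # an IPv6 LAN needs its own ip6 saddr rule
        tcp dport 22 drop
    }

    # Stage 2: remap WAN port 12345 to 22. A nat chain sees only the first
    # packet of each connection; conntrack rewrites the rest.
    # (nat chains in the inet family need kernel 5.2 or later; on older
    # kernels put this chain in a separate "table ip".)
    chain dnat {
        type nat hook prerouting priority -100; policy accept;
        ip saddr $lan_net accept
        tcp dport 12345 redirect to :22
    }

    # Stage 3: input with a default drop. From the WAN, only connections
    # that went through the redirect (ct status dnat) may reach sshd;
    # "block wan inbound otherwise" is the chain policy.
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        ip saddr $lan_net accept
        tcp dport 22 ct status dnat accept
    }
}
```

    Validate with `nft -c -f thisfile`, apply with `nft -f thisfile`, and confirm with `nft list ruleset`; a connection to port 12345 should then show up in `ss -tn` as local port 22.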