Xenguy | onefang: I used shorewall for some years, and thought it was quite well done (except for whenever they released a new version, you had to adjust the config every time) | 00:43 |
Xenguy | I'm not sure you're going to get something as good as shorewall for nftables so soon. If you find something, I'd be interested in hearing about it. I wonder if the shorewall devs have any plans to migrate over to nftables? | 00:44 |
ShorTie | ever try SmoothWall ?? | 01:16 |
Xenguy | ShorTie: Heard of it, but never tried it | 01:19 |
ShorTie | it's the original and the best, imho | 01:44 |
tuxd3v | I am searching for a good firewall for arm64; the majority of firewall software exists for amd64/i386, but for arm64 I don't know any.. | 02:15 |
tuxd3v | eventually I will go with iptables, but as onefang said, maybe best to advance for nftables.. | 02:16 |
clort | hi tuxd3v | 02:26 |
clort | open source frontends should compile on arm | 02:27 |
tuxd3v | clort, hello | 02:27 |
clort | nftables still put the hurt on me. | 02:27 |
clort | i still don't have my nftables box handling the packet forwarding to usb network | 02:28 |
clort | i only have so much energy. people breaking sh*t on my OS pisses me off now. | 02:28 |
tuxd3v | I wanted it for an appliance, to run on nanoPI R2S :) | 02:29 |
tuxd3v | if I find any.. I know that pfsense seems to support arm/arm64, but they are freebsd based, I wanted one linux based :) | 02:30 |
clort | hm if you find one for stupid bears like me | 02:31 |
clort | where i can point-click 'share network interface' | 02:31 |
clort | that would be nice | 02:31 |
rrq | tuxd3v: check with "apt-cache search firewall" ... there are a fair few though I don't know if they fit your "good" list | 02:32 |
rrq | I liked the name ipkungfu but have no idea what it is :) | 02:33 |
clort | it's iptables-based. devuan forces nftables on me | 02:34 |
clort | bad devuan. no biscuit. | 02:34 |
tuxd3v | rrq that seems an option indeed :) | 02:35 |
rrq | I think the iptables "API" remains available over the nftables backend | 02:35 |
clort | it's broken | 02:36 |
clort | iptables -L broken | 02:36 |
clort | ah ok wait maybe it's my stupid kernel from nvidia that's broken | 02:36 |
clort | yes sorry my bad | 02:37 |
clort | anybody here want to make a linux .dts for nvidia jetson nano? | 02:37 |
tuxd3v | clort, that board should be in devuan indeed.. if I got one, I would make a img for it :) | 02:38 |
clort | are you in europe tuxd3v ? | 02:38 |
tuxd3v | rrq, shorewall seems also available, but I never used it, don't know what it is :) | 02:39 |
clort | hah prices for jetson nano have gone up | 02:39 |
tuxd3v | clort, yes I am | 02:39 |
clort | i don't see myself able to afford sending you one sorry | 02:39 |
tuxd3v | enclosed in a house in emergency state due to covid :/ | 02:40 |
clort | due to politicians | 02:40 |
clort | oh there's a 2GB version for 74 euro on amazon | 02:40 |
rrq | tuxd3v: I believe ufw is fairly commonly used | 02:40 |
tuxd3v | rrq: I use it on desktop, but I wanted one like an appliance to run headless | 02:42 |
rrq | I'm doing naked iptables myself so I can't vouch for any ... | 02:42 |
Xenguy | When I needed a 'real firewall', I used shorewall, but now that I don't really need to be opening ports or doing anything fancy, I've found that 'ufw' is super simple to setup... | 02:43 |
Xenguy | Default is just deny outside, allow inside, so makes a good default firewall setup with a minimum of effort. | 02:43 |
Xenguy | I'm sure it could scale a bit too, but not sure how far, or how easily | 02:44 |
tuxd3v | yeah, I loved iptables (and still do), and I have already done some things with it, so it's an option for me; I already have all the rules for a vpn to work, now I need to adjust a bit for incoming traffic | 02:45 |
tuxd3v | but if I find a good software that I can manage via web/ethernet, that supports also vpn, maybe I will give it a try instead.. :) | 02:46 |
tuxd3v | clort, yea i have the idea jetson nano has a higher price now | 03:00 |
clort | the khadas Vim3 will be nice when panfrost just works | 03:01 |
tuxd3v | have you tried to do a devuan img with your jetson nano? | 03:01 |
clort | i did live conversion | 03:01 |
clort | but nvidia's kernel sucks. it sucks. no cdrom support etc | 03:01 |
clort | no iptables | 03:01 |
tuxd3v | yeah, it's better to compile your own kernel for it :) | 03:02 |
clort | yeah idk if i lose the openGL though | 03:09 |
tuxd3v | idk how the graphics stack works for jetson nano | 03:15 |
tuxd3v | on normal computers you need the kernel headers, and dkms, to be able to install the nvidia drivers | 03:15 |
tuxd3v | but idk how it works on nano :/ | 03:16 |
Guest21 | does neofetch just bring up the debian logo | 05:35 |
brocashelm | it did for me when i first installed devuan, but after major updates, it corrected | 05:39 |
brocashelm | there should be a file in /etc you can edit to point to devuan IIRC | 05:40 |
brocashelm | what its faq writes: "When Neofetch detects a Linux distro it first looks for the lsb_release command before searching for the /etc/os-release file. Since some downstream distros mostly utilize their upstream distro's repositories they'll include the upstream distro's version of lsb_release. The prominent case is with Antergos and Arch with lsb_release installed, Antergos will be detected as "Arch" instead." | 05:42 |
Guest21 | interesting | 05:43 |
Xenguy | neofetch brings up devuan ascii art here, on Ascii | 06:10 |
onefang | Xenguy: (who isn't here, but for others that are interested as well) Shorewall developer is 71 and won't be adding nftables support coz it's too much work. | 08:46 |
onefang | ShorTie: Smoothwall isn't available in Beowulf package repo. Isn't it where Shorewall came from? | 08:47 |
systemdlete | onefang: I'm using openwrt, which has been pretty good so far. Works on x86 machines also, including VM's. | 09:01 |
onefang | That would be in a separate box, not an in place firewall? | 09:02 |
systemdlete | I did evaluation on a few firewall projects. smoothwall, endian, zeroshell. | 09:02 |
systemdlete | in place? You mean a server running in a general-purpose box? | 09:02 |
systemdlete | openwrt runs in 256m or less. There is a claim it can be run in 64m. | 09:03 |
onefang | I need it for my desktop, and my remote server. So needs to run directly on the remote server. | 09:03 |
systemdlete | It's just an option, onefang. You will decide what is best. For "in-place" (if I'm understanding you), I use ufw/gufw, which works well enough for most purposes. | 09:04 |
systemdlete | gufw doesn't do everything, but if you are willing to hack at ufw, I think it can address most things. | 09:04 |
systemdlete | I'm not expert with ufw or openwrt though. Just been using them for some time. | 09:04 |
onefang | ufw looks to be iptables only. I used to use it looong ago, before switching to Shorewall. | 09:05 |
systemdlete | One problem I encountered with smoothwall is the fact it is not well-supported. They don't come out with many updates, and support is sketchy. | 09:05 |
systemdlete | nice interface, though. | 09:06 |
systemdlete | (I'm referring to smoothwall appliance though, not the type of install you want) | 09:07 |
systemdlete | openwrt support has been very good, btw. | 09:07 |
systemdlete | did you check backports also, onefang? | 09:08 |
systemdlete | Sometimes I miss those. | 09:08 |
onefang | Yes, I'm running a backports kernel. | 09:09 |
systemdlete | I mean, is there a shorewall package in backports? (I haven't checked) | 09:09 |
onefang | Nope. | 09:10 |
onefang | But as I said, Shorewall isn't likely to move to nftables, and I think it's time I did move to nftables. | 09:10 |
systemdlete | Well, I ran into an interesting bit of bad luck. A starlinux (essentially, beowulf) VM desktop froze, though I could get console and switch back and forth. The error messages I saw were something to do with "crtc disable failed" -- this was after being "away" from the VM for a bit -- I was working in the host and other VM's. Had to do a reset on the VM. All seems OK now, but that was odd. | 09:12 |
onefang | Screenblanker tried to kick in and failed maybe? Just a wild guess. | 09:13 |
systemdlete | Well, it *is* vbox, after all. I'm seeing more and more problems in the latest releases. | 09:13 |
systemdlete | It has plenty of memory and disk. So I'm not sure what was wrong. | 09:14 |
systemdlete | Ah, well this is interesting. I had not noticed this previously. On Nov 28 (2 days ago), that VM had hard disk errors. I wonder if that might have been a USB drive I mounted that day... can't recall now. | 09:16 |
systemdlete | onefang: firewalld maybe? | 09:32 |
systemdlete | (I've not used it) | 09:32 |
onefang | I mentioned above that firewalld seems to be what Debian is recommending. Its use of dbus might be an issue. | 09:33 |
systemdlete | ah I see. | 09:34 |
ShorTie | onefang, no package, it's a LFS build | 10:48 |
ShorTie | and i'm sure if you search shorewall sources you will find some SmoothWall in it | 10:49 |
ShorTie | even ipfire has some | 10:50 |
onefang | I'm trying to avoid too much stuff that needs to be tracked outside of simple apt update & apt upgrade. There's sure to be perfectly adequate firewall software in Devuan Beowulf apt repos. | 11:43 |
mason | onefang: A straight iptables script driven from /etc/network/interfaces would work well and meet that criteria. | 15:26 |
KREYREEN | I have debian in VM that has VGA on PCI 00:00.0, but i can't use it in e.g. `DRI_PRIME=1 supertuxkart` and #debian is a band of retards that doesn't want to help me because xen >.> | 19:38 |
* KREYREEN wants to change it on devuan, but he can't do that now as QubesOS is using systemd atm >.> | 19:38 |
KREYREEN | #debian helped after all.. so far resolved | 20:12 |
KREYREEN | ^-^ | 20:12 |
unixbsd | hello is there maybe any FTP to download devuan DVD ascii i386? e.g. ncftp ftp.devuan.org ? | 22:29 |
unixbsd | (bit like netbsd or BSDs). | 22:29 |
gnarface | some of the mirrors that were also mirroring other things already might have ftp still, if debian didn't deprecate it officially yet (but i seem to recall they did) | 22:30 |
gnarface | afaik none of the devuan infrastructure has ftp ports open at all | 22:30 |
gnarface | i recommend wget or curl | 22:30 |
gnarface | or lynx, if you're desperate | 22:30 |
unixbsd | I prefer ncftp, it compiles from source, and it works on all platforms. | 22:30 |
unixbsd | wget needs pkg installer. | 22:31 |
gnarface | hmm | 22:31 |
gnarface | well if you know HTTP and are a little clever you can get it with netcat | 22:31 |
phogg | or telnet | 22:31 |
unixbsd | lynx has dump indeed and it compiles well with termcap | 22:31 |
unixbsd | really, I didn't know that netcat would help there. | 22:32 |
unixbsd | nice sockets ;) | 22:32 |
gnarface | HTTP is just a lot better thought out than FTP | 22:32 |
gnarface | it's way easier to work with | 22:32 |
unixbsd | well, actually you would just use my code to FTP to get it might work. .. | 22:32 |
phogg | about 20 years better | 22:32 |
DHE | netcat would be sufficient to download all by itself | 22:32 |
unixbsd | telnet-client.c http://termbin.com/oxtt (just clang and it works). | 22:33 |
unixbsd | nc and netcat is in all BSD and linux, except ubuntu maybe | 22:33 |
gnarface | some of the primary load concerns about HTTP over FTP aren't measurably relevant anymore after processors got > 500MHz | 22:33 |
gnarface | so the security concerns introduced by the dual-port communication model just came under fire | 22:34 |
gnarface | and people started throwing it overboard because they'd been using their web browser as their primary FTP client anyway | 22:34 |
gnarface | (and uploading over ssh/scp) | 22:35 |
gnarface | but i'm sure there's a compilation of netcat examples out there that includes using it for both a http client and http server | 22:36 |
unixbsd | well, still... FTP is the oldest protocol. it is the best ever. Hence ftp.devuan.org would be great idea. like Unix ;) real one. | 22:36 |
MinceR | why not UUCP? | 22:36 |
unixbsd | I wonder why people haven't discovered FTP yet. | 22:37 |
Wonka | what for? | 22:37 |
Wonka | name anything that's worse with HTTP | 22:37 |
gnarface | because you can use ssh for sftp instead | 22:37 |
unixbsd | They are all striving and sweating to copy a file on Windows, while a raspberry pi zero can offer FTP, samba, and all that stuff without having to use a dropbox or evilish google/microsoft drive. | 22:38 |
Wonka | People need to acknowledge that FTP's time is over. | 22:38 |
Wonka | SFTP works. | 22:38 |
phogg | unixbsd: have you read the FTP RFC? It is not the best. | 22:38 |
gnarface | alright, well this is drifting into editorializing, which is offtopic | 22:38 |
onefang | https://www.devuan.org/get-devuan lists plenty of FTP mirrors for the ISOs, and https://pkgmaster.devuan.org/mirror_list.txt lists plenty of package mirrors that support FTP. | 22:38 |
golinux | There are ftp mirrors listed on the download page of devuan.org | 22:38 |
unixbsd | FTP is basically too old, way too old. The good reason is sufficient to use a dropbox ;) | 22:38 |
Wonka | If you need to mount storage as a Windows drive, use WebDAV over HTTPS. | 22:38 |
unixbsd | haha -.. no seriously, I use FTP. Not even ssl. | 22:39 |
golinux | There are 11 of them so take your pick. | 22:39 |
golinux | unixbsd: ^^^ | 22:39 |
Wonka | PASV my ass, just use HTTPS! | 22:40 |
golinux | onefang: Do we have a mind meld going on? | 22:40 |
unixbsd | I prefer FTP on secured sites. SSL is overkill a bit for a file, that anyhow will be MD5sum ;)! | 22:40 |
fsmithred | sha256sum | 22:41 |
Wonka | md5sum is an invitation to inject malware | 22:42 |
fsmithred | also won't tell you anything useful about our isos. | 22:43 |
onefang | If FTP is too old, then TCP/IP is also too old, we need to create Devuan mirrors that use the more modern Mind Meld Protocol. B-) | 22:43 |
fsmithred | start saving tin cans and string | 22:44 |
unixbsd | nice shiny modern things are overkill, usually. FTP + md5 is fair enough and secured enough. | 22:45 |
unixbsd | On Ubuntu, the DVDs are EFI, and it seems that they focus on secured boots, (U)EFI. Shall it be similar in next devuan releases? | 22:59 |
jonadab | ftp is fine for downloading public data, like open-source software and such. | 23:00 |
jonadab | Unless you're in China, in which case you have to use a VPN anyway. | 23:00 |
unixbsd | really, chinese gov do that? man, china != human rights. | 23:00 |
jonadab | For private data, you use scp. | 23:00 |
jonadab | unixbsd: In practice, pretty much any site you can name is probably blocked in China. | 23:01 |
jonadab | Though I suppose ftp sites are more likely to not be blocked, than http ones. | 23:01 |
unixbsd | I heard that google is banned up there in china. | 23:01 |
fsmithred | secure boot should be working in beowulf | 23:01 |
golinux | Getting really offtopic folks | 23:01 |
unixbsd | I am still at Legacy, I don't need uefi. I am proud to run Netbsd 9.0 on AMD-K6 with 64MB with X11, could linux offer that (debian: -nope)? here an amd-k6 running modern advanced stuff: https://postimg.cc/xqJyfCbT Of course, it would be great if devuan still had amd-k6 or more archs. | 23:04 |
unixbsd | (gallery : https://postimg.cc/gallery/MS7whZ0 ) I guess ascii would eventually work maybe on it. | 23:05 |
fsmithred | 686 should work on k6 | 23:06 |
ErRandir | I still have an AMD-K6 somewhere in the house. Hasn't been booted in a while, the clock crystal is unstable. | 23:06 |
unixbsd | it can be used as a perfect router or for simple eboard chess or classic gtk games for kids ;) xpenguins and stuff | 23:06 |
ErRandir | I'll probably be doing a new Devian install soon. Normally I would do a network install, but this one will be behind a firewall. Does that mean I have to use all the CD ISOs? | 23:07 |
ErRandir | s/Devian/Devuan/ | 23:08 |
qaluH | devian? | 23:08 |
unixbsd | if you have apache you can debootstrap from your server mounted dvd. | 23:08 |
unixbsd | In case you use local dvd, mount /cdrom and run : | 23:08 |
gnarface | ErRandir: no, netinstall should still work unless the firewall is misconfigured | 23:08 |
unixbsd | PKG='wpasupplicant,netbase,ssh,login,passwd,less,gcc,make' ; debootstrap --no-check-gpg --include=$PKG --arch amd64 ascii . file:///media/cdrom | 23:09 |
unixbsd | (for more reading, I have a bunch of installation craps like that for bsd and devuan here: https://termbin.com/qy11 ) | 23:09 |
qaluH | what is devian? | 23:10 |
unixbsd | *u | 23:10 |
gnarface | ErRandir: the netinstall should only need to be allowed outbound DNS and HTTP requests | 23:10 |
ErRandir | ok, so those are 2 options I can try. Thanks! | 23:11 |
qaluH | always minimal | 23:13 |
ErRandir | I will try to use Beowulf. I'm still on ASCII on my other machines. | 23:14 |
qaluH | apt will fix all dependencies | 23:14 |
unixbsd | Depends the hardware, I see that ubuntu is at kernel 5.8. man, that's quite evolved kernels. | 23:14 |
miskatonic | i prefer old kernels for my old hardware | 23:16 |
unixbsd | really, why? | 23:16 |
unixbsd | faster? | 23:16 |
miskatonic | faster to start | 23:16 |
qaluH | why?? | 23:17 |
gnarface | > #devuan-offtopic | 23:17 |
qaluH | its only the kernel, why should the kernel be slower in a higher state? | 23:17 |
unixbsd | the kernel uses more memory, look at modern stable debian. forget low mem specs. it is no longer supported by debian. | 23:20 |
qaluH | lol | 23:21 |
aitor_ | hi | 23:51 |
Generated by irclog2html.py 2.17.0 by Marius Gedminas - find it at https://mg.pov.lt/irclog2html/!