[DNG] SSH Tunnelling and more at Wednesday GoLUG meeting
Hi all,

Wednesday night, 7PM Eastern (New York) time, Wednesday, 12/1/2021, Linux guru der.hans will give a detailed presentation on SSH Tunnels. You can see the presentation writeup and a list of topics covered, as well as complete info on time and (virtual) place, at http://golug.info

This is the monthly GoLUG meeting, on ultra-Linux-compatible Jitsi, at https://meet.jit.si/golug . See http://golug.info for details.

Thanks,

SteveT
Steve Litt
Spring 2021 featured book: Troubleshooting Techniques of the Successful Technologist
http://www.troubleshooters.com/techniques
___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] Wanting to set up an email system
Hi TIA

In the message from Saturday, 27 November 2021 16:17:45 CET it says:
> that's needed for an email system. So - - - I'm looking for recommendations
> on what and how to setup an email system. The why you're using what you are
> is vitally important for me (as are my security and privacy).

Be prepared for a long, long journey: setting up an email system with SMTP/IMAP/Webmail using all the goodies SPF/SRS, BATV, DKIM, DNSSEC, TLS certs, DANE, virus scanning, anti-spam measures (possibly greylisting, classification, RBLs, dnswl, ...), virtual domain handling, user auth from a directory, automatic MUA configuration, backup of the mail storage, asf. is rather complex and time consuming. But it can be fun nevertheless... :-)

Regards, Adrian.

PS: I'm using exim/dovecot/greylistd/spamassassin/pyzor/razor/srsd/apache/roundcube/mysql/? on Devuan.
Re: [DNG] networking thinking
Hi TIA

In the message from Sunday, 28 November 2021 14:20:14 CET it says:
> 1. is my splitting the network system into the three parts a good idea or
> should I truncate parts 1 and 2 into the router? If you would please give
> reasons - - - please?

Fewer devices, less to set up and maintain and less to break: I would go with 1 firewall and 1 switch.

Get a box with an SFP port for your firewall and install OPNsense on it. Stick your fiber directly into your firewall, if your provider lets you choose and does not insist on some plastic box. If they do, then try to use it in bridge mode. Upon request, the providers over here tell you what one has to do when using a media converter (e.g. VLAN tag or PPPoE).

OPNsense and pfSense are excellent firewall distributions and IPv6 is well integrated with both of them. They are almost identical, sharing the same origin. OPNsense is more community oriented, whereas pfSense drifted away to be more commercial now, but its documentation is better.

PC Engines is stable, bullet-proof hardware; it's industrial grade, lasts forever and has a coreboot BIOS. There will soon be a version with an SFP port available. You won't get gigabit speed through an APU with OPNsense (around 800 Mbit/s); get something with a CPU on par with an Intel N4100 if you want to be ready for gigabit speed. There are many nice boxes around without SFP ports (like the ones from ASRock Industrial, e.g.), but don't use the Zotac nano ci329 with pfSense, it doesn't run stable (Linux, on the contrary, runs like a charm on these).

Zyxel switches are basically OK, but you don't get security updates after some years, the interface doesn't work on all browsers and they have weird bugs (e.g. prios in RSTP together with LAGGs). You're better off with a MikroTik using SwOS. The MikroTiks boot amazingly fast, SwOS is easy to configure and they are rather cheap. You get a desktop switch with 2x 10GbE and 8x 1GbE for <$100.

If you want to play around with your Zyxel to install whatever on it, that's fine, but I wouldn't invest my time in that - better get your lab running.

Opinions on the topic will differ; you'll get tons of advice in any direction. To a certain extent it's about your personal liking. Mine you probably just read above...

Regards, Adrian.
Re: [DNG] networking thinking
On 2021-11-29 18:23:25, Simon wrote:
> o1bigtenor via Dng wrote:
>
> > 1. is my splitting the network system into the three parts a good
> > idea or should I truncate parts 1 and 2 into the router? If you would
> > please give reasons - - - please?
>
> Six of one, half a dozen of the other. Sometimes having separate boxes
> is good, other times it isn't. For example, if you run a router doing NAT
> (on IPv4) behind a firewall, then the firewall doesn't see details of
> where the traffic comes from - only the mangled version where it's all
> coming from one address. On the other hand, sometimes it can be tricky
> making everything work on one box - e.g. doing traffic shaping both ways
> when there's multiple internal networks can require an intermediate
> virtual port (an IFB, intermediate function block, in iptables
> terminology) to route traffic through and I never did get the hang of
> that.
>
> > 2. are there any good sources for information on and about networking?
> > debian has moved to nftables from iptables - - - is devuan doing
> > similar?
>
> Everything has moved, or will be moving, to nftables - it's a kernel
> thing. There's a shim layer to provide an iptables interface to help
> people through the transition, but I suspect it might struggle with some
> of the more complex stuff due to differences in semantics between
> iptables and nftables.
>
> > Where does one find information to enable a firewall that works
> > yet isn't stupid?
>
> I'm afraid that's up there with the answer to life, the universe, and
> everything - and in this case it's not 42 ;-)
>
> Back when it was part of the day job, I would "sort of absorb" bits and
> pieces until I knew enough about networking to be dangerous. After that,
> it's a case of recognising when there's a gap in the knowledge and
> filling it through reading/research.
>
> Sometimes a good starting point is to have a specific thing you need a
> pointer to and asking others.
>
> In the past my preferred firewall was Shorewall - it's quite a steep
> learning curve, but not as steep as native iptables, and not as limiting
> as most other firewalls. However, I'm not sure of its current status as
> it was always very tightly bound into the semantics of iptables and would
> probably need a bottom up re-write to work well with nftables.
>
> But while the learning curve can be steep when past the basics, the
> examples will let you get common setups going very quickly.
>
> But by far the biggest thing that I liked about Shorewall was the
> "everything is in a bunch of text files" approach - meaning that you can
> look at the files and see what's going on - and, I know this will
> frighten many used to GUIs, you can put comments in the files to tell you
> what is going on! At the same job I mention below, some of the
> firewalling was done with Zyxel appliances - although a "rubbish" GUI
> that makes finding anything difficult and documenting it impossible.
> Almost a write-only system.

I use Shorewall too, for my home systems, and for the servers I'm looking after. I hope they update to nftables, or I'll have to find a new firewall.

--
A big old stinking pile of genius that no one wants coz there are too many silver coated monkeys in the world.
Re: [DNG] networking thinking
o1bigtenor via Dng wrote:
> 1. is my splitting the network system into the three parts a good idea or
> should I truncate parts 1 and 2 into the router? If you would please give
> reasons - - - please?

Six of one, half a dozen of the other. Sometimes having separate boxes is good, other times it isn't. For example, if you run a router doing NAT (on IPv4) behind a firewall, then the firewall doesn't see details of where the traffic comes from - only the mangled version where it's all coming from one address. On the other hand, sometimes it can be tricky making everything work on one box - e.g. doing traffic shaping both ways when there's multiple internal networks can require an intermediate virtual port (an IFB, intermediate function block, in iptables terminology) to route traffic through and I never did get the hang of that.

> 2. are there any good sources for information on and about networking?
> debian has moved to nftables from iptables - - - is devuan doing
> similar?

Everything has moved, or will be moving, to nftables - it's a kernel thing. There's a shim layer to provide an iptables interface to help people through the transition, but I suspect it might struggle with some of the more complex stuff due to differences in semantics between iptables and nftables.

> Where does one find information to enable a firewall that works yet
> isn't stupid?

I'm afraid that's up there with the answer to life, the universe, and everything - and in this case it's not 42 ;-)

Back when it was part of the day job, I would "sort of absorb" bits and pieces until I knew enough about networking to be dangerous. After that, it's a case of recognising when there's a gap in the knowledge and filling it through reading/research.

Sometimes a good starting point is to have a specific thing you need a pointer to and asking others.

In the past my preferred firewall was Shorewall - it's quite a steep learning curve, but not as steep as native iptables, and not as limiting as most other firewalls. However, I'm not sure of its current status as it was always very tightly bound into the semantics of iptables and would probably need a bottom up re-write to work well with nftables.

But while the learning curve can be steep when past the basics, the examples will let you get common setups going very quickly.

But by far the biggest thing that I liked about Shorewall was the "everything is in a bunch of text files" approach - meaning that you can look at the files and see what's going on - and, I know this will frighten many used to GUIs, you can put comments in the files to tell you what is going on! At the same job I mention below, some of the firewalling was done with Zyxel appliances - although a "rubbish" GUI that makes finding anything difficult and documenting it impossible. Almost a write-only system.

For the ultimate in control, eschew packages and get down and dirty with the native commands - i.e. learn how to drive nftables directly.

tito via Dng wrote:
> I personally prefer x86 hardware for this kind of things

Me too, though there's some fairly decent small computers about these days. IIRC the rPi4 has a "real" network interface, and gigabit at that - so it would probably make a fairly decent "router on a stick". Router on a stick being a reference to something like a lollipop where there's a "blob" on the end of a single stick. You can use VLANs up this single ethernet link to separate the different classes of traffic - e.g. a VLAN for the connection to your ISP, another for a management subnet for the switches etc, another for the main office LAN, another for a guest WiFi, ...

At my last place I had a Debian VM (pre-SystemD) with something like 3 DSL (PPPoE) connections, another via an ethernet provider, a backend for inter-server traffic, office LAN, guest LAN, management LAN, and possibly something else as well. Most ran on separate VLANs over a single ethernet interface. And all configured with Shorewall.

Simon
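As an added example (not from Simon's post or any package's shipped config), here is what "driving nftables directly" looks like for the router-on-a-stick he describes. It assumes constructed VLAN sub-interface names on one trunk port (eth0.20 management, eth0.30 office LAN, eth0.40 guest WiFi) and the ISP's PPPoE session on ppp0; the guest VLAN gets Internet only, and only the management VLAN may reach the router's own services.

```nft
#!/usr/sbin/nft -f
# Assumed (constructed) interface names: eth0.20 = management VLAN,
# eth0.30 = office LAN VLAN, eth0.40 = guest WiFi VLAN, ppp0 = PPPoE uplink.
flush ruleset

define wan   = "ppp0"
define mgmt  = "eth0.20"
define lan   = "eth0.30"
define guest = "eth0.40"

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept
        # Only the management VLAN may talk to the router's SSH / web UI
        iifname $mgmt tcp dport { 22, 443 } accept
        # DHCP and DNS served to the internal VLANs (not to the uplink)
        iifname { $mgmt, $lan, $guest } udp dport { 53, 67 } accept
        iifname { $mgmt, $lan, $guest } tcp dport 53 accept
        icmp type echo-request limit rate 5/second accept
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem, echo-request, nd-neighbor-solicit,
                      nd-neighbor-advert, nd-router-solicit } accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Office and management VLANs may reach the Internet
        iifname { $mgmt, $lan } oifname $wan accept
        # Guest WiFi: Internet only; office/management are dropped by policy
        iifname $guest oifname $wan accept
        # Management may administer devices on the office LAN, not vice versa
        iifname $mgmt oifname $lan accept
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100;
        # IPv4 masquerade on the uplink; IPv6 is routed without NAT
        oifname $wan masquerade
    }
}
```

Load it with `nft -f` and inspect the result with `nft list ruleset`; because every chain has `policy drop`, anything not listed (e.g. guest to office) is silently blocked.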
Re: [DNG] Wanting to set up an email system
Hi,

o1bigtenor via Dng writes:
> Greetings
>
> Started way back when when I got to the web full-time using webmail.
> Haven't ever setup an email system and AIUI it is a system - - - there are
> a lot of parts that have to work together to have everything working well.
>
> A mentor, now deceased, recommended using Claws but even that's not all
> that's needed for an email system. So - - - I'm looking for recommendations
> on what and how to setup an email system. The why you're using what you are
> is vitally important for me (as are my security and privacy).

Since you mention webmail and claws, I assume you are talking about a mail client setup. Here's what I use:

- dma to get mail off my laptop to a smarthost (i.e. my ISP) and handle delivery of local mail (i.e. mail addressed to user accounts on the laptop, think "root" for one). It doesn't handle incoming mail. It doesn't even listen to any ports, SMTP or otherwise. Before dma, I quite happily used postfix but since I didn't need a full-blown mailserver on my laptop I looked for something smaller.

- getmail6 to get mail from my ISP onto my laptop. This also grabs the mail from a mail account my alma mater provides. I've configured it so that mail older than a certain number of days is deleted on the ISP and my alma mater's account. Before getmail, I quite happily used fetchmail but negative comments about its error handling/security made me switch.

- maildrop to handle stuffing incoming mail into the right Maildir. My getmail configuration uses `MDA_external` type delivery to it. The ~/.mailfilter file controls what goes where. Before maildrop, I quite happily used procmail but I thought writing recipes was overly complicated. Not sure maildrop is any better in that respect though.

- mu4e to read and compose mail from within Emacs. It integrates with mu, which handles indexing and searching. Before mu4e, I quite happily used gnus but its org-mode integration left something to be desired. To be explicit, moving messages between folders would break links in my org-mode files. mu4e doesn't.

- a custom "localdrop" script to pass mail from /var/mail/$LOGNAME to maildrop. Nothing too complicated, if you ignore the locking ;-)

    test -s /var/mail/$LOGNAME \
      && lockmail /var/mail/$LOGNAME \
      && /bin/sh -c "cat /var/mail/$LOGNAME | reformail -f0 -s maildrop && >/var/mail/$LOGNAME"

Hope this helps,
--
Olaf Meeuwissen, LPIC-2
FSF Associate Member since 2004-01-27
GnuPG key: F84A2DD9/B3C0 2F47 EA19 64F4 9F13 F43E B8A4 A88A F84A 2DD9
Support Free Software https://my.fsf.org/donate
Join the Free Software Foundation https://my.fsf.org/join