Problem with apt update (is not signed)

2023-10-25 Thread Paweł Kopeć

Hello,

Since yesterday (2023-10-25) I have been receiving an error during the apt update
command:


docker run -it debian:bullseye /bin/bash
Unable to find image 'debian:bullseye' locally
bullseye: Pulling from library/debian
69b3efbf67c2: Pull complete
Digest: sha256:c141beaa9e0767774221cc82efe3a6712a1cc4f75d2699334dfd9a28a6f7357b
Status: Downloaded newer image for debian:bullseye

root@eb335ad71846:/# apt-get update
Get:1 http://deb.debian.org/debian bullseye InRelease [116 kB]
Get:2 http://deb.debian.org/debian-security bullseye-security InRelease [48.4 kB]
Get:3 http://deb.debian.org/debian bullseye-updates InRelease [44.1 kB]
Err:1 http://deb.debian.org/debian bullseye InRelease
  At least one invalid signature was encountered.
Err:2 http://deb.debian.org/debian-security bullseye-security InRelease
  At least one invalid signature was encountered.
Err:3 http://deb.debian.org/debian bullseye-updates InRelease
  At least one invalid signature was encountered.
Reading package lists... Done
W: GPG error: http://deb.debian.org/debian bullseye InRelease: At least one invalid signature was encountered.
E: The repository 'http://deb.debian.org/debian bullseye InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: GPG error: http://deb.debian.org/debian-security bullseye-security InRelease: At least one invalid signature was encountered.
E: The repository 'http://deb.debian.org/debian-security bullseye-security InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.
W: GPG error: http://deb.debian.org/debian bullseye-updates InRelease: At least one invalid signature was encountered.
E: The repository 'http://deb.debian.org/debian bullseye-updates InRelease' is not signed.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.


Where should I send this problem?

Regards


Re: How do I connect my new wifi router (Mi Router 4C)?

2023-10-25 Thread Max Nikulin

On 26/10/2023 02:20, Martin wrote:
> On Wed, Oct 25, 2023 at 07:33:52PM +0700, Max Nikulin wrote:
> > should have something like
> >
> > table ip sharedconnection {
> >   chain postrouting {
> >     type nat hook postrouting priority srcnat; policy accept;
> >     ip saddr 192.168.231.3/24 ip daddr != 192.168.231.3/24 masquerade
> >   }
> > }
>
> I did not add any masquerading rules by myself and output of command
> 'nft list ruleset' is shown below. It does not have anything like you
> showed in section 'table ip sharedconnection'.


"sharedconnection" is an arbitrary name. It should be chosen to not
conflict with other applications. Actually you have nat masquerading
rules created by docker for other interfaces. Read
/usr/share/doc/nftables/README.Debian and choose a way to add rules
that is convenient for you. You may add the following heading and may
save rules to a file that may be read by either "nft -f FILE.conf" or
by just executing it.


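#!/usr/sbin/nft -f
# Create the table if it does not exist yet, then empty it, so that
# loading this file again does not add the same rules twice.
table ip sharedconnection {}
flush table ip sharedconnection
# table ip sharedconnection { ... } from above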

---

Upstream WiFi router does not know that packets addressed to
192.168.231.5 (mi router) should be sent to your computer
(192.168.0.16), so your computer should make the upstream router believe
that all packets from your phone originate from 192.168.0.16.




Re: Domain name to use on home networks

2023-10-25 Thread Stefan Monnier
>> It's just such a shame that they chose a name which refers to "arpa"
>> in it, which is not only US-centric but even belongs to the US's war
>> department
>
> It belongs to the Internet Architecture Board and is administered by
> IANA which is why they chose it. It stands for "Address and Routing
> Parameter Area".

But that's a "backronym".
It originally referred to the US agency.
I totally understand the technical reasons why they decided to stick to
this naming, but it's still grating.


Stefan



Re: Domain name to use on home networks

2023-10-25 Thread John Hasler
Stefan writes:
> It's just such a shame that they chose a name which refers to "arpa"
> in it, which is not only US-centric but even belongs to the US's war
> department

It belongs to the Internet Architecture Board and is administered by
IANA which is why they chose it. It stands for "Address and Routing
Parameter Area".

-- 
John Hasler 
j...@sugarbit.com
Elmwood, WI USA



Re: Domain name to use on home networks

2023-10-25 Thread Stefan Monnier
> If you go with the domain name home.arpa and an IPv4 subnet sliced out
> of one of 192.168.0.0/16, 172.12.0.0/12 or 10.0.0.0/8, you can be
> _almost certain_ that nothing will break because of those choices, now
> _or_ in the future.

100% agreement.

It's just such a shame that they chose a name which refers to "arpa" in
it, which is not only US-centric but even belongs to the US's war
department, which I find rather unpalatable.
I understand ARPA was closely related to the beginnings of the Internet,
but...  couldn't they choose something a bit more neutral?


Stefan



Re: Domain name to use on home networks; was: Bookworm:NetworkManager

2023-10-25 Thread Dan Purgert
On Oct 26, 2023, jeremy ardley wrote:
> 
> On 26/10/23 07:24, David Wright wrote:
> > > Or if you already have a domain, you can use a subdomain. eg. I have
> > > rail.eu.org, and at home it is depot.rail.eu.org
> > I'm not sure how that would work when my home network
> > is on a different continent from my domain's hosting.
> 
> 
> This is no problem aside from DNS.
> 
> You will have DNS records set up for your hosted service with public IP
> addresses. It's quite straightforward to add a subdomain and assign non
> routable IP addresses to it.
> 
> Downside is it will look odd to an observer, and will leak some info about
> your internal network.
> 
> As an alternative you can still use the same naming convention but not put
> it in the public domain. This will require you to set up your own internal
> DNS service or hosts files and have DNS queries resolved locally without
> going to the external DNS server.

Indeed, split-horizon DNS is quite good for this "problem".


-- 
|_|O|_|
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: DDAB 23FB 19FA 7D85 1CC1  E067 6D65 70E5 4CE7 2860




Re: Domain name to use on home networks; was: Bookworm:NetworkManager

2023-10-25 Thread jeremy ardley



On 26/10/23 07:24, David Wright wrote:
> > Or if you already have a domain, you can use a subdomain. eg. I have
> > rail.eu.org, and at home it is depot.rail.eu.org
>
> I'm not sure how that would work when my home network
> is on a different continent from my domain's hosting.



This is no problem aside from DNS.

You will have DNS records set up for your hosted service with public IP
addresses. It's quite straightforward to add a subdomain and assign non
routable IP addresses to it.


Downside is it will look odd to an observer, and will leak some info 
about your internal network.


As an alternative you can still use the same naming convention but not 
put it in the public domain. This will require you to set up your own 
internal DNS service or hosts files and have DNS queries resolved 
locally without going to the external DNS server.
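
Added example (not part of the thread): a Python audit of a public zone file for the leak described above, that is, A/AAAA records that publish non-routable addresses. The zone data, example.org and the function names are constructed for illustration; the parser only handles simple one-line records.

```python
import ipaddress

# Constructed zone data for illustration; example.org and every record are made up.
SAMPLE_ZONE = """\
$ORIGIN example.org.
$TTL 3600
@              IN  A     203.0.113.10
www            IN  A     203.0.113.10
nas.depot      300 IN A  192.168.1.20
               IN  A     172.20.0.5     ; owner name inherited from the line above
printer.depot  IN  A     10.0.0.7
cam.depot      IN  AAAA  fd12:3456:789a::15
mail           IN  MX    10 mx.example.org.
"""

# Address space that is not routed on the public Internet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 private IPv4
    "169.254.0.0/16",                                   # IPv4 link-local
    "fc00::/7", "fe80::/10",                            # IPv6 unique-local and link-local
)]


def absolute_name(owner, origin):
    """Expand '@' and relative owner names against the current $ORIGIN."""
    if owner == "@":
        return origin
    if owner.endswith("."):
        return owner
    return owner + "." + origin.lstrip(".")


def internal_records(zone_text, origin="."):
    """Return (owner, type, address) for A/AAAA records pointing at internal space."""
    findings = []
    last_owner = origin
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # strip zone-file comments
        if not line.strip():
            continue
        fields = line.split()
        if fields[0].upper() == "$ORIGIN":
            origin = fields[1]
            continue
        if fields[0].startswith("$"):             # $TTL, $INCLUDE: not needed here
            continue
        if raw[0].isspace():                      # owner omitted: reuse the previous one
            owner = last_owner
        else:
            owner = absolute_name(fields.pop(0), origin)
            last_owner = owner
        # Skip the optional TTL and class fields in front of the record type.
        while fields and (fields[0].isdigit() or fields[0].upper() == "IN"):
            fields.pop(0)
        if len(fields) < 2 or fields[0].upper() not in ("A", "AAAA"):
            continue
        try:
            addr = ipaddress.ip_address(fields[1])
        except ValueError:
            continue                              # malformed address: not our concern
        if any(addr.version == net.version and addr in net for net in INTERNAL_NETS):
            findings.append((owner, fields[0].upper(), str(addr)))
    return findings


if __name__ == "__main__":
    for owner, rtype, addr in internal_records(SAMPLE_ZONE):
        print(f"{owner} {rtype} {addr}  <- internal address in a public zone")
```

Records that turn up here are the ones to move into the internal-only (split-horizon) view.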




Re: A file synchronization tool that respects hardlinks

2023-10-25 Thread David Wright
On Wed 25 Oct 2023 at 07:28:44 (-0600), Charles Curley wrote:
> On Wed, 25 Oct 2023 09:57:19 +0300
> Itay  wrote:
> 
> > Perhaps I will grab the chance to separate private stuff from work
> > stuff :-)
> 
> Indeed! I don't know where you are located, but I will tell you that in
> parts of the US commingling the two can become a legal nightmare. I
> would consider having a separate computer for each.

The same for phones.

Cheers,
David.



Re: Domain name to use on home networks; was: Bookworm:NetworkManager

2023-10-25 Thread David Wright
On Wed 25 Oct 2023 at 08:33:25 (+0200), Erwan David wrote:
> On 25/10/2023 at 03:47, David Wright wrote:
> > On Mon 23 Oct 2023 at 12:06:05 (+0200), Christian Groessler wrote:
> > > On 10/23/23 07:29, Jeffrey Walton wrote:
> > > > On Mon, Oct 23, 2023 at 1:24 AM ghe2001  wrote:
> > > > > How about a /29 or so, named "here.", hosts named 2 or 
> > > > > 3 letter abbreviations of what you call the computers, with 
> > > > > unroutable IPs, DNS'ed in /etc/hosts (with shortcuts).
> > > > Whatever you come up with for , ICANN can add to the
> > > > gTLD namespace; see .
> > > Just register a domain and use that.
> > That costs money, and I can't see the point when there are TLDs
> > that are perfectly safe already available, like .home.arpa, and
> > before that, .{corp,home,mail}.
> > 
> Or if you already have a domain, you can use a subdomain. eg. I have
> rail.eu.org, and at home it is depot.rail.eu.org

I'm not sure how that would work when my home network
is on a different continent from my domain's hosting.

Cheers,
David.



Re: How do I connect my new wifi router (Mi Router 4C)?

2023-10-25 Thread David Wright
On Wed 25 Oct 2023 at 11:04:59 (+0300), Anssi Saari wrote:
> Martin  writes:
> > With wifi antenna I receive a (rather weak) signal that connects my
> > computer to internet. I have to use windsurfer antenna booster
> > (http://members.multiweb.nl/schaaijw/windsurfer_wifi_en.pdf)
> > to get usable signal. So my computer has internet signal from
> > wifi antenna - yay great thing :)
> >
> > Now I also want to connect to internet with my mobile phone!
> 
> You mean you want to use some unspecified wifi signal with your phone
> also? Share the connection to your phone and computer? The link to this
> "windsurfer" doesn't work so it's a little hard to help if you can't
> describe what you have.

I presume what's going on here is that the Internet is provided by
a wifi access point that is distant and inaccessible (say, next door).
The windsurfer is a shaped piece of aluminium foil that pops over the
aerial to make a sort of parabola. Normally, you'd put this over your
modem/router's (external) aerial to increase the signal transmitted to
parts of your house (though it decreases it in the opposite direction).
But I'm guessing that here the windsurfer is on the computer's wifi
aerial, to improve the received signal.

That's why the OP's router (which, again presumably, has no Internet
Service) is connected "backwards", so the computer is the WAN, and
the mobile phone is the sole device on the LAN.

IOW Max's reply represents a string↔of↔connected↔devices rather than
- a
- bullet
- list.

> You have some kind of mysterious internet connection from
> something. That needs to connect to the router's WAN port.

That's how I would cascade two routers: a LAN port on the main
router connects by a plumbed-in Cat5 cable to a port on the
secondary router. The latter port would be the WAN connection,
but that's broken on mine, so I have to connect the cable to
a LAN port. I guess that makes my secondary router a switch?

Cheers,
David.



Re: How do I connect my new wifi router (Mi Router 4C)?

2023-10-25 Thread Martin
On Wed, Oct 25, 2023 at 02:15:36PM +0200, Marco M. wrote:
> On 25.10.2023 at 13:33:48, Martin wrote:
> 
> > On Wed, Oct 25, 2023 at 08:47:03AM +0200, Marco M. wrote:
> > > 
> > > Why don't you use DHCP like your phone does?  
> > 
> > Because I used this computer before I had WiFi and phone.
> 
> Why is it a problem to change it?
> Do you really want to deal with manually addressing machines?

I only have one computer, and now this new router. Because I only have
one computer I did not feel need to use DHCP to automatically assign me
an IP address.

Martin



Re: How do I connect my new wifi router (Mi Router 4C)?

2023-10-25 Thread Martin
On Wed, Oct 25, 2023 at 07:33:52PM +0700, Max Nikulin wrote:
> On 25/10/2023 18:24, Martin wrote:
> > On Wed, Oct 25, 2023 at 03:17:09PM +0700, Max Nikulin wrote:
> > > 
> > > So packet forwarding should be enabled on the computer.
> 
> sysctl net.ipv4.ip_forward
> 
> almost certainly enabled since you have the docker0 network interface

You are right, it is enabled:

$ sudo sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1

> I hope, you have a DNS server running on this machine
> 
> host debian.org 192.168.231.3

I did not have dig installed but host worked, alas it showed me that I do
not have installed DNS server. So I installed dnsmasq package and
wonders happened (without me editing any config files - just installing
dnsmasq) - on my mobile phone when I connected to 192.168.31.1 address
(default router address when I look from phone) It showed now green line
from router to internet.

But unfortunately phone does not connect to internet yet. I guess I will
need to issue some 'sudo route' command to add path from my router to
outside world (actually I do not have idea if this is the problem).

> Check that you do not have blocking rules in firewall

I do not use firewall anymore, since I stopped using wired home phone
(dialup modem) to connect to internet with ppp protocol. Since I am now
connected to internet via my weak antenna which is connected to router(A)
and then to internet I know that distant router(A) is protected enough
(after all it uses only local address that I can see 192.168.0.1).

> and that masquerading
> is enabled for your downstream link enp3s0
> 
> nft list ruleset
> 
> should have something like
> 
> table ip sharedconnection {
>   chain postrouting {
>     type nat hook postrouting priority srcnat; policy accept;
>     ip saddr 192.168.231.3/24 ip daddr != 192.168.231.3/24 masquerade
>   }
> }

I did not add any masquerading rules by myself and output of command
'nft list ruleset' is shown below. It does not have anything like you
showed in section 'table ip sharedconnection'. I remember using iptables
command to make firewall and masquerading my computer while I was using
dialup modem internet connection. I do not set up or use any iptable rules
manually anymore.

So this is probably what I need to figure out how to use masquerading
and other firewall rules to enable my new router to connect to outside
internet. (I must admit that I forgot what rules should I use to enable
this setup - so I need your help)

Here is output of 'nft list ruleset' 'iptables -S' and 'iptables -L' command:
(I am not sure they provide different info, but here they are)

Thanks a lot
Martin


$ sudo nft list ruleset
# Warning: table ip nat is managed by iptables-nft, do not touch!
table ip nat {
    chain DOCKER {
        iifname "docker0" counter packets 0 bytes 0 return
        iifname "br-7bfdce95ff27" counter packets 0 bytes 0 return
    }

    chain POSTROUTING {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "wlxe8de27a5ab1c" ip saddr 10.1.1.0/24  counter packets 192 bytes 11818 masquerade
        oifname != "docker0" ip saddr 172.17.0.0/16 counter packets 0 bytes 0 masquerade
        oifname != "br-7bfdce95ff27" ip saddr 172.18.0.0/16 counter packets 0 bytes 0 masquerade
    }

    chain PREROUTING {
        type nat hook prerouting priority dstnat; policy accept;
        fib daddr type local counter packets 7727 bytes 479748 jump DOCKER
    }

    chain OUTPUT {
        type nat hook output priority dstnat; policy accept;
        ip daddr != 127.0.0.0/8 fib daddr type local counter packets 3 bytes 196 jump DOCKER
    }
}
# Warning: table ip filter is managed by iptables-nft, do not touch!
table ip filter {
    chain DOCKER {
    }

    chain DOCKER-ISOLATION-STAGE-1 {
        iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-2
        iifname "br-7bfdce95ff27" oifname != "br-7bfdce95ff27" counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-2
        counter packets 27 bytes 1780 return
    }

    chain DOCKER-ISOLATION-STAGE-2 {
        oifname "docker0" counter packets 0 bytes 0 drop
        oifname "br-7bfdce95ff27" counter packets 0 bytes 0 drop
        counter packets 0 bytes 0 return
    }

    chain FORWARD {
        type filter hook forward priority filter; policy drop;
         counter packets 57740 bytes 51358193 accept
        counter packets 25 bytes 1644 jump DOCKER-USER
        counter packets 25 bytes 1644 jump DOCKER-ISOLATION-STAGE-1
        oifname "docker0" ct state related,established counter packets 0 bytes 0 accept
        oifname "docker0" counter packets 0 bytes 0 jump DOCKER
        iifname "docker0" oifname != "docker0" counter packets 0 by

Re: Bookworm: NetworkManager

2023-10-25 Thread Max Nikulin

On 22/10/2023 22:46, Lee wrote:
> but /etc/network/interfaces over-rides /etc/NetworkManager - correct? So
> maybe I'm just using dhclient and have no idea if this works for
> NetworkManager or not.


NetworkManager may use built-in, dhclient, or dhcpcd, see 
NetworkManager.conf(5). It has a plugin for ifupdown. It is configurable 
whether NetworkManager manages interfaces configured through 
/etc/network/interfaces. Actually it may be set to ignore any interface.


nmcli device status
nmcli connection show



link-local 169.254.x.y addresses

2023-10-25 Thread Max Nikulin

On 25/10/2023 00:21, Pocket wrote:
> On 10/24/23 12:48, Max Nikulin wrote:
> > There was a thread several months ago with discussion of link local
> > 169.254.x.y addresses.
>
> Where may I find that thread?


See latest threads with the "mdns" keyword. Although mDNS-SD (e.g.
printer discovery) does not necessarily mean link-local addresses,
169.254.x.y is a fallback (so falls under the zeroconf umbrella). Do not
neglect the IPv6 thread started by Gene as well.


https://lists.debian.org/cgi-bin/search?P=mdns&DEFAULTOP=or&B=Gdebian-user&SORT=0&HITSPERPAGE=50

Besides avahi-autoipd, link-local addresses may be assigned by 
systemd-networkd, dhcpcd, NetworkManager.




Re: Domain name to use on home networks

2023-10-25 Thread Jeffrey Walton
On Wed, Oct 25, 2023 at 8:14 AM Marco M.  wrote:
>
> On 25.10.2023 at 07:25:45, gene heskett wrote:
>
> > Is there an RFC number for this already?
>
> ftp://ftp.rfc-editor.org/in-notes/rfc8375.html

This is so interesting (to me). I can't believe I missed that RFC...

From the Abstract:

   This document specifies the behavior that is expected from the Domain
   Name System with regard to DNS queries for names ending with
   '.home.arpa.' and designates this domain as a special-use domain
   name. 'home.arpa.' is designated for non-unique use in residential
   home networks.  The Home Networking Control Protocol (HNCP) is
   updated to use the 'home.arpa.' domain instead of '.home'.

Notice '.home.arpa.' is a fully qualified domain name (FQDN). FQDNs
end in a dot, and the dot denotes the top of the DNS tree.

'home' is not a FQDN. It is not a node from the top of the DNS tree.
It is just a special label.

One of my pet peeves is when someone conflates a hostname with a FQDN.
Systemd does this all the time. Systemd's [unofficial] policy seems to
be mDNS and its gossip is the source of truth for network names. Old
admins will always consider DNS as the single source of truth for
network names, not gossip-based protocols.

Systemd networking probably has W Richard Stevens rolling over in his grave...

Jeff



Re: Domain name to use on home networks

2023-10-25 Thread Pocket



Sent from my iPad

> On Oct 25, 2023, at 8:12 AM, Marco M.  wrote:
> 
> On 25.10.2023 at 12:17:40, Joe wrote:
> 
>>> On Wed, 25 Oct 2023 09:01:18 +
>>> Michael Kjörling <2695bd53d...@ewoof.net> wrote:
>>> 
>>> 
>>> 
>>> I see lots of people in this sub-thread arguing for
>>> cobbled-together, "it works for me for now and if it breaks I'll
>>> just fix it later" style solutions.
>>> 
>>> 
>> 
>> Not arguing about anything else, but this situation you describe is
>> how IT works, and will continue to work until it stabilises, maybe a
>> century from now.
> 
> Avoiding mistakes by using it as designed is much better than repairing
> it years later.
> 
Amen


Re: A file synchronization tool that respects hardlinks

2023-10-25 Thread Charles Curley
On Wed, 25 Oct 2023 09:57:19 +0300
Itay  wrote:

> Perhaps I will grab the chance to separate private stuff from work
> stuff :-)

Indeed! I don't know where you are located, but I will tell you that in
parts of the US commingling the two can become a legal nightmare. I
would consider having a separate computer for each.

-- 
Does anybody read signatures any more?

https://charlescurley.com
https://charlescurley.com/blog/



Re: How do I connect my new wifi router (Mi Router 4C)?

2023-10-25 Thread Max Nikulin

On 25/10/2023 18:24, Martin wrote:
> On Wed, Oct 25, 2023 at 03:17:09PM +0700, Max Nikulin wrote:
> > So packet forwarding should be enabled on the computer.

sysctl net.ipv4.ip_forward

almost certainly enabled since you have the docker0 network interface

> > However I suspect an issue with IP addresses.

I was wrong.

> 2: enp3s0:  mtu 1500 qdisc fq_codel state UP group default qlen 1000
>     link/ether e0:d5:5e:73:c9:d3 brd ff:ff:ff:ff:ff:ff
>     inet 192.168.231.3/24 brd 192.168.231.255 scope global enp3s0
>
> [...]
>
> 3: wlxe8de27a5ab1c:  mtu 1500 qdisc noqueue state UP group default qlen 1000
>     link/ether e8:de:27:a5:ab:1c brd ff:ff:ff:ff:ff:ff
>     inet 192.168.0.16/24 brd 192.168.0.255 scope global dynamic wlxe8de27a5ab1c

looks consistent from router settings you posted earlier

> IP address: 192.168.231.5
> Subnet mask: 255.255.255.0
> Default gateway: 192.168.231.3
> DNS: 192.168.231.3


I hope, you have a DNS server running on this machine

dig debian.org @192.168.231.3

or

host debian.org 192.168.231.3

Check that you do not have blocking rules in firewall and that 
masquerading is enabled for your downstream link enp3s0


nft list ruleset

should have something like

table ip sharedconnection {
  chain postrouting {
    type nat hook postrouting priority srcnat; policy accept;
    ip saddr 192.168.231.3/24 ip daddr != 192.168.231.3/24 masquerade
  }
}

A tool for further debugging is tcpdump or wireshark.
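
Added example (not part of the thread, and not code from any poster): a Python check for the two things asked about above, whether the downstream subnet is masqueraded and whether a forward chain drops by default, run over `nft list ruleset` text. The sample is abridged from the output posted elsewhere in this thread; the function names are assumptions, and interface matches such as oifname are not evaluated.

```python
import ipaddress
import re

# Abridged from the `nft list ruleset` output posted in this thread.
SAMPLE_RULESET = """\
table ip nat {
    chain POSTROUTING {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "wlxe8de27a5ab1c" ip saddr 10.1.1.0/24 counter packets 192 bytes 11818 masquerade
        oifname != "docker0" ip saddr 172.17.0.0/16 counter packets 0 bytes 0 masquerade
    }
}
table ip filter {
    chain FORWARD {
        type filter hook forward priority filter; policy drop;
        oifname "docker0" ct state related,established counter packets 0 bytes 0 accept
    }
}
"""

CHAIN_RE = re.compile(r"^\s*chain\s+(\S+)\s*\{")
BASE_RE = re.compile(
    r"type\s+(\w+)\s+hook\s+(\w+)\s+priority\s+[^;]+;\s*policy\s+(\w+);")
SADDR_RE = re.compile(r"\bip saddr\s+(\S+)")


def parse_chains(ruleset_text):
    """Collect every chain with its type/hook/policy (base chains) and rule lines."""
    chains, current = [], None
    for line in ruleset_text.splitlines():
        stripped = line.strip()
        match = CHAIN_RE.match(line)
        if match:
            current = {"name": match.group(1), "type": None, "hook": None,
                       "policy": None, "rules": []}
            chains.append(current)
        elif stripped == "}":
            current = None                      # end of a chain (or of the table)
        elif current is not None and stripped:
            base = BASE_RE.search(stripped)
            if base:
                current["type"], current["hook"], current["policy"] = base.groups()
            else:
                current["rules"].append(stripped)
    return chains


def masquerade_covers(chains, subnet):
    """True if some nat/postrouting rule masquerades the whole source subnet."""
    wanted = ipaddress.ip_network(subnet)
    for chain in chains:
        if (chain["type"], chain["hook"]) != ("nat", "postrouting"):
            continue
        for rule in chain["rules"]:
            if not re.search(r"\bmasquerade\b", rule):
                continue
            src = SADDR_RE.search(rule)
            if src is None:
                return True                     # no source restriction on this rule
            try:
                # strict=False accepts host-style input such as 192.168.231.3/24
                covered = ipaddress.ip_network(src.group(1), strict=False)
            except ValueError:
                continue                        # negated match ("!=") or a set: skip
            if wanted.subnet_of(covered):
                return True
    return False


def forward_drop_chains(chains):
    """Forward-hook filter chains that drop by default; forwarded packets
    then need an explicit accept rule to pass."""
    return [c["name"] for c in chains
            if (c["type"], c["hook"], c["policy"]) == ("filter", "forward", "drop")]


def audit(ruleset_text, downstream_subnet):
    chains = parse_chains(ruleset_text)
    return {"masqueraded": masquerade_covers(chains, downstream_subnet),
            "forward_policy_drop": forward_drop_chains(chains)}


if __name__ == "__main__":
    # 192.168.231.0/24 is the network on enp3s0 in the posted `ip address list`.
    print(audit(SAMPLE_RULESET, "192.168.231.0/24"))
```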



Re: How do I connect my new wifi router (Mi Router 4C)?

2023-10-25 Thread Marco M.
On 25.10.2023 at 13:33:48, Martin wrote:

> On Wed, Oct 25, 2023 at 08:47:03AM +0200, Marco M. wrote:
> > 
> > Why don't you use DHCP like your phone does?  
> 
> Because I used this computer before I had WiFi and phone.

Why is it a problem to change it?
Do you really want to deal with manually addressing machines?

> > Show 
> > ip a  
> 
> I posted output of that command to Max Nikulin email.
> 
> (Do not want to post same info twice again as first email)

This is a mailing list, please keep the discussion here on the list and
do not send emails directly to subscribers. Nobody else can read them.



Re: Domain name to use on home networks

2023-10-25 Thread Marco M.
On 25.10.2023 at 07:25:45, gene heskett wrote:

> Is there an RFC number for this already?

ftp://ftp.rfc-editor.org/in-notes/rfc8375.html



Re: Domain name to use on home networks

2023-10-25 Thread Marco M.
On 25.10.2023 at 12:17:40, Joe wrote:

> On Wed, 25 Oct 2023 09:01:18 +
> Michael Kjörling <2695bd53d...@ewoof.net> wrote:
> 
> 
> > 
> > I see lots of people in this sub-thread arguing for
> > cobbled-together, "it works for me for now and if it breaks I'll
> > just fix it later" style solutions.
> > 
> >  
> 
> Not arguing about anything else, but this situation you describe is
> how IT works, and will continue to work until it stabilises, maybe a
> century from now.

Avoiding mistakes by using it as designed is much better than repairing
it years later.



Re: How do I connect my new wifi router (Mi Router 4C)?

2023-10-25 Thread Martin
On Wed, Oct 25, 2023 at 08:47:03AM +0200, Marco M. wrote:
> 
> Why don't you use DHCP like your phone does?

Because I used this computer before I had WiFi and phone.

> Show 
> ip a

I posted output of that command to Max Nikulin email.

(Do not want to post same info twice again as first email)

Martin



Re: Domain name to use on home networks

2023-10-25 Thread gene heskett

On 10/25/23 05:01, Michael Kjörling wrote:
> On 25 Oct 2023 07:32 +0200, from m...@dorfdsl.de (Marco M.):
> > > TLD '.lan' works.  As best I can tell on the web, it doesn't exist.
> >
> > Is it intended for that?
> > No?
> > Then don't use it. It can be used in the future for public domains.
>
> Exactly.
>
> I see lots of people in this sub-thread arguing for cobbled-together,
> "it works for me for now and if it breaks I'll just fix it later"
> style solutions.
>
> "home.arpa" is _reserved specifically_ for almost exactly the purpose
> we're talking about: local (for example residential) use where one
> does not want to pay for a domain name and/or does not need globally
> unique names.
>
> If you have anyway, or are willing to pay for, a domain name that you
> can use for the purpose, great; all that power to you.
>
> But most home users aren't in that situation. For those people,
> "home.arpa" is _the official_ answer. It's not something I've made up.
> There's an RFC, there's a corresponding domain name reservation, it's
> specifically set up so that it won't break for example DNSSEC, and
> that RFC is a _PROPOSED STANDARD_ which is pretty much as officially
> sanctioned as things get on the public Internet. (I think IPv4 has the
> status of STANDARD.)
>
> Just like you shouldn't pick some IP address range at random for your
> LAN if you want hosts on that LAN to be able to communicate unimpeded
> with hosts on the Internet, you shouldn't randomly pick a domain name.
> Using a domain name (or IP address range) which is reserved for
> examples and documentation likely won't break anything important, but
> it _will_ cause confusion (as evidenced earlier in this thread).
>
> If you go with the domain name home.arpa and an IPv4 subnet sliced out
> of one of 192.168.0.0/16, 172.12.0.0/12 or 10.0.0.0/8, you can be
> _almost certain_ that nothing will break because of those choices, now
> _or_ in the future.

This thread is the first I've heard of home.arpa as a domainname for
internal lan's. It s/b easy enough to switch my local lan to that since
only the domainname changes. The alias shouldn't need changed.

Is there an RFC number for this already?

> None of the other alternatives I've seen proposed in this thread can
> offer anything like such guarantees.

Thank you for this clarification.

Cheers, Gene Heskett.
--
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author, 1940)
If we desire respect for the law, we must first make the law respectable.
 - Louis D. Brandeis



Re: How do I connect my new wifi router (Mi Router 4C)?

2023-10-25 Thread Martin
On Wed, Oct 25, 2023 at 03:17:09PM +0700, Max Nikulin wrote:
> On 25/10/2023 15:04, Anssi Saari wrote:
> > You have some kind of mysterious internet connection from something.
> > That needs to connect to the router's WAN port.
> 
> My guess is the following:
> 
> - Source of weak WiFi
> - WiFi booster
> - WiFi adapter in computer
> - ethernet port in computer
> - ethernet port of Mi router
> - WiFi provided by Mi router
> - WiFi adapter inside the phone
> 
> So packet forwarding should be enabled on the computer. However I suspect an
> issue with IP addresses. Martin, please, provide output of
> 
> ip address list

You are absolutely correct with your guess - although it took me
some time to understand what you are talking about - which is all my
fault.

here is result of 'ip address list' and also 'ip route' command:

$ ip address list
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute
       valid_lft forever preferred_lft forever
2: enp3s0:  mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether e0:d5:5e:73:c9:d3 brd ff:ff:ff:ff:ff:ff
    inet 192.168.231.3/24 brd 192.168.231.255 scope global enp3s0
       valid_lft forever preferred_lft forever
    inet6 fe80::e2d5:5eff:fe73:c9d3/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever
3: wlxe8de27a5ab1c:  mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether e8:de:27:a5:ab:1c brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.16/24 brd 192.168.0.255 scope global dynamic wlxe8de27a5ab1c
       valid_lft 535000sec preferred_lft 535000sec
    inet6 fe80::eade:27ff:fea5:ab1c/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever
4: docker0:  mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:42:5b:a7:3b brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
5: br-7bfdce95ff27:  mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:52:ec:22:75 brd ff:ff:ff:ff:ff:ff
    inet 172.18.0.1/16 brd 172.18.255.255 scope global br-7bfdce95ff27
       valid_lft forever preferred_lft forever
6: tun0:  mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none
    inet 10.1.1.1/24 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::f84d:e9fc:4ea5:f7fa/64 scope link stable-privacy proto kernel_ll
       valid_lft forever preferred_lft forever

$ ip route
default via 192.168.0.1 dev wlxe8de27a5ab1c
10.1.1.0/24 dev tun0 proto kernel scope link src 10.1.1.1
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
172.18.0.0/16 dev br-7bfdce95ff27 proto kernel scope link src 172.18.0.1 linkdown
192.168.0.0/24 dev wlxe8de27a5ab1c proto kernel scope link src 192.168.0.16
192.168.231.0/24 dev enp3s0 proto kernel scope link src 192.168.231.3



Re: Domain name to use on home networks

2023-10-25 Thread Joe
On Wed, 25 Oct 2023 09:01:18 +
Michael Kjörling <2695bd53d...@ewoof.net> wrote:


> 
> I see lots of people in this sub-thread arguing for cobbled-together,
> "it works for me for now and if it breaks I'll just fix it later"
> style solutions.
> 
>

Not arguing about anything else, but this situation you describe is how
IT works, and will continue to work until it stabilises, maybe a
century from now.

I have web pages on my home intranet written anything up to twenty
years ago. The versions of HTML, PHP, Perl etc that I used in many of
them are long obsolete. To do things right, I ought to go over that code
line by line every year or two, checking current documentation to see
what's deprecated, find out how to workaround it and fix it.

Life's too short. So when I use a page I haven't used for years,
there's a good chance it won't work, and I'll have to fix it then. So
be it.

Scale that up, and it's how the whole of IT works. Inevitably, things
will break, hardware and software won't work on new operating systems,
and so on. We have to live with it. Yes, it's nice to do things exactly
correctly, but they are only exactly correct today. Tomorrow, they may
be deprecated, and eventually removed.

The exact situation you address may be set in stone for all time. Or it
may not: it can be changed on a whim. All we can do is make the best
choice at the time, and even then we have to guess at how much time we
need to spend researching it in order to have a better choice than we
can see now, and whether it's worth doing that when we don't even know
that there is a better choice possible.

-- 
Joe



Re: Domain name to use on home networks

2023-10-25 Thread Michael Kjörling
On 25 Oct 2023 07:32 +0200, from m...@dorfdsl.de (Marco M.):
>> TLD '.lan' works.  As best I can tell on the web, it doesn't exist.  
> 
> Is it intended for that?
> No?
> Then don't use it. It can be used in the future for public domains.

Exactly.

I see lots of people in this sub-thread arguing for cobbled-together,
"it works for me for now and if it breaks I'll just fix it later"
style solutions.

"home.arpa" is _reserved specifically_ for almost exactly the purpose
we're talking about: local (for example residential) use where one
does not want to pay for a domain name and/or does not need globally
unique names.

If you have anyway, or are willing to pay for, a domain name that you
can use for the purpose, great; all that power to you.

But most home users aren't in that situation. For those people,
"home.arpa" is _the official_ answer. It's not something I've made up.
There's an RFC, there's a corresponding domain name reservation, it's
specifically set up so that it won't break for example DNSSEC, and
that RFC is a _PROPOSED STANDARD_ which is pretty much as officially
sanctioned as things get on the public Internet. (I think IPv4 has the
status of STANDARD.)

Just like you shouldn't pick some IP address range at random for your
LAN if you want hosts on that LAN to be able to communicate unimpeded
with hosts on the Internet, you shouldn't randomly pick a domain name.
Using a domain name (or IP address range) which is reserved for
examples and documentation likely won't break anything important, but
it _will_ cause confusion (as evidenced earlier in this thread).

If you go with the domain name home.arpa and an IPv4 subnet sliced out
of one of 192.168.0.0/16, 172.12.0.0/12 or 10.0.0.0/8, you can be
_almost certain_ that nothing will break because of those choices, now
_or_ in the future.

None of the other alternatives I've seen proposed in this thread can
offer anything like such guarantees.

-- 
Michael Kjörling 🔗 https://michael.kjorling.se
“Remember when, on the Internet, nobody cared that you were a dog?”
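
As an added illustration of the argument in the message above (not code from the poster or from any Debian tool), the following Python classifies a proposed home-network domain and IPv4 subnet against the reservations involved: RFC 8375 for home.arpa, the RFC 2606 example names, RFC 6762 for .local, the RFC 1918 private blocks as published, and the RFC 5737 documentation blocks. The function names and result labels are assumptions made for this example; a domain you have registered yourself is reported as "unreserved" because ownership cannot be checked offline.

```python
import ipaddress

# Special-use names: RFC 8375 (home.arpa), RFC 2606 (example names),
# RFC 6762 (.local belongs to multicast DNS).
HOME_DOMAIN = "home.arpa"
DOC_DOMAINS = ("example", "example.com", "example.net", "example.org")
MDNS_DOMAIN = "local"

# RFC 1918 private-use blocks and RFC 5737 documentation blocks.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DOC_NETS = [ipaddress.ip_network(n) for n in
            ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24")]

def under(name, suffix):
    """True if name equals suffix or is a subdomain of it (label-aligned)."""
    return name == suffix or name.endswith("." + suffix)

def classify_domain(domain):
    """Label a domain by the reservation it falls under, if any."""
    name = domain.strip().rstrip(".").lower()
    if under(name, HOME_DOMAIN):
        return "reserved-home"      # set aside for exactly this use
    if any(under(name, d) for d in DOC_DOMAINS):
        return "documentation"      # resolves nowhere useful, confuses readers
    if under(name, MDNS_DOMAIN):
        return "mdns"               # collides with multicast DNS resolution
    return "unreserved"             # made-up TLD (.lan) or a registrable name

def classify_subnet(cidr):
    """Label an IPv4 network given in CIDR notation."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError:
        return "invalid"            # malformed, or host bits set in the prefix
    if net.version != 4:
        return "not-ipv4"
    if any(net.subnet_of(p) for p in PRIVATE_NETS):
        return "private"
    if any(net.subnet_of(d) for d in DOC_NETS):
        return "documentation"
    return "public-or-other"        # may shadow real hosts on the Internet

def review_plan(domain, cidr):
    """Return (uses_only_reserved_choices, domain_label, subnet_label)."""
    d, s = classify_domain(domain), classify_subnet(cidr)
    return (d == "reserved-home" and s == "private", d, s)
```
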



Re: Network tcp/iptables issue with XRDP

2023-10-25 Thread Anssi Saari
Henggi  writes:

> Oh wow… that’s interesting. I had no idea about „nft“ (I just knew 
> „iptables-nft“) which seem to be very different.
> I think I have to dig down where those „nft“ rules are coming from while 
> iptables-nft is completely empty. Thanks, great clue!

Typically you'd have a /etc/nftables.conf with the rules for nft. Or at
least that's what I do.



Re: How do I connect my new wifi router (Mi Router 4C)?

2023-10-25 Thread Max Nikulin

On 25/10/2023 15:04, Anssi Saari wrote:
> You have some kind of mysterious internet connection from something.
> That needs to connect to the router's WAN port.


My guess is the following:

- Source of weak WiFi
- WiFi booster
- WiFi adapter in computer
- ethernet port in computer
- ethernet port of Mi router
- WiFi provided by Mi router
- WiFi adapter inside the phone

So packet forwarding should be enabled on the computer. However I 
suspect an issue with IP addresses. Martin, please, provide output of


ip address list



Re: How do I connect my new wifi router (Mi Router 4C)?

2023-10-25 Thread Anssi Saari
Martin  writes:

> Hello,
>
> With wifi antenna I receive a (rather weak) signal that connects my
> computer to internet. I have to use windsurfer antenna booster
> (http://members.multiweb.nl/schaaijw/windsurfer_wifi_en.pdf)
> to get usable signal. So my computer has internet signal from
> wifi antenna - yay great thing :)
>
> Now I also want to connect to internet with my mobile phone!

You mean you want to use some unspecified wifi signal with your phone
also? Share the connection to your phone and computer? The link to this
"windsurfer" doesn't work so it's a little hard to help if you can't
describe what you have.

> As it turns out I am not so bright to make this whole setup working :(
> I plugged in new router to power and connected ethernet cable from my
> computer to router WAN connection. (I believe this is how it should be
> connected together)

The WAN connection is for the internet, not your computer. It says as
much in the Xiaomi manual.

> While I was setting up router as described in
> https://manuals.plus/_mi/mi-router-4c-manual
> in Step 2 (point 3) it said I do not have internet.
> So I choose to manually set up 'Static address' for
> router as follows (my computer has IP address 192.168.231.3):
>
>  IP address: 192.168.231.5
> Subnet mask: 255.255.255.0
> Default gateway: 192.168.231.3
> DNS: 192.168.231.3
>
> After all this setup I could issue those commands on my desktop:
>
> (this is my desktop IP address - just to show it works)

So you created a LAN between your computer and the router.

> I hope someone will be able to give me some hint how to solve
> this issue and be able to connect to internet from router - and
> connected phone.

You have some kind of mysterious internet connection from
something. That needs to connect to the router's WAN port.



Re: A file synchronization tool that respects hardlinks

2023-10-25 Thread Itay
On Tue, 24 Oct 2023, at 17:19, Itay wrote:
> 
> 
> On Sun, 22 Oct 2023, at 21:10, Charles Curley wrote:
> > On Sun, 22 Oct 2023 17:40:43 +0300
> > Itay  wrote:
> >
> >> According to Wikipedia[4] the following tools are bidirectional:
> >>  FreeFileSync / NextCloud / Owncloud / SyncThing
> >> Please -- can someone quickly tell me if they respect hardlinks?
> >> Or recommend another tool(s) that respect hardlinks?
> >
> > I can tell you that nextcloud and syncthing do not appear to respect
> > hard links. They will copy two hard linked files (the same inode), but
> > on the receiving computer the files will not be hard linked.
> >
> > I suspect the same for owncloud, as nextcloud is a fork of owncloud.
> >
> 
> Thank you.  Your answer narrows down the options to FreeFileSync.
> I'll search the documentation.

According to FreeFileSync forum the tool does *not* respect hardlinks[1,2].
However, in the same forum they recommend the commercial tool SynCovery[2,3].
There are downloads packaged for Debian, and a free one month trial.
Haven't tried it, yet.

My thanks to all the responders.

[1] freefilesync.org/forum/viewtopic.php?t=6087&hilit=hardlinks#p20016
[2] freefilesync.org/forum/viewtopic.php?t=6633&hilit=hardlinks
[3] https://www.syncovery.com/

> 
> > -- 
> > Does anybody read signatures any more?
> >
> > https://charlescurley.com
> > https://charlescurley.com/blog/