I honestly love the new nested replies in email chains they added to the inbox view a few months ago. It makes a messy inbox so much less messy looking

Honestly that can be a good thing, especially if you have more than one windows PC in your household, it’s only downloading them once then sharing the updates about over the LAN

I acquired an ewaste laptop with a 5+ year old Celeron, 4GM of RAM and a spinning rust drive. I tossed mint on there after fighting with Windows update to try to apply 3 years worth of updates and while the installer took 2 hours to complete, it actually is a bit more usable and once it’s booted it’s amusingly chirpy with random slowdowns whenever it has to hit the disc for data.

I might set it up as my daughter’s first computer. She’s getting to that age already so it’s about time to do it

I got one for work. It literally just pastes into ChatGPT

The thing I don’t like about laptops are 1. Noise and 2. The bursty CPUs just don’t mesh well if I want to run a swarm of VMs or need to just run a big compress/decompress process. I watched one laptop slowly throttle itself all the way down to 700mhz while I was messing with a bunch of VMs and it really made me miss having a desktop where it can just chill at 5x the speed at 100% utilization and chew through whatever is being thrown at it

I tossed mint on a PC after about 8 years of not using mint at all and I’ve been extremely impressed at how stable and friendly it is. It works exactly how you expect it to and Cinnamon has the best default workspace implementation of any DE I’ve used

get hyped for COSMIC

Honestly I’m just excited for a non-gnome DE with an actual company backing it. I can’t wrap my head around gnome’s expectations for how you use it, so the fact that it’s the default on every enterprise-backed Linux project is annoying as heck

I have two different ISPs serving the entire town I live in, both offering symmetric gigabit fiber to the home to the entire town, but can I get a lick of IPv6? Of course not!

Huh! Thank you very much for the detailed answer that’s extremely interesting!

Checking nmap’s documentation it looks like it’s perfectly possible to detect open udp ports

You should NOT have a WG tunnel from the home network to the VPS with fully unrestricted access to everything.

This is what I came here to make sure was said. Use your firewall to severely restrict access from your public endpoint. Your wiregaurd tunnel is effectively a DMZ so firewall it off accordingly

The really nice thing about tailscale for accessing your hosted services is absolutely nothing can connect without authentication via a professionally hosted standard authentication, and there’s no public ports for script kiddies to scan for, spot and start hammering on. There’s thousands of bots that do nothing but scan the internet for hosted services and then try to compromise them, so not even showing up on those scans is a good thing.

For example, I have tailscale on my Minecraft server and connect to it via tailscale when away from home. If a buddy wants to join I just send a link sharing the machine to them and they can install tailscale and connect to it normally. If for some reason buddy needs to be cut off, I can just stop sharing to that account on Tailscale and they can no longer access the machine.

The biggest challenge of tailscale is also it’s biggest benefit. Nothing can connect without connecting through the tailscale client, so if my buddy can’t/won’t install tailscale they can’t join my Minecraft server

My dad switched for vista, I switched for 10 for a while. Who knows, maybe I’ll switch for 11 too

Evidence suggests those that can tolerate lactose as adults are descended from farmers who drank milk to survive during seasons of bad yields.

Milk is full of great vitamins and minerals. I haven’t verified this claim but I heard someone say recently a person can entirely meet their entire nutritional needs on purely milk and potatoes, which doesn’t sound super pleasant to have as a diet, it’s certainly an easy baseline to meet

They usually have the milk on hand for cooking, or just the kids menu. If my family of 4 can easily go through 2 gallons a week, I can’t imagine a resteraunt having problems using up milk before it goes bad unless they over-purchase

I’ve never had that problem. I basically always order milk anytime I eat out. Sometimes they only give me a kids portion or even a kids cup (it was extra funny when my wife ordered it for me and I was away from the table changing a diaper while visiting family), but usually I get a full glass of milk

No problem! I’m just an information sponge and I’ve lucked out with really good mentors so far in my career to learn from

So from my experience you generally will have different zomes of security. Outside Internet is obviously entirely untrusted so block every incoming connection except those you really need, and even then ideally all remain blocked (especially for a home network). Then you generally have your guest network which might need access to some hosted resources but is largely just used by guests to connect to the internet, next is your client network where your computer likely lives which probably gets access to all hosted resources but no management access (or depending on how much you want to trust your primary PC, limit that to just your main PC) and finally your datacenter network where you hopefully trust everything running in there.

You generally work with these zones and write rules based on the zone the traffic is coming from, with some exceptions, such as I might not want to give the guest network any access to my data center network, except for access to my jellyfin so I’ll create a rule allowing only tcp web traffic from that network to a specific port on a specific IP/hostname.

A common way to achieve this is with a DMZ network, a network that sits between all of your networks and relies heavily on routing and firewalls. Public services and routers get IP addresses on the DMZ, and your firewall only allows specific paths. The outside Internet can open connections to the web ports of the web server and nothing else, the web server can’t open connections to your other networks, only specific machines/networks are allowed to access the SSH port of the web server, etc. the DMZ is where trusted and untrusted connections mix, hence why its named after the zone that belongs to both North and South Korea where both are allowed but also neither are allowed, where one only goes with specific purpose and explicit permission

I was a bit hesitant to do firewall rules based off of IP addresses, as a compromised host could change its IP address

Realistically any identifier you can write firewall rules based off of can be forged in some way. A rogue machine can change it’s host name, IP address and MAC address (and many do randomize their MAC address these days) in enterprises this is generally mitigated through limiting a network to only Ethernet access or via 802.1X authentication on WiFi and potentially even Ethernet. (You can also take the approach of MAC address whitelists, and some switches even allow for “sticky” MAC addresses where the first MAC address that connects is whitelisted until either the switch is rebooted or an administrator explicitly clears/allows the MAC address)

However, if each host is on its own VLAN, then I could add a firewall rule to only allow through the 1 “legitimate” IP per VLAN

You could go crazy and do everything at L3 (which your idea is basically doing but with extra steps) but that sounds like far more effort than it’s worth, since now you’re making every client also act as a router, and you lose a ton of efficiency both in configuration and in routing & switching, plus you’ve now changed the type of threats you’re vulnerable to.

Generally in the enterprise, risks like what you’re trying to mitigate are handled through reporting. An automated alert email is sent when a new device connects to a network that should never have new devices connect to it, then you kill the connection and verify with the team of that was any of them and investigate if it wasn’t.

Realistically as a home network your threat model is automated scripts and maybe a script kiddie trying to get in. You really just need higher than average security to mitigate such a threat model (and average security is a shit show)

I feel like I may have to allow a couple CT/VMs to communicate without going through the firewall simply for performance reasons. Has that ever been a concern for you?

Security is always a trade off of convenience and speed. You have to decide what is an acceptable compromise between security and efficiency

Generally anything virtual when you aren’t sure what to do, you should look at what the physical solution would be. For example, network storage is very bandwidth intensive, latency sensitive and security intensive. This is usually secured at the physical level as a separate network with no routers so that most security can be disabled. So at the virtual level these would be tackled with a separate virtual network connected to a second interface, and firewall rules on other interfaces to disallow incoming and outgoing connections to the storage network

Edit: I just realized I never answered your first question. In short, from what I’ve seen most enterprises put one firewall from a vendor like Fortinet, Zscaler, Palo Alto, etc. right on the edge of the network closest to the internet then either entirely rely on that for firewall or rely on that for firewalling off the outside Internet then do additional firewalling with a different tool inside the network. For example, a bank I worked at had a pair of redundant L3 switchs (Nexus N9ks specifically) which handled all of the routing for all of the bank’s networks, and connected between those and the internet was the Fortinet box which was managed by an outside vendor and while i was there as part of hardening ahead of a scheduled red team audit we setup firewall rules (I’m blanking on the Cisco term for it, but they’re ultimately just firewall rules) on the L3 switches to limit access to more sensitive networks and services

It really sounds like you need to dive into firewall rules. Generally you lean on your firewall to allow and restrict access to services. Probably the easiest place to start is to setup pfsense/opnsense since it has a really clean interface for setting up rules. Proxmox’s built in firewall is nice too, but configuring the firewall per VM would probably get annoying and difficult after a while

And as you learn more about firewalls learning how subnetting works will allow for more efficient rules (for example, if you have 192.168.0.0/23 192.168.2.0/24 and 192.168.3.0/ 24 for your networks that you’re allowing traffic to/from you can just enter one firewall rule for 192.168.0.0/22 rather than 3 separate rules)

I think the worst part is they entirely ignored the most painfully obvious solution of implementing a “reddit plus” or “reddit premium” or “reddit red” and just gated third party app access behind a $9.99/mo subscription. I have a hard time believing most reddit users’ ad views are worth anywhere near that much per month. But instead they decided to burn a significant sum of goodwill on questionable premises and pissed off a significant number of power users.

The feeling I got from all of the communications was that /u/spez was jealous of Apollo and just wanted to kill off Apollo. Which would explain why they took such a scorched earth approach in trying to kill all third party apps