computergeek125 @ computergeek125 @lemmy.world

Posts

0

Comments

255

Joined

2 yr. ago

I do not have an answer for that. But if you only plan to read one part of my answer I would suggest reading the last sentence of my response instead of the first. Can't help you if you don't tell me what's wrong.

As an IT Engineer this concept frankly terrified me and feels like your opening yourself up to a potential zero click attack - such as https://threatpost.com/apple-mail-zero-click-security-vulnerability/165238/

So my initial answer is an emphatic "please do not the ZIP". It could be as mundane as a ZIP bomb, or it could explain a vulnerability in the operating system or automatic extraction program. Having a human required to open the ZIP prior to its expansion reduces its attack surface area somewhat (but not eliminates it) because it allows the human to go "huh this ZIP looks funny" if something is off, rather than just dispatching an automated task.

With that out of the way - what's your use case with this? There has to be a specific reason your interested in saving a few clips here on one highly specific archive format, but not others like the tar unix archive, 7z, or RAR.

ZIP bomb is definitely among the most mundane of issues you could cause yourself by automatically unzipping a compressed archive.

Why immediate jump to IT mode? Sure ZFS is great but running ZFS takes a decent chunk of RAM for cache.

https://tenor.com/7cqP.gif

I get the statement you're trying to make here - serving the name of a platform you dislike with the same reverence as he-who-must-not-be-named in Harry Potter (Voldemort) - but all you've done is obfuscate the search engine. Now if someone is skimming for information on the platform via search, you've hidden your comments and post from someone who might find your perspective useful. No one is going to try 15 ways of spelling a platform name (except maybe trying stackoverflow with and without spaces). Internet users are pretty lazy.

Why are you redacting platform names like it's profanity? My brain keeps trying to read it as markdown....

No I can't say I'm excited for an OS that will undoubtedly contain first-party spyware

Ah yes the Floridan swamp cat

I've only had issues with embedded serial consoles and things where you have to swap ctrl-h/? for backspace. But usually it's solvable with key mapping.

Also you mention vi/m but insert is red? That's the toggle switch between insert and replace mode (i vs shift-R)

If Unity had a problem with VLC playing copyrighted content they should have said so, not issued a takedown on LGPL grounds. Regardless of whether they're right or not from a lawyer perspective, it's a bad look for Unity to show the double standard here.

I really only clicked on this to see if there were one you found interesting. Plenty of old interesting protocols and lots that probably can't survive in a NAT/PAT environment like we have today, reducing us to a handful of IP protocol numbers that we actually use day to day. If you exclude routing equipment, that number is even less.

There's just no prompt here. I for one love rabbit holes but where to even start here?

I'm probably the overkill case because I have AD+vC and a ton of VMs.

RPO 24H for main desktop and critical VMs like vCenter, domain controllers, DHCP, DNS, Unifi controller, etc.

Twice a week for laptops and remote desktop target VMs

Once a week for everything else.

Backups are kept: (may be plus or minus a bit)

• Daily backups for a week
• Weekly backups for a month
• Monthly backups for a year
• Yearly backups for 2-3y

The software I have (Synology Active Backup) captures data using incremental backups where possible, but if it loses its incremental marker (system restore in windows, change-block tracking in VMware, rsync for file servers), it will generate a full backup and deduplicate (iirc).

From the many times this has saved me from various bad things happening for various reasons, I want to say the RTO is about 2-6h for a VM to restore and 18 for a desktop to restore from the point at which I decide to go back to a backup.

Right now my main limitation is my poor quad core Synology is running a little hot on the CPU front, so some of those have farther apart RPOs than I'd like.

Yeah it got missed

That would explain why I was confused

It's a perspective trick - they're not close as you think they are, and the United plane carries more than double the passengers of the closer Alaska.

1. Where is the server located? Are you looking at an intranet location or internet?
2. Is the client connected to the VPN concentrator via IPv4 or IPv6?
3. Is the VPN concentrator connected to the server via IPv4 or IPv6?

What you ask may be possible depending on those answers.

Going to summarize a lot of comments here with one - VPNs are very powerful tools that can do lots of things. Traffic can be configured to go in several directions. We really have to know more about your use case to advise you as to what config you might need.

Going to just write a ton of words on paper here - OP, let me know if any of this sounds like what you're trying to do, and I can try to give a better explanation (or if something was confusing, let me know).

VPN that uses the client's IP when sending data out of the VPN server

That's the specific sentence I'm getting caught on myself. It could mean several things, some of which have been mentioned, some haven't.

• Site to site VPN: Two (generally) fixed devices operate a VPN connection between them and utilize some form of non-NAT routing so that every child device behind each site sees it's "real" counterpart without getting NATed. However, NAT is typically still configured for IPv4 facing the internet, so each device shows an internet "exit IP" matching the site it's on. Typically, the device with the most powerful / most stable / most central / least restrictive would be the receiver, while the other nodes would be initiators pointed to that receiver. In larger maps, you could build multiple hub/spoke systems as needed.
• Sub-type of site to site possible: where one site tunnels all of its data over to the second site, and the second site is the one that provides NAT. This is similar in nature to how GL.Inet routers operate their VPN switch, but IMHO more powerful of you have greater control over the server compared to subscribing to a public VPN service. Notably for you example, the internet NAT exit device can be either the initiator or the receiver.
• Normal VPN but without NAT: this is another possible expansion of what you've written, with one word adjusted - it operates the VPN but preserves the client IP as it's entering the network. This is how most corporate remote access VPNs operate, since it would be overloaded and pointless to have every remote worker from a small pool of IP addresses when you don't even need to use a NAT engine for intranet.

My remote access VPN for my home lab is of the latter type, and I have a few of the sites to site connections floating around with various protocols.

For mine, I have two VPN servers: one internal server that works tightly with my home firewall, and one remote server running inside a VPS. Both the firewall and VPS apply NAT rules to egress traffic, but internal bound traffic is not NATed and simply passed along the site to site connections to wherever it needs to go. My home-side remote access VPN is simply a "dumb" VPN server that has the VPN protocol port forwarded back to it and passes almost raw traffic to the firewall for processing.

For routing, since each VPN requires its own subnet, I use FRR with a mixture of OSPF and iBGP (depending on how old the link is)

For VPN protocols, I currently am using strongSwan for IPsec, but it's really easy to slap OpenVPN onto that routing stack I already set up and have the routes propagate inward.

Several paragraphs of licensing drama

Thank you for reminding me of the name of that webcomic

I followed it years ago and had quite forgotten when it was lost to a tab on a dead computer.

Even Opera is now Chrome....