marauding_gibberish142 @ marauding_gibberish142 @lemmy.dbzer0.com

Posts

16

Comments

399

Joined

4 mo. ago

I see. But does the installation cover hardening steps like hardened_malloc, permission hardener, kernel self-protection etc?

I had looked into openstack a while back but left it thinking it was too complex. I was looking at Apache's Cloudstack then.

I see now that a contributor has got Debian in the official list of supported distributions. Which means my distro-morphing idea should work in theory with OpenStack. This is a great idea, thanks. I will look at OpenStack more seriously now. Does look like it will need some effort though

No, I do not trust my computers that much. Quite unfortunate, really that I'll have to build a whitebox switch to get what I want

I never considered tailscale for my LAN, but it's certainly an intriguing idea. I suppose running Headscale as a VM on my router isn't that difficult. Thank you, I will think about it a bit more

Thanks

asking for people to solve a solved problem

Solved using devices that run proprietary software (which is, I imagine, frowned upon in such communities) which we don't control at all. Heck, even Mikrotik who has a good rapport with this community uses a proprietary Linux distro with a severely outdated kernel for their devices. For something as critical as internal networking, I'm surprised I do not see more dialogue on improving the situation.

Let me try and explain the problem. I want to build a setup where I have multiple clustered routers (I'm sure you've heard of the clustering features in PFSENSE/OPNSENSE/DIY approach using Keepalived). But if I want to use VLANs without using a switch running god-knows-what under the hood, I'm going to need a LOT OF ports. Unfortunately, 6+ port PCIe cards are quite expensive and sometimes have many other problems.

This is why I'm trying to find simpler solution. The solution that you mention doesn't seem to be a solution at all, but just the community giving up on trying to find one and accepting what is given. I was hoping for a better outcome.

I'm using Cisco terminology so it likely means VLAN trunking unfortunately (unless I missed something)

Thank you for that. I'd also like to ask you: is that a possibility too if one were to configure a trunk port on a switch and plug the PCs in?

Hmm, so virtual interfaces on the router won't work? I admit I'm a bit stumped, would you be able to give me an ELI5 on why this is the case? I will try and read up more, of course

The computers will be running OpenBSD. I am researching hardening methods for them and also seeing if it is feasible for me to get Corebooted hardware. I didn't mention it because I didn't think it was important.

I feel like my post is being taken very negatively with people finding faults in my words rather than in the networking concept. Would you happen to know why?

Thanks but as I mentioned that will not scale. I'm interested in if separating computers by subnets will work. Have you tried something like this?

It's not that they are expensive, it's that they run archaic proprietary OSes which the consumer cannot control. I cannot trust such a switch when the rest of my network depends on it. Please let me know if something in the post didn't make sense.

Thank you for the wonderful comment. I am talking about the operating system (Debian vs CentOS if I remember correctly) when I mention Hardening.

I haven't seen a concrete example of anyone applying CIS policies on the XCP-NG base, neither have I seen any mentions of securing the XCP-NG base by companies using them in production. I understand that having a walled-off dom0 is great and I like that about Xen, but not seeing dialogue on base OS level security is making me a bit uncomfortable about XCP-NG. Not sure if it is immutable, if it is then that would relieve some of my worries.

Personally, I think Proxmox is somewhat unsecure too. I believe something like following relevant STIG recommendations, kernel self-protection, hardened malloc and other things (there's a huge list but I'll be brief) should be essential. Ideally I would've preferred that the Proxmox project took some of the measures that the Kicksecure project does in hardening debian but I don't see any mention of something like that. If I end up wanting to run Proxmox, I'll install Debian, distro-morph it to Kicksecure and then follow the instructions for Proxmox (not sure how I'll keep from using the Proxmox custom kernel but we'll see).

Works. I mentioned those two since they seem to have the best privacy policy

Why aren't you just using Kodi?

Mostly Kubernetes and sometimes podman

Get a VPN using cash/XMR (Mullvad/IVPN), and then either use them directly or over TOR to create the account.

I need to watch this Defcon talk

Personally, Framework has become a bit too expensive for me. If you're in the US I'd look at the older Dell precision and HP ZBook workstations from 2020 or earlier, they have amazing specs and go for $400 or so. Fairly repairable because enterprises demanded that they be and gobs of power for anything you want.

Older MacBooks still have that darned WiFi card which you need special proprietary drivers for. And basically nothing in that chassis is standard; everything is Apple-specific if you want to repair it. I don't recommend MacBooks