tofubl @ tofubl @discuss.tchncs.de

Posts

5

Comments

188

Joined

2 yr. ago

Do you mean these options under Interfaces > WAN? I have them disabled after they did show up as a block in the log.

Further digging: The request reaches the docker container, which returns 200 OK.

my-apache-app | 2024-02-09T12:53:22.925676854Z 192.168.0.123 - - [09/Feb/2024:12:53:22 +0000] "GET / HTTP/1.1" 200 161

What is going on here? Do I need some rules in the other direction, on top of "Automatic outbound NAT rule generation"?

And here's what this request looks like in the firewall log:

Can you please elaborate? Who's restricting 192.168.0.x? It's not actually WAN, right? It's just a local network I connected the firewall to.

Like this?

    
~$ curl 192.168.0.136:8888
curl: (56) Recv failure: Connection reset by peer


  

Here's some more: From behind the firewall (i.e. from a 10.0.0.x IP) the port forward works (which would be a reflection, I suppose?).

From in front of the firewall, I get "connection reset", which I interpret as somewhat working but then breaking somewhere else. Does that make sense?

i times i is -1, though. Imagine that!

My post title was going to be "firewall noob vs. double NAT", but I'm too much of a noob to tell if that's where the problem is. 😅

Edit: plus, is it actually a double NAT if I try to port forward into 10.0.0.x from 192.168.0.x? I'm only crossing one NAT, no?

The docker01 alias is a host alias with 10.0.0.22 and there's an apache test container running on port 8888.

I have created a pass any in rule on WAN (just until I figure out what's wrong)

In firewall > settings > advanced, I have set "reflection for port forwards" and "automatic outbound Nat for reflection" although I'm not sure if that is needed.

Is there any other info I can provide?

I am trying to learn in a safe environment without breaking my existing network. It's not actually a WAN, except from the firewall's point of view.

Could you please elaborate how you do the honeypotting?

Love it. Thanks for bringing it up.

You mean like the AIO image, the one officially supported way to install Nextcloud?

But if you want to tune it, I'm afraid you'll have to run sudo tune once per waking hour.

This sounds interesting.

I use docker in vscode for latex. It saves me the trouble of having to install texlive on my system. I have a task defined that mounts my sources in and runs the compilation in the container.

Would love to hear about your work flow.

Very anecdotally, I saw a little speed improvement but not all that much. DB size increased a bit. I'll be sticking with it for the time being because why not.

They will be delighted to hear it.

That makes sense. If you start out without any of those I'm sure it's night and day.

Thanks for the additional input!

I don't think you'll do yourself any favours setting it up on Windows directly. How about docker+wsl2?

Yeah, I saw that but wanted to take it step by step as not to break everything all at once. 😉

Here's a cool article I found on Nextcloud performance improvements, and connecting Redis over Unix sockets gave me a more substantial performance improvement than migrating to Postgres. Very happy I fell down this rabbit hole today.

To note if you're following the tutorial in the link above, and for people using the nextcloud:stable container together with the recommended cron container:

• the redis configuration (host, port, password, ...) need to be set in config/config.php, as well as config/redis.config.php
• the cron container needs to receive the same /etc/localtime and /etc/timezone volumes the app container did, as well as the volumes_from: tmp