home.social

#relayd — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #relayd, aggregated by home.social.

  1. Running #OpenBSD 7.8 ​:openbsd:​

    DNS:
    #nsd (3 Master Zones), #DNSSEC & #DANE (RFC6698) + #unbound
    Firewall:
    #pf with auto-fed tables (IPS-style), spambot-tarpitting & service rate limits.
    Mail:
    #smtpd (Multi-domain, RFC8461/MTA-STS) + #rspamd (DKIM) + #dovecot (IMAPS-only).
    Spam-Defense:
    #spamd with auto-SPF-walk (no more greylisting issues).
    Web:
    #relayd (TLS-Terminator, HSTS, CSP) + #httpd (NIP-05, Autoconfig, security.txt).
    Performance: Lightweight "Fail2Ban" via 1-liner shell script (No Python crap!).

    #Nostr Relay in Rust building...

    #SelfHosted #SysAdmin #Security #Privacy

  2. Running #OpenBSD 7.8 ​:openbsd:​

    DNS:
    #nsd (3 Master Zones), #DNSSEC & #DANE (RFC6698) + #unbound
    Firewall:
    #pf with auto-fed tables (IPS-style), spambot-tarpitting & service rate limits.
    Mail:
    #smtpd (Multi-domain, RFC8461/MTA-STS) + #rspamd (DKIM) + #dovecot (IMAPS-only).
    Spam-Defense:
    #spamd with auto-SPF-walk (no more greylisting issues).
    Web:
    #relayd (TLS-Terminator, HSTS, CSP) + #httpd (NIP-05, Autoconfig, security.txt).
    Performance: Lightweight "Fail2Ban" via 1-liner shell script (No Python crap!).

    #Nostr Relay in Rust building...

    #SelfHosted #SysAdmin #Security #Privacy

  3. Running #OpenBSD 7.8 ​:openbsd:​

    DNS:
    #nsd (3 Master Zones), #DNSSEC & #DANE (RFC6698) + #unbound
    Firewall:
    #pf with auto-fed tables (IPS-style), spambot-tarpitting & service rate limits.
    Mail:
    #smtpd (Multi-domain, RFC8461/MTA-STS) + #rspamd (DKIM) + #dovecot (IMAPS-only).
    Spam-Defense:
    #spamd with auto-SPF-walk (no more greylisting issues).
    Web:
    #relayd (TLS-Terminator, HSTS, CSP) + #httpd (NIP-05, Autoconfig, security.txt).
    Performance: Lightweight "Fail2Ban" via 1-liner shell script (No Python crap!).

    #Nostr Relay in Rust building...

    #SelfHosted #SysAdmin #Security #Privacy

  4. Running #OpenBSD 7.8 ​:openbsd:​

    DNS:
    #nsd (3 Master Zones), #DNSSEC & #DANE (RFC6698) + #unbound
    Firewall:
    #pf with auto-fed tables (IPS-style), spambot-tarpitting & service rate limits.
    Mail:
    #smtpd (Multi-domain, RFC8461/MTA-STS) + #rspamd (DKIM) + #dovecot (IMAPS-only).
    Spam-Defense:
    #spamd with auto-SPF-walk (no more greylisting issues).
    Web:
    #relayd (TLS-Terminator, HSTS, CSP) + #httpd (NIP-05, Autoconfig, security.txt).
    Performance: Lightweight "Fail2Ban" via 1-liner shell script (No Python crap!).

    #Nostr Relay in Rust building...

    #SelfHosted #SysAdmin #Security #Privacy

  5. Running #OpenBSD 7.8 ​:openbsd:​

    DNS:
    #nsd (3 Master Zones), #DNSSEC & #DANE (RFC6698) + #unbound
    Firewall:
    #pf with auto-fed tables (IPS-style), spambot-tarpitting & service rate limits.
    Mail:
    #smtpd (Multi-domain, RFC8461/MTA-STS) + #rspamd (DKIM) + #dovecot (IMAPS-only).
    Spam-Defense:
    #spamd with auto-SPF-walk (no more greylisting issues).
    Web:
    #relayd (TLS-Terminator, HSTS, CSP) + #httpd (NIP-05, Autoconfig, security.txt).
    Performance: Lightweight "Fail2Ban" via 1-liner shell script (No Python crap!).

    #Nostr Relay in Rust building...

    #SelfHosted #SysAdmin #Security #Privacy

  6. Gestern abend noch happy, weil #OpenBSD mit #relayd bei uns an den Start ging... Heute sporadisch Ohnmachtsanfälle wegen #stromausfall im Süden Berlins. Unser RZ ist betroffen. Notstrom Aggregat wegen Defekt außer Betrieb. Hatte ich erwähnt das wir unter anderem Winterdienst in ganz Berlin mittels unserer Systeme managen? Glaube mein Wochenende ist im Eimer :D .

    Aber alles halb so wild.... ist nur business. Viel wichtiger: Passt alle auf euch und eure Nächsten auf!

  7. This afternoon, I got close to what I wanted to achieve in terms of load-balancing between the two #AI #sabots I have running.

    I had originally planned to use #OpenBSD's #OpenHTTPD or #RelayD to do the job, but #HAProxy #PROXY protocol was the limiting factor… so I went #nginx instead.

    One thing I haven't worked out yet, is how to pass the client IP by PROXY protocol to a HTTP back-end. Seems I can do it for a generic TCP stream, but not HTTP.

    The alternative is to set X-Forwarded-For, and have the back-ends trust it, like they trust PROXY for the gateway's IPv4 address for #sniproxy.

    But… it works, you can hit sabot.vk4msl.com/ and you'll either get sabot01 (which uses nepenthes) or sabot02 (which uses iocaine). Since neither cares about the URI, I can bounce the client between them.

    This did get me thinking though, if enough of us did it, we could have a #AISabotAsAService for websites to redirect/link to when they think they're being scraped by an AI bot.

    We could provide a pool of servers that would provide the link maze. Front-end proxies would just bounce you between all the pool members, feeding your bot nonsense.

  8. This afternoon, I got close to what I wanted to achieve in terms of load-balancing between the two #AI #sabots I have running.

    I had originally planned to use #OpenBSD's #OpenHTTPD or #RelayD to do the job, but #HAProxy #PROXY protocol was the limiting factor… so I went #nginx instead.

    One thing I haven't worked out yet, is how to pass the client IP by PROXY protocol to a HTTP back-end. Seems I can do it for a generic TCP stream, but not HTTP.

    The alternative is to set X-Forwarded-For, and have the back-ends trust it, like they trust PROXY for the gateway's IPv4 address for #sniproxy.

    But… it works, you can hit sabot.vk4msl.com/ and you'll either get sabot01 (which uses nepenthes) or sabot02 (which uses iocaine). Since neither cares about the URI, I can bounce the client between them.

    This did get me thinking though, if enough of us did it, we could have a #AISabotAsAService for websites to redirect/link to when they think they're being scraped by an AI bot.

    We could provide a pool of servers that would provide the link maze. Front-end proxies would just bounce you between all the pool members, feeding your bot nonsense.

  9. This afternoon, I got close to what I wanted to achieve in terms of load-balancing between the two #AI #sabots I have running.

    I had originally planned to use #OpenBSD's #OpenHTTPD or #RelayD to do the job, but #HAProxy #PROXY protocol was the limiting factor… so I went #nginx instead.

    One thing I haven't worked out yet, is how to pass the client IP by PROXY protocol to a HTTP back-end. Seems I can do it for a generic TCP stream, but not HTTP.

    The alternative is to set X-Forwarded-For, and have the back-ends trust it, like they trust PROXY for the gateway's IPv4 address for #sniproxy.

    But… it works, you can hit sabot.vk4msl.com/ and you'll either get sabot01 (which uses nepenthes) or sabot02 (which uses iocaine). Since neither cares about the URI, I can bounce the client between them.

    This did get me thinking though, if enough of us did it, we could have a #AISabotAsAService for websites to redirect/link to when they think they're being scraped by an AI bot.

    We could provide a pool of servers that would provide the link maze. Front-end proxies would just bounce you between all the pool members, feeding your bot nonsense.

  10. This afternoon, I got close to what I wanted to achieve in terms of load-balancing between the two #AI #sabots I have running.

    I had originally planned to use #OpenBSD's #OpenHTTPD or #RelayD to do the job, but #HAProxy #PROXY protocol was the limiting factor… so I went #nginx instead.

    One thing I haven't worked out yet, is how to pass the client IP by PROXY protocol to a HTTP back-end. Seems I can do it for a generic TCP stream, but not HTTP.

    The alternative is to set X-Forwarded-For, and have the back-ends trust it, like they trust PROXY for the gateway's IPv4 address for #sniproxy.

    But… it works, you can hit sabot.vk4msl.com/ and you'll either get sabot01 (which uses nepenthes) or sabot02 (which uses iocaine). Since neither cares about the URI, I can bounce the client between them.

    This did get me thinking though, if enough of us did it, we could have a #AISabotAsAService for websites to redirect/link to when they think they're being scraped by an AI bot.

    We could provide a pool of servers that would provide the link maze. Front-end proxies would just bounce you between all the pool members, feeding your bot nonsense.

  11. This afternoon, I got close to what I wanted to achieve in terms of load-balancing between the two #AI #sabots I have running.

    I had originally planned to use #OpenBSD's #OpenHTTPD or #RelayD to do the job, but #HAProxy #PROXY protocol was the limiting factor… so I went #nginx instead.

    One thing I haven't worked out yet, is how to pass the client IP by PROXY protocol to a HTTP back-end. Seems I can do it for a generic TCP stream, but not HTTP.

    The alternative is to set X-Forwarded-For, and have the back-ends trust it, like they trust PROXY for the gateway's IPv4 address for #sniproxy.

    But… it works, you can hit sabot.vk4msl.com/ and you'll either get sabot01 (which uses nepenthes) or sabot02 (which uses iocaine). Since neither cares about the URI, I can bounce the client between them.

    This did get me thinking though, if enough of us did it, we could have a #AISabotAsAService for websites to redirect/link to when they think they're being scraped by an AI bot.

    We could provide a pool of servers that would provide the link maze. Front-end proxies would just bounce you between all the pool members, feeding your bot nonsense.

  12. @haircode Nothing in networking is straightforward. While not having tried this using the #relayd , it is likely to be a standard firewalling destination NAT (see DNAT) capability, suitable for running a server inside a firewall protected LAN. . So I've configured firewalls to do this many times, including using IPTABLE rules on Linux.

    Some useful notes linked, but note that in this example:

    ==========================
    Packets destined for IP 10.1.1.7 will be forwaded to 192.168.1.2 UDP,TCP

    Does NOT work with ping (ICMP) correctly, does not handle ICMP protocol WLAN IP reply on a ping without

    iptables -t nat -A PREROUTING -p tcp -i wlan0 -d 10.1.1.7 -j DNAT --to-destination 192.168.1.2
    iptables -t nat -A PREROUTING -p udp -i wlan0 -d 10.1.1.7 -j DNAT --to-destination 192.168.1.2

    ==========================
    traffic on all ports are forwarded, while it's more likely you will want to forward traffic on specific ports for the Minecraft server port requirements, as that is more secure.

    gist.github.com/tomasinouk/eec

  13. Surely port-forwarding UDP and TCP packets to a #Minecraft (Debian) server using #relayd on #OpenBSD should be straightforward?

    Spent quite a bit of time on this yesterday and didn't manage it. I'm a relative newb when it comes to networking, #pf, etc but even #AI couldn't get me through it.

    Has anyone done this? Grateful for any tips.

  14. #relayd configuration error spotted and corrected.
    #searxng service restored.

    Too much self-confidence here! Sorry!

  15. Today, the new block is based on a (sh!tty) HTTP Referer. The instance should gain access to search engines back anytime soon. Hopefully…

    <positive attitude>This helps improving filters skills on #OpenBSD #relayd…</positive attitude>

  16. Dear #NoGooMe users,

    I’ve just added a blocklist towards Bots at the #relayd level. If that ever blocks your legit traffic, please reach me ;-)

  17. Version 7.4.2024.01.15-p1 of #FreeBSD #relayd has just been released and is available in the FreeBSD Ports tree:

    cgit.freebsd.org/ports/commit/

    One of the interesting changes is fix for a crash that can be triggered by a config reload. The commit message contains a nice write-up:

    github.com/KlaraSystems/freebs

    We are working on getting the fix upstreamed to #OpenBSD. Here's the bug report if you want to take a look:

    marc.info/?l=openbsd-bugs&m=17

    #opensource #osdev #CFT #foss