forked from DGNum/liminix
thunk
parent 6bc45c2b55
commit fc620df322
1 changed file with 69 additions and 0 deletions
THOUGHTS.txt | 69
@ -1810,3 +1810,72 @@ The service can depend on odhcp
add inotify to packages
use writeFennelScript with that dep
see if it works

Wed May 31 23:33:00 BST 2023

We have a thing that sets ipv6 address on lan interface, yay us

A firewall would be a very good idea

Thu Jun 1 18:46:59 BST 2023

TODO for now:

- services.default is suboptimal as there is no way to add to it
without wiping it

- decide whether to use liminix- or min- as our prefix for nixy
commands

- should we move config.outputs -> config.system.outputs ? see Mar 28

- less crap firewall

- create an l2tp configuration

- iperf and tuning

- wlan country code

Thu Jun 1 21:26:37 BST 2023

how can a client machine "opt out" of using the firewall, to allow
incoming connections? Most convenient would be to have a separate SSID
for grownups. Assuming it shows up as a separate wlan device, we can
write firewall rules to allow incoming connections on that interface
(can we? only if the packet is identifiable as destined for that interface)

https://www.rfc-editor.org/rfc/rfc6092.html
https://emailstuff.org/rfc/rfc7084

We could block incoming for slaac and dhcp addresses and permit it for
stable private addresses. If we were fairly sure that devices won't
ask for stable private addresses just for funsies.

https://wiki.archlinux.org/title/IPv6_#Stable_private_addresses



Fri Jun 2 14:42:43 BST 2023

I found a handy guide to nftables at https://ww.telent.net/2023/6/2/turning_the_nftables

Mon Jun 5 16:56:44 BST 2023


How are we going to do this firewall thing then?
I can see no reason to have more than one table per family, so lets
just name the tables after families

There is nothing in nftables for functionally grouping rules by
requirement that may touch multiple hooks/chains, so we need our own
abstraction - and we can't call it any name that nftables uses already
(so, not "ruleset"). rulegroup?

"policy" would be a good name except that it's already taken

"concern"? "requirement"? "feature"?

Mon Jun 19 20:45:48 BST 2023

why is chrony using libedit?
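Review bot: The open question in the Thu Jun 1 21:26 entry ("can we? only if the packet is identifiable as destined for that interface") can be answered in the notes: traffic from the WAN to a LAN client is routed, so it traverses the nftables forward hook rather than input, and in forward the outgoing interface is already known after the routing decision, so a forward-chain rule matching `oifname` on the grown-ups' wlan device (name hypothetical, whatever hostapd gives that SSID) selects exactly that SSID's inbound traffic; the input hook only sees packets addressed to the router itself. Two smaller points in the same hunk: the URL in the Fri Jun 2 entry reads `https://ww.telent.net/...`, which looks like a typo for `www.`, and the "permit incoming for stable private addresses" idea in the RFC 7084 paragraph would, as written, expose every client that uses stable addresses by default rather than only those that opt in, which the "just for funsies" caveat hints at but does not spell out.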