Monkey With A Shell

Like that it is largely offline other than to search the food DB sources, no account to have to sign into and feed your data to someone.

Dislikes, some graphical glitches on my phone like buttons going off the edge and unable to scroll down. Also, no murica measurements for those of us accustomed to measuring against arbitrary, non-scientific standards.

Was the prior drive set in some kind of raid set or just individuals, and what are the old drive capacity vs new?

I guess it depends a lot on what your doing with the server. If it’s pure data store I would just boot off a USB and give yourself all the data space since it’s quite likely all running in ram anyhow.

If you run apps out of it and need the M2 for swap and rapid cache storage the fastest would likely be make a 2 drive zpool, copy a single to it, and repeat as needed until you have it all copied over, then add the 3rd to the zpool

What you might call a stateful NAT is really a 1-1 NAT, anything going out picks up an IP and anything retuned to that IP is routed back to the single address behind the NAT. Most home users a many to one source nat so their internal devices pick up a routable IP and multiple connections to a given dest are tracked by a source port map to route return traffic to the appropriate internal host.

Basically yes to what you said, but a port forward technically is a route map inbound to a mapped IP. You could have an ACL or firewall rule to control access to the NAT but in itself the forward isn’t a true firewall allow.

Same basic result but if you trace a packet into a router without a port forward it’ll be dropped before egress rather than being truly blocked. I think where some of the contention lies is that routing between private nets you have something like:

0.0.0.0/0 > 192.168.1.1 10.0.0.0/8 > 192.168.2.1

The more specific route would send everything for 10.x to the .2 route and it would be relayed as the routing tables dictate from that device. So a NAT in that case isn’t a filter.

From a routable address to non-route 1918 address as most would have from outside in though you can’t make that jump without a map (forward) into the local subnet.

So maybe more appropriate to say a NAT ‘can’ act as a firewall, but only by virtue of losing the route rather than blocking it.

NAT in the sense used when people talk about at home is a source nat, or as we like to call it in the office space a hide address, everyone going to the adjacent net appears to be the same source IP and the system maintains a table of connections to correlate return traffic to.

The other direction though, if you where on that upstream net and tried to target traffic towards the SNAT address above the router has no idea where to send it to unless there’s a map to designate where incoming connections need to be sent on the other side of the NAT so it ends up being dropped. I suppose in theory it could try and send it to everyone in the local side net, but if you get multiple responses everything is going to get hosed up.

So from the perspective of session state initiation it can act as a firewall since without route maps it only will work from one side.

Assuming it’s not a 1-1 NAT it does make for a functional unidirectional firewall. Now, a pure router in the sense of simply offering a gateway to another subnet doesn’t do much, but the typical home router as most people think of it is creating a snat for multiple devices to reach out to the internet and without port forwarding effectively blocks off traffic from the outside in.

Indeed they do use 11x but it’s still a possibility to cause issues. It’s entirely possible to manage a fleet of IPs across a net but it takes a solid plan organization plan. My company is big on the acquiring companies game where IP overlaps are a perpetual challenge when merging sites in and you need a mess of snat/dnat conversions to keep routing from getting in a knot.

While handy on a personal net, on a larger corporate net this isn’t practical and even adds a security risk. By having servers request leases you run the chance that someone gets into a segment, funds the ARP association for an IP/MAC combo and can take over a server’s spot simply by spoofing their own MAC to match at the time of lease renewal.

In the post above about setting a static address in two spots that in itself isn’t required either. So long as there are no duplicates you would just set the static address on the end device, then the network will sort it out with ARP ‘who has’ requests in local segments, or routing in the case of distinct subnets.

Edit: the duplicate I suppose could be referring to putting names into a DNS registry, in which case yes you would need that double entry, or just reference things by IP if the environment is small enough for it to be practical.

I’ve used plenty of them with no problems for years. Just so long as you have redundancy in place like a good RAID setup there’s little risk of losing anything.

Did you happen to unplug the external drive when it was moved? Could wonder if the device ID got changed and the server can’t find the old location for the library any longer.

Generally yes, but it can be useful as a learning thing. A lot of my homelab use is for purposes of practicing with different techs in a setting where if it melts down it’s just your stuff. At work they tend to take offense of you break prod.

I’ve used MinIO as the object store on both Lemmy and Mastodon, and in retrospect I wonder why. Unless you have clustered servers and a lot of data to move it’s really just adding complexity for the sake of complexity. I find that the bigger gains come from things like creating bonded network channels and sorting out a good balance in the disk layout to keep your I/O in check.

ShredOS, lovely little USB boot system that you can use to wipe a drive like that. I would usually go with a 3 pass cleaning. Another option can be to use something like veracrypt to do an in place whole disk encryption that’ll make anything on it unreadable.

In my org a lot of it can come down to having someone to demand fixes from. If something becomes a critical component of the workflows there has to be someone with an enforceable SLA held over them to get things fixed when needed.

About 700 watts, it makes for a decent space heater in the winter.

Like others said, self signed or internal only domains work. Really though for the minimal cost of generally less than $20/year you can make it a lot easier by just buying a domain.

From a pure security stance it could be argued that a personally owned CA is more secure than any public one since it’s possible for others to create a trusted cert with a public entity. Cloudflare ends up doing that for any domains you register with them, but that’s really only an issue for things facing the web and using self signed certs will typically cause problems for any pre-compiled client apps you might use.

My two main boxes are split to be storage vs compute. The NAS box has a minimal CPU and a pile of 3.5 drives for the low cost storage and they hypervisor has all the CPU and fairly small storage.

Basically the goal in my setup is all the working data is in one place and the handling in another with various snapshots and RAID mixed in to avoid the risk of “oh shit did I just…?” situations.

So anything that could be called bulk data gets offloaded to the NAS directly via mounts and any cache/working data is held locally. If your lab space grows to a notable level over time eventually you need to consider disk I/O as part of the design and having the bulk data on another box let’s you effectively trade some network load in for disk load.

I tend to keep things simple so if I can it’s easier to not set up the separate auth middleware when there’s already an AD comparable system in place.

Another option I’ve used before is called Neth Server, but that’s more one of those SOHO all-in-one systems rather than a dedicated mail box.

https://community.nethserver.org/

Just beat me to it…

The one thing that they don’t have yet last I updated, though they’ve been working on it for a while, is a prod ready LDAP/SSO connection. I had the dev branch working with Keycloak, but never got plain LDAP to function.

They’re a part of the mix. Firewalls, Proxies, WAF (often built into a proxy), IPS, AV, and whatever intelligence systems one may like work together to do their tasks. Visibility of traffic is important as well as the management burden being low enough. I used to have to manually log into several boxes on a regular basis to update software, certs, and configs, now a majority of that is automated and I just get an email to schedule a restart if needed.

A reverse proxy can be a lot more than just host based routing though. Take something like a Bluecoat or F5 and look at the options on it. Now you might say it’s not a proxy then because it does X/Y/Z but at the heart of things creating that bridged intercept for the traffic is still the core functionality.

It depends on what your level of confidence and paranoia is. Things on the Internet get scanned constantly, I actually get routine reports from one of them that I noticed in the logs and hit them up via an associated website. Just take it as an expected that someone out there is going to try and see if admin/password gets into some login screen if it’s facing the web.

For the most part, so long as you keep things updated and use reputable and maintained software for your system the larger risk is going to come from someone clicking a link in the wrong email than from someone haxxoring in from the public internet.