Re: [DNG] my experience upgrading to NFT
Thomas Groman via Dng wrote:
> I upgraded one of my larger and more complex servers from ASCII to
> Beowulf. Switching to NFT was very easy after the upgrade. Just create
> the rules, (have flush have the beginning), remove the iptables
> if-pre-up hook if you made one, copy the example init script from
> /usr/share/doc/nftables/example, set it executable, and rc-update add
> nftables default. then openrc to bring the system to the new defined
> default runlevel

I upgraded to beowulf without reading the changes and was mystified that my self-written firewall scripts as well as others such as ufw and arno firewall stopped working.

What was necessary to fix them was to create a link /etc/alternatives/iptables to /usr/sbin/iptables-legacy.

Have fun (and working firewalls)

-- 
Joel Roth

___
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
Re: [DNG] my experience upgrading to NFT
On Fri, 2020-07-31 at 18:44 -0700, Thomas Groman via Dng wrote:
> I upgraded one of my larger and more complex servers from ASCII to
> Beowulf. Switching to NFT was very easy after the upgrade. Just
> create the rules, (have flush have the beginning), remove the
> iptables if-pre-up hook if you made one, copy the example init script
> from /usr/share/doc/nftables/example, set it executable, and
> rc-update add nftables default. then openrc to bring the system to the
> new defined default runlevel

While it clearly worked for you with openrc it is broken on sysvinit as the example /usr/share/doc/nftables/examples/sysvinit/nftables.init has this:

    # Default-Start:
    # Default-Stop:      0 1 2 3 4 5 6

in the LSB header, not the required:

    # Default-Start:     S
    # Default-Stop:      0 1 6

On 2020-08-02 17:00, Hendrik Boom wrote:
> What is NFT?

It stands for Net Filter Tables. It handles more than iptables (also ip6tables, arptables and ebtables) and it's been developed by the Net Filter team, hence the name. The binary is also nft.

It is obviously coming in very slowly (it's been around for at least 5 years). And users are still translating it back to iptables syntax using iptables-legacy.

Beowulf still installs with iptables. Buster uses nftables.

Firewalld can use nftables as a backend. UFW can't.

-- 
Marjorie
Re: [DNG] my experience upgrading to NFT
On 8/3/20 10:53 AM, Marjorie Roome via Dng wrote:
> On Fri, 2020-07-31 at 18:44 -0700, Thomas Groman via Dng wrote:
>> I upgraded one of my larger and more complex servers from ASCII to
>> Beowulf. Switching to NFT was very easy after the upgrade. Just
>> create the rules, (have flush have the beginning), remove the
>> iptables if-pre-up hook if you made one, copy the example init script
>> from /usr/share/doc/nftables/example, set it executable, and
>> rc-update add nftables default. then openrc to bring the system to the
>> new defined default runlevel
>>
> While it clearly worked for you with openrc it is broken on sysvinit as
> the example /usr/share/doc/nftables/examples/sysvinit/nftables.init has
> this:
>
>     # Default-Start:
>     # Default-Stop:      0 1 2 3 4 5 6
>
> in the LSB header, not the required:
>
>     # Default-Start:     S
>     # Default-Stop:      0 1 6
>
> On 2020-08-02 17:00, Hendrik Boom wrote:
>> What is NFT?
>>
> It stands for Net Filter Tables. It handles more than iptables (also
> ip6tables, arptables and ebtables) and it's been developed by the Net
> Filter team, hence the name. The binary is also nft.
>
> It is obviously coming in very slowly (it's been around for at least 5
> years). And users are still translating it back to iptables syntax
> using iptables-legacy.
>
> Beowulf still installs with iptables. Buster uses nftables.
>
> Firewalld can use nftables as a backend. UFW can't.
>
> -- 
> Marjorie

Hi,

did you try update-alternatives to set iptables to iptables-legacy behaviour? Arno-iptables-firewall and xtables-addons-dkms from testing work for me that way.

Ciao,
Tito
Re: [DNG] my experience upgrading to NFT
On 2020-08-02 22:35, Hendrik Boom wrote:
> Does iptables still work on beowulf?

As long as you use update-alternatives to choose /usr/sbin/iptables-legacy. Please see the other subthreads - I am new to this topic myself, in fact I have not realized until today that I was running nftables for months on buster :-P

> And am I right in assuming that "nftables" does *not* stand for
> New-Fangled Tables? :-)

netfilter tables, AFAIK

-- 
Ian
Re: [DNG] my experience upgrading to NFT
On Mon, 2020-08-03 at 13:26 +0200, Tito via Dng wrote:
> did you try update-alternatives to set iptables to iptables-legacy
> behaviour. Arno-iptables-firewall and xtables-addons-dkms from
> testing work for me that way.

The first machine I updated to Beowulf from Ascii was a clean install (but with a /home partition taken from Ascii) and it came with the iptables translation layer installed, so iptables worked 'out of the box'.

If you check there are symlinks that do this:

    /usr/sbin/iptables -> /etc/alternatives/iptables
    /etc/alternatives/iptables -> /usr/sbin/iptables-nft
    /usr/sbin/iptables-nft -> /usr/sbin/xtables-nft-multi

See the XTABLES-NFT(8) manpage:
https://manpages.debian.org/testing/iptables/xtables-nft.8.en.html

You can check if you are using nft behind iptables by typing:

    $ sudo iptables -V
    iptables v1.8.2 (nf_tables)

In Beowulf (with a clean install) you are.

The second machine I built as a mail+ntp+dns server and was also a clean install, however with this one I jumped in and installed the nftables .deb (with the described hack to the /etc/init.d/nftables), enabled and started it having configured it in /etc/nftables.conf. The iptables translation symlinks are still there but iptables wasn't configured or used.

Configuring nftables is pretty uncomplicated if your firewall is. Mine looks like this:

/etc/nftables.conf

    #!/usr/sbin/nft -f

    flush ruleset

    table inet filter {
        chain input {
            type filter hook input priority 0; policy drop;

            iifname lo accept
            ct state established,related accept

            tcp dport ssh ct state new accept
            tcp dport http ct state new accept
            tcp dport https ct state new accept
            tcp dport imap2 ct state new accept
            tcp dport imaps ct state new accept
            tcp dport pop3 ct state new accept
            tcp dport pop3s ct state new accept
            tcp dport submission ct state new accept
            tcp dport smtp ct state new accept
            udp dport ntp ct state new accept
            tcp dport 53 ct state new accept
            udp dport 53 ct state new accept

            # ICMP: errors, pings
            ip protocol icmp icmp type { echo-request, echo-reply, destination-unreachable, time-exceeded, parameter-problem, router-solicitation, router-advertisement } accept

            # ICMPv6: errors, pings, routing
            ip6 nexthdr icmpv6 counter accept comment "accept all ICMP types"

            # Reject other packets
            ip protocol tcp reject with tcp reset
        }
    }

    include "/etc/nftables/fail2ban.conf"

-- 
Marjorie
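Two things in this subthread are easy to get wrong silently: the LSB header of the shipped sysvinit example (empty Default-Start, so the service is never started, as Marjorie describes), and which backend is actually behind the iptables binary. The script below is an added example, not code from the thread or from the nftables package. It checks both from plain POSIX sh, and only touches the real /etc/init.d/nftables, /etc/nftables.conf and iptables when they are present; the sample init headers it writes are constructed for the demonstration, and the "(nf_tables)" / "(legacy)" banner suffixes are the ones iptables 1.8 prints.

```shell
#!/bin/sh
# Added example: sanity checks for the nftables/iptables pitfalls discussed
# in the thread. Pure POSIX sh so it can be exercised offline.

# Classify an `iptables -V` banner. The banner is passed as $1 so the
# function can be tested without root or iptables installed.
# Prints "nf_tables", "legacy" or "unknown".
iptables_backend() {
    case "$1" in
        *"(nf_tables)"*) echo nf_tables ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Check the LSB header of a sysvinit script. Default-Start must name at
# least one runlevel and no runlevel may be listed in both Default-Start and
# Default-Stop. The shipped nftables example has an empty Default-Start and
# stops in 0-6, which is why it never starts under sysvinit.
# Prints "ok" or a description of the problem; returns 1 on a problem.
check_lsb_header() {
    script="$1"
    start=$(sed -n 's/^# Default-Start:[[:space:]]*//p' "$script" | head -n1)
    stop=$(sed -n 's/^# Default-Stop:[[:space:]]*//p' "$script" | head -n1)
    if [ -z "$start" ]; then
        echo "Default-Start is empty: service would never be started"
        return 1
    fi
    for lvl in $start; do
        case " $stop " in
            *" $lvl "*)
                echo "runlevel $lvl appears in both Default-Start and Default-Stop"
                return 1 ;;
        esac
    done
    echo ok
    return 0
}

# Syntax-check a ruleset without loading it (nft --check). Skipped when nft
# is not installed, so the rest of the script still runs on other hosts.
validate_ruleset() {
    if command -v nft >/dev/null 2>&1; then
        nft -c -f "$1"
    else
        echo "nft not installed, skipping syntax check of $1" >&2
        return 0
    fi
}

# Constructed sample headers (not the real package file) mirroring the two
# variants quoted in the thread; written to a temporary directory whose
# path is printed.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/broken.init" <<'EOF'
#!/bin/sh
### BEGIN INIT INFO
# Provides:          nftables
# Default-Start:
# Default-Stop:      0 1 2 3 4 5 6
### END INIT INFO
EOF
    cat > "$dir/fixed.init" <<'EOF'
#!/bin/sh
### BEGIN INIT INFO
# Provides:          nftables
# Default-Start:     S
# Default-Stop:      0 1 6
### END INIT INFO
EOF
    echo "$dir"
}

main() {
    if command -v iptables >/dev/null 2>&1; then
        echo "iptables backend: $(iptables_backend "$(iptables -V 2>/dev/null)")"
    fi
    if [ -r /etc/init.d/nftables ]; then
        echo "/etc/init.d/nftables: $(check_lsb_header /etc/init.d/nftables)"
    fi
    if [ -r /etc/nftables.conf ]; then
        validate_ruleset /etc/nftables.conf
    fi
    return 0
}

main
```

Run it as root on the upgraded box after copying the example init script; a "Default-Start is empty" line means the header still needs the S / 0 1 6 edit from the thread, and a "legacy" backend means the update-alternatives switch Joel and Tito mention is in effect.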
[DNG] Zoom?
I've been relying on zoom on a laptop running debian. But there's a problem with it and I want to install zoom on beowulf 3.

But there's no zoom in the beowulf repository. Do I have to download debian's zoom .deb?

-- 
Haines Brown
Re: [DNG] Zoom?
Yes, use the debian deb. I have it running on devuan.

or

try the web client

https://support.zoom.us/hc/en-us/articles/214629443-Zoom-web-client

Ozi

On Tue, Aug 4, 2020 at 9:58 AM Haines Brown wrote:
> I've been relying on zoom on a laptop running debian. But there's a
> problem with it and I want to install zoom on beowulf 3.
>
> But there's no zoom in the beowulf repository. Do I have to download
> debian's zoom .deb?
>
>
> -- 
> Haines Brown
Re: [DNG] Zoom?
Hi.

Haines Brown - 04.08.20, 01:58:26 CEST:
> I've been relying on zoom on a laptop running debian. But there's a
> problem with it and I want to install zoom on beowulf 3.
>
> But there's no zoom in the beowulf repository. Do I have to download
> debian's zoom .deb?

I used flatpak to install Zoom. Still on Debian for this one laptop, but on Debian with runit as PID 1, and with elogind, so I bet this will work on Devuan as well.

Advantage 1: you can use flatpak permission to restrict what the application can do cause it runs in a kind of container. There is a github issue on flatpak, as the default permissions are that it can access all of $HOME¹. But that is completely unnecessary as pointed out in the bug report.

I used Flatseal, another app I installed with Flatpak, to restrict its permission to "Other files" to:

    xdg-documents/Zoom

(that is where it puts whiteboards and so on)

You need to switch off access to home directory in Flatseal for this to have any effect.

I also told it to make .zoom .config persistent. This is so I do not have to configure it again every time. However, as I found it stores some ID in an SQLite3 database that may be used for tracking, I delete that database from time to time.

If you contain Zoom in that way, those configuration files are in

    ~/.var/app/us.zoom.Zoom

Nothing is stored directly in your home directory anymore, all is in that directory above.

That code that apparently is used for tracking is in zoomus.db:

    % ~/.var/app/us.zoom.Zoom/.zoom/data> sqlite3 zoomus.db
    sqlite> .dump
    INSERT INTO zoom_kv VALUES('tracking.code.join.meeting','{-- --}','ZoomChat');

I am not sure whether that is used for any purposes that goes against the user though, but nonetheless occasionally I delete the file or just drop the tracking code in sqlite with something like this

    sqlite> DELETE FROM zoom_kv WHERE 'tracking.code.join.meeting' NOT NULL;

I contacted Zoom privacy support, but they did not reveal anything on the purpose of that tracking code.

So far Zoom privacy support has not been helpful, they claimed I do not have an account with them. Which is right, however, as I still use it (with others who have accounts), I am still eligible for GDPR requests like asking whether they do any tracking or so.

I am pondering to just remove the persistency as I do not use Zoom all that often and can set it up again quickly each time.

Advantage 2: Easy updates. As far as I am aware Zoom does not provide any Debian repository, so you'd have to check for updates for yourself. With flatpak you can just use "flatpak update".

Advantage 3: Installing Flatpak packages works with user rights. They elevate privileges in the background during installation if you choose to install the Flatpak systemwide (which seems to be the default). However it may be that they do not let any maintainer scripts run with root rights. I am not completely sure of that.

Disadvantage would be that some of the dependencies of Zoom are either installed with a runtime Flatpak or directly with the Flatpak, like in the case of Zoom, Qt, instead of Devuan/Debian packages. For security you need to rely on the maintainers of the Flatpak. And there are people with critique about Flatpak security². I usually receive a Zoom update a month at least though. This could also be an advantage in case you like to avoid pulling in additional dependencies in your main system.

The other option indeed is to use the Debian package you referred to. I used that as well until I found out about the Flatpak stuff. And of course you could say that this, again, is stuff from Red Hat. I don't mind as I do not judge the software solely from where it comes from.

While Zoom has far too many permissions by default in Flatpak, if you install it as deb it can do everything it can do with user privileges unless there would be some AppArmor profile or so which I doubt would be in the official Debian package from Zoom. So every restriction you place upon it by using Flatseal for example is something you do not even have when installing it as a deb.

Another disadvantage is that you need to have some initial configuration for the user for the additional comfort to be able to use the 'flatpak' command directly. I forgot what it was and I do not find it right now, but it is explained the first time you run the command.

[1] https://github.com/flathub/us.zoom.Zoom/issues/18
[2] https://flatkill.org/

Best,
-- 
Martin
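Martin's restrictions were set through Flatseal, which writes a user override file; whether the restriction actually took effect is worth verifying from the command line rather than trusting the GUI. The script below is an added example, not Martin's code or anything from the Zoom or Flatpak projects. It assumes the standard locations for a system-wide install (/var/lib/flatpak/app/<id>/current/active/metadata) and a user override (~/.local/share/flatpak/overrides/<id>), and the keyfile layout in which a `[Context]` group carries `filesystems=` and `persistent=` lists separated by `;` with `!home` meaning access removed. The two sample files it writes are constructed to mirror the thread (shipped access to home, override limiting it to xdg-documents/Zoom and persisting .zoom and .config); they are not the real Flathub files.

```shell
#!/bin/sh
# Added example: inspect a Flatpak app's effective home-directory access
# from its metadata plus the user's override file, without Flatseal.

APP=us.zoom.Zoom
SYSTEM_META="/var/lib/flatpak/app/$APP/current/active/metadata"
USER_OVERRIDE="$HOME/.local/share/flatpak/overrides/$APP"

# Print, one per line, the entries of list key $2 (e.g. filesystems,
# persistent) inside the [Context] group of keyfile $1.
context_list() {
    awk -v key="$2" -F= '
        /^\[/ { in_ctx = ($0 == "[Context]") }
        in_ctx && $1 == key {
            val = $0; sub(/^[^=]*=/, "", val)
            n = split(val, items, ";")
            for (i = 1; i <= n; i++) if (items[i] != "") print items[i]
        }' "$1"
}

# Decide whether the app can read the whole home directory once overrides
# are applied. "home" or "host" (with or without :ro/:rw) grants it; an
# override entry "!home" or "!host" takes it away again. A later entry wins.
# Arguments: metadata file, override file (may be absent).
# Prints "granted" or "restricted".
home_access() {
    meta="$1"; override="$2"
    granted=no
    for item in $(context_list "$meta" filesystems); do
        case "$item" in
            home|host|home:*|host:*) granted=yes ;;
        esac
    done
    if [ -r "$override" ]; then
        for item in $(context_list "$override" filesystems); do
            case "$item" in
                '!home'|'!host')         granted=no ;;
                home|host|home:*|host:*) granted=yes ;;
            esac
        done
    fi
    if [ "$granted" = yes ]; then echo granted; else echo restricted; fi
}

# Constructed sample keyfiles for the demonstration (not the real Flathub
# metadata); prints the temporary directory that holds them.
make_flatpak_samples() {
    dir=$(mktemp -d)
    cat > "$dir/metadata" <<'EOF'
[Application]
name=us.zoom.Zoom

[Context]
shared=network;ipc;
sockets=x11;pulseaudio;
filesystems=home;xdg-run/pipewire-0;
EOF
    cat > "$dir/override" <<'EOF'
[Context]
filesystems=!home;xdg-documents/Zoom;
persistent=.zoom;.config;
EOF
    echo "$dir"
}

main() {
    if [ -r "$SYSTEM_META" ]; then
        echo "$APP home access: $(home_access "$SYSTEM_META" "$USER_OVERRIDE")"
        echo "allowed filesystems (override): $(context_list "$USER_OVERRIDE" filesystems 2>/dev/null | tr '\n' ' ')"
        echo "persisted directories: $(context_list "$USER_OVERRIDE" persistent 2>/dev/null | tr '\n' ' ')"
    else
        echo "$APP is not installed system-wide; nothing to inspect" >&2
    fi
    return 0
}

main
```

Run it as the user who applied the Flatseal changes; "restricted" together with an allowed list of only xdg-documents/Zoom is the state Martin describes. If the output says "granted", the home switch in Flatseal was not turned off and the xdg-documents/Zoom entry has no effect, exactly the caveat he raises.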
Re: [DNG] Zoom?
Martin Steigerwald - 04.08.20, 06:34:22 CEST:
> Haines Brown - 04.08.20, 01:58:26 CEST:
> > I've been relying on zoom on a laptop running debian. But there's a
> > problem with it and I want to install zoom on beowulf 3.
> >
> > But there's no zoom in the beowulf repository. Do I have to download
> > debian's zoom .deb?
>
> I used flatpak to install Zoom.

By the way I am not recommending to use Flatpak to install just *any* app. I only use it for stuff that I cannot obtain via Devuan or in this case on this laptop Debian package repository. I agree with the assessment at¹ enough to avoid using it to install something that I can easily obtain via the official package repository of the distribution.

But compared with using the Debian package from Zoom, it may have the advantages I described. Of course if you monitor the Zoom webpage with the Debian package daily and install a new package immediately you may install security fixes more quickly. There is likely to be *some* delay regarding updated Flatpaks, but as written I receive updates of it regularly.

And with installing the deb package from Zoom you need to trust them completely. They could do anything on your computer as maintainer scripts run with root permissions. Also you cannot restrict permissions of the Zoom application like you can with Flatseal this way.

So I personally see a security advantage of using Flatpak for third party, closed source apps like Zoom, Skype, Teams. The best approach from a security point of view however is to avoid those apps completely.

If you use the Debian package, or even with the Flatpak, you can setup up a different use or use a VM, to contain the application. For now I rely on what Flatpak can do, but a different user or a VM of course gives stronger guarantees about security.

[1] https://flatkill.org/

Ciao,
-- 
Martin
Re: [DNG] Zoom?
Ozi Traveller via Dng - 04.08.20, 06:00:43 CEST:
> Yes, use the debian deb. I have it running on devuan.
>
> or
>
> try the web client
>
> https://support.zoom.us/hc/en-us/articles/214629443-Zoom-web-client

I'd avoid using the web client.

At least with a browser that is not specifically set up to avoid privacy leaks.

I am not sure about the web client specifically, however the main webpage from Zoom at least uses Google Tag Manager and Google Analytics. Both blocked on my web browser.

Of course as a user of Googlemail your mileage may vary.

With my browser setup I cannot even set it up easily in order to fully display the page as it seems to pull resources from not so obvious or easy to guess sources.

I'd be wary of the web client.

On the other hand, if you use a secured browser and manage to make the web client work with it, this *may* give you a better isolation than using a Flatpak.

If you install Zoom inside a VM just for that purpose or use a different user, you may get the best protection though.

I currently rely on the sandboxing in Flatpak, unless I learn that it does not work.

I also installed Rocket.Chat through Flatpak and there I was able that I am not able to track files into the chat client from directories that are *not* allowed for the app. Its error message was less than helpful, but the app apparently was not able to open the file. So I found the permission system basically appears to work.

Best,
-- 
Martin
Re: [DNG] Zoom?
Martin Steigerwald - 04.08.20, 06:46:11 CEST:
> If you use the Debian package, or even with the Flatpak, you can setup
> up a different use or use a VM, to contain the application. For now I

a different user

> rely on what Flatpak can do, but a different user or a VM of course
> gives stronger guarantees about security.

-- 
Martin
Re: [DNG] Zoom?
Martin Steigerwald - 04.08.20, 06:54:06 CEST:
> I also installed Rocket.Chat through Flatpak and there I was able that
> I am not able to track files into the chat client from directories

*drag*

> that are *not* allowed for the app. Its error message was less than
> helpful, but the app apparently was not able to open the file. So I
> found the permission system basically appears to work.

*sigh* Typo not found during initial proofreading.

-- 
Martin
Re: [DNG] Zoom?
I have it on an isolated laptop! And I don't care what happens to it!

On Tue, Aug 4, 2020 at 2:54 PM Martin Steigerwald wrote:
> Ozi Traveller via Dng - 04.08.20, 06:00:43 CEST:
> > Yes, use the debian deb. I have it running on devuan.
> >
> > or
> >
> > try the web client
> >
> > https://support.zoom.us/hc/en-us/articles/214629443-Zoom-web-client
>
> I'd avoid using the web client.
>
> At least with a browser that is not specifically set up to avoid privacy
> leaks.
>
> I am not sure about the web client specifically, however the main webpage
> from Zoom at least uses Google Tag Manager and Google Analytics. Both
> blocked on my web browser.
>
> Of course as a user of Googlemail your mileage may vary.
>
> With my browser setup I cannot even set it up easily in order to fully
> display the page as it seems to pull resources from not so obvious or
> easy to guess sources.
>
> I'd be wary of the web client.
>
> On the other hand, if you use a secured browser and manage to make the
> web client work with it, this *may* give you a better isolation than
> using a Flatpak.
>
> If you install Zoom inside a VM just for that purpose or use a different
> user, you may get the best protection though.
>
> I currently rely on the sandboxing in Flatpak, unless I learn that it
> does not work.
>
> I also installed Rocket.Chat through Flatpak and there I was able that I
> am not able to track files into the chat client from directories that are
> *not* allowed for the app. Its error message was less than helpful, but
> the app apparently was not able to open the file. So I found the
> permission system basically appears to work.
>
> Best,
> -- 
> Martin
Re: [DNG] Zoom?
I've switched to teams.

On Tue, Aug 4, 2020 at 2:55 PM Martin Steigerwald wrote:
> Martin Steigerwald - 04.08.20, 06:46:11 CEST:
> > If you use the Debian package, or even with the Flatpak, you can setup
> > up a different use or use a VM, to contain the application. For now I
>
> a different user
>
> > rely on what Flatpak can do, but a different user or a VM of course
> > gives stronger guarantees about security.
> -- 
> Martin
Re: [DNG] Zoom?
Hi!

No need to CC me.

Ozi Traveller - 04.08.20, 06:55:48 CEST:
> I have it on an isolated laptop! And I don't care what happens to it!

That of course is the best isolation you can get.

Ciao,
-- 
Martin
[DNG] Privacy and large public, yet privately owned, service providers (was: Re: Zoom?)
Ozi Traveller - 04.08.20, 06:57:38 CEST:
> I've switched to teams.

I avoid Teams as much as I can. Unfortunately we have Office 365 at work.

I read about all the privacy issues on Zoom, but at least from the reaction of Zoom people I had the impression they are taking them seriously. And they are still smaller than Microsoft. However I do not completely trust them. The CEO publicly stated he did not want to enable end-to-end encryption for free users for the service in order to *help* the FBI. They partly reconsidered, but still that kind of attitude is not acceptable for me from a privacy point of view. I also avoid Zoom. There is some chat I still used it for and if that would be end-to-end-encrypted in the future without me having to register a user account with them, it might be okay. However it's still proprietary.

Unfortunately it appears that Nextcloud Talk which I installed for myself cannot record talks. You can consider this a feature. But with agreement of *all* participants this would be a good thing to have.

For me Microsoft with Office 365 is by no means better than Google or Amazon. They are doing the exact same thing if you ask me. And there are several data / privacy protection officials who say it is legally impossible to use Microsoft Teams and Co in Germany. I tried to understand their privacy statement. I failed to even grasp the structure of that document. Their privacy declaration is a complete, utter and incomprehensible mess. I am not sure a mere mortal is supposed to understand this crap. And then Max Schrems and his team at noyb.eu convinced the highest European court to finally kick Privacy Shield.

I hope that some day companies stop the insanity to introduce proprietary software they have *no control* over *whatsoever* through the web browser and public cloud service providers, cause it does not even run on *their* computers. This stuff is proprietary software through the backdoor called browser. It completely undermines the free software movement while at least in part *using* free software. It is a trick for companies to regain and even extend their control over users. It violates user freedom at its core.

I strongly distrust large public cloud service providers and I think they are in sum detrimental to a free and open society.

I just recommend Why Privacy Matters from Glenn Greenwald

https://invidious.snopyta.org/watch?v=pcSlowAhvUk

(or use a different Invidious instance or Youtube directly as domain)

With those cloud providers you can *never* know whether they spy on you or not. It is the perfect panopticon¹. Unless you only store *end-to-end* encrypted data on it, in a way that even metadata is encrypted.

And even if I use something on another computer, and I do, I trust small providers like disroot.org or smaller web hosting providers a huge lot more than Google, Microsoft or Amazon Web Services. I'd like to host everything in my home though and in some homes of friends I trust.

This whole centralization is a huge, big, fat mistake, if you ask me. It concentrates way too much power in way too few hands. All those companies who give up the control over their own infrastructure will at one point in history receive the real invoice for that. Loss of competence in their own employees, loss of control, increased dependencies and in the end very likely also increased cost. They are at the mercy of their giant, yet privately owned, service providers.

I do my best to get rid of it. It is not easy though at times to convince friends and relatives to use alternatives. And very challenging to convince my employer to stop using Office 365. They did not tend to see the issues with it at least not to the point where they would really stop using it.

However I installed my own Nextcloud and used it successfully for video chat and more meanwhile. I also attended BigBlueButton conferences and Jitsi meetings. I use XMPP for chat. This is the way to go forward. I am making a little step at a time. A little step into freedom, one after another. And I can only recommend to others to do that as well.

[1] https://en.wikipedia.org/wiki/Panopticon

Best,
-- 
Martin