Does anyone know of a public set of ModSecurity exceptions for the fediverse/ActivityPub I can take a look at? I'm setting it up for GoToSocial and Mastodon now and manually doing this is a pain.

Update, @cloudymax and I started a plugin here:
https://github.com/small-hack/argocd-apps/blob/2b7995c6fae5ecbb3944c6c6f4b139d98b76e67f/ingress-nginx/modsecurity_plugins_configmap.yaml#L177

Still happy to collaborate on it, but also wanted to note there was a mention a year ago about making an ActivityPub plugin over at the OWASP CRS repo, so maybe we could donate to that if it's ever created:
https://github.com/coreruleset/coreruleset/issues/3497#issuecomment-1902181156

#WAF #modsecurity #nginx #apache #firewall #webApplicationFirewall #mastodon #gotosocial #activitypub

Burning it in for 12 hours now. It consumes 17W at idle running #OpenBSD 7.7 without apmd and ramps to 35W during KARL. Firmware was updated to the latest supported for the model and VT-x extensions have been turned off, this is just a firewall.

Thermals are good with the case back together. In 20 degrees ambient, they are reporting:
hw.sensors.cpu0.temp0=39.00 degC
hw.sensors.acpitz0.temp0=27.80 degC (zone temperature)
hw.sensors.nvme0.temp0=40.00 degC, OK

I did clean the heat sink and CPU, then applied new thermal paste. Time to build some ansible playbooks for management and then apply them, ready for production. #firewall #IPv6

Comparing firewall syntax for SSH (port 22) with default-deny:
================================================

#iptables (Linux)
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -P INPUT DROP

#nftables (Linux)
nft add rule inet my_filter input tcp dport 22 accept
nft add rule inet my_filter input drop

#ufw (Linux - simplified frontend to iptables)
ufw allow 22/tcp
ufw default deny incoming

#pf (OpenBSD)
block all
pass in proto tcp to port 22

pf's syntax feels so elegant, human-readable, & minimal!

After 20 years scripting iptables, I'm ready to try UFW on my laptop.
#firewall #sysadmin #pf #iptables #ufw #nftables
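
The tools compared above differ in evaluation order as well as syntax: iptables and nftables stop at the first matching verdict, while pf applies the last matching rule unless `quick` is set. The following is an added example, not part of the original post; it is a toy model of both evaluators run on the post's SSH rules, and the `Rule` class, function names and the two probe packets are constructed for illustration.

```python
# Added illustration: toy rule evaluators, not real firewall code.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                    # "accept" or "drop"
    proto: Optional[str] = None    # None matches any protocol
    dport: Optional[int] = None    # None matches any destination port
    quick: bool = False            # pf only: stop evaluating on match

    def matches(self, proto: str, dport: int) -> bool:
        return self.proto in (None, proto) and self.dport in (None, dport)


def first_match(rules, policy, proto, dport):
    """iptables/nftables: first matching verdict wins, else the chain policy."""
    for rule in rules:
        if rule.matches(proto, dport):
            return rule.action
    return policy


def last_match(rules, proto, dport):
    """pf: last matching rule wins, 'quick' ends evaluation, default is pass."""
    verdict = "accept"
    for rule in rules:
        if rule.matches(proto, dport):
            verdict = rule.action
            if rule.quick:
                break
    return verdict


def probe(evaluate):
    """Verdicts for two constructed inbound packets: tcp/22 and tcp/80."""
    return evaluate("tcp", 22), evaluate("tcp", 80)


SSH, DROP = Rule("accept", "tcp", 22), Rule("drop")
SSH_QUICK = Rule("accept", "tcp", 22, quick=True)

# Assumption: the nftables chain is a base chain with the default accept policy.
IPTABLES = probe(lambda p, d: first_match([SSH], "drop", p, d))
NFTABLES = probe(lambda p, d: first_match([SSH, DROP], "accept", p, d))
NFT_DROP_FIRST = probe(lambda p, d: first_match([DROP, SSH], "accept", p, d))
PF_BLOCK_THEN_PASS = probe(lambda p, d: last_match([DROP, SSH], p, d))
PF_PASS_THEN_BLOCK = probe(lambda p, d: last_match([SSH, DROP], p, d))
PF_QUICK_THEN_BLOCK = probe(lambda p, d: last_match([SSH_QUICK, DROP], p, d))
```

Each constant holds the (tcp/22, tcp/80) verdict pair, so a default-deny ruleset that still admits SSH shows up as `("accept", "drop")`.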