Album on lemmy.ca, beehaw.org, shit.itjust.works & lemmy.world
I have an n100 box that I put opnsense on for routing, firewall, DHCP, DNS and IDS. It uses unbound for DNS and so I’m leveraging the blocklist functionality in unbound. And then I use unbound to resolve instead of using DoT forwarding.
DNSBL is only a small component of effective network security. Arguably the firewall is most important and so I have a default deny all for any device on my LAN trying to reach the Internet.
All applications need specific allows. Thus internally no device can use dns over tls because 853 is blocked by default. Then I use a DNSBL to catch known DoH by domain since the cert is provided by domain name.
Do you understand what an analogy is?
Yes, hence it being a shit one.
Anyways, Firefox is the project. All of those other “projects” are mostly configuration changes of the upstream project, not even code changes.
No, for example Fennec for F-Droid, which is the base for Mull or IronFox, has multiple code deletes to remove unsolicited data sent to Google.
When Firefox decides to become hostile to those “other” browsers you use, they’ll be able to do fuck all about it.
That’s not how open source works…
As someone who has never used Firefox, only LibreWolf/Mull/IronFox, this analogy is asinine. Switching browsers is trivial and not at all like dealing with the threat of violence. It’s exactly bullshit like this that is tiring. No one is really thinking, just making unintelligent quips and reactions or parroting the bullshit of others.
DDG obviously hasn’t updated its cache. Safetnet is new. It had a high rating at 4k reviews, then obviously social media misrepresents it and people flock to the store to drop 56k+ reviews on something they now misunderstand. So in just a few weeks the rating has changed dramatically and now DDG needs to update the cached review score.
Not that reviews matter for this app.
The dev that supported Mull also made significant contributions to Fennec, though it still has its maintainer, so I’m nervous about Fennec’s long term suitability.
Yeah, that’s basically right. With an opening line like mine (a formula), we’re basically dealing in typical reddit/lemmy pedanticism.
I (somewhat ironically now) specifically chose the words MFA over 2FA when saying “mfa-1” so as to be most encompassing from the get go because yes:
I do agree the first factor, in a situation where it’s multiple factors, is generally and by common practice something you know.
It’s all dependent on what you’re doing and how. Like if you use Facebook you’re fingerprinted to the tits.
The granularity depends on examples like that.
But something a bit more benign and not as granular would be fingerprinting you based on the timezone your browser offers up. It’s not as basic as like “-7 GMT” since the ISO list can go down to the state and/or country. So if in your OS you picked “America/Houston” a lot of browsers will pony that up without hesitation.
How many more bits of data until you know what city I’m in, street I’m on, etc.? And there’s tons of ways to derive that data over time.
https://browserleaks.com/ is an interesting example that can show all the bits of data your browser can give up.
And of course you can lock lots down given the right tools.
Yes and 100% isn’t 100%
People and their batteries though… It’s a futile obsession for some. It doesn’t matter how much science or logic you throw at them there’s always something.
Like how fast charging hasn’t, for some time, done a full max rate for the entire time, to keep heat within tolerances, but still some people think doing the work themselves is somehow better thermal management than modern battery controllers, to the point they think it will make a material difference.
WRT LAN deny all for the fam, it’s mostly hard on gamers cuz games tend to use wide port ranges and outbound IPs are potentially home ISP networks, not the game servers. But yeah it takes some time and research to really lock it down.
Most stuff is running through web protocols though. So right off the bat you create allow rules for any LAN device to hit ports 80, 8080, 443, 8443, which are your common HTTP and HTTPS ports. That’s gonna get most people what they need.
I do ASN based allows for certain applications like Google, Facebook, etc.
For consoles they’re pretty locked down so just give them full allow to the Internet. I don’t do that actually but it’s probably the better way.
IoT devices get only the ports they need to the IPs they need.
No, I mean my unbound determines DNS for something like microsoft.com all by itself. It calls up the root name servers, finds the com nameservers, then asks the com nameservers for Microsoft. And for any subdomains it asks the MS name servers. This is instead of relying on external forwarding services like 8.8.8.8 or 1.1.1.1 or Quad9 or whatever. At least the former two are sure to be aggregating this data.
Additionally I do not allow devices on my network to reach out to external port 53, or 853 to circumvent lookups on my unbound by reaching out directly, which would then bypass the DNSBL. Anything for port 53 gets NAT’d to the unbound server. You can’t redirect TLS attempts so those get hard blocked.
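An added example, not the commenter's or OPNsense's own configuration, that models the egress policy described in the comments above (default deny, web-port allows for every LAN host, plain DNS redirected to unbound, DoT hard-blocked, IoT devices restricted to specific endpoints) as a first-match rule list, plus a helper that renders the DoH-domain DNSBL as unbound `local-zone` entries. The LAN range, the resolver address, the IoT host and its permitted endpoint are assumed placeholders, and the IoT rules are assumed to sit above the general web allow so ordering is visible.

```python
"""Constructed model of the LAN egress policy discussed above (not OPNsense's rule format)."""
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")   # assumed LAN range
UNBOUND = "192.168.1.1"              # assumed address of the local unbound resolver
IOT_HOSTS = {"192.168.1.50"}         # assumed IoT device(s)
IOT_ENDPOINT = ("203.0.113.10", 443) # assumed only endpoint the IoT device needs

# (name, match, (action, redirect_target)); evaluated top to bottom, first hit wins.
RULES = [
    # Any plain DNS is NAT'd to the local resolver so the DNSBL still applies.
    ("dns-redirect", lambda f: f["dport"] == 53, ("redirect", UNBOUND)),
    # DoT cannot be transparently redirected (the cert is per name), so it is dropped.
    ("dot-block", lambda f: f["dport"] == 853, ("block", None)),
    # IoT devices reach only what they need; everything else from them stops here.
    ("iot-allow", lambda f: f["src"] in IOT_HOSTS
     and (f["dst"], f["dport"]) == IOT_ENDPOINT, ("allow", None)),
    ("iot-deny", lambda f: f["src"] in IOT_HOSTS, ("block", None)),
    # Common HTTP/HTTPS ports for the rest of the LAN.
    ("web-allow", lambda f: f["proto"] == "tcp"
     and f["dport"] in {80, 8080, 443, 8443}, ("allow", None)),
]


def evaluate(flow):
    """Return (rule_name, action, redirect_target) for one flow dict
    with keys src, dst, proto, dport."""
    if ip_address(flow["src"]) not in LAN:
        return ("not-lan", "block", None)
    for name, match, (action, target) in RULES:
        if match(flow):
            return (name, action, target)
    return ("default-deny", "block", None)   # nothing matched: deny all


def unbound_blocklist(doh_domains):
    """Render unbound local-zone lines that answer NXDOMAIN for each listed
    DoH resolver name; this is how the DNSBL catches DoH that a port block cannot."""
    return [f'local-zone: "{d.rstrip(".")}." always_nxdomain' for d in sorted(doh_domains)]
```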
Suricata is what opnsense uses. Pretty easy to set up.