OPNsense: Tayga NAT64/DNS64 installation

Have you ever dreamed of running a pure IPv6-only network? I have. But until the IPv4 defenders finally kick the bucket we have to rely on transition methods. In this case, NAT64 in combination with DNS64, so IPv6-only hosts can talk to IPv4 legacy systems transparently. And here is how you can do it with OPNsense and the help of a recursive BIND resolver. With OPNsense 20.1.1 Michael built a plugin for the NAT64 application tayga. Read more →

Subjectmilter: A postfix milter to reject bad words in a subject

TL;DR: SpamAssassin is an ancient, bloated piece of software. I like Go and wrote my own milter. Background story: I've been running my own mail server for a couple of years now and have hardly received any e-mail spam. Of course it was quickly discovered and spammers tried to relay over it, which is of course blocked. A year and a half ago I started to receive a few spam mails, because I posted my e-mail address unprotected on this blog. Read more →

Pi-hole: Returning NXDOMAIN is a bad idea

I've found that Amazon's Fire TV is spamming my Pi-hole trying to resolve secure-eu.imrworldwide.com every three seconds. Here is how it looks in the graphs: The blue spikes are the Fire TV, which was not in use throughout the day and should be silently on standby. However, it tries very eagerly to reach a tracking service. Bad Fire TV! Shame! By default Pi-hole is returning or :: for blocked domains. Read more →

Arch: Primary script unknown after upgrade to 7.4.0

Do you know that? Everything is running fine, you update, reboot and it's fucked up? Normally that doesn't happen on Arch :-) But on a Friday night it had to happen to me. What happened exactly? After the reboot I found the following log message: *26 FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream And of course the PHP application was not working anymore. Googling this error message leads to one solution: You have to set SCRIPT_FILENAME as a FastCGI parameter. Read more →

WireGuard: "Error: Unknown device type" on Archlinux

Do you also have the following problem after installing wireguard-tools and wireguard-arch? [root@test ~]# ip link add dev wg0 type wireguard Error: Unknown device type. No, you didn't do anything wrong! Yes, that's the right way to install WireGuard on Arch! So why isn't it working? The fix is pretty simple: Update your fucking system! [root@test ~]# pacman -Syu :: Synchronizing package databases... core is up to date extra is up to date community is up to date :: Starting full system upgrade. Read more →

RAID 0 with 3 disks: md/raid0: please set raid.default_layout to 1 or 2

Today it was time for a backup. I've recently increased my RAID 0 with a third disk for more space. Adding the disk was already a pain in the ass and it seemed that I had fucked up again. The last time I did a backup was about a month ago. So today I attached the three disks again and the RAID would not build. An mdadm --detail gave me: [root@homeserver ~]# mdadm --detail /dev/md127 /dev/md127: Version : 1. Read more →

OPNsense: Route subnet over VPN

The piracy rate of movies and TV series dropped significantly after Netflix made its breakthrough. With one monthly subscription you had access to a huge amount of content just one click away. It has never been easier or more comfortable. Congratulations to the publishers for stepping out of your comfort zones. Your losses to piracy were reduced quite a bit. But you greedy bastards are pushing your customers towards piracy again. You enforce geoblocking or don't license your stuff to established streaming services. Read more →

Generating IPv6 PTR records on the fly

In the IPv4 world a reverse DNS lookup should always return a PTR record. BIND has the ability to create such a zone file by calling the $GENERATE function. With this you do not have to write each PTR record by hand. In IPv6, where a /56 contains 4,722,366,482,869,645,213,696 IPv6 addresses, you are not able to store them in memory or in a file. The biggest ISP in Germany is Deutsche Telekom and they provide a valid PTR for each IPv6 address in their /23 network. Read more →

Upgrading Cisco SG350 firmware over tftp

For my ongoing IPv6-only network at home and to keep my systems up to date I upgraded the firmware of my Cisco SG350 switch. The best part is that it's really easy over TFTP. macOS has a built-in TFTP server which supercharges that task. Download the current firmware for your switch version from the Cisco website. Next, switch to the terminal, load and start the TFTP server. You need to be an administrator to do this: Read more →

Systemd: Bind to privileged port without altering upstream service file

I'm using syncthing to sync files to all my devices. It comes with a web interface accessible over port 8384. I don't like websites which are not accessible over port 80 or 443. Normally I use nginx to proxy requests. For me that's hassle free because I'm using ansible to spin up nginx installations. Yet it's unnecessary overhead. An unprivileged application usually can't bind to ports below 1024. My syncthing installation runs with user privileges and is - as far as I know - not able to drop privileges like nginx. Read more →