Arch: Primary script unknown after upgrade to 7.4.0

Do you know that feeling? Everything is running fine, you update, reboot and it's fucked up? Normally that doesn't happen on Arch :-) But on a Friday night it had to happen to me. What happened exactly? After the reboot I found the following log message: *26 FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream. And of course the PHP application was not working anymore. Googling this error message leads to one solution: you have to set SCRIPT_FILENAME as a FastCGI parameter. Read more →
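Added example, not code from the post: the shape of an nginx PHP location that produces "Primary script unknown" next to the two ways to fix it, plus a small POSIX sh + awk check that flags FastCGI locations which never pass SCRIPT_FILENAME. The config snippets, the socket path and the document root are constructed for the example. What the page does not say but matters here: upstream nginx ships two parameter files, fastcgi_params (no SCRIPT_FILENAME) and fastcgi.conf (sets it), so including the wrong one is enough to hit this error.

```shell
#!/bin/sh
# Added example, not code from the post. Assumes POSIX sh + awk.
# The three nginx snippets below are constructed for this example.

# Constructed: proxies to php-fpm but never tells it which file to run.
# Upstream nginx's fastcgi_params does not set SCRIPT_FILENAME, so php-fpm
# answers "Primary script unknown".
BROKEN_CONF='
server {
    root /srv/http;
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
    }
}'

# Constructed fix 1: pass SCRIPT_FILENAME explicitly. try_files makes nginx
# return 404 for a non-existent script instead of handing a path like
# /uploads/img.png/x.php to php-fpm (which, with cgi.fix_pathinfo=1, would
# run the upload as PHP).
FIXED_CONF='
server {
    root /srv/http;
    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
    }
}'

# Constructed fix 2: include fastcgi.conf, which upstream ships with
# SCRIPT_FILENAME already set.
FIXED_CONF2='
server {
    root /srv/http;
    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi.conf;
        fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
    }
}'

# check_fastcgi_locations CONF_TEXT
# Prints one line per location block that uses fastcgi_pass without passing
# SCRIPT_FILENAME (directly, or via "include fastcgi.conf"). Exit status 1 if
# any such block exists, 0 otherwise. Braces are counted per line; nested
# includes are not followed and comments are not stripped (kept simple).
check_fastcgi_locations() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*location[[:space:]]/ && !inloc {
            inloc = 1; opened = 0; locdepth = depth; pass = 0; sf = 0
            name = $0
            sub(/^[[:space:]]*/, "", name)
            sub(/[[:space:]]*[{].*$/, "", name)
        }
        {
            depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
            if (!inloc) next
            if (depth > locdepth) opened = 1
            if ($0 ~ /fastcgi_pass[[:space:]]/) pass = 1
            if ($0 ~ /fastcgi_param[[:space:]]+SCRIPT_FILENAME[[:space:]]/) sf = 1
            if ($0 ~ /include[[:space:]]+[^;]*fastcgi\.conf[[:space:]]*;/) sf = 1
            if (opened && depth == locdepth) {
                if (pass && !sf) { print "missing SCRIPT_FILENAME: " name; bad = 1 }
                inloc = 0
            }
        }
        END { exit bad + 0 }'
}

# Demo: the broken block is flagged, both fixed blocks pass.
check_fastcgi_locations "$BROKEN_CONF" || echo "-> broken config flagged (expected)"
check_fastcgi_locations "$FIXED_CONF" && echo "-> FIXED_CONF ok"
check_fastcgi_locations "$FIXED_CONF2" && echo "-> FIXED_CONF2 ok"
```

To run it against a real install, use something like check_fastcgi_locations "$(cat /etc/nginx/nginx.conf)" on each file that carries location blocks; the checker does not follow include lines into other files, so feed it the vhost files directly.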

WireGuard: "Error: Unknown device type" on Archlinux

Do you also have the following problem after installing wireguard-tools and wireguard-arch?
[root@test ~]# ip link add dev wg0 type wireguard
Error: Unknown device type.
No, you didn't do anything wrong! Yes, that's the right way to install WireGuard on Arch! So why isn't it working? The fix is pretty simple: update your fucking system!
[root@test ~]# pacman -Syu
:: Synchronizing package databases...
 core is up to date
 extra is up to date
 community is up to date
:: Starting full system upgrade. Read more →

RAID 0 with 3 disks: md/raid0: please set raid0.default_layout to 1 or 2

Today it was time for a backup. I recently extended my RAID 0 with a third disk for more space. Adding the disk was already a pain in the ass and it seemed that I had fucked up again. The last time I did a backup was about a month ago. So today I attached the three disks again and the RAID would not assemble. mdadm --detail gave me:
[root@homeserver ~]# mdadm --detail /dev/md127
/dev/md127:
Version : 1. Read more →

OPNsense: Route subnet over VPN

The piracy rate of movies and TV series dropped significantly after Netflix made its breakthrough. With one monthly subscription you had access to a huge amount of content just one click away. It had never been easier or more comfortable. Congratulations to the publishers for stepping out of your comfort zones. Your losses to piracy were reduced quite a bit. But you greedy bastards are pushing your customers towards piracy again. You enforce geoblocking or don't license your stuff to established streaming services. Read more →

IPv6 privacy extensions and firewall policies

At work the office router already advertises an IPv6 prefix for our end-user devices. Because our management networks are IPv4 only, IPv6 was only used for browsing the internet. However, the IPv6 rollout for our internal network is finally starting. A colleague of mine who did the first IPv6-enabled system setup found a big "problem": IPv6 privacy extensions (RFC 3041). Since you are reading this I assume you already know what IPv6 privacy extensions mean. Read more →

Generating IPv6 PTR records on the fly

In the IPv4 world a reverse DNS lookup should always return a PTR record. BIND can create such a zone file with the $GENERATE directive, so you do not have to write each PTR record by hand. In IPv6, where a single /56 contains 4,722,366,482,869,645,213,696 addresses, you cannot keep such a zone in memory or in a file; the records have to be generated when the query arrives. The biggest ISP in Germany is Deutsche Telekom and they provide a valid PTR for each IPv6 address in their /23 network. Read more →
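Added example, not code from the post: what a dynamic PTR backend has to do for every query, written in POSIX sh + awk. The query arrives as an ip6.arpa name, so the backend reverses the nibbles back into an address, checks that the address actually lies inside the prefix it is authoritative for (otherwise it would happily synthesise names for the whole internet), and derives a hostname from it. The forward direction (address to ip6.arpa name) is included so the two can be checked against each other. The prefix 2001:0db8:37f:b000::/56 is the one from the routing post further down this page; the hostname scheme (all 32 nibbles as one label) and the domain rdns.example.net are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the post. Assumes POSIX sh + awk.
# Hostname scheme and domain below are invented for illustration.

# expand_ipv6 ADDR -> ADDR as 8 lowercase groups of 4 hex digits ("::" expanded)
expand_ipv6() {
    printf '%s\n' "$1" | awk -F'::' '
        function pad4(g) { while (length(g) < 4) g = "0" g; return g }
        {
            n = split($1, l, ":")                      # groups left of "::"
            m = (NF > 1) ? split($2, r, ":") : 0       # groups right of "::"
            out = ""
            for (i = 1; i <= n; i++) out = out pad4(l[i]) ":"
            for (i = 1; i <= 8 - n - m; i++) out = out "0000:"
            for (i = 1; i <= m; i++) out = out pad4(r[i]) ":"
            print tolower(substr(out, 1, length(out) - 1))
        }'
}

# ptr_name ADDR -> the ip6.arpa name a resolver would query for ADDR
ptr_name() {
    expand_ipv6 "$1" | awk '{
        gsub(/:/, "")
        out = ""
        for (i = length($0); i >= 1; i--) out = out substr($0, i, 1) "."
        print out "ip6.arpa"
    }'
}

# arpa_to_addr NAME -> expanded address, or exit 1 if NAME is not a well-formed
# 32-nibble ip6.arpa name (this is the input a dynamic backend receives)
arpa_to_addr() {
    printf '%s\n' "$1" | awk '{
        sub(/\.ip6\.arpa\.?$/, "")
        n = split($0, nib, ".")
        if (n != 32) exit 1
        hex = ""
        for (i = n; i >= 1; i--) {
            if (nib[i] !~ /^[0-9a-fA-F]$/) exit 1
            hex = hex nib[i]
        }
        out = ""
        for (i = 1; i <= 8; i++) out = out (i > 1 ? ":" : "") substr(hex, (i - 1) * 4 + 1, 4)
        print tolower(out)
    }'
}

# in_prefix ADDR PREFIX LEN -> true if ADDR lies in PREFIX/LEN.
# Assumption: LEN is on a nibble boundary (a multiple of 4, 4..128), which is
# also what reverse-zone delegation works with.
in_prefix() {
    a=$(expand_ipv6 "$1" | tr -d ':')
    p=$(expand_ipv6 "$2" | tr -d ':')
    n=$(( $3 / 4 ))
    [ "$(printf '%s' "$a" | cut -c 1-"$n")" = "$(printf '%s' "$p" | cut -c 1-"$n")" ]
}

# synth_ptr QNAME PREFIX LEN DOMAIN -> hostname to answer a PTR query with,
# or exit 1 when QNAME is malformed or outside the prefix we serve.
synth_ptr() {
    addr=$(arpa_to_addr "$1") || return 1
    in_prefix "$addr" "$2" "$3" || return 1
    printf '%s.%s\n' "$(printf '%s' "$addr" | tr -d ':')" "$4"
}

# Demo with the /56 from the static-routing post on this page.
prefix=2001:0db8:37f:b000::
ptr_name 2001:db8:37f:b0ff::1
synth_ptr "$(ptr_name 2001:db8:37f:b0ff::1)" "$prefix" 56 rdns.example.net
synth_ptr "$(ptr_name 2001:db8:42::1)" "$prefix" 56 rdns.example.net \
    || echo "refused: 2001:db8:42::1 is not in $prefix/56"
```

Plugging this into a real server means wiring synth_ptr behind whatever dynamic-answer mechanism the name server offers; the point of the functions is that every answer is computed from the query name alone, and that the prefix check keeps the zone from answering for addresses it was never delegated.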

Upgrading Cisco SG350 firmware over tftp

For my ongoing IPv6-only network at home, and to keep my systems up to date, I upgraded the firmware of my Cisco SG350 switch. The best part is that it's really easy over TFTP. macOS has a built-in TFTP server, which makes the task much quicker. Download the current firmware for your switch model from the Cisco website. Next, switch to the terminal, then load and start the TFTP server. You need to be an administrator to do this: Read more →

Systemd: Bind to privileged port without altering upstream service file

I'm using Syncthing to sync files to all my devices. It comes with a web interface accessible over port 8384. I don't like websites which are not accessible over port 80 or 443. Normally I use nginx to proxy requests. For me that's hassle-free because I'm using Ansible to spin up nginx installations. Yet it's unnecessary overhead. An unprivileged application usually can't bind to ports below 1024. My Syncthing installation runs with user privileges and is, as far as I know, not able to drop privileges like nginx does. Read more →

GitHub: Cloning or pushing results in "Broken pipe" error

Something strange is happening at the moment with my GitHub interaction over SSH. I get the following error when trying to interact (push, pull, clone) with any repo. It has something to do with SSH. The GitHub help page suggests issuing the following command: ssh -T git@github.com It should print your username. If that happens, your SSH works and GitHub can authenticate you. However, my result differs a bit: git clone git@github. Read more →

pfSense/OPNsense: Static IPv6 routing behind a Fritz!Box

My ISP now, fortunately, provides me with a static IPv6 prefix. Here I write up how I got it behind my OPNsense. This is a follow-up to my article pfSense/OPNsense: IPv6 Delegation hinter Fritz!Box - 2019 Version.
Network structure
The network looks as follows:
[Fritz!Box 7590] <--L2--> [OPNsense/WAN] --> L2: DMZ --> L2: LAN --> L2: GUEST
The Fritz!Box gets the prefix 2001:0DB8:37f:b000::/56 from the ISP. This prefix is supposed to be reachable behind the OPNsense. Read more →