Notices by Solène :flan_hacker: (solene@bsd.network), page 2

Is anyone aware of an open source project to create a gateway between 2 networks and force traffic over a VPN?

Basically, I think of a raspberry pi that would connect over WiFi and provide network to a computer on ethernet. The pi would establish a VPN and make sure the computer packets do not leak. This could also act as a simple firewall so that you can let the computer handle the VPN but to a couple of IP only.

I already designed all features that could be provided, how to manage the thing too, but before going further I wondered if such project did not exist yet? I wasn't able to find anything except expensive commercial products. And having to do all the configuration from something bare is not an option (due to skill issues for end users and risks of misconfiguration).

@prahou great work :flan_smile:

@d thank you very much :flan_smile:

Seems like we are reaching the good amount of links for a new #OpenBSD webzine issue soon :flan_hacker:

https://webzine.puffy.cafe/

@JustinDerrick @reay I wrote a privacy guide about emails when working for IVPN

https://www.ivpn.net/privacy-guides/email-and-privacy/

Basically, you should avoid emails if you care about privacy, there is nothing private about emails. Your email provider can read your sent/received emails and each recipient provider can do the same.

ProtonMail, Tuta, Posteo, Mailbox.org and custom encryption at rest will not fix the statement above. The encryption at rest done only prevent them from reading currently stored emails.

End-to-end encryption can help but they still know who send emails to who, at which frequency and each email size.

@marmarta I use restic, borg and wyng, basically I want this for a backup solution:

- encryption
- remote storage (ssh or s3) that does not require an agent on the remote
- ability to verify a backup
- ability to check the repository integrity
- ability to restore a backup (that's the point of the tool though 😅 )
- ability to exclude data (when applicable)
- deduplication of data within repository
- being able to configure auto deletion/pruning of old data using retention rules
- bonus if you can backup multiple hosts to the same repository and use deduplication
- show me some stats

The biggest issues I had with backups tools:

- inability to prune old data from a repo because the storage is full (restic problem)
- a not clear documentation about integrity check: there are repository checks and data check, the former is quick because it just validates metadata while the other requires validating the whole repository data.

@videlft @solenepercent I did not test the backup yet, but it seemed usable, in contrary to LineageOS in which I never figured how to use backups

@farooqkz the security features are named pledge and unveil, the first restricts system calls the process can do, the latter restricts filesystem access.

Chromium and Firefox received both on OpenBSD, they are limited in term of system calls (not really visible for the end user), but also in term of filesystem, they can write in the directory ~/Downloads/ and read a ton of other directories useful for the runtime (settings, fonts, shared libraries etc...), nothing more.

FreeBSD has an equivalent named capsicum but they did not implement it into web browsers (checked a few months ago).

Linux has sandboxing using multiple methods:

- web browsers installed with snap or flatpak are sandboxed
- web browsers started with firejail are sandboxed

@pitrh I think what @gyptazy meant, if I understood, was that it's easy to add someone's server to the ban list by filling a form sending an email to your honeypot address, through a registration form on a web service for instance

@pitrh when do you remove an entry from the blocklist? If an entry was due to a server being hacked, and it has been freshly assigned to a new customer inheriting the IP, how should that person proceed to not be blocked?

Also, a note about logs, due to GDPR it may not be legal to keep emails logs more than 2 or 3 years 😅 , but I'm not an expert and different laws of countries or EU often collide. It's still something to think about though.

@mrmasterkeyboard @cova my favorite are circular dependencies issues, especially between harfbuzz and freetype 🙀 😱

@mrmasterkeyboard @cova my only joy using Gentoo is watching genlop and ccache during an emerge update :flan_hacker:

@joel VictoriaMetrics works really well

Retention by default is pretty low, this can be configured on the command line parameter of the service (using rcctl set victoriametrics flags), everything is configured as flags in VM

@jan this may be more work at first, but if you get the package upstream in the ports tree, this will be less work for releases and upgrades

@jan this will be a real improvement for OpenBSD security if you were able to get wazuh to work, and provide a package to the ports tree :flan_thumbs:

No EDR on OpenBSD is a real bummer when someone wants to deploy it in corporation.

@jan there are no working EDR on OpenBSD, been there :flan_aw:

@Doomed_Daniel @morgant @pthane @matthew the best is to have choice for 2nd factor

@pthane @solene @matthew I've only occasionally run into issues with my business email address not being accepted in online accounts/stores. So far, it's always been because my domain doesn't use a historical core gTLD (`.tech`, in my case). Similarly, I have enough email accounts that I can use one that I prefer less, if necessary, but annoying to troubleshoot.

@raspbeguy Super green :flan_thumbs:

With Qubes OS, malwares do not come and go as they please using a multi-pass (5th element reference)

#qubesos #qubes