Trainguyrom

@Trainguyrom@reddthat.com


Trainguyrom ,

It really sounds like you need to dive into firewall rules. Generally you lean on your firewall to allow and restrict access to services. Probably the easiest place to start is to set up pfsense/opnsense since it has a really clean interface for setting up rules. Proxmox's built-in firewall is nice too, but configuring the firewall per VM would probably get annoying and difficult after a while

And as you learn more about firewalls, learning how subnetting works will allow for more efficient rules (for example, if you have 192.168.0.0/23, 192.168.2.0/24 and 192.168.3.0/24 for your networks that you're allowing traffic to/from, you can just enter one firewall rule for 192.168.0.0/22 rather than 3 separate rules)
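The aggregation in the comment above, worked through in code (an added example, not code from the thread): `summarise()` merges an allow-list into the fewest exact CIDR blocks, and `extra_addresses()` flags what a hand-picked supernet would permit beyond the intended networks, which is the mistake to watch for when collapsing rules. The function names and the second, gappy allow-list are constructed for the demo.

```python
"""Summarise a CIDR allow-list and check a supernet for over-permissiveness."""
import ipaddress
from typing import Iterable, List


def summarise(networks: Iterable[str]) -> List[str]:
    """Collapse adjacent/overlapping networks into the fewest exact supernets.

    collapse_addresses() only merges blocks whose union is itself one CIDR
    block, so the result permits exactly the same addresses as the input.
    """
    nets = [ipaddress.ip_network(n) for n in networks]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def extra_addresses(networks: Iterable[str], supernet: str) -> List[str]:
    """Return the ranges a hand-written supernet permits that are NOT in the
    intended networks. An empty list means the supernet is an exact match."""
    wanted = [ipaddress.ip_network(n) for n in networks]
    leftover = [ipaddress.ip_network(supernet)]
    for w in wanted:
        nxt = []
        for chunk in leftover:
            if w.subnet_of(chunk):
                # carve the wanted block out of this chunk (yields nothing if equal)
                nxt.extend(chunk.address_exclude(w))
            elif chunk.subnet_of(w):
                continue  # chunk fully covered by a wanted block: drop it
            else:
                nxt.append(chunk)  # CIDR blocks either nest or are disjoint
        leftover = nxt
    return [str(n) for n in ipaddress.collapse_addresses(leftover)]


if __name__ == "__main__":
    # The three networks from the comment above.
    allow = ["192.168.0.0/23", "192.168.2.0/24", "192.168.3.0/24"]
    print(summarise(allow))                          # ['192.168.0.0/22']
    print(extra_addresses(allow, "192.168.0.0/22"))  # [] -> safe to use the /22

    # Constructed allow-list with a gap: a /22 would silently permit two extra /24s.
    gappy = ["192.168.0.0/24", "192.168.3.0/24"]
    print(summarise(gappy))                          # stays as two rules
    print(extra_addresses(gappy, "192.168.0.0/22"))  # ['192.168.1.0/24', '192.168.2.0/24']
```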

Trainguyrom , (edited )

So from my experience you generally will have different zones of security. Outside Internet is obviously entirely untrusted so block every incoming connection except those you really need, and even then ideally all remain blocked (especially for a home network). Then you generally have your guest network which might need access to some hosted resources but is largely just used by guests to connect to the internet, next is your client network where your computer likely lives which probably gets access to all hosted resources but no management access (or depending on how much you want to trust your primary PC, limit that to just your main PC) and finally your datacenter network where you hopefully trust everything running in there.

You generally work with these zones and write rules based on the zone the traffic is coming from, with some exceptions, such as I might not want to give the guest network any access to my data center network, except for access to my jellyfin so I'll create a rule allowing only tcp web traffic from that network to a specific port on a specific IP/hostname.

A common way to achieve this is with a DMZ network, a network that sits between all of your networks and relies heavily on routing and firewalls. Public services and routers get IP addresses on the DMZ, and your firewall only allows specific paths. The outside Internet can open connections to the web ports of the web server and nothing else, the web server can't open connections to your other networks, only specific machines/networks are allowed to access the SSH port of the web server, etc. The DMZ is where trusted and untrusted connections mix, hence why it's named after the zone that belongs to both North and South Korea where both are allowed but also neither are allowed, where one only goes with specific purpose and explicit permission

I was a bit hesitant to do firewall rules based off of IP addresses, as a compromised host could change its IP address

Realistically any identifier you can write firewall rules based off of can be forged in some way. A rogue machine can change its hostname, IP address and MAC address (and many do randomize their MAC address these days). In enterprises this is generally mitigated through limiting a network to only Ethernet access or via 802.1X authentication on WiFi and potentially even Ethernet. (You can also take the approach of MAC address whitelists, and some switches even allow for "sticky" MAC addresses where the first MAC address that connects is whitelisted until either the switch is rebooted or an administrator explicitly clears/allows the MAC address)

However, if each host is on its own VLAN, then I could add a firewall rule to only allow through the 1 “legitimate” IP per VLAN

You could go crazy and do everything at L3 (which your idea is basically doing but with extra steps) but that sounds like far more effort than it's worth, since now you're making every client also act as a router, and you lose a ton of efficiency both in configuration and in routing & switching, plus you've now changed the type of threats you're vulnerable to.

Generally in the enterprise, risks like what you're trying to mitigate are handled through reporting. An automated alert email is sent when a new device connects to a network that should never have new devices connect to it, then you kill the connection and verify with the team if that was any of them and investigate if it wasn't.

Realistically as a home network your threat model is automated scripts and maybe a script kiddie trying to get in. You really just need higher than average security to mitigate such a threat model (and average security is a shit show)

I feel like I may have to allow a couple CT/VMs to communicate without going through the firewall simply for performance reasons. Has that ever been a concern for you?

Security is always a trade-off of convenience and speed. You have to decide what is an acceptable compromise between security and efficiency

Generally anything virtual when you aren't sure what to do, you should look at what the physical solution would be. For example, network storage is very bandwidth intensive, latency sensitive and security intensive. This is usually secured at the physical level as a separate network with no routers so that most security can be disabled. So at the virtual level these would be tackled with a separate virtual network connected to a second interface, and firewall rules on other interfaces to disallow incoming and outgoing connections to the storage network

Edit: I just realized I never answered your first question. In short, from what I've seen most enterprises put one firewall from a vendor like Fortinet, Zscaler, Palo Alto, etc. right on the edge of the network closest to the internet then either entirely rely on that for firewall or rely on that for firewalling off the outside Internet then do additional firewalling with a different tool inside the network. For example, a bank I worked at had a pair of redundant L3 switches (Nexus N9ks specifically) which handled all of the routing for all of the bank's networks, and connected between those and the internet was the Fortinet box which was managed by an outside vendor and while I was there as part of hardening ahead of a scheduled red team audit we setup firewall rules (I'm blanking on the Cisco term for it, but they're ultimately just firewall rules) on the L3 switches to limit access to more sensitive networks and services
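The zone model and DMZ paths from the comment above, expressed as an ordered, default-deny policy that classifies each connection attempt by the zone of its source and destination (an added example, not code from the thread or from pfSense/OPNsense/Proxmox). The subnets, the Jellyfin and web server addresses, the "main PC" management host and the port numbers are all constructed for the demo; a real product's rule fields will be named differently.

```python
"""Zone-based firewall policy: classify by zone, first matching allow rule wins, else deny."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, FrozenSet

# Constructed addressing plan, one subnet per zone plus the DMZ.
ZONES = {
    "guest":      ipaddress.ip_network("192.168.10.0/24"),
    "clients":    ipaddress.ip_network("192.168.20.0/24"),
    "datacenter": ipaddress.ip_network("192.168.30.0/24"),
    "dmz":        ipaddress.ip_network("192.168.40.0/24"),
}
JELLYFIN = "192.168.30.10"    # constructed; 8096 below is Jellyfin's default HTTP port
WEB_SERVER = "192.168.40.10"  # constructed public web server, lives in the DMZ
MGMT_HOST = "192.168.20.5"    # constructed "main PC" allowed to SSH into the DMZ


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside our ranges is the untrusted Internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: Optional[str] = None               # None = any protocol
    dports: Optional[FrozenSet[int]] = None   # None = any destination port
    src_host: Optional[str] = None            # pin the rule to one source address
    dst_host: Optional[str] = None            # pin the rule to one destination address

    def matches(self, src: str, dst: str, proto: str, dport: int) -> bool:
        return (zone_of(src) == self.src_zone
                and zone_of(dst) == self.dst_zone
                and (self.proto is None or self.proto == proto)
                and (self.dports is None or dport in self.dports)
                and (self.src_host is None or src == self.src_host)
                and (self.dst_host is None or dst == self.dst_host))


# Rules model who may OPEN a connection; a stateful firewall admits the replies.
# No rule lets the DMZ initiate anything, so a compromised web server is boxed in.
POLICY = [
    Rule("internet", "dmz", "tcp", frozenset({80, 443}), dst_host=WEB_SERVER),
    Rule("clients", "dmz", "tcp", frozenset({22}), src_host=MGMT_HOST, dst_host=WEB_SERVER),
    Rule("guest", "datacenter", "tcp", frozenset({8096}), dst_host=JELLYFIN),
    Rule("clients", "datacenter"),            # clients reach all hosted resources
    Rule("guest", "internet"),
    Rule("clients", "internet"),
    Rule("datacenter", "internet"),
]


def is_allowed(src: str, dst: str, proto: str, dport: int) -> bool:
    """First matching allow rule wins; no match means the connection is dropped."""
    return any(rule.matches(src, dst, proto, dport) for rule in POLICY)


if __name__ == "__main__":
    checks = [
        ("203.0.113.7", WEB_SERVER, "tcp", 443),   # Internet -> web port: allowed
        ("203.0.113.7", WEB_SERVER, "tcp", 22),    # Internet -> SSH: denied
        (WEB_SERVER, JELLYFIN, "tcp", 8096),       # DMZ -> datacenter: denied
        (MGMT_HOST, WEB_SERVER, "tcp", 22),        # main PC -> SSH: allowed
        ("192.168.20.77", WEB_SERVER, "tcp", 22),  # other client -> SSH: denied
        ("192.168.10.50", JELLYFIN, "tcp", 8096),  # guest -> Jellyfin only: allowed
        ("192.168.10.50", "192.168.30.11", "tcp", 8096),  # guest -> other DC host: denied
    ]
    for src, dst, proto, port in checks:
        verdict = "ALLOW" if is_allowed(src, dst, proto, port) else "DENY "
        print(f"{verdict} {zone_of(src):10} {src:>15} -> {zone_of(dst):10} {dst}:{port}/{proto}")
```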

Trainguyrom ,

No problem! I'm just an information sponge and I've lucked out with really good mentors so far in my career to learn from

Trainguyrom ,

abandoning semiconductor technologies and making computers out of simpler parts

I remember reading an article a while back about basically computing using cards which block or allow light to flow as a series of logic gates. Another way to think of it is reinventing the punch card.

Trainguyrom ,

I interned at a bank and they do a credit check as a standard step for hiring someone. I also overheard HR at that bank talking about how they should stop running credit checks before hiring people because they can't use the info from that for anything and it just costs money to run the credit check

Trainguyrom ,

I feel like with the direction of fire that's more of a penis than a gun. I'm on board let's do it!

Trainguyrom ,

This requires a lot of concrete. A more economical solution would be to just move the volcano elsewhere. Plus then you can sell all of the new real estate where the volcano once stood!

Trainguyrom ,

I wouldn’t be surprised if one day we’re building megastructures around volcanos specifically to manage them instead of being subject to them.

Brings new meaning to "geothermal energy"

maegul , to Fediverse
@maegul@hachyderm.io

Nice demonstration of why mastodon's dominance is problematic

See the conversions here:
https://github.com/LemmyNet/lemmy/pull/4628
and
https://socialhub.activitypub.rocks/t/federating-the-content-of-posts-note-articles-and-character-limits/4087

AFAICT, mastodon's decisions, which are arguably problematic (on which see: https://lemmy.ml/post/14973403) are literally trickling down to other platforms and infecting how they federate with each other as they dance around mastodon's quirks in different ways.

It seems like masto is ruining "the standard" with its gravity.


@fediverse

Trainguyrom ,

Maybe I'm just not awake enough but I'm not entirely following exactly what's going on. Can you give me a quick summary?

Trainguyrom ,

Oh so it's a compatibility triangle of C being compatible with A makes it incompatible with B? Sounds like a mess for sure

Trainguyrom ,

I think "quiet quitting" specifically refers to a sliding of your norms that remain within the outlined KPIs. For example, if you usually respond to requests within the hour and the organizational requirement is within 1 business day, starting to not respond to requests until they've sat for several hours without any actual change to your workload would be very noticeable, but ultimately it's still well within the required timeframe

Trainguyrom ,

I went back to college in 2021 hoping to ride the recession recovery up with a new degree, got a 2 year Networking degree and I caught the tail end of the Great Resignation and snagged a pretty good job immediately after graduation.

I highly recommend going back whenever you feel up for it. Going into it when you're even just a few years older means you can better appreciate the opportunities available to you, plus it's a chance to do things you might not otherwise have done. For example, I stumbled into joining student government, and that was a blast traveling all over to visit other colleges for legislative meetings on the college's dime. I made several friends and generally came out a better person

You could even do the crazy thing I did which is going back even though you really should wait, because my wife was pregnant! I started a semester the day after we returned from the hospital after my youngest child's birth. I'm...not doing that again haha

Trainguyrom ,

If I remember correctly at the time powers that be kept standing in the way of her presenting this tech to the military purely based on her gender

Trainguyrom OP ,

4th gen intel i5s, 8GB of RAM and 256GB SSDs, so not terrible for a basic Windows desktop even today (except of course for the fact that no supported Windows desktop operating system will officially support these systems come Q4 2025)

But don't get your hopes up, when I've bid on auctions like this before the lots have gone for closer to $80 per computer, so I was genuinely surprised I could win with such a low bid. Also every state has entirely different auction setups. When I've looked into it in the past, some just dump everything to a third party auction, some only do an in-person auction annually at a central auction house, and some have a snazzy dedicated auction site. Oh and because it's the US, states do it differently from the federal government. So it might take some research and digging around to find the most convenient option for wherever you are (which could just be making a friend in an IT department somewhere that will let you dumpster dive)

Trainguyrom OP ,

From the listing photos these actually have half-height expansion slots! So GPU options are practically nonexistent, but networking and storage is blown wide open for options compared to the miniPCs that are more prevalent now.

Trainguyrom OP ,

The thought did cross my mind to run Linpack and see where I fall on the Top500 (or the Top500 of 2000 for example for a more fair comparison haha)

Trainguyrom OP ,

This is pretty high on the to-do list. I plan on virtualizing a bunch of it, but it would be pretty easy to have one desktop hosting each subnet of client PCs and one hosting the datacenter subnet. Having several hosts to physically network means less time spent verifying the virtual networks work as intended.

Also playing with different deployment tools is a goal too. Having 2-3 nearly-identical systems should be really useful for creating unified Windows images for deployment testing

Trainguyrom OP ,

I think you're not giving 4th gen enough credit. My wife's soon-to-be-upgraded desktop is built on a 4th gen i5 platform, and it generally does the job to a decent level. I was rocking a 4790k and GTX970 until 2022, and my work computer in 2022 was on an even older i5-2500 (more held back by the spinning hard drive than anything. Obviously not a great job, but I found something much better in 2022) my last ewaste desktop-turned-server was powered by an i5-6500 (which is a few percentage points better performance than the 4th gen equivalent) and I have a laptop I use for web browsing and media consumption that's got a 6700HQ in it.

I've already got a few people tentatively interested, and I honestly accepted the possibility of having to pay to recycle them later on. Should be a fun series of projects to be had with this pallet of not-quite-ewaste

Trainguyrom OP ,

State government, and it says they come with SSDs. They came from a school so presumably they're from a lab or are upgraded staff PCs, both would be pretty low sensitivity. Maybe I'll learn the final test answers for Algebra 1 at worst!

Might be fun to do some forensic data recovery and see if anything was missed though

Trainguyrom OP , (edited )

12 cents per kilowatt-hour. I certainly don't plan on leaving more than a couple on long term. I might get lucky with the weather and need the heating though :)

Trainguyrom OP ,

Although he’d also need 25 monitors lol

Back to the government auctions then!

Trainguyrom OP ,

I won't be leaving all of them on for long at all. I've got a few basically unused 15A electrical circuits in the unfinished basement (can see the wires and visually trace the entire runs) I'll probably only run all 25 long enough to run a linpack benchmark and maybe run some kind of AI model on the distributed compute then start getting rid of at least half of them

Trainguyrom OP ,

I already said in the original post I plan on selling off and giving away ~15 of them, keeping a few as spares, and only actually leaving one on 24/7

bare metal machines which take IP addresses, against just running it in VM’s which have IP addresses

Both bare metal and VMs require IPs, it's just about what networks you toss them on. Thanks to NAT IPs are free and there's about 18 million of them to pick from in just the private IPv4 space

Big reason for bare metal for clustering is it takes the guess work out of virtual networking since there's physical cables to trace. I don't have to guess if a given virtual network has an L3 device that the virtual network helpfully added or is all L2, I can see the blinky lights for an estimate as to how much activity is going on on the network, and I can physically degrade a connection if I want to simulate an unreliable connection to a remote site. I can yank the power on a physical machine to simulate a power/host failure, you have to hope the virtual host actually yanks the virtual power and doesn't do some pre-shutdown stuff before killing the VM to protect you from yourself. Sure you can ultimately do all of this virtually, but having a few physical machines in the mix takes the guesswork out of it and makes your labbing more "real world"

I also want to invest the time and money into doing some real clustering technologies kinda close to right. Ever since I ran a ceph cluster in college on DDR2 era hardware over gigabit links I've been curious to see what level of investment is needed to make ceph perform reasonably, and how ceph compares to say glusterFS for example. I also want to setup an OpenShift cluster to play with and that calls for about 5 4-8 core 32GB RAM machines as a minimum (which happens to be the maximum hardware config of these machines). Similar with Harvester HCI

It just takes a lot of extra power and doesn’t achieve much

I just plan on running all of them just long enough to get some benchmark porn then starting to sell them off. Most won't even be plugged in for more than a few hours before I sell them off

there is no real reason to do this and I don’t understand so many people hyping it up.

Because it's fun? I got 25 computers for a bit more than the price of one (based on current eBay pricing). Why not do some stupid silly stuff while I have all of them? Why have an actual reason beyond "because I can!"

25 PC’s does seem slightly overkill. I can imagine 3-5 max.

25 computers is definitely overkill, but the auction wasn't for 6 computers it was for 25 of them. And again, I seriously expected to be out of and the winning bid to be over a grand. I didn't expect to get 25 computers for about the price of one. But now I have them so I'm gonna play with them

Trainguyrom , (edited )

From an admin perspective one of the best things to lab out is setting up a standard SMB server stack, which is 2x domain controllers, 2x DHCP servers, a file server, and a couple of desktop VMs, then practice setting it up to be nicely locked down like in a standard corporate environment. For example:

  • redirect user directories to the file server and set permissions so only the user, admins and departmental managers can access files
  • setup departmental directories on the share with departmental and managerial permissions
  • setup group policies to lock down the desktops so that users just get a standard experience

But also make sure to set this up both in Windows Server with the full "Desktop Experience" as well as on Windows Server Core, and try to do so while following best practices with redundancy, network segmentation, etc. you could even get fancy and setup a remote site with redundant servers and replication to the remote site as well to experiment with how that works.

Then of course, once you have your virtual SMB network setup, try to break it. Fill up some of the VMs so it's out of disk space, corrupt one of the VMs and try to recover it, power off the servers when you shouldn't, cut some important virtual Ethernet connections and leave them severed for a while, or degrade the virtual ethernet connection and see what happens, delete the only domain controller and see what the best path to business continuity is, etc.

This covers a lot of the tickets and critical failures you'll see on a standard SMB network and will give you a good amount of exposure to a lot of what you'll work with in the "real world"

Trainguyrom ,

A real world cursed config a friend who works at an MSP told me about is a domain controller with HyperV set up on it. You read that right, the DC is on the HyperV host. Apparently they've been wanting to fix it for a few years but haven't gotten the go ahead on the hours or downtime to fix it

Trainguyrom ,

Powershell remoting is still a pain in my ass in most places, I rarely use it.

So the big thing with remote Powershell sessions is that you can't hop around like you can with SSH, but it's super useful when troubleshooting complaints of frozen/misbehaving systems with less resource needs than rdp

Trainguyrom ,

If somebody told me five years ago about Adversarial Prompt Attacks I'd tell them they're horribly misled and don't understand how computers work, but yet here we are, and folks are using social engineering to get AI models to do things they aren't supposed to

Trainguyrom ,

Never feed the trolls, the only winning move is to downvote and move on

A counter-philosophy I subscribe to is call out the BS but don't go back and forth. If you let the trolls be this can bring more trolls. Call out the bad behavior and move on so it isn't accepted but they also don't get the satisfaction of engaging in an argument.

Trainguyrom , (edited )

holy cow I never knew that existed. I gave the first 5 minutes a watch and it's wild how they tried to turn snarky novels dripping with thinly veiled social commentary into a children's television special

Edit: ended up watching the whole thing. I'm not sure who the target audience was, but I certainly enjoyed it, 90s budget animated film warts and all

Trainguyrom ,

I've been using bing at work and it's surprisingly good. It's got tracking and ads and crap but it's really more like Google was a few years ago than anything

Trainguyrom ,

My wife only went because I was hellbent on seeing the eclipse at totality (we saw the last October's eclipse and 2017 both from around 90% coverage). Afterwards she said "the Grand canyon ain't got shit on a solar eclipse" and we are both still in shock for how amazing of an experience it was.

The wonky colors as day slowly turned to night, the sudden whooshing shadow as totality began, the burning ring of fire in the sky then the light whooshing back as totality ended, the cacophony of yelps by folks too slow to put their eclipse glasses back on. It was a hell of an experience

Should I date now if I have to move in a few months to a place that is hours away by car and would likely have more potential suitors?

Please be kind as this topic is a pain point for me. I'm feeling the pressure of finding my significant other because I'm at an age where it seems like everyone in my social media feed is getting engaged, married, or having kids. The issue is I have a huge transition coming up and will have to move in a few months to a place...

Trainguyrom ,

So a potential way to approach this, could you seek out a relationship that you plan on ending around when you move? That could push you to date someone you might not otherwise or do things you might not otherwise which could be a good experience and potentially expand your palette. Really depends on your experience and "skill" with dating, but some food for thought at least

I did something similar when I went back to college, I decided to focus hard on trying new things and meeting new people and generally forced myself to be far more social than I would otherwise be comfortable being and through that process I became a much better version of myself

Trainguyrom ,

I have a degree in IT and have to compete with people more experienced than me for jobs that pay a dollar or two an hour more than retail jobs

In my experience the places paying barely more than retail wages are not hiring people with extensive resumes but mostly hiring people straight out of college. Places paying ~$20+ are where you're probably competing with more experienced folks

Make sure you're on LinkedIn, and also don't discount uploading your resume to Indeed and marking yourself as looking for work on both. For as long as I've been working in the industry I've had recruiters contacting me on both platforms with various opportunities for contracts and employment.

Also work with your college/university and your instructors to be referred for openings. Often employers will reach out to colleges with IT programs when there's openings in IT

Trainguyrom ,

Having a degree that might not necessarily be relevant to the job does suggest to an employer that you have the ability to complete tasks as assigned to a satisfactory degree and generally indicates some amount of communication, problem solving and other soft skills.

Also technical colleges and community colleges exist. You can spend a lot less than 200k getting a degree

Trainguyrom ,

So for a related fun fact, did you know they used to do this by train?

The Pullman Company built this wooden car for the Wisconsin Fish Commission as “Badger #2” in September 1913. It was designed with a steel underframe and fitted with steel tanks to carry fish to remote locations around the state to restock streams and rivers. The car would be stopped on a bridge and the tanks emptied into the water below.

Trainguyrom ,

I worked at a bank a couple of years ago and we had a little team building outing to the local golf course. I had way more fun than I expected, and if someone invited me to join them golfing I'd certainly go again, but I'm not sure I'd go on my own

Trainguyrom ,

Last I did it you have to press a key combination to open a terminal and run a couple of commands at the right stage of the wizard to do so

Trainguyrom ,

Windows 7's control panel is better than whatever the heck Microsoft is doing with 10/11 (for one thing it actually worked for changing settings) but holy crap was it a horrible UI

Trainguyrom ,

Can you get away with just installing it and telling him it's the new windows?

Trainguyrom ,

Oh I was talking specifically about the Control Panel being terrible

Trainguyrom ,

But even then it was always too long hunting for the right thing within Control Panel after the extra click to make it easier to find the setting you needed. That's my point. Compare that to your phone, or honestly even Windows 10's new settings menu if it actually consistently worked for changing settings

Trainguyrom ,

I want to post to some of the niche hobby communities but I'm not currently active in said hobby so I don't have anything to contribute

Trainguyrom ,

Unciv is pretty cool but the simplified tiles and buttons can make me feeling a little lost and feel like I'm missing stuff at times

Trainguyrom ,

OpenTTD is awesome, especially when you dive into the NewGRFs (mod content)

Simutrans is also pretty cool. Similar game but definitely makes some different choices that make it play differently and has some nice features that will probably never make it into OpenTTD

Trainguyrom ,

Wait there's addon tracks?!

Trainguyrom ,

There was a fork a while back which changed the board into hexagons but I don't think that fork has been maintained for quite some time, and their build pipeline is hopelessly broken so you'll have to roll your sleeves up and compile your own from source with a lot of dependency chasing/substituting
