[HN Gopher] OpenBSD Virtualization: Host and Guests on the Same ...
___________________________________________________________________
OpenBSD Virtualization: Host and Guests on the Same Network
Author : hucste
Score : 43 points
Date : 2021-07-24 13:32 UTC (9 hours ago)
(HTM) web link (doc.huc.fr.eu.org)
(TXT) w3m dump (doc.huc.fr.eu.org)
| mthld wrote:
| I believe the website must be hosted on a home server on some
| shelf somewhere. I still can't reach the page, timeouts!
| southerntofu wrote:
| Works here. Also, I'm glad it's self-hosted and not some
| CloudFlare anti-privacy junk.
|
| In case it's down again, feel free to use the Internet archive:
| https://web.archive.org/web/20210724134023/https://doc.huc.f...
| jmnicolas wrote:
| > CloudFlare anti-privacy junk
|
| Do you care to explain? (honest question)
| fearfulofview4 wrote:
| It's intrusive. It's paternalistic. It's not discreet about
| being a man in the middle.
| southerntofu wrote:
| There are two _main_ answers. The first one is that
| CloudFlare reduces overall security by acting as a
| universal Man-in-the-Middle that terminates TLS connections
| to inspect all traffic, so for any website using CloudFlare,
| CloudFlare will be able to see all your traffic.
|
| The second problem is that they use their privileged
| position to actively block privacy-conscious users/networks
| as well as homegrown scrapers. Being able to browse and
| archive the web freely is a fundamental property of the
| WWW, and a single corporation deciding who gets in (Google
| & friends) and who doesn't (the rest of us) is a huge
| problem, whether you approach it from a "human rights"
| perspective, or a "free competition" perspective.
|
| Website owners who go through CloudFlare are asking a
| private corporation to strip search anyone who wants to
| reach their doorbell/mailbox. Would you accept that in your
| neighborhood? If not, why do we accept it online?
|
| CloudFlare forces people to enable JavaScript, or you just
| can't get in. This means that people who don't use a modern
| reputable browser (based on Firefox or Chrome) are often
| left out (CLI browsers, homegrown browsers, etc). While
| people who are conscious about security who disable JS for
| this reason (see for example rowhammer.js as one of the
| many reasons why running untrusted code from the internet
| is the worst idea ever) are also left out. While users who
| have JS but in a privacy-friendly browser which prevents
| fingerprinting, such as the Tor Browser, will be placed on
| infinite CAPTCHA loops. I've personally spent over an hour
| once stuck on a CAPTCHA that i really needed to go through.
|
| Their argument for treating Tor users (and VPN users, etc)
| badly is that there is a lot of malicious traffic coming
| from there. However such arguments don't hold scrutiny as
| most attackers have resources a lot of IP addresses, and
| there's an entire gray/black hat industry of "residential
| VPNs" to acquire more for a few bucks. Moreover, as they
| are already terminating the TLS connection on their side to
| inspect the traffic, it would be rather straightforward
| (given a few false positives that could be reported) to
| block out known attacks and suspicious traffic, while
| letting obviously innocent requests pass through.
|
| All in all, CloudFlare is not 100% empire of evil and
| there's a lot of good folks "just doing their job" there
| who even like privacy in theory. But in practice, they are
| reinforcing what we privacy activists fight against:
| centralized surveillance infrastructure and privatization
| of public information.
|
| See also:
|
| https://blog.torproject.org/trouble-cloudflare <-- Tor
| project debunking most of CloudFlare's claims
| https://pbs.twimg.com/media/C3-GC62XAAAVbYy.jpg <-- people
| so annoyed at CloudFlare blocking privacy activists that
| they actually made Fuck CloudFlare stickers that they
| distributed at free-software conferences (my laptop
| wouldn't be the same without it)
| hucste wrote:
| Yes, it's on a home server. I'm on an ADSL link.
|
| OR, maybe, you're blocked by Geoghegan's pf-badhost rules for
| PF. Or by personal rules, if you act as a villain and get
| detected by a few "details". Maybe...
|
| (I am not saying that this is necessarily your case)
| rubyfan wrote:
| same
| sgt wrote:
| I love how neat config files generally are on the BSDs. It's
| all so transparent and easy to tinker with. Sadly I have not used
| OpenBSD in probably 2 decades, but I fondly remember using it for
| my first office job in around 2000. I used it as my desktop OS
| while the servers all ran Solaris.
| gigatexal wrote:
| yeah truly a breath of fresh air -- I like that the BSDs exist
| as a haven for those of us burnt out from all the complexity
| that is modern Linux.
| bitwize wrote:
| Linux doesn't have to be complicated, even today. Slackware
| and Void are BSD-like in their configuration simplicity. But
| I appreciate the BSDs being there... especially since they
| have code bases that are squeaky clean and thoroughly
| documented, at least by Linux and GNU standards.
| gigatexal wrote:
| well there was that one big black eye with FBSD code
| quality with that whole wireguard fiasco... something about
| a rush job paid for by the Netgate folks
| gigatexal wrote:
| I've been meaning to look into non-systemd distros --
| assuming you're putting Slackware and Void up as examples
| of that -- how do things like Docker or others that seem to
| require systemd cope?
| bitwize wrote:
| Docker runs just fine on my Alpine box. You just have to
| ensure dockerd is started upon startup.
|
| I don't faff about with GNOME or any of that, so if you
| want to run GNOME you may be out of luck. GNOME can be
| built without systemd dependencies, but it's probably a
| PITA, especially on Linux.
| hucste wrote:
| Tips to virtualize serenely under OpenBSD with vmd, where host
| and guest(s) are part of the same network!
___________________________________________________________________
(page generated 2021-07-24 23:00 UTC)