Re: How do I connect my new wifi router (Mi Router 4C)?

2023-10-25 Thread Max Nikulin

On 26/10/2023 02:20, Martin wrote:
> On Wed, Oct 25, 2023 at 07:33:52PM +0700, Max Nikulin wrote:
> > should have something like
> >
> > table ip sharedconnection {
> >   chain postrouting {
> >     type nat hook postrouting priority srcnat; policy accept;
> >     ip saddr 192.168.231.3/24 ip daddr != 192.168.231.3/24 masquerade
> >   }
> > }
>
> I did not add any masquerading rules by myself and output of command
> 'nft list ruleset' is shown below. It does not have anything like you
> showed in section 'table ip sharedconnection'.


"sharedconnection" is an arbitrary name. It should be chosen to not 
conflict with other applications. Actually you have nat masquerading 
rules created by docker for other interfaces. Read 
/usr/share/doc/nftables/README.Debian and choose a way to add rules that
is convenient for you. You may add the following heading and may save rules
to a file that may be read by either "nft -f FILE.conf" or by just
executing it.


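#!/usr/sbin/nft -f
# Create the table if it is missing, then empty it, so that re-running
# this file replaces the rules instead of appending duplicates.
table ip sharedconnection {}
flush table ip sharedconnection
# table ip sharedconnection { ... } from above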

---

Upstream WiFi router does not know that packets addressed to
192.168.231.5 (mi router) should be sent to your computer
(192.168.0.16), so your computer should make the upstream router believe
that all packets from your phone originate from 192.168.0.16.




Re: Domain name to use on home networks

2023-10-25 Thread Stefan Monnier
>> It's just such a shame that they chose a name which refers to "arpa"
>> in it, which is not only US-centric but even belongs to the US's war
>> department
>
> It belongs to the Internet Architecture Board and is administered by
> IANA which is why they chose it. It stands for "Address and Routing
> Parameter Area".

But that's a "backronym".
It originally referred to the US agency.
I totally understand the technical reasons why they decided to stick to
this naming, but it's still grating.


Stefan



Re: Domain name to use on home networks

2023-10-25 Thread John Hasler
Stefan writes:
> It's just such a shame that they chose a name which refers to "arpa"
> in it, which is not only US-centric but even belongs to the US's war
> department

It belongs to the Internet Architecture Board and is administered by
IANA which is why they chose it. It stands for "Address and Routing
Parameter Area".

-- 
John Hasler 
j...@sugarbit.com
Elmwood, WI USA



Re: Domain name to use on home networks

2023-10-25 Thread Stefan Monnier
> If you go with the domain name home.arpa and an IPv4 subnet sliced out
> of one of 192.168.0.0/16, 172.12.0.0/12 or 10.0.0.0/8, you can be
> _almost certain_ that nothing will break because of those choices, now
> _or_ in the future.

100% agreement.

It's just such a shame that they chose a name which refers to "arpa" in
it, which is not only US-centric but even belongs to the US's war
department, which I find rather unpalatable.
I understand ARPA was closely related to the beginnings of the Internet,
but...  couldn't they choose something a bit more neutral?


Stefan



Re: Domain name to use on home networks; was: Bookworm:NetworkManager

2023-10-25 Thread Dan Purgert
On Oct 26, 2023, jeremy ardley wrote:
> 
> On 26/10/23 07:24, David Wright wrote:
> > > Or if you already have a domain, you can use a subdomain. eg. I have
> > > rail.eu.org, and at home it is depot.rail.eu.org
> > I'm not sure how that would work when my home network
> > is on a different continent from my domain's hosting.
> 
> 
> This is no problem aside from DNS.
> 
> You will have DNS records set up for your hosted service with public IP
> addresses. It's quite straightforward to add a subdomain and assign
> non-routable IP addresses to it.
> 
> Downside is it will look odd to an observer, and will leak some info about
> your internal network.
> 
> As an alternative you can still use the same naming convention but not put
> it in the public domain. This will require you to set up your own internal
> DNS service or hosts files and have DNS queries resolved locally without
> going to the external DNS server.

Indeed, split-horizon DNS is quite good for this "problem".


-- 
|_|O|_|
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: DDAB 23FB 19FA 7D85 1CC1  E067 6D65 70E5 4CE7 2860




Re: Domain name to use on home networks; was: Bookworm:NetworkManager

2023-10-25 Thread jeremy ardley



On 26/10/23 07:24, David Wright wrote:
> > Or if you already have a domain, you can use a subdomain. eg. I have
> > rail.eu.org, and at home it is depot.rail.eu.org
> I'm not sure how that would work when my home network
> is on a different continent from my domain's hosting.

This is no problem aside from DNS.

You will have DNS records set up for your hosted service with public IP
addresses. It's quite straightforward to add a subdomain and assign
non-routable IP addresses to it.

Downside is it will look odd to an observer, and will leak some info
about your internal network.

As an alternative you can still use the same naming convention but not
put it in the public domain. This will require you to set up your own
internal DNS service or hosts files and have DNS queries resolved
locally without going to the external DNS server.




Re: A file synchronization tool that respects hardlinks

2023-10-25 Thread David Wright
On Wed 25 Oct 2023 at 07:28:44 (-0600), Charles Curley wrote:
> On Wed, 25 Oct 2023 09:57:19 +0300
> Itay  wrote:
> 
> > Perhaps I will grab the chance to separate private stuff from work
> > stuff :-)
> 
> Indeed! I don't know where you are located, but I will tell you that in
> parts of the US commingling the two can become a legal nightmare. I
> would consider having a separate computer for each.

The same for phones.

Cheers,
David.



Re: Domain name to use on home networks; was: Bookworm:NetworkManager

2023-10-25 Thread David Wright
On Wed 25 Oct 2023 at 08:33:25 (+0200), Erwan David wrote:
> On 25/10/2023 at 03:47, David Wright wrote:
> > On Mon 23 Oct 2023 at 12:06:05 (+0200), Christian Groessler wrote:
> > > On 10/23/23 07:29, Jeffrey Walton wrote:
> > > > On Mon, Oct 23, 2023 at 1:24 AM ghe2001  wrote:
> > > > > How about a /29 or so, named "here.", hosts named 2 or 
> > > > > 3 letter abbreviations of what you call the computers, with 
> > > > > unroutable IPs, DNS'ed in /etc/hosts (with shortcuts).
> > > > Whatever you come up with for , ICANN can add to the
> > > > gTLD namespace; see .
> > > Just register a domain and use that.
> > That costs money, and I can't see the point when there are TLDs
> > that are perfectly safe already available, like .home.arpa, and
> > before that, .{corp,home,mail}.
> > 
> Or if you already have a domain, you can use a subdomain. eg. I have
> rail.eu.org, and at home it is depot.rail.eu.org

I'm not sure how that would work when my home network
is on a different continent from my domain's hosting.

Cheers,
David.



Re: How do I connect my new wifi router (Mi Router 4C)?

2023-10-25 Thread David Wright
On Wed 25 Oct 2023 at 11:04:59 (+0300), Anssi Saari wrote:
> Martin  writes:
> > With wifi antenna I receive a (rather weak) signal that connects my
> > computer to internet. I have to use windsurfer antenna booster
> > (http://members.multiweb.nl/schaaijw/windsurfer_wifi_en.pdf)
> > to get usable signal. So my computer has internet signal from
> > wifi antenna - yay great thing :)
> >
> > Now I also want to connect to internet with my mobile phone!
> 
> You mean you want to use some unspecified wifi signal with your phone
> also? Share the connection to your phone and computer? The link to this
> "windsurfer" doesn't work so it's a little hard to help if you can't
> describe what you have.

I presume what's going on here is that the Internet is provided by
a wifi access point that is distant and inaccessible (say, next door).
The windsurfer is a shaped piece of aluminium foil that pops over the
aerial to make a sort of parabola. Normally, you'd put this over your
modem/router's (external) aerial to increase the signal transmitted to
parts of your house (though it decreases it in the opposite direction).
But I'm guessing that here the windsurfer is on the computer's wifi
aerial, to improve the received signal.

That's why the OP's router (which, again presumably, has no Internet
Service) is connected "backwards", so the computer is the WAN, and
the mobile phone is the sole device on the LAN.

IOW Max's reply represents a string↔of↔connected↔devices rather than
- a
- bullet
- list.

> You have some kind of mysterious internet connection from
> something. That needs to connect to the router's WAN port.

That's how I would cascade two routers: a LAN port on the main
router connects by a plumbed-in Cat5 cable to a port on the
secondary router. The latter port would be the WAN connection,
but that's broken on mine, so I have to connect the cable to
a LAN port. I guess that makes my secondary router a switch?

Cheers,
David.



Re: faillock against brute-force attacks

2023-10-25 Thread Listas
On Wed, 25-10-2023 at 22:07 +0200, Roberto Leon Lopez wrote:
> In Debian 12 the package libpam-modules-bin has the faillock utility
> and its module pam_faillock.so. Reading its man page, it states no
> warning that we can leave the system completely locked for access
> with any account, and that is something that very commonly happens
> when placing the following two lines:
> 
> auth [default=die]  pam_faillock.so authfail
> auth sufficient pam_faillock.so authsucc
> 
> in /etc/pam.d/login or in /etc/pam.d/common-auth.
> 
> Can you give me any recommendation or alternative in this regard?

Well, in principle it should only lock the account that had the failed
login attempts. Also, by default, those accounts are unlocked after
10 minutes. While testing, that value can be lowered in
/etc/security/faillock.conf

Regards
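
Added example, not part of the thread and not code from the PAM project: a shell check that walks the auth lines of a PAM file the way a correct password would and reports whether the authfail line is still evaluated, the ordering under which every login is counted as a failure. It assumes pam_unix.so is the password check and does not follow @include lines; the function names and both sample stacks are constructed for illustration.

```shell
#!/bin/sh
# Added example. Simulates a CORRECT password through the "auth" lines of a
# PAM file read from stdin. pam_faillock(8) expects the authfail line to be
# reached only when the password check failed; if a correct password still
# reaches it, the login is recorded as a failure and denied.
# Simplified model: pam_unix.so is the only password check, "@include" lines
# are not followed, and "success=N" jumps are counted over auth lines only.

check_faillock_stack() {
    awk '
        $1 != "auth" { next }             # other module types and comments
        skip > 0     { skip--; next }     # line jumped over by success=N
        {
            line = $0
            sub(/^auth[ \t]+/, "", line)
            if (substr(line, 1, 1) == "[") {      # bracketed control field
                p = index(line, "]")
                ctl = substr(line, 1, p)
                rest = substr(line, p + 1)
                sub(/^[ \t]+/, "", rest)
            } else {                              # required, sufficient, ...
                match(line, /[ \t]+/)
                ctl = substr(line, 1, RSTART - 1)
                rest = substr(line, RSTART + RLENGTH)
            }
            split(rest, w, /[ \t]+/)
            module = w[1]

            if (module ~ /pam_faillock\.so$/) {
                if (rest ~ /authfail/) {
                    printf "FAIL line %d: authfail is evaluated after a correct password\n", NR
                    bad = 1
                    exit
                }
                # authsucc under "sufficient" ends the stack with success.
                if (rest ~ /authsucc/ && ctl == "sufficient") exit
                next                              # preauth: keep going
            }
            if (module ~ /pam_unix\.so$/) {       # password accepted here
                if (match(ctl, /success=[0-9]+/))
                    skip = substr(ctl, RSTART + 8, RLENGTH - 8) + 0
                else if (ctl == "sufficient")
                    exit                          # stack ends on success
            }
        }
        END {
            if (!bad) print "OK: authfail is not reached after a correct password"
            exit bad
        }'
}

# Constructed sample: the two lines from the post placed ahead of pam_unix.so.
sample_bad_stack() {
    cat <<'EOF'
auth [default=die]  pam_faillock.so authfail
auth sufficient pam_faillock.so authsucc
auth [success=1 default=ignore] pam_unix.so nullok
auth requisite pam_deny.so
auth required pam_permit.so
EOF
}

# Constructed sample: authfail sits behind pam_unix.so and is skipped by
# success=1 when the password is right.
sample_good_stack() {
    cat <<'EOF'
auth required pam_faillock.so preauth
auth [success=1 default=ignore] pam_unix.so nullok
auth [default=die] pam_faillock.so authfail
auth sufficient pam_faillock.so authsucc
auth requisite pam_deny.so
auth required pam_permit.so
EOF
}

sample_bad_stack  | check_faillock_stack || true
sample_good_stack | check_faillock_stack
```

To check a real file, feed it on stdin, for example `check_faillock_stack < /etc/pam.d/common-auth`, and keep a root shell open while changing PAM files.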



Re: How do I connect my new wifi router (Mi Router 4C)?

2023-10-25 Thread Martin
On Wed, Oct 25, 2023 at 02:15:36PM +0200, Marco M. wrote:
> On 25.10.2023 at 13:33:48, Martin wrote:
> 
> > On Wed, Oct 25, 2023 at 08:47:03AM +0200, Marco M. wrote:
> > > 
> > > Why don't you use DHCP like your phone does?  
> > 
> > Because I used this computer before I had WiFi and phone.
> 
> Why is it a problem to change it?
> Do you really want to deal with manually addressing machines?

I only have one computer, and now this new router. Because I only have
one computer I did not feel need to use DHCP to automatically assign me
an IP address.

Martin



faillock against brute-force attacks

2023-10-25 Thread Roberto Leon Lopez
In Debian 12 the package libpam-modules-bin has the faillock utility and its
module pam_faillock.so. Reading its man page, it states no warning that we
can leave the system completely locked for access with any account, and that
is something that very commonly happens when placing the following two lines:

auth [default=die]  pam_faillock.so authfail
auth sufficient pam_faillock.so authsucc

in /etc/pam.d/login or in /etc/pam.d/common-auth.

Can you give me any recommendation or alternative in this regard?


Re: How do I connect my new wifi router (Mi Router 4C)?

2023-10-25 Thread Martin
On Wed, Oct 25, 2023 at 07:33:52PM +0700, Max Nikulin wrote:
> On 25/10/2023 18:24, Martin wrote:
> > On Wed, Oct 25, 2023 at 03:17:09PM +0700, Max Nikulin wrote:
> > > 
> > > So packet forwarding should be enabled on the computer.
> 
> sysctl net.ipv4.ip_forward
> 
> almost certainly enabled since you have the docker0 network interface

You are right, it is enabled:

$ sudo sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1

> I hope, you have a DNS server running on this machine
> 
> host debian.org 192.168.231.3

I did not have dig installed but host worked, alas it showed me that I do
not have installed DNS server. So I installed dnsmasq package and
wonders happened (without me editing any config files - just installing
dnsmasq) - on my mobile phone when I connected to 192.168.31.1 address
(default router address when I look from phone) it showed now green line
from router to internet.

But unfortunately phone does not connect to internet yet. I guess I will
need to issue some 'sudo route' command to add path from my router to
outside world (actually I do not have idea if this is the problem).

> Check that you do not have blocking rules in firewall

I do not use firewall anymore, since I stopped using wired home phone
(dialup modem) to connect to internet with ppp protocol. Since I am now
connected to internet via my weak antenna which is connected to router(A)
and then to internet I know that distant router(A) is protected enough
(after all it uses only local address that I can see 192.168.0.1).

> and that masquerading
> is enabled for your downstream link enp3s0
> 
> nft list ruleset
> 
> should have something like
> 
> table ip sharedconnection {
>   chain postrouting {
>     type nat hook postrouting priority srcnat; policy accept;
>     ip saddr 192.168.231.3/24 ip daddr != 192.168.231.3/24 masquerade
>   }
> }

I did not add any masquerading rules by myself and output of command
'nft list ruleset' is shown below. It does not have anything like you
showed in section 'table ip sharedconnection'. I remember using iptables
command to make firewall and masquerading my computer while I was using
dialup modem internet connection. I do not set up or use any iptables rules
manually anymore.

So this is probably what I need to figure out how to use masquerading
and other firewall rules to enable my new router to connect to outside
internet. (I must admit that I forgot what rules should I use to enable
this setup - so I need your help)

Here is output of 'nft list ruleset' 'iptables -S' and 'iptables -L' command:
(I am not sure they provide different info, but here they are)

Thanks a lot
Martin


$ sudo nft list ruleset
# Warning: table ip nat is managed by iptables-nft, do not touch!
table ip nat {
    chain DOCKER {
        iifname "docker0" counter packets 0 bytes 0 return
        iifname "br-7bfdce95ff27" counter packets 0 bytes 0 return
    }

    chain POSTROUTING {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "wlxe8de27a5ab1c" ip saddr 10.1.1.0/24  counter packets 192 bytes 11818 masquerade
        oifname != "docker0" ip saddr 172.17.0.0/16 counter packets 0 bytes 0 masquerade
        oifname != "br-7bfdce95ff27" ip saddr 172.18.0.0/16 counter packets 0 bytes 0 masquerade
    }

    chain PREROUTING {
        type nat hook prerouting priority dstnat; policy accept;
        fib daddr type local counter packets 7727 bytes 479748 jump DOCKER
    }

    chain OUTPUT {
        type nat hook output priority dstnat; policy accept;
        ip daddr != 127.0.0.0/8 fib daddr type local counter packets 3 bytes 196 jump DOCKER
    }
}
# Warning: table ip filter is managed by iptables-nft, do not touch!
table ip filter {
    chain DOCKER {
    }

    chain DOCKER-ISOLATION-STAGE-1 {
        iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-2
        iifname "br-7bfdce95ff27" oifname != "br-7bfdce95ff27" counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-2
        counter packets 27 bytes 1780 return
    }

    chain DOCKER-ISOLATION-STAGE-2 {
        oifname "docker0" counter packets 0 bytes 0 drop
        oifname "br-7bfdce95ff27" counter packets 0 bytes 0 drop
        counter packets 0 bytes 0 return
    }

    chain FORWARD {
        type filter hook forward priority filter; policy drop;
        counter packets 57740 bytes 51358193 accept
        counter packets 25 bytes 1644 jump DOCKER-USER
        counter packets 25 bytes 1644 jump DOCKER-ISOLATION-STAGE-1
        oifname "docker0" ct state related,established counter packets 0 bytes 0 accept
        oifname "docker0" counter packets 0 bytes 0 jump DOCKER
        iifname "docker0" oifname != "docker0" counter packets 0 

Re: OT: Outlaw cryptominer in a user account

2023-10-25 Thread Paynalton
On Wed, 25 Oct 2023 at 12:35, JavierDebian
() wrote:
>
> Good afternoon.
>
> A couple of years ago I was a victim of Outlaw's
>
> https://www.trendmicro.com/en_us/research/19/f/outlaw-hacking-groups-botnet-observed-spreading-miner-perl-based-backdoor.html
>
> Now, for the past month, with some variant, again.
>
> It gets in through the account of one of my daughters, sneaks into the
> crontab and, unlike the previous one, creates the folder ~/.configrc5;
> before, it did so in ~./.configrc
>
> The solution is as easy as doing, as root,
> # killall -s 9 kswapd0 rsync
> # rm -r /home/hija/.configrc5
>
> and emptying her crontab
> # crontab -u isabella -e
>
> Detecting it is easy: on my desktop it is plain to see that it uses 100%
> of 4 cores without a break.
>
> Now the question:
>
> Does anyone have any idea where the damned worm hides?
>
> Because I have checked EVERYTHING (bashrc and whatever etceteras you can
> think of) and I cannot find a script or anything that launches it.

It could be in the desktop's startup configuration, which is why it
infects at user level.

> And on the WEB, I find nothing new, everything is from 2020/2021.
>
> Regards.
>
> JAP
>



OT: Outlaw cryptominer in a user account

2023-10-25 Thread JavierDebian

Good afternoon.

A couple of years ago I was a victim of Outlaw's

https://www.trendmicro.com/en_us/research/19/f/outlaw-hacking-groups-botnet-observed-spreading-miner-perl-based-backdoor.html

Now, for the past month, with some variant, again.

It gets in through the account of one of my daughters, sneaks into the
crontab and, unlike the previous one, creates the folder ~/.configrc5;
before, it did so in ~./.configrc


The solution is as easy as doing, as root,
# killall -s 9 kswapd0 rsync
# rm -r /home/hija/.configrc5

and emptying her crontab
# crontab -u isabella -e

Detecting it is easy: on my desktop it is plain to see that it uses 100%
of 4 cores without a break.


Now the question:

Does anyone have any idea where the damned worm hides?

Because I have checked EVERYTHING (bashrc and whatever etceteras you can
think of) and I cannot find a script or anything that launches it.

And on the WEB, I find nothing new, everything is from 2020/2021.

Regards.

JAP
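
Added example, not part of the thread: a shell function that lists the per-user places able to relaunch a process after the kill and rm steps above. It covers the crontab and the ~/.configrc* directories named in the post and the desktop autostart location suggested in the reply, and goes beyond the thread with SSH authorized keys, systemd user services and session start-up files. The function names and the Debian crontab path /var/spool/cron/crontabs/USER are assumptions of this example.

```shell
#!/bin/sh
# Added example. Lists per-user persistence points, one finding per line as
# "kind<TAB>source: detail".
# Usage: audit_user_persistence HOME_DIR [CRONTAB_FILE]
# Assumption: on Debian the user crontab is /var/spool/cron/crontabs/USER
# (readable by root only).

tag_lines() {   # prefix each stdin line with "KIND<TAB>SOURCE: "
    awk -v kind="$1" -v src="$2" '{ print kind "\t" src ": " $0 }'
}

audit_user_persistence() {
    home="$1"
    cronfile="${2:-}"

    # 1. Active crontab lines (comments and blank lines dropped).
    if [ -n "$cronfile" ] && [ -r "$cronfile" ]; then
        grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$cronfile" |
            tag_lines cron "$cronfile"
    fi

    # 2. Drop directories of the kind named in the post (~/.configrc5, ...).
    for d in "$home"/.configrc*; do
        [ -d "$d" ] || continue
        printf 'dropdir\t%s\n' "$d"
    done

    # 3. SSH keys: every key listed here can log in as this user again.
    #    Prints the comment field when there is one.
    if [ -r "$home/.ssh/authorized_keys" ]; then
        grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' \
            "$home/.ssh/authorized_keys" |
            awk '{ print (NF >= 3 ? $NF : "(no comment)") }' |
            tag_lines sshkey "$home/.ssh/authorized_keys"
    fi

    # 4. Desktop autostart entries (the location suggested in the reply).
    for f in "$home"/.config/autostart/*.desktop; do
        [ -f "$f" ] || continue
        sed -n 's/^Exec=//p' "$f" | tag_lines autostart "$f"
    done

    # 5. systemd user services.
    for f in "$home"/.config/systemd/user/*.service; do
        [ -f "$f" ] || continue
        sed -n 's/^ExecStart=//p' "$f" | tag_lines systemd-user "$f"
    done

    # 6. Shell and X session start-up files that mention the drop directory
    #    or pipe a download into a shell.
    for n in .bashrc .bash_profile .bash_login .profile .xsessionrc .xprofile; do
        [ -f "$home/$n" ] || continue
        grep -n -E '\.configrc|(curl|wget)[^|]*\|[[:space:]]*(ba)?sh' "$home/$n" |
            tag_lines startup "$home/$n"
    done
    return 0
}

# Run as root, e.g.: sh audit.sh /home/USER /var/spool/cron/crontabs/USER
if [ "$#" -ge 1 ]; then
    audit_user_persistence "$@"
fi
```

Every line printed is something to read and account for before deleting the drop directory again; an unexplained sshkey line means the account's keys and password should be replaced as well.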



Re: Bookworm: NetworkManager

2023-10-25 Thread Max Nikulin

On 22/10/2023 22:46, Lee wrote:
> but /etc/network/interfaces over-rides /etc/NetworkManager - correct? So
> maybe I'm just using dhclient and have no idea if this works for
> NetworkManager or not.


NetworkManager may use built-in, dhclient, or dhcpcd, see 
NetworkManager.conf(5). It has a plugin for ifupdown. It is configurable 
whether NetworkManager manages interfaces configured through 
/etc/network/interfaces. Actually it may be set to ignore any interface.


nmcli device status
nmcli connection show



link-local 169.254.x.y addresses

2023-10-25 Thread Max Nikulin

On 25/10/2023 00:21, Pocket wrote:
> On 10/24/23 12:48, Max Nikulin wrote:
> > There was a thread several months ago with discussion of link local
> > 169.254.x.y addresses.
>
> Where may I find that thread?

See latest threads with the "mdns" keyword. Although mDNS-SD (e.g.
printer discovery) does not necessarily mean link-local addresses,
169.254.x.y is a fallback (so falls under the zeroconf umbrella). Do not
neglect the IPv6 thread started by Gene as well.


https://lists.debian.org/cgi-bin/search?P=mdns=or=Gdebian-user=0=50

Besides avahi-autoipd, link-local addresses may be assigned by 
systemd-networkd, dhcpcd, NetworkManager.




Re: Domain name to use on home networks

2023-10-25 Thread Jeffrey Walton
On Wed, Oct 25, 2023 at 8:14 AM Marco M.  wrote:
>
> On 25.10.2023 at 07:25:45, gene heskett wrote:
>
> > Is there an RFC number for this already?
>
> ftp://ftp.rfc-editor.org/in-notes/rfc8375.html

This is so interesting (to me). I can't believe I missed that RFC...

From the Abstract:

   This document specifies the behavior that is expected from the Domain
   Name System with regard to DNS queries for names ending with
   '.home.arpa.' and designates this domain as a special-use domain
   name. 'home.arpa.' is designated for non-unique use in residential
   home networks.  The Home Networking Control Protocol (HNCP) is
   updated to use the 'home.arpa.' domain instead of '.home'.

Notice '.home.arpa.' is a fully qualified domain name (FQDN). FQDN's
end in dot, and the dot denotes the top of the DNS tree.

'home' is not a FQDN. It is not a node from the top of the DNS tree.
It is just a special label.

One of my pet peeves is when someone conflates a hostname with a FQDN.
Systemd does this all the time. Systemd's [unofficial] policy seems to
be mDNS and its gossip is the source of truth for network names. Old
admins will always consider DNS as the single source of truth for
network names, not gossip-based protocols.

Systemd networking probably has W Richard Stevens rolling over in his grave...

Jeff



Re: Domain name to use on home networks

2023-10-25 Thread Pocket



Sent from my iPad

> On Oct 25, 2023, at 8:12 AM, Marco M.  wrote:
> 
> On 25.10.2023 at 12:17:40, Joe wrote:
> 
>>> On Wed, 25 Oct 2023 09:01:18 +
>>> Michael Kjörling <2695bd53d...@ewoof.net> wrote:
>>> 
>>> 
>>> 
>>> I see lots of people in this sub-thread arguing for
>>> cobbled-together, "it works for me for now and if it breaks I'll
>>> just fix it later" style solutions.
>>> 
>>> 
>> 
>> Not arguing about anything else, but this situation you describe is
>> how IT works, and will continue to work until it stabilises, maybe a
>> century from now.
> 
> Avoiding mistakes by using it as designed is much better than repairing
> it years later.
> 
Amen


Re: Vulnerability CVE-2021-25216 (libdns-export1104 and libisc-export1100)

2023-10-25 Thread Listas
On Wed, 25-10-2023 at 15:43 +0200, Camaleón wrote:
> On 2023-10-25 at 14:46 +0200, Julio Herrero wrote:
> 
> > 
> > Those packages libdns-export* and libisc-export* do not show up in the
> > Debian repositories of my system, which are the official ones. 
> > 
> > $ apt search libisc-export
> > Ordenando... Hecho
> > Buscar en todo el texto... Hecho
> > $
> > $apt search libdns-export
> > Ordenando... Hecho
> > Buscar en todo el texto... Hecho
> > $
> > $ dpkg -l|grep libdns
> > $ dpkg -l|grep libisc
> > $ 
> 
> They exist... they are from Debian Buster.
> 
> https://packages.debian.org/buster/libdns-export1104
> https://packages.debian.org/buster/libisc-export1100


Indeed, I realised after sending the mail. They are from releases
older than the current Debian stable. 

In any case, the bind9 version the OP gives corresponds to the current
stable, bookworm, so I suppose those libraries are leftovers from some
upgrade. If so, those and other possible leftovers can be removed.
With apt autoremove --purge those leftovers will be removed.

Regards
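
Added example, not part of the thread: a shell filter over dpkg-query output that flags installed packages whose version still carries the tag of an older Debian release (the +deb10u5 library quoted in this thread on a host whose bind9 is ~deb12u1) and notes whether a current package from the same source is installed. The function names and the libc6 sample line are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads lines of
#   package<TAB>version<TAB>source-package
# as printed by
#   dpkg-query -W -f='${Package}\t${Version}\t${source:Package}\n'
# and reports packages whose version carries a Debian release tag (debNNuM)
# older than the release the host runs now. Versions without such a tag
# cannot be judged this way and are treated as current.

stale_release_packages() {      # $1 = current release number, e.g. 12
    awk -F '\t' -v cur="$1" '
        {
            old = 0
            # Stable updates are tagged like "+deb10u5" or "~deb12u1".
            if (match($2, /[+~]deb[0-9]+u[0-9]+/)) {
                tag = substr($2, RSTART + 4, RLENGTH - 4)    # e.g. "10u5"
                split(tag, part, "u")
                old = (part[1] + 0 < cur + 0)
            }
            if (old) {
                n++
                pkg[n] = $1; ver[n] = $2; src[n] = $3; rel[n] = part[1]
            } else {
                current[$3] = $2    # a package of this source that is not old
            }
        }
        END {
            for (i = 1; i <= n; i++) {
                if (src[i] in current)
                    note = "source " src[i] " also installed at " current[src[i]]
                else
                    note = "no newer package from source " src[i]
                printf "%s\t%s\tdeb%s\t%s\n", pkg[i], ver[i], rel[i], note
            }
        }'
}

# Constructed sample; the first two versions are the ones quoted in the thread.
sample_dpkg_list() {
    printf 'libdns-export1104\t1:9.11.5.P4+dfsg-5.1+deb10u5\tbind9\n'
    printf 'bind9\t1:9.18.19-1~deb12u1\tbind9\n'
    printf 'libc6\t2.36-9+deb12u3\tglibc\n'     # constructed line
}

sample_dpkg_list | stale_release_packages 12
```

A flagged library whose source is also installed at a current version is the situation described in this thread: the scanner matches the leftover binary package, not the patched bind9.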




Re: Vulnerability CVE-2021-25216 (libdns-export1104 and libisc-export1100)

2023-10-25 Thread Camaleón
On 2023-10-25 at 14:46 +0200, Julio Herrero wrote:

I don't know what is going on with Gmail but I have not received the mail
from Usuario Lista :-?

> On Wed, 25-10-2023 at 13:53 +0200, Usuario Lista wrote:
> > Hello.
> > 
> > Reviewing the vulnerabilities I came across this one, which is quite
> > old, and I do not quite understand why it has not been updated.
> 
> According to the Debian trackers it has been fixed for more than two
> years:
> 
> https://security-tracker.debian.org/tracker/CVE-2021-25216
> 
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987743

The package that fixes it is Bind, not the libraries.

> > I am using Wazuh as SIEM and it detects this vulnerability on the
> > Debian servers. It turns out that on these machines I have the
> > updated and patched version of bind9 installed, but neither of
> > these packages is updated:
> > libdns-export1104
> > libisc-export1100

It could be a false positive or a different vulnerability. 
Bearing in mind that Debian splits packages up a lot, perhaps the 
applications detect the libraries and think Bind is not patched 
when that is not really the case.

https://security-tracker.debian.org/tracker/CVE-2023-3341

In any case, Buster no longer has security support; it is not advisable 
to have it installed on public production servers.
> 
> Those packages libdns-export* and libisc-export* do not show up in the
> Debian repositories of my system, which are the official ones. 
> 
> $ apt search libisc-export
> Ordenando... Hecho
> Buscar en todo el texto... Hecho
> $
> $apt search libdns-export
> Ordenando... Hecho
> Buscar en todo el texto... Hecho
> $
> $ dpkg -l|grep libdns
> $ dpkg -l|grep libisc
> $ 

They exist... they are from Debian Buster.

https://packages.debian.org/buster/libdns-export1104
https://packages.debian.org/buster/libisc-export1100

> > Here is the information for the installed package and for bind9
> > 
> > Does the same happen to you
> > I cannot find a way to patch those packages, or whether I can even
> > remove them.

Well, if you have them installed there must be a reason. If not out of 
direct need, then because of some dependency, since they are library packages.
Do not remove them without first making sure you are not going to break something.

> Not for me. As I said, they do not show up in the repositories, let alone
> on the system. Try removing them with apt and see whether any package
> complains. Maybe you use some unofficial repository and they come from there.

Regards,

-- 
Camaleón 



Re: A file synchronization tool that respects hardlinks

2023-10-25 Thread Charles Curley
On Wed, 25 Oct 2023 09:57:19 +0300
Itay  wrote:

> Perhaps I will grab the chance to separate private stuff from work
> stuff :-)

Indeed! I don't know where you are located, but I will tell you that in
parts of the US commingling the two can become a legal nightmare. I
would consider having a separate computer for each.

-- 
Does anybody read signatures any more?

https://charlescurley.com
https://charlescurley.com/blog/



Re: Vulnerability CVE-2021-25216 (libdns-export1104 and libisc-export1100)

2023-10-25 Thread Julio Herrero
On Wed, 25-10-2023 at 13:53 +0200, Usuario Lista wrote:
> Hello.
> 
> Reviewing the vulnerabilities I came across this one, which is quite
> old, and I do not quite understand why it has not been updated.

According to the Debian trackers it has been fixed for more than two
years:

https://security-tracker.debian.org/tracker/CVE-2021-25216

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987743


> 
> I am using Wazuh as SIEM and it detects this vulnerability on the
> Debian servers. It turns out that on these machines I have the
> updated and patched version of bind9 installed, but neither of
> these packages is updated:
> libdns-export1104
> libisc-export1100

Those packages libdns-export* and libisc-export* do not show up in the
Debian repositories of my system, which are the official ones. 

$ apt search libisc-export
Ordenando... Hecho
Buscar en todo el texto... Hecho
$
$apt search libdns-export
Ordenando... Hecho
Buscar en todo el texto... Hecho
$
$ dpkg -l|grep libdns
$ dpkg -l|grep libisc
$ 


> 
> Here is the information for the installed package and for bind9
> 
> Does the same happen to you
> I cannot find a way to patch those packages, or whether I can even
> remove them.

Not for me. As I said, they do not show up in the repositories, let alone
on the system. Try removing them with apt and see whether any package
complains. Maybe you use some unofficial repository and they come from there.

Regards




Re: How do I connect my new wifi router (Mi Router 4C)?

2023-10-25 Thread Max Nikulin

On 25/10/2023 18:24, Martin wrote:
> On Wed, Oct 25, 2023 at 03:17:09PM +0700, Max Nikulin wrote:
> > So packet forwarding should be enabled on the computer.

sysctl net.ipv4.ip_forward

almost certainly enabled since you have the docker0 network interface

> > However I suspect an issue with IP addresses.

I was wrong.


2: enp3s0:  mtu 1500 qdisc fq_codel state UP 
group default qlen 1000
 link/ether e0:d5:5e:73:c9:d3 brd ff:ff:ff:ff:ff:ff
 inet 192.168.231.3/24 brd 192.168.231.255 scope global enp3s0

[...]

3: wlxe8de27a5ab1c:  mtu 1500 qdisc noqueue 
state UP group default qlen 1000
 link/ether e8:de:27:a5:ab:1c brd ff:ff:ff:ff:ff:ff
 inet 192.168.0.16/24 brd 192.168.0.255 scope global dynamic wlxe8de27a5ab1c


looks consistent from router settings you posted earlier


 IP address: 192.168.231.5
Subnet mask: 255.255.255.0
Default gateway: 192.168.231.3
DNS: 192.168.231.3


I hope, you have a DNS server running on this machine

dig debian.org @192.168.231.3

or

host debian.org 192.168.231.3

Check that you do not have blocking rules in firewall and that 
masquerading is enabled for your downstream link enp3s0


nft list ruleset

should have something like

table ip sharedconnection {
  chain postrouting {
    type nat hook postrouting priority srcnat; policy accept;
    ip saddr 192.168.231.3/24 ip daddr != 192.168.231.3/24 masquerade
  }
}

A tool for further debugging is tcpdump or wireshark.



Re: How do I connect my new wifi router (Mi Router 4C)?

2023-10-25 Thread Marco M.
On 25.10.2023 at 13:33:48, Martin wrote:

> On Wed, Oct 25, 2023 at 08:47:03AM +0200, Marco M. wrote:
> > 
> > Why don't you use DHCP like your phone does?  
> 
> Because I used this computer before I had WiFi and phone.

Why is it a problem to change it?
Do you really want to deal with manually addressing machines?

> > Show 
> > ip a  
> 
> I posted output of that command to Max Nikulin email.
> 
> (Do not want to post same info twice again as first email)

This is a mailing list, please keep the discussion here on the list and
do not send emails directly to subscribers. Nobody else can read them.



Re: Domain name to use on home networks

2023-10-25 Thread Marco M.
On 25.10.2023 at 07:25:45, gene heskett wrote:

> Is there an RFC number for this already?

ftp://ftp.rfc-editor.org/in-notes/rfc8375.html



Re: Domain name to use on home networks

2023-10-25 Thread Marco M.
On 25.10.2023 at 12:17:40, Joe wrote:

> On Wed, 25 Oct 2023 09:01:18 +
> Michael Kjörling <2695bd53d...@ewoof.net> wrote:
> 
> 
> > 
> > I see lots of people in this sub-thread arguing for
> > cobbled-together, "it works for me for now and if it breaks I'll
> > just fix it later" style solutions.
> > 
> >  
> 
> Not arguing about anything else, but this situation you describe is
> how IT works, and will continue to work until it stabilises, maybe a
> century from now.

Avoiding mistakes by using it as designed is much better than repairing
it years later.



Vulnerability CVE-2021-25216 (libdns-export1104 and libisc-export1100)

2023-10-25 Thread Usuario Lista
Hello.

Reviewing the vulnerabilities I came across this one, which is quite
old, and I do not quite understand why it has not been updated.

I am using Wazuh as SIEM and it detects this vulnerability on the
Debian servers. It turns out that on these machines I have the updated
and patched version of bind9 installed, but neither of these packages
is updated:
libdns-export1104
libisc-export1100

Here is the information for the installed package and for bind9

Does the same happen to you
I cannot find a way to patch those packages, or whether I can even remove them.

Package: libdns-export1104
Version: 1:9.11.5.P4+dfsg-5.1+deb10u5
Status: install ok installed
Priority: optional
Section: libs
Source: bind9
Maintainer: Debian DNS Team 
Installed-Size: 2.474 kB
Depends: libc6 (>= 2.14), libisc-export1100, libssl1.1 (>= 1.1.1)
Homepage: https://www.isc.org/downloads/bind/
Download-Size: desconocido
APT-Manual-Installed: yes
APT-Sources: /var/lib/dpkg/status
Description: Exported DNS Shared Library
 The Berkeley Internet Name Domain (BIND) implements an Internet domain
 name server.  BIND is the most widely-used name server software on the
 Internet, and is supported by the Internet Software Consortium, www.isc.org.
 .
 This package delivers the exported libdns shared library.


Package: bind9
Version: 1:9.18.19-1~deb12u1
Priority: optional
Section: net
Maintainer: Debian DNS Team 
Installed-Size: 1.159 kB
Pre-Depends: init-system-helpers (>= 1.54~)
Depends: adduser, bind9-libs (= 1:9.18.19-1~deb12u1), bind9-utils (=
1:9.18.19-1~deb12u1), debconf | debconf-2.0, dns-root-data, iproute2,
lsb-base (>= 3.2-14), netbase, libc6 (>= 2.34), libcap2 (>= 1:2.10),
libfstrm0 (>= 0.2.0), libjson-c5 (>= 0.15), liblmdb0 (>= 0.9.7),
libmaxminddb0 (>= 1.3.0), libnghttp2-14 (>= 1.3.0), libprotobuf-c1 (>=
1.0.0), libssl3 (>= 3.0.0), libsystemd0, libuv1 (>= 1.40.0), libxml2
(>= 2.7.4), zlib1g (>= 1:1.1.4)
Suggests: bind-doc, dnsutils, resolvconf, ufw
Breaks: bind (<< 1:9.13.6~)
Replaces: bind (<< 1:9.13.6~)
Homepage: https://www.isc.org/downloads/bind/
Download-Size: 494 kB
APT-Sources: http://security.debian.org/debian-security
bookworm-security/main amd64 Packages
Description: Internet Domain Name Server
 The Berkeley Internet Name Domain (BIND 9) implements an Internet domain
 name server.  BIND 9 is the most widely-used name server software on the
 Internet, and is supported by the Internet Software Consortium, www.isc.org.
 .
 This package provides the server and related configuration files.
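One way to triage a scanner finding like this from the two stanzas above, as an added example that is not part of the original message: it groups installed binaries by source package and flags those known only from the local dpkg database while carrying an older Debian release tag than their siblings. The sample text is constructed from the stanzas quoted above, and the function names are hypothetical.

```python
import re

# Constructed sample: the two stanzas quoted above, trimmed to the fields
# this check reads (one wrapped field kept as a continuation line).
APT_SHOW = """\
Package: libdns-export1104
Version: 1:9.11.5.P4+dfsg-5.1+deb10u5
Status: install ok installed
Source: bind9
APT-Sources: /var/lib/dpkg/status

Package: bind9
Version: 1:9.18.19-1~deb12u1
APT-Sources: http://security.debian.org/debian-security
 bookworm-security/main amd64 Packages
"""


def parse_stanzas(text):
    """Split control-file style output into one dict per package."""
    stanzas = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields, key = {}, None
        for line in block.splitlines():
            if line[:1] in (" ", "\t") and key:
                fields[key] += " " + line.strip()  # continuation line
            elif ":" in line:
                key, _, value = line.partition(":")
                fields[key] = value.strip()
        stanzas.append(fields)
    return stanzas


def release_tag(version):
    """Return N from a trailing +debNuM or ~debNuM suffix, else None.

    Assumption: the suffix follows the usual Debian convention of naming
    the release (deb10, deb12, ...) a stable update was built for.
    """
    m = re.search(r"[+~]deb(\d+)u\d+$", version)
    return int(m.group(1)) if m else None


def triage(stanzas):
    """Flag binaries that lag behind other binaries of the same source."""
    by_source = {}
    for s in stanzas:
        # A missing Source field means the source is named like the binary.
        source = s.get("Source", s["Package"]).split()[0]
        by_source.setdefault(source, []).append(s)
    findings = []
    for source, pkgs in by_source.items():
        newest = max(release_tag(p["Version"]) or 0 for p in pkgs)
        for p in pkgs:
            tag = release_tag(p["Version"])
            # Assumption: this APT-Sources value means the version is known
            # only from the local dpkg database, not from a configured repo.
            local_only = p.get("APT-Sources") == "/var/lib/dpkg/status"
            if local_only and tag is not None and tag < newest:
                findings.append({"package": p["Package"], "source": source,
                                 "version": p["Version"], "release": tag,
                                 "newest_release": newest})
    return findings


if __name__ == "__main__":
    for f in triage(parse_stanzas(APT_SHOW)):
        print(f)
```

A package flagged here will not change when bind9 itself is upgraded, which is consistent with the scanner still reporting it.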



Re: How do I connect my new wifi router (Mi Router 4C)?

2023-10-25 Thread Martin
On Wed, Oct 25, 2023 at 08:47:03AM +0200, Marco M. wrote:
> 
> Why don't you use DHCP like your phone does?

Because I used this computer before I had WiFi and phone.

> Show 
> ip a

I posted output of that command to Max Nikulin email.

(Do not want to post same info twice again as first email)

Martin



Re: Domain name to use on home networks

2023-10-25 Thread gene heskett

On 10/25/23 05:01, Michael Kjörling wrote:
> On 25 Oct 2023 07:32 +0200, from m...@dorfdsl.de (Marco M.):
>>> TLD '.lan' works.  As best I can tell on the web, it doesn't exist.
>>
>> Is it intended for that?
>> No?
>> Then don't use it. It can be used in the future for public domains.
>
> Exactly.
>
> I see lots of people in this sub-thread arguing for cobbled-together,
> "it works for me for now and if it breaks I'll just fix it later"
> style solutions.
>
> "home.arpa" is _reserved specifically_ for almost exactly the purpose
> we're talking about: local (for example residential) use where one
> does not want to pay for a domain name and/or does not need globally
> unique names.
>
> If you have anyway, or are willing to pay for, a domain name that you
> can use for the purpose, great; all that power to you.
>
> But most home users aren't in that situation. For those people,
> "home.arpa" is _the official_ answer. It's not something I've made up.
> There's an RFC, there's a corresponding domain name reservation, it's
> specifically set up so that it won't break for example DNSSEC, and
> that RFC is a _PROPOSED STANDARD_ which is pretty much as officially
> sanctioned as things get on the public Internet. (I think IPv4 has the
> status of STANDARD.)
>
> Just like you shouldn't pick some IP address range at random for your
> LAN if you want hosts on that LAN to be able to communicate unimpeded
> with hosts on the Internet, you shouldn't randomly pick a domain name.
> Using a domain name (or IP address range) which is reserved for
> examples and documentation likely won't break anything important, but
> it _will_ cause confusion (as evidenced earlier in this thread).
>
> If you go with the domain name home.arpa and an IPv4 subnet sliced out
> of one of 192.168.0.0/16, 172.12.0.0/12 or 10.0.0.0/8, you can be
> _almost certain_ that nothing will break because of those choices, now
> _or_ in the future.

This thread is the first I've heard of home.arpa as a domainname for
internal lan's. It s/b easy enough to switch my local lan to that since
only the domainname changes. The alias shouldn't need changed.

Is there an RFC number for this already?

> None of the other alternatives I've seen proposed in this thread can
> offer anything like such guarantees.

Thank you for this clarification.

Cheers, Gene Heskett.
--
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author, 1940)
If we desire respect for the law, we must first make the law respectable.
 - Louis D. Brandeis



Re: How do I connect my new wifi router (Mi Router 4C)?

2023-10-25 Thread Martin
On Wed, Oct 25, 2023 at 03:17:09PM +0700, Max Nikulin wrote:
> On 25/10/2023 15:04, Anssi Saari wrote:
> > You have some kind of mysterious internet connection from something.
> > That needs to connect to the router's WAN port.
> 
> My guess is the following:
> 
> - Source of weak WiFi
> - WiFi booster
> - WiFi adapter in computer
> - ethernet port in computer
> - ethernet port of Mi router
> - WiFi provided by Mi router
> - WiFi adapter inside the phone
> 
> So packet forwarding should be enabled on the computer. However I suspect an
> issue with IP addresses. Martin, please, provide output of
> 
> ip address list

You are absolutely correct with your guess - although it took me
some time to understand what you are talking about - which is all my
fault.

Here is the result of 'ip address list' and also 'ip route' command:

$ ip address list
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute
       valid_lft forever preferred_lft forever
2: enp3s0:  mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether e0:d5:5e:73:c9:d3 brd ff:ff:ff:ff:ff:ff
    inet 192.168.231.3/24 brd 192.168.231.255 scope global enp3s0
       valid_lft forever preferred_lft forever
    inet6 fe80::e2d5:5eff:fe73:c9d3/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever
3: wlxe8de27a5ab1c:  mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether e8:de:27:a5:ab:1c brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.16/24 brd 192.168.0.255 scope global dynamic wlxe8de27a5ab1c
       valid_lft 535000sec preferred_lft 535000sec
    inet6 fe80::eade:27ff:fea5:ab1c/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever
4: docker0:  mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:42:5b:a7:3b brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
5: br-7bfdce95ff27:  mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:52:ec:22:75 brd ff:ff:ff:ff:ff:ff
    inet 172.18.0.1/16 brd 172.18.255.255 scope global br-7bfdce95ff27
       valid_lft forever preferred_lft forever
6: tun0:  mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none
    inet 10.1.1.1/24 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::f84d:e9fc:4ea5:f7fa/64 scope link stable-privacy proto kernel_ll
       valid_lft forever preferred_lft forever

$ ip route
default via 192.168.0.1 dev wlxe8de27a5ab1c
10.1.1.0/24 dev tun0 proto kernel scope link src 10.1.1.1
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
172.18.0.0/16 dev br-7bfdce95ff27 proto kernel scope link src 172.18.0.1 linkdown
192.168.0.0/24 dev wlxe8de27a5ab1c proto kernel scope link src 192.168.0.16
192.168.231.0/24 dev enp3s0 proto kernel scope link src 192.168.231.3
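
The routing table above, walked through for a packet coming from the Mi router (192.168.231.5), as an added example that is not part of the original message. It shows why the thread asks for both packet forwarding and source NAT on the computer; the function names are hypothetical, 203.0.113.10 is a documentation address standing in for an Internet host, and the upstream router is assumed to have no static route back to 192.168.231.0/24.

```python
import ipaddress

# Constructed input: the `ip route` output from the message above, with the
# wrapped line re-joined.
IP_ROUTE = """\
default via 192.168.0.1 dev wlxe8de27a5ab1c
10.1.1.0/24 dev tun0 proto kernel scope link src 10.1.1.1
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
172.18.0.0/16 dev br-7bfdce95ff27 proto kernel scope link src 172.18.0.1 linkdown
192.168.0.0/24 dev wlxe8de27a5ab1c proto kernel scope link src 192.168.0.16
192.168.231.0/24 dev enp3s0 proto kernel scope link src 192.168.231.3
"""


def parse_routes(text):
    """Turn `ip route` lines into dicts with net, dev, via and src."""
    routes = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        dest = "0.0.0.0/0" if tok[0] == "default" else tok[0]
        # After the destination the line is "key value" pairs; a trailing
        # flag such as "linkdown" has no value and is dropped by zip().
        kv = dict(zip(tok[1::2], tok[2::2]))
        routes.append({"net": ipaddress.ip_network(dest), "dev": kv["dev"],
                       "via": kv.get("via"), "src": kv.get("src")})
    return routes


def lookup(routes, dst):
    """Longest-prefix match over the parsed routes."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if addr in r["net"]]
    return max(hits, key=lambda r: r["net"].prefixlen) if hits else None


def forward_decision(routes, in_dev, src, dst):
    """Describe what this host must do with a packet src -> dst seen on in_dev."""
    out = lookup(routes, dst)
    if out is None:
        return None
    # Subnets directly attached to the egress interface: the only sources
    # the next hop can answer without an extra route (assumption: it has
    # no static route for any other subnet).
    attached = [r for r in routes if r["dev"] == out["dev"] and r["via"] is None]
    src_ok = any(ipaddress.ip_address(src) in r["net"] for r in attached)
    return {
        "out_dev": out["dev"],
        "next_hop": out["via"] or dst,
        "needs_forwarding": out["dev"] != in_dev,  # net.ipv4.ip_forward=1
        "needs_masquerade": not src_ok,
        "masquerade_as": None if src_ok or not attached else attached[0]["src"],
    }


if __name__ == "__main__":
    routes = parse_routes(IP_ROUTE)
    print(forward_decision(routes, "enp3s0", "192.168.231.5", "203.0.113.10"))
    # Replies addressed to the Mi router leave through the Ethernet port.
    print(lookup(routes, "192.168.231.5")["dev"])
```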



Re: Domain name to use on home networks

2023-10-25 Thread Joe
On Wed, 25 Oct 2023 09:01:18 +
Michael Kjörling <2695bd53d...@ewoof.net> wrote:


> 
> I see lots of people in this sub-thread arguing for cobbled-together,
> "it works for me for now and if it breaks I'll just fix it later"
> style solutions.
> 
>

Not arguing about anything else, but this situation you describe is how
IT works, and will continue to work until it stabilises, maybe a
century from now.

I have web pages on my home intranet written anything up to twenty
years ago. The versions of HTML, PHP, Perl etc that I used in many of
them are long obsolete. To do things right, I ought to go over that code
line by line every year or two, checking current documentation to see
what's deprecated, find out how to workaround it and fix it.

Life's too short. So when I use a page I haven't used for years,
there's a good chance it won't work, and I'll have to fix it then. So
be it.

Scale that up, and it's how the whole of IT works. Inevitably, things
will break, hardware and software won't work on new operating systems,
and so on. We have to live with it. Yes, it's nice to do things exactly
correctly, but they are only exactly correct today. Tomorrow, they may
be deprecated, and eventually removed.

The exact situation you address may be set in stone for all time. Or it
may not: it can be changed on a whim. All we can do is make the best
choice at the time, and even then we have to guess at how much time we
need to spend researching it in order to have a better choice than we
can see now, and whether it's worth doing that when we don't even know
that there is a better choice possible.

-- 
Joe



Re: Domain name to use on home networks

2023-10-25 Thread Michael Kjörling
On 25 Oct 2023 07:32 +0200, from m...@dorfdsl.de (Marco M.):
>> TLD '.lan' works.  As best I can tell on the web, it doesn't exist.  
> 
> Is it intended for that?
> No?
> Then don't use it. It can be used in the future for public domains.

Exactly.

I see lots of people in this sub-thread arguing for cobbled-together,
"it works for me for now and if it breaks I'll just fix it later"
style solutions.

"home.arpa" is _reserved specifically_ for almost exactly the purpose
we're talking about: local (for example residential) use where one
does not want to pay for a domain name and/or does not need globally
unique names.

If you have anyway, or are willing to pay for, a domain name that you
can use for the purpose, great; all that power to you.

But most home users aren't in that situation. For those people,
"home.arpa" is _the official_ answer. It's not something I've made up.
There's an RFC, there's a corresponding domain name reservation, it's
specifically set up so that it won't break for example DNSSEC, and
that RFC is a _PROPOSED STANDARD_ which is pretty much as officially
sanctioned as things get on the public Internet. (I think IPv4 has the
status of STANDARD.)

Just like you shouldn't pick some IP address range at random for your
LAN if you want hosts on that LAN to be able to communicate unimpeded
with hosts on the Internet, you shouldn't randomly pick a domain name.
Using a domain name (or IP address range) which is reserved for
examples and documentation likely won't break anything important, but
it _will_ cause confusion (as evidenced earlier in this thread).

If you go with the domain name home.arpa and an IPv4 subnet sliced out
of one of 192.168.0.0/16, 172.12.0.0/12 or 10.0.0.0/8, you can be
_almost certain_ that nothing will break because of those choices, now
_or_ in the future.

None of the other alternatives I've seen proposed in this thread can
offer anything like such guarantees.

-- 
Michael Kjörling  https://michael.kjorling.se
“Remember when, on the Internet, nobody cared that you were a dog?”



Re: Network tcp/iptables issue with XRDP

2023-10-25 Thread Anssi Saari
Henggi  writes:

> Oh wow… that’s interesting. I had no idea about „nft“ (I just knew 
> „iptables-nft“) which seem to be very different.
> I think I have dig down where those „nft" rules are coming from while 
> iptables-nft is completely empty. Thanks, great clue!

Typically you'd have a /etc/nftables.conf with the rules for nft. Or at
least that's what I do.



Re: How do I connect my new wifi router (Mi Router 4C)?

2023-10-25 Thread Max Nikulin

On 25/10/2023 15:04, Anssi Saari wrote:
> You have some kind of mysterious internet connection from something.
> That needs to connect to the router's WAN port.


My guess is the following:

- Source of weak WiFi
- WiFi booster
- WiFi adapter in computer
- ethernet port in computer
- ethernet port of Mi router
- WiFi provided by Mi router
- WiFi adapter inside the phone

So packet forwarding should be enabled on the computer. However I 
suspect an issue with IP addresses. Martin, please, provide output of


ip address list



Re: How do I connect my new wifi router (Mi Router 4C)?

2023-10-25 Thread Anssi Saari
Martin  writes:

> Hello,
>
> With wifi antenna I receive a (rather weak) signal that connects my
> computer to internet. I have to use windsurfer antenna booster
> (http://members.multiweb.nl/schaaijw/windsurfer_wifi_en.pdf)
> to get usable signal. So my computer has internet signal from
> wifi antenna - yay great thing :)
>
> Now I also want to connect to internet with my mobile phone!

You mean you want to use some unspecified wifi signal with your phone
also? Share the connection to your phone and computer? The link to this
"windsurfer" doesn't work so it's a little hard to help if you can't
describe what you have.

> As it turns out I am not so bright to make this whole setup working :(
> I plugged in new router to power and connected ethernet cable from my
> computer to router WAN connection. (I believe this is how it should be
> connected together)

The WAN connection is for the internet, not your computer. It says as
much in the Xiaomi manual.

> While I was setting up router as described in
> https://manuals.plus/_mi/mi-router-4c-manual
> in Step 2 (point 3) it said I do not have internet.
> So I chose to manually set up 'Static address' for
> router as follows (my computer has IP address 192.168.231.3):
>
>  IP address: 192.168.231.5
> Subnet mask: 255.255.255.0
> Default gateway: 192.168.231.3
> DNS: 192.168.231.3
>
> After all this setup I could issue those commands on my desktop:
>
> (this is my desktop IP address - just to show it works)

So you created a LAN between your computer and the router.

> I hope someone will be able to give me some hint how to solve
> this issue and be able to connect to internet from router - and
> connected phone.

You have some kind of mysterious internet connection from
something. That needs to connect to the router's WAN port.



Re: A file synchronization tool that respects hardlinks

2023-10-25 Thread Itay
On Tue, 24 Oct 2023, at 17:19, Itay wrote:
> 
> 
> On Sun, 22 Oct 2023, at 21:10, Charles Curley wrote:
> > On Sun, 22 Oct 2023 17:40:43 +0300
> > Itay  wrote:
> >
> >> According to wikipedia[4] the following tools are bidirectional:
> >>  FreeFileSync / NextCloud / Owncloud / SyncThing
> >> Please -- can someone quickly tell me if they respect hardlinks?
> >> Or recommend another tool(s) that respect hardlinks?
> >
> > I can tell you that nextcloud and syncthing do not appear to respect
> > hard links. They will copy two hard linked files (the same inode), but
> > on the receiving computer the files will not be hard linked.
> >
> > I suspect the same for owncloud, as nextcloud is a fork of owncloud.
> >
> 
> Thank you.  Your answer narrows down the options to FreeFileSync.
> I'll search the documentation.

According to FreeFileSync forum the tool does *not* respect hardlinks[1,2].
However, in the same forum they recommend the commercial tool SynCovery[2,3].
There are downloads packaged for debian, and a free one month trial.
Haven't tried it, yet.

My thanks to all the responders.

[1] freefilesync.org/forum/viewtopic.php?t=6087=hardlinks#p20016
[2] freefilesync.org/forum/viewtopic.php?t=6633=hardlinks
[3] https://www.syncovery.com/

> 
> > -- 
> > Does anybody read signatures any more?
> >
> > https://charlescurley.com
> > https://charlescurley.com/blog/


Re: A file synchronization tool that respects hardlinks

2023-10-25 Thread Itay
On Tue, 24 Oct 2023, at 18:09, Charles Curley wrote:
> On Tue, 24 Oct 2023 17:14:21 +0300
> Itay  wrote:
>
>> > Though, in general, the purpose of something like darcs is to
>> > *provide* the syncing.
>> >  
>> 
>> True.  But my home dir includes many subdirs that are not under darcs
>> control.
>
> Then perhaps you should consider what I do.
>
> I put stuff under version control under a directory dedicated to
> version controlled material, ~/versioned. Those I have to synchronize
> to such other computers as I want synchronized manually with the
> relevant VCS.
>
> I then put other stuff I want synchronized to other computers under a
> special directory, ~/projects. ~/projects is subject to syncthing, so
> other computers are updated automatically. (It also makes ~/ a lot
> cleaner.) No hard links so far.
>
> Stuff outside of ~/projects which I want synchronized I symlink into a
> tree under ~/projects/home. So ~/.emacs is a symlink to
> ~/projects/home/emacs. So now every time I change .emacs on one
> computer it gets updated on the others where I have syncthing.
>
> Other stuff I want synchronized, but rarely, such as music or
> photographs, I synchronize manually with rsync.
>

Maybe this would be the best way to go.
Perhaps I will grab the chance to separate private stuff from work stuff :-)

One point to remember is to avoid using hardlinks anywhere outside ~/versioned.

Thanks!

> -- 
> Does anybody read signatures any more?
>
> https://charlescurley.com
> https://charlescurley.com/blog/



Re: How do I connect my new wifi router (Mi Router 4C)?

2023-10-25 Thread Marco M.
On 25.10.2023 at 08:45:26, Martin wrote:

> I am using /etc/network and here is whole /etc/network/interfaces
> file:
> 
> auto lo
> iface lo inet loopback
> 
> auto enp3s0
> iface enp3s0 inet static
>   address 192.168.231.3
>   netmask 255.255.255.0

Why don't you use DHCP like your phone does?

Show 
ip a



Re: How do I connect my new wifi router (Mi Router 4C)?

2023-10-25 Thread Martin
On Wed, Oct 25, 2023 at 07:24:10AM +0200, Marco M. wrote:
> 
> Please specify the EXACT model names and the exact wiring of your
> devices.

There is no other name than 'Mi Router 4C' made by Xiaomi.
2 links that I provided are for exact model I have.
(here they are again:
https://www.mi.com/global/product/mi-router-4c/
https://manuals.plus/_mi/mi-router-4c-manual)


The wiring is as follows:
a) power cable goes from wall to the far right socket
   (when looking from front of modem)
b) ethernet cable is connected from my desktop to far left socket of router.
   (there are also 2 middle ethernet cable sockets which I do not use
   my guess is they are for connecting other devices -like desktop- to
   subnetwork that wifi router uses which is 192.168.31.X - my phone is
   getting address from this subnetwork when connected to wifi router)

> Please also tell us if you use NetworkManager or /etc/network for
> configuration.

I am using /etc/network and here is whole /etc/network/interfaces file:

auto lo
iface lo inet loopback

auto enp3s0
iface enp3s0 inet static
  address 192.168.231.3
  netmask 255.255.255.0

# auto wlxe8de27a5ab1c
iface wlxe8de27a5ab1c inet dhcp
 wpa-ssid Thomson
 wpa-psk mybigsecret

Martin



Re: Domain name to use on home networks; was: Bookworm:NetworkManager

2023-10-25 Thread Erwan David

On 25/10/2023 at 03:47, David Wright wrote:
> On Mon 23 Oct 2023 at 12:06:05 (+0200), Christian Groessler wrote:
>> On 10/23/23 07:29, Jeffrey Walton wrote:
>>> On Mon, Oct 23, 2023 at 1:24 AM ghe2001  wrote:
>>>> How about a /29 or so, named "here.", hosts named 2 or 3 letter
>>>> abbreviations of what you call the computers, with unroutable IPs,
>>>> DNS'ed in /etc/hosts (with shortcuts).
>>>
>>> Whatever you come up with for , ICANN can add to the
>>> gTLD namespace; see .
>>
>> Just register a domain and use that.
>
> That costs money, and I can't see the point when there are TLDs
> that are perfectly safe already available, like .home.arpa, and
> before that, .{corp,home,mail}.
>
> Cheers,
> David.

Or if you already have a domain, you can use a subdomain. eg. I have
rail.eu.org, and at home it is depot.rail.eu.org


--
Erwan David