> There are also still a lot of misconceptions from network administrators who are scared of or don’t properly understand IPv6
Enable IPv6 on a TP-Link Omada router (ER7212PC) and all internal services are exposed to the outside world as there is no default IPv6 deny-all rule and no IPv6 firewall. I get why some people are nervous.
That's more proof that TP-Link should not be trusted than that there is a problem with IPv6, really. Even cheap $20 Aliexpress routers have a firewall enabled by default.
> Enable IPv6 on a TP-Link Omada router (ER7212PC) and all internal services are exposed to the outside world as there is no default IPv6 deny-all rule and no IPv6 firewall. I get why some people are nervous.
A router routing traffic makes people nervous? Isn't that what it's supposed to do? I'd be annoyed if my router did not pass traffic.
Now, if the ER7212PC was a firewall that would be something else.
(And no, I'm not being pedantic: routers should pass traffic unless told otherwise, firewalls should block traffic unless told otherwise. The purposes of the two device classes are different, they just happen to both deal with Layer 3 protocol data units.)
Routers and access points are also typically separate device classes. Yet the market has figured out that most consumers prefer all-in-one devices. Expecting households to run dedicated firewalls besides their AiO wifi-routers is ludicrous.
What firewall do you recommend a typical user couple their ER7212PC (which BTW is already tripling as VPN gateway and cloud-controller) with?
The problem is that TP-Link does not give two cents to security in their products.
> Yet the market has figured out that most consumers prefer all-in-one devices. Expecting households to run dedicated firewalls besides their AiO wifi-routers is ludicrous.
Except neither the ER7212PC nor anything else under the Omada (sub-)brand is a consumer / household device. The tagline of Omada is "Networks Empower Business":
If you want to haul your boat buy an F-150 pickup and don't complain that your Golf doesn't have enough towing capacity: buy the tool that you need for the problem/job you have. If you want an all-in-one then buy an AiO and not a router.
>> And no, I'm not being pedantic
> You very much are.
Expecting a router to not-route IPv6 is the unreasonable thought.
Are you suggesting that people should buy both a router and a firewall for their home networks? I suppose they should buy a separate Wi-Fi AP as well, and a switch or two, in your opinion?
> Are you suggesting that people should buy both a router and a firewall for their home networks?
I am suggesting the ER7212PC is not a home network device, and thus having the two functions glommed together is an anti-feature in its design. The tagline of Omada is "Networks Empower Business":
You are of course correct, but most people will disagree because the world we live in is a lot messier than what we should do and people expect a base line. You have to remember that people rely on IPv4 NATing for security, despite every network engineer knowing that it is not - in effect it is.
> You have to remember that people rely on IPv4 NATing for security, despite every network engineer knowing that it is not - in effect it is.
Then buy a device that does default NATing and other consumer-y if you want that. Don't complain that a generic routing system routes IP—whether IPv4 or IPv6—by default.
If you want a firewall buy a firewall. If you want an all-in-one firewall/gateway/AP/whatever, buy it.
In this particular case the "problem" is not in the device but in purchasing the wrong tool for the job at hand. If you want to haul lumber buy a cargo van or pickup truck, not a VW Golf.
> Customer edge routers are expected to contain firewall (see RFC 7084 and RFC 6092).
Neither the ER7212PC nor anything else in the Omada line is for residential consumers, which is what RFC 6092—"Recommended Simple Security Capabilities in Customer Premises Equipment (CPE) for Providing Residential IPv6 Internet Service"—refers to.
And RFC 7084 has two instances of the word "firewall", one (§3.1) in reference to IPv4 NAT:
> A typical IPv4 NAT deployment by default blocks all incoming connections. Opening of ports is typically allowed using a Universal Plug and Play Internet Gateway Device (UPnP IGD) [UPnP-IGD] or some other firewall control protocol.
and the other (§4.5) to tunnelling:
> S-3: If the IPv6 CE router firewall is configured to filter incoming tunneled data, the firewall SHOULD provide the capability to filter decapsulated packets from a tunnel.
I agree that a consumer all-in-one firewall/gateway/AP/whatever should ("MUST"?) have a default-deny rule on incoming connections. But the original complaint that kicked off this sub-thread is about a particular device, which is not a consumer device but a more generic routing system and not a "firewall" as such.
People expect their router to act as a firewall too, via NAT. If you take this away and force people to buy an additional piece of hardware to restore the expected functionality, they won't switch. Simple as that.
All modern NAT routers include a firewall. They don't "act as a firewall too, via NAT", they have both NAT and firewall functionality, even for IPv4. It has been like this for a long time now.
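For readers who want the default-deny behaviour the sub-thread above argues about, here is an added nftables ruleset (not from the thread, and not something that loads onto the ER7212PC itself) for a Linux box acting as the IPv6 edge router. It assumes `wan0` is the upstream interface and `lan0` the inside network; the ICMPv6 exceptions follow the RFC 4890 guidance that IPv6 needs them even under a deny-all policy.

```nft
#!/usr/sbin/nft -f
# Added example: RFC 6092-style "simple security" for IPv6 on a Linux router.
# Assumed interface names: wan0 (upstream), lan0 (inside).
flush ruleset

table ip6 filter {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Return traffic for connections the LAN opened
        ct state established,related accept
        ct state invalid drop

        # Anything originating inside may leave
        iifname "lan0" oifname "wan0" accept

        # ICMPv6 that must cross the boundary for IPv6 to work (RFC 4890)
        iifname "wan0" icmpv6 type {
            destination-unreachable, packet-too-big,
            time-exceeded, parameter-problem, echo-request
        } accept

        # Every other inbound IPv6 flow is dropped by the chain policy
    }

    chain input {
        type filter hook input priority filter; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Neighbor discovery and router advertisements on the links
        ip6 saddr fe80::/10 icmpv6 type {
            nd-neighbor-solicit, nd-neighbor-advert,
            nd-router-solicit, nd-router-advert
        } accept
        icmpv6 type {
            destination-unreachable, packet-too-big,
            time-exceeded, parameter-problem, echo-request
        } accept

        # DHCPv6 client replies (prefix delegation) arrive on the WAN side
        iifname "wan0" udp dport 546 accept

        # Router management only from the LAN
        iifname "lan0" tcp dport { 22, 443 } accept
    }
}
```

Load it with `nft -f` and confirm with `nft list ruleset` that both chains show `policy drop` before trusting it; add explicit `accept` rules for any service you deliberately expose.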
I don't really care about that, since my threat model doesn't involve Hetzner looking through my photos and training an AI model on them. If/when I move this off to my own hardware, then I'll do full disk encryption, since my threat model may involve someone stealing my hardware.
Just use rclone if you need to turn object storage semantics usage into an encrypted mount.
It doesn't do well with non-object-storage access patterns but we're not putting an sqlite database on it here so that should be fine.
rclone has a `crypt` layer you can just paper over any of its backends and still access through any of its comfortable ways.
I'd personally likely bind mount the database folder over the rclone mount or the other way around, as needed to keep that database on a local filesystem.
Every background service wants some screen estate in the menu bar, but the app that I need is always hidden behind the notch of my MacBook. Why can’t I hide the ones I don’t frequently need?
You can Command-Drag some of them off the menubar. It doesn't work in every case, but it might help. Plus there are tools like Ice and Bartender that help you hide most or all of them.
I don't think a project's core security concerns should be left up to my charity.
I get why they need the permission to implement their cutesy drag and drop interface.
But I'd like to hear why these apps can't continue to hide menu icons after you've revoked the permission. Ice and Bartender at least require you to grant it at all times last I looked a few months ago.
As far as I understand it works by grabbing screenshots of your menu bar and redrawing overtop of it. It can't do that if it doesn't have the permission to do screengrabs.
Unless we're just waiting on someone to figure out another genius workaround, that's the case, yes. Macs are not Linux, for better and for worse.
To be honest it seems crazy at this point an overflow for menu bar items isn't built into macOS, especially now that all their laptops have this notch that can hide menu bar items if you have too many. Plus it competes with space with the dropdown menu items on the left since if an app has too many they'll wrap to the other side of the notch.
Maybe I can redeem myself by clarifying that the real frustration here is with bad macOS UX, not people trying to hack around it. I barked up the wrong tree.
Calling it out only because I don’t see it mentioned - until last year, Bartender was one of the popular go-to tools to manage menu bar items, but it fell from favor after quietly changing owners, changing certs, general shadiness https://forums.macrumors.com/threads/psa-bartender-mac-app-u...
A specific and relevant reminder why open source is so important for system utilities.
Many apps offer hiding their menubar icon as an option. I'm always looking for that option and I managed to get a super clean menubar[1] — without sacrificing features or apps I need. The “11m” icon is from a little gem called Aware[2].
You should know at some point in the past year or so it was silently sold to a shady company which makes me VERY wary for something I gave screen recording permissions to. I'd never install Bartender on my machine again.
I am not! Bought the program about a month ago and it’s really buggy on macOS 15. You can clearly tell that it was developed for some previous macOS version and has been since then forgotten.
In Gmail, I try to archive or delete everything that I’m done with, but it’s difficult to keep up with many notifications flowing in, which I don’t delete immediately or are relevant for the next few days and I never get back to. It’s easy to get behind.
I’ll try your approach of setting up a default section for ‘is:starred OR is:unread’ and stop bothering with the archive step.
If you look at it, everything is eventually archived. You have to stop looking at it; hence the `is:starred OR is:unread`.
I don't delete emails except for ephemeral transactional emails. I still have emails from the early 2000s and have surprised people by replying from then or continuing a conversation, reminding them that we talked way back in time.
You can add your download folder to `$daily_clean_tmps_dirs` in `/etc/periodic.conf` and files not accessed for three days will automatically be deleted. See `/etc/defaults/periodic.conf` and `/etc/periodic/daily/110.clean-tmps`.
Can MRSK be used to manage deploying applications that are distributed as Docker images, such as Adguard Home?
I see there is support for ‘accessories’ such as Redis. What if I only want to deploy an image and skip building a Dockerfile and pushing it to a registry?
What hardware would be recommended for a Tailscale subnet router between two sites with a GBit link? Saturating a full-duplex GBit link would require two LAN ports, ruling out the option of a raspberry pi, wouldn’t it?