this post was submitted on 23 Jul 2023
51 points (96.4% liked)

Piracy: ꜱᴀɪʟ ᴛʜᴇ ʜɪɢʜ ꜱᴇᴀꜱ

54577 readers
100 users here now

⚓ Dedicated to the discussion of digital piracy, including ethical problems and legal advancements.

Rules • Full Version

1. Posts must be related to the discussion of digital piracy

2. Don't request invites, trade, sell, or self-promote

3. Don't request or link to specific pirated titles, including DMs

4. Don't submit low-quality posts, be entitled, or harass others



Loot, Pillage, & Plunder

📜 c/Piracy Wiki (Community Edition):


💰 Please help cover server costs.

Ko-Fi Liberapay
Ko-fi Liberapay

founded 1 year ago
MODERATORS
 

I would really appreciate it if someone would double check me. Sorry for the screenshot. Either the Lemmy code button isn't great or I'm just dum at formatting.

This has local *arr servers available and traceroute shows me going through the VPN.

The largest blue blotch is the ip address of a mullvad vpn server.

Rpi4, Raspberry Pi OS lite.

Mullvad VPN. IPv6 has been nuked. Using Wireguard through wg-quick.

wg2 originates from a .conf file from Mullvad with IPv6 stripped.

Do these UFW settings look right?

top 9 comments
sorted by: hot top controversial new old
[–] kowcop@aussie.zone 13 points 1 year ago (2 children)

Pretty sure DNS is 53 UDP. Not sure if you meant it like that.

Port 53 TCP is for dns zone transfers

DNS vc is used for any dns request, not just zone transfers. UDP can sometimes fail in some situations, in which case the client will fall back to TCP which will keep it working.

[–] Machinist@lemmy.world 3 points 1 year ago (2 children)

I've got 53 and 5353 open so that DNS will work for my local network when connecting to *arr and jellyfin.

I.E. type raspberrypi:8989 in a browser to bring up Sonarr.

Should I restrict to UDP?

[–] kowcop@aussie.zone 6 points 1 year ago

Just did some reading as it has been many years since I did firewall.. looks like dns is mostly UDP, but fails over to TCP if the dns reply exceeds 512bytes.

No, you should keep both udp and tcp port 53 open going out. blocking dns vc/tcp will result in dns being partially broken.

[–] dragonfly4933@lemmy.dbzer0.com 5 points 1 year ago (2 children)

Why would you strip ipv6 if mullvad supports it. The reason people disable or block v6 are for 2 reasons, ignorance, and/or the vpn providor doesn't support ipv6. V4 and v6 can and usually do run at the same time (this is called dual stack), so if the vpn only touches the v4 side of things, v4 will be tunneled while v6 will be unaffected.

Also, the firewall doesn't matter if you use a torrent client that can just bind to the wg interface (assuming there is no nat being performed from the wg interface to the physical interface). The client will take one or all of the ips on the interface, which will make it impossible to leak IP directly assuming your switch or router doesn't also have an ip in the same subnet as your wg interface ip.

I don't know UFW, but if you run iptables-save or nft list ruleset i can take a look to see if it is sane.

But what i can tell is that it might work. You appear to be only allowing public traffic to wg. It should be noted that this setup will likely fail at some point because you are hard coding the IP. It should fail safe, but the public internet will not work.

[–] Mixel@feddit.de 5 points 1 year ago (1 children)

I think I'm just ignorant 😅 I know how ipv4 works and all the addressing and that's why I'm currently sticking to it I just couldn't really wrap my head about ipv6 I guess there aren't any major changes just other addressed

There are definitely differences, but usually they don't matter from a simple address and routing perspective.

For example, there is no ARP in IPv6. Instead another protocol is used called Neighbor Discovery Protocol, which actually is done through ICMPv6. Therefore, if you blindly block all ICMPv6, your network may break.

Once you have a grasp on v6, it is much better than v4 because even the smallest common v6 network size of /64 is many times larger than all the addresses in v4. Every device can have it's own global ip, so you no longer need nat at all. Everything can easily connect, assuming there is no firewall blocking it.

[–] Machinist@lemmy.world 4 points 1 year ago

I'm stripping ipv6 because I'm ignorant on a lot of this and a lot people say it's bad and show how to strip it. I'm a script kiddie in a old guys body.

I ran both iptables-save and nft list ruleset but, the output was so offensively formatted when inserted into Lemmy, I'll wait until I've had some sleep to try and get it legible.

Right, fail safe is the concern, I couldn't get the kill switch to work so I started monkeying with UFW.