
Asteroza (N/A)
User

Projects

User does not belong to any projects.

User Details

User Since
Mar 3 2016, 10:58 PM (419 w, 4 d)

Recent Activity

Aug 31 2021

Asteroza added a comment to T3784: can't build iso with custom built iptables .

Unlikely but, possible MD5 hash collision?

Aug 31 2021, 1:36 AM · VyOS 1.4 Sagitta

Mar 23 2021

Asteroza added a comment to T3420: Support UPNP protocol.

There are genuine use cases, especially for small/home networks. But UPnP is a literal minefield of problems, and on top of that has had some serious security issues in the past due to fundamental design. If you were going to do this, I would want it off by default.

Mar 23 2021, 5:31 AM · VyOS 1.4 Sagitta (1.4.0-epa), Restricted Project

Dec 2 2020

Asteroza added a comment to T3096: Add a build option to disallow live CD boot.

I think the intention here is by default build with no liveCD support, and use the flag to explicitly build liveCD images when needed. The justification is if an image is cloud type image, there are certain security assumptions about the live network the image is connected to (because many cloud providers provision an image via information over specific link local addresses). If you boot a physical PC with a cloud ISO, you run the risk of exposing cloud-init to the local network, which would allow trivial takeover.

Dec 2 2020, 2:40 AM · VyOS 1.4 Sagitta

Oct 26 2020

Asteroza added a comment to T3015: It's over 9000! Super Jumbo Frame Support.

Don't some 10G/40G/100G gear support some megajumbo frame sizes now as well? Not sure about the 2.5/5G stuff though...

Oct 26 2020, 1:34 AM · VyOS 1.3 Equuleus (1.3.0)

Oct 20 2020

Asteroza added a comment to T2997: DHCP: disallow/do-not-request certain options when requesting IP address from server.

I can see a case where people deliberately do NOT want to use ISP-provided DNS servers (to avoid DNS NX hijacking), and/or want to lock to a major internet DNS server like Google 8.8.8.8 or Quad9 9.9.9.9 or Cloudflare 1.1.1.1, for example.

Oct 20 2020, 12:25 AM · VyOS 1.3 Equuleus (1.3.0)

Sep 4 2020

Asteroza added a comment to T563: webproxy: migrate 'service webproxy' to get_config_dict().

I've previously mentioned light blocking (domain level, gTLD level), but with the increasing amount of DoH, having a means to kill off DoH and force special DNS processing, including offload to a separate DNS server (managed by a security appliance for example, say PiHole or similar) would be valuable.

Sep 4 2020, 4:32 AM · VyOS 1.3 Equuleus (1.3.0-epa1)

Sep 1 2020

Asteroza added a comment to T291: support for Predictable Network Interface Names.

The bad behavior of udev/systemd was a topic of an interesting twitter thread...

Sep 1 2020, 1:00 AM · VyOS 1.5 Circinus

Jun 24 2020

Asteroza added a comment to T2630: Allow Interface MTU over 9000.

There is the weird area here, as 1G interfaces are generally capped at 9K more or less (whether limits include those overheads or not is always weird, such as switches saying they are 9K but also 9120). For VM nics, you're never completely sure of what the host or what the switches directly connected to the hosts will allow either.

Jun 24 2020, 2:29 AM · VyOS 1.3 Equuleus (1.3.0)

Nov 14 2019

Asteroza added a comment to T1802: Wireguard QR code in cli for mobile devices.

The suggested debian package qrencode seems handy for terminal use. Actually, using QRcodes to transfer information would be interesting for other uses as well, such as exporting other kinds of keys such as OpenVPN. As a remote support measure, if a config is causing issues that prevent remote login, having a local login being able to emit the current config as a QRcode might be interesting...

Nov 14 2019, 12:57 AM · VyOS 1.3 Equuleus (1.3.0), VyOS 1.4 Sagitta

Nov 4 2019

Asteroza added a comment to T921: Encrypted DNS.

Wait, Argo tunnel uses Cloudflare's WARP VPN system, which under the hood is basically wireguard...

Nov 4 2019, 12:29 AM · VyOS 1.4 Sagitta

Oct 16 2019

Asteroza added a comment to T1732: Removing vyatta-webproxy module.

One might need to differentiate between transparent bump-in-the-wire type squid deployments, and running it as a known proxy (delivered via DHCP and an onboard PAC file). Plus any kind of speedbump captive portal. I know one place specifically uses it to force clients to expose connecting hostname due to the use of the CONNECT command for TLS connections, for passive logging on the wire. Which will get interesting with the emergence of DoH and DoT in mainstream browsers, and enterprise efforts to kill that off.

Oct 16 2019, 1:49 AM · VyOS 1.3 Equuleus (1.3.0)

Sep 10 2019

Asteroza added a comment to T1644: Wireguard listen ports lower than 1024.

Actually somebody made a nifty websocket tunnel named wstunnel (similar to stunnel conceptually, but websockets are more natural for tunneling generic binary protocols thanks to WebRTC...) that seems to work alright for Wireguard.

Sep 10 2019, 1:06 AM · Rejected
Asteroza added a comment to T1644: Wireguard listen ports lower than 1024.

As long as the local nginx is not listening on the external interface on udp/443, functionally there should be no limitation to running wireguard on 443 there. A convoluted script to check that the current config has no existing 443 mapping is one solution, but that seems a bit fragile, and wouldn't really tell you where in the config the blocking 443 instance is.

Sep 10 2019, 12:30 AM · Rejected

Jun 27 2019

Asteroza added a comment to T1443: New "service https" implementation.

Just to confirm, HTTP proxy in this context being nginx being a reverse proxy frontend for GUI and API HTTP servers, likely living on localhost bindings, right?

Jun 27 2019, 7:34 AM · VyOS 1.2 Crux (VyOS 1.2.3)

Apr 25 2019

Asteroza created T1353: Termshark • A terminal UI for tshark, inspired by Wireshark.
Apr 25 2019, 3:27 AM · Rejected

Nov 5 2018

Asteroza added a comment to T962: Intel 520 card requires modprobe option when using non-Intel SFP.

I think Intel now even recommends using Brocade 1 gigabit modules for SFP+ ports when needing to downgrade a 10G port to gigabit, since they no longer manufacture 1G modules, so this is bound to bite people. Perhaps default to adding allow_unsupported_sfp=1 for the various Intel drivers?

Nov 5 2018, 12:02 AM · VyOS-1.2.0-GA, VyOS 1.2 Crux (VyOS 1.2.0-rc8)

Aug 8 2018

Asteroza added a comment to T427: Wireguard support.

Apparently Linus loves Wireguard as well now.

Aug 8 2018, 5:19 AM · VyOS-1.2.0-GA, VyOS 1.2 Crux (VyOS 1.2.0-rc1)

Jun 29 2018

Asteroza added Q50: Any hope for DPDK? (Answer 207).
Jun 29 2018, 5:17 AM

Jun 27 2018

Asteroza created T718: add minor console monitoring utilities to base image (htop, bmon, iotop, atop).
Jun 27 2018, 6:29 AM · VyOS-1.2.0-GA, VyOS 1.2 Crux (VyOS 1.2.0-rc4)

Jun 13 2018

Asteroza updated the task description for T694: netboot PXE/gPXE/iPXE support.
Jun 13 2018, 7:35 AM · VyOS 1.4 Sagitta
Asteroza added a comment to T692: TFTP server functionality.

Added a child feature request for iPXE.

Jun 13 2018, 7:11 AM · VyOS-1.2.0-GA, VyOS 1.2 Crux (VyOS 1.2.0-rc1)
Asteroza added a parent task for T694: netboot PXE/gPXE/iPXE support: T692: TFTP server functionality.
Jun 13 2018, 7:09 AM · VyOS 1.4 Sagitta
Asteroza added a subtask for T692: TFTP server functionality: T694: netboot PXE/gPXE/iPXE support.
Jun 13 2018, 7:09 AM · VyOS-1.2.0-GA, VyOS 1.2 Crux (VyOS 1.2.0-rc1)
Asteroza created T694: netboot PXE/gPXE/iPXE support.
Jun 13 2018, 7:08 AM · VyOS 1.4 Sagitta

Jun 12 2018

Asteroza added a comment to T692: TFTP server functionality.

If you are going to do this, then there's the related issue of whether or not to put in PXE/gPXE/iPXE related stuff to support netbooting things.

Jun 12 2018, 2:35 AM · VyOS-1.2.0-GA, VyOS 1.2 Crux (VyOS 1.2.0-rc1)

May 28 2018

Asteroza added a comment to T427: Wireguard support.

Algo VPN, the premier personal IPSEC VPN distro, is now preparing to bake in wireguard. Admittedly their distro is intended for disposable VPN VMs, but they seem to think wireguard is close to production ready. It seems they are moving to wireguard for Android client connections.

May 28 2018, 11:52 PM · VyOS-1.2.0-GA, VyOS 1.2 Crux (VyOS 1.2.0-rc1)

May 21 2018

Asteroza added a comment to T637: Replace tshark with tcpdump.

I wasn't sure if we were maintaining our own package or not. If we're pulling updates from Debian security updates directly, then I see no problem. The researcher is still collecting and analyzing the fuzzer run so no published reports as of yet.

May 21 2018, 12:38 AM · VyOS-1.2.0-GA, VyOS 1.2 Crux (VyOS 1.2.0-rc1)

May 17 2018

Asteroza added a comment to T637: Replace tshark with tcpdump.

Fair warning: there's a security researcher currently fuzzing tcpdump who has been finding some stack overflow bugs, so expect a package update or two in the not so far future...

May 17 2018, 4:41 AM · VyOS-1.2.0-GA, VyOS 1.2 Crux (VyOS 1.2.0-rc1)

Feb 9 2018

Asteroza added a comment to T380: Add system service fail2ban.

Straight firewalling won't help if the logon attempts still come from a presumably trusted LAN. I like the idea of at least a temporary lockout to prevent mass attempts when someone is running a big password list, though the utility of this naturally drops if VyOS can be fingerprinted before the attempt and the instance runs with a default password, but that's a sysadmin problem.

Feb 9 2018, 4:08 AM · Invalid
Asteroza added a comment to Q132: Supported dynamic DNS providers.

How about

Feb 9 2018, 4:03 AM · Restricted Project, VyOS 1.2 Crux
Asteroza added a comment to T427: Wireguard support.

Q82 Wireguard?

Feb 9 2018, 3:52 AM · VyOS-1.2.0-GA, VyOS 1.2 Crux (VyOS 1.2.0-rc1)

Nov 29 2017

Asteroza added a comment to V5: Should we keep web proxy functionality in base 1.2/1.3/2.0?.

I suppose I should also mention that I am also using a proxy PAC file hosted on the internal lighttpd instance, served over HTTP (again, can't use HTTPS due to certificate trust issues for unknown client PCs), which is important because the DHCP server currently designates the URL of the PAC/WPAD file.

Nov 29 2017, 7:12 AM · VyOS 1.3 Equuleus, VyOS 1.2 Crux

Nov 27 2017

Asteroza created T478: Firewall address group (multi and nesting).
Nov 27 2017, 12:48 AM · VyOS 1.4 Sagitta
Asteroza added a comment to V5: Should we keep web proxy functionality in base 1.2/1.3/2.0?.

I do use squid in production, but without the hardcoded blacklists, rather my own local list only, and as an explicit proxy with a rejection message locally hosted as HTTP on the inbuilt lighttpd instance (can't serve HTTPS rejections because of certificate trust issues).

Nov 27 2017, 12:45 AM · VyOS 1.3 Equuleus, VyOS 1.2 Crux

Nov 23 2017

Asteroza asked Q115: OpenR for routing engine?.
Nov 23 2017, 3:38 AM · VyOS 2.0.x

Sep 15 2017

Asteroza added a comment to T379: UDP Broadcast Packet Relay.

This could be possibly used for targeted Wake-on-LAN packet relaying as well...

Sep 15 2017, 4:06 AM · VyOS-1.2.0-GA, VyOS 1.2 Crux (VyOS 1.2.0-rc1)