Andree Toonk
atoonk.bsky.social
I like Internet infrastructure engineering 🇳🇱 in Vancouver🇨🇦 https://toonk.io/
This was posted in the Equinix Metal community Slack a few days ago.
November 17, 2024 at 7:29 PM

To be clear, there's no issue here, this was just me being curious 🤓 Either way, that was my geeky early Saturday morning: a mix of coffee, FreeBSD, Go, and curiosity.
Anyone still use hosts.allow style filtering?
Example code for the curious: gist.github.com/atoonk/8863c...
A simple Go TCP server demonstrating how to use libwrap with /etc/hosts.allow and /etc/hosts.deny for access control. The server listens on port 12344 and filters client connections based on TCP Wrapp...
November 16, 2024 at 8:50 PM
I'm sure there's a good reason though. My guess? Likely performance related. Avoid using pf to squeeze more performance out of these boxes and make them more resilient against attacks.
November 16, 2024 at 8:50 PM
Now, I have no idea if Netflix uses this method; it could be in-app (bgpd/sshd) filtering, or some other proxy thing (even nginx) filtering TCP entirely. What's intriguing to me is the choice not to use the kernel firewall (pf) for this kind of traffic filtering, as that would be the "obvious" choice.
November 16, 2024 at 8:50 PM
To make it interesting, I wrote a simple Go program that integrates with libwrap, the library enabling /etc/hosts.allow functionality. Sure enough, when adding a deny statement, I replicated the same behavior: TCP session established, followed by an immediate disconnect.
November 16, 2024 at 8:50 PM
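An added example (not the gist linked above, and not libwrap itself): the same hosts.allow/hosts.deny semantics written in pure Go with no cgo, so it shows why a denied client still sees the TCP handshake complete before the socket is closed. The names (Rule, ParseRules, HostsAccess, Serve) are this example's own, only the ALL, CIDR and exact-address client patterns are implemented, and the rule lines used in testing are constructed.

```go
package main

import (
	"net"
	"strings"
)
// Rule is one "daemon_list : client_list" line from hosts.allow or hosts.deny.
type Rule struct{ Daemons, Clients []string }
// ParseRules reads hosts.allow/hosts.deny style text, skipping comments and blank lines.
func ParseRules(text string) (rules []Rule) {
	split := func(s string) []string { return strings.Fields(strings.ReplaceAll(s, ",", " ")) }
	for _, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if parts := strings.SplitN(line, ":", 2); len(parts) == 2 && line[0] != '#' {
			rules = append(rules, Rule{split(parts[0]), split(parts[1])})
		}
	}
	return rules
}
// matches reports whether some rule names the daemon (or ALL) and matches the client.
// Client patterns handled: ALL, a CIDR block, an exact address (no hostnames or EXCEPT).
func matches(rules []Rule, daemon string, ip net.IP) bool {
	for _, r := range rules {
		for _, d := range r.Daemons {
			for _, c := range r.Clients {
				_, cidr, err := net.ParseCIDR(c)
				clientOK := c == "ALL" || (err == nil && cidr.Contains(ip)) || ip.Equal(net.ParseIP(c))
				if (d == "ALL" || d == daemon) && clientOK {
					return true
				}
			}
		}
	}
	return false
}
// HostsAccess follows libwrap's order: hosts.allow first, then hosts.deny, default allow.
func HostsAccess(allow, deny []Rule, daemon string, ip net.IP) bool {
	return matches(allow, daemon, ip) || !matches(deny, daemon, ip)
}
// Serve accepts every connection (the TCP handshake completes) and immediately closes
// those from denied peers: the accept-then-disconnect the thread describes.
func Serve(ln net.Listener, allow, deny []Rule, daemon string, handle func(net.Conn)) {
	for conn, err := ln.Accept(); err == nil; conn, err = ln.Accept() {
		if HostsAccess(allow, deny, daemon, conn.RemoteAddr().(*net.TCPAddr).IP) {
			go handle(conn)
		} else {
			conn.Close()
		}
	}
}
```

Because the check runs only after Accept returns, a port scanner sees the port as open even though every denied client is dropped a moment later; a kernel-level filter such as pf would instead block or reset the SYN before any session exists.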
It’s been about 20 years since I last used that feature, but I woke up early this morning, made some coffee, and decided to revisit it and poke around 🤓. I spun up a FreeBSD box on Vultr (Netflix famously uses FreeBSD for their caching servers) and started experimenting with /etc/hosts.allow.
November 16, 2024 at 8:50 PM
It got me wondering: Is this filtering happening in the applications themselves (e.g., sshd or bgpd) or somewhere else? Or perhaps a blast from the past... could this be the classic /etc/hosts.allow and /etc/hosts.deny at play?
November 16, 2024 at 8:50 PM
Running an nmap scan, I noticed something interesting: ports 22 (SSH) and 179 (BGP) appeared to be wide open. This surprised me; we all know best practice dictates that sensitive services like these should only be accessible from trusted sources, not the wide open internet?!
November 16, 2024 at 8:50 PM
Hmm, interesting.
Project for later 🤓 thanks 🙏
November 11, 2024 at 3:58 AM
It feels friendly :) great first impression
And yeah, reminds me of early Twitter days 😀
a man in a suit and tie is running down a sidewalk and says `` let me in '' .
November 11, 2024 at 1:21 AM
a white cat wearing a pink knitted hat with ears
November 11, 2024 at 12:19 AM