oO.o's Neverending Tech Blog

what about nft… isn't that replacing iptables on Linux?

1 Like

Yeah, firewalld is switching to nft. I’ll still use whatever stock solution to run a local firewall on a Linux host, but I don’t think I’ll use Linux as an edge gateway again.

Not that I was using a home brew Linux gateway at any point, but Ubiquiti is Linux under the hood, as is MikroTik, IPFire, etc.

1 Like

pfchad

Soon™

#       $OpenBSD: pf.conf v 1.55 2017/12/03 20:40:04 sthen Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf

include	"/etc/pf.conf.d/00-macros.conf"
include	"/etc/pf.conf.d/01-tables.conf"
include	"/etc/pf.conf.d/10-policy.conf"
include	"/etc/pf.conf.d/20-if-lo.conf"
include	"/etc/pf.conf.d/21-if-egress.conf"
include	"/etc/pf.conf.d/30-if-adm-oobm.conf"
include	"/etc/pf.conf.d/31-if-adm.conf"
#include	"/etc/pf.conf.d/32-if-adm-net.conf"
#include	"/etc/pf.conf.d/33-if-adm-srv.conf"
#include	"/etc/pf.conf.d/34-if-adm-dom.conf"
#include	"/etc/pf.conf.d/35-if-adm-iaas.conf"
#include	"/etc/pf.conf.d/36-if-adm-physec.conf"
#include	"/etc/pf.conf.d/37-if-adm-desk.conf"
include	"/etc/pf.conf.d/40-if-net-oobm.conf"
include	"/etc/pf.conf.d/41-if-net.conf"
include	"/etc/pf.conf.d/50-if-srv-oobm.conf"
include	"/etc/pf.conf.d/51-if-srv.conf"
include	"/etc/pf.conf.d/60-if-dom-oobm.conf"
#include	"/etc/pf.conf.d/61-if-ad.conf"
include	"/etc/pf.conf.d/62-if-ipa.conf"
include	"/etc/pf.conf.d/70-if-iaas-oobm.conf"
include	"/etc/pf.conf.d/71-if-ovirt-migrate.conf"
include	"/etc/pf.conf.d/71-if-ovirt-stor.conf"
include	"/etc/pf.conf.d/71-if-ovirt.conf"
#include	"/etc/pf.conf.d/72-if-vsphere-stor.conf"
#include	"/etc/pf.conf.d/72-if-vsphere.conf"
#include	"/etc/pf.conf.d/73-if-proxmox-stor.conf"
#include	"/etc/pf.conf.d/73-if-proxmox.conf"
#include	"/etc/pf.conf.d/80-if-physec-oobm.conf"
#include	"/etc/pf.conf.d/81-if-surveillance.conf"
#include	"/etc/pf.conf.d/90-if-client-oobm.conf"
#include	"/etc/pf.conf.d/91-if-dept.conf"
#include	"/etc/pf.conf.d/92-if-voip.conf"
#include	"/etc/pf.conf.d/93-if-print.conf"
include	"/etc/pf.conf.d/a0-srv.conf"
include	"/etc/pf.conf.d/b0-user.conf"
#include	"/etc/pf.conf.d/c0-process.conf"
include	"/etc/pf.conf.d/d0-proxy-relayd.conf"
include	"/etc/pf.conf.d/d1-proxy-ftp.conf"
include	"/etc/pf.conf.d/e0-drop.conf"
include	"/etc/pf.conf.d/f0-allow.conf"


# vim: ts=8:sw=8:sts=8:noet

This is a pretty good illustration of why I found pfsense’s GUI-only configuration to be insufficient.

5 Likes

after about three or four tries… I figured out you were likely trying to say pf chad… but I kept seeing PFC Had.

4 Likes

Lol yep. As in “Block like a Chad” or something (idk, it was around 3am).

1 Like

Man, this has been bumming me out all day. What is GPL even for if this is possible? I just want to buy a piece of hardware and install an open source operating system on it with no support. Yet I cannot without paying an OSS-hostile company to do so. What?

3 Likes

The beauty of GPL is that you don’t have to pay the $970 for Debian.

GPL covers software, not hardware. Unfortunately, hardware is still locked down, and money-grubbing companies gonna be money grubbing companies.

2 Likes

I don’t mind buying the switch, just the Debian fork I don’t want to pay for. I wish someone would fork Cumulus but I suspect that it relies on a lot of non-free drivers to be of any use by itself.

1 Like

There’s some crazy stuff on eBay…

2 Likes

Some good news that went under my radar.

I’ve been using a mix of Cloudflare and Quad9 but might go back to pure Quad9.

3 Likes

Hmm, that might be a better alternative to me running my own DNS off of the root servers…

Might anonymize you better?

What are you using for that? Bind or something else?

Really makes you wonder why they’re priced so low.

1 Like

It’s looking to me like a lot of these ONIE switches run Open Network Linux, which seems to be abandoned/replaced with SONiC, but they aren’t on SONiC’s hardware compatibility list. They do support some commercial NOSes, but those are really expensive.

So you’re buying a switch with an EOL OS.

2 Likes

Unbound. At first running on Linux, and (for) now on pfSense. It will query the root servers if not explicitly set up to do differently.

1 Like

Do you mind posting that config? I don’t think I’ve seen that done before. I’m also using unbound, but DoT to Quad9 and Cloudflare.
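As an added example (not the config the poster was asked for, and not from anyone in this thread): a minimal unbound.conf showing the two resolver modes described above, a full recursive resolver that walks down from the root servers on its own, and the alternative of forwarding everything over DNS-over-TLS to Quad9 and Cloudflare. The trust-anchor, root-hints and CA-bundle paths are assumptions; adjust them to your distribution's (or pfSense's) layout.

```conf
# Added example: unbound.conf with the two resolver modes discussed in the thread.
server:
    interface: 127.0.0.1
    interface: ::1
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow
    # Validate DNSSEC regardless of which upstream mode is in use.
    auto-trust-anchor-file: "/var/unbound/db/root.key"   # path is an assumption
    harden-dnssec-stripped: yes
    harden-glue: yes
    qname-minimisation: yes
    # Mode 1 (the "query the root servers" setup): with no forward-zone below,
    # unbound iterates from the root by itself. A root hints file is optional
    # (a list is compiled in) but keeps the root server list current.
    # root-hints: "/var/unbound/etc/root.hints"          # path is an assumption
    # CA bundle used to authenticate the DoT upstreams in mode 2.
    tls-cert-bundle: "/etc/ssl/cert.pem"                 # path is an assumption

# Mode 2 (forward everything over DNS-over-TLS to Quad9 and Cloudflare).
# Comment out this whole block to fall back to mode 1. The host name after '#'
# is what unbound checks against the upstream's certificate, so a wrong name
# fails closed instead of silently talking to an impostor.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
```

`unbound-checkconf` validates the file, and `unbound-host -C unbound.conf -v example.com` shows whether the answer came back marked (secure), which is the quick check that validation is actually on in either mode.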

Yes.

Yes I would.

2 Likes

Ha, still working on it. It’s changed structure a bit also.

1 Like

Awesome, looking forward to it.

I saw I don’t like FreeBSD, but yet I lean heavily on and really like pfSense and FreeNAS.

The latter, I’m sooooo stoked TrueNAS SCALE is a thing. Can’t wait for it to become stable and migrate over to it. Just feel like, being Linux, it will grow faster, have more support, more documentation, more documented and vetted ‘tweaks’ possible.

1 Like

I just hope I can install apt packages on it without breaking the whole system and being yelled at in the TrueNAS forum.

3 Likes