I think CNCF is at the point where you can assume that "there's a CNCF project for that" is true for anything container/kubernetes related.

https://www.cncf.io/projects/containerssh/

Until something forces the transition nothing is going to change.

And before now, there were still some unused addresses available. We've just begun the phase where we have to scrounge for loose change in the couch cushions. Previously there was money in the wallet. (Only a little, but that's what you use first.)

My guess is scrounging will initially be easy. Then it will get gradually harder, until eventually it becomes easier to just use IPv6, and then people will switch over.

(And apparently the police are not big fans either, as it makes it more difficult to track down miscreants).

From a consumer standpoint the problems I've run into and heard about are:

1. Can't use port-forwarding anymore since you can't configure the ISPs router doing the NAT

2. A bad neighbor sharing your IP can get you IP banned on sites that still think IP address is a good way to block/throttle bad players

3. Connections can be unstable if there's a lot of connections going on, so prime-time can often run into issues.

Not at all, it's a stupid idea. You are trying to nail down an identity without authentication, that can not work. If you use credentials with sufficiently high entropy, which you should do anyway, you don't have a problem that this could be the solution to.

In Finland 2 out of 3 mobile operators give you IPv6 by default (and mobile data usage is very high).

This is the chicken-and-egg problem that all new networks are facing with regard to IPv6 adoption. In order to have a usable network, you have to support IPv4 to all endpoints. But once you have v4 at all endpoints, the incentive to run v6 is greatly diminished.

As always, v6 needs a "killer app" that Grandma wants to use that is unavailable over the v4 internet, and then network administrators could use the actual demand from their customers as a justification for moving to v6. Unfortunately, at the moment, the list of v4-only must-have apps is still greater than the list of v6-only must-have apps.

Amusingly that's how mobile/smartphones are supposedly run: the devices get IPv6-only, and if they need to hit an IPv4-only address they are CGNATed.

* https://www.internetsociety.org/resources/deploy360/2014/cas...

* https://blogs.akamai.com/2016/06/preparing-for-ipv6-only-mob...

They certainly could be using CGNAT, but that seems like a weird way to do it.

How are you able to tell with IPv4? You cannot run ifconfig on an iPhone, so how are you determining that?

Maybe we've done too early (it was about five years ago maybe, I don't really remember exactly) and now tooling is better, idk

Unfortunately Virgin Media (my ISP) are still dragging their heels but have decided to go with DS-Lite.

Many large cable ISPs in the USA have been running IPv6 internally for years now. They likely have some of the largest deployments if you account for all their IP managed gear.

Of course, these are the same ISPs that already provide a dual-stack gateway to their customers.

CableOne/Sparklight says hi, because they have zero intention on deploying v6 for the foreseeable future.

At least in Poland, you must provide law enforcement with information about your subscriber for any given 5-tuple at a given time (timestamp, {src,dest}{ip,port} and protocol). If you're CGNATing everyone, you have to either:

- log all outgoing connections (which is a GDPR hazard)

- design your CGNAT to use static outgoing ports for a given customer (but then you're running out of ports pretty fast, if you're doing anything close to >=500 subscribers)

With IPv6, you can just immediately tell who the subscriber is based on the IP address, and as such don't have to log anything.

Most of the stuff regular people care about performance for is on CDNs that support IPv6 (or is YouTube, Netflix etc)

https://www.aussiebroadband.com.au/help-centre/nbn/tech-supp...

The adoption rate has been really slow.

If everyone is routable it cuts the gordian knot in the "What kind of content should be allowed on our platform?" question by allowing everyone to simply be their own platform. If ipv6 gets adopted fast enough it might just save the 'net from being just a more privacy invasive form of television.

This is such a great analogy.

The Internet has become a dopamine fix. Platforms are generic and inflexible. (Remember when you could change the HTML?) Content is watered down or demonetized for the sake of ad money (Youtube, Tumblr). You can't read the news without getting a video ad shoved down your throat. Commercial video is DRM'd. Browsers (read: Chrome) enables websites to prevent you from copying text or viewing source images. Your every move is tracked to better target ads and sell your profile.

    * {
      -webkit-user-select: text !important;
      user-select: text !important;
    }

It is incredible how much more palatable the web becomes with uBlock Origin + uMatrix + Stylus. Not optimistic for the web in the long term, though.

Example: https://www.ghacks.net/2016/05/24/chrome-copy-text-manipulat...

Your comment brings a whole new angle to IPv6 I hadn't before considered. Having each packet routable straight to a TCP/UDP port number eliminates the complexities of NAT. Since the {hard,soft}ware that handles NAT wouldn't be needed, perhaps a shift to IPv6 could also give throughput gains.

It does, although barely noticeable. More noticeable is the cost to ISPs for carrier-grade NAT equipment.

I have even found that real world IPv6 addresses are not quite as bad as they look. We have all seen the auto-generated ones and they look awful but you don't actually use those as such. For example you are allocated a /48 prefix: 2001:db8:1234:: in general you might think of the ISP as 2001:db8:: and your site as 2001:db8:1234::. Your first subnet might be say 000a or simply "a" for VLAN 10 because you decide not to allocate IPv6 to your default VLAN 1 and start with your current PC VLAN which is 10.123.10/24. In IPv4 you have 10.123.10.1 as the default gateway (VRRP) with .2 and .3 for the physical routers. Hence your PC VLAN routers get given 2001:db8:1234:a::2 and 3 and ::1 for the VRRP address. You can play games with 1337 addresses using 0-9a-f eg face:b00c sigh.

Ultimately, technologies are less important than public opinion, politics and commerce in dictating how the net goes.

* Or a single trackable address range, no matter. Yes, ISPs could do differently. Why would they? All the incentives are on the other side.

Sorry, but this is incorrect. No matter how you connect to the internet, someone has to agree to route your traffic. Just having an allocation of "public" address space doesn't mean you are free to do whatever you want. Other people have to actually pick up your traffic.

If you don't have an ASN and a core router on a backbone to announce and carry your traffic, and instead are just using what an ISP gave you, you really have almost no control over whether that address is routable, what protocols you can use with it, etc. They can impose the same limits on IPv6 as IPv4 - and in order to reduce overt abuses of their network resources, they almost certainly will.

Remember: passing packets requires real money. The larger the number of packets, the larger the bandwidth used, the larger the concurrent connections, the more money it costs. Any segment in the network that takes up significantly more traffic than another, will end up costing a disproportionate amount of dollars and maintenance to support. So unless you're paying for all of it, you will have limits. And just like every other resource on the planet, some people will have more resources than others.

IPv6 is identical to IPv4 in terms of what "freedom" you have on the internet.

It is easier to offer services on IPv6 IMHO. If you want to have some boxes at home to SSH into, you need to provide port forwarding after the first.

So for the first system in IPv4 you would have pubip:22 -> inta:22, but then you have to do pubip:23 -> intb:22, pubip:24 -> intc:22, etc.

With IPv6 you can just use the hosts' IPv6 addresses and punch holes for :22 for each individual system as desired: no port tomfoolery needed.

The ISP can decide to impose exactly the same limit on allocated IPv6 as IPv4, and charge you for more hosts. Your freedom hasn't changed, only your billing has.

So from where I'm standing IPv6 is not identical to IPv4.

Do you think the adoption of IPv6 would lead ISPs to drop their ban on running servers from non-business accounts?

I don't think that even given widespread IPv6 adoption, we'll ever go back to a model where residential or mobile internet connections will allow for public reachability by default.

Of course, NATs and firewalls are not the same thing (you just effectively happen to get the latter when deploying the former). But I firmly believe that the bulk of technologies that give us dynamic endpoint lookup and coordinated firewall traversal will outlive IPv4 and NAT.

As an anecdotal example, I used to have a mobile data plan that assigned a public IPv4 address to my phone, including inbound TCP/UDP reachability! That's neither good for battery life, nor for data consumption (on a metered plan). By contrast, my current one puts me behind a carrier grade NAT, but I have no problems whatsoever making peer to peer VoIP calls to friends behind the same type of NAT.

Given how sht the security on IoTs is I'm not convinced giving everything a routable IP is a good idea frankly. At least not until the IoT players up their game significantly

Also NAT is not a firewall, but that’s a story for another day.

Home devices are always going to be deployed with an allow outgoing, deny incoming firewall, regardless if they have IPv6 or not. They are identical in terms of security.

It most certainly does. If you have an insecure device behind a nat, say something with telnet sitting open, a port scanner from the outside won't be able to find it (unless you've gone to great efforts to allow inbound connections without an established outbound connection). This is objectively better than if that device were directly addressable.

> Home devices are always going to be deployed with an allow outgoing, deny incoming firewall, regardless if they have IPv6 or not.

Not always. My last router came with the firewall off and that was just a few years ago. A lot of consumer ISPs don't bother with the firewall because they don't want to field customer service calls about things not working.

This is amazing. How does it work? What stops me going to the devices behind the router?

However, I have yet to see proof of any provider that actually deployed home routers this way.

Here's how you do "PAT" on Linux: `iptables -t nat -A POSTROUTING -o wan0 -j MASQUERADE`. Notice how it's limited to outbound connections ("-o wan0")? That means it doesn't apply to inbound connections, and thus doesn't have any effect on the behavior of inbound connections.

If it doesn't have any effect on the behavior of inbound connections, then how could it possibly block inbound connections?

(The typical consumer configuration pairs "PAT" with a firewall, and the firewall does block inbound connections. It's also typical to pair it with RFC1918 addresses, which doesn't block connections but does make it much harder for most people to make the relevant connections in the first place. None of that changes the fact that "PAT" doesn't block connections.)

They obviously can't address traffic directly to 192.168.1.0/24 over the Internet as that's a bogon address and the Internet routers will either reject it out of hand, or not know where to send it.

That's not obvious at all. Now, you obviously can't just inject a packet addressed to 192.168.1.1 anywhere on the internet and expect it to turn up on any particular LAN, but that just excludes a subset of the possible attack vectors for unwanted inbound connections.

Your ISP can still send you packets addressed to 192.168.1.1. Thus, obviously anyone compomising your ISP, or some subset of their routers can as well (hello Cisco hardcoded passwords!). Also, it has happened that ISPs failed to isolate customers from one another (think multiple customers on the same VLAN), so your neighbour could send packets addressed to 192.168.1.1 to your router's WAN interface as well. Or potentially malware on their network, if someone were to systematically exploit such a setup.

It isn't even unheard of that ISPs forgot to disable routing protocols on customer-facing interfaces and some CPE managed to advertise their RFC1918 space via RIP to their ISP's access network.

Or, for that matter, an attacker could just hook into your uplink between you and your ISP, if you are a valuable enough target, to gain access to your CPE's WAN interface.

All of those are actually solved security-wise by having a stateful firewall, which will also prevent inbound connections from anywhere else on the internet.

That (for most average consumers) is a vastly reduced attacker set.

Security is not binary, it's a scale.

Except it really doesn't because you haven't?

There are two practically relevant circumstances where the statement "NAT provides security" is made:

1. With regards to real-world home routers (which also come with a stateful firewall), in which case the statement is simply false: Adding or removing NAT makes no difference whatsoever for security. This is also the scenario that then is used to argue against IPv6, because IPv6 supposedly lacks this security, when it just doesn't, because the IPv6 router also comes with a stateful firewall, and adding NAT (or disabling IPv6 because of a "lack of NAT") achieves absolutely nothing security-wise, because there is no problem in the first place.

2. By people who falsely believe that NAT does in fact prevent all inbound connections and for that reason fail to configure the necessary firewall rules on more business-oriented routers, so the belief that "NAT provides security" keeps them from actually securing their network, and that in particular in scenarios where it is much more relevant than for your typical home user.

So, it is technically true that NAT could have security-enhancing effects under artificial circumstances. But under all real circumstances, it either just doesn't, or the belief that it has is what causes the configuration to be less secure than it easily could be, if only people didn't have the completely not-understood belief that "NAT provides security".

https://www.fourmilab.ch/documents/digital-imprimatur/

by John Walker, of Autodesk fame.

The router has a public IP and everything behind it has a local one. That you can do NAT in different contexts and that technically you could have NAT without the firewall functionality doesn't change that this is 99.9% of all NAT applications.

A bit more text about this concept:

https://security.stackexchange.com/questions/176744/why-is-n...

And this is in fact what we see in the real world with IPv6 deployments. Roughly 50% of my country has IPv6, and every single provider provisions it with sensible default firewall rules.

This is just arguing semantics. It's not "NAT itself", but a side effect of using it is that it requires deliberate effort to allow inbound connections to get to devices behind the router. This has many of the same effective security benefits as a firewall blocking inbound connections does.

Another way of saying this: the companies that make cheap, crappy routers can do the absolute bare minimum and not end up exposing internal devices to inbound internet traffic. So NAT provides security against the cheap, crappy router manufacturers.

With IPv6, the opposite is true: The router manufacturer has to do deliberate extra effort to block inbound connections, beyond just making the router "work". Will most router manufacturers do this extra effort and include a properly-configured firewall? Probably yes, especially if they don't want to get a terrible reputation for being insecure, which would (hopefully) eventually drive them out of business.

Will absolutely 100% of them always do this properly and never make a mistake? I wouldn't bet on it.

Unless your router has UPnP port forwarding enabled—as most home routers do by default, since popular apps require it—in which case any device can open a hole in the firewall for whatever incoming traffic it wants. In this scenario NAT provides no additional protection beyond what the client device could provide for itself by simply not accepting incoming connections. To get security from a NAT setup you need to disable UPnP and manually configure any required port forwarding, which is at least as much effort as properly configuring an IPv6 firewall.

The right solution IMHO is to have a separate LAN/WLAN/VLAN for the untrusted IoT devices which rejects all inbound connections from the WAN (no UPnP support) as well as all outbound connections to the main LAN. Outbound connections to the WAN for updates or cloud-base control are permitted but logged; inbound connections from the main LAN are also permitted, to control the IoT devices locally. For the main LAN the router should only perform basic filtering for malformed or misrouted packets—ones with an external or multicast destination address or an internal source address, for example. Apart from that, devices on the main LAN are expected to handle their own security. Laptops, smartphones, tablets, and other mobile devices are already required to handle this since they are routinely connected directly to untrusted networks.

The way common household NAT works is you have hosts on a private IP space behind a NAT device with an ephemeral internal IP/port table. When an internal device initiates a connection outward the NAT device takes a note of the IP address and port it is connecting to and writes them to the table, along with its own port mapping.

When a packet arrives addressed to the NAT device it checks the table and if it finds a matching entry it rewrites the packet and forwards it back to the original host.

So someone attempting to make a new connection to an internal host is effectively firewalled off by the lack of a mapping table.

Now most people who say "NAT isn't a firewall" are referring to the case where you have for some reason turned off the default firewall rules on the NAT device and have somehow routed a packet with a destination address that is on your internal network. In this case, the NAT will just forward the packet onto your internal host and provide no protection as they say. However, it ignores the difficulty of getting your ISP to route an RFC 1918 address to your NAT device in the first place. The very fact that your internal hosts are on non-routeable addresses is a form of protection provided by NAT.

The lack of a mapping table entry just means that your packet doesn't get translated. It doesn't mean that inside hosts are unreachable.

> Now most people who say "NAT isn't a firewall" are referring to the case where you have for some reason turned off the default firewall rules on the NAT device

Yeah, so: NAT isn't a firewall. The firewall is a firewall. NAT is typically deployed together with a firewall precisely because NAT isn't a firewall.

This is an important distinction, because it means that the security you think you're getting from NAT is actually coming from the firewall, meaning you don't need NAT to get that security.

Note that I'm not ignoring the issue of reaching non-routeable addresses either. Your ISP can route to your LAN range easily, and there are plenty of people who could trick or force your ISP into cooperating. If you want to be secure, you can't rely on "probably I won't receive any evil connections, it'll be fine", you need to actually block them. If you're in a situation where non-routeability is relevant then you were already insecure.

You've also forgotten that NAT doesn't provide you with non-routeable addresses, even if it's typically deployed with them. It works on any address range and it has no impact on the routeability of the range you use. NAT is also not required to use non-routeable addresses (which as mentioned aren't even secure in the first place). So, again, it provides no security.

A bit incorrect. There are IPv6 protocol changes (ex. ICMP vs ICMPv6) where the newer protocols are more secure. But actually having a private IP behind a NAT gateway is more secure in general, because nobody can directly route to a host behind your NAT, without exploiting reverse NAT traversal. IPv6 will allow easier exploitation of default host configurations due to being able to route to them easier.

This also needs to be balanced against the difficulty of exploiting servers that have been deliberately exposed to the internet, for example cameras or NASs. People often expose those deliberately (via port forwards on v4) so they can access them remotely.

v6 will make it harder to exploit those devices, because it makes it harder to find them in the first place. Most botnets that run on cameras etc spread via random network scanning, so making those devices harder to find makes it harder for botnets to spread. You can consider this akin to vaccination's effect on the R value for a contagious disease: vaccination can eliminate a disease even when it doesn't eliminate 100% of infections. If a botnet can't find enough vulnerable hosts to exploit, it'll die out.

NAT with port forwards makes it far easier to find devices like that, because it reduces the search space. v4 reduces the search space further still, to the point where it's quite feasible to do an exhaustive search.

On balance, I think this makes the larger address space (without NAT) less exploitable.

NAT itself does have the security benefit of masking more bits of client identity though. If I had a bunch of machines on an ip6 prefix, I would still want their outgoing connections to be NATted, to avoid address-based tracking.

We can envision a better version where each device pulls multiple addresses at a time and rotates through them basically per-topic, but I don't think stacks are really set up to do that. But sure we could get there eventually, at least modulo outdated firmware stuck with said vulnerabilities. On the other hand, if we already need maintained premise routers to manage incoming connections, they can simply NAT outgoing connections and get a perfect probability distribution across IP6+port that fully masks the internal network.

Ultimately I think the distinction between "outgoing" and "incoming" connections is only going to continue increasing, regardless of IP6.

Not saying that you’re incorrect, but the problem might not be as big as you think.

Were it not for home routers supporting NAT because they need to with IPv4, the same routers would have a basic firewall with that default block rule in place.

No, it really doesn't. It makes easier one aspect of developing peer to peer software. Which sure is a good thing, but it's not some panacea. Our regressive software landscape didn't come about because end users simply didn't have easy access to routeable IP addresses. But rather because tinkering with software can be tedious, developing easy to use software takes resources, and the most straightforward way of recouping that investment through surveillance and control.

Right now, you can get a VPS with perfectly routable addresses for $5/mo. And if you're not interested in or able to afford that, you're certainly not going to leave your own machine up 24/7 as a server. In reality, IP/DNS is a namespace that's terrible for user-facing systems - it itself causes centralization by necessitating that singular authoritative servers answer requests for a named object. What we actually need for a non-corporate net is higher level addressing such as content concentric networking (IPFS et al).

(I've gotten some downvotes, and I would be really interested in hearing the actual disagreement. I know we're all biased to think this paradigm of IP4/6 could do everything we want, if only it were used "correctly". But after a few decades of watching things evolve I just don't see how it's sufficient for de-centralization).

(It's fine to assert things, but make sure you're right first. Asserting things you don't know to be true is disingenuous, and a bad habit.)

Look at the speed with which WhatsApp was adopted (talking about before the FB acquisition), and compare to Mastodon or Diaspora - there is no contest.

If it's getting newspaper coverage, it's probably not all that niche.

If you somehow use them only for yourself so they run effectively as "your own" (assuming you can and want to isolate them) you run into the same issues I mentioned above.

Your comment in brackets applies very much now ;).

We'd have doused Zuck's dorm room sever in gasoline if we'd known what was to happen.

Let's go back to distributed. Let content proliferate according to novelty and interest gradients. Don't tax it. Don't rent seek.

There are ways to profit without ruining it for everybody else.

I still don't understand how bittorrent (or any decentralized platform) is "your own platform". Most people will always just be part of someone else's platform. Whether it's YouTube, PeerTube, or friendica, it's never their own and IPv6 won't change that. And they explicitly sell themselves as distributed which by definition makes them shared, everybody's, or nobody's. They can never really be your own and that's exactly what their appeal is.

Most people are unable (due to skill, money, or effort constraints) to manage their own platform. And the ones who can don't need to wait for IPv6.

Having said that, it's still possible to hear about independent websites, nobody can "easily wipe me off the internet," and I'm pretty sure my data is far more likely to leak from actual YouTube/FB/Twitter/someChan/etc. than it is from a non-monetized, advertising-free Mastodon instance, let alone my static website. But it's also absolutely true that the best way for me to drive traffic to my web site is getting linked from Twitter or Reddit; discovery is one of the big problems for federated, decentralized networks.

It only causes problems for me with absolutely no gain. There isn't a single website I can't reach, and no website that I've found runs any quicker when using IPv6.

But at the same time, if I have v6 on, it causes delays in name resolution and sometimes I just can't connect to a site until I disable v6.

I still have an addressable v4 address, so I can still run a home server.

I don't know how to fix this. I know that v6 is good for the planet, and I know these problems won't get better until more people are using v6, but it's definitely a chicken/egg problem.

That sounds like your ISP does not actually support IPv6, eg. doesn't have the full Internet routing table for v6. I've seen this happen.

DNS v4/v6 resolutions can also hang with glibc because of a well known bug with Happy Eyeballs when ISPs that fuck up outgoing DNS packets (eg. messed up stateful NAT/DPI). "options single-request-reopen" in /etc/resolv.conf is a workaround. See https://bugzilla.redhat.com/show_bug.cgi?id=505105.

I would contact your ISP, or at least publically shame them. This is not how IPv6 Internet should work (source: we provide IPv4/v6 as an ISP and take care to prevent issues like this).

- Serving different content on IPv4 vs. IPv6, e.g. just showing Apache2's "It Works" page

- Serving some subresources behind a reverse proxy on IPv4 only (and 404ing on IPv6)

- Forgetting IPv6 AAAA Records after a server change

Trying to debug this as a user is annoying and even if I identified the issue before leaving the site, working with sites to get it fixed has been an issue. I quickly ran into the "Works for me" issue, when the administrators (and a majority of their users) ran on IPv4 only networks.

Ultimately I just disabled IPv6 on all my systems because it ends being more trouble than it's worth.

Also, I don't even use my ISPs name servers, I use Cloudflare or Google, so I don't think it's that unless the ISP is somehow munging the packet in transit, which I suppose is possible.

Honestly I think it is all due to issues with the v6 stack in MacOS.

But my point is, I shouldn't have to be a network engineer to make v6 work. I should be able to turn on my computer and just have it work.

That's exactly the problem. You send out two v4 DNS UDP packets one after another (one for A, another for AAAA), both go via your ISPs CGNAT, the CGNAT gets confused, one of the packets gets dropped. I've seen this exact behavior when talking to 8.8.8.8 on Orange in Poland (and they do DS-Lite). It didn't occur with the ISP's DNS, because a) they were also on v6 b) they weren't getting CGNATed.

> But my point is, I shouldn't have to be a network engineer to make v6 work. I should be able to turn on my computer and just have it work.

By disabling IPv6 you're letting shit ISPs get away with this. Your ability to debug this and to figure out it's the ISP's issue should be used to voice your concerns, and not just let this slide.

Maybe this is true. But as the other guy said. There is zero benefit in moving to v6 so there isn't any point in taking the time to investigate.

With RIRs running out of addresses, that's about to change (well, realistically, maybe in 1-2 years).

As techs, I think it's our responsibility to push this forward and keep the Internet free and decentralized.

I doubt it. Websites that want to be reachable will find a way to be reachable.

> As techs, I think it's our responsibility to push this forward and keep the Internet free and decentralized

I agree, but there is only so much I'm willing to sacrifice for that effort. I've tried to use v6 for at least two weeks on three separate occasions. I do that about once a year. That's the level of sacrifice I'm willing to make for this effort.

My hope is that one year it goes so smoothly I forget to switch back.

Edit: I should point out that I had no idea my machine was using IPv6 until I wondered why I was able to use Gmail and not other sites (such as HN).

I haven't seen a consumer CPE that both supports v6 and doesn't firewall off incoming v6 connections, and I haven't seen any operating system in years that doesn't enable RFC4941 by default.

If they supported IPv6, and gave me a globally routable address that was unfiltered except at my gateway, I'd be happier.

https://tunnelbroker.net/

>Our free tunnel broker service enables you to reach the IPv6 Internet by tunneling over existing IPv4 connections from your IPv6 enabled host or router to one of our IPv6 routers.

(It's still obviously less direct, and inferior to your ISP supplying native IPv6, but it may improve your situation.)

There's a list of brokers at https://en.wikipedia.org/wiki/List_of_IPv6_tunnel_brokers

https://6project.org/ looks viable (OpenVPN) and cheap.

IPv6 was always about maintaining the status quo. It doesn't become "better" than IPv4 until CGNAT makes IPv4 worse. (Or if your internal network reaches the scaling limits of RFC1918.)

So as long as I connect to the EC2 instance over IPv6, I get a free static IP address on my server.

a) for one as a response against CGN, thankfully my ISP isn't using one right now but I have a hunch they're going to start becoming a lot more common in the future. and b) as a hacker I'm interested to finally set it up and play around with it.

Also IMO even if it doesn't bring any improvements to the general consumer given all the pressure to start switching to IPv6 it is a good thing to be interested about it, pressuring more ISPs to start supporting it.

the isp could also provide dynamic dns as part of their package for users who do want to access their devices at home. why remember a 4-octet ip when you can get your own subdomain from your internet provider?

Maybe you could elaborate on why you assume these things are bad?

Is RAID the only redundancy?

[1]http://marshallbrain.com/manna1.htm)

disclaimer: Not affiliated.

[1]https://www.twilio.com/

tmux is two kinds of terminal application: it interacts with your outer, "real" terminal, and it presents an inner, "fake" terminal to the programs running inside it. By default, tmux will respect the limitations implied by $TERM, so if your outer terminal claims to be an 8-colour device, tmux will filter the colours of applications inside it to fit the standard 8-colour palette.

Vim also respects the limitations implied by $TERM, but some people override it into using 256-colour mode anyway, by doing something like "set t_Co=256" in their .vimrc. That works for Vim running in the outer terminal, but it doesn't work for any other tools running in the outer terminal, and in particular it doesn't help tmux.

These days, it's generally best to configure your terminal app to set $TERM to something like "xterm-256color", "nsterm-256color" (for Terminal.app), "putty-256color" (for PuTTY), "gnome-256color" (for libvte-based emulators) or similar. If your terminal application doesn't support manually overriding $TERM, you can do it in your shell profile. That way, every app should understand your terminal's capabilities, including 256-colour support, both inside and outside of tmux.

https://github.com/tmux/tmux/pull/112

  # Force tmux to assume the terminal supports 256 colors
  tmux -2 

  # if /usr/share/terminfo/x/xterm-256color exists
  export TERM='xterm-256color'
  # otherwise
  export TERM='xterm-color'

1. Connect Raspberry Pi to local LAN and get wifi setup (I VLAN wireless traffic, so I have it listening/connected to both)

2. Change iptables default policy to DROP

3. Add relevant ALLOW rules to make sure basic stuff like DHCP still works. I added an allow rule to talk to another machine that runs a PHP script that talks to Twilio

4. Spend about a week adding custom DROP rules for any normal broadcast traffic on your network (Bonjour, random auto-discovery stuff, etc)

5. If you have properly excluded everything "normal" you should be able to run "iptables -vL" about 24 hours apart and the packet count next to the INPUT chain policy will not have incremented (remember we have a default of DENY)

6. Add a final rule of 'iptables -A INPUT -m limit --limit 2/min -j LOG --log-prefix "ZOMG: " --log-level 4'

7. Write a bash script to monitor syslog, parse the log, forward to the before-mentioned script on another host

Just my 2 cents, but I feel like there might be some commercial demand for something like this if you'd ever consider packaging it.

Hate it when that happens to me...every week.