cablespaghetti.dev is a Fediverse instance that uses the ActivityPub protocol. In other words, users at this host can communicate with people that use software like Mastodon, Pleroma, Friendica, etc. all around the world.
This server runs the snac software and there is no automatic sign-up process.
The Book of PF, 4th Edition: It's Here, It's Real https://nxdomain.no/~peter/its_real_its_here.html - now that I have physical copies, I'll bring some to the upcoming conferences such as #asiabsdcon #bsdcan #eurobsdcon #freebsd #openbsd #pf #packetfilter #networking #networktrickery #freesoftware #libresoftware #bookofpf @EuroBSDCon @nostarch
#NetMCR (https://www.netmcr.uk/) is on again this Thursday (12th) in #Manchester.
The talk will be by Mark Tearle, titled:
‘It is a disaster! Reacting to the Unexpected’
Mark has flown across the world, avoiding flight disruptions, to present an interactive talk about disasters that befall networks, data centres and telecommunications infrastructure across the globe. A curated set of incidents will be discussed and the question posed - how would you or your organisation respond?
Go and chat with some nice people, have some weird 🍻, and if you're hungry, 🍔 and 🍟!
Nice! NAT64 in action. My IPv6-only jail can successfully talk with GitHub. No tayga, just the new "af-to" feature that the "pf" firewall got in 15.0-RELEASE:
pass in quick on bastille0 inet6 from $jail_net to 64:ff9b::/96 \
af-to inet from ($ext_if) keep state
This is genuinely nice! 🙂
RE: https://mastodon.social/@pitrh/116182418029757504
Again for the Monday morning (CET) crowd -
There's a new book out for your #networking, #openbsd, #freebsd cravings:
The Book of PF, 4th Edition: It's Here, It's Real https://nxdomain.no/~peter/its_real_its_here.html #openbsd #freebsd #pf #packetfilter #networking #firewall #networktrickery #security #freesoftware #libresoftware @nostarch
Partner is away next week - and you know what that means....
I can break the home network without getting in trouble
The Book of PF, 4th Edition Spotted in the Wild https://undeadly.org/cgi?action=article;sid=20260306131150 #openbsd #freebsd #pf #packetfilter #networking #security #networktrickery #freesoftware #libresoftware
The Book of PF, 4th Edition: It's Here, It's Real https://nxdomain.no/~peter/its_real_its_here.html #openbsd #freebsd #pf #packetfilter #networking #firewall #networktrickery #security #freesoftware #libresoftware @nostarch
New Blog Post! https://blog.transitory.social/posts/2026-02-05-protonvpn-exit-via-egress-gateway-policy (No AIs were inconvenienced in the writing of this post.)
Glad to see progress in securing internet routing.
https://blog.cloudflare.com/aspa-secure-internet/?utm_source=tldrdevops/
Conferences - #asiabsdcon is only a couple of weeks away, the call for papers for #eurobsdcon starts tomorrow, and #BSDCan is on for June.
Read more via "What is BSD? Come to a conference to find out!" https://nxdomain.no/~peter/what_is_bsd_come_to_a_conference_to_find_out.html #openbsd #netbsd #freebsd #freesoftware #development #networking #security
Finally, the ISP has removed CGNAT and given me a public IP address for the GSM service.
Now the failover setup is complete, and with #docker driven #cloudflare updater "favonia/cloudflare-ddns", all is in place.
#Unifi5GMaxOutdoor #ISP #Unifi #selfhosting #selfhosted #homelab #networking
@mikrotik have a Fediverse account. And not only that - they even have their own instance! :o
Yes, You Too Can Be An Evil Network Overlord - On The Cheap With OpenBSD, pflow And nfsen https://nxdomain.no/~peter/yes_you_too_can_be_an_evil_network_verlord.html
A story about network metadata and #openbsd, originally from 2014, good for reprising. See The Book of PF for more #nfsen #netflow #pflow #monitoring #networking #security #pf #packetfilter #bookofPF @nostarch
Any chance that someone might have spare RIPE ATLAS credits?
I currently do some experiments with the IPv6 routing of my AS201379 and being able to do measurements on Atlas would be sooooo helpful right now.
From FediGarden I extracted a few servers to make new accounts at
no confirmation mail sent by
https://mastodon.cipherbliss.com
https://elekk.xyz
#FediVerse #Social #SocialMedia #account #registration #error #networking #programming #OpenSource #configuration #annoying
Spent way too long getting HTTP/3 working on FreeBSD with nginx, so I wrote it all up.
The highlights: stock OpenSSL silently breaks QUIC at the HTTP/3 framing layer (the TLS handshake succeeds, so openssl s_client lies to you). eBPF worker routing doesn't exist on FreeBSD. And if nginx is in a jail with IPv4 NAT, a pass rule for UDP 443 is useless without a matching rdr.
New post: https://blog.hofstede.it/http3-on-freebsd-getting-quic-working-with-nginx-in-a-bastille-jail/
16 hours in, we're at ~125K IPs, so we're keeping the rate of around 2 attempts per second. I'm still waiting for recommendations on tools that would allow me to wade through this huge collection of IPs to get statistics on who they belong to, if there's an actual botnet in it (inclusive of residential addresses taken over by it) and/or which datacenters are involved. Any #recommendations? #askFedi #fediHelp #networking
One day I'll understand enough to separate the router from the gateway.... Today is not that day.
Probably not the year, either.
Stage 3, done. Mounted and connected end to end. All is working!
#ISP #Unifi #selfhosting #selfhosted #homelab #networking
Stage 2 complete. CAT7 cable is ready and it goes from UDM to the outside end position.
Need to attach the RJ45 connectors and mount the modem in place.
This will wait until the weather clears. One more stage to go.
(also, GSM ISP still didn’t remove CGNAT. I mean how long does it take to configure a single SIM?)
Connect, adopt, update, done. Failover ready.
It took about 10-13 pings to switch over. Quick enough in my book.
Internal (non-ideal) testing. The modem is indoors atm for adoption and update.
The speeds are lower as expected, but the whole setup works. This was too easy.
The fresh 4th edition of The Book of PF in physical form has reached Europe (Ireland), https://www.linkedin.com/posts/tomsmythconnect_thebookofpf-openbsd-packetfilter-activity-7427686906349555713-7s4w - so my stack of author copies is hopefully on the way too.
The book home page is at https://nostarch.com/book-of-pf-4th-edition
Some background https://nxdomain.no/~peter/yes_the_book_of_pf_4th_ed_is_coming.html @nostarch #bookofpf #openbsd #freebsd #pf #packetfilter #networking #security
#NetMCR (https://www.netmcr.uk/) is on again this Thursday (12th) in #Manchester.
The talk will be by Lewis Hill, ‘Migrating from VMWare to Proxmox’:
"We’re very excited to hear from Lewis, who is coming to us with his first talk, and it’s on a really pertinent subject for more than a few of us. Not one to miss!"
Go and chat with some nice people, have some weird 🍻, and if you're hungry, 🍔 and 🍟!
Thinking about ways for my #homelab to be resilient to fundamental network changes like "what if the core router gets swapped out / loses dhcp leases / ISP rolls ipv6 leases"
The best I can figure is using some sort of overlay network to re-bootstrap internal DNS, ideally without requiring internet access. I haven't found a ton of prior art on an internet-less mesh cold start, but I think it's a neat thing to noodle on.
So when your internet goes down your android phone understandably starts routing all network requests through mobile data, but maintains the connection to the WiFi and periodically checks to see if internet is back up so it can switch back. This is fine unless you want to access local network stuff. I know I can turn off mobile data, but that has obvious downsides. Is there another way to easily route certain things to the WiFi connection without turning off mobile data?
I bought a copy of "The Book of PF" from @pitrh
It's the best and most comprehensive resource about the marvelous PF firewall that I've ever seen, and I've been using PF since the early days.
Amazing work!
It's available here on No Starch Press: https://nostarch.com/book-of-pf-4th-edition
I also recently wrote a practical guide on PF (https://blog.hofstede.it/pf-firewall-on-freebsd-a-practical-guide/) for anyone who wants to get started :-)
Upcoming "Network Management with the OpenBSD Packet Filter Toolset" tutorials (covering #freebsd and #openbsd):
2026-03-19 AsiaBSDCon https://www.asiabsdcon.org
2026-06-18 BSDCan https://www.bsdcan.org
See https://nxdomain.no/~peter/pf_tutorial_upcoming_questions_welcome.html (https://bsdly.blogspot.com/2025/05/for-upcoming-pf-tutorials-we-welcome.html)
and https://nxdomain.no/~peter/what_is_bsd_come_to_a_conference_to_find_out.html (https://bsdly.blogspot.com/2025/11/what-is-bsd-come-to-conference-to-find.html)
plus https://nxdomain.no/~peter/yes_the_book_of_pf_4th_ed_is_coming.html (https://bsdly.blogspot.com/2025/07/yes-book-of-pf-4th-edition-is-coming.html)
Registration for BSDCan 2026 is open at https://www.bsdcan.org/2026/registration.html + tutorial schedule published.
#bsdcan #freebsd #openbsd #netbsd #development #networking #devops #sysadmin #conferences
For more on BSD and the BSD conferences, see https://nxdomain.no/~peter/what_is_bsd_come_to_a_conference_to_find_out.html (or tracked https://bsdly.blogspot.com/2025/11/what-is-bsd-come-to-conference-to-find.html +
https://medium.com/@peter.hansteen/what-is-bsd-come-to-a-conference-to-find-out-06acd7d77fd8 )
New blog post: Running your own Autonomous System on FreeBSD.
Got an AS number and IPv6 /48 via RIPE, set up a FreeBSD BGP router with FRR, two upstreams, and built GRE/GIF tunnels to bring my own globally routable addresses to servers at different providers.
The interesting part: dual-FIB policy routing lets FreeBSD jails speak from both provider and BGP addresses simultaneously.
https://blog.hofstede.it/running-your-own-as-bgp-on-freebsd-with-frr-gre-tunnels-and-policy-routing/
Registration for BSDCan 2026 is now open https://www.bsdcan.org/2026/registration.html and tutorials schedule is published.
#bsdcan #openbsd #netbsd #freebsd #libresoftware #freesoftware #conference #development #networking #sysadmin #devops
My website "hofstede.it" now lives in my own AS201379 on my assigned IP-addresses 🙂
https://bgp.tools/prefix/2a06:9801:1c::/48#asinfo
Running my own BGP router in LONAP (London) with FreeBSD and FRR, where I announce my network 2a06:9801:1c::/48 to the internet.
Peering is still fairly limited, but that'll improve within the next weeks, when I get 2 additional peers 🙂
#networking #ipv6 #peering #bgp #selfhosting #engineering #devops #freebsd
Incident report:
* Previously in the week it was noticed that Cilium had an update to 1.19.0
* Upon further inspection, this looked to be a pre-release, so it was left alone, cilium is a load-bearing component and should only be touched with care
* At some point in the last week I forgot about that and hit merge in forgejo, not an issue, since argocd won't auto-sync any load-bearing components (cilium, forgejo, argo, cert-manager, and a handful of others)
* Over the last few days I have repeatedly restarted various components while troubleshooting some OIDC issues. Including ArgoCD and Forgejo
* This caused a few sync errors or argo state refresh errors as pods were unceremoniously exploded
* At some point during this time Cilium ended up out of sync/errored
* By this point I had forgotten about the cilium major* update
* I hit sync to clear that out and see what is wrong. Everything is green, and nothing breaks.
* BGP sessions continue
* I go about my afternoon
* BGP sessions expire, causing immediate issues, since my old config was deprecated
* I start the investigation with DNS, since the TV stopped playback and sites stopped loading on my laptop
* Yup, DNS is down.
* But not from my dev console, that means ad-guard DNS is down.
* Ad-guard DNS is throwing errors connecting to quad9 via DoT, I am not sure the cause of this, maybe the UI has a clue
* ad-guard DNS ui isn't opening, oh. No cluster-based site is opening actually.
* Confirmed, all LB services are down, must be BGP related
* Looking in the Mikrotik router I see two BGP sessions, so I restart the BGP service on the router, they drop and don't re-appear, must have been stale on that side.
* Restart cilium to see logs
* BGP config error? Wait, did cilium update???
⚠️ You may need to take action during upgrade to Cilium v1.19 if you use Network Policies, Cluster Mesh, LoadBalancer IPAM or BGP.* Oh right, I've been seeing deprecation warnings about the BGP config for ages now
A blog series on my descent into madness with PKI/etc would probably be interesting. But first I can finish out the networking series (The last part for now will be about taking the egress policy features and wireguard and then creating a wireguard interface on a Talos linux node, and then assigning routing rules to a non-default table, so only traffic assigned to that interface uses it. The end result: ability to create an egress policy targeting a pod, and send all outbound traffic out over that VPN link. I could have done this for the web services that I am having exit on the cloud node, but I want to eventually put caching on the edge. Of course the goal here with the wireguard exit was to use ProtonVPN for a download client......)
The Rest Is Trash https://nxdomain.no/~peter/the_rest_is_trash.html (tracked https://bsdly.blogspot.com/2026/02/the-rest-is-trash.html) following up on #greytrapping, updating the 18 years piece https://nxdomain.no/~peter/eighteen_years_of_greytrapping.html #openbsd #spamd #greytrapping #greylisting #antispam #cybercrime #networking #spam
Tonight the waves of bot traffic hitting many of the servers I manage have intensified, including Brew on BSD Cafe, but not only that. Honestly, the feeling I have now is no longer the same as it was some time ago (AI scrapers), but that there are real disruption operations going on. I can see it’s much more concentrated around certain providers and certain datacenters. If I block some countries like China, the numbers drop dramatically.
I still haven’t figured out whether there’s something specific and targeted happening (a broad DDoS) or if they’re still scrapers, but they honestly seem really dumb.
Maybe we should just create an alternative network and leave the Internet to these entities.
At this point they’re just talking to themselves anyway.
Assume two machines in the same network each have a link-local address (LLA) and a unique-local address (ULA). They could talk to each other with either address. Is there some kind of prioritizing the one over the other, e.g. always use LLA if available else use ULA?
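As an added illustration of what decides this question (not part of the post above, and not code from any project it mentions): the ordering is specified by RFC 6724, which the common getaddrinfo()/stack implementations follow. The Python model below implements the relevant source-selection rules (section 5: rules 1, 2, 6, 8) and destination-ordering rules (section 6: rules 2, 5, 6, 8, 9) over the RFC's default policy table. The host addresses fd12:3456:789a::1 / fe80::1 and the peer addresses fd12:3456:789a::2 / fe80::2 are constructed sample values.

```python
import ipaddress
from functools import cmp_to_key

# RFC 6724 section 2.1 default policy table: (prefix, precedence, label).
POLICY_TABLE = [
    ("::1/128", 50, 0),
    ("::/0", 40, 1),
    ("::ffff:0:0/96", 35, 4),
    ("2002::/16", 30, 2),
    ("2001::/32", 5, 5),
    ("fc00::/7", 3, 13),      # unique-local addresses (ULA)
    ("::/96", 1, 3),
    ("fec0::/10", 1, 11),
    ("3ffe::/16", 1, 12),
]
POLICY = [(ipaddress.ip_network(p), prec, lab) for p, prec, lab in POLICY_TABLE]


def scope(addr):
    """Scope value per RFC 6724 section 3.1; note that a ULA counts as global scope."""
    if addr.is_multicast:
        return int(addr.exploded[3], 16)
    if addr.is_loopback or addr.is_link_local:
        return 0x2
    if addr.is_site_local:    # deprecated fec0::/10, kept for completeness
        return 0x5
    return 0xe


def policy(addr):
    """Longest-prefix match in the policy table -> (precedence, label)."""
    best = max(((n, prec, lab) for n, prec, lab in POLICY if addr in n),
               key=lambda e: e[0].prefixlen)
    return best[1], best[2]


def common_prefix_len(a, b):
    """Number of leading bits the two addresses share."""
    return 128 - (int(a) ^ int(b)).bit_length()


def select_source(dest, candidates):
    """RFC 6724 section 5: pick the source address for a given destination."""
    d_scope, d_label = scope(dest), policy(dest)[1]

    def cmp(sa, sb):
        if sa == dest != sb:          # rule 1: prefer same address
            return -1
        if sb == dest != sa:
            return 1
        s_a, s_b = scope(sa), scope(sb)
        if s_a != s_b:                # rule 2: prefer appropriate scope
            if s_a < s_b:
                return 1 if s_a < d_scope else -1
            return -1 if s_b < d_scope else 1
        m_a, m_b = policy(sa)[1] == d_label, policy(sb)[1] == d_label
        if m_a != m_b:                # rule 6: prefer matching label
            return -1 if m_a else 1
        c_a, c_b = common_prefix_len(sa, dest), common_prefix_len(sb, dest)
        if c_a != c_b:                # rule 8: prefer longest matching prefix
            return -1 if c_a > c_b else 1
        return 0

    return sorted(candidates, key=cmp_to_key(cmp))[0]


def sort_destinations(dests, sources):
    """RFC 6724 section 6: order candidate destinations; the first is tried first."""
    def cmp(da, db):
        sa, sb = select_source(da, sources), select_source(db, sources)
        m_a, m_b = scope(da) == scope(sa), scope(db) == scope(sb)
        if m_a != m_b:                # rule 2: prefer matching scope
            return -1 if m_a else 1
        (p_a, l_a), (p_b, l_b) = policy(da), policy(db)
        lm_a, lm_b = l_a == policy(sa)[1], l_b == policy(sb)[1]
        if lm_a != lm_b:              # rule 5: prefer matching label
            return -1 if lm_a else 1
        if p_a != p_b:                # rule 6: prefer higher precedence
            return -1 if p_a > p_b else 1
        if scope(da) != scope(db):    # rule 8: prefer smaller scope
            return -1 if scope(da) < scope(db) else 1
        c_a, c_b = common_prefix_len(da, sa), common_prefix_len(db, sb)
        if c_a != c_b:                # rule 9: prefer longest matching prefix
            return -1 if c_a > c_b else 1
        return 0

    return sorted(dests, key=cmp_to_key(cmp))


if __name__ == "__main__":
    A = ipaddress.IPv6Address
    # Constructed sample: two hosts on one link, each with a ULA and a link-local address.
    my_addrs = [A("fd12:3456:789a::1"), A("fe80::1")]
    peer = [A("fd12:3456:789a::2"), A("fe80::2")]
    for d in peer:
        print(f"dest {d} -> source {select_source(d, my_addrs)}")
    print("try in order:", [str(d) for d in sort_destinations(peer, my_addrs)])
```

Two things fall out of running it. Source selection is per destination: talking to the peer's ULA uses your ULA, talking to its link-local address uses your link-local address (rule 2, "prefer appropriate scope"). If both peer addresses are candidates, destination ordering puts the link-local one first, because ::/0 carries precedence 40 in the policy table while fc00::/7 carries only 3 (rule 6), and the smaller scope wins as a tie-breaker (rule 8). In practice, though, link-local addresses are rarely published in DNS and need a zone index to be usable, so what applications normally end up with is the ULA; the preference only bites when both addresses are explicitly supplied.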
The first scheduled "Network Management with the OpenBSD PF Toolset" session of the year will be at AsiaBSDCon 2026 https://2026.asiabsdcon.org/index.html.en, https://2026.asiabsdcon.org/entry/talk/ZUQPMV/, registration to open soon.
Also see https://nxdomain.no/~peter/what_is_bsd_come_to_a_conference_to_find_out.html #asiabsdcon #freebsd #openbsd #pf #packetfilter #networking #conference @nostarch @stucchimax