On Thu, 13 Jun 2024 at 11:08, BD dzidek23@gmail.com wrote:
An example that I have seen working was a ZTNA configuration with Fortinet hardware and SDN for network separation.
That sort of thing will be out of my budget!
I suspect the same thing could be achieved using pfSense and network management (with a nice GUI to control it). Quick search on the Internet for "pfSense zero trust" returned a few interesting sites. Additionally pfSense can serve as a VPN concentrator too.
I spent a bit of time looking into this. The biggest issue for me is that it's FreeBSD and most of our stuff is hosted at DigitalOcean, and they no longer offer FreeBSD as an option. I can of course look elsewhere, but DO combine the bandwidth of all your services and we're nowhere close to using it all, so putting a VPN which could potentially be fairly heavy traffic somewhere it can use that bandwidth makes sense if I can.
I spent ages playing with Wireguard - there are some useful tools for building the config ([1], [2]) but I never got a configuration which worked properly with my phone over mobile data (or my laptop using mobile data over a hotspot), and as that's one of the main things I needed to achieve I ended up walking away from my attempts (in part because I managed to get the old SSL-based VPN working over those connections by turning off "FastSSL").
I'd like to get this working at some point, but a day and a half of experimenting and getting nowhere useful was as much (more if I'm honest) as I could afford to allocate to it.
[1] https://www.wireguardconfig.com/ - Configuration builder
[2] https://github.com/mvpsnet/wireguard4vps - PHP-based manager
On 27/06/2024 13:57, Mark Rogers wrote:
[Big SNIP]
Hi Mark,
Two things:
1) I've dumped Digital Ocean as all their IP addresses have been blocked by those crooks at UCEProtect. And I mean ALL of them, so it's occasionally impossible to send out email from their servers.
I have migrated most of my kit to Vultr, and they are much better, as cheap, and their network lines and VMs seem faster.
2) You might like to have a look at Shorewall...
Cheers, Laurie.
On Fri, 28 Jun 2024 at 11:55, Laurie Brown laurie@brownowl.com wrote:
- I've dumped Digital Ocean as all their IP addresses have been blocked by those crooks at UCEProtect. And I mean ALL of them, so it's occasionally impossible to send out email from their servers.
Does anyone actually use uceprotect? (Well, anyone who matters?)
I don't send emails directly from my servers anyway so this isn't an issue (we use mailgun or aws SMTP servers).
I have migrated most of my kit to Vultr, and they are much better, as cheap, and their network lines and VMs seem faster.
I looked at Vultr around the same time we moved to DO (almost a decade ago it turns out). We've never had any issues with DO but I have often thought about using a mixture of the two.
(I think there are better hosts if you have the resources, but in the $5/mo market they're both pretty strong). Hetzner also came up recently as a European-based alternative.
- You might like to have a look at Shorewall...
One weakness of DO is that you're pretty limited to the distros they support. It's never really been an issue but it does limit me here whilst I am sticking with them.
I might have to think about spinning up a VM at Vultr for testing. Google suggests they give a flat 2TB bandwidth regardless of how much stuff I have with them? Seems an odd approach so maybe I misread it. But that would be enough for my purposes I am sure.
On 29/06/2024 12:53, Mark Rogers wrote:
On Fri, 28 Jun 2024 at 11:55, Laurie Brown laurie@brownowl.com wrote:
- I've dumped Digital Ocean as all their IP addresses have been blocked by those crooks at UCEProtect. And I mean ALL of them, so it's occasionally impossible to send out email from their servers.
Does anyone actually use uceprotect? (Well, anyone who matters?)
I don't send emails directly from my servers anyway so this isn't an issue (we use mailgun or aws SMTP servers).
I have migrated most of my kit to Vultr, and they are much better, as cheap, and their network lines and VMs seem faster.
I looked at Vultr around the same time we moved to DO (almost a decade ago it turns out). We've never had any issues with DO but I have often thought about using a mixture of the two.
(I think there are better hosts if you have the resources, but in the $5/mo market they're both pretty strong). Hetzner also came up recently as a European-based alternative.
- You might like to have a look at Shorewall...
One weakness of DO is that you're pretty limited to the distros they support. It's never really been an issue but it does limit me here whilst I am sticking with them.
I might have to think about spinning up a VM at Vultr for testing. Google suggests they give a flat 2TB bandwidth regardless of how much stuff I have with them? Seems an odd approach so maybe I misread it. But that would be enough for my purposes I am sure.
I'm slow to the discussion (way too busy to check lists at the moment), but...
I use Wireguard quite happily, albeit my configuration is fairly basic. I have a fixed IP address, so that makes things more practical, although I think you should be OK with just a single fixed IP and connecting in and routing through that. Not something I've played with yet.
That said, you may like to take a look at Tailscale (https://tailscale.com/), which takes the hassle out of Wireguard and allows you to manage the links through a central management account (hosted by them, but I think you could set up your own - don't quote me though!). There is a free tier, but if you are looking at a VPS then you may like to look at the $6 a month to see if you need the extra. I haven't used it myself, but several attendees at Portsmouth LUG swear by it.
On 29/06/2024 12:53, Mark Rogers wrote:
On Fri, 28 Jun 2024 at 11:55, Laurie Brown laurie@brownowl.com wrote:
- I've dumped Digital Ocean as all their IP addresses have been blocked by those crooks at UCEProtect. And I mean ALL of them, so it's occasionally impossible to send out email from their servers.
Does anyone actually use uceprotect? (Well, anyone who matters?)
Yes. I was blocked by both MS (hotmail/outlook) and Google. It was a nightmare to get exemptions from them, and DO couldn't give a flying one.
UCEProtect block an entire Class C if they decide any spam has been sent, and they want payment, monthly, to unblock each single IP. IMO it's a criminal scam, but they don't give one either. That's why I dumped DO for Vultr, who are better anyway, IMO.
Apple was a different story, but another marathon.
I don't send emails directly from my servers anyway so this isn't an issue (we use mailgun or aws SMTP servers).
I have migrated most of my kit to Vultr, and they are much better, as cheap, and their network lines and VMs seem faster.
I looked at Vultr around the same time we moved to DO (almost a decade ago it turns out). We've never had any issues with DO but I have often thought about using a mixture of the two.
I was happy with DO until UCE came along and DO didn't care.
Cheers, Laurie.
I usually read these emails on my phone, which won't allow me to reply as plain-text. Which means I tend to forget to reply later...
On Wed, 3 Jul 2024 at 13:54, Laurie Brown laurie@brownowl.com wrote:
Yes. I was blocked by both MS (hotmail/outlook) and Google. It was a nightmare to get exemptions from them, and DO couldn't give a flying one.
I'm not sure DO are in the wrong here - UCEProtect is, as you say, a scam; surely ignoring them is the best option? Anyone using them has essentially chosen to break their email and only UCE will benefit from pandering to them.
for Vultr, who are better anyway, IMO.
That is of course a different matter, and on paper I can see several reasons to prefer Vultr (including those already mentioned here, like BSD/ISO support). It hasn't reached the threshold required for me to move yet though.
I prefer the DO approach to bandwidth (you get an allowance per droplet and it accumulates across all of them) rather than, AIUI, the fixed 2TB you get from Vultr regardless of how much stuff you have with them? But that's not a reason to stick with DO, that's all inertia.
That said the support I've had from DO has generally been OK and responsive so the inertia is compounded by a lack of strong reasons to up sticks.
On 09/07/2024 15:26, Mark Rogers wrote:
I usually read these emails on my phone, which won't allow me to reply as plain-text. Which means I tend to forget to reply later...
On Wed, 3 Jul 2024 at 13:54, Laurie Brown laurie@brownowl.com wrote:
Yes. I was blocked by both MS (hotmail/outlook) and Google. It was a nightmare to get exemptions from them, and DO couldn't give a flying one.
I'm not sure DO are in the wrong here - UCEProtect is, as you say, a scam; surely ignoring them is the best option? Anyone using them has essentially chosen to break their email and only UCE will benefit from pandering to them.
Yes, but as I said, MS and Google were banning my emails as a result - those crooks were the only place my servers were blacklisted.
Anyway, good luck!
[SNIP]
Cheers, Laurie.