1 hour ago · 21 min read · 4270 words · Tech

Table of Contents

At a Glance
Architecture
The Host
pf: Default Deny, Both Directions
nginx: A Lazy Mirror with proxy_store
The pkg Mirror (Port 8080)
The freebsd-update Mirror (Port 80)
The Release Mirror (Port 8081)
What About Trust?
Client Configuration
The Proof: 15.0 to 15.1 Over the Mesh
The Full Jail Lifecycle
Operational Notes
Public DN42 Service
Lessons Learned
Conclusion
References

Since joining DN42, the number of FreeBSD machines living inside the mesh has quietly grown. They sit on fdce:73f7:a2dc::/48, they speak IPv6 to the rest of the hobbyist internet, and by design they have no route to the clearnet. That is exactly how I want them - right up until the moment a FreeBSD security advisory lands and every one of them needs to talk to update.freebsd.org. The usual answers are all unsatisfying. Punching clearnet holes into isolated hosts defeats the point of isolating them. NAT-ing the whole DN42 segment out through the home router reintroduces the…
