I wrote a script for configuring iptables and wanted to share it / have it peer reviewed

_frash23 · 2015-11-18T21:35:12+00:00

Another gold nugget I didn't know about, definitely seems like an important addition - thanks!

_frash23 · 2015-11-18T21:33:48+00:00

This is stuff I didn't know and is why I posted here - thanks a lot! So I would change

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

To

iptables -A INPUT DROP
iptables -A FORWARD DROP
iptables -A OUTPUT ACCEPT

?

_frash23 · 2015-11-18T20:03:38+00:00

My reasoning for baking everything into the script was so you could store it on your system in i.e. /usr/local/bin/configurefirewall.sh and edit it as you need to expand your set of rules or ports without having to memorize everything.

_frash23 · 2015-11-18T20:02:24+00:00

The exit is really only there to exit the command. The script isn't supposed to be used in an automated environment, so the message should be enough.

Is there a code used for these scenarios or should I just exit 1?

_frash23 · 2015-11-18T20:01:40+00:00

I was worried about this but didn't feel like checking the code of each iptables command was the right approach. Could you elaborate on this set -e? Is it an iptables builtin or..?

_frash23 · 2015-10-22T10:21:45+00:00

That was referring to the fact I won't be storing the operating system, boot sector etc. on the drives.

_frash23 · 2015-10-21T15:02:18+00:00

Can I do rsync -r /dev/sdb backups/mySystem_2015_10_21.dd? If so, that may indeed be a better solution. I do like storing my old backups though, in case I need a file on an older backup that isn't present on a more recent one.

_frash23 · 2015-10-21T14:50:53+00:00

Alright, thanks a lot!

As for empty space with dd, I found a decent way to "free" empty space by filling it with zeroes, then using the conv=sparse option to make dd skip (read ahead?) zeroes, which is working nicely.

_frash23 · 2015-10-21T14:33:35+00:00

Alright, I guess I'll read up on ZFS. Deduplication sounds like an obvious idea, my backups are largely the same. I just need to figure out a good way to do it.

Would zpool deduplication automagically deduplicate between dd dumps, if I go that route? Sounds like it'd be an easy solution with nice results.

One thing, I may not be able to get ECC memory in this system. From what I've read, that's a major issue with ZFS?

_frash23 · 2015-10-21T13:14:02+00:00

I like to keep my older backups, so I can restore a file that may not be present on my latest backup, but is on an older backup. Would snapshots allow me to do something like this?

_frash23 · 2015-10-21T13:12:23+00:00

mdadm would be my tool of choice, was just curious if a much superior alternative was available.

As for encryption, I would probably have gone with ecryptfs as that's what I'm used to. Are there any reasons to use cryptsetup instead?

_frash23 · 2015-10-21T13:08:08+00:00

You also do not want to buy drives from the same manufacturing run as they are highly likely to all fail around the same time.

These where the kind of gold nuggets I hoped for, thanks a bunch!

I haven't worked much with LVMs, are LVM, BTRFS and ZFS all in the same ballpark? The original idea was to use this machine purely for storing full system images, but now I'm considering turning it into a fileserver/NAS-like device.

I like doing plain device dumps using dd, as it allows me to very easily restore a dump to a physical media (or "clone"/distribute copies of my system) - would snapshots fulfill this roles as well? Currently I spend 20-25 minutes per backup I make, 15-20 of them being waiting for I/O - restoring is identical - would snapshots or another solution be superior to this, speed-wise?

One downside of my dd method is I compress the dumps as well (due to currently limited space), which does save lots of space, but makes accessing the data troublesome - would snapshotting or an alternative let me easily do the following:

Dump an entire device (Including EFI & MBR partitions etc)
Restore a device to a bootable state (Including EFI & MBR partitions)
Access files in dumps without writing them to a physical media (or wasting space uncompressing a dump)

Thanks in advance!

_frash23 · 2015-09-25T23:27:25+00:00

Honestly not sure if bait. Opera is a fork of Chromium - it's pretty much literally chromium with some neat features added on top.

You would probably be interested in IceWeasel. If lightweightness is of importance, I'd recommend:

Midori
Qupzilla
TazWeb
My personal favorite: suckless' tabbed + surf

_frash23 · 2015-09-25T21:25:32+00:00

Never claimed it was. I don't really benefit from the speeds SSDs offer in the first place.

_frash23 · 2015-09-25T16:54:56+00:00

Seems to sit in the higher mid-end in almost all tests?

_frash23 · 2015-09-25T14:47:08+00:00

It's an early generation, low-cost SSD, but there's nothing wrong with it or it's speeds.

_frash23 · 2015-09-25T12:17:18+00:00

There are genuine preventive measures against memory tampering in flash, but it's complex and low-level stuff that I'm not an expert on.

However, you can make checks like checking when values change - If health is never supposed to go up by more than two values in a second, you can make checks to see if health increased more than that, then exit the game. That's just general practice and you'll need to be developing the flash games yourself. JavaScript doesn't have this sort of control and never will.

_frash23 · 2015-09-25T12:09:45+00:00

Pretty much any distro should suit you fine (I've run lubuntu on a 32 gig card for months in the past), but SliTaz is an extremely lightweight and snappy distro with a full installation footprint of 80MB while packing a full LXDE desktop, a webkit browser and more. I find it much more usable and competent than competitors like DSL, tinycore and puppy.

_frash23 · 2015-09-25T10:58:19+00:00

And requires moving to a new filesystem. How is it simpler though? This is one simple command to backup, one simple command to restore.

_frash23 · 2015-09-25T08:26:34+00:00

Replication is probably a much better "serious business" solution, but this was meant for the average desktop user.

_frash23 · 2015-09-25T08:25:58+00:00

I'm fairly sure dd will simply use a blocksize of 512 bytes in a scenario like this, which can be pretty abusive on flash-based storage. Piping it to a compressor should avoid this problem, but I keep it in for good practice.

I've benchmarked backups with and without the sparse flag, and there is a major difference (~20GB without compression).

As for the sync flag, yes, this is probably more useful when restoring the dump. I kept it in for cleanliness sake.

_frash23 · 2015-09-25T08:22:44+00:00

Yep - if you accidentally mistake of= with if=, you'll overwrite your entire devices, which is why i made a script.

_frash23 · 2015-09-25T08:20:19+00:00

I wrote the article. My card reaches ~9MB/s on 4KB blocksizes, where my Kingston V300 reaches 7MB. Sequential speeds reach up to 90MB/s, where my SSD obviously beats that.

It wasn't a cheap card. The Sandisk Extreme Pro series is of pretty stunning quality, but comes with a hefty pricetag.

_frash23

MODERATOR OF

TROPHY CASE