It’s certainly existed for years and it’s a nice release, such as it is. However, the absolute lack of IPv6 and abject refusal to incorporate WireGuard for ReasonsTM led to me going back to OpenBSD and OpenWRT, personally. They seem to have a WIP towards finally incorporating WireGuard, but IPv6 is still AWOL, which is fatal for my use-case.
- 0 Posts
- 13 Comments
Joined 2 years ago
Cake day: June 20th, 2023
You are not logged in. If you use a Fediverse account that is able to follow users, you can follow this user.
You can force Firefox to display dark mode in web content (even with privacy tweaks enabled to resist fingerprinting or tracking), by setting the two following hidden prefs in your
user.js:// PREF: enable a Dark theme for browser and webpage content // [TEST] https://9to5mac.com/ user_pref("ui.systemUsesDarkTheme", 1); // HIDDEN user_pref("browser.in-content.dark-mode", true); // HIDDEN
Yes of course. I hadn’t slept when I replied, how embarrassing to miss that. You can enable CNAME uncloaking in Brave, which I suspect draws them to a parallel. It would be interesting to see the test repeated with the setting enabled. Since one has to (or had to) enable it in uBO also, it would only be fair to compare apples to apples. As I said, the blocker in Brave is based on uBO anyway. To be clear, and as I’ve said before, I’ve daily driven Firefox since the beginning and run uBO in medium mode. I’m not shilling for Brave here, simply pointing out that the differences are small (much of the code is shared with uBO) and it does certainly render faster.
Brave isn’t represented anywhere on the graph? Unless I’ve misunderstood you. That’s a comparison of Firefox with various ad blockers, and uBO with and without CNAME unclocking enabled. Brave also uncloaks CNAMEs, so that’s one place they are equal. Chromium based browsers do lack some abilities compared to Firefox, however. I have daily driven Firefox since the first day, but Brave and Blink/Chromium based browsers are undeniably faster at rendering (unfortunately).
And thirdly, I have seen no mention of anything like ublock’s blocking modes (block 3rd party scripts/frames). Can you quickly select an element to block in brave?
You can enter as many custom filter rules as you like, with adblock syntax support. You can select an element to block, yes.
A baked-in content blocker like that of braves loses because it isn’t extensible.
In what way? I use(d) Firefox since the very first Firebird days, and Netscape Navigator before it, and I’m practically married to uBO (don’t tell my wife!). That said, Brave’s ‘shields’ blocker is just skinned uBO with some tweaks. It can add custom cosmetic filtering rules, additional adblock format filter lists, disable or enable JS (globally or per-site) and has built in fingerprint resistance. Aside from the differing UI, I genuinely can’t think of anything overtly missing as such.
18·1 year agoTo speed up DNF:
/etc/dnf/dnf.conf ... max_parallel_downloads=5 max_parallel_connections=20I have found that RHEL/Rocky/Alma are very much faster at updating using DNF than Fedora, though I don’t know why.
8·1 year agoI’m older than some in here, I think (judging by the answers). For me, a couple of the things on steakandcheese.com and rotten.com (back in its early days, not the later milder days), cartel videos, beheadings, hangings etc. The standout though was a video called ‘Terrorists, Killers & Middle East Wackos’… Grim stuff. From Wikipedia:
Terrorists, Killers and Middle-East Wackos (also Terrorists, Killers and Other Wackos in the UK) is a shockumentary video from the makers of Bumfights. It includes footage of riots, suicides, executions, and the televised suicide of R. Budd Dwyer. All the scenes included are real scenes of death and suffering. The Bumfights website store touts the video as “One hour of the sickest images ever put to film.”
I was young and dumb once, but I actively avoid things like that nowadays. There’s knowing how things happen in the real world, and there’s traumatising and desensitising yourself to the worst depravities possible for… reasons? Just no. You can’t unsee some things, and some things shouldn’t ever enter your consciousness at all (unless you’re really unlucky IRL…).
Even Hagezi’s most basic list blocks a lot more than OISD, and still no false positives. See a comparison (run over the top 10,000 websites) here.
DNS blocking is heavily dependent on the blocklist(s) you use. It’s entirely possible to block >95% of crapware, and break companies’ ability to track you without compromising usability.
Having used both for a lot of years, I’d say look instead at AdGuard Home. It is also FOSS but supports more out of the box; including certificate management, the ability to use encrypted DNS both upstream and downstream without need for third party software (cloudflared), the ability to use adblock filter syntax (lists are 200k lines instead of 2 million lines, but actually block more), and so on. PiHole has some improvements pending in the next version, but it’s not there yet in comparison, imho.
I’d also strongly suggest you check out Hagezi’s DNS blocklists, as they’re pretty much set and forget. They’re intended to be used as your only block list, and do an excellent job (see testing in the Discussions on their GitHub). Use the Normal list if you don’t want to deal with false positives occasionally, and the Pro++ list if you don’t mind getting your hands dirty (whitelisting occasionally) and want to block every last scrap of annoyance and anti-privacy crapware on the web. Both will significantly improve your online experience.
Not according to PrivacyTests.org. It lacks a lot of state partitioning, amongst other things. Just FYI, the front end UI is closed source, but the backend/engine is open source, because they’re just another chromium spin off.
Here’s mine, if this helps? I have WireGuard running on an Alpine LXC on my LAN, and use it to connect back home. I can SSH to or use resources from any other machine on the LAN while connected. You’ll need to amend the include rules to match whatever distro you’re using (the paths will be different), and you can add whatever rules you wish under the LAN section to allow local access to the WireGuard ‘host’ for other services (eg SSH).
There’s also a lot of useful info on the Pro Custodibus blog.
#!/usr/sbin/nft -f flush ruleset define pub_iface = "eth0" define wg_iface = "wg0" define wg_port = "51820" table inet my_table { set LANv4 { type ipv4_addr flags interval elements = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 } } set LANv6 { type ipv6_addr flags interval elements = { fd00::/8, fe80::/10 } } chain my_input_lan { ip6 daddr fe80::/64 udp dport dhcpv6-client accept comment "Accept DHCPv6 configuration" udp dport netbios-ns accept comment "Accept NetBIOS Name Service (nmbd)" udp dport netbios-dgm accept comment "Accept NetBIOS Datagram Service (nmbd)" tcp dport netbios-ssn accept comment "Accept NetBIOS Session Service (smbd)" udp sport { bootpc, 4011 } udp dport { bootps, 4011 } accept comment "Accept PXE" tcp dport ssh accept comment "Accept SSH on port 22" } chain my_input { type filter hook input priority 0; policy drop; iif lo accept comment "Accept any localhost traffic" ct state invalid counter drop comment "Drop invalid connections" ct state established,related accept comment "Accept traffic originated from us" tcp dport 113 reject with icmpx type port-unreachable \ comment "Reject AUTH to make it fail fast" # ICMPv4 ip protocol icmp icmp type { echo-reply, # type 0 destination-unreachable, # type 3 echo-request, # type 8 time-exceeded, # type 11 parameter-problem, # type 12 } accept \ comment "Accept ICMP" # ICMPv6 icmpv6 type { destination-unreachable, # type 1 packet-too-big, # type 2 time-exceeded, # type 3 parameter-problem, # type 4 echo-request, # type 128 echo-reply, # type 129 } accept \ comment "Accept basic IPv6 functionality" icmpv6 type { nd-router-solicit, # type 133 nd-router-advert, # type 134 nd-neighbor-solicit, # type 135 nd-neighbor-advert, # type 136 } ip6 hoplimit 255 accept \ comment "Allow IPv6 SLAAC" icmpv6 type { mld-listener-query, # type 130 mld-listener-report, # type 131 mld-listener-reduction, # type 132 mld2-listener-report, # type 143 } ip6 saddr fe80::/10 accept \ comment "Allow IPv6 multicast listener discovery on link-local" ip6 saddr fe80::/10 udp sport 547 udp dport 546 accept \ comment "Accept DHCPv6 replies from IPv6 link-local addresses" ip protocol igmp accept comment "Accept IGMP" udp dport mdns ip6 daddr ff02::fb accept comment "Accept mDNS" udp dport mdns ip daddr 224.0.0.251 accept comment "Accept mDNS" ip6 saddr @LANv6 jump my_input_lan comment "Connections from private IP address ranges" ip saddr @LANv4 jump my_input_lan comment "Connections from private IP address ranges" udp sport bootpc udp dport bootps ip saddr 0.0.0.0 ip daddr 255.255.255.255 accept comment "Accept DHCPDISCOVER (for DHCP-Proxy)" # Accept all WireGuard packets received on a public interface iifname $pub_iface udp dport $wg_port accept # Accept all DNS packets from wg clients sent to a DNS server running on the same local server (i.e. if running DNS and WG on the same VPS). # Doesn't seem necessary if the DNS is just on a separate server on the LAN. iifname $wg_iface tcp dport 53 accept iifname $wg_iface udp dport 53 accept counter comment "count dropped packets" } chain forward { type filter hook forward priority 0; policy drop; ct state vmap { invalid : drop, established : accept, related : accept } iifname $wg_iface oifname $pub_iface accept reject with icmpx type host-unreachable } chain my_output { type filter hook output priority filter; policy accept; # Accept every outbound connection } } table inet nat { chain postrouting { type nat hook postrouting priority 100; policy accept; iifname $wg_iface oifname $pub_iface masquerade } } # The state of stateful objects saved on the nftables service stop. include "/var/lib/nftables/*.nft" # Rules include "/etc/nftables.d/*.nft"