#nixos-on-your-router on 2019-03-28

01:56 <gchristensen> I have a VM running with tap0

01:56 <gchristensen> I'd like it to not be able to chat with any devices on my network, only public IPs

01:56 <gchristensen> so I tried this, but.. $ sudo ip route add blackhole 10.0.0.0/8 dev tap0

01:56 <gchristensen> RTNETLINK answers: Invalid argument

01:58 <gchristensen> any suggestions on how to do this?

02:01 <gchristensen> hmm maybe iptables

02:07 <cransom> iptables in the output table, yeah.

02:08 <gchristensen> how about FORWARD table?

02:08 <gchristensen> sudo iptables -I FORWARD -i tap0 --dest 192.168.0.0/16 -j DROP is what I'm trying

02:08 <cransom> unless you have a really great plan and real need for it, doing security in the routing table is probably a bad idea.

02:09 <gchristensen> sure, that seems reasonable

02:09 <gchristensen> what should I look at instead?

02:09 <cransom> ah, yeah. that would do as well.

02:10 <gchristensen> oh

02:10 <gchristensen> you're saying use iptables, not routes

02:11 <cransom> i was thinking you would use the output since that's where i thought you were modifying the table

02:11 <cransom> yes, use the firewall.

02:11 <gchristensen> coo/

02:11 <gchristensen> cool

02:12 <gchristensen> https://gist.github.com/grahamc/abf2de84b5aaae661bbacd06ab9a55d1

02:14 <cransom> didn't you already have a setup like this to segregate the mac builders somewhere?

02:15 <gchristensen> I do that with vlans

02:15 <gchristensen> I'm reconsidering how builders build, and this is part of it

02:15 <cransom> tap, vlan, same thing.

02:16 <gchristensen> ah

02:16 <gchristensen> well I don't restrict the builders at all beyond being on their own vlan

02:16 <gchristensen> :)

02:16 <cransom> all made in taiwan/all layer3 interfaces

02:16 <gchristensen> anyway, the next round of builders will be much more locked down / assumed to be malicious

02:17 <gchristensen> (in fact, I'd love to have people try to break them once I have something to try)

02:17 <cransom> unless you were doing layer2 only, then you get into ebtables world.

02:20 <gchristensen> I wouldn't blow too hard on the security measures of the builders.

02:20 <gchristensen> next round, yes please

02:21 <gchristensen> thank you, cransom :) good night!

04:44 pie___ has joined #nixos-on-your-router

04:47 pie__ has quit [Ping timeout: 246 seconds]

07:26 pie__ has joined #nixos-on-your-router

07:28 pie___ has quit [Read error: Connection reset by peer]

13:05 mmlb977450 has quit [Ping timeout: 250 seconds]

14:38 mmlb977450 has joined #nixos-on-your-router

15:26 andi- has quit [Ping timeout: 258 seconds]

15:38 andi- has joined #nixos-on-your-router

15:44 andi- has quit [Excess Flood]

16:48 andi- has joined #nixos-on-your-router

17:41 andi- has quit [Ping timeout: 255 seconds]

17:48 andi- has joined #nixos-on-your-router

21:52 Guanin has joined #nixos-on-your-router

22:14 Guanin has quit [Quit: Leaving]

22:14 Guanin_ has joined #nixos-on-your-router

22:28 mmlb9774508 has joined #nixos-on-your-router

22:29 mmlb977450 has quit [Ping timeout: 246 seconds]

22:40 mmlb9774508 has quit [Ping timeout: 250 seconds]

22:52 mmlb9774508 has joined #nixos-on-your-router

22:56 Guanin_ has quit [Quit: Leaving]