

all these new reboots are fuckin terrible.


let me put it this way.
the police will give known violent rapists and violent racists a job.
as long as you don’t ask questions like, “is that legal?” or “should we be doing that? it feels wrong.” you will undoubtedly have a bright future in law enforcement.


> What if you rent a bare metal server in a data center?

any msp will work with your security requirements for a cost. if you can’t afford it, then you shouldn’t be using an msp.

> Or rent a VPS from a basic provider that expects you to do your own firewalling?

find a better msp. if a vendor you’re paying tells you to fuck off with your requirements for a secure system, they are telling you that you don’t matter to them and their only goal is to take your money.

> Or run your home lab docker host on the same vlan as other less trusted hosts?

don’t? IDK what to tell you if you understand what a vlan is and still refuse to set one up properly to segment your network securely.

> It would be nice if there was a reliable way to run a firewall on the same host that’s running docker.

don’t confuse reliable with convenient. iptables and firewalld are not reliable, but they are certainly convenient.

> You may say these are obscure use cases and that they are Wrong and Bad. Maybe you’re right, but personally I think it’s an unfortunate gap in expected functionality, if for no other reason than defense-in-depth.

poor network architecture is no excuse. do it the proper way or you’re going to get your shit exposed one day.
this is the second time I’ve seen a post like this.
docker has always been like this. if it’s news to you then you must be new to docker.
if you’re using the built in firewall to secure your system on your wan, you’re doing it wrong. get a physical firewall. if you’re doing it to secure your lan then you just need to put in some proper routes and let your hardware firewall sort it out with some vlans.
don’t rely on firewalld or iptables for anything.


FYI hackaday is on lemmy.


that’s almost always their strategy.


you have to understand that IBM has never been an early adopter of new technology. they have a long track record of letting other companies do all the r&d and then buying them.
this isn’t a “win”, this is “business as usual”.


good.
remove yourself from the gene pool.


nuclear power plants already use AI to run efficiently.
introducing an LLM into the equation won’t only damage infrastructure, it will kill people.



what if I can’t read or write but my mom says I’m still handsome?


that part works “ok”, but if you try to import any of the boxart or other metadata they have to be named in a specific way in order to be “found”.
out of a library in the tens of thousands of roms I barely have 500 with boxart or metadata.
the alternative is to go to each game and select the game. by hand. no thanks.
I get it, it’s far easier to have required set parameters to start with, but there’s a better way to achieve the same goal with fuzzy logic and simple prompts.


I can’t recommend it.
if you have 300+ hours to configure it and have your entire ROM library ordered in the exact way it likes, go for it.
otherwise, I’d skip it.
I really really wanted to like it, but I just don’t have the time or attention span for it.


(sits in his Lamborghini Plex while a beautiful blonde gives him a handy) I’m fine, mate. Maybe later.


I for one enjoyed the uncomfortable couches and awkward tables. it gave me plenty of places to work throughout the day where nobody could know where I was at any given moment.
I would change places after every useless meeting and nobody could find me.
my favorite place was on the second floor in a “peace” room. I’d sit in there with the lights off for half a day. even took a nap one day 🤣.


> I really don’t understand why lemmy hates ai so much.

because it’s the tool of the oligarchy that enables the oppressors who wish to enslave us.
not just fuck AI, fuck anyone that supports it.


headline is wrong. that’s a propagandist, not a journalist.


it’s far easier, and safer to have all your network config done in the network. from system migrations to securing/hardening. it’s far more efficient and effective to have a single source of truth that manages network routing and firewall rules. hell, you can even have a redundant or load balanced firewall configuration if you’re afraid of a single point of failure.
point is, firewalld and iptables are for amateur hour and hobbyists.
if you want to complain that “docker doesn’t respect system firewalls” then at least have the chutzpah enough to do it the right way from the beginning.