u/Great-Cow7256
HaGeZi blocklist format migration
FYI -
If you use HaGeZi DNS blocklists, they're deprecating their hosts and domains format lists on August 1. After that date, those URLs stop updating from the main repo.
Firewalla users are mostly unaffected. The Unbound and RPZ formats stay put with the same URLs.
The one edge case check - if you run Pi-hole or AdGuard Home behind your Firewalla and you're subscribed to a HaGeZi list in hosts or domains format, swap it for the equivalent RPZ or AdGuard format before August 1.
Browser extension users (uBlock, AdBlock) are not affected.
Driver leaves scene after e-bike hits into vehicle in Pittsburgh's South Side
wtae.comOffbeat Pittsburgh: A front-row seat to porch concerts in Morningside
triblive.comEmpress through the lock
I remember taking a trip on one of the gateway clippers when I was very very young and going through the locks, but I haven't seen this recently.
Edit - highland park bridge, taken from allegheny rivertrail park.
The boat turned around right after this, went through the lock again, and headed back downtown.
podman 6.0.0 is out. Has anyone updated from 5.7.x or 5.8.x yet?
massive changelog...
Security
- This release addresses CVE-2026-57231, where a malicious image using malformed
Enventries could cause host environment variables to leak into containers run based on the image, including the ability to use the*glob operator to leak large numbers of environment variables without knowing their exact names (GHSA-4hq8-gpf5-8p68).
Breaking Changes
- Due to breaking changes in this release, Podman v6.0.0 must be used with Buildah v1.44.0, Skopeo v1.23, Netavark and Aardvark v2.0.0, and configuration files from the container-libs repository's common/v0.68.0 release.
- Support for BoltDB databases has been dropped. Starting Podman 6 when the BoltDB database is in use will have Podman attempt an automatic migration from BoltDB to SQLite.
- Support for running on Intel Macs has been removed.
- Support for running on Windows 10 has been removed.
- Support for running on cgroups v1 systems has been removed. Please update your system to use cgroups v2.
- Support for running on iptables has been removed. Please use nftables instead.
- Support for CNI networking has been removed. Please use Netavark instead.
- Support for the slirp4netns rootless network stack has been removed. Please use Pasta instead. As part of this, the
--network-cmd-pathglobal option, only used withslirp4netns, has been removed. - Podman's configuration file parsing logic has seen a major rewrite. Please see this document for exact details.
- Podman's import path has changed from
github.com/containers/podman/v5togo.podman.io/podman/v6as part of our move into a CNCF-owned GitHub organization. - Network isolation now defaults to enabled, improving Docker compatibility and security. A special workaround for the Docker-compatible API related to isolation being disabled has been removed (#27349).
- The way the
podman quadletsuite of commands functions has been changed. Previously, Quadlets and their associated files were tracked using a.appfile, ensuring that removing a Quadlet also removed all associated non-Quadlet files. Now, Quadlets and associated files are placed in subdirectories, which should reduce bugs and make manual management of Quadlets added bypodman quadlet installmuch easier. - VMs made by
podman machineon Linux now mount volumes from the host using systemd. Volume mounts on existingpodman machineVMs on Linux have been broken by this change, and the VM will need to be recreated. - The
podman volume prunecommand now matches Docker's behavior by only pruning unused anonymous volumes. Please use the newly-added--alloption for the previous behavior (pruning all volumes). - The
podman volume listcommand now combines multiple filters using logicalANDinstead of logicalOR(meaning all filters must match for a container to be included in output) (#26786). - The
label!=filter used in many commands now combines the output of multiple instances of the filter with logicalANDinstead of logicalOR. - The
--format='{{json .Labels}}option to thepodman ps,podman pod ps, andpodman volume lscommands now prints its output as comma-separatedkey=valuepairs instead of as a JSON map, improving Docker compatibility (#21847). - The
--all-providersoption topodman machine listhas been removed, as machines from all providers can now be accessed by all commands. - The
MemorySwappinessfield ofpodman inspectis now set tonilwhen not explicitly set by the user (instead of-1), improving Docker compatibility (#23824). - The
podman commitcommand now pauses the container while committing changes, improving security by restricting concurrent modification. The prior behavior can be restored by usingpodman commit --pause=false .... - The Go bindings for the REST API have removed the redundant
nameOrIDparameter from theartifacts.Remove()function. - The minimum Go version required to build Podman is now v1.25.
Features
- All
podman machinecommands can now operate on VMs from all providers, regardless of what the current provider is set to. The provider set in the configuration only determines the provider used by newly-created VMs, and can be overridden by the newpodman machine init --provideroption. This should make operation of Mac and Windows installs mixing use ofapplehvandlibkrunVMs, orhypervandwslVMs, much easier. - A new command has been added,
podman machine os update, which updates the operating system of apodman machineVM. Please note that this is not supported with thewslprovider. - A new command has been added,
podman system hyperv-prep, allowing Windows administrators to prepare a host for their users to runpodman machineVMs using thehypervprovider. - When starting a VM with
podman machine startandpodman machine init --now, if the connection to that VM is not the default, users will be prompted whether they want to change the default to the machine that was just started. This can also be controlled by a new option,--update-connection, which controls whether the default will be updated. If the--update-connectionoption is set, a user-interactive prompt is not displayed. - The
podman machine initandpodman machine setcommands now support a new option,--import-native-ca, which, when set, causespodman machineVMs on Windows, Linux, and Mac to import the host's trusted CA certificates each time the VM boots. - The
podman execcommand now has a new option,--no-session, disabling API session tracking and database operations to increase performance (#26727). - The
podman image list --format jsoncommand now includes two new fields for each image,RepositoryandTag(#27632). - The manpages for Quadlets have been split into multiple files, one for each type of Quadlet file, and should be much more readable.
- Quadlet
.volumeunits now support three new keys,UID=andGID=(to set the UID and GID that the volume will be created with) andOptions=(to set generic volume options). - Quadlet
.containerunits now support mounting anonymous volumes (using aMount=key with no source specified) (#28497). - Two new search paths for Quadlets have been added,
/usr/share/containers/systemd/usersand/usr/share/containers/systemd/users/${UID}, to allow distributions to more easily package and distribute Quadlets (#27843). - The
podman quadlet listcommand now has a new alias,podman quadlet ls. - The
podman quadlet listcommand now has a new option,--noheading, which disables printing the table header. This is set automatically if the--formatoption is used. - The
pomdan quadlet listcommand now includes a new field in its output,Pod, which prints the pod a Quadlet.containerunit is part of. - The
podman quadlet listcommand's--filteroption now supports a new filter,status=(#28369). - The
--gpusoption topodman createandpodman runis now compatible with AMD GPUs. - The
podman create,podman run, andpodman pod createcommands can now specify volumes with a new option,nocreate(e.g.podman run --mount type=volume,src=myvol,dst=/mnt,nocreate) which will error if the specified volume does not exist, instead of creating it. - The
--log-optoption to thepodman runandpodman createnow supports a new option,label=, to attach additional labels to logged messages (only usable with thejournaldlog driver). - Many Podman commands now expose a
--tls-detailsoption, allowing custom tuning of TLS settings using acontainers-tls-details.yaml(5)file. - The
diedevent for Containers now exposes a new attribute,OOMKilled, which (if set) indicates the container was stopped due to running out of memory (#26701). - Containers can now set multiple static IP addresses by passing the
ip=option to--netmultiple times (e.g.--net mynet:ip=10.0.0.2,ip=10.0.0.3,ip=10.0.0.4). - The
podman volume prunecommand now includes a new option,--all, to prune all unused volumes, not just anonymous volumes (#24597). - The
podman volume prunecommand now includes a new option,--dry-run, which returns the volumes that would be removed but does not actually remove them (#27838). - The
podman image scpcommand now includes a new option,--format, to set the archive format used for the image transfer (#28183). - A new field has been added to
containers.conf,default_host_ips, to set the default host IP that ports are forwarded from if an IP is not specified by the user (#27186). - The
podman image trustsuite of commands now support a new--signature-policyoption, which is mandatory forpodman image trust set. - Events now include artifact lifecycle events (
create,pull,push, andremove) (#27260). - A new experimental option for the
rootless_port_forwarderfield incontainers.confhas been added,rootless_port_forwarder="pasta". When set, rootless bridge networks will use Pasta's kernel-level port forwarding via Pesto instead of rootlessport, preserving the original client source IP in network traffic in rootless containers. The default remainsrootlessport(the default for Podman 5.x), but we will investigate switching at a later date when stability is more certain. - A new filter has been added to the
podman psandpodman container prunecommands,--filter annotation=, to filter containers based on their annotations (#28562). - The
podman network createcommand's--routeoption can now create blackhole, unreachable, and prohibit routes to prevent containers from reaching certain networks (e.g.podman network create --route10.20.30.40/24,blackhole...) (#20022). - Add support for blackhole, unreachable, and prohibit route types in podman networks. Supported since netavark 2.0.
- The
podman infocommand now reports CDI spec directories and discovered CDI devices. - Events generated by pods and volumes now include the pod/volume's labels as attributes, matching the behavior of container events (#26480).
Changes
- VMs created by
podman machinenow mount the host's user configurations (e.g.~/.config/containerson Linux) into the machine at/etc/containers, allowing users to edit the config files controlling Podman's behavior directly. - The default
podman machineprovider on Macs has been changed tolibkrun. - Starting and stopping
podman machineVMs on Windows with thehypervprovider no longer requires administrator privileges (creating machines still requires admin, however). Operations requiring elevated privileges will prompt for administrator access. Please note that this only works with newly-created VMs. - The
podman pod inspectcommand now prints arrays in its output in deterministic order. - The
podman machine os applycommand has been updated, and now usesbootc switchto apply changes. All transports supported bybootc switchcan be used for the new image to apply. - An experimental feature has been added where, on systems using Kernel 6.18 and newer, rootless Podman will no longer need to create a pause process to hold open the rootless user namespace, instead using an
nsfsfile handle. This behavior is currently gated behind an environment variable,drop-pause-process, being set. - Containers created with
--net=hostwill now use127.0.0.1for theirhost.containers.internaladdress, instead of a public IP of the machine (#27823). - Containers in multiple networks now have these networks configured in a deterministic order based on the order they were passed on the command line.
- When building an image with process substitution, such as
podman build -f <(<<<"FROM scratch"), an empty temporary directory is now used as the context directory (#28113). - In Podman versions 5.x and under, image IDs (for both OCI and Docker v2s2 images) were always equal to the SHA256 digest of the image's config data. A future version of Podman will add support for non-SHA256 digests, and image ID format will change for images that are not using the SHA256 digest. The exact format of the new IDs has not yet been decided, but the assumption that image IDs are valid hashes will no longer be true in future Podman versions.
Bugfixes
- Fixed a bug where creating a Quadlet from a templated
.containerfile that was part of a pod would incorrectly add a dependency on the template used for the container to the pod (#27844). - Fixed a bug where Quadlet
.podfiles would unconditionally setRestart=on-failureeven when the user specified an alternative restart policy (#28081). - Fixed a bug where starting a
podman machineVM on Windows using thehypervprovider would fail if the machine failed to start on first boot (#27930). - Fixed a bug where
podman machine initandpodman machine setallowed creating VMs with more CPUs than were available on the host, creating VMs that could not be started (#28322). - Fixed a bug where artifact volumes only checked the validity of the artifact when the container was started, allowing containers to be created that referenced artifacts which did not exist and thus could never be started (#27747).
- Fixed a bug where containers with environment secrets could lose the value of the secret after a restart under some circumstances (#28075).
- Fixed a bug where the
podman container restore --publishcommand would silently ignore the--publishoption instead of erroring when used without the--importoption or a checkpoint image. - Fixed a bug where running nested rootless Podman containers on Windows using the
wslprovider was not possible (#27411). - Fixed a bug where the
podman container clonecommand would fail with containers created with environment secrets (--secret type=env,...) (#28130). - Fixed a bug where creating a container with the
tag=log option (--log-opt tag=mytag) was allowed when a log driver other thanjournaldwas selected. - Fixed a bug where the output of
--helpwith some commands was incorrectly formatted (#28178). - Fixed a bug where containers in pods with multiple volume mounts could have mount options from one volume mount leak to other mounts.
- Fixed a bug where the remote Podman client's
podman versioncommand would error if the server could not be connected to (e.g. thepodman machineVM was shut down). In this case, client version is now printed (#28222). - Fixed a bug where rootless Podman would display errors and refuse to launch if the pause process was killed and its PID recycled to another process (#28157).
- Fixed a bug where running
podman kube generateon a container including volumes with.characters in their names produced invalid YAML (#27620). - Fixed a bug where patterns in
.containerignoreand.dockerignorefiles that began or ended with slashes were silently ignored during remote builds (#25458). - Fixed a bug where healthchecks on containers created using the
--transient-storeoption would fail (#28483). - Fixed a bug where the
podman generate speccommand would panic when run on a pod with no infra container (#21609). - Fixed a bug where the
podman container inspectcommand could HTML-escape certain characters in its output (#28560). - Fixed a bug where pods with entries added to
/etc/hostscontaining multiple containers would incorrectly remove entries from/etc/hostsfor all containers in the pod when any container stopped. - Fixed a bug where hosts without
/dev/mqueuecould be unable to start containers as Podman attempted to add the device unconditionally. - Fixed a bug where inspecting networks without a gateway set would show the gateway as
<nil>instead of the showing nothing (#28705). - Fixed a bug where creating a container or pod with port mappings including duplicated host ports was allowed, when this configuration could never be started due to the port conflict.
- Fixed a bug where the remote Podman client was unable to connect to any host with a custom
HostNamein the user's SSH config (#25067). - Fixed a bug where the
podman inspect --type=allcommand would, when attempting to inspect multiple networks, output only one of the networks multiple times. - Fixed a bug where Quadlet
.containerfiles using thehttp_proxy=truesetting did not properly escape special characters in the environment variables added to the container when creating the systemd unit file (#28698). - Fixed a bug where containers created using the remote Podman client ignored the
log_pathsetting incontainers.conf(#28792). - Fixed a bug where the remote Podman client's
podman savecommand would fail on Linux when using the-f oci-diror-f docker-dirarguments. - Fixed a bug where
podman machineVMs on Linux would fail to mount the directories under a symlinked path into the VM (#28911). - Fixed a bug where the
podman container checkpoint --leave-runningcommand could produce inconsistent checkpoints because the rootfs and named volume diffs were performed after the processes were allowed to run for a time; the container is now paused until the checkpoint is fully complete. - Fixed a bug where the
podman kube playcommand would incorrectly set memory limits if the user specified the limit as a fractical BinarySI quantity (e.g.1.5Gi) (#28789).
API
- An improvement pass has been made over API documentation to document fields which were missing documentation. Look forward to more API documentation improvements in future releases!
- The supported Docker Compatible API version has been bumped to v1.44.
- All API requests that accept JSON body parameters will no longer error if an empty body is provided.
- The Compat List endpoint for Containers now includes a new field in its output,
Health, providing information on the status of the container's healthcheck (#27786). - Added a new API,
POST /libpod/local/artifacts/add, for loading artifacts from the local system (not requiring transmission of a tarball). - The
POST /libpod/local/imagesendpoint for loading images from the local system now requires that thepathquery parameter is an absolute path, not a relative path. - The Libpod Pull endpoint for Images can now report pull progress when the
pullProgressquery parameter is set totrue. - The Libpod Pull endpoint for Images now returns error status codes on failure to pull imges, instead of always returning HTTP 200.
- Fixed a bug where the
subpathoption for volumes when creating containers was ignored (#27171). - Fixed a bug where the Libpod Create endpoint for Containers ignored the
OCIRuntimefield. - Fixed a bug where the Compat Create endpoint for Containers returned a 500 (not a 409) when attempting to create a container with a name that was already in use.
- Fixed a bug where the Compat Create endpoint for Containers incorrectly handled CDI-qualified entries in
HostConfig.Devices, greatly improving the reliability of CDI devices when using the Compat API. - Fixed a bug where the Compat Info endpoint did not return the location of the Seccomp profile if a non-default profile was in use (#28379).
- Fixed a bug where the Compat List endpoint for Containers could return an invalid string for container status (#28359).
- Fixed a bug where the Compat List endpoint for Containers did not include the
HostConfigfield in its responses. - Fixed a bug where the Compat Wait endpoint for Containers would hang indefinitely when waiting for the
next-exitcondition (#28514). - Fixed a bug where the Compat and Libpod Update endpoints for Containers would clear the rlimits of the container if they were not explicitly set in the API request.
- Fixed a bug where the Compat Push endpoint for Images did not return a final JSON object including tag, digest, and size of the pushed image, as Docker does.
Misc
- Autocomplete has been enabled for inspecting artifacts with
podman inspect. - Updated Buildah to v1.44.0
- Updated the image library to v5.40.0
- Updated the storage library to v1.63.0
- Updated the common library to v0.68.0
Ente GitHub repo changed names seemingly just today, causing repo pull errors.
From ente-io to just ente. Took me 10 minutes to figure out why my Podman containers kept throwing errors with podman auto-update.
This affects docker users too.
If you pull ente from GitHub with podman or docker, make sure to change from ente-io to just ente in the repo name.
Remember the guy who gets in the news complaining about how stuff is ruining Italian South Oakland?
The one who lives in Hawaii most of the year?
This is what his latest stink was about.
Totally ruined this part of South O. /s
remote LUKS unlock + TPM auto-unlock on Ubuntu 26.04 (Dracut), is it possible?
I'm setting up a headless home computer on an Intel 13 NUCs running Ubuntu 26.04 server.
I was thinking of using LUKS to encrypt the drive and bind it to TPM7 (or maybe 1+7), but this will be headless and I don't want to have to run over with a monitor and keyboard every time something changes to put in the LUKS password so I can then boot in to re-bind LUKS to the TPM.
This seems to have been easier before Dracut with `dropbear-initramfs`, but I'm 99% sure that you can't mix solutions (Dracut for binding the tpm and `dropbear-initramfs` for spinning up a SSH server for failover/password entry.
What have people done to solve this? Or am I making things way too complicated by a) using LUKS and b) not seeing a way to mix Dracut and `dropbear-initramfs`.
thanks!
remote LUKS unlock + TPM auto-unlock on Ubuntu 26.04 (Dracut), is it possible?
I'm setting up a headless home computer on an Intel 13 NUCs running Ubuntu 26.04 server.
I was thinking of using LUKS to encrypt the drive and bind it to TPM7 (or maybe 1+7), but this will be headless and I don't want to have to run over with a monitor and keyboard every time something changes to put in the LUKS password so I can then boot in to re-bind LUKS to the TPM.
This seems to have been easier before Dracut with `dropbear-initramfs`, but I'm 99% sure that you can't mix solutions (Dracut for binding the tpm and `dropbear-initramfs` for spinning up a SSH server for failover/password entry.
What have people done to solve this? Or am I making things way too complicated by a) using LUKS and b) not seeing a way to mix Dracut and `dropbear-initramfs`.
thanks!
Switching from early/beta back to production...
I think it's straightforward but wondering if Firewalla can add this to the bottom of their beta pages (if it's not there... I didn't see it but I may have missed it)
Go into the AP7s one by one and change from early/beta back to production. It'll take a few minutes for these to switch back.
Go into the firewalla itself and switch from early/beta back to production. This will also take a few minutes.
What about the app? (I'm on android). Should I go into play store and "leave" the beta program?
I made a script to smoothly upgrade Podman on Ubuntu from source – with a safe rollback (tested on 5.7.0 → 5.8.3)
Apt on Ubuntu 26.04 ships Podman 5.7.0 and Ubuntu doesn't update Podman until its next release (which will be 26.10), and most likely even the 26.10 version of Podman will be "behind" the newest release on Github.
I wanted to try and install 5.8.3, the newest version, from Github without breaking anything just to see if I could do it, and, for the future, to keep up to date with changes in Podman.
After manually building from source a few times (and once accidentally logging myself out by stopping the wrong services... oops), I wrote a script to automate the whole process safely.
What it does:
- Pulls a Podman release tag from GitHub (e.g., v5.8.3), builds it, and installs it to /usr/local.
Your original system binary at /usr/bin/podman is never touched, so you always have a fallback.
- Supports --rollback to instantly revert to the apt-managed version.
- has a --fresh-install mode if you don’t have Podman installed at all and you want to install the newest Github version.
- Only stops podman.service and podman.socket (the script learned its lesson: it never touches your login session).
- Has full error recovery - if the build or install fails, it automatically removes any half-installed files and leaves your existing Podman working.
I ran this on two Intel 13i7 nuc machines with Ubuntu 26.04 and Podman 5.7.0.
- Successfully upgraded to 5.8.3.
- then rolled back to 5.7.0 (the rollback flag works perfectly).
- then updated again to 5.8.3.
- and I did not cry or swear, even once.
All containers and Quadlet services came back fine.
The “please be careful” part:
this compiles and installs a system binary. It’s not an apt package, and that inherently carries some risk.
- Back up your containers, volumes, and anything you care about.
- It’s only been tested on Ubuntu 26.04 / Podman 5.7.0. If you’re on a different distro, another version of Ubuntu, or a different target version, check that your build dependencies are new enough (the script doesn’t verify that for you).
- I’m not responsible if something melts.
I turned my collection of rootless Podman Quadlets .container files into a public repo
After migrating everything to rootless Podman with Quadlets on Ubuntu 26.04 (Podman 5.7.0), I cleaned up the configs and put them on GitHub. they all ready to deploy with systemctl --user start. Every .container file comes with hardening and tmpfs options commented out to increase compatability, and secrets are pulled from separate .env files.
Included so far: Audiobookshelf, BentoPDF, ConvertX, Homepage Dashboard, Omni-tools, Stirling-PDF, Syncthing, Tdarr (server + remote node), Uptime Kuma, Vert File Converter, Podman Socket Proxy, a full ADSB Ultrafeeder stack (Airspy/dump978 receivers, Ultrafeeder, and feeders for FR24, OpenSky, PlaneFinder, RadarBox, PlaneWatch, ADSBHub, RadarVirtuel, PlaneFence), Plex + Tautulli, Calibre (GUI & Web), Ente Auth, Immich (with optional Google Photos sync & internet public proxy), MinusPod CPU (with optional OpenVINO transcriber), and Paperless NGX.
Everything’s been running reliably on my homelab — hope it saves someone else some time. Feedback and PRs welcome!
I use an Intel box, and a beefy one at that, so everything is optimized for its GPU and memory, but in podman most of this is adjustable.
if there's a container that you want me to try and get working as rootless instead of rootful, or if you're having problems converting something from a Docker, let me know under Issues in github.
PIT Airport's microgrid, in the news twice over the past few days
PIT has a large solar array (10,000 panels) and multiple (5) tiny natural gas electric plants. It made the news twice in the last few days -
- https://flypittsburgh.com/microgrid-power-outage/ The electrical storm on June 11 -
>Safety and security are always the top priority along with resiliency, which is why we operate a microgrid to ensure we are as site-hardened as possible.
This afternoon, the storm produced a power surge that was so extraordinary that it triggered safety breakers from the traditional electrical grid power feed as well as our microgrid.
We were able to partially restore power in under an hour and fully restore power in under 90 minutes. Because of our microgrid, we were able to restore that power much more quickly and potentially prevented a significantly longer outage.
Our microgrid and the traditional grid functioned as intended with safety features, the electrical breakers, acting to stop the surge before it could do damage to our systems.
Throughout this issue, the airfield and air traffic control tower were not affected, maintaining power throughout because of redundant feeds. As a result, planes were able to land and takeoff at PIT resulting in no cancellations due to the outage.
- NPR Shortwave podcast https://www.npr.org/2026/06/17/nx-s1-5814725/is-sewage-the-future-of-green-aviation
End of the podcast (about sustainable aviation fuels) mentioned PIT's microgrid and how it's being used to help advance sustainable aviation fuels.
PITs own info about their microgrid. I think they're missing a prefix in front of "watt" because a 23 watt microgrid could probably be made by getting a lot of Costco size bags of potatoes... https://flypittsburgh.com/acaa-corporate/our-impact/strategic-initiatives/energy/ I'm 99% sure it's megawatt.
Edit -- oops, you'd need like 19,000 potatoes. Forget my idea of taking over the world with a few Costco potato sacks.
Bicycle rider injured after being hit by car in Lower Burrell
>A man was taken to the hospital after being hit by a car while riding a bicycle in Lower Burrell Wednesday afternoon.
>Emergency responders reported to the intersection of Leechburg Road and Reed Street at around 2 p.m.
>Lower Burrell Police sergeant Scott Miller said an older man was riding a pedal bike on Leechburg Road when he was hit from the side by an oncoming car. The driver stayed on scene to speak with police.
>A medical helicopter was initially called to the scene, but was canceled.
>“They were going to fly him,” Miller said. “Now they’re going to drive him, so that’s a good sign.”
>Officials started to clear the scene around 2:30 p.m.
>Miller said police would be continuing their investigation and taking witness statements after the incident.
>
Updated my quick Suricata + Eve Box container setup (Great test drive if you're eyeing the Gold Pro!)
If you’ve been on the fence about whether stepping up to the Gold Pro hardware is in the cards for you, this project serves as a perfect, though limited, introduction to exactly what Suricata does under the hood.
A few things to keep in mind if you play around with it:
Suricata is an absolute firehose of information. Running it raw will quickly show you just how much noisy data flies across a network.
Every enterprise provider (like Firewalla) uses a carefully tuned, proprietary mix of rules and specific actions on those rules.
There is a massive balancing act between the depth of the rule sets you load and the sheer processing power/memory required to parse that traffic in real time without bottlenecking your network (which is exactly why it demands the beefier specs of the Gold Pro). You can dumb it down for less beefy equipment but then the rulesets can be pretty worthless as a tradeoff
This sample project is purely a playground to get a feel for the data and the UI. It is not meant to replace a real, hardened Suricata instance or a dedicated security gateway. There is a dedicated suricata website with a ton of info too.
Also just to make this clear- do NOT run this on your Firewalla. This needs to go on a server/homelab/regular computer.
Plum Council President stands by Pride Month comments despite backlash
Oh Plum. You're so... Plum.
GitHub - upmcplanetracker/nts-for-firewalla: Enable Chrony NTS for NTP intercept on Firewalla
one more big update of my firewalla github trinity - very much beefed up the ability to run Chrony/NTS on Firewalla with many different lan configurations taken into account.
Basically:
Time in the sky <-----NTS/secure----> Firewalla <---NTP/not secure/intercept---> everything behind the firewalla/on your lan(s)
since NTS intercept is almost impossible to do it gives you secure NTS via your firewalla ntp intercept.
Thoughts or comments welcome. I've really made this a lot more robust.