• 0 Posts
  • 82 Comments
Joined 2 years ago
cake
Cake day: June 16th, 2023

help-circle










  • More incus:

    • mounting persistent storage into containers (cheating by exporting NFS from my proxmox zfs into the incus host.
    • wrote a pruning backup script for containers, runs daily, keeps last 7 days and the first of the month
    • passed through hardware (quicksync) into jellyfin container (it works!)
    • launched an OCI container (docker home assistant) natively in incus (this is a game-changer!)

    Next:

    • build 2nd incus node
    • move all containers from proxmox to incus
    • decom proxmox
    • setup Debian with NFS export







  • That is not normal. I have much the same setup, sabnzbd, Plex, jellyfin, sonar, radar. They all run under a particular user and their /opt and /var/lib folders don’t ‘revert’ to their old ownership and permissions.

    Either something is watching those folders and setting permissions, or some kind of immutability is in play, but permissions normally don’t revert like that.



  • Because NAT acts as a firewall with a “default deny” policy for incoming packets, but no other rules. You cannot prevent a device on the private subnet side of a NAT from attempting to communicate with an “outside” ip with nat alone, nat doesnt understand the concepts of accept/deny/drop.

    All nat does is rewrite address headers.

    The machines behind a NAT box are not directly addressable because they have private IP addresses. Machines out on the general Internet cannot send IP packets to them directly. Instead, any packets will be sent to the address of the NAT box, and the NAT box looks at its records to see which outgoing packet an incoming packet is in reply to, to decide which internal address the packet should be forwarded to. If the packet is not in reply to an outgoing packet, there’s no matching record, and the NAT box discards the packet.

    It’s a confused topic because for a lot of people, nat does essentially everything they want. As soon as you get into more complex networking where a routing table needs to be updated, or bidirectional fw rules, it becomes apparent why routing + fw + nat is the most common combo.