[10:52:11]
<Yunohost Git/Infra notifications> [yunohost] alexAubin created new branch trash-packaging-v1
[10:52:11]
<Yunohost Git/Infra notifications> [yunohost] alexAubin pushed 1 commit to trash-packaging-v1: Trash support for packaging v1 ([adb88b8c](https://github.com/YunoHost/yunohost/commit/adb88b8c808af6f684dd0bc631b0b35091900c7f))
[12:15:32]
<Yunohost Git/Infra notifications> [yunohost] alexAubin opened [pull request #2008](https://github.com/YunoHost/yunohost/pull/2008): [Trixie] Trash support for packaging v1
[13:23:21]
<Salamandar> Is there a reason (apart from migration costs) to keep using iptables instead of nftables ?
[13:24:31]
<Salamandar> https://wiki.debian.org/nftables#Current_status
[13:33:01]
<Aleks (he/him/il/lui)> not really ... i guess nftables is just less straightforward ? (and it's network config stuff so urhg @_@)
[13:33:19]
<Aleks (he/him/il/lui)> also apps like vpnclient / hotspot are likely to also call iptables commands
[13:42:08]
<Salamandar> > <@Alekswag:matrix.org> not really ... i guess nftables is just less straightforward ? (and it's network config stuff so urhg @_@)
looks to me like it's "more" straightforward as it's just dropping configuration files
[13:42:21]
<Aleks (he/him/il/lui)> hmokay ?
[13:42:22]
<Salamandar> > <@Alekswag:matrix.org> also apps like vpnclient / hotspot are likely to also call iptables commands
that could be replaced with configuration files for those apps (so, easier to maintain)
[13:42:34]
<Aleks (he/him/il/lui)> oh cool okay
[13:42:49]
<Salamandar> (that's what i understood anyways)
[13:51:59]
<Aleks (he/him/il/lui)> https://officialaptivi.wordpress.com/2024/10/08/debian-trixie-no-longer-provides-32-bit-installers/
[13:52:08]
<Aleks (he/him/il/lui)> No i386 32 bit for trixie ?
[13:57:07]
<Salamandar> > even the most recent 32-bit only processors
[13:57:09]
<Salamandar> > **recent**
[14:00:29]
<Salamandar> https://en.wikipedia.org/wiki/Pentium_4
[14:00:41]
<Salamandar> > The first Pentium 4-branded processor to implement 64-bit was the Prescott (90 nm) (February 2004
[14:01:01]
<Salamandar> https://www.overclock.net/posts/29204232/
[14:01:03]
<Salamandar> grmblblbl
[14:01:13]
<Salamandar> > Jun 18, 2023
> I'm running 32-bit XP
[14:01:19]
<Salamandar> is this person crazy ?
[14:02:20]
<Salamandar> We could run a poll on the forum ^^
[14:22:46]
<Yunohost Git/Infra notifications> [yunohost] alexAubin pushed 1 commit to trash-packaging-v1: Trash support for packaging v1 ([2bb084b5](https://github.com/YunoHost/yunohost/commit/2bb084b5b300259e6f429d88c0d1670bd0a917e9))
[15:04:18]
<Salamandar> hmmm we could also leverage microupnpd instead of handling upnp ourselves…
[15:25:49]
<Salamandar> (actually we could already use the `miniupnpd-iptables` debian package)
[15:26:08]
<Salamandar> (actually the more i read the upnp code the less i understand what it's supposed to do and what problem it is supposed to solve)
[15:27:25]
<Salamandar> (and on my setup it basically never worked anyways…)
[15:30:21]
<Aleks (he/him/il/lui)> you mean firewall.py ?
[15:30:41]
<Aleks (he/him/il/lui)> it's like the most unmaintained .py of yunohost ...
[15:30:57]
<Aleks (he/him/il/lui)> and yeah it's spaghetti
[15:31:13]
<Aleks (he/him/il/lui)> and it auto-disables itself forever the first time it doesn't work
[15:31:18]
<Aleks (he/him/il/lui)> and i don't know how to even test it because you need a box that supports upnp and i don't know if mine does
[15:31:56]
<Salamandar> the upnp bit
[15:32:19]
<Salamandar> > <@Alekswag:matrix.org> and i don't know how to even test it because you need a box that supports upnp and i don't know if mine does
mine does
[15:32:20]
<Salamandar> but anyways
[15:32:21]
<Salamandar> https://github.com/YunoHost/yunohost/blob/b063f500b11c1fecc08c49e2bdecde4cbaaeddac/src/firewall.py#L403
[15:32:25]
<Salamandar> localport=1 can't help…
[15:32:28]
<Salamandar> that's why i don't understand *how* it could even work
[15:58:53]
<Salamandar> also for me once i fix this, it tries to set upnp on ports under 1024… pretty sure that's not supported
[15:59:08]
<Salamandar> here's my default config on openwrt
[15:59:20]
<Salamandar> https://aria.im/_matrix/media/v1/download/matrix.org/hjtGDGffobjAVzOJRyeOlZmi
[15:59:31]
<Salamandar> (yes i manually set the 10022 to check)
[16:04:52]
<Salamandar> Aaaand it works by ignoring ports under 1024
[16:05:08]
<Salamandar> ```
salamandar:salamandar:# /usr/bin/yunohost --debug firewall upnp enable
314 DEBUG acquiring lock...
340 DEBUG lock has been acquired
354 DEBUG loading python module yunohost.firewall took 0.014s
355 DEBUG processing action 'yunohost.firewall.upnp'
1596 DEBUG Running 'systemctl restart fail2ban'
2992 SUCCESS Firewall reloaded
3009 DEBUG discovering UPnP devices...
6064 DEBUG found 1 UPnP device(s)
6071 WARNING UPnP should not try ports under 1024, port 22 ignored
6072 WARNING UPnP should not try ports under 1024, port 25 ignored
6072 WARNING UPnP should not try ports under 1024, port 80 ignored
6072 WARNING UPnP should not try ports under 1024, port 443 ignored
6072 WARNING UPnP should not try ports under 1024, port 587 ignored
6072 WARNING UPnP should not try ports under 1024, port 993 ignored
6117 WARNING UPnP should not try ports under 1024, port 111 ignored
6434 WARNING UPnP should not try ports under 1024, port 111 ignored
6577 WARNING Can't use UPnP to open '1:65535'
6866 SUCCESS UPnP turned on
6867 DEBUG action executed in 6.512s
6867 DEBUG lock has been released
enabled: True
```
[16:28:51]
<Yunohost Git/Infra notifications> [issues] Salamandar labeled :birthday: feature on [issue #2497](https://github.com/YunoHost/issues/issues/2497): Revamp firewall management
[16:28:53]
<Yunohost Git/Infra notifications> [issues] Salamandar opened [issue #2497](https://github.com/YunoHost/issues/issues/2497): Revamp firewall management
[16:29:26]
<Yunohost Git/Infra notifications> [issues] Salamandar edited [issue #2497](https://github.com/YunoHost/issues/issues/2497): Revamp firewall management
[16:29:35]
<Yunohost Git/Infra notifications> [issues] Salamandar labeled :construction: refactoring on [issue #2497](https://github.com/YunoHost/issues/issues/2497): Revamp firewall management
[16:30:25]
<Yunohost Git/Infra notifications> [issues] Salamandar labeled :closed_lock_with_key: Security on [issue #2497](https://github.com/YunoHost/issues/issues/2497): Revamp firewall management
[16:30:32]
<Yunohost Git/Infra notifications> [issues] Salamandar labeled :cake: enhancement on [issue #2497](https://github.com/YunoHost/issues/issues/2497): Revamp firewall management
[16:31:09]
<Yunohost Git/Infra notifications> [issues] Salamandar unlabeled :birthday: feature on [issue #2497](https://github.com/YunoHost/issues/issues/2497): Revamp firewall management
[16:32:49]
<Aleks (he/him/il/lui)> it worked for several people on "real life" internet boxes
[16:33:16]
<Salamandar> > <@Alekswag:matrix.org> it worked for several people on "real life" internet boxes
yeah maybe they allowed ports under 1024… that is much not recommended
[16:33:30]
<Aleks (he/him/il/lui)> but yeah maybe openwrt defaults to denying upnp for port < 1024 because i guess the use case for UPnP was more "I wanna play a game on the internet and I need port 8472"
[16:34:28]
<Salamandar> that is the whole point of upnp
[16:34:46]
<Salamandar> opening port 22 is NOT
[16:34:49]
<Salamandar> it is an awful security issue
[16:34:50]
<Aleks (he/him/il/lui)> ¯\_(ツ)_/¯ yup
[16:35:00]
<Salamandar> if any (untrusted) device allows the public port 22 to be redirected to any local device… wtf ????
[16:35:14]
<Salamandar> if that's the case, the latest CUPS vuln is even worse LOL
[16:35:42]
<Aleks (he/him/il/lui)> or port 80 and then obtain a lets encrypt cert yeah
[16:36:25]
<Salamandar> yeah exactly
[20:54:21]
<Yunohost Git/Infra notifications> [issues] alexAubin [commented](https://github.com/YunoHost/issues/issues/2497#issuecomment-2526376327) on [issue #2497](https://github.com/YunoHost/issues/issues/2497) Revamp firewall management: > dont try ports under 1024 (or at least dont fail on them) The point of the UPnP integration is that people wont ne...
[20:56:02]
<Yunohost Git/Infra notifications> [issues] alexAubin [commented](https://github.com/YunoHost/issues/issues/2497#issuecomment-2526376750) on [issue #2497](https://github.com/YunoHost/issues/issues/2497) Revamp firewall management: >drop the yunohost-firewall service in favor of the nftables one ? dunno what you mean but yeah theres ufw and fire...
[20:59:40]
<Yunohost Git/Infra notifications> [yunohost] alexAubin pushed 1 commit to dev: Fix global settings, having a visible on an entire section doesnt work ? ([dce043a6](https://github.com/YunoHost/yunohost/commit/dce043a6610c2a01a6e258a1b5599274c69dacec))
[21:06:04]
<Yunohost Git/Infra notifications> [yunohost] alexAubin pushed 1 commit to dev: Update changelog for 12.0.8 ([e992bd19](https://github.com/YunoHost/yunohost/commit/e992bd19107d38de2daadd9dae3136f9b31f77f1))
[21:06:05]
<Yunohost Git/Infra notifications> [yunohost] alexAubin created new tag debian/12.0.8
[21:07:38]
<Yunohost Git/Infra notifications> 🏗️ Starting build for yunohost/12.0.8 for bookworm/stable/all ...
[21:11:54]
<Yunohost Git/Infra notifications> [yunohost] alexAubin pushed 1 commit to new-log-streaming-api: Fix angry linter ([512d1d5b](https://github.com/YunoHost/yunohost/commit/512d1d5b44075934796bcfad3e509b4532d5ffc5))
[21:19:32]
<Yunohost Git/Infra notifications> [issues] Salamandar [commented](https://github.com/YunoHost/issues/issues/2497#issuecomment-2526386872) on [issue #2497](https://github.com/YunoHost/issues/issues/2497) Revamp firewall management: > The point of the UPnP integration is that people wont need to manually configure port 22, 25, 80, 443 and 993 Yeah i...
[21:22:15]
<Yunohost Git/Infra notifications> [yunohost] alexAubin pushed 1 commit to trash-packaging-v1: Trash support for packaging v1 ([5590ca03](https://github.com/YunoHost/yunohost/commit/5590ca03906d7c5a7fbadb2a40a9c277fa9b25cc))
[21:23:51]
<Yunohost Git/Infra notifications> [issues] Salamandar edited [issue #2497](https://github.com/YunoHost/issues/issues/2497): Revamp firewall management
[21:24:30]
<Yunohost Git/Infra notifications> [issues] Salamandar [commented](https://github.com/YunoHost/issues/issues/2497#issuecomment-2526386872) on [issue #2497](https://github.com/YunoHost/issues/issues/2497) Revamp firewall management: > The point of the UPnP integration is that people wont need to manually configure port 22, 25, 80, 443 and 993 Yeah i...
[21:28:46]
<Yunohost Git/Infra notifications> [issues] Salamandar edited [issue #2497](https://github.com/YunoHost/issues/issues/2497): Revamp firewall management
[21:41:35]
<Yunohost Git/Infra notifications> ✔️ Completed build for yunohost/12.0.8 for bookworm/stable/all.
[22:16:31]
<Yunohost Git/Infra notifications> [yunohost] orhtej2 opened [pull request #2009](https://github.com/YunoHost/yunohost/pull/2009): Fix PHP sourcing in helpers 2.1
[22:18:01]
<Yunohost Git/Infra notifications> [yunohost] orhtej2 edited review [pull request #2009](https://github.com/YunoHost/yunohost/pull/2009#pullrequestreview-2487301446): Fix PHP sourcing in helpers 2.1
[22:18:02]
<Yunohost Git/Infra notifications> [yunohost] orhtej2 commented [pull request #2009](https://github.com/YunoHost/yunohost/pull/2009#pullrequestreview-2487301446) Fix PHP sourcing in helpers 2.1: This however for some reason no longer spams console with set +x :shrug:
[22:18:58]
<Yunohost Git/Infra notifications> [yunohost] github-advanced-security[bot] [commented](https://github.com/YunoHost/yunohost/pull/2009#discussion_r1875062739) on pull request #2009 Fix PHP sourcing in helpers 2.1: ## Unused local variable
Variable helpers_version is not used.
[Show more details](https://github.com/YunoHost/yunohos...
[22:19:29]
<Yunohost Git/Infra notifications> [yunohost] orhtej2 [commented](https://github.com/YunoHost/yunohost/pull/2009#discussion_r1875063010) on pull request #2009 Fix PHP sourcing in helpers 2.1: Would you kindly stick to the code I actually modified? :P
[22:30:59]
<Salamandar> @Alekswag:matrix.org upnp also opens the port 1900, but that's completely unrelated to the upnp that opens ports on the router…
[22:38:26]
<Aleks (he/him/il/lui)> hmkay ?
[22:45:42]
<Salamandar> and tbh i think that should be removed (but i'm not entirely sure)
[22:49:30]
<Salamandar> this is only for autodetection of stuff on the network (dlna, ssdp, network share)
[22:49:53]
<Salamandar> and tbh on a server with multiple services on it, i don't even understand how this should be "multiplexed"
[22:50:03]
<Salamandar> like, only one service can listen on port 1900, so…
[22:50:08]
<Salamandar> /shrug
[22:50:27]
<Salamandar> https://lookanotherblog.com/resolve-port-1900-conflict-between-plex-and-synology/
[22:50:28]
<Salamandar> lulz
[22:57:22]
<Yunohost Git/Infra notifications> [yunohost-admin] Axolotle pushed 5 commits to sse ([57e6399a4f94...bca93eb4ec10](https://github.com/YunoHost/yunohost-admin/compare/57e6399a4f94...bca93eb4ec10))
[22:57:25]
<Yunohost Git/Infra notifications> [yunohost-admin/sse] feat(sse): handle recent_history events - axolotle
[22:57:27]
<Yunohost Git/Infra notifications> [yunohost-admin/sse] feat(sse): handle heartbeat events - axolotle
[22:57:29]
<Yunohost Git/Infra notifications> [yunohost-admin/sse] feat(sse): handle sse reconnection - axolotle
[23:20:39]
<Aleks (he/him/il/lui)> hmmm but as far as i see in the code it's not opened/forwarded via UPnP, it's only opened on the firewall ?
[23:21:50]
<Salamandar> yes yes
[23:22:53]
<Salamandar> but it's added by the same configuration
[23:25:13]
<Yunohost Git/Infra notifications> [yunohost] alexAubin pushed 1 commit to new-log-streaming-api: Typo T_T ([f01b93dd](https://github.com/YunoHost/yunohost/commit/f01b93ddcb681c9c19d3d09739e764b06ad5e130))
[23:26:35]
<Aleks (he/him/il/lui)> https://github.com/YunoHost/yunohost/commit/4e72595aaa64f1372532203ad9728d3c7c63a220
[23:26:56]
<Aleks (he/him/il/lui)> "9 years ago"
[23:27:11]
<Aleks (he/him/il/lui)> :le_scream:
[23:27:15]
<Salamandar> lulz
[23:27:17]
<Salamandar> yeah indeed, it seems like detecting the IGD UPnP device requires port 1900 open
[23:27:19]
<Salamandar> BUT
[23:27:21]
<Salamandar> now jellyfin is listening on it so i can't listen on it…
[23:27:24]
<Aleks (he/him/il/lui)> >`git rm firewall.py`
[23:29:24]
<Salamandar> > <@Salamandar:matrix.org> now jellyfin is listening on it so i can't listen on it…
no that's unrelated
[23:35:38]
<Salamandar> aaaaaah okay i got it
[23:36:05]
<Salamandar> what a nightmare
[23:36:10]
<Salamandar> the miniupnpc (and all upnp clients) listens on udp on a random port (on my tests, 57493, 55392)
[23:37:03]
<Salamandar> and then sends multicast probes on port 1900
[23:37:15]
<Salamandar> and the router replies with UDP unicast on port <the one the client is listening>
[23:37:33]
<Salamandar> So i had to `yunohost firewall allow UDP 50000:65535` before running the miniupnpc…
[23:39:15]
<Salamandar> so :
[23:39:17]
<Salamandar> ```
# yunohost firewall allow UDP 55555
# python3
>>> import miniupnpc
>>> p = miniupnpc.UPnP()
>>> p.discoverdelay = 3000
>>> p.localport = 55555
>>> p.discover()
```
that works
[23:39:21]
<Salamandar> gmbbfpfpfp
[23:39:31]
<Salamandar> dodo