| 2 Dec 2025 |
 Sandro 🐧 | first as in the one with highest default route, as first doesn't make much sense otherwise | 14:47:25 |
 K900 | Do you control the route metrics? | 14:48:56 |
| K900 | You can just push the correct metric over DHCP | 14:49:22 |
| K900 | If you control the DHCP | 14:49:30 |
| K900 | (you probably should do that anyway) | 14:49:41 |
| 4 Dec 2025 |
|  Ido Samuelson joined the room. | 01:46:10 |
|  isabel changed their profile picture. | 16:41:36 |
|  Tanja (she/her) - ☎️ 4201 changed their display name from Tanja (she/her) to Tanja (she/her) - ☎️ 4201. | 18:10:30 |
| 6 Dec 2025 |
|  P J joined the room. | 07:45:51 |
| 8 Dec 2025 |
|  okamis joined the room. | 14:22:46 |
| okamis | Im using runnixostest interactive as a playground environment. I would like it to be a bit similar as non-interactive, so I would like ssh access but not access to the internet, whats a good way to achieve that? Currently im running "ip route del default" in the testscript. | 14:24:11 |
| K900 | Could just firewall all outgoing connections | 14:24:36 |
| okamis | I had a rule drop all outgoing, and it screwed up kubectl connecting to k3s using localhost:8080, | 14:26:38 |
| K900 | Well that depends on how you implemented it | 14:27:32 |
| okamis | iptables -t filter -I FORWARD 1 -m state --state NEW -j DROP | 14:29:10 |
| K900 | Yeah that's not all outgoing connections | 14:29:28 |
| okamis | oh sorry should be OUTGOING instead of forward | 14:29:28 |
| K900 | That is also a bad idea | 14:29:35 |
| K900 | You want to match on interface | 14:29:40 |
| K900 | Or explicitly exclude loopback I guess | 14:29:45 |
| okamis | is this reasonable?
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -o eth0 -m conntrack --ctstate NEW -j DROP
| 15:21:45 |
| K900 | Probably | 15:22:48 |
| K900 | I don't remember iptables well enough | 15:22:54 |
| 9 Dec 2025 |
|  adamcstephens changed their profile picture. | 17:25:09 |
| adamcstephens changed their profile picture. | 17:48:29 |
| 10 Dec 2025 |
|  Theodora changed their display name from Theodora The Absurdist Schizotisticoball to Theodora. | 12:17:46 |
| adamcstephens changed their profile picture. | 14:49:51 |
 DenKn | these rules are a little bit strange. typicaly first via contrack established connections are allowed, and at the end of the table anything else is REJECT (do not use DROP, you not know, which effects it has, right?). | 21:56:03 |
| DenKn | So, first use simple rules with ACCEPT, and at the end REJECT anything, which was not accepted. | 21:56:44 |
| DenKn | If you do not used firewalls, yet, use nftables instead of iptables. iptables is not dead, but nftables ist better. | 21:58:23 |
