| 14 Dec 2025 |
|  @n4ch723hr3r:nope.chat changed their display name from n4ch723hr3r to n4ch723hr3r (stuff in name is cringe). | 03:42:57 |
|  suua joined the room. | 13:29:56 |
| 15 Dec 2025 |
| @n4ch723hr3r:nope.chat changed their display name from n4ch723hr3r (stuff in name is cringe) to MOVED TO n4ch7@n3831.net. | 00:16:13 |
 DenKn | * these rules are a little bit strange. typicaly first via contrack established connections are allowed, and at the end of the table anything else is REJECT (do not use DROP, you do not know, which effects it has, right?). | 14:36:27 |
| 16 Dec 2025 |
|  n4ch723hr3r (putting stuff in your name is cringe) joined the room. | 05:12:39 |
| @n4ch723hr3r:nope.chat left the room. | 05:12:45 |
 Sandro 🐧 | FYI https://github.com/NixOS/nixpkgs/pull/468790 | 23:45:40 |
| 17 Dec 2025 |
|  mall0c joined the room. | 20:37:22 |
 Marcus | What's the right way to configure the nixos firewall with ipv6 so it allows internet connections from the trusted interfaces, but doesn't forward connections from the wan? Seems I can ssh straight into my lan interface from the internet if filterForward is off, but can't ssh out of my lan if it's on. | 21:43:40 |
| Marcus | hrm, I guess this is because filterforward uses externalInterface, but my ipv6 is routed through a HE tunnel rather than the wan interface. | 22:05:01 |
| Marcus | yeah, filterforward even uses config from nat, so I guess it doesn't like non-natted ipv6 well. Fixed it with a extra ruleset for the HE tunnel. | 22:15:33 |
| 18 Dec 2025 |
| n4ch723hr3r (putting stuff in your name is cringe) | i have a dns server which for a machine name returns the VPN IP. however systemd only allows interface specific DNS lookups for a TLD. so my plan was to redirect $HOST.local for example to that DNS server. however the DNS server would return NXDOMAIN since it wants $HOST ONLY.
so the question: how could i edit that DNS query. through a local dns proxy?
graphically:
client ---- $HOST.local ---> proxy ---- $HOST -----> DNS server
| 07:53:25 |
|  Acid Bong joined the room. | 07:58:50 |
 K900 | Uhh what | 08:03:52 |
| K900 | What do you even mean by "only allows lookups for a TLD" | 08:04:04 |
|  Dieselgert Baghetto joined the room. | 08:39:11 |
| n4ch723hr3r (putting stuff in your name is cringe) | you define multiple DNS servers in resolved with the option to for example only use 1.1.1.1 for .local domains | 09:39:32 |
| K900 | ...and? | 09:39:45 |
| K900 | It can be any prefix | 09:39:47 |
| K900 | Not just a TLD | 09:39:49 |
| n4ch723hr3r (putting stuff in your name is cringe) | yeah but the dns is just the hostname (which in my case are alphanumeric chars) | 09:56:48 |
| n4ch723hr3r (putting stuff in your name is cringe) | so the dns does NOT work with something like dig myhost.local @myserver. instead you have to do dig myhost @myserver | 09:57:53 |
| K900 | You should use a separate domain name (possibly under arpa.home if you don't have a public one) and then set the search domain instead | 09:58:08 |
| K900 | So the canonical names for your hosts are foo.n4ch723hr3r.home.arpa or whatever | 09:58:36 |
| n4ch723hr3r (putting stuff in your name is cringe) | yes but the nebula DNS server does not have the functionality for that | 09:58:38 |
| K900 | And your search domain is n4ch723hr3r.home.arpa | 09:58:42 |
 magic_rb | Thats a nebula bug then | 09:59:03 |
| n4ch723hr3r (putting stuff in your name is cringe) | i need a reverse proxy but for DNS | 09:59:05 |
| n4ch723hr3r (putting stuff in your name is cringe) | its experimental | 09:59:11 |
| magic_rb | You need to put your local dns under a tld | 09:59:18 |
