Georg Schölly's questions

Wireguard works even without setting a tunnel IP address, i.e. it's enough to set the AllowedIPs, endpoint addresses, private and public keys.

In the docs of OpnSense, there is the following warning:

Note: The tunnel address must be in CIDR notation and must be a unique IP and subnet for your network. [..] Do not use a tunnel address that is a /32 (IPv4) or a /128 (IPv6)

and pfSense has a likely explanation:

pfSense docs:

Note: Routes are not automatically created in the system routing table. Routes for networks other than the tunnel network itself must be configured separately using static or dynamic routes.

Searching on the internet does not yield many explanations:

• Reddit: Confusion about subnet masks
• Reddit: Help on /24 and /32 when using as a VPN Server
• Reddit: differences between /8, /16 etc... What they are used for?

The subnet does not seem to have any functionality, we did some testing:

• It's not related to local traffic routing, i.e. routing to a second connected peer works with and without a subnet which contains both peers.
• it's not related to "staying on the interface" vs passing through the kernel. In both cases we could control the traffic using firewall rules.

So, what is the purpose of the subnet mask in the tunnel ip?

Given the following network:

                     +-- endpoint 1
                     |
internet -- server --+-- endpoint 2
                     |
                     +-- endpoint 3

where the endpoints are on subnet 192.168.1.0/24 and they route their traffic through the server.

For this, we require a NAT rule on the server for the interface connected to the internet:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE 

Two questions:

1. Packets originating on the server itself are also matched by this rule. They already have the correct source IP. What happens with them? (Experimentation shows it works.)
2. I always considered the question to add MASQUERADE or not to be a property of the interface (because the connected network can either handle multiple source IPs or it needs a NAT). Is this a good mental model?

Given the following network diagram:

                  internet
                     |
                     |
            +--------+--------+
            |                 |
   dmz2 ----+                 +---- lan
            |                 |
            +--------+--------+
                     |
                     |
                    dmz1

internet: 0.0.0.0/0
dmz1:     192.168.10.0/24
dmz2:     192.168.20.0/24
lan:      192.168.30.0/24

I would like to add a rule to allow traffic from all interfaces to the internet. LAN should additionally be able to access DMZ1 and DMZ2. I can of course use something like:

dmz1:
ACCEPT dst != 192.168.0.0/16

dmz2:
ACCEPT dst != 192.168.0.0/16

lan:
ACCEPT always

However, in case we add later a third dmz in 10.0.0.0/8 the rules break. Is there a way to add a robust rule that matches on the internet interface?

I recently learned that IPv6 sockets can also listen on IPv4 ports if /proc/sys/net/ipv6/bindv6only is enabled.

So far I have been using netstat and ss to check what sockets are listening. Since I am often only interested in IPv4 sockets, I used to use to the following command:

$ sudo ss -tulpn4

but this misses all inet6 sockets listening which also accept IPv4 peers.

Is there a convenient tool that quickly shows all sockets listening on IPv4 ports?

We cannot create more than 65000 sub-directories on a ext4 file systems and one suspicion we have is that the directory was created with an older version of ext4 or a different feature set.

I know how to find some basic information:

> stat .
  File: ‘.’
  Size: 4096            Blocks: 8          IO Block: 4096   directory
Device: 801h/2049d      Inode: 2           Links: 24
Access: (0755/drwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2017-12-04 09:41:00.892098776 +0000
Modify: 2017-12-04 09:58:37.576216794 +0000
Change: 2017-12-04 09:58:37.576216794 +0000
 Birth: -

I'm interested in the more detailed ext4 flags, e.g. if the directory is linear or hash-based.

How can we view the settings of the inode, e.g. the flags?

Is it possible to extract the TLS session keys from Lighttpd so we are able to decrypt traffic captured by tcpdump?

Alternatively, we could disable PFS but we prefer not to do that.