Intro Recently I made a mistake in my firewall rules and locked myself out from having management access to my Proxmox cluster. What’s worse is that I could not get into the nodes via SSH because that was blocked as well. This meant I had no easy way to disable these rules, and unfortunately Proxmox lives in a data center very far away from me. This is where SSH tunneling came in handy for me! ...

Intro In my homelab I’ve been tediously managing firewall rules using ufw, iptables, and fail2ban. While this works well, I believe it’s overly complicated for my setup. This led me down the rabbit hole of how to implement firewall rules in Proxmox. Proxmox’s firewall is extremely competent, but it can be tricky as well. One thing I learned about Proxmox is that you need to make sure the firewall is enabled in multiple places. You have several layers of firewalling, one for the hosts, one for the VMs, and one for services running in VNETs. These firewall rules are backed by either iptables or the more modern nftables in the case of VNETs. ...

Focus Today I focused on DLR guard, more specifically some of the moves I saw in Jason Rau’s instructional What Worked I like the no-gi grip from DLR, it helps a lot especially when I can’t get upper body controls The foot stomp on the ground to get to the back while in DLR is nice, it makes it easy to dump people Jason Rau’s baby bolo variation where you pinch your top knee in, then use your bottom foot to hook and make space to bring your top leg in for hooks is a nice touch Your browser does not support the video tag. What Failed People are able to flatten their back and shrimp away Against bigger people it’s hard to even play DLR, I’ll need to learn k-guard Key Lessons No-gi style DLR works really well in the Gi Taking the back is not as hard as I thought, I just need to off balance my parter and have the right grips Next Session Plan Keep focusing on DLR back takes, the far leg grab and inversion is still loose Look into k-guard Ref https://bjjfanatics.com/products/modern-no-gi-de-la-riva-by-jason-rau

Abstract Dedicated to ZFS administration. Zpool Administration Basic Commands zpool list zpool list <name> zpool list -v zroot zpool status -x Creating Pools and VDEVs Make sure ashift is 4k, vfs.zfs.min_auto_ashift=12 Select disks (da1, da2, da3) ls -al /dev/ | grep da crw-r----- 1 root operator 0x5a Nov 14 02:51 da0 crw-r----- 1 root operator 0x5b Nov 14 02:51 da0p1 crw-r----- 1 root operator 0x5c Nov 14 02:51 da0p2 crw-r----- 1 root operator 0x5d Nov 14 02:51 da0p3 crw-r----- 1 root operator 0x6a Nov 15 18:46 da1 crw-r----- 1 root operator 0x6d Nov 15 18:46 da2 crw-r----- 1 root operator 0x70 Nov 15 18:46 da3 We can create a disk, provide it 1gb of swap, and label it. The labels should correspond to device serial numbers and location in production so it’s easy to swap out. GB swap partition and a large ZFS partition, created with gpart(8). gpart create -s gpt da1 gpart add -a 1m -s1g -l sw1 -t freebsd-swap da1 gpart add -a 1m -l zfs1 -t freebsd-zfs da1 gpart create -s gpt da2 gpart add -a 1m -s1g -l sw2 -t freebsd-swap da2 gpart add -a 1m -l zfs2 -t freebsd-zfs da2 gpart create -s gpt da3 gpart add -a 1m -s1g -l sw3 -t freebsd-swap da3 gpart add -a 1m -l zfs3 -t freebsd-zfs da3 gpart create -s gpt da4 gpart add -a 1m -s1g -l sw4 -t freebsd-swap da4 gpart add -a 1m -l zfs4 -t freebsd-zfs da4 gpart create -s gpt da5 gpart add -a 1m -s1g -l sw5 -t freebsd-swap da5 gpart add -a 1m -l zfs5 -t freebsd-zfs da5 gpart show -l <device> glabel status zpool create <pool-name> /dev/label/zfs1 /dev/label/zfs2 /dev/label/zfs3 Fix Degraded Pool Here we see the state is DEGRADED ...

Intro Hey Everybody, Happy New Year! This is my first post of 2026, and I’m excited to share how I currently manage DNS. If you’re like me, then nothing is worse than needing to do things manually. Especially the tedious task of clicking my way through Cloudflare’s portal and updating DNS by hand. Luckily, I found a better way to manage it with Terraform, Cloudflare, and GitHub Actions. Why Cloudflare? Why did I pick Cloudflare in the first place? ...

Hello everyone! Today I wanted to discuss how I’m keeping track of Fail2ban logs on my Proxmox cluster. For those of you who don’t know what Fail2ban is, it is a simple program that can automatically ban threats via iptables by parsing log files and scanning for regex patterns. Here is a sample file that can be parsed: [Definition] failregex = pvedaemon\[.*authentication failure; rhost=<HOST> user=.* msg=.* ignoreregex = And here is the the jail configuration: ...

Hi everyone, If you’re like me, there are tons of technologies that you work with on a day-to-day basis, but never have the opportunity to touch. In my day-to-day role, for example, I work heavily with networking and even with BGP. But rarely do I have the chance to do anything BGP-related as it pertains to the internet. It’s quite the dilemma! How is one supposed to get the experience of operating large-scale networks, if only very few people have the opportunity to work on them? Let alone set them up from scratch! ...

Hey Everyone! I wanted to share a small (pun intended) improvement to my personal security hygiene. That small improvement is called a YubiKey! For those unaware, a YubiKey is a hardware-based MFA device. It supports an MFA standard known as FIDO2, which is much more secure than TOTP. I’ve begun implementing this across various applications including my personal email, DNS provider, and even 1Password. The main draw for me is that if any of your authenticator apps are compromised, you are still susceptible to a hack. ...

What are your favorite password managers? I used to use LastPass, and while it worked fine for me, I eventually switched to 1Password and haven’t looked back. What I really like about 1Password is the extra layers of authentication. You either need a secret key or another authenticated device to approve your login. Plus, you can stack that with MFA for even more security. Last I checked, LastPass doesn’t have a secret key, just MFA. ...

Hi Folks, I’ve finally made the transition to using IPv6 at home! It’s been a long time coming, and while it took a few weeks to get everything working, I’m excited for this new chapter. I requested a /56 from Verizon, and at first, it didn’t seem to work. But after not checking for a while, I noticed some of my VLANs had started handing out IPv6 addresses! ...