this post was submitted on 25 Feb 2024
368 points (97.2% liked)

Selfhosted

39964 readers
317 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
 

Another successful OpenBSD setup

I've been buying these little boxes from AliExpress for years to use as firewalls and routers. My oldest one is almost 9 years old now! OpenBSD installs just fine. Just a BIOS tweak to always boot up after power is restored.

@selfhosted #selfhosting #selfhosted #openbsd #runbsd

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 15 points 8 months ago (5 children)

Do any of those cheap Chinese computers ever get any firmware or bios updates?

[–] [email protected] 31 points 8 months ago (1 children)

No and they don't provide the source either. Makes you wonder what's running in there.

[–] [email protected] 21 points 8 months ago (1 children)

While i agree, no one provides full source blobs for firmware and bios that i am aware of. Please correct me if I am wrong, however.

[–] [email protected] 3 points 8 months ago (2 children)
[–] [email protected] 11 points 8 months ago* (last edited 8 months ago)

Open source bios yes, but you still have close source firmware blobs for amd/intel used on those systems. The only way to do this is to make 100% of the hardware.

Also please note, I am using coreboot already on my pcengines router.

[–] [email protected] 1 points 8 months ago* (last edited 8 months ago)

Few computers use CoreBoot, and CoreBoot still uses proprietary blobs typically. Normally only libreboot has zero blobs, and they are very rare indeed.

[–] [email protected] 14 points 8 months ago

I'd be surprised if it wasn't just based off the UEFI sdk examples containing 30+ CVEs over the last couple of years. If anything, it won't get patched for logofail and all the others UEFI exploits we'll definitely see in the coming years.

[–] [email protected] 7 points 8 months ago* (last edited 8 months ago) (1 children)

I was wondering... that tp-link probably negates anything remotely resembling security on its own. But yeah, you can update some of these noname boxes easily, others, not so much.

I have dealt with (in a professional capacity) Chinese manufacturers that are under the impression they do not have to provide a working build tree for the kernel, let alone firmware, so its a gamble if you're not talking to a major Chinese name brand. Mind you, I was ordering hundreds of those boxes, so there was some leverage.

[–] [email protected] 15 points 8 months ago* (last edited 8 months ago) (2 children)

That TP-link is a dumb switch. Unless you're telling me that someone is going to find an opening in the firmware and hack their way into the ARP table or something (in which case the threat model here just became state actors and I don't think the OP is safe with this equipment), I don't think it affects much, if anything.

Now, if I'm mistaken and that is actually a managed switch; god help them with network security.

[–] [email protected] 8 points 8 months ago* (last edited 8 months ago) (1 children)

It is a managed switch. What’s wrong with TP-Link managed switches?

I have a basic Netgear managed switch for VLANs.

[–] [email protected] 0 points 8 months ago (1 children)

The problem is that their Web interface and firmware in general are not updated (at all). I think it's even possible for script kiddies to hack into such managed switches, which forms the reasoning behind my comment.

Does your switch produce its Web interface over TLS?

[–] [email protected] 3 points 8 months ago* (last edited 8 months ago) (1 children)

Doesn’t look like it but if I set up VLANs unless an user is on the correct VLAN they can’t access the web interface. And the only way for them to get access is to get physical access and plug a device into the correct port.

[–] [email protected] 0 points 8 months ago (1 children)

VLAN hopping can be done on outdated firmware if one is somewhat determined, AFAIK

[–] [email protected] 1 points 8 months ago (1 children)

From the switch? I thought the routing was done at the router level?

[–] [email protected] 0 points 8 months ago (1 children)

If the switch is managed (I'm assuming it supports L3 functions which means inter-VLAN routing), then it's possible to hop VLANs on the switch.

[–] [email protected] 1 points 8 months ago

My Netgear switch doesn’t support Level 3 routing. It only supports basic VLAN functions.

[–] [email protected] 6 points 8 months ago (2 children)

They do make managed switches, but just to be completely clear, my comment was mostly hyperbole. I just found the general combination of security - mindedness and cheap Chinese hardware curious / amusing.

[–] [email protected] 3 points 8 months ago

I did realise that, and apologies for my tone earlier.

With that said, this seems to be a slight bias - unless the PCB has some nefarious spy-chip built inside, hardware is hardware, regardless of where it comes from.

[–] [email protected] 2 points 8 months ago

I just found the general combination of security - mindedness and cheap Chinese hardware curious / amusing.

I think it can make sense, since there are so often vulnerabilities in consumer router firmware, and because those devices are so common the vulnerabilities are profitable to exploit. Running a BSD-based router on a cheap Chinese PC is likely to be better security for the router's OS and software itself, even if you don't know for sure about the firmware on the board (which you don't with consumer routers either, really). Overall you could still have reduced your attack surface compared to a popular consumer router.

[–] [email protected] 7 points 8 months ago (1 children)

None that I know of :(
But @benjja tells me that on some of these you can install coreboot: https://ohnepunktundkomma.org/@benjja/111991771619601081

Something I’m keen to look into.

@cmnybo @selfhosted

[–] [email protected] 3 points 8 months ago

@otl @cmnybo @selfhosted

Protectli ported coreboot for their hardware, and with a little research you can find this hardware on aliexpress, of course under a different name.

[–] [email protected] 3 points 8 months ago

Does any board ever get firmware updates? I don't understand your logic.