Goofed Home

Internet Protocol is the protocol underlying all Internet communications, what lets a packet of information get from one computer on the Internet to another.

Since the beginning of the Internet, Internet Protocol has permitted Computer A to send a packet of information to Computer B, regardless of whether Computer B wants that packet or not. Once Computer B receives the packet, it can decide to discard it or not.

The problem is that Computer B also only has so much bandwidth available to it, and if someone can acquire control over sufficient computers that can act as Computer A, then they can overwhelm Computer B’s bandwidth by having all of these computers send packets of data to Computer B; this is a distributed denial-of-service (DDoS) attack.

Any software running on a computer — a game, pretty much any sort of malware, whatever — normally has enough permission to send information to Computer B. In general, it hasn’t been terribly hard for people to acquire enough computers to perform such a DDoS attack.

There have been, in the past, various routes to try to mitigate this. If Computer B was on a home network or on a business’s local network, then they could ask their Internet service provider to stop sending traffic from a given address to them. This wasn’t ideal in that even some small Internet service providers could be overwhelmed, and trying to filter out good traffic from bad wasn’t necessarily a trivial task, especially for an ISP that didn’t really specialize in this sort of thing.

As far as I can tell, the current norm in 2026 for dealing with DDoSes is basically “use CloudFlare”.

CloudFlare is a large American Content Delivery Network (CDN) company — that is, it has servers in locations around the world that keep identical copies of data, and when a user of a website requests, say, an image for some website using the CDN, instead of the image being returned from a given single fixed server somewhere in the world, they use several tricks to arrange for that content to be provided from a server they control near the user. This sort of thing has generally helped to keep load on international datalinks low (e.g. a user in Australia doesn’t need to touch the submarine cables out of Australia if an Australian CloudFlare server already has the image on a website that they want to see) and to keep them more-responsive for users.

However, CDNs also have a certain level of privacy implications. Large ones can monitor a lot of Internet traffic, see traffic from a user spanning many websites, as so much traffic is routed through them. The original idea behind the Internet was that it would work by having many small organizations that talked to each other in a distributed fashion, rather than having one large company basically monitor and address traffic issues Internet-wide.

A CDN is also a position to cut off traffic from an abusive user relatively-close to the source. A request is routed to its server (relatively near the flooding machine), and so a CDN can choose to simply not forward it. CloudFlare has decided to specialize in this DDoS resistance service, and has become very popular. My understanding — I have not used CloudFlare myself — is that they also have a very low barrier to start using them, see it as a way to start small websites out and then later be a path-of-least-resistance to later provide commercial services to them.

Now, I have no technical issue with CloudFlare, and as far as I know, they’ve conducted themselves appropriately. They solve a real problem, which is not a trivial problem to solve, not as the Internet is structured in 2026.

But.

If DDoSes are a problem that pretty much everyone has to be concerned about and the answer simply becomes “use CloudFlare”, that’s routing an awful lot of Internet traffic through CloudFlare. That’s handing CloudFlare an awful lot of information about what’s happening on the Internet, and giving it a lot of leverage. Certainly the Internet’s creators did not envision the idea of there basically being an “Internet, Incorporated” that was responsible for dealing with these sort of administrative issues.

We could, theoretically, have an Internet that solves the DDoS problem without use of such centralized companies. It could be that a host on the Internet could have control over who sends it traffic to a much greater degree than it does today, have some mechanism to let Computer B say “I don’t want to get traffic from this Computer A for some period of time”, and have routers block this traffic as far back as possible.

This is not a trivial problem. For one, determining that a DDoS is underway and identifying which machines are problematic is something of a specialized task. Software would have to do that, be capable of doing that.

For another, currently there is little security at the Internet Protocol layer, where this sort of thing would need to happen. A host would need to have a way to identify itself as authoritative, responsible for the IP address in question. One doesn’t want some Computer C to blacklist traffic from Computer A to Computer B.

For another, many routers are relatively limited as computers. They are not equipped to maintain a terribly-large table of Computer A, Computer B pairs to blacklist.

However, if something like this does not happen, then my expectation is that we will continue to gradually drift down the path to having a large company controlling much of the traffic on the Internet, simply because we don’t have another great way to deal with a technical limitation inherent to Internet Protocol.

This has become somewhat-more important recently, because various parties who would like to train AIs have been running badly-written Web spiders to aggressively scrape website content for their training corpus, often trying to hide that they are a single party to avoid being blocked. This has acted in many cases as a de facto distributed denial of service attack on many websites, so we’ve had software like Anubis, whose mascot you may have seen on an increasing number of websites, be deployed, in an attempt to try to identify and block these:

https://lemmy.today/api/v3/image_proxy?url=https%3A%2F%2Fraw.githubusercontent.com%2FTecharoHQ%2Fanubis%2Frefs%2Fheads%2Fmain%2Fweb%2Fstatic%2Fimg%2Fhappy.webp

We’ve had some instances on the Threadiverse get overwhelmed and become almost unusable under load in recent months from such aggressive Web spiders trying to scrape content. A number of Threadiverse instances disabled their previously-public access and require users to get accounts to view content as a way of mitigating this. In many cases, blocking traffic at the instance is sufficient, because even though the my butt web spiders are aggressive, they aren’t sufficiently so to flood a website’s Internet connection if it simply doesn’t respond to them; something like CloudFlare or Internet Protocol-level support for mitigating DDoS attacks isn’t necessarily required. But it does bring the DDoS issue, something that has always been an issue for the Internet, back to prominent light again in a new way.

It would also solve some other problems. CloudFlare is appropriate for websites, but not all Internet activity is over HTTPS. DoS attacks have happened for a long time — IRC users with disputes (IRC traditionally exposing user IP addresses) would flood each other, for example, and it’d be nice to have a general solution to the problem that isn’t limited to HTTPS.

It could also potentially mitigate DoS attacks more-effectively than do CDNs, since it’d permit pushing a blacklist request further up the network than a CDN datacenter, up to an ISP level.

Thoughts?

1. Akamai is by a huge margin the single biggest CDN in the world, they are the 800lb gorilla. Fastly and Cloudflare aren’t minor players by any means, but their volume is not in the same league.
2. CDNs and DDOS don’t have much to do with each other. Cloudflare mitigates DDOS by scaling up network capacity and using pretty advanced pattern detection to simply soak up the traffic. Cloudflare is really, really good at scaling.

Now on that last point, there will indeed come a time when simply using the engineering technique of “making things bigger” won’t work if the attacks become sophisticated enough, but at that point networking will have fully become geopolitical tools (more than they are now).

A Layer-3 (network-layer) blacklist risks cutting off innocent CGNAT and cloud users. What you’re proposing is similar to mechanisms that already exist (e.g., access control lists at the ISP level work by asking computer B which requests it wants to reject and rejecting those that originate from computer A). However, implementing any large-scale blocking effort beyond the endpoint (i.e. telling an unrelated computer C to blackhole all requests from computer A to computer B) would be too computationally expensive for a use case as wide and as precise as “every computer on the Internet”.

Also, in your post you mentioned, “A host would need to have a way to identify itself as authoritative, responsible for the IP address in question.” This already happens in the form of BGP though it doesn’t provide cryptographic proof of ownership unless additional mechanisms are in use (RPKI/ROA).

Hi, it’s me again. I like to think that my endless questions help fuel community engagement to feel less bad :sweat_smile:

So like the title says, I’m interested in running an OPNsense router for my home network so I can do better firewall filtering for both security and privacy (ad-blocking, phoning home, etc.) purposes. I found this video by Dave’s Garage that talks about running OPNsense in Transparent Filtering Bridge mode. I also researched that it’s better to use a switch and APs for any wireless traffic rather than having the router/firewall combo do it, so any hardware suggestions there? Here’s info about my network:

• 500 Mbps download and 50 Mbps upload speeds (stick with 1 Gbps ports right?)
• My Proxmox homelab is wired connection only, so I need to use one of the switch ports for it
• We do have a door camera (I pray it’s not Ring…), so I should set up VLANs right?
  • VLAN ideas: Guests, Family/Home, IoT, Homelab specifically? (any others suggestion VLANs/segmentation???)
  • Maybe I’ll do selfhosted IoT devices in the future because of this? The homelab must grow
• My mom watches a lot of YT on our FireTV, so any guides on what IPs to block for that?

So what Mini PC should I stick with (just 2 ports for WAN & LAN is fine right)? Do I need to avoid any specific brand NICs (do Mediatek cards suck)? What 4-port switch would be good? What wireless AP is recommended? Furthermore, how do you go about running cables in your home? The coax plate that my modem is connected to is literally in the corner of my house. The Wifi is bad in some spots because of this, so we’ve thought about extenders. But if I do my homelab and have a wireless AP, I can just run an Ethernet cable from the switch to a properly placed AP (I guess I’d need PoE then…) right? My mom is afraid of tripping on wires and while I say to just run them along the baseboard, she’s doubting me.

Second Protectli. They are solid little x86 boxes with no moving parts.

Furthermore, how do you go about running cables in your home?

You watch some Youtube videos about how to do it and then you follow the instructions.

It’s going to depend a lot on the construction details of your house: * Do you have wooden framing (common in the US), masonry (common in Europe, as I understand it), or something else? * Do you have access to an attic or basement/crawlspace? * Do you need to run wires on exterior walls (which means dealing with insulation), or just interior ones?

For me (wooden frame construction, accessible attic and basement), I didn’t find it to be too difficult. Is it work? Yeah, of course. But it’s not that bad, and I recommend spending the effort because having proper wall plates wtih in-wall wires is way nicer than having stuff snaking along surfaces.

Hey everyone 👋. I just wanted to share a little personal project that grew a bit more than I initially planned.

The original idea was simply to build a game so I could play Parchis (Ludo) with my family, as it’s a classic in our household. I ended up building the whole thing entirely through “vibecoding” (AI-assisted coding) because I wanted to see how far I could push current my butt tools.

The result is a full web multiplayer game (React/Vite frontend + Node/Express/Socket.io backend with SQLite to store game data).

If anyone is curious or wants to spin it up on their local network to play with friends/family: 🔗 Repo: https://codeberg.org/baner/parchis (it has a docker-compose.yml ready to go in seconds).

⚠️ A big warning about security: As I mentioned, I completely built this relying on AI, and it was initially meant as a home project. *I am not a cybersecurity expert by any means.* While I have briefly exposed it to the internet a couple of times to play with remote relatives, my absolute recommendation is to host it ONLY on your local network (LAN) or behind a VPN (like Tailscale/Wireguard). The nature of AI-generated code means it’s probably full of vulnerabilities that I haven’t caught. Play at your own risk if you decide to open ports to the wild web! 😅

This is also my first project using a monorepo structure and publishing a Docker image for others to deploy. If you take a look and see something horrible (or something that works surprisingly well haha), all feedback is super welcome. I hope someone finds it fun for a local game night!

https://lemmy.zip/pictrs/image/f6530eaa-d644-44fa-b16a-43cc9da22f42.avifhttps://lemmy.zip/pictrs/image/c1565209-1015-4877-8c82-c2e3fae0c616.avifhttps://lemmy.zip/pictrs/image/d6dc5657-becc-4cf0-904b-ec1e14be7566.avifhttps://lemmy.zip/pictrs/image/7b9ac290-016c-4529-b6cb-cb0a8cd2c2fe.avifhttps://lemmy.zip/pictrs/image/ccf41f63-5f49-4c6a-99e2-8d23cb8bb42d.avifhttps://lemmy.zip/pictrs/image/d1072de0-036a-4358-adb9-e2bc5cbfca02.avifhttps://lemmy.zip/pictrs/image/1b09e506-5d7e-441d-8adb-bcbac4de3d61.avifhttps://lemmy.zip/pictrs/image/f28c7aee-6253-456c-a94b-7625881923d1.avif

This project seems pretty neat! I appreciate that you are upfront that it is AI-assisted (some projects don’t do that and get grilled for it), I might check it out!

Thanks, I have tried to follow best security practices on this like using JWT for authentication, sanitize all inputs for SQL injections, password hashing, etc. Still better to be cautious, project still need some fixes but not affecting the overall gameplay. Right now I am working on documentation. It can be played as a guest but creating an account allows the game to track stats about win, lost, captures, XPs and a lot more. is mobile friendly, there is an android app but is not part of the repository at this time. make sure to share back your experience if you check it out.

I run a SearXNG instance and rate limiting has never been a issue until now. so i wanted to ask what the cheapest and most privacy respecting vpn/proxys are to use.

Are you the only user of this searxng?

no

Hello!

I’ve been playing around with self-hosting for a while now and I’ve started moving over to a VPS. At home I have a PC that’s on more or less ²⁴⁄₇ with an *arr stack, jellyfin and some other services. They can only be accessed through Netbird. The services aren’t that important, the data doesn’t really need to be backed up since it’s not very important. On the VPS, however, I would like to host some more critical services, such as:

• Vaultwarden
• Immich
• Gitea
• Overleaf

I want them available ²⁴⁄₇, even if I decide to distrohop and wipe my PC at home. The problem is how to structure all this. My current idea is to run Gitea and Overleaf out in the open behind some reverse proxy without authentication (Nginx or Nginx Proxy Manager). I’d like Vaultwarden and Immich to be on the same VPS, but, I don’t want those services to be accessible to anyone but me, so I’d need some form of ACL or authentication system. I’m thinking of using Netbird for this, since I already use it on all of my devices.

So I would set up DNS records from within Netbird that would point immich.domain.tld and vaultwarden.domain.tld to the internal Netbird IP of the VPS. In the reverse proxy, I’d set up access control such that it only redirects the Netbird IP range to those services. On Cloudflare, I’d point git.domain.tld to the external IP of the VPS with proxy enabled.

Everything would receive HTTPS certificates, and I’d block incoming traffic on every port except for 80 and 443.

Is this a good setup? Any tips or recommendations? Any pitfalls?

Thanks!

@deepjoy @versionc name dropping Traefik AND Authentik in one comment? Ok, you’re talking my language. Followed.

Your split setup makes sense, but juggling Netbird DNS + reverse proxy ACLs + Cloudflare can get complex fast.

You might want to check out Syncloud — it’s a fully open source self-hosting platform that handles HTTPS, auth, and app installs (Nextcloud, Gogs, etc.) out of the box. Runs on any hardware and you don’t have to babysit configs. Could simplify the VPS side of things at least.

Hey guys, so I’ve been self hosting for 2 years, making small upgrades until I reached this point where I replaced my router with one of those Chinese fanless firewalls running Intel n150 and running a proxmox homelab.

I am self hosting headscale with many of my buddies connected, including ny own services. Everything was working great until I setup OPNsense.

The firewall was not easy to setup, but after I set it up, I discovered odd behaviors from tailscale.

The firewall was blocking all connections from the ip 100.60.0.0/24, I had to explicitly allow it and change the forewall state to hybrid

What happens is that my LXC containers running tailscale would receive requests from tailscale0 interface but respond via LAN.

Apparently as I understood, consumer routers have assymetric NAT so that works fine, but not with opnsense.

Every guide I read online talks about installing tailscale on the opnsense router directly but I do not want to expose it to the tailscale network.

For now temporarily I set an ip route to tailscale0 and resolved it that way temporarily, but I still cannot get a solution that can help without compromising the firewall.

It’s also very cumbersome to do this for 50+ LXC containers over and over, even with running systemd scripts a problem might happen in the future

If you guys have any experience with this it would help a lot.

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

[Thread #136 for this comm, first seen 6th Mar 2026, 09:50] [FAQ] [Full list] [Contact] [Source code]

I might have a solution for you by doing what I’m doing. I’m running OPNSense as my firewall as well. I have one NAT:Port Forward rule for torrents (I really am seeding linux iso torrents) and that is it. Any services I’m hosting outside the network are done using Cloudflare tunnels from either a Cloudflared instance or from the LXC itself. This method has fixed my issues with Plex outside of my network since I was able to turn off “Remote Access” and make it available to my friends/family through a “Custom server access URL” (in the network settings, looks like: https://plex.domain.url,http://192.168.1.xx:32400/). No messy NAT rules to complicate things.

I am also using tailscale, but I don’t terminate it on my firewall. I terminate Tailscale on another host inside my network, you could probably use an LXC container. It’s a Debian system with Tailscale installed, routing enabled (https://tailscale.com/docs/features/subnet-routers), and set up as an exit node and subnet router. On OPNSense, I set up a Gateway on the LAN interface pointing to my Debian Tailscale router node. Then I pointed the remote networks of my family to the Tailscale router using the routes in OPNSense. Fortunately, for me (and because I set them up), they are all different networks.

The benefit to this method is also that when remotely reaching my services, the traffic looks to the services on my network as if they are coming from the Tailscale router and so return there instead of trying to go out my firewall. Tailscale maintains the tunnel through the firewall so it really isn’t a participant in the tailnet. The only issue I’ve really had had been DNS with the Tailscale Magic DNS wanted to respond instead on my internal DNS servers. I’ve got MagicDNS disabled. but it always messed stuff up. The way I fixed it was to put tailscale on my Adguard container and make it’s tailscale IP the first DNS server, followed by the internal IP addresses of my DNS servers (192. addresses). This has worked for me pretty well.

Please let me know if you want any follow up info. I’ve been doing this for a long time. It’s my main hobby (and directly congruent to my job).

I am interested in self hosting a Personal Health Record (PHR) system. I don’t need my own EMR/EHR, I just want to be able to pull down my own data, host it, and navigate it.

For example, I’d like to be able to pull down my vitals/labs from my provider and look at trends over time. I’d like to be able to pull down my prescriptions to see when I went on/off different medications. I’d like to pull down doctor’s notes, so I can see when I first started complaining about poor sleep, to see if it correlates to any of my medications or some other health change.

I have tried Mere Medical, and it was able to pull down my information from my provider (who uses Cerner), but the functionality is quite lacking. You basically get a timeline view, but nothing to really organize or search through notes (they are mostly just linked documents), or anyway to pull down lab results and see trends.

FastenHealth has also come up in my search, but it seems the onprem is a very stripped down, limited version of their paid product.

Is anyone familiar with anything like this? Ideally, it’s be combined with a fitness tracker to pull my health data from my phone/wearables too.

Sure. But I’d also not host it publicly on the Internet, just on my local lan!

Mere was interesting, but it runs entirely offline in a browser (which is pretty cool). But, this means all data lives in your browser’s localStorage (or indexdb), which would make it hard to sync between devices.

A lot of people simply don’t have time to go the extra steps.

Instead you should be focused on secure by default design. E.g. not setting a static router password to admin admin.

It’s stupid in this day and age to continue to see default logins occur still.

simply don’t have time

Sorry, but that is no reason. That’s a bit akin to having a dog and saying: “Nah I don’t have time to walk the dog now”. Selfhosting something that is publicly available (not as in “everyone can use it” but “everyone can access it”) bears some level of responsibility. You either make the time to properly set up and maintain it, or you shouldn’t selfhost stuff.

Statistics for Strava is a self-hosted, open-source dashboard for your Strava data.

Features and improvements worth mentioning since we lasted posted here:

• Dark mode
• Added a timeline view of your key achievements and milestones over time.
• Added statistics for recording devices, giving you more insight into which devices you use for your activities
• You can now view Eddington metrics in both metric and imperial units, regardless of your default unit system
• Use compression algorithms to store data. This results in a 70% drop in used storage space
• A lot of bug fixes and quality of life improvements

As always, thanks for your feedback and I’m looking forward to more feature requests! Stay fit, stay healthy 💪

• Example: https://statistics-for-strava.robiningelbrecht.be/dashboard
• GitHub: https://github.com/robiningelbrecht/strava-statistics
• Docs: https://statistics-for-strava-docs.robiningelbrecht.be/#/--

You may want to look at the supported devices on this project. It’s an app to get data to/from wearables.

Two of the supported devices are bangle.js and bangle.js 2. These are open source smart watches with GNSS and HR, which have different apps available already that I believe can record data without your phone connected, and then sync later, either to your phone or computer (not sure on that one). And you can develop your own apps too of course.

I don’t really know much more than that. I do want to get back into exercising regularly, and would like to track my progress, so I may get one myself at some point.

I’ve already looked into gadgetbridge, but all supported devices unfortunately have fairly limited functionality. I get that it’s the premise with the reverse engineering they do to make things almost work.

The bangle.js models are a fucking ugly apple watch clone, I’d never wear that thing. And I’m not looking to get an actual smartwatch, I have no need for any of that clutter or a desire to charge my watch daily or every other day.

I’ve used a coros pace 2 for a long time, definitely not private but very limited smartwatch bullshit and >week of battery with +1h of daily GPS tracked running. Not supported by gadgetbridge though.

Continuwuity - a self-hostable Matrix Homeserver - just got a new release.

Sorry, but I find it immature of you to judge a book by its cover.

Fully within your right.