Real talk: The Muppet Christmas Carol is the best film version of A Christmas Carol, hands down.

Russia has spent the last 500 years bouncing around between malevolent autocrats. Hell, Kruschev was one of the more “sane” heads of state for which he was rewarded by being forced into “retirement.”

The only way there will be a regime change is if the current regime is burned to the ground and then there’s no guarantee that what comes next will be better. I’m not even sure what will happen when Putin finally kicks the bucket which will likely open a massive power vacuum.

There’s a need for change but it would be naive to think that the path to it would be painless. It won’t.

In the words of a former Fox News talking head, “Fuck it! We’ll do it live!”.

“It is difficult to get a man to understand something when his salary depends on his not understanding it.”

Encryption and Decryption can be resource intensive processes. Most firewalls typically have a lower throughout for VPN connections than they do for just straight routing because of the extra processing power required for VPN. Based on what little I’ve read, it seems like CPU’s with AES-NI are capable of handling the encryption process more efficiently which probably reduces system load and allows for more throughput.

This only helps in situations where your firewall is either serving or connecting to a VPN. It won’t make any difference if your connecting to a work VPN form your computer. Even if you are hosting a VPN connection from your firewall, AES-NI is probably overkill unless you’re planning to connect a bunch of clients to it at the same time or plan to do something like file transfers at Gigabit speeds.

“People are saying.”

Somewhere in the Kremlin there’s got to be at least one person who goes home at night and thinks to themselves, “WTF kind of Mickey Mouse operation have I dedicated my life’s work to? Is this really my legacy? Are they going to tell my grandchildren, ‘Dedushka served his country by drafting many menacing yet ultimately hollow threats while the world collectively rolled their eyes.’?”

Errrrr… It’s a little known fact that the, uh, first NPC’s were invented by the Romans. Ya see, in the days of the gladiators, they would, uh, place random people in the colluseum to yell random stuff at the gladiators while they were fighting for their lives. The NPC wasn’t technically part of the match and you weren’t allowed to kill them, even if you really wanted to.

My local grocery chain is a lot better quality than Walmart in some respects. But, the price tag is usually much steeper. Thank God for Aldi’s.
I like to support the little guy when possible but when it makes your monthly grocery bill $1,200 instead of $900, that’s a tough pill to swallow. That $300 wouldn’t necessarily break the bank for me but it’s a lot of money to a lot of people.

This is also a big reason that many Americans have poor nutrition. Processed junk food is cheaper than healthy food. Presenting better lifestyle or diet “choices” is an illusion when you have to have money to make those choices.

So you could say the Australian government Arthur Andersoned the report.

Indeed they are not. LibreOffice docs claim VBA support is “mostly complete”. Apparently that’s a relative term because in my experience, VBA macros in Calc barely work at all.

LibreOffice Calc is great but in the spreadsheet world, Excel is still the gold standard. One of the reasons I’m still paying for a Office 365 subscription. That and a handful of custom integrations I have with Exchange that I don’t currently have time to find alternatives for.

Maintaining an empire is hard work. You gotta pick a random little country to kick the shit out of once in a while or else the other little countries start getting ideas. /s

Cheapskate subdivision builders commonly build on concrete slabs anymore with no way to access plumbing.

You’re probably better off blocking it at the firewall level. It would be more thorough but also more effort. In my experience, most devices/apps that use DoH call a domain name rather than an IP. If you block the domain in piHole, the app cant resolve the DoH server IP and therefore won’t be able to use DoH.

NAT TLDR

Your router is, at it’s core, a very advanced traffic cop and NAT – Network Address Translation – is it’s primary function. You have multiple devices on your local network (LAN) that need to communicate with other non-local servers via the WAN (i.e. the internet). Now you have a problem. Your ISP assigns you (usually) a single IP address on their network which is on a different subnet than your LAN. Devices on your local network and devices on the WAN are not aware of one another and cannot communicate with each other directly. So, requests have to be routed to the correct destination via your router.

SRC-NAT

Let’s say you’re trying to pull up a website on your computer. Your computer sends the request to the router. Your router alters the IP packet headers so that the request source address, and therefore the address that the server responds to, is your WAN IP instead of the requesting devices LAN IP. Your router then forwards the packet to the destination server, tracks the connection, and forwards the response back to your computer.

DST-NAT

Let’s say you’re hosting a web service on your home server that you want to make available publicly. You would set up a dst-nat (often called port forwarding) rule in your router/firewall which will tell your router to redirect any requests received at the WAN IP on port 80 or 443 to your home server’s IP address. Unlike SRC-NAT, your router doesn’t replace the source IP address. Just the destination. Your server knows that the requesting device is not on your LAN subnet and will forward the response back to the gateway (your router) which is already tracking the connection and will forward the response back to the requesting device via the WAN.

Routing DNS with DST-NAT

Since DST-NAT is just changing the destination IP address and routing the packet to the new destination, this can be done internally in some situations as well. To redirect DNS requests, you would set up a rule in your router/firewall to grab outbound UDP packets that originated from the LAN, do not originate from your internal dns server, and have a destination of port 53 and redirect/dst-nat them to the IP address of your choice. The new destination can be an internal or external IP address and the requesting device won’t know the request was redirected. OpenWRT’s documentation actually has a section that deals with DNS redirection which you can find here. The DNS redirection part is near the bottom of the page.

Some days I miss my old LG Plasma. Sold the house and left it bolted to the wall. 1080P, deep blacks, crisp colors, and zero “smart” features.

It put off enough heat to warm up the living room but that was only a “bug” in the summer months. Simpler times.

That’s correct. I block DoT in my firewall and block known DoH domains in piHole. I’m sure stuff slips through occasionally but the vast majority of my DNS requests are handled by piHole.

Traditional DNS over UDP/53 is insecure but I’m using ProtonVPN’s DNS server over VPN externally so I’m not worried about that.

I have a firewall rule to dst-nat any outgoing DNS requests not coming from piHole back to the piHole server. That way all devices on the LAN are forced to use piHole for DNS and can’t bypass it. I don’t have an OPNSense firewall but I would think it should be able to do that as well.

Canadians are like Minnesotan’s with better healthcare and the metric system.