
Author Archives: Andreas
nobody wants to…
“key light”
until one week ago, I did not know what a “key light” is – heard it from some streamers while researching how to improve my online presence (as I aim to work from home for as long as possible)
according to our friends at Wikipedia, a key light is part of the classic “three-point-lighting” that is used in studios and for photographers.

so.. while I am totally not familiar with the desired effects (higher or lower than eye line, etc.. etc..) I am very pleased with the results, especially when having a window (sunlight) pouring on from one side.. it nicely sets off the angles and shadows and creates more “depth”
Also, thanks to our friends at Rollei I don’t have to shell out 200 for a cheap elgato light (what all the streamers seem to use) but can get this for 35 <3


now we are talking. (note: powering it from USB port on my laptop made the light flicker a bit.. so I dedicated an old samsung charger (2A output) to it. no more flickering)
not going to start streaming anytime (ever) but this is good for video meetings. It adds depth and presence. (poor doggo did not like the lightshow and fled the scene halfway)
Bonus points for a webcam with a shallow FoV – wide aperture / manual focus.
Razer Kiyo Pro Ultra comes to mind. that adds even more “pop” (or “object separation”)
in photography you would use
a) a lightbox
b) a reflector
c) an illuminated background or a filling light.

fitting / blending in
so many years ago I thought I had finally found my crowd – I was mistaken. They accepted me, but I was never a part of it. Why? I have never found out… I probably did not commit enough (well, that’s what I thought) – this repeated itself over and over again over the years.
Many years later, I am now sporting a proper aversion to any kind of group affiliation, immediately trying to blend in vs. being afraid to commit
Why do I always want to “belong” somewhere? Why can I not just accept that I am – me?
And not “part of something” or “piece of something else”. Seriously I hate being part of the human race at this moment. Just leave me alone, whoever you are. I don’t like you. I am not your friend. Please go away.
that’s a mood, I guess
design language
Seriously.. I have ranted to so many people about how ugly SUVs and crossover cars are… and yet.. everyone seems to join me in this but most people then just buy them anyway.. conveniently?
And the market/manufacturers then say “the market demands more SUVs” > repeat this cycle.
In 1974 italdesign came up with this concept that would become famous as the “hyundai pony coupe”

so.. while the pony never looked like this, it definitely inspired others. Some Lamborghini, the Alfa GTV, the VW Scirocco and most notably the DMC DeLorean
Now.. fast forward to 2022 – there are rumours that DeLorean are trying to reboot the brand (going all-electric) – and.. I can’t even imagine what moved those people but this is.. just another car.. also: it’s not the design language – the only thing that resembles the 1974 vibe are the gullwing doors :/

Am I subject to nostalgia? It’s not about the fucking doors.. it’s about design language. And being consistent with it. Who will buy this thing for 250K when there is Ferrari, Lamborghini, Porsche, etc.. etc.. out there being far more established and looking just as great?
look at Hyundai and their hydrogen “rolling lab” called “N Vision 74” where they (successfully) demonstrate how to speak the same language while still being innovative.
If there is a worthy successor of the DeLorean, it would be this one.
Also, while Hyundai have their own design language (and I admit I find it fugly), they stick to it – so kudos to them for understanding what “design” means.

People like you
People like you… I think it’s totally OK to have fun in the park – so do I
people like you get the trash off of the party and take it away – so do I
but then taking it away is difficult so you just leave it close to some other trash for example a little trashcan

The birds will take care of the rest and make a big mess
People like you are probably defending slavery, because having someone else to clean up after you and making it “not your problem” is always preferable
I hate you
fuck you
dating 2022
pfsense+pi-hole setup
I have used pi-hole for a while and love its amazing “just works” factor, but I missed some real DHCP features and some proper packet filtering / blocking features that only a proper firewall can do, so here goes:
I want to use pfsense as my router/firewall but keep using pi-hole as DNS resolver – the adblocking of pfblockNG is just not the same finesse as pi-hole.
Assumption here: Static IP for LAN interfaces of firewall and the pi-hole
pfsense

standard install, LAN and WAN, source NAT/PAT – so far so good. So the Firewall advertises itself as DNS via DHCP and gets fed by upstream DNS. let’s fix that.

next step would be to disable the DNS resolver inside the firewall but I kinda use it for registering reverse DNS records for DHCP leases.. which the pi-hole then queries (more about that later) – so let’s leave it on and just add this (Services > DNS resolver)
(Caution: Apparently this breaks things when operating the firewall in python mode.)

Now we have a setup, we just need to tell our DHCP server to not announce itself but the pi-hole as DNS resolver. This is done here (Services > DHCP server)

Default is to advertise its own LAN interface.. so let’s change that. Why 2 IP addresses? I found out that some (all?) Android mobile phones add 8.8.8.8 (google) if you only advertise one single DNS resolver. so that’s that. But more on Google later.
Pi-Hole

pi-hole is surprisingly easy to use and set up, it works out of the box. All there is to do is to change/set up the upstream DNS servers and the reverse DNS lookup for LAN IPs.


that will take care of one thing: in the “query log” window, you will not see the IP addresses of the clients but the hostnames from DHCP – see previous chapter ^ ^

This is where the nice things stop. Till now we have been friendly and allowed our friends at Google and Cloudflare and whatnot to gather our data and sure.. with emerging technologies like DNS over TLS, DNS over HTTPS, QUIC and what not.. it is important to ask yourself a few questions:
- what do I want to achieve here?
- why am I doing this?
- do I just want ads blocked or browse securely / not give away my data to X to do Y
here is my take on this: Block as many ads as possible while still allowing privacy to exist. DNS over HTTPS allows Firefox to bypass censorship and control by a totalitarian regime.
But also Google Chrome can use UDP to port 443 and tunnel DNS through, bypassing my DNS server and the entire thing was for nothing. (Remember: Google is not your friend, they harvest your data (LOTS of it) for profit. Make it as hard as possible for them, they don’t pay you after all)
Advanced DNS / Firewall stuff (here be dragons)

Step 1: redirect all DNS traffic to the firewall.
Anyone who is trying to bypass the pi-hole’s addresses (manual DNS, hardcoded DNS resolvers (Android, I am talking about you!)) will bypass our solution, so let’s redirect those back to the firewall. sneaky. from the pfsense manual:
Firewall > NAT > Port Forward.
Create a rule for TCP/UDP trying to reach port 53 EXCEPT when it’s on the LAN, AND NOT the pi-hole itself. Redirect that to the firewall’s IP and disable reflection. (wonderful application of inverted matches :)


the filter rule will be created automatically
Step 2: Firewall Rules
it is important to set the rules in the right order, remember: Top to bottom, once there is a match, the filtering stops.
Firewall > Rules > LAN

So what have I done here?
- allow pihole to access the internet unfiltered
- allow all DNS traffic from LAN to the firewall (created by the NAT policy before)
- reject all other DNS traffic
- reject DNS over TLS (port 853)
- reject DNS over HTTPS to Google and Cloudflare (8.8.8.8, 8.8.4.4, 1.1.1.1, etc…)
- reject UDP traffic to port 80 or 443 (used by chrome/QUIC)
see the pfsense manual for more information on blocking external DNS
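To see how the NAT redirect from Step 1 and the top-to-bottom rule order from Step 2 interact, here is an added simulation (my example, not pfSense code or its ruleset syntax) that applies the port forward first, as pfSense does, and then stops at the first matching filter rule. The addresses are constructed (firewall 192.168.1.1, pi-hole 192.168.1.2, LAN 192.168.1.0/24) and pfSense’s stock “Default allow LAN to any” rule is assumed to remain at the bottom.

```python
"""Simulate pfSense first-match evaluation for the DNS rules in this post.

Constructed addresses: firewall 192.168.1.1, pi-hole 192.168.1.2,
LAN 192.168.1.0/24. Only flows that actually traverse the firewall
(LAN -> outside) are modelled; client -> pi-hole stays on the LAN segment.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")
FIREWALL = ip_address("192.168.1.1")
PIHOLE = ip_address("192.168.1.2")
# Public resolvers the post names as DoH endpoints (Google, Cloudflare).
DOH_RESOLVERS = {ip_address(a) for a in ("8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1")}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    dport: int


def nat_redirect(f: Flow) -> Flow:
    """Step 1 port forward: port 53 from LAN, NOT to the LAN, NOT from the
    pi-hole, is rewritten to the firewall itself (the inverted matches)."""
    src, dst = ip_address(f.src), ip_address(f.dst)
    if f.dport == 53 and src in LAN and dst not in LAN and src != PIHOLE:
        return Flow(f.src, str(FIREWALL), f.proto, f.dport)
    return f


# Step 2 rules, top to bottom: (name, predicate, verdict). First match wins.
RULES = [
    ("pihole out", lambda f: ip_address(f.src) == PIHOLE, "pass"),
    ("dns to firewall", lambda f: f.dport == 53 and ip_address(f.dst) == FIREWALL, "pass"),
    ("other dns", lambda f: f.dport == 53, "reject"),
    ("dot", lambda f: f.dport == 853, "reject"),
    ("doh", lambda f: f.dport == 443 and ip_address(f.dst) in DOH_RESOLVERS, "reject"),
    ("quic", lambda f: f.proto == "udp" and f.dport in (80, 443), "reject"),
    # Assumed: pfSense's stock "Default allow LAN to any" rule stays last.
    ("default allow", lambda f: True, "pass"),
]


def evaluate(f: Flow) -> tuple[str, str]:
    """NAT first (as pfSense does), then the first matching filter rule."""
    f = nat_redirect(f)
    for name, match, verdict in RULES:
        if match(f):
            return name, verdict
    raise AssertionError("unreachable: default rule matches everything")
```

A phone with a hardcoded 9.9.9.9 resolver therefore never reaches “other dns”: the redirect rewrites it to the firewall and the auto-created filter rule passes it, so the reject rule only catches traffic the NAT did not touch.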
So now I have achieved (I think) the best of both worlds. I enjoy near-perfect ad blocking while using a real firewall for my LAN. sure. pfblockNG is amazing (and I use it for IP blocking!) but the adblocking is just sub-par.
Step 3: pfblockNG
That one is a little more tough to set up. I used a lot of reddit posts and blogs to get it working as there are a ton of settings. I ended up using the Tier1 IP blocklists and the DNS blocklists of BBcan177 (thanks, whoever you are!)
basically it can make pi-hole redundant but I am using VMs so… why bother? :)
return to monkey island
At my age I am not often surprised or hyped but this caught me off guard. Oh so many memories and legendary swordfights. This is definitely one of the things, that strongly shaped my character and my life. Also: Grog is bad for you :P
Source: https://grumpygamer.com/rtmi_trailer
Thank you. Ron. You are a legend.
We will celebrate with grog and red herring <3