Tagged: linux
24 posts · browse all tags
-
Cilium: Kubernetes Networking and Security Built on eBPF
Cilium replaces iptables-based kube-proxy and overlay CNIs with eBPF programs on the kernel datapath. Connects back to namespaces, veth pairs, nftables, and eBPF/XDP, then covers identity-based network policy and Hubble observability.
-
Nmap and the Scripting Engine: A Network Engineer's Field Guide to NSE
Nmap's scan engine and NSE scripting framework are as useful for firewall change validation and inventory work as for security assessments. Covers scan types, timing, NSE categories, writing a custom script, and practical recipes for network engineers.
-
strncpy Is Finally Gone: What Linux 7.2-rc1 Means for Kernel Security
Linus opened the 7.2 merge window and tagged 7.2-rc1 — and with it, strncpy() is finally gone from the kernel tree. Six years, 362 commits, 70 contributors. Here's what the function actually did wrong, why it took so long to kill, and why removal beats deprecation.
-
Linux Network Namespaces: Isolated Network Stacks Without a Hypervisor
Network namespaces give a process its own interfaces, routing table, iptables rules, and sockets — completely isolated from the host. They underpin Docker, Kubernetes, and VPNs. This post covers how they work and how to use them hands-on.
-
nftables: The Modern Netfilter Framework Every Network Engineer Should Know
nftables replaced iptables as the default Linux firewall framework years ago, but most existing guides and scripts still assume iptables syntax. This post covers the nftables model properly — tables, chains, sets, maps — and how to think about it coming from an iptables or FortiGate policy background.
-
eBPF and bpftrace: Network Observability Without Touching the Packet Path
eBPF lets you attach tiny programs to kernel hooks — TCP state changes, socket events, XDP ingress — with zero packet-path overhead and no kernel modules. bpftrace makes it scriptable. This post covers both for network engineers.
-
Bash Patterns Every Network Engineer Should Know
Most network engineers write bash defensively, copying patterns from old scripts without understanding why they work. This post covers the patterns that actually matter — strict mode, parallel SSH fan-out, retry logic, and structured output — with an emphasis on what breaks when you skip them.
-
Deeper Than tcpdump: NIC Diagnostics with ethtool and Protocol Analysis with tshark
ethtool exposes the NIC hardware state that sits below anything tcpdump can see — link negotiation, ring buffers, offload settings, error counters. tshark adds full protocol decode on top of tcpdump's capture model. Together they cover the diagnostic gap between 'the cable is fine' and 'I can read every field in this packet.'
-
Linux VRFs: Route Isolation Without the Namespace Overhead
Linux VRFs give you FortiGate-VDOM-style routing table separation on a single network stack, without the full isolation (and overhead) of network namespaces. This post covers the l3mdev model, VRF creation, route leaking, and when VRFs are the right tool versus namespaces.
-
jq for Network Engineers: Parsing APIs, Routing Tables, and Structured Logs
jq is the missing piece between modern JSON-emitting tools — ip -j, ss -j, REST APIs — and the shell. This post covers the filter language properly: selection, mapping, construction, and the patterns that come up constantly when automating network infrastructure.
-
Replacing netstat with ss: A Network Engineer's Diagnostic Guide
ss is the modern replacement for netstat — faster, richer, and capable of exposing per-socket TCP internals that netstat never could. This post covers the filter syntax, TCP state analysis, and the diagnostics that matter when troubleshooting live connections.
-
Beyond ifconfig: The ip Command Reference Every Network Engineer Needs
The ip command from iproute2 replaced ifconfig and route over a decade ago, but most guides still treat it as a drop-in substitute. This post covers the full model — interfaces, addresses, routes, policy routing, ARP, and live monitoring — with practical examples aimed at network engineers.
-
Traffic Control Under the Hood: A Linux tc Deep Dive for Network Engineers
tc is the Linux traffic control subsystem behind netem, HTB shaping, and DSCP-aware queuing. This post explains the model properly — qdiscs, classes, filters — then builds a practical lab rig for testing SD-WAN Performance SLA thresholds and QoS behaviour.
-
Chronos Keeps Time: Building an Enterprise-Grade NTP Service with chrony and Integrating it with FortiGate
Why we chose chrony over ntpd and timesyncd, what CIS and Fortinet hardening guides say about NTP, a full build walkthrough, the deny-all ordering mistake every network engineer will make, and how to generate NTP keys that FortiOS will actually accept.
-
The Packet Never Lies: Advanced tcpdump Recipes for the Enterprise Engineer
Bitwise BPF masking, enterprise recipes for asymmetric routing and retransmission hunting, a safe SSH-to-Wireshark live-streaming setup that won't loop your own session, and a cross-vendor capture map spanning Debian, Cisco IOS, FortiOS, Junos, and VeloCloud.
-
spectre-meltdown-checker: Auditing CPU Vulnerability Mitigations on Linux
A deep dive into spectre-meltdown-checker — how it actually works under the hood, what it tells you that /sys/devices/system/cpu/vulnerabilities does not, the alternative tools (lscpu, vendor microcode checkers, in-tree kernel reporting), and when to reach for each one on a production Linux box.
-
Generating a Constant Stream of Web Traffic with Python
A small, polite Python script that round-robins through ten popular public sites at a configurable rate — useful for homelab traffic, exercising a proxy, or learning the requests library. Walks through the full code, the safety rails, and how to run it under tmux.
-
Resilient DNS at Home: Building an HA Pi-hole Pair on Raspberry Pi
A complete walkthrough for installing Pi-hole on a Raspberry Pi running current Raspbian, then turning a single box into a highly available pair using keepalived and Orbital Sync — with the config examples and show commands you'll actually use.
-
Building a FortiManager Lab on Proxmox — Part 3: Proxmox Networking, Linux Bridges, VLAN-Aware Bridges and SDN for the Lab
Part 3 of the FortiManager-on-Proxmox series. Designs the four-segment lab network, compares Linux bridges, VLAN-aware bridges and Proxmox SDN, walks through the /etc/network/interfaces shape, and explains why the lab bridges should never have an IP on the host.
-
iptables to nftables: Migrating Production Firewalls Without Downtime
A working engineer's guide to moving from iptables to nftables on production Linux firewalls — the mental model shift, where iptables-translate misleads you, atomic ruleset swaps, and a clean rollback strategy that means a bad migration costs you seconds, not your weekend.
-
Linux Networking from the Ground Up: Network Namespaces, veth Pairs, and Building a Multi-Router Lab on One Host
Build a real multi-router BGP and OSPF lab on a single Linux box using network namespaces, veth pairs, and FRRouting — no VMs, no containers, no GNS3. A practical walk-through of the primitives that GNS3, Docker, and Kubernetes are quietly using under the hood.
-
Network Emulation with NETEM: Simulating Latency, Loss, Jitter, and Bandwidth Constraints for Realistic Lab Testing
A practical guide to using Linux's NETEM qdisc to bend networks to your will — adding latency, loss, jitter, duplication, reordering, and bandwidth caps so you can test how applications and protocols actually behave when the network is anything other than perfect.
-
SSH Hardening Beyond the Basics: Certificate Authorities, Bastion Patterns, and Session Auditing
A production-grade SSH setup that goes beyond disabling password auth — running your own SSH CA with short-lived user and host certificates, ProxyJump bastions, ForceCommand restrictions, and recording sessions with tlog and auditd.
-
tcpdump Deep Dive: BPF Filters, Capture Rotation, and Cross-Mapping to FortiGate's diagnose sniffer packet
A practical, command-heavy guide to getting real value out of tcpdump — precise BPF filters, production-grade ring-buffer captures, and a side-by-side mapping to FortiGate's diagnose sniffer packet so you can switch between the two without losing your place.