Does anyone know of any good firewalls for macOS? The built in firewall is practically unusable, and if client isolation can be bypassed, the local firewall is more important than ever.
I often have a dev server running bound to 0.0.0.0 as it makes debugging easy at home on the LAN, but then if I connect to a public WiFi I want to know that I am secure and the ports are closed. "Block all incoming connections" on macOS has failed me before when I've tested it.
Little Snitch is a user-friendly, software-level blocker, only – use with caution.
Just FYI: LittleSnitch pre-resolves DNS entries BEFORE you click `Accept/Deny`, if you care & understand this potential security issue. Your upstream provider still knows whether you denied a query. Easily verifiable with a PiHole (&c).
I liken the comparison to disk RAIDs: a RAID is not a true backup; LittleSnitch is not a true firewall.
You need isolated hardware for true inbound/outbound protection.
>Just FYI: LittleSnitch pre-resolves DNS entries BEFORE you click `Accept/Deny`, if you care & understand this potential security issue. Your upstream provider still knows whether you denied a query. Easily verifiable with a PiHole (&c).
This also feels like an exfil route? Are DNS queries (no tcp connect) logged/blocked?
When you see the LittleSnitch dialogue (asking to `Accept/Deny`), whatever hostname is there has already been pre-resolved by upstream DNS provider (does not matter which option you select). This software pares well with a PiHole (for easy layperson installs), but even then is insufficient for OP's attack.
I have just today discovered zmx [1] which is like tmux but I always hated the tmux terminal emulation and how it hijacks scrolling, especially on Termius on my phone. It does session persistence but I think without the terminal emulator side of things, so scrolling works normally.
Been testing it today with Claude Code and it seems to work quite well switching between my laptop and phone.
I also hate how tmux uses alt mode and can never remember all the shortcuts, copy paste is a PITA and just today I had to look up how to dump the scrollback buffer to a file. Named sessions without window management makes a lot more sense these days. Similarly, I'm not a fan of all the ANSI escape codes that CC uses to jump the cursor around and rewrite the display to look like a GUI. I prefer a TUI that doesn't mutate rows after writing them, that's what alt mode is for. CC often clears whatever was in the scrollback buffer before you opened it, it hides bracketed paste, and goes crazy sometimes when content overflows the window and I have to resize the terminal or get blasted with a wall of glitching characters--extra annoying if I'm working from a low bandwidth link. I develop my own agent framework and code agent, and while some features aren't as polished as CC, one of my explicit goals is to preserve the traditional CLI feel, like the python REPL (that's what it's based around). I'll give zmx a try tonight :)
I was travelling a lot a couple of days ago across the countryside just outside of Krakow, and people are definitely burning plastics and trash, you can smell it even inside your car in the early hours of the morning.
It's coming from the surrounding areas, not the city itself.
Also one thing to note is that if pollution is bad in general then nearby fires and local sources of pollution will be much more noticeable. At least in my experience it seems to keep the pollution closer to the ground. Like if you are walking around a city with a lot of traffic on a day with bad pollution you will basically smell car exhaust all day whereas on days with low pollution even with the exact same amount of cars it will be much less noticeable.
Suburbs may be fine, but beyond them there's a ring of small towns and villages, and I bet most of the pollution is flowing from them down into the city.
"A high-latency architect who spends his days documenting every time a CDN sneezes while dreaming of a mountain drive through the Balkans with a fresh burek in hand."
Definitely don't recommend going down this path if you're not already familiar with Nix, but if you are, a strategy that I find works really well is to package your software with Nix, then you can run it easily via systemd but also create super lightweight containers using nix-snapshotter[0] so you don't have to "build" container images if you still want the flexibility of containers. You can then run the containers on Docker or Kubernetes without having to build heavy images.
Not gonna lie Terranix has been working great for us, all our configuration is in Nix files anyway so it's so easy to just pass stuff in rather than using Tf variables etc
Looking forward to the post mortem on this one. We weren't affected (just using the CDN), and people are saying they weren't affected who are using Cloudflare Workers (a previous culprit which we've since moved off), so I wonder what service / API was actually affected that brought down multiple websites with a 500 but not all of them.
Wise was just down which is a pretty big one.
Also odd how some websites were down this time that previously weren't down with the global outage in November
Yeah it's strange. My sites that are are proxied through Cloudflare remained up, but Supabase was taken offline so some backends were down. Either a regional PoP style issue, or a specific API or service had to be used to be affected.
>A change made to how Cloudflare's Web Application Firewall parses requests caused Cloudflare's network to be unavailable for several minutes this morning.
>The change was deployed by our team to help mitigate the industry-wide vulnerability disclosed this week in React Server Components.
>We will share more information as we have it today.
Two's a coincidence, three's a pattern; I guess we will have to wait until next month to see if it becomes a pattern. Was there a particular aspect of the React Server Components that made it easy to have this problem appear? would it have been caught or avoided in another framework or language?
The entire Cloud/SaaS story had a lot of happy-path cost optimization. The particular glitch that triggered the domino effect may be irrelevant relative to the fact that the effect reproduces.
we were not affected too and we realised it was Cloudflare because Linear was down and they were mentioning an upstream service. Also Ecosia was affected, and I then realised they might be relying on Cloudflare too.
This has to be setting off some alarm bells internally, a well written postmortem on an occasional issue, great, but when your postmortem talks about learnings and improvements yet major outages keep happening, it becomes meaningless..
I often have a dev server running bound to 0.0.0.0 as it makes debugging easy at home on the LAN, but then if I connect to a public WiFi I want to know that I am secure and the ports are closed. "Block all incoming connections" on macOS has failed me before when I've tested it.