>I always felt, and still feel, that applied Linux networking is difficult to get started with, mainly due to lack of good guidance. Most of the time I had to dig through small pieces of documentation scattered throughout the internet, trying to put them together to form a systematic overview of the network stack in Linux.
...
>It is extremely frustrating when somebody interested in setting up their own network infrastructure has to at some point get stuck at some convoluted networking concepts, intricate and abstract tools, mysterious errors here and there, or lack of systematic documentation. I wish everyone had some choices other than spending days and weeks trying to figure these out alone, so I decided to write down what I have done, what I have learned and what I have to share with the rest of the internet. I sincerely hope that some day IT operations would be more beginner-friendly, and hosting one's own network infrastructure no longer means headache and mess.
These are exactly my feelings. Stinky.fish makes more sense for a Linux blog. Everything about it stinks until it actually works. :)
I experienced this back when I configured my home Linux boxes as a router, VPN server, firewall, media server, etc. Since I had the time, I compiled all of the info I found on random blogs and sites and added it to the Ubuntu Community wiki. That was the 12.x days, when Ubuntu was in its prime and the distro to use.
While these blogs were a great resource, I often found the commands outdated or applied to a different distro. A distro-specific wiki solves both those issues. While I don't get the glory of a blog, I just checked and it's nice to see my notes still there for future Denvercoder9's.
The Gentoo Wiki was a great resource for many networking questions, even when I wasn't using Gentoo.
A major hurdle is simply learning how to describe what you want to do "in the industry terms" - "I can't access my server from my computer but it works from the Internet" is a lot easier to resolve when you learn what "hairpin NAT" is.
Ahhh, it sounds like you've only done this once. I started off with ipfw, then ipchains, then iptables and now whatever firewalld supports. OK that's roughly 25 years so not too much firewalling churn! I stopped hand rolling my own rule sets with ipchains and switched to generators and there are loads of them.
For me some of the problems nowadays are caused by search engine manipulation. Up until around five or so years ago Linux concept searches would get you pointed at the usual big hitters - Arch/Gentoo/Ubuntu/etc wikis and useful and quite well known blogs. My modern block list for ublacklist is huge and barely scratches the surface.
Now I come to think of it, we now have ChatGPT and I bet it can roll a decent ruleset without hallucinating madly. No doubt someone will soon be Showing HN: their smart new firewall prompt generator language for <insert AI here>. It will make the LLM use Rust as an intermediary for extra safety.
I found WireGuard to actually be especially frustrating, because it doesn't really log anything. If you make a single configuration misstep the packets just won't flow. Then good luck figuring out whether it's the authentication that's wrong (or any of the cert checks in the chain), routing, MTU, firewall or anything in between.
It's kinda horrible. Not that IPsec is any better. OpenVPN at least yells something at you.
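Since WireGuard logs nothing, the one piece of state it does expose is the per-peer handshake and transfer counters from `wg show all dump`. The script below is an added example (not from the thread, and not part of WireGuard itself) that parses that output and sorts each peer into "no handshake yet" (keys, endpoint or UDP reachability are the suspects), "stale handshake" (the peer answered once, so keys were right, but has stopped responding) or "ok" (the tunnel is up, so remaining problems are AllowedIPs, routing or MTU). It assumes the tab-separated dump layout described in wg(8): one interface header line with five fields, then one nine-field line per peer. The sample dump and the timestamp `NOW` are constructed; `wg` is only invoked if it is present.

```python
"""Classify WireGuard peers from `wg show all dump` output (added example)."""
import subprocess
import time

# Constructed sample, as if captured at NOW. Keys and addresses are placeholders.
NOW = 1_700_000_000
SAMPLE_DUMP = "\n".join([
    # interface header: iface, private-key, public-key, listen-port, fwmark
    "wg0\t(hidden)\tSERVER_PUBKEY=\t51820\toff",
    # peer A: handshake 30 s ago with traffic both ways -> tunnel is up
    "wg0\tPEER_A_PUBKEY=\t(none)\t203.0.113.10:41000\t10.0.0.2/32\t"
    + str(NOW - 30) + "\t123456\t654321\t25",
    # peer B: last handshake 12 min ago -> keys were right once, peer silent now
    "wg0\tPEER_B_PUBKEY=\t(none)\t198.51.100.7:51820\t10.0.0.3/32\t"
    + str(NOW - 720) + "\t2048\t4096\toff",
    # peer C: never completed a handshake -> key/endpoint/UDP-port problem
    "wg0\tPEER_C_PUBKEY=\t(none)\t(none)\t10.0.0.4/32\t0\t0\t0\toff",
])

# WireGuard rekeys every ~2 minutes while traffic flows, so a handshake older
# than this means the other side is not answering (assumed threshold).
HANDSHAKE_STALE_SECONDS = 180

HINTS = {
    "no-handshake": "check peer public keys, Endpoint, and that UDP ListenPort is reachable through the firewall",
    "stale-handshake": "peer stopped replying: endpoint changed, peer down, or NAT/firewall state expired (try PersistentKeepalive)",
    "ok": "tunnel is up; if packets still don't flow, check AllowedIPs, routes and MTU",
}


def parse_dump(text):
    """Return one dict per peer line; interface header lines are skipped."""
    peers = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) != 9:  # header line has 5 fields
            continue
        iface, pub, _psk, endpoint, allowed, hs, rx, tx, keepalive = fields
        peers.append({
            "interface": iface,
            "public_key": pub,
            "endpoint": endpoint,
            "allowed_ips": allowed,
            "latest_handshake": int(hs),  # 0 means never
            "transfer_rx": int(rx),
            "transfer_tx": int(tx),
            "keepalive": int(keepalive) if keepalive.isdigit() else 0,
        })
    return peers


def classify(peer, now):
    """Map a parsed peer to one of the three diagnostic states."""
    if peer["latest_handshake"] == 0:
        return "no-handshake"
    if now - peer["latest_handshake"] > HANDSHAKE_STALE_SECONDS:
        return "stale-handshake"
    return "ok"


def diagnose(dump_text, now):
    """Return [(public_key, state), ...] for every peer in the dump."""
    return [(p["public_key"], classify(p, now)) for p in parse_dump(dump_text)]


def live_dump():
    """Run `wg show all dump` if wg is installed, else return None."""
    try:
        out = subprocess.run(["wg", "show", "all", "dump"],
                             capture_output=True, text=True, check=True)
        return out.stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None


if __name__ == "__main__":
    dump = live_dump()
    now = int(time.time()) if dump else NOW
    for pub, state in diagnose(dump or SAMPLE_DUMP, now):
        print(f"{pub:20s} {state:16s} {HINTS[state]}")
```

Running it as root on a box with WireGuard prints a line per peer; without `wg` it falls back to the constructed sample. The point of the split is that a completed handshake proves the key pair and UDP path were correct, which removes authentication and the outer firewall from the list of suspects and leaves routing, AllowedIPs and MTU.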
I'm wondering whether one can get these notifications through netlink. Not having any way to get the kinds of feedback you're mentioning from a stateful thing is a horrible user experience. It doesn't need to cover the firewall part, MTU rejects, etc. Because if it's actually modular, you're supposed to be able to use the usual tools (/proc/net and /sys/net for stats and netlink for firewall logs?), hopefully they're usable...