Thanks for your email with ID info. I appreciate your email because it convinces me that you are making a serious request which deserves the time I am investing in trying to administer access to the server.
May I please share a few thoughts which came up in my mind?
Port 81: Could we use a high port instead of a privileged port?
What exactly is meant by "private proxy?" I originally imagined it meant a proxy just for use by our friendly Neighbors on our fine server. But maybe "private proxy" means something more or different than a proxy just for all of us?
If somebody interested in security like @AuroraZero asked what is the threat model here, how might you answer?
There are providers here at LES who seem especially interested in privacy. How was the decision made to try our fine server instead of considering some of the providers who seem especially interested in privacy?
Sharing access with others via PM: Should all users of our server comply with the OP Rules in the same excellent way that you are?
Do we need explicit consent from @Hosteroid and @cmeerw, or is silence enough because "silence denotes consent?"
The last thing I want to do is cause trouble for @Hosteroid. How can we be sure that running a proxy on our fine server will not cause trouble for Hosteroid?
Does it make any sense for us to consider other proxies in addition to or instead of shadowsocks-libev? For example, what about Tinyproxy?
Do we know that shadowsocks-libev still works on Debian 12? Maybe you have used shadowsocks-libev recently?
Debian 8, 9 or higher
You can build shadowsocks-libev and all its dependencies by script:
mkdir -p ~/build-area/
cp ./scripts/build_deb.sh ~/build-area/
cd ~/build-area
./build_deb.sh # See https://github.com/shadowsocks/shadowsocks-libev/blob/master/scripts/build_deb.sh
What logging does shadowsocks-libev do?
Are you up on the source code of shadowsocks-libev? Are you okay with posting here in our thread about building shadowsocks-libev (or maybe about installing with Docker) and also posting about how everything works? Are you okay with answering questions about proxies from me and from others?
If we need to use Docker, are you okay with posting here about Docker and with answering questions both about Docker and about the shadowsocks-libev running inside Docker? Are @cmeerw and me going to be able to see inside the Docker container and post about what is there?
I'm looking forward to having you with us on our server because I think proxies are something I could learn more about!
@itsdeadjim said: You can still try removing packages like before (you probably don't need quick3d) but I am not sure how far you can go from here.
I haven't the faintest idea about what's really going on. But, just for fun, I will change the qt6-qtquick3d PLIST by adding the file presently in the build directory but not on the PLIST and also by renaming the .so file to be consistent with the PKG directory.
I'm just having a little fun introducing myself to the huge and complex pkgsrc build process for Wireshark. I don't expect to use the resulting Wireshark, even if it does eventually compile. If there is yet another bump in the build process, I might not continue further. But it's been a lot of fun so far!
=> Checking file-check results for qt6-qtmultimedia-6.8.0nb3
ERROR: ************************************************************
ERROR: The following files are in /usr/pkgsrc/multimedia/qt6-qtmultimedia/work/.destdir/usr/pkg but not in the PLIST:
ERROR: /usr/pkgsrc/multimedia/qt6-qtmultimedia/work/.destdir/usr/pkg/qt6/include/QtMultimedia/6.8.0/QtMultimedia/private/qsymbolsresolveutils_p.h
*** Error code 1
Stop.
bmake[2]: stopped making "reinstall" in /usr/pkgsrc/multimedia/qt6-qtmultimedia
*** Error code 1
Stop.
bmake[1]: stopped making "reinstall" in /usr/pkgsrc/multimedia/qt6-qtmultimedia
*** Error code 1
Stop.
bmake: stopped making "all" in /usr/pkgsrc/net/wireshark
Even installing Wireshark with apt-get would require quite a few packages.
I would track down what, and why they're deemed necessary - as X11 is not a requirement for wireshark. It runs on OpenWRT. Afraid I don't care enough to delve deeper.
Oh wow, so many questions~~~ this is why I thought those would come at an earlier step #1... I might not have applied if I had known this would come.
@Not_Oles said: Port 81: Could we use a high port instead of a privileged port?
I am using the same port on a network of other servers of mine~ and I do not think it is used for any relevant service.
@Not_Oles said: What exactly is meant by "private proxy?" I originally imagined it meant a proxy just for use by our friendly Neighbors on our fine server. But maybe "private proxy" means something more or different than a proxy just for all of us?
I just meant a proxy protected by password~ (as opposed to a public one for everyone, open to all). I have no idea of the (other) requirements other than just being a LES member to get all the settings. I imagined that only interested people would ask for the access, I can't imagine people just joining LES to get this private proxy access considering all the browser extensions that exist already... This is why: I feel all those questions are a bit overkill~ my simple mind just imagined the start of a custom/tradition of sharing a similar service (be it from their own servers).
@Not_Oles said: If somebody interested in security like @AuroraZero asked what is the threat model here, how might you answer?
I do not understand the "threat model" so I guess it would be:
from a server load point of view? Shadowsocks is very well written and uses very little RAM & CPU, the only resources would really be bandwidth/traffic
from a security point of view? It is password protected, it does not care about DDoS
from an encryption point of view? It is using AES
from a legal perspective? It cannot be more dangerous than all those hosting providers here on LES, can it?
@Not_Oles said: There are providers here at LES who seem especially interested in privacy. How was the decision made to try our fine server instead of considering some of the providers who seem especially interested in privacy?
I do not really need this myself~ I think it is just a nice addition: out of 65.5K TCP ports and 65.5K UDP ports of (potential) services that could run (131K ports in total) just 2x ports are enough to implement this...
@Not_Oles said: Sharing access with others via PM: Should all users of our server comply with the OP Rules in the same excellent way that you are?
Most people can order a server without showing an ID... I do not think it would be relevant to apply the same OP Rules for that.
@Not_Oles said: Do we need explicit consent from @Hosteroid and @cmeerw, or is silence enough because "silence denotes consent?"
I have no idea.... aren't you in charge of this?
@Not_Oles said: The last thing I want to do is cause trouble for @Hosteroid. How can we be sure that running a proxy on our fine server will not cause trouble for Hosteroid?
I really doubt anyone would ask for access to Hosteroid's server to hack the Pentagon considering the amount of VPN/proxy offers out there already... there are even public lists of proxies out there (accidentally left open by inexperienced admins and discovered by bots). Surely those "offers" are more valuable for doing something nasty than asking me or you for the access settings?...
@Not_Oles said: Does it make any sense for us to consider other proxies in addition to or instead of shadowsocks-libev? For example, what about Tinyproxy?
I don't know about Tinyproxy, I've looked it up and there is no encryption layer (apart maybe from the standard SSL).
@Not_Oles said: Do we know that shadowsocks-libev still works on Debian 12? Maybe you have used shadowsocks-libev recently?
This is why Docker is appropriate: it doesn't care about the underlying OS (I didn't even know you were running Debian 12, and you can change this in the future without a problem).
I do not think there is any, especially considering those logs would be within the Docker container (which would make it a pain to examine). In terms of disk I believe the usage is around 50MB~.
@Not_Oles said: Are you up on the source code of shadowsocks-libev? Are you okay with posting here in our thread about building shadowsocks-libev (or maybe about installing with Docker) and also posting about how everything works? Are you okay with answering questions about proxies from me and from others?
@Not_Oles said: If we need to use Docker, are you okay with posting here about Docker and with answering questions both about Docker and about the shadowsocks-libev running inside Docker? Are @cmeerw and me going to be able to see inside the Docker container and post about what is there?
I did not examine the code of shadowsocks-libev, I just trust the developers. I do not mind writing a tutorial~. The container would only be using port 81 on both TCP & UDP, there cannot be any other usage than shadowsocks as no backdoors could exist because no other ports could create an access to the container anyway... The port forwarding to/from the container is easily viewable from a ps aux command.
We could make a rule that such access should NOT be used for scrapers (and obviously any other nasty stuff, you can include NO torrenting in that, I do not even think it's possible to torrent with Shadowsocks but maybe I am wrong as I didn't even try it myself~). This is NOT the usage I had in mind ANYWAY... Maybe this is too sensitive of a topic/service~ I can see from the questioning it triggers that it seems quite a concern already.. Maybe it's better that I just drop this idea now?
If I get the strength/time one day I might just offer it myself to the LES community from my own servers: again I just think there is very little demand for this, considering the numerous offers out there, with free or $1/m servers available around...
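An added example, not part of any post in this thread: one way a server admin could check the claim above that only port 81 (TCP and UDP) is forwarded to the container, by reading the docker-proxy processes out of `ps aux` output and comparing them with an allowlist. The sample process lines, PIDs, container IP and container ports are constructed; docker-proxy processes appear only while Docker's userland proxy is enabled (the default).

```shell
#!/usr/bin/env bash
# Added example: audit Docker-published ports as seen in `ps aux`.

# Constructed sample of `ps aux` output (not taken from the real server).
SAMPLE_PS='root 1201 0.0 0.1 1148792 3456 ? Sl 10:02 0:00 /usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 81 -container-ip 172.17.0.2 -container-port 8388
root 1215 0.0 0.1 1148536 3390 ? Sl 10:02 0:00 /usr/bin/docker-proxy -proto udp -host-ip 0.0.0.0 -host-port 81 -container-ip 172.17.0.2 -container-port 8388
root 1302 0.0 0.1 1148792 3410 ? Sl 10:05 0:00 /usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 2222 -container-ip 172.17.0.2 -container-port 22
tom 1400 0.0 0.0 6332 2100 pts/0 S+ 10:09 0:00 grep docker-proxy'

# audit_published_ports "<port/proto> <port/proto> ..."
# Reads `ps aux` lines on stdin, prints one line per docker-proxy mapping,
# and returns 1 if any published host port is not in the allowlist.
audit_published_ports() {
    awk -v allow="$1" '
    BEGIN {
        bad = 0
        n = split(allow, a, " ")
        for (i = 1; i <= n; i++) ok[a[i]] = 1
    }
    /docker-proxy/ {
        proto = ""; hip = ""; hport = ""; cip = ""; cport = ""
        # Pick the value that follows each docker-proxy flag.
        for (i = 1; i < NF; i++) {
            if ($i == "-proto")          proto = $(i + 1)
            if ($i == "-host-ip")        hip   = $(i + 1)
            if ($i == "-host-port")      hport = $(i + 1)
            if ($i == "-container-ip")   cip   = $(i + 1)
            if ($i == "-container-port") cport = $(i + 1)
        }
        # Skip lines that only mention docker-proxy (e.g. a grep process).
        if (proto == "" || hport == "") next
        key = hport "/" proto
        if (key in ok) {
            status = "expected"
        } else {
            status = "UNEXPECTED"
            bad = 1
        }
        printf "%s host=%s container=%s:%s %s\n", key, hip, cip, cport, status
    }
    END { exit bad }
    '
}

# Run against the constructed sample; on a real host use:
#   ps aux | audit_published_ports "81/tcp 81/udp"
printf '%s\n' "$SAMPLE_PS" | audit_published_ports "81/tcp 81/udp" \
    || echo "at least one published port is outside the allowlist"
```

This only shows which host ports are forwarded; it says nothing about what the process inside the container does with the traffic it receives on them.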
@WSS said:
I would track down what, and why they're deemed necessary - as X11 is not a requirement for wireshark. It runs on OpenWRT. Afraid I don't care enough to delve deeper.
Presumably, wireshark can be built without the GUI (which is what the OpenWRT build does - so you only get TShark there).
@jcn50 said: I really doubt anyone would ask for access to Hosteroid's server to hack the Pentagon considering the amount of VPN/proxy offers out there already... there are even public lists of proxies out there (accidentally left open by inexperienced admins and discovered by bots). Surely those "offers" are more valuable for doing something nasty than asking me or you for the access settings?...
Maybe the value could be that this fine server is not on any blacklist so far
@jcn50 said: This is why Docker is appropriate: it doesn't care about the underlying OS (I didn't even know you were running Debian 12, and you can change this in the future without a problem).
There is even a Debian package, but why does the README not recommend using that?
@cmeerw said: Maybe the value could be that this fine server is not on any blacklist so far
A shadowsocks service is not a SMTP relay service. I do not even know what happens on the email headers side when sending an email, I actually never tried~.
@cmeerw said: There is even a Debian package, but why does the README not recommend using that?
@cmeerw said: Maybe the value could be that this fine server is not on any blacklist so far
A shadowsocks service is not a SMTP relay service. I do not even know what happens on the email headers side when sending an email, I actually never tried~.
Not all blacklists are only about SMTP (and email spam), but some of them also cover other undesirable behaviour from a particular IP.
@jcn50 said: Maybe this is too sensitive of a topic/service~ I can see from the questioning it triggers that it seems quite a concern already.. Maybe it's better that I just drop this idea now?
@jcn50 said: I guess I will just silently evaporate from this thread...
Thanks for opening and participating in our excellent discussion!
Thanks to Hosteroid for donating our excellent server!
Comments
Hi again @jcn50!
Instead of Docker, could we possibly consider following something like the build instructions from the README.md at https://github.com/shadowsocks/shadowsocks-libev ?
Thanks! Best wishes!
Tom
I hope everyone gets the servers they want!
@itsdeadjim
I looked at https://releng.netbsd.org/bulktracker/x11/qt6-qtbase. The only Linux on that page seems to be Rocky, which seems to have "failed" and also "indirect-failed".
Thanks @Hosteroid! Thanks @itsdeadjim!
Okay, that's it for this time.
Why do you have X11 depends?
My pronouns are like/subscribe.
@WSS
Great to see you!
X11 dependencies are present, I suppose, because Wireshark is a graphical application. And graphical applications want X11.
Probably you have a better idea.
It's getting late here, so sleep now for me. But I will look for your reply, if any, in the morning.
Hope you are doing great! Best wishes! Nice that you are back!
The deployment with Docker would take 1~2 min.
I have opened a poll~, let's see the demand...
I don't know~~ one can only guess & my assumption is that libpcre3 will one day be deprecated for Debian as well.
At the moment the poll is favoring the "No" side~ so I guess I will just silently evaporate from this thread...
Google found discussion of Wireshark and OpenWRT at https://openwrt.org/docs/guide-user/firewall/misc/tcpdump_wireshark. One of the example commands from that discussion is
The -k and -i options are explained on the man page:
It looks like Wireshark in the OpenWRT example might be passing its output over ssh, and so it's "really" tshark, maybe?
Neither NetBSD pkgsrc nor pkgsrc-wip seem to offer the option to install tshark. The Wireshark website offers hints:
https://ask.wireshark.org/question/12584/how-to-build-and-install-tshark-without-wireshark/
https://www.wireshark.org/docs/wsdg_html_chunked/ChToolsCMake.html
Maybe I could figure out some more and eventually help add tshark to pkgsrc-wip?
Hey, maybe we LESbians could meet up at the Sharkfest!
Thanks again @WSS! Again, it's great that you are back! I hope you continue to stick around!
Best wishes and kindest regards!