Network Hardening
Kernel, firewall, sysctl, and access-control playbooks for anyone running their own network edge.
DNS — name resolution end to end
DNS from first principles: zones, delegation, recursive vs authoritative resolvers, the wire format, caching, DNSSEC, DoH/DoT/DoQ, and where privacy actually leaks.
HTTP/1.1, HTTP/2, HTTP/3 — the evolution
Why HTTP needed three rewrites in twenty years: pipelining's failure, HTTP/2's multiplexing, QUIC's leap to UDP, and the head-of-line blocking that connects all three.
The IP forwarding plane
How a router actually forwards a packet: longest-prefix match, FIB lookup, adjacency resolution, TTL/Hop Limit, fragmentation, ICMP feedback, and the data/control/management plane split.
IPv6 fundamentals
IPv6 from first principles: address structure, SLAAC, Neighbor Discovery, extension headers, PMTUD, and the operational realities of dual stack.
NAT, NAT traversal, and the end-to-end principle
Why NAT exists, how mapping/filtering/timeouts actually behave, what STUN/TURN/ICE are for, and why CGNAT compounds the problem IPv6 was supposed to fix.
TCP congestion control
Why congestion control exists, how slow start and AIMD actually behave, what CUBIC and BBR change, and how bufferbloat ruins everything if you let it.
TLS 1.3 handshake byte by byte
TLS 1.3 from first principles: ClientHello, key agreement, key schedule, certificate authentication, 0-RTT replay caveats, and what the wire still leaks.
UDP, the simplest transport
UDP from first principles: datagram semantics, the 8-byte header, why DNS / QUIC / RTP / metrics protocols choose it, and when 'almost nothing' is the right answer.
Bits, signals, and the physical layer
The physical layer from first principles: bits vs symbols, line encoding, clock recovery, noise, bandwidth, and why software engineers should care.
Ethernet and MAC addressing
Ethernet frame format, MAC addressing, switching, ARP, broadcast domains, and the practical mechanics of a modern LAN.
IPv4 addressing and subnetting deep dive
IPv4 from first principles: CIDR, prefix math, route aggregation, RFC 1918, VLSM, and the subnetting mistakes operators keep repeating.
TCP at the wire level
TCP byte-by-byte: three-way handshake, state machine, sequence numbers, retransmission, window scaling, FIN vs RST. Read packet captures with confidence.
Auditing your network exposure with Nmap and ss
How to audit Linux network exposure the sane way: join local listener inventory from ss with remote reachability checks from Nmap instead of trusting only one view.
Chrony time sync for cryptographic correctness
How to configure chrony so TLS, DNSSEC, NTS, and other crypto-sensitive services stop failing for stupid clock reasons after boot and drift.
fail2ban and CrowdSec for VPN servers
How to choose between Fail2Ban and CrowdSec on public VPN gateways, when one tool is enough, and how to avoid two intrusion tools fighting over your firewall.
Linux sysctl reference for network-facing servers
A practical sysctl baseline for public Linux hosts, VPN gateways, and Docker boxes, with the knobs that matter and the ones that break routing when you cargo-cult them.
Choosing between nftables, iptables, and UFW in 2026
A practical firewall decision guide for Linux operators: when nftables is the right default, when UFW is still enough, and why Docker keeps iptables syntax relevant.
Disabling and replacing weak crypto algorithms server-wide
How to remove weak SSH-era crypto safely, where system-wide crypto policy really applies, and how to verify you modernized the server instead of just breaking access.
SSH hardening for VPN gateways and bastion hosts
A practical OpenSSH hardening guide for public gateways and bastions, including forwarding policy, PerSourcePenalties, session limits, and safe rollout habits.
Kernel-level packet filtering: XDP and eBPF basics
An operator-first introduction to XDP and eBPF packet filtering: where XDP sits in the path, what the actions mean, and when it beats nftables or tc.