think1984

joined 2 years ago
[–] [email protected] 17 points 1 week ago (1 children)

Anyone who uses YouTube et al. or any number of non-DRM (Widevine) streams?

[–] [email protected] 5 points 3 weeks ago

Here's mine, if this helps? I have WireGuard running on an Alpine LXC on my LAN, and use it to connect back home. I can SSH to or use resources from any other machine on the LAN while connected. You'll need to amend the include rules to match whatever distro you're using (the paths will be different), and you can add whatever rules you wish under the LAN section to allow local access to the WireGuard 'host' for other services (e.g. SSH).

There's also a lot of useful info on the Pro Custodibus blog.

```
#!/usr/sbin/nft -f
flush ruleset

define pub_iface = "eth0"
define wg_iface = "wg0"
define wg_port = "51820"

table inet my_table {
	set LANv4 {
		type ipv4_addr
		flags interval

		elements = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 }
	}
	set LANv6 {
		type ipv6_addr
		flags interval

		elements = { fd00::/8, fe80::/10 }
	}

	chain my_input_lan {
		ip6 daddr fe80::/64 udp dport dhcpv6-client accept comment "Accept DHCPv6 configuration"
		udp dport netbios-ns accept comment "Accept NetBIOS Name Service (nmbd)"
		udp dport netbios-dgm accept comment "Accept NetBIOS Datagram Service (nmbd)"
		tcp dport netbios-ssn accept comment "Accept NetBIOS Session Service (smbd)"
		udp sport { bootpc, 4011 } udp dport { bootps, 4011 } accept comment "Accept PXE"
		tcp dport ssh accept comment "Accept SSH on port 22"
	}

	chain my_input {
		type filter hook input priority 0; policy drop;

		iif lo accept comment "Accept any localhost traffic"
		ct state invalid counter drop comment "Drop invalid connections"
		ct state established,related accept comment "Accept traffic originated from us"

		tcp dport 113 reject with icmpx type port-unreachable \
			comment "Reject AUTH to make it fail fast"

		# ICMPv4

		ip protocol icmp icmp type {
			echo-reply,  # type 0
			destination-unreachable,  # type 3
			echo-request,  # type 8
			time-exceeded,  # type 11
			parameter-problem,  # type 12
		} accept \
		comment "Accept ICMP"

		# ICMPv6

		icmpv6 type {
			destination-unreachable,  # type 1
			packet-too-big,  # type 2
			time-exceeded,  # type 3
			parameter-problem,  # type 4
			echo-request,  # type 128
			echo-reply,  # type 129
		} accept \
		comment "Accept basic IPv6 functionality"

		icmpv6 type {
			nd-router-solicit,  # type 133
			nd-router-advert,  # type 134
			nd-neighbor-solicit,  # type 135
			nd-neighbor-advert,  # type 136
		} ip6 hoplimit 255 accept \
		comment "Allow IPv6 SLAAC"

		icmpv6 type {
			mld-listener-query,  # type 130
			mld-listener-report,  # type 131
			mld-listener-reduction,  # type 132
			mld2-listener-report,  # type 143
		} ip6 saddr fe80::/10 accept \
		comment "Allow IPv6 multicast listener discovery on link-local"

		ip6 saddr fe80::/10 udp sport 547 udp dport 546 accept \
		comment "Accept DHCPv6 replies from IPv6 link-local addresses"

		ip protocol igmp accept comment "Accept IGMP"
		udp dport mdns ip6 daddr ff02::fb accept comment "Accept mDNS"
		udp dport mdns ip daddr 224.0.0.251 accept comment "Accept mDNS"

		ip6 saddr @LANv6 jump my_input_lan comment "Connections from private IP address ranges"
		ip saddr @LANv4 jump my_input_lan comment "Connections from private IP address ranges"

		udp sport bootpc udp dport bootps ip saddr 0.0.0.0 ip daddr 255.255.255.255 accept comment "Accept DHCPDISCOVER (for DHCP-Proxy)"

		# Accept all WireGuard packets received on a public interface
		iifname $pub_iface udp dport $wg_port accept
		# Accept all DNS packets from wg clients sent to a DNS server running on the same local server (i.e. if running DNS and WG on the same VPS).
		# Doesn't seem necessary if the DNS is just on a separate server on the LAN.
		iifname $wg_iface tcp dport 53 accept
		iifname $wg_iface udp dport 53 accept
		counter comment "count dropped packets"
	}

	chain forward {
		type filter hook forward priority 0; policy drop;
		ct state vmap { invalid : drop, established : accept, related : accept }
		iifname $wg_iface oifname $pub_iface accept
		reject with icmpx type host-unreachable
	}

	chain my_output {
		type filter hook output priority filter; policy accept;
		# Accept every outbound connection
	}
}

table inet nat {
	chain postrouting {
		type nat hook postrouting priority 100; policy accept;
		iifname $wg_iface oifname $pub_iface masquerade
	}
}

# The state of stateful objects saved on the nftables service stop.
include "/var/lib/nftables/*.nft"

# Rules
include "/etc/nftables.d/*.nft"
```

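
A static check that can be run over a ruleset file like the one above before loading it, confirming that the input and forward base chains still default to drop after local edits. This is an added example, not part of the original comment; the function names and the abbreviated sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original comment): static check of the
# default policy of every nftables base chain in a ruleset file.

# Print "<chain> <hook> <policy>" for each base chain in file "$1".
list_base_chains() {
    awk '
        $1 == "chain" { chain = $2 }            # e.g. "chain my_input {"
        $1 == "type" {                          # base-chain line, or a set "type" line
            hook = ""; policy = "accept"        # nftables default when "policy" is omitted
            for (i = 1; i < NF; i++) {
                if ($i == "hook")   hook = $(i + 1)
                if ($i == "policy") { policy = $(i + 1); sub(/;$/, "", policy) }
            }
            if (hook != "") print chain, hook, policy   # sets have no hook: skipped
        }
    ' "$1"
}

# Return 0 only if every input and forward base chain drops by default.
audit_default_drop() {
    bad=$(list_base_chains "$1" |
          awk '($2 == "input" || $2 == "forward") && $3 != "drop"')
    [ -z "$bad" ] && return 0
    printf 'not default-drop: %s\n' "$bad" >&2
    return 1
}

# Constructed sample: only the set and chain headers of the ruleset above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
table inet my_table {
	set LANv4 {
		type ipv4_addr
	}
	chain my_input {
		type filter hook input priority 0; policy drop;
	}
	chain forward {
		type filter hook forward priority 0; policy drop;
	}
	chain my_output {
		type filter hook output priority filter; policy accept;
	}
}
EOF
list_base_chains "$sample"
audit_default_drop "$sample" && echo "input/forward default to drop"
rm -f "$sample"
```

The check only reads text, so it complements rather than replaces a syntax check of the file by `nft` itself.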
[–] [email protected] 7 points 1 month ago

It's certainly existed for years and it's a nice release, such as it is. However, the absolute lack of IPv6 and abject refusal to incorporate WireGuard for Reasons™ led to me going back to OpenBSD and OpenWRT, personally. They seem to have a WIP towards finally incorporating WireGuard, but IPv6 is still AWOL, which is fatal for my use-case.

[–] [email protected] 1 points 11 months ago (1 children)

You can force Firefox to display dark mode in web content (even with privacy tweaks enabled to resist fingerprinting or tracking), by setting the two following hidden prefs in your user.js:

```js
// PREF: enable a Dark theme for browser and webpage content
// [TEST] https://9to5mac.com/
user_pref("ui.systemUsesDarkTheme", 1); // HIDDEN
user_pref("browser.in-content.dark-mode", true); // HIDDEN
```

[–] [email protected] 1 points 1 year ago (3 children)

Yes of course. I hadn't slept when I replied, how embarrassing to miss that. You can enable CNAME uncloaking in Brave, which I suspect draws them to a parallel. It would be interesting to see the test repeated with the setting enabled. Since one has to (or had to) enable it in uBO also, it would only be fair to compare apples to apples. As I said, the blocker in Brave is based on uBO anyway. To be clear, and as I've said before, I've daily driven Firefox since the beginning and run uBO in medium mode. I'm not shilling for Brave here, simply pointing out that the differences are small (much of the code is shared with uBO) and it does certainly render faster.

[–] [email protected] 1 points 1 year ago (5 children)

Brave isn't represented anywhere on the graph? Unless I've misunderstood you. That's a comparison of Firefox with various ad blockers, and uBO with and without CNAME uncloaking enabled. Brave also uncloaks CNAMEs, so that's one place they are equal. Chromium-based browsers do lack some abilities compared to Firefox, however. I have daily driven Firefox since the first day, but Brave and Blink/Chromium-based browsers are undeniably faster at rendering (unfortunately).

[–] [email protected] 1 points 1 year ago (7 children)

> And thirdly, I have seen no mention of anything like ublock’s blocking modes (block 3rd party scripts/frames). Can you quickly select an element to block in brave?

You can enter as many custom filter rules as you like, with adblock syntax support. You can select an element to block, yes.

[–] [email protected] 1 points 1 year ago (9 children)

> A baked-in content blocker like that of braves loses because it isn’t extensible.

In what way? I use(d) Firefox since the very first Firebird days, and Netscape Navigator before it, and I'm practically married to uBO (don't tell my wife!). That said, Brave's 'shields' blocker is just skinned uBO with some tweaks. It can add custom cosmetic filtering rules, additional adblock format filter lists, disable or enable JS (globally or per-site) and has built in fingerprint resistance. Aside from the differing UI, I genuinely can't think of anything overtly missing as such.

[–] [email protected] 17 points 1 year ago

To speed up DNF:

```ini
# /etc/dnf/dnf.conf
# ...
max_parallel_downloads=5
max_parallel_connections=20
```

I have found that RHEL/Rocky/Alma are very much faster at updating using DNF than Fedora, though I don't know why.

[–] [email protected] 8 points 1 year ago* (last edited 1 year ago)

I'm older than some in here, I think (judging by the answers). For me, a couple of the things on steakandcheese.com and rotten.com (back in its early days, not the later milder days), cartel videos, beheadings, hangings etc. The standout though was a video called 'Terrorists, Killers & Middle East Wackos'... Grim stuff. From Wikipedia:

> Terrorists, Killers and Middle-East Wackos (also Terrorists, Killers and Other Wackos in the UK) is a shockumentary video from the makers of Bumfights. It includes footage of riots, suicides, executions, and the televised suicide of R. Budd Dwyer. All the scenes included are real scenes of death and suffering. The Bumfights website store touts the video as "One hour of the sickest images ever put to film."

I was young and dumb once, but I actively avoid things like that nowadays. There's knowing how things happen in the real world, and there's traumatising and desensitising yourself to the worst depravities possible for... reasons? Just no. You can't unsee some things, and some things shouldn't ever enter your consciousness at all (unless you're really unlucky IRL...).

[–] [email protected] 2 points 1 year ago* (last edited 1 year ago) (1 children)

Even Hagezi's most basic list blocks a lot more than OISD, and still no false positives. See a comparison (run over the top 10,000 websites) here.
