Registro de mudanças
Novidades
Um registro contínuo de novas ferramentas, novos artigos do Learn e mudanças importantes neste site. Há 77 ferramentas disponíveis hoje.
Procurando o que vem a seguir? O roadmap acompanha o que está planejado e na fila; esta página registra o que já foi entregue.
- Recurso
List view rebuilt in catalogue anatomy
The list mode on the tools and Learn indexes is no longer a flattened card: it is now a proper catalogue table per section - tool, badges, posture, and standards anchors for tools; article, topic, and summary for Learn - in the same anatomy as the internal build catalogue. Cards remain the default; the toggle and its remembered preference are unchanged.
- Nova ferramenta
ASN lookup joins the red room
The second /dev/out resident. Type an AS number and the deterministic layers answer what they can before any egress: special-purpose ASNs (AS0, AS112, AS_TRANS, documentation and private ranges, the reserved ends) are explained locally with their RFC and never leave the browser, bootstrap gaps are reported as unallocated, and real numbers are fetched browser-direct from the owning RIR on an explicit Ask - including following NIR redirects honestly (Brazilian ASNs answer from Registro.br) and naming who actually answered. RIPE-region numbers fail honestly with the exact curl to run instead.
- Recurso
The developer wing completes its color triad: /dev/out in red
Network-egress tools now live in /dev/out, the red room, which inherits the explicit-egress rules and the RDAP lookup; /dev/other, the green room, is reserved for tools whose shapes the catalogue cannot hold yet, for reasons other than egress. Blue mothership, green for the odd shapes, red for the room where packets leave. Old RDAP links redirect.
- Nova ferramenta
Operations & Fieldcraft opens with the Fault Hypothesis Builder
A new tool family for operational judgment, piloted end-to-end per D-86. Describe a fault in six structured fields and 25 deterministic rules rank hypotheses to test across 13 fault domains, each with evidence to collect and the signals that would support or weaken it, plus an exportable Markdown worksheet. It structures, it never diagnoses; the verification model is rule-firing snapshot vectors, pinned in CI. A paired method article covers hypothesis-driven fault isolation, and four follow-on fieldcraft tools are admitted to the queue pending the post-pilot review.
Fault Hypothesis Builder · A Primeira Hora: Isolamento de Falhas Orientado por Hipóteses
- Recurso
The developer wing gets an index, and a green room opens: /dev, /dev/fun, /dev/other
/dev-fun moved to its canonical home at /dev/fun (old URLs 301), a small /dev index now fronts the wing, and a new room opened: /dev/other, for tools that ask the live internet instead of computing locally. The room is marked by a deep-green background (the site palette hue-rotated, same darkness) and a visible notice stating exactly how it differs: input leaves the browser only when you press Ask, it goes browser-direct to the official registry (never to ronutz.com servers), and live answers carry no golden-vector guarantee. First resident: RDAP lookup, WHOIS the modern way — domain, IP, or AS number routed deterministically via vendored IANA bootstrap snapshots (RFC 9224), with the registry named before anything is sent, 15 golden vectors on the deterministic layers, and honest curl fallbacks where registries do not allow browser queries. The tools index gained a green door after the last tool.
- Nova ferramenta
BigD calculator learns the platform-to-hyperthreading map
Type the platform instead of guessing the formula: per F5's own platform documentation, rSeries splits down the middle (r5000/r10000/r12000 hyperthreaded, two vCPUs per core; r2000/r4000 physical cores only), VELOS tenants run on hyperthreads (HT-Split per K15003), iSeries and VIPRION count hyperthreads in F5's sizing language but cannot run 21.x (shown as context with that caveat), and Virtual Edition depends on the host (check lscpu). "8 r10900" now selects the hyperthreaded formula, "16 r4800" the normal one; an explicit ht/normal word still overrides the platform default. Golden vectors grew from 13 to 23; the platform map is sourced from the rSeries/VELOS clouddocs pages and K15003, fetched 2026-07-08.
BigD thread calculator · Open the calculator · The 21.x ops story
- Conteúdo
Five Learn articles complete the BIG-IP 21.x pack
The 21.x series is now whole. New today, en + pt-BR: the ops story (in-place upgrade with Dry Run and its two honest limits, the 64-bit control plane, the OOM ladder, MCPD worker threads, iControl REST rate limits, UCS platform-migrate validate); WAF over QUIC (HTTP/3 protection with its four stated limits, OpenAPI 3.1, Splunk key-value Extended); DNS as a policy engine (multi-RPZ: 65,535 zones, precedence, TSIG HMAC-SHA-512, the full action set, per-FQDN walled gardens); F5OS 2.0 from the tenant's seat (cloud-init with DO/AS3, per-port UDP RRDAG fine print, Q-in-Q on VELOS); and access & identity (RFC 7591 DCR, native system-browser SAML, Access IPsec constraints, ES13, ARM64). Grounded verbatim in F5's 21.1.0 and 21.0.0 release notes, the 21.1 GA announcement, and K4309 / K60235402 / K86001294, fetched 2026-07-08.
The 21.x ops story · WAF over QUIC · Multi-RPZ · F5OS 2.0 · Access & identity
- Nova ferramenta
New tool: BigD thread calculator
BIG-IP 21.1 rebuilt bigd as a multi-threaded single instance serving up to 15,000 control-plane monitors, and documented the automatic thread count: (vCPUs × 6) ÷ 10 on hyperthreaded systems, (vCPUs ÷ 2) − 1 on normal ones, with bigd.numprocs as a manual override capped at the vCPU count (0 = automatic). The calculator encodes both formulas verbatim, shows the exact value and its whole-thread floor when the arithmetic lands on a fraction (F5 states no rounding rule, so the tool says so instead of guessing), and surfaces the override cap and the monitor ceiling. 13 golden vectors; formulas re-verified against F5 techdocs 21.1.0 on 2026-07-08. Pairs with the new ops article.
BigD thread calculator · Open the calculator · The 21.x ops story
- Recurso
List view for the Tools and Learn indexes and the vendor hubs
Both indexes and the four vendor hubs now offer two densities. Cards remains the default; the new List view re-flows the very same entries into compact catalogue-style rows, name, a one-line summary, and the category and vendor chips, for fast scanning of a long index. The choice sits next to the category filter, is remembered on your device (per index, and once for all hubs), and needs no page reload; with JavaScript off the pages simply stay on cards. Also in this update: the Fortinet dot on the vendor hub strip and chips is now orange, keeping it clearly distinct from F5's red at dot size.
- Conteúdo
Two BIG-IP 21.x deep-dives: AI/MCP, and post-quantum TLS
The two marquee themes of the 21.x line, each in full. AI Traffic on BIG-IP walks MCP from the 21.0 foundation (HTTP, JSON, and SSE profiles, iRule-based session pinning, S3 integrations for AI workloads) to 21.1's native aimcp persistence profile, where TMM hands the client a wrapped and encrypted Mcp-Session-ID, and the Advanced WAF MCP Protection Policy template aimed at the OWASP MCP Top 10, with the caveat that matters: SSE streaming responses bypass response-side inspection. Post-Quantum TLS traces the ML-KEM hybrid lineage from X25519MLKEM768 in the 17.5 era to 21.1's SecP256r1MLKEM768 and SecP384r1MLKEM1024 on both client and server side per FIPS 203, plus X25519 hardware acceleration via Intel QAT on by default, TLS 1.3 and DTLS 1.2 parent-profile defaults, the OCSP nonce, C3D enhancements, and a rollout plan that breaks no legacy client. In English and Portuguese, verified against F5's release notes, manuals, and launch announcements.
- Conteúdo
New Learn article: the BIG-IP DNS request processing order
One query, six answering machines: what actually answers a DNS query arriving at a BIG-IP listener, in F5's documented precedence, iRules first, then DNSSEC processing, the GSLB wide IP match, DNS Express, the DNS cache, the local BIND server, and finally an LTM pool, with the self-IP port 53 edge case at the very end. Covers the responders-versus-resolvers split, the Unhandled Query Action choices, the three DNS cache types, F5's pool-over-BIND recommendation, and the Rapid Response mode that silently removes BIND from the line. In English and Portuguese, grounded in F5 K14510 and K28650431, the BIG-IP DNS Services manual, and K13850558.
- Nova ferramenta
New tool: curl command builder
Pick any of the 27 protocols curl speaks, from HTTPS and SFTP to MQTT, IMAP, and DICT, fill in protocol-aware fields, and get the exact command assembled in one canonical flag order with every flag explained. Per-protocol explainer panels show what each protocol is, its default port, and its TLS posture. Warns on -k, on cleartext protocols, on passwords placed on the command line, and on curl's form-encoded -d default. The inverse of the HTTP request translator. Local and offline; nothing is executed.
- Nova ferramenta
F5 release cadence calendar
On 6 July 2026 F5 moved from a quarterly to a monthly security release cadence: hardened software releases on the third Wednesday of every month starting 15 July, and security notifications one month later starting 19 August (covering the July release). This tool turns that schedule into concrete dates. Pick a start date, which defaults to today, and it lists the upcoming hardened releases and security notifications and tells you the next of each. Because F5's own anchor dates line up to third Wednesdays, each third Wednesday carries both that month's release and the previous month's notification, and the tool makes that plannable in advance. Verified against F5's two published anchors; local date arithmetic, nothing leaves the browser. Ships with a companion Learn article explaining exactly what changed, why F5 says it changed, what stays the same, and what it means for how you patch.
F5 release cadence calendar · A cadência mais rápida da F5: lançamentos endurecidos e notificações de segurança mensais
- Conteúdo
BIG-IP 21.x: the flagship overview
Why TMOS jumped from 17.x straight to 21, what 21.0.0 and 21.1.0 actually deliver (MCP-aware AI traffic, post-quantum TLS, in-place upgrade, 64-bit control plane, HTTP/3 WAF, multi-RPZ), and the platform and lifecycle rules to check first. First piece of the BIG-IP 21.x pack; deep dives follow.
BIG-IP 21.x: o que mudou, e por que não existem as versões 18, 19 e 20
- Nova ferramenta
iRules performance linter
Paste an iRule and it flags a small, high-confidence set of anti-patterns straight from F5's own documentation, line by line. The flagship finding is the global-namespace variable ($::x, set ::x, the global keyword): F5's validator catches it from v10 and demotes the virtual server to a single TMM instance (CMP demotion), globals have been deprecated since v10, and the old $::datagroup form raises a runtime error and resets the client on v11 and later. It also warns on unbraced expr (which the bytecode compiler cannot optimize) and notes deprecated matchclass/findclass and costly regexp/regsub. It deliberately does not cry wolf: static::, class match, braced expr, and persistence/tables/session (all CMP-safe on modern versions) pass clean, and comments are skipped. Each finding carries a severity, the offending token, why it matters, and the fix. Ships with a companion Learn article on CMP and the static:: namespace, and points at the runtime calculator for real measurement. Local scan; nothing leaves the browser.
iRules performance linter · iRules, CMP e o namespace static::
- Nova ferramenta
iRules runtime calculator
A browser version of DevCentral's long-standing iRules Runtime Calculator spreadsheet. Paste the timing statistics from tmsh show ltm rule, give it your platform's clock speed and core count, and it converts CPU cycles into real runtime: the average microseconds each event costs, the total cycles per request, the CPU percentage a single request consumes, and the maximum requests per second the rule can sustain, both across all cores and demoted to a single core. It reads the Cycles (min, avg, max) output, uses the average and discards the compile-inflated maximum exactly as F5 advises, and reproduces F5's own published worked example to the digit. Ships with a companion Learn article on how iRules execute (a Tcl interpreter compiling to bytecode inside TMM), what timing measures, and why average is the number that matters. Local arithmetic; nothing leaves the browser.
iRules runtime calculator · Desempenho de iRules: ciclos, timing e a calculadora de runtime
- Conteúdo
Vendor ACME companions: BIG-IP and FortiGate
Two vendor Learn articles on certificate automation. The F5 BIG-IP article covers the native ACMEv2 client added in BIG-IP 21.1.0, which handles provisioning, renewal, and deployment for any ACMEv2 CA (Let's Encrypt, ZeroSSL, DigiCert, Buypass, Google Trust Services, SSL.com) through Certificate Order Management, alongside the dehydrated-based DevCentral solutions that preceded it, BIG-IQ's centralized Let's Encrypt CA management profile, and Ansible-driven issuance. The FortiGate article covers FortiOS's built-in ACME client for the appliance's own management certificate: its public-IP and FQDN requirements, the single-name SAN constraint (no wildcards, no multiple SANs), and the TLS-ALPN-01 and HTTP-01 challenges by FortiOS version. Both link the certificate cluster (rate-limit planner, x509 decoder, renewal planner, dns-01) and contrast the two native clients. Every vendor claim was checked against the vendor's own documentation, including F5's 21.1.0 release notes and Fortinet's per-version admin guides. English and Portuguese, other locales served by English fallback.
ACME no BIG-IP: dos scripts do DevCentral a um cliente nativo · ACME no FortiGate: um cliente embutido para o certificado do próprio equipamento
- Nova ferramenta
Let's Encrypt rate-limit planner
Paste the hostnames you plan to certify and see how they map onto Let's Encrypt's limits. It groups names by registered domain (eTLD+1) using the Public Suffix List, shows the fewest certificates you need by packing up to 100 names each, points out where a wildcard would collapse subdomains, and warns if issuing one certificate per name would exceed the 50-per-registered-domain-per-week limit. The concrete limits are shown with their snapshot date and source link, and it notes that ARI-coordinated renewals are exempt from all limits. Builds directly on the registered-domain resolver; runs entirely locally.
Let's Encrypt rate-limit planner · ACME: como os certificados se emitem e se renovam sozinhos
- Nova ferramenta
Registered domain (eTLD+1) resolver
Find the public suffix and registered domain for any hostname. Paste a name and it returns the eTLD (e.g. co.uk), the registered domain (e.g. example.co.uk), the subdomain, and which section of the Public Suffix List decided it. It implements the full PSL algorithm, including wildcard and exception rules, and when a PRIVATE-section rule wins (like github.io) it also shows the ICANN-only view. This is the exact boundary certificate rate limits, cookies, and same-site checks rely on. Runs locally against a bundled, dated snapshot of the list; verified against the PSL algorithm test vectors. Ships with a companion article on public suffixes and eTLD+1.
- Nova ferramenta
ACME dns-01 TXT computer
Compute the TXT record that passes an ACME dns-01 challenge. Paste the challenge token and your ACME account key (a public JWK, or its thumbprint) and it returns the _acme-challenge record name, the value to publish, and the key authorization and RFC 7638 thumbprint it was derived from. Only the key's public members are used and the key is never echoed; the SHA-256 runs locally via Web Crypto, verified against the RFC 7638 known-answer test. Ships with a new ACME protocol article explaining the whole issuance flow.
ACME dns-01 TXT computer · ACME: como os certificados se emitem e se renovam sozinhos
- Nova ferramenta
ExtremeXOS config explainer
Paste an ExtremeXOS (EXOS / Switch Engine) configuration and it explains each command in plain English, summarizes the VLANs with their tags and tagged/untagged ports and IP addresses, and groups the commands by category. First Extreme Networks tool, so the Extreme hub is now live.
EXOS (Switch Engine) config explainer · Como uma configuração ExtremeXOS é estruturada
- Nova ferramenta
PAC file explainer and validator
Paste a Proxy Auto-Config file and it reads back the proxy directives it returns, the helper functions it uses (with the DNS-consulting ones flagged), structural and correctness lints, and whether it is a Netskope Cloud Explicit Proxy steering file. It never evaluates the file. First Netskope tool, so the Netskope hub is now live.
PAC file explainer + validator · Como um arquivo PAC escolhe um proxy
- Nova ferramenta
FortiOS packet sniffer builder
Build a FortiGate diagnose sniffer packet command from parts, or paste one to have every argument explained: interface, filter, verbosity 1-6, count, and timestamp format, with the common traps flagged. First Fortinet tool, so the Fortinet hub is now live.
FortiOS packet sniffer builder · Lendo uma captura do sniffer do FortiGate
- Recurso
Two more Boss-Key Screens: MS-DOS Defrag and Copy II PC
The Boss-Key Screen gallery gains two animated DOS disk utilities: the MS-DOS 6 defragmenter with its cyan block map, and Central Point's Copy II PC copying a floppy track by track. Both animate with CSS only and respect reduced-motion.
- Recurso
Disclaimer and limitation-of-liability page
A new plain-language disclaimer sets out that everything on the site is provided as is, built from public information, for use at your own risk, with no warranty and no liability, and that security is best-effort. Linked from the footer next to the license and privacy notices.
- Conteúdo
New Learn articles: proxies, TLS interception, and SAML proxying
A batch of ten articles on the proxy family. Five vendor-agnostic explainers cover the TCP proxy at Layer 4, HTTP proxies (forward vs reverse, explicit vs transparent), inbound TLS at a reverse proxy (offload, bridging, passthrough), the SSL forward proxy that intercepts outbound TLS, and the SAML proxy that inserts an identity layer into a session. Five vendor companions map those concepts onto real products: F5 SSL Orchestrator topologies, F5 BIG-IP APM as a SAML SP/IdP, enforcing forward secrecy on F5, FortiGate certificate vs deep SSL inspection, and Netskope cloud forward proxy with inline TLS decryption. Perfect forward secrecy and the F5 client-SSL/server-SSL profile split were already covered by existing explainers, which the new articles link to rather than duplicate. Every vendor claim was checked against the vendor's own documentation. English and Portuguese, with the other locales served by English fallback.
Proxies HTTP: Forward vs Reverse, Explícito vs Transparente · SSL Forward Proxy: Como Funciona a Interceptação de TLS de Saída e o Que a Quebra · O SAML Proxy: Inserindo uma Camada de Identidade numa Sessão
- Recurso
Boss-screens viewer: grouped, with a jump navigator
The boss-key screen gallery on /dev/fun now organizes its 76 screens into six families, home computers, PC hardware and POST, DOS software, operating systems and servers, online services and BBSes, and network analysis, each in its own labelled section. A jump navigator sits on top, the same category-nav pattern used by the Tools and Learn indexes, so you can skip straight to a family instead of scrolling one long grid. Group labels are localized (English and Portuguese, other locales via English fallback); the cards, thumbnails, and fullscreen overlay are unchanged.
- Conteúdo
New Learn articles: post-quantum cryptography
Three new articles in the transport track cover the post-quantum transition end to end. The first explains what a quantum computer would actually break (Shor against RSA/DH/ECC, Grover only halving symmetric strength) and why harvest-now-decrypt-later makes it a present concern. The second walks the finalized NIST standards, FIPS 203 ML-KEM for key establishment and FIPS 204 ML-DSA and FIPS 205 SLH-DSA for signatures, plus the HQC and FN-DSA backups still in the pipeline. The third is the practical one: how hybrid key exchange (X25519MLKEM768) puts post-quantum crypto on the TLS 1.3 wire today, the ClientHello size problem it creates for middleboxes and load balancers, and where browser and server deployment stands. Grounded in NIST CSRC, the IETF drafts, and current deployment reporting; English and Portuguese.
- Nova ferramenta
New tool: F5 iQuery protocol explainer
A new F5 BIG-IP DNS (GTM) tool that decodes iqdump output and /var/log/gtm iQuery messages, and explains the iQuery architecture on request. Paste iqdump and it reads back the header comments and the <xml_connection> stanza (the big3d peer on TCP 4353, the sync group, version, connection_id); paste a gtm log and it decodes the box green-to-red state changes; or pick a topic (mesh, port 4353, SSL trust, iqdump, metrics, gtmd, big3d, VLAN) for a plain-language explanation. Decode-only and fully local, grounded in F5's BIG-IP DNS/GTM manuals and K-articles, with the example taken from a real iqdump sample F5 published. Ships with a paired Learn article in English and Portuguese.
iQuery protocol explainer · Como o iQuery Conecta o BIG-IP DNS ao Resto da Rede
- Recurso
Keyboard shortcut: press F for the dev-fun index
The site-wide keyboard shortcuts gain F, which jumps to the dev-fun landing page (joining B for the boss key, M for the Mega Brain console, and Z for Buzzword Bingo). Like every shortcut it is rebindable in Settings and inert while you are typing in a field. Separately, the PCBoard boss screen now shows a handle at its login prompt, matching how PCBoard boards actually identified callers.
- Conteúdo
The Sniffer learns to decode: eight famous captures in the three-pane view
The Network General Sniffer screen gains eight companion decodes rendered in its authentic three-pane analysis view (summary, detail, and hex): an HTTP 420 Enhance Your Calm response, the ILOVEYOU mail envelope, and the Morris Worm, Stuxnet, Conficker, Mirai, WannaCry, and NotPetya. HTTP 420 and ILOVEYOU show their real, benign application-layer artifacts in full; the six network worms are shown at the header level only (ports, protocol, CVE, date) with a clear payload-omitted marker, so no exploit or shellcode bytes appear. Every on-screen string is grounded in a cited source, from CISA and CAIDA to Microsoft and the Twitter API record.
- Conteúdo
Two professional tools close out the boss-screen set
The retro collection reaches 68 with the pro tools that ran the network room: the Network General Sniffer, the DOS protocol analyzer that named the whole category and whose menu here is taken verbatim from a Sniffer v4.4 tutorial, and the VMware ESXi 6.7 DCUI, the bare-metal hypervisor's yellow-and-grey console with its F2-to-configure, F12-to-shut-down legend. Both were checked against period sources, from the Sniffer's own manual description to VMware's release records.
- Conteúdo
The 128K Spectrum family: +2A and +3 join, and the 128 menu is corrected
The ZX Spectrum 128 boot menu was fixed to show the machine's real options (Tape Loader, 128 BASIC, Calculator, 48 BASIC) with no spurious copyright line, and two new screens join it: the Amstrad-era ZX Spectrum +2A and +3, both showing the shared +3 ROM menu (Loader, +3 BASIC, Calculator, 48 BASIC) and the (c)1982, 1986, 1987 Amstrad Plc. line, matched against a real-hardware photo and the official +3 manual.
- Conteúdo
TK90X and TK95 boot screens corrected against real hardware
Photographs of real Microdigital hardware corrected two things on these boot screens. Both machines show an eight-colour test bar (the ZX Spectrum bright palette) that was missing before: the TK90X a thin horizontal bar, the TK95 a taller field of vertical colour bands. The TK95's boot line was also fixed to read Microdigital TK95, its actual name, replacing a line taken from a mislabelled Spanish-variant ROM dump. A reminder that a ROM dump is only good evidence when it is the right ROM.
- Conteúdo
The GUI and online era arrives: six more boss screens
The retro collection reaches 64 with the interfaces that carried computing from the command line into the graphical, networked age: Windows for Workgroups 3.11 Program Manager, the OS/2 Warp Workplace Shell desktop, the classic Macintosh Finder with its Trash, NCSA Mosaic opening the web, and the two services that first put millions online, CompuServe with its numbered menu and AOL with its Welcome screen. Framing facts were checked against period sources, from IBM and Microsoft histories to NCSA's own account of Mosaic.
- Conteúdo
TK90X and TK95 boot screens: the rainbow stripes are gone
The Microdigital TK90X and TK95 retro screens were showing four colour bars that the real machines never display at power-on: those stripes belong to the Spectrum's logo and case motif, not the boot screen, which is plain black text on a paper-white background. Both now boot the way the hardware does, to a blank white screen with only the copyright line at the bottom (TK90X - Color Computer and TK Color Computer), verified byte-for-byte against ROM dumps and a real-hardware boot video.
- Conteúdo
Ten DOS-era workhorses join the boss screens
The retro screen collection jumps to 58 with the software that ran offices and small businesses: XTreePro and XTreeGold, dBASE II at its dot prompt, a Clipper Summer '87 compile with its preserved copyright banner, Borland SideKick popping over a DOS session, MultiMate Advantage, Professional Write, Harvard Graphics, Microsoft Works, and Ami Pro, the first fully functional Windows word processor. Every dated fact was checked against period sources, from the XTree fan archive's command list to Microsoft's own history pages.
- Conteúdo
Three BBS screens, and the TK90X and TK95 set right
The retro screen collection reaches 48 with the other side of the modem: RemoteAccess waiting for a caller on the sysop's console, Oblivion/2's scene-styled front door, and Telegard's classic main menu. The TK90X and TK95 boot screens were also corrected: the real machines boot to their own names (TK90X - Color Computer and TK Color Computer), verified character by character against ROM dumps and real-hardware video, replacing an inaccurate Sinclair-style line.
- Conteúdo
Three deep-cut boss screens: NetWare, PCBoard, and Videotexto
The retro screen collection grows to 45 with three long-requested additions: the Novell NetWare 3.12 console running MONITOR.NLM (its utilization figure ticking about once a second, the way the real screen refreshed), a PCBoard BBS session dialing Clark Development's own Salt Air support board at 2400 bps, and the TELESP Videotexto index painting line by line the way Brazil's 1982 videotex service did over a 1200/75 bps modem link.
- Conteúdo
Two more retro boot screens, and a fix to a third
The hidden retro boot-screen collection gains the Microdigital TK-82C (a ZX81 clone, the machine this site's author first learned to program on) and the TK95 (the TK90X's Spectrum-clone successor), bringing the set to 42. The ZX81 and TK-82C screens now type a first line by themselves, the way those machines did. The TK90X screen was corrected: its ROM replaced the copyright symbol with a Greek delta, so its boot line now reads accurately. The screens in the viewer are also listed in alphabetical order.
- Infraestrutura
Pinned to the framework version the site builds cleanly on
The framework was briefly moved up a major version, which changed how the site is turned into static files at build time: it began emitting several extra bookkeeping files per page, and across thousands of pages in sixteen languages that overflowed the build machine's disk before the export could finish. Since the site is a purely static export that gains nothing from the newer version's server-oriented features, it is now pinned back to the previous major version, which produces far fewer build artifacts and completes the export well within the available space. Everything the site does is unchanged; this only affects how it is built.
- Conteúdo
Boss-key screens now hold a proper 4:3 monitor shape
The retro boss-key screens are now framed like the CRT and TV displays these machines actually used, a 4:3 monitor that scales to fit the window and centers with letterboxing, rather than stretching. Previously each screen filled the full window height while its width followed its content, so a screen with only a line or two (a ZX Spectrum copyright line, an MSX prompt) became a tall, narrow strip, while a wide two-panel layout like Norton Utilities happened to look right. Every screen now shares the same correct proportions on any window size, from an ultrawide monitor to a phone.
- Recurso
A user guide that stays current with the toolbox
There is now a Site User Guide at /guide, linked from the footer. It has four parts: an at-a-glance datasheet, a full tool reference grouped by category, suggested-usage recipes that map a common task to the tools that do it, and a short manual covering how to run a tool, privacy, the API, languages, and offline use. The datasheet figures and the tool reference are generated from the site's own sources at build time, so they always match what is published; a build guard additionally fails if a recipe ever points at a tool that no longer exists. English and Portuguese are authored directly; other locales fall back per key.
- Recurso
A single switch turns the API on or off, and the pills follow it
Whether the API is served is now controlled by one value in one file (API_PROCESSING in the API surface config): 0 keeps it documented but not served, 1 turns on local processing, where the same-origin worker answers each endpoint with the in-house engines. Both the worker and the interface read that one value, so they can never disagree: while it is off, every /api/v1 request returns an honest 404, and every API pill and badge shows a neutral grey state with 'documented, not served' wording; flip it to 1 and the same pills turn green with 'served locally' wording, on each tool page and on the API page. The switch ships in the off position. A repository link was also added to the License page and the footer. English and Portuguese ship together; other locales fall back per key.
- Infraestrutura
A proper multilingual sitemap, with hreflang for every language
The site now generates sitemap.xml at build time, listing every page with an hreflang alternate for each of the sixteen live languages plus an x-default, so search engines understand which URLs are translations of one another. It is derived from the built pages, so it stays current automatically as pages are added or removed. robots.txt now points at it. This complements the per-page canonical links added earlier.
- Lançamento
ronutz.com is now open source: Apache-2.0 for code, CC BY 4.0 for content
The project is now open source. The application code is licensed under the Apache License 2.0, and the written content, including every Learn article and all the tool copy, under Creative Commons Attribution 4.0 (CC BY 4.0). Both licenses require attribution, so anyone reusing the code or the content must credit the source, and ronutz.com stays the canonical, maintained home. The License page now describes the open terms, the footer badges are live, and the repository carries the full LICENSE, a content license, and the third-party NOTICE. Each page also now declares its own canonical URL, so a copy rehosted elsewhere still points search engines back here. English and Portuguese ship together; other locales fall back per key.
- Recurso
Open-source and licensing badges, on the way to opening the code
The License page and the footer now carry a set of hand-drawn, self-hosted badges that declare how the project will be licensed once it is opened: Open Source, the code under the Apache License 2.0, and the content under Creative Commons Attribution 4.0 (CC BY 4.0), which requires anyone reusing it to credit the source. The badges are inline SVG that theme with the rest of the site and load no external assets, in keeping with the privacy stance; the Apache mark is a plain SPDX label rather than the Apache Foundation's feather, and the Creative Commons glyphs are the marks CC publishes for exactly this purpose. On the License page they are framed as the planned terms, since the project is still proprietary today; the footer cluster links through to the full terms. English and Portuguese ship together; other locales fall back per key.
- Recurso
Every API-capable tool now shows its endpoint URL, linked to the spec
Each tool that has an HTTP API endpoint now displays that endpoint on its page, for example GET https://ronutz.com/api/v1/cidr, as a link that opens the API reference's Swagger UI view, deep-linked to that tool's operation. The endpoint URLs and their operation anchors are read from the generated OpenAPI spec at build time, so they are always correct, including hand-authored operations whose identifiers differ from the tool slug. The label is honest: the endpoint is documented, not served, and the link opens the specification rather than making a live call. Tools without an API endpoint show nothing. English and Portuguese ship together; other locales fall back per key.
- Recurso
The API reference is now public, documented but deliberately not served
The tools API now has a visible home, linked from the footer next to the build stamp. Every tool is built to run as a small, deterministic HTTP API, and the full OpenAPI 3.1 contract is published and browsable, both in an on-brand reference and in a standard Swagger UI view. The page is honest about one thing up front: the API is implemented and documented, but this site does not serve it, because a public API bills for compute on every call in ways a single maintainer cannot cap safely, and the site is meant to stay free and predictable to run. In keeping with that, both reference views are now inert: Swagger UI's try-it-out controls are removed, and the on-brand explorer builds the exact request URL you would call but sends nothing. The engine is open, so anyone who needs the API today can run it themselves. English and Portuguese ship together; other locales fall back per key.
- Recurso
A 'what this page needs' pill on the CIDR tool (proof of concept)
A new capability row is being trialled on the CIDR calculator before a wider rollout. It states, up front, what your browser needs for the tool to be fully functional: a 'Runs in your browser' pill notes that the tool computes entirely on your device (so nothing you type is sent anywhere) and therefore needs JavaScript, and an 'API-ready' pill marks that this tool is also built to work over an HTTP API, with a clear note that the API is not switched on yet. With JavaScript disabled, a short note now explains the reduced-function version honestly: the page's explanation, the Markdown reference, the Learn article, and the sources all still render server-side; only the live calculator needs JavaScript. English and Portuguese ship together; other locales fall back per key.
- Recurso
Full Apple coverage: the Apple I, the original Apple II, and the Macintosh (Happy Mac)
The boss-key gallery now covers Apple's iconic early machines end to end, each checked against original documentation. New: the Apple I (1976), where Wozniak's 256-byte WozMon prints a backslash and a blinking cursor after Reset; the original Apple II (1977), which has no autostart ROM and comes up in the machine-language monitor at a * prompt (Ctrl-B enters Integer BASIC and its > prompt); and the Macintosh 128K (1984), with Susan Kare's friendly boot, a blinking floppy-with-a-question-mark that resolves into the smiling Happy Mac and Welcome to Macintosh. The existing //e screen was also corrected: it now shows the enhanced //e's Apple //e banner, which keeps it visually distinct from the Apple ][+ screen. Together with the II+, //c, and IIgs added earlier, that is seven Apple screens; the gallery now holds forty in all.
- Recurso
Nine more boot screens: Apple ][+, //c, IIgs, Atari 800XL, TI-99/4A, MSX turbo R, and Brazilian clones
The boss-key gallery in /dev/fun grew by nine period-accurate boot screens, each checked against original documentation. New this round: the Apple ][+ (the plain Apple ][ banner and ] prompt), the Apple //c (Apple //c, then Check Disk Drive with no disk in the drive), the Apple IIgs (its Check Startup Device screen with the colour Apple logo sliding side to side), the Atari 800XL (deep blue Atari BASIC READY), the TI-99/4A (the cyan TEXAS INSTRUMENTS HOME COMPUTER title, press any key to begin), and the MSX turbo R (the logo assembling from the sides into MSX BASIC 4.0). Three are Brazilian machines from the market-reserve years: the Prologica CP-300 (the compact, disk-less TRS-80 Model III clone that boots straight to cassette BASIC), the Prologica CP-400 (the TRS-80 Color clone, a CoCo 2 running Extended Color BASIC), and the Unitron AP II (the faithful Apple II Plus clone with a Portuguese ROM). They join the existing screens in the same shuffled rotation (you see them all before any repeats), browse left and right while one is up, and Esc dismisses; all animations respect the reduced-motion setting.
- Recurso
Customizable shortcuts, a settings page, ten boss-key screens, and a motion switch
A big pass over the site's keyboard shortcuts and the /dev/fun corner. Shortcuts are now user-configurable: a new Settings page (linked in the footer) lets you rebind any shortcut key, with the choice saved on your device; press ? anywhere for a live cheat-sheet of the current bindings. New shortcuts were added alongside the originals: s opens search, / focuses it, h goes home, ? opens the cheat-sheet, and 1 to 5 jump to five go-to tools (CIDR, Base64, JWT, JSON to YAML, and the F5 hub). Language is now a saved preference too: a return visit to the site's home takes you to your preferred language, while any explicit /en/ or /pt-BR/ link is always honored as-is. The boss key grew from two disguises to ten period-accurate ones (Lotus 1-2-3, WordStar, VisiCalc, Norton Utilities, WordPerfect 5.1, dBASE III+, Turbo Pascal, the Windows blue screen, Norton Commander, and a Commodore 64 that types a program by itself), shuffled so you see them all before any repeats; while one is up, the left and right arrows browse the rest, and Esc dismisses. A new Boss-Key Screens gallery in /dev/fun lets you browse them by name, thumbnail, and a short note, and open any one fullscreen. Finally, the Mega Brain console got a motion switch in its title bar for anyone who prefers less movement (its explanatory banners now also hold still while the console shakes), complementing the system reduced-motion setting the site already respects.
- Recurso
Site-wide keyboard shortcuts, and a Mega Brain console tune-up
New single-key shortcuts on every page: b for the boss key (hide the page behind a 1980s work app until any key or click), t for the Tools index, l for the Learn index, m for the Mega Brain console, and z for Buzzword Bingo. They stay completely inert while you are typing (a focused text field, paste box, or search input keeps its keys) and when a modifier is held (so Ctrl+T and the like are never shadowed); they run entirely in the browser with no tracking, and are documented on the privacy and site-behavior page. Alongside that, the Mega Brain console got a tune-up: the FULL POWER and STOP controls moved into the window title bar as pills (FULL POWER a fixed-pink lightning pill, STOP a red octagonal emergency-stop button), the Mano Deyvin tribute overlay now dismisses on a click anywhere (fixing a mispointing cue and the sense that a timer was blocking it), and the /dev/fun label in the console frame is now a link back to the /dev/fun index, with a matching link added to Buzzword Bingo.
- Nova ferramenta
New tool: Telemetry Streaming (TS) explainer
The third F5 Automation Toolchain explainer, completing the AS3 / DO / TS set. Paste the JSON you POST to /mgmt/shared/telemetry/declare and it reads it back: it confirms the top-level Telemetry class, reads the optional Controls (logLevel, debug, the beta memoryMonitor), and walks every named class-object grouped by its role in the telemetry pipeline rather than by onboarding order. Data sources produce telemetry (a Telemetry_System with its systemPoller or iHealthPoller, a standalone Telemetry_System_Poller pulling from another BIG-IP, or a Telemetry_Listener ingesting events on TCP+UDP port 6514); consumers forward it out (Telemetry_Consumer push consumers with the full type catalogue: Splunk, Azure, AWS CloudWatch/S3, Graphite, Kafka, ElasticSearch, DataDog, Generic HTTP, OpenTelemetry and more, or Telemetry_Pull_Consumer pull consumers like Prometheus); and Telemetry_Namespace and Telemetry_Endpoints support the rest. The headline check is pipeline completeness: it flags a declaration that is valid but does nothing, consumers with no source, sources with no consumer, a Telemetry_System missing its systemPoller (the troubleshooting-doc gotcha), a Consumer missing its type, and it counts namespace-internal sources and consumers so a namespaced declaration is not falsely flagged. Where AS3 and DO configure the box, TS observes it. Grounded in F5 TS docs (clouddocs, TS 1.41-1.42); note TS is in maintenance mode per F5, still supported, no deprecation planned. Decode-only, nothing leaves the browser.
- Conteúdo
Learn article: Telemetry Streaming, the extension that observes
The companion to the new explainer, in English and Portuguese. It places TS in the toolchain by what it does differently: AS3 and DO configure the BIG-IP, TS observes it, aggregating, normalizing, and forwarding stats and events to a consumer. It walks the flat Telemetry-class model (no tenant, no Common, unlike DO), the three object roles (sources produce, consumers forward, namespaces and endpoints support), the long push/pull consumer catalogue, and the failure that passes schema validation: an incomplete pipeline with a source but no consumer or a consumer but no source, including the Telemetry_System-without-systemPoller trap and the namespace-scoping subtlety. States plainly that F5 has placed TS in maintenance mode. Cross-linked to the DO and AS3 articles and the new tool.
Telemetry Streaming: A Extensão do Automation Toolchain que Observa em Vez de Configurar
- Nova ferramenta
New tool: DO declaration explainer + validator
The sibling of the AS3 explainer, for the other half of the F5 Automation Toolchain. Paste the JSON you POST to /mgmt/shared/declarative-onboarding and it reads it back: whether it is a DO request wrapper (class DO, as sent to a BIG-IQ with a targetHost) or a bare Device declaration, the top-level options (schemaVersion, async, webhook, label), and the one tenant a DO declaration is allowed, which the schema requires be named Common. It walks that tenant's class-objects grouped by the phase DO effectively onboards them in: licensing and provisioning first because they gate the modules, then system identity (hostname, DNS, NTP, users), then networking (VLANs, self IPs, routes), then the clustering that joins a box to its peers. Every class is named and explained from F5's schema reference. It also flags the documented gotchas that bite in production: a hostname set on both Common and a System class (mutually exclusive), a self IP with no allowService (DO 1.36 changed that default from `default` to `none`, so it now locks down), a root user missing its oldPassword, and async:true returning a 202 you poll with GET. A structure explainer and sanity checker, not the full JSON-Schema validator; grounded in F5 DO docs (clouddocs, DO 1.47.0), decode-only, nothing leaves the browser.
- Conteúdo
Learn article: Declarative Onboarding, the L1-L3 half
The companion to the new explainer, in English and Portuguese. It draws the line that makes the whole toolchain click: AS3 configures the L4-L7 application services on a box already on the network, and DO does the L1-L3 onboarding that gets it there, licensing, provisioning, DNS and NTP, VLANs and self IPs and routes, users, and clustering. It walks the one-Device-one-Common-tenant model and why DO is stricter than AS3 about the tenant name, the async-returns-202 contract, the classes in the order onboarding actually happens, and the three version-specific traps the docs bury: the hostname mutual-exclusion, the DO 1.36 allowService default flip to none, and the root oldPassword requirement. Cross-linked to the AS3 anatomy article and the new tool.
Declarative Onboarding: A Metade L1-L3 do Automation Toolchain
- Nova ferramenta
New: AWAF policy-diff hole checker (FP set complete)
Paste a before and an after declarative WAF policy and it classifies every security-relevant change as a relaxation or a tightening, then answers the question that matters after tuning: did this open a hole? It separates relaxations that widen protection beyond a single entity (switching to Transparent, disabling a violation or evasion, Data Guard off, trusting X-Forwarded-For, moving signatures to staging, or adding a wildcard entity) from a properly-scoped single-entity allow (adding one URL or parameter, the normal false-positive fix). The verdict is opened-hole if any policy-wide relaxation is present, scoped-only if the widenings stay entity-scoped, or tightened-only. This completes the four-tool false-positive set (request-log triage, learning-suggestion interpreter, signature accuracy/risk, and now policy-diff). Field paths validated against F5's declarative WAF policy schema; decode-only, nothing leaves the browser.
- Nova ferramenta
New: AWAF signature accuracy/risk interpreter
Reframed from a per-signature-ID lookup (not feasible or honest given F5's proprietary signature set): it reads the two properties F5 publishes for every attack signature, its Accuracy and its Risk, plus whether it applies to your systems and whether it is enforced. F5 defines accuracy as false-positive susceptibility, so low accuracy means a high false-positive likelihood, medium some, high low; risk is the damage a real match would do. It places the signature in the accuracy-by-risk quadrant and gives the tuning move: low/low is the prime relax candidate, low accuracy plus high risk is false-positive-prone but dangerous so investigate first, high/high is a reliable high-stakes block you do not relax. It flags signatures for systems not in your stack as pure noise and surfaces accuracy as a lever: a signature set weighted toward higher-accuracy signatures produces fewer false positives. Tool 3 of the four false-positive follow-ons. Grounded in F5's attack-signature docs; deterministic, nothing leaves the browser.
- Nova ferramenta
New: AWAF learning-suggestion interpreter
Ties the poisoning estimator and the false-positive triage together. Characterise a Traffic Learning suggestion (its action, its learning score, the violation rating, the learning mode, and the source trust) and it says whether accepting it loosens the policy (add an allowed entity, allow a meta-character, relax an attribute, disable a violation or signature) or tightens it (remove a wildcard, enforce a staged entity, make an attribute more specific), whether a loosening is a genuine false-positive fix or a security relaxation (by rating: 1-2 fix, 3 investigate, 4-5 relaxing an attack), and whether Automatic learning is about to enforce it. It flags the poisoning vector: Automatic mode, a relaxing loosening, untrusted traffic, and a climbing learning score, which rises as the violation rating falls, so low-rated suggestions auto-accept fastest. This is tool 2 of the four false-positive follow-ons. Grounded in F5 K03513854 and the ASM learning docs; deterministic, nothing leaves the browser.
- Nova ferramenta
New: AWAF request-log triage
Paste an ASM request-log entry, the syslog key-value line or the CEF line you see in your SIEM, and it extracts the policy, the support ID for log correlation, the request status, the violation rating, the client IP, method, and URI, classifies each violation into a triage category, and gives F5's rating-based verdict (4-5 likely attack, 3 investigate, 1-2 likely false positive), then bridges to the false-positive triage tool for the per-violation fix. It handles both the legacy key-value format and CEF. Note on honesty: it does not decode the support-ID number, because that number is an opaque correlation reference and does not carry the violations, the log line does. This is the first of the four false-positive follow-on tools. Grounded in F5's ASM logging-field and reporting docs; decode-only, nothing leaves the browser.
- Nova ferramenta
New: AWAF false-positive triage
The flip side of the poisoning estimator: it helps you relax a genuine Advanced WAF false positive correctly, with scope, and stop before relaxing a real attack. Pick a violation category, its average violation rating, and whether it is enforced, staged, or transparent, and it returns F5's rating-based verdict: ratings 1 and 2 are likely false positives you can accept if confirmed, rating 3 must be investigated, and ratings 4 and 5 block even with Block flags off, so you clear the suggestion without relaxing. It gives the scoped remediation for that category (disable a signature on one URL or parameter, add an allowed entity, add the meta-character to that entity's set, attach an XML/JSON profile, mark a file-upload parameter, or enable Potential False Positive Detection), never a policy-wide disable, and always restates the discipline: relax only where a false positive occurred, never where a real attack caused the violation. A companion Learn article covers the workflow. Grounded in F5 K70544352 and the ASM violation-rating and learning docs; deterministic, nothing leaves the browser.
- Nova ferramenta
New: AS3 declaration explainer
Paste the JSON you POST to /mgmt/shared/appsvcs/declare and this reads it back: whether it is a full AS3 request (class AS3, with action and persist) or an ADC-only declaration (class ADC), the schemaVersion and metadata, and the Tenant to Application to resource tree with every class named and explained, from Service_HTTP and Service_HTTPS through Pool, Monitor, TLS_Server, Certificate, WAF_Policy, and iRule. It also checks the structural rules F5 documents: a top-level AS3 or ADC class, a schemaVersion, at least one Tenant containing an Application containing a resource, and the template and service-class matching rule (http/https/tcp/udp/l4 require a matching Service_* named service), plus reserved-name and 1-to-64 alphanumeric name checks. It lights up the Automation sub-category on the F5 hub as its first tenant. A companion Learn article walks the anatomy of a declaration. A structure explainer and sanity checker, not a full schema validator; grounded in F5's AS3 docs, decode-only, nothing leaves the browser.
- Nova ferramenta
New: AWAF automatic-learning poisoning estimator
A deterministic calculator for a question every WAF instructor gets: how many requests does an attacker need to drill a hole through your BIG-IP Advanced WAF policy when the Policy Builder is left in Automatic learning against untrusted traffic? In Automatic mode a suggestion that reaches a 100% learning score is auto-accepted and enforced, and the Loosen stage can disable violations and widen entities. Enter your policy's Loosen thresholds (different sources, sessions, time spread; F5 default 10 untrusted sources) and the target manipulation's violation rating, plus the attacker's distinct source IPs and per-source rate, and it computes the minimum sources, requests, and elapsed time to force one automatic relaxation. It gates hard on the documented rules that make it impossible: Manual or Disabled learning, rating-5 unlearnable violations, and loosening restricted to trusted traffic, and it surfaces the five hardening levers. A companion Learn article, 'Automatic Learning in Production: How an Attacker Poisons a WAF Policy', explains the mechanism. Grounded in F5 K000134503 and the ASM learning manuals; nothing is fetched or sent.
- Conteúdo
F5 hub: dedicated iRules category, corrected tags, standardized names
The F5 hub got a taxonomy and naming pass. iRules is now its own category with a dedicated heading, split out from LTM, so iRule tools and articles group together on their own. The BIG-IP persistence-cookie decoder, which was mis-tagged Security & WAF, now correctly reads Networking. The platform divider is standardized to 'TMOS · F5OS · Platforms', and six F5 tool names were polished for consistency: sentence case throughout, 'F5XC' rather than 'F5 XC', 'iRules' spelled consistently, and cleaner separators, aligned across the hub and the catalogue in both English and Portuguese.
- Nova ferramenta
New: AWAF evasion-technique explainer
The decode side of 'evasion technique detected' (VIOL_EVASION), grounded verbatim in F5's K7929 and the current BIG-IP ASM 17.5 violation chapter. Type a sub-violation name or 'evasions' and get F5's own eight sub-violations explained, Microsoft %u decoding, Apache whitespace, Bad unescape, Bare byte decoding, Directory traversals, IIS backslashes, IIS Unicode codepoints, and Multiple decoding, each with its default (all enabled) and the encoding trick it catches. Or paste the evasions block of a declarative policy to read each one back as enabled or disabled, with the Multiple-decoding pass count surfaced and bounds-checked against the schema's 2-to-5 range. It bridges to the Base64 and Percent codec tools that perform the very same decode operations, the encode/decode complement asked for, since several evasions are exactly the %u, bare-byte, and repeated percent-decoding those tools already do. A companion Learn article, 'Evasion Techniques: How Advanced WAF Normalizes Around Attacker Encoding', explains the whole class. Decode-only; nothing leaves the browser.
- Conteúdo
The colophon now states the hosting ceiling, honestly
A new colophon section, echoed in one paragraph on the roadmap, spells out the hard limits this site lives under: a Cloudflare Worker version carries at most 20,000 static files on the free plan and 100,000 on the paid plan (raised five-fold in September 2025, deployable only with Wrangler 4.34 or newer), no file over 25 MiB, and static-asset requests free and unlimited. Against that, the site's own arithmetic: about three files per rendered page across sixteen languages, roughly fifty files per tool and a hundred per tool-with-article pack, a little over eighteen thousand files today, and a mapped expansion path, route-sharded Workers, then object storage, should the toolbox ever outgrow one Worker.
- Recurso
Every tool now has an Example button (D-83 retrofit complete)
The Example and Clear buttons that newer tools shipped with are now on every tool, all 54 of them. The 31 retrofitted tools each load a sample taken verbatim from their own golden test vectors, so every example provably works: the RFC 4231 HMAC test case, the RFC 7636 PKCE verifier from appendix B, the RFC 7517 example key set, the canonical jwt.io token, the classic BIG-IP persistence cookie from K6917, real tmsh stanzas, and more. Even the two form-style tools joined in their own way: the iRule event-order tool's Example applies the HTTPS re-encrypt preset, and the tcpdump builder's fills in the all-TMM interface, name-resolution-off, and a host-and-port filter. One click shows what each tool does; one click clears it.
- Recurso
Vendor sub-categories, and generic categories go vendor-agnostic
The taxonomy grew a level. Vendor hubs now group their tools and articles by ordered sub-categories: for F5, the ten pillars from LTM and iRules through TMOS, DNS/GTM, ASM, AFM, APM, SSL Orchestrator, automation, public cloud, and Distributed Cloud, with every tool assigned and articles inheriting their placement from the tools they relate to. Fortinet, Netskope, and Extreme Networks received source-grounded taxonomies of their own, built from each vendor's official product catalogue, twelve Fortinet sub-categories with the full A-to-Z product list assigned, ten Netskope One components, eight Extreme product families, ready for the day their first tools ship. And the generic categories on the Tools and Learn indexes are now exclusively vendor-agnostic: vendor content lives on its hub, one cross-vendor syslog article came home to networking, and the hub strip on top of each index is the way in.
- Conteúdo
Privacy page: why preferences live only on your device
A new section on the privacy page explains what this site remembers and why. The theme choice is stored only in your browser's localStorage and applied before first paint; no cookie, no account, no server ever sees it, which is exactly why a private window, cleared site data, or another device starts you back at the default. Language is not stored at all, it lives in the URL, so a bookmarked address in your language keeps it. With no accounts and no tracking, preferences can only live where you can see and delete them.
- Conteúdo
Learn article: session variables, where APM keeps everything it learned
The companion to the new reference, in English and Portuguese, and the closing of the APM cluster the SSO article opened: the naming anatomy from the manual's own figure and why the names are templates, the three official read syntaxes with the chapter's own OTP percent-expansion as proof text, the secure contract in F5's own lab wording and the silent empty read it produces on a bare mcget of a password, the plumbing pair every SSO method ultimately reads, session.custom's auto-container behavior, and the two debug surfaces, the active-sessions-only report with its message-box pause trick and sessiondump from the CLI. The SSO methods article's closing line now links the live reference.
- Nova ferramenta
New tool: APM session-variable reference
The Session Variables chapter, vendored and made pattern-aware. Paste session.ad.last.attr.memberOf and it resolves against the chapter's own dollar-name templates with the bindings shown, because each retrieved attribute becomes its own variable, the chapter's rule. Families run from policy results through the client and AAA sets to the full session.ssl.cert family, endpoint checks with the always-zero hd.state quirk flagged, OTP with the chapter's own percent-expansion example, and the logon and SSO plumbing rows the SSO methods read. Expressions parse across the three official syntaxes, percent expansion, mcget inside expr branch rules, and access::session data get and set, with the secure audit riding along in F5's own wording: encrypted in the session db, hidden from reports and logs, minus-secure required on both read paths. The one-click Example is the classic empty-value trap, a bare mcget on the logon password, and the tool names exactly what comes back: nothing.
- Conteúdo
Learn article: living TCP, frozen TCP, and the two fast paths
The companion to the new explainer, in English and Portuguese: the day the tcp family started living, told in the 13.0 announcement's own words, updated versions of the -optimized trio, progressive for the very latest features, five read-only living profiles tuned through child profiles with the custom flag pinning settings against future pushes, and the frozen legacy trio that still ships. FastL4 as the profile that is not a proxy, the PVA packet path, the loose pair for asymmetric routing, and the late-binding FIX trick. FastHTTP as the narrow case whose qualification is a checklist, every criterion a disqualifier read backwards, with K8024 as the reading you do before deploying, not after.
O Proxy TCP: O Que um Middlebox de Camada 4 Vê e o Que Não Vê
- Nova ferramenta
New tool: LTM L4 protocol profile explainer
The protocol-profile decision, told the way F5's own sources tell it. The tcp family's living-versus-legacy split from the 13.0 announcement verbatim: f5-tcp-wan, lan, and mobile as the updated versions of the -optimized trio, f5-tcp-progressive as the general-use profile carrying the very latest features, all five living profiles continually updated and read-only, tuned through child profiles, while the frozen legacy names still ship for configurations that depend on them. FastL4 as the not-a-proxy: the PVA hardware packet path for Performance and Forwarding virtual servers, the ops guide's little-or-no-processing when-clause, the loose-initialization and loose-close pair for asymmetric routing with their man-page defaults, and the late-binding FIX offload. FastHTTP as the narrow case: TCP Express, HTTP, and OneConnect combined, with the complete when-to-use criteria list, the basic-iRule event trio, and K8024 named as required pre-deployment reading. The one-click Example opens FastL4, the card with the most decisions on it.
- Recurso
Tools index hero: the thesis takes the headline
The tools hub's eyebrow and headline both read Tools, breaking the pattern every other index page follows: a short eyebrow, a statement headline, a supporting lede. The headline is now the site's own thesis, tools that compute, never guess, in both languages, with the eyebrow keeping the short label and the existing lede staying as the supporting line.
- Conteúdo
Learn article: APM SSO methods and the blast radius
The companion to the new explainer, in English and Portuguese: the eight methods and the asymmetry the chapter states up front, a broken non-form object can dim SSO for the whole session while the two form methods stay standing. What each method actually moves, from Basic's base64 header to NTLMv2's single-header quirk, the Kerberos prerequisite checklist with the no-keytab line and the federate-in-front-delegate-in-back pattern, the Forms - Client Initiated password token that keeps the credential out of the page, and the session-variable plumbing underneath all eight, with the variable reference named as this cluster's next tool.
Métodos SSO do APM: Um Objeto Ruim Pode Apagar a Sessão Inteira
- Nova ferramenta
New tool: APM SSO method explainer
The eight methods the Single Sign-On Methods chapter defines, each rendered with its mechanism, its credentials plumbing, its prerequisites, and the verdict that decides outages: the chapter's own blast-radius paragraph, a misconfigured SSO object for HTTP Basic, NTLM, Kerberos, OAuth Bearer, or SAML can disable SSO for every method in that user's session, and the two form methods are the only exempt ones. The Kerberos card ships the full constrained-delegation prerequisite list, delegation account per realm, SPN-format account name, uppercase realm, multi-realm RBCD, and the line worth framing, APM Kerberos SSO does not need or use a keytab file. NTLMv2 carries its documented single-WWW-Authenticate quirk, and Forms - Client Initiated its password-token indirection, the real password never sits in the page.
- Conteúdo
Learn article: AFM contexts, accept as a ticket
The companion to the new explainer, in English and Portuguese: the fixed context order with the management port apart, the manual's processed-again-at-the-next-context sentence that makes accept a ticket to the next checkpoint rather than through the building, accept-decisively as the one yes that ends the walk, the bluntly worded ICMP restriction at edge contexts, staging as the honest rehearsal, the system's own redundant-and-conflicting definitions including the accept-versus-accept-decisively surprise, and the ADC-versus-Firewall default-action split with the fail-open-versus-fail-closed stakes named.
Contextos do AFM: Accept É um Bilhete para o Próximo Posto de Controle
- Nova ferramenta
New tool: AFM rule-context & match explainer
Paste contexts, policies, and a packet, and the walk runs in the manual's own order: global, route domain, then the virtual server or self IP, with management port rules processed separately. The semantics that decide real outcomes are all here: a matching rule's action applies and the traffic is processed again at the next context, so accept is a ticket to the next checkpoint and only accept-decisively ends the walk with a yes; the one-click Example is a global accept-decisively trumping a virtual-server drop that never sees the packet. ICMP rules at edge contexts are skipped with the manual's ignored note, staged policies log without enforcing, rule-lists expand in place, and criteria the tool cannot evaluate stop the walk honestly. A lone policy gets the audit the system itself defines: redundant and conflicting rules, including accept versus accept-decisively counting as conflicting.
- Conteúdo
Learn article: OneConnect, reuse as a grouping problem
The companion to the new explainer, in English and Portuguese: the source mask's two documented poles and the subnet-style grouping between them, the naming drift (Source Mask, Source Prefix Length, source-mask), and the sentence both K articles state that decides real outcomes: SNAT translates first, the mask sees only the translated address, so one SNAT address means one reuse group however narrow the mask. Plus the pool lifecycle defaults, the per-TMM division and the Current Idle statistic's real meaning from F5's own lab, and the strict limit the manual itself recommends against.
OneConnect: Reuso É um Problema de Agrupamento, e o SNAT Reescreve os Grupos
- Nova ferramenta
New tool: OneConnect source-mask explainer
Paste a one-connect profile and every option renders with the v17 man page's own semantics, defaults filled in explicitly, from the 0.0.0.0 mask that shares reused connections across all clients to the strict limit the manual itself calls not recommended. Or run the mask simulation: real client IPs, a mask, and optionally a SNAT address, which demonstrates the ordering K7208 and K5911 both state, translation first, mask second, so one SNAT address collapses every client into a single reuse group however narrow the mask. Rounded out with the statistics honesty from F5's own lab article: max-size divides per TMM, and Current Idle counts idle connections whether or not they are eligible for reuse.
- Localização
Full i18n pass: the last hardcoded strings
A three-pass audit of every page and component (line-level text, multi-line prose, and metadata) found the stragglers and moved them into the message system: the Learn hub's entire hero (section marker, title, and tagline were hardcoded English on all sixteen locales), the Read links and Read-next block on articles, the primary navigation's screen-reader label, and the changelog and roadmap meta descriptions. Portuguese ships alongside English as always; the remaining locales fall back per key. Protocol samples inside tools (dig headers, tmsh literals, example XML) stay English on purpose, because they are syntax, not copy.
- Recurso
Homepage joins the page-hero standard; Tools index gets its eyebrow
The landing hero now uses the same title and lede scale as every other top-level page, the one page deliberately left out of the header standardization pending an explicit call - the reading-comfort scale won. The call-to-action row inherits the spacing the old subtitle carried, with no inline overrides. And the Tools index, which had the standard title but not the small cyan section marker the Learn, Changelog, and Roadmap pages carry, now opens with one: TOOLS above the tagline, translated like its siblings.
- Conteúdo
Learn article: packet filters, the checkpoint before everything
The rich companion to the new tool, in English and Portuguese: one global list in ascending order, first terminal match wins, continue as the only action that lets a packet touch two rules, and an empty expression matching everything. Then the part that decides real outcomes: the master switch ships disabled and off means allow-all, trusted exemptions outrank every rule and cannot be overridden, ARP and four important ICMP types walk past by default, established connections are invisible to the filter unless you enable the option F5 itself says rarely helps, and the management port never meets any of it. Closes with the chapter's own prose-versus-tables wording inversion as a careful-reading note, and the v16 security packet-filter policy name collision.
Packet Filters: O Checkpoint Antes de Tudo, e a Chave Que Vem Desligada
- Nova ferramenta
New tool: BIG-IP packet-filter explainer
The layer that runs before almost everything else, walked with the man page's own semantics: a single global list, lowest order first (the reference's worked 500/100/300/200/201 sequence is a golden vector), unique orders enforced, evaluation stopping on accept, discard, or reject, continue as the only non-terminal action, and an empty rule expression matching ALL packets, with VLAN-scope-aware shadow detection. Add a sim: line and an honest three-state BPF-subset simulator answers which rule matches, stopping the walk rather than guessing when an expression leaves the evaluated subset. The context panel carries what the chapter says always applies: the master switch is disabled by default and off means all traffic allowed, trusted exemptions precede rules and cannot be overridden, ARP and the important ICMP types are exempt by default, established connections are not filtered by default, and the management interface is untouched by any of it.
- Conteúdo
Learn article: CMP, the cores you paid for
The article behind the new iRules pair, in English and Portuguese: one TMM per core, connections disaggregated across them, and demotion meaning every connection for a virtual serialized onto a single TMM. The demotion list per the CMP Compatibility page: global variables (validator catches them as of v10) with static:: as the documented cure, plus the two per-TMM traps that bite without demoting - RULE_INIT-generated keys and statistics profiles. Closes with the persistence timeline for the folklore, and the LTM-policy escape hatch for match-and-act logic that never needed Tcl.
CMP: Os Núcleos Que Você Pagou, e as Linhas de iRule Que os Devolvem
- Nova ferramenta
Two new tools: the iRules CMP pair
The command/context explainer reads an iRule the way the reference would: every when block with the event's own Master List one-liner, commands inventoried with direct links to their reference pages, the documented priority evaluation order, and a CMP audit sourced line by line to the CMP Compatibility page - global variables demote the virtual server to a single TMM (the validator catches them as of v10), static:: is the documented cure, RULE_INIT-generated keys are per-TMM, statistics profiles count per TMM. Its sibling classifies each block against LTM policies with three honest verdicts: policy-expressible with a migration sketch in the grammar the vendor's own examples demonstrate, verify-on-version for constructs the verified sources did not show, or iRule-required with the blockers named. Both link per-command validity pages rather than reproducing tables they have not verified.
iRules command-context explainer · iRules vs LTM policy classifier
- Conteúdo
Two Learn articles: SYN flood protection, and connection eviction policies
The DoS-vector explainer's article pair, in English and Portuguese. SYN Flood Protection walks the cookie mechanics per K14779, the LTM threshold map and per-VLAN hardware mode, the AFM tcp-half-open vector's documented precedence over the LTM global SYN cookie, and the mitigation-below-detection arrangement that drops traffic with no attack log. Connection Eviction Policies covers the K15738 lineage from the adaptive reaper, the watermark semantics that change meaning with the attachment context, the strategies the manual honestly calls statistical and opportunistic, and the slow-flow monitor-first pattern. Both grounded in the F5 references fetched this session.
- Nova ferramenta
New tool: AFM DoS-vector explainer
Paste security dos device-config or profile stanzas and every vector renders with F5's own one-line identity (the full 105-entry reference table, sys-db tunables included), the threshold mechanics spelled out - detection compares a 1-minute average against an absolute value or a learned 1-hour baseline, and the internal rate limit runs in hardware where the platform has it - and deterministic cross-checks: the mitigation-below-detection inversion that drops traffic with no attack log, automatic-mode semantics, policing with detection disabled, bad-actor wiring, and the tcp-half-open SYN-cookie interplay. Defensive configuration only; the tool never generates traffic.
- Recurso
Three small touches: the stamp, the roadmap pointer, and a heart
The build stamp in the footer's machine row now links here, to the changelog, since that is the natural question a build stamp raises. This page opens with a one-line pointer to the roadmap, separating what is planned from what has shipped. And the special-thanks line on the colophon now ends with a small monochromatic heart, as it always should have.
- Conteúdo
Certification record corrected against the certificate itself
The Extreme Networks switching credential listed as Certified Administrator (2026) is, per the certificate document now hosted alongside it, the Extreme Certified Associate, issued August 2023 with no expiry. The entry was corrected to match the document and the certificate PDF is served with it.
- Recurso
Calmer page headers across the site
Every top-level page now opens with the same header format the Learn page pioneered: titles cap at a comfortable 2.75rem instead of the 3 to 4.5rem the section pages used to run, and the intro line reads at body-text scale. One shared style now carries the look, replacing three copies of an inline override and eight page-specific variants. The homepage landing hero keeps its own scale on purpose.
- Conteúdo
Two new Learn articles: the GSLB chain and the topology sort
BIG-IP DNS Load Balancing: the Wide IP, the Pool, and the Three-Step Chain covers both decision tiers and the chain rules people trip over: the alternate can only be static, the fallback ignores availability on purpose, and None cascades all the way to a BIND aggregate. GTM Topology Records: Longest Match Is a Sort, Not the Pick walks the record anatomy, the verified sorting ladder, and the scoring model with shadowing, including the worked example the scorer loads as its one-click demo. Both in English and Portuguese, grounded in the tmsh references, the Load Balancing manual, and K10721.
- Nova ferramenta
New tool: GSLB decision-flow explainer
Paste gtm wideip and gtm pool stanzas and the two-tier BIG-IP DNS decision renders as it really runs: pool selection at the wide IP, then each pool's preferred, alternate and fallback chain in F5's own terms, with the grammar validated per tier, the fallback-ignores-availability rule stated on every resolved chain, and the manual's cross-checks applied, from Fallback IP wiring to the topology-at-both-tiers warning. A method name explains one method; the word methods lists both catalogues.
- Nova ferramenta
New tool: GTM topology longest-match scorer
Longest Match is a sort, not the pick, and this tool computes it the way BIG-IP DNS does: the records sort by source statement, destination statement and weight, then the scoring walk assigns each candidate its score from the first matching record, shadowing the rest. Paste topology records and a source line to see the sorted list with per-record rationale, which record scored which candidate, and why a heavy wildcard really can beat a light /32.
- Infraestrutura
Paste boxes now wrap long lines
The input boxes on the F5XC service-policy explainer, the BIG-IP license explainer, and the Advanced WAF policy explainer were using the terminal-output text style, which never wraps: a long pasted line ran off the right edge behind a scrollbar. They now use the same wrapping paste-box style as every other tool. The dig and nslookup explainers keep the non-wrapping style on purpose, since aligned terminal output is the point there.
F5XC service-policy explainer · F5 BIG-IP license explainer · AWAF declarative-policy explainer
- Infraestrutura
robots.txt now exists
The footer's machine-readable row has linked robots.txt since the row shipped, but the file itself was never created, so the URL answered 404. It now serves a plain allow-all policy and points crawlers at llms.txt, the full machine-readable index.
- Nova ferramenta
New tool: LB-method chooser
Paste an ltm pool and get its load-balancing method explained in F5's own terms, with cross-checks against the rest of the pool: ratio weights the mode ignores, missing connection limits that weighted modes require, slow-ramp pairing, priority-group activation, and the ignore-persisted-weight scope. Covers all 19 documented modes, takes a bare method name or the word methods for the full catalogue, and answers two questions with a sourced recommendation. Grounded in the tmsh ltm pool reference, K42275060, and K6406. Runs entirely in the browser.
- Conteúdo
Two new Learn articles: load-balancing methods and virtual server types
BIG-IP Load-Balancing Methods, and What Each One Weighs walks the 19 modes along the two axes that organize them, static or dynamic and member or node, including the ratio rule from K6406 that explains half the field surprises. BIG-IP Virtual Server Types, and What Each One Actually Does covers Standard through Reject and the specialists, from the full-proxy handshake to the FastL4 packet path, grounded in K93100324 and K8082. Both in English and Portuguese.
- Conteúdo
On building new tools, easier to read
The funding story on the contribute page is the same text, now set for comfortable reading: a short intro, the three seats as a compact list, the infrastructure line, and the monthly total on its own line so the number is easy to find. Not a word changed in English or Portuguese, only the presentation.
- Recurso
Clearer API error messages
When a tools API call fails validation, the error now tells you something useful. Deliberate validation messages from the tool engines pass through unchanged, while internal runtime errors, like a missing field in a JSON body, map to a stable hint that points at the request schema in openapi.json instead of leaking implementation details.
- Infraestrutura
Permanent redirects for locale-less URLs
Bare URLs without a language prefix, like /f5 or /colophon, now answer with a permanent 301 to their English page instead of a temporary 302. The site ships English as its default and performs no header-based language negotiation, so the target never varies and search engines can safely consolidate on the localized address. Deep links keep working exactly as before.
- Conteúdo
Funding transparency, updated
The On building new tools section on the contribute page now tells the whole story: the three CONCORD seats (ANVIL on Claude, SCOUT on ChatGPT Plus, PRISM on Google AI Pro), the Cloudflare Workers plan, and the yearly domain fees, roughly USD 150 to 250 a month all in, with a link to the colophon for how the seats work. Buy Me a Coffee contributions go to that toolchain and nothing else.
- Recurso
F5 hub, easy to find
Hub discoverability now lives on top of the Tools and Learn listings: a small pill on each page links straight to the F5 hub, keeping the header a simple four-item bar. The pills are generated from the same populated-vendor rule as the hub itself, so Fortinet, Netskope, and Extreme Networks will appear there automatically the day their first tools ship.
- Recurso
Vendor hub pages
ronutz.com/f5 is live: one page gathering every F5 tool, grouped by family, followed by every F5 article. The bare /f5 address permanently redirects to the English hub, and /tools/f5 and /learn/f5 land on the hub's anchored sections in every language. Fortinet, Netskope, and Extreme Networks hubs materialize automatically when their first tools ship; until then their addresses redirect to the tools index. A new build guard keeps the vendor namespace safe: no tool, article, or page may ever take a vendor name as its address.
- Recurso
Five F5 tools renamed with permanent redirects
The BIG-IP persistence cookie decoder, tcpdump builder, iRules event order, tmsh config explainer, and persistence method explainer now carry the f5- vendor prefix in their URLs, matching the rest of the F5 family. Every old address answers with a permanent redirect: page and .md URLs via static 301 rules in all sixteen languages, and old API slugs via a 308 from the worker so request method and body are preserved. The old names also remain as OMNIBOX aliases, so pasting or typing them still lands on the right tool.
BIG-IP persistence-cookie decoder · BIG-IP tcpdump builder · iRules event-order explainer · tmsh config explainer · Persistence-method explainer
- Nova ferramenta
New tool: F5 BIG-IP license explainer
Paste your /config/bigip.license, the full file or any fragment, and read it in plain language: whether it is BIG-IQ managed or licensed directly, the licensing dates with the K7727 upgrade verdict, the Registration Key and platform, active and optional modules with their per-module keys, Exclusive_version, Deny_version and Exclusive_Platform constraints, and every feature token. Key and signature values are never displayed, and nothing leaves the browser. The line grammar is grounded in two real, sanitized lab license files (one BIG-IQ managed, one direct) and in F5 K000160443, K7727, K3782, K7752, K42091606 and K02011230, verified against 5 golden vectors.
- Nova ferramenta
F5 service check date now reads pasted licenses and tmsh output
Paste your /config/bigip.license contents, any fragment of it, or the output of tmsh show sys license, and the tool picks out the service check date and answers the same upgrade-eligibility question, echoing the matched line for confirmation. Both published line forms are recognized: the file form (Service check date : 20151008, with flexible colon spacing) and the tmsh form (Service Check Date 2016/08/18). Quick manual entry is unchanged and remains the primary path. Grounded in F5 K3782 and K000160443 plus F5's published upgrade checklist, verified against 6 new golden vectors (20 total).
- Recurso
Sticky vendor filter, back-to-top, and a tidier footer
Browsing the long lists is easier: the vendor filter on the tools and Learn indexes now stays pinned below the header while you scroll, and a small corner button returns you to the top once you are more than a screen down. The footer is consolidated too: its utility links now sit in three compact rows with dimmed separators, and the machine-readable row (llms.txt, robots.txt, feed.xml) now sits at the very end just above the build stamp, in smaller monospace, so the three read as the quiet file endpoints they are.
- Nova ferramenta
New tool: F5 Advanced WAF declarative-policy explainer
Paste a BIG-IP Advanced WAF (ASM) declarative policy (JSON) and get a section-by-section, plain-language reading grounded in F5's published schema, with security callouts that read the values: transparent enforcement means monitor-only, plus signature staging, X-Forwarded-For trust, Data Guard off, and cookies missing Secure or HttpOnly. Covers about 55 policy sections and honors the template-delta rule (an absent section means template default, not disabled). Decode-only, grounded in the F5 v17.1 declarative-policy schema (published versions v16.0 to v17.5), verified against 6 golden vectors built from F5's own example policies, with four Learn articles in English and Portuguese.
- Nova ferramenta
New tool: F5 service check date
Enter a BIG-IP version for the minimum service check date its license must carry, or enter a service check date for the newest version you can upgrade to and the newer branches you cannot reach yet. It encodes F5's published License Check Date table (K7727) and does the comparison entirely in the browser, with no clock and no network. Grounded in F5 K7727 and K8986, verified against 14 golden vectors, with three Learn articles in English and Portuguese.
- Nova ferramenta
New tool: SSRF URL classifier
Paste a URL and see where it actually points: loopback, private (RFC 1918), link-local, cloud metadata (169.254.169.254 and the IPv6 and vendor equivalents), CGNAT, reserved, or public, with an SSRF risk level and plain-language reasons. It decodes the IP-obfuscation tricks that hide an internal address from a naive filter (decimal, octal, hex, short-form, and IPv4-mapped IPv6) and flags dangerous non-HTTP schemes and embedded credentials. It classifies purely from the string and never resolves DNS or issues the request (D-53). Grounded in RFC 1918/3927/6598/3986 and the OWASP SSRF cheat sheet, verified against 26 golden vectors, with six Learn articles in English and Portuguese.
- Recurso
Public roadmap page
A public roadmap at /roadmap, generated from the live build catalogue so it is always current: every planned tool grouped by family, plus a running count of what has already shipped. Linked from the footer and the Share-an-idea page so proposals can check what is already planned and avoid duplicates.
- Recurso
Footer shows a last-modified timestamp
The footer now shows a Last modified date and time, in UTC, written on every build so the site's currency is always visible at a glance.
- Recurso
Navigation and credibility restructure
The main navigation now leads with what you use (Tools and Learn) alongside About, Training, and Contact. Certifications and Endorsements moved out of the top bar and now lead the About page as featured cards, and the Training page opens with the instructor and links to those credentials, so the professional showcase is cleanly separate from the tools.
- Nova ferramenta
New tool: hash preimage finder
Paste an MD5, SHA-1, or SHA-256 hash, choose an alphabet and length, and watch a bounded local brute-force search either recover a weak input in milliseconds or run out of keyspace on anything with real entropy. No dictionary, no wordlist, no precomputed table: pure local enumeration and hashing, capped so it only ever recovers trivially weak inputs. A teaching tool for why fast, unsalted hashes fail, pairing every result with the defenses (salting, slow KDFs, and algorithm choice). MD5, SHA-1, and SHA-256 are verified against published test vectors, and it runs only in the browser.
- Recurso
Every tool now has an HTTP API endpoint
Every deterministic tool is now reachable over a simple HTTP API at /api/v1/<tool>, driven by a single registry so the API and its published OpenAPI specification stay in lockstep with the toolbox as tools are added. Capabilities that would be abused as an unbounded search on shared infrastructure are explicitly excluded and remain browser-only. The API reference page lists what is available.
- Nova ferramenta
New tool: HTTP request translator
Paste a curl command and get it both explained (method, URL, every header, the body with its real Content-Type, auth, cookies, and each flag) and translated to fetch, a raw HTTP/1.1 request, HTTPie, and Python requests. A single local parse drives both views. It gets curl's -d Content-Type default right (form-encoded, not JSON) and warns on --insecure, plaintext http, and credentials in the URL. Local and offline.
- Nova ferramenta
New tool: CVSS vector decoder
Paste a CVSS v3.1 vector and get the Base score computed and mapped to None through Critical, with Temporal and Environmental scores when those metrics are present and every metric spelled out. Pure scoring math implemented from the FIRST.org specification and validated against officially published reference scores. Local and offline.
- Nova ferramenta
New tool: F5XC service policy explainer
Decode an F5 Distributed Cloud service policy and get its rules explained in evaluation order: the match criteria, the action, and the first-match logic that determines allow or deny. Decode-only and offline.
- Nova ferramenta
New tool: nslookup output explainer
Paste nslookup output and get it explained: the server and port queried, whether the answer is authoritative, each record returned, and the common warnings. A companion to the dig output explainer. Local and offline.
- Nova ferramenta
New tool: XML decoder
Paste XML and get a structural tree view plus a security analysis: entities are surfaced and the parser is XXE-safe, flagging external-entity and billion-laughs patterns without ever resolving them. Decode-only and offline.
- Localização
OIDC tool now fully localized in all 16 locales
The OIDC decoder's entire interface - input labels, badges, panels, claim categories and field labels, the assessment reasons, and the authorization-code flow diagram - is now translated across all 16 locales.
- Nova ferramenta
New tool: dig output explainer
Paste dig output and get every section explained: the header and flags, the question, and each answer, authority, and additional record, along with the query timing. Local and offline.
- Nova ferramenta
New tool: text diff
Compare two blocks of text and get a line-by-line diff with additions, removals, and unchanged context. Runs entirely in the browser; nothing is uploaded.
- Nova ferramenta
New tool: TOTP / HOTP
Generate and verify TOTP and HOTP one-time codes (RFC 6238 and RFC 4226) from a shared secret, with the time step, counter, and digit count shown. Golden-vector tested; local and offline.
- Nova ferramenta
New tool: BIG-IP tcpdump builder
Build a correct F5 BIG-IP tcpdump command from a plain description: the right interface syntax (including the :nnn peer-flow form), host and port filters, and capture options, with each part explained. Local and offline.
- Conteúdo
oidc: authorization-code flow diagram
The OIDC tool now shows a theme-aware diagram of the OpenID Connect authorization-code flow, from the authorization request through token exchange, ID token validation against the JWKS, and the optional UserInfo call. Each step names the same discovery-document endpoint the decoder reports.
- Localização
cipher key-exchange groups panel now in all 16 locales
The post-quantum key-exchange groups reference is now translated across all 16 locales, so its labels and explanations read natively instead of falling back to English.
- Recurso
cipher: post-quantum key-exchange groups reference
The cipher tool now includes a reference for the TLS supported_groups - the key-agreement groups negotiated separately from the cipher suite - with the post-quantum ML-KEM hybrids featured. X25519MLKEM768 (0x11EC), SecP256r1MLKEM768, and SecP384r1MLKEM1024 are shown alongside the classical ECDHE and finite-field groups, each flagged by type, post-quantum status, and recommended/obsolete state. Backed by a golden-vector-tested name and code-point decoder.
- Localização
x509 Certificate Transparency panel now in all 16 locales
The SCT panel's labels and explanatory text are now translated across all 16 locales, so embedded Certificate Transparency timestamps read natively instead of falling back to English.
- Recurso
x509: decode embedded Certificate Transparency SCTs
The X.509 decoder now decodes the signedCertificateTimestampList extension (RFC 6962) instead of just naming it: each embedded SCT's version, log ID, logged-at timestamp, and signature algorithm are shown. Structural decode only - the SCT signatures are not verified, which would need the CT log's public key. Golden-vector tested against hand-built SCT lists and validated end-to-end against a certificate carrying the extension.
- Localização
CSR decoder UI now in all 16 locales
The CSR decoder's interface (input labels, result cards, the requested-extension and attribute labels, and the error messages) is now translated across all 16 locales (40 strings each), so the tool reads natively instead of falling back to English.
- Nova ferramenta
New tool: CSR decoder
Decode a PKCS#10 certificate signing request (RFC 2986) entirely in the browser: subject, public key, requested SANs and extensions, the legacy challenge-password and unstructured-name attributes, and the self-signature. A CSR is a request, not a certificate, so there are no validity dates, serial, or issuer to read. Deterministic, golden-vector tested against OpenSSL-generated RSA, EC and Ed25519 requests, and never uploaded.
- Localização
Certificate renewal planner UI now in all 16 locales
The planner's interface (input labels, result cards, the SC-081v3 schedule table, the projection, and the guidance notes) is now translated across all 16 locales (44 strings each), so the tool reads natively instead of falling back to English.
- Localização
Planner Learn articles now in Brazilian Portuguese
The five certificate renewal planner articles (the 47-day schedule, validity windows, DCV/SII reuse, renewing with ACME and ARI, and public vs private PKI) are now translated to Brazilian Portuguese, bringing pt-BR to parity with English for this set.
- Conteúdo
Learn: five articles on certificate lifetimes and renewal
Five new Learn articles back the certificate renewal planner: the CA/Browser Forum path to 47-day certificates, how validity windows and renewal lead time work, the shrinking DCV and SII validation-reuse periods, renewing on time with ACME and ARI, and why the rules bind public TLS but not private PKI. English first; other locales follow.
- Localização
Remaining static pages fully localized
The Share-an-idea feedback page, plus the last English-fallback paragraphs on the colophon, API, and license pages, are now translated across all sixteen languages, bringing every non-article static page to full locale parity. The feedback page now explicitly invites bugs, mistakes, and inaccuracies.
- Conteúdo
Decomposition diagram added to the syslog PRI decoder
The syslog PRI decoder now shows how a single PRI integer splits into its two fields - dividing by 8 gives the facility and the remainder gives the severity - with the worked example of PRI 134.
- Conteúdo
Construction diagram added to the HMAC generator
The HMAC generator now shows the two-pass construction - the key XORed with an inner pad around the message and hashed, then XORed with an outer pad around that result and hashed again - the structure that makes HMAC resistant to length-extension.
- Conteúdo
Key-matching diagram added to the JWKS explainer
The JWKS explainer now shows how a verifier selects a key - a JWT header's kid is matched against the keys in the set, picking the one with the same kid to check the signature.
- Conteúdo
Anatomy diagram added to the JWT decoder
The JWT decoder now shows the token's three base64url segments - header, payload, and signature - colour-coded and joined by dots, with the header and payload bracketed as the signing input that the signature is computed over.
- Conteúdo
Flow diagram added to the SAML decoder
The SAML decoder now shows the SP-initiated web-browser SSO round trip - the AuthnRequest, the redirect to the identity provider, authentication, the signed assertion, and the POST back to the service provider - so a decoded message can be placed in the wider flow.
- Nova ferramenta
New tool: certificate renewal planner
The first of a certificate-lifecycle set. Enter a TLS certificate's issue and expiry dates to see its validity length, whether that length fits the CA/Browser Forum SC-081v3 schedule (the 398 -> 200 -> 100 -> 47-day reduction running to 2029), the renewal cadence it implies and how that escalates at every future cap, the domain and identity validation-reuse windows for its issuance era, and a recommended renew-by date. All offline, in your browser; publicly trusted TLS certificates only.
- Recurso
SSL profile explainer now shows the data path
Decoding a client-ssl or server-ssl profile now draws the BIG-IP SSL data path (client, BIG-IP, pool member) and lights up the TLS leg the profile actually governs: a client-ssl profile on the client-side leg it terminates, a server-ssl profile on the server-side leg it initiates, with the profile named on that leg. The note spells out the offload-versus-re-encrypt consequence. This closes the Tier 1 SVG retrofits. Vector, theme-aware, parsed entirely in the browser.
- Recurso
IPv6 tool now shows the address structure
Decoding an IPv6 address now draws its 128 bits as eight hextet cells over a 0-128 bit ruler, with the prefix boundary drawn at the actual /N, shading the network prefix apart from the host portion and naming the 64-bit interface identifier when the split lands on /64. With no prefix supplied, a dashed line marks the conventional /64 boundary instead. The fourth of the Tier 1/2 SVG retrofits, and the right shape for 128 bits where a per-bit grid would not fit. Vector, theme-aware, all in the browser.
- Recurso
CIDR analyzer now shows the address layout
Alongside the binary bit-grid, a subnet now gets an address-layout strip: the network address and the broadcast address as reserved cells at each end, with the usable-host span shaded between them and the first/last host range named. A /31 or /32 collapses to a single all-usable bar, since RFC 3021 reserves neither network nor broadcast there. The third of the Tier 1/2 SVG retrofits. Vector, theme-aware, computed entirely in the browser.
- Recurso
x509 tool now shows the chain of trust
Decoding a certificate now draws a small chain-of-trust diagram (root CA, intermediate CA, end-entity) and highlights where the pasted certificate sits: a self-signed certificate lights up the root, a CA certificate the intermediate, and an ordinary certificate the leaf, with its subject and issuer named and the self-signed case called out. The second of the Tier 1/2 SVG retrofits. Vector and theme-aware; the certificate never leaves the browser.
- Recurso
PKCE tool now shows the flow as a diagram
The PKCE generator gains an inline sequence diagram of the S256 authorization-code flow (generate a code_verifier, derive the code_challenge, carry it on the /authorize request, get an authorization code, send the verifier on the /token request, and have the server re-derive and compare before issuing tokens), colour-coded by who acts (app vs authorization server). It is the first of the Tier 1/2 SVG retrofits across existing tools. Vector and theme-aware; nothing about the tool leaves the browser.
- Nova ferramenta
iRule event order is live
Toggle the profile stack on a BIG-IP virtual server (client-SSL, HTTP, server-SSL, pool, or FastL4) and see the order the common iRule events fire, from CLIENT_ACCEPTED through CLIENT_CLOSED, as a color-coded timeline (the toolbox's first inline diagram) and an ordered list, with the conditional events (TCP/HTTP collect, LB failure, 100 Continue) called out and where each one slots in. The sequence is pinned to F5 Clouddocs and the DevCentral event-order capture. Five Learn articles ship alongside it. It is a model of documented behaviour that runs entirely in the browser and never contacts a device.
- Nova ferramenta
Unix time converter is live
Paste a Unix timestamp, whose unit (seconds, milliseconds, microseconds, or nanoseconds) is read from its magnitude and stated back to you, or an ISO-8601 date, and get the instant in every common form: the UTC calendar breakdown with weekday and day-of-year, ISO 8601, RFC 3339, the HTTP date, and the timestamp in all four units. Negative timestamps and the Year 2038 boundary are flagged. Five Learn articles ship alongside it. The conversion is pure date math that runs entirely in the browser; a Now button and a relative-to-your-clock line are the only parts that read the wall clock.
- Nova ferramenta
F5 SSL profile explainer is live
Paste a tmsh client-ssl or server-ssl profile and get its role, the TLS protocol matrix derived from the options field (which version each no- flag permits or blocks), and a 🟢/🟡/🟠/🔴 security read covering chain building, renegotiation, SNI, OCSP stapling, and mutual-TLS validation, with each setting explained. Five Learn articles ship alongside it. Parsing runs entirely in the browser; it never contacts a device.
- Recurso
Two F5 iControl REST tools on the roadmap
Queued an iControl REST path explainer that decodes /mgmt/tm/... URLs, the tilde-encoded ~partition~ paths, and the query options and shows the matching tmsh path, and an iControl REST stats decoder that flattens F5's deeply nested stats JSON into readable key-values. Both are offline and never contact a device.
- Conteúdo
Licensing and colophon copy updated across all locales
The license, colophon, and API copy were reworded in every live language to match how things work now: each tool is self-contained and runs entirely in the browser, with no upstream engine imported at runtime. The determinism and privacy guarantees are unchanged.
- Recurso
Two Expect (Tcl) tools on the roadmap
Queued an Expect script explainer that breaks down spawn, expect, send, and timeout blocks and flags pitfalls like hardcoded credentials and a missing timeout, and an Expect pattern tester for the glob, -re, and -ex match modes. Both are static and offline; neither runs a script.
- Infraestrutura
CIDR is now self-contained
The CIDR tool was the last piece still calling an external compute package; its single-subnet analysis (cidrAnalyze) has been brought in-house, with output verified byte-for-byte against what it replaced. The site no longer depends on any external engine at runtime.
- Nova ferramenta
New tool: Regex Toolkit
Compile, test, and explain JavaScript regular expressions in one place: live matches with positional and named capture groups highlighted, a plain-language token breakdown of what the pattern does, and a static check that warns before a catastrophic-backtracking (ReDoS) pattern runs against your text, so that a single keystroke cannot freeze the page. Ships with three Learn articles. Everything runs in the browser.
- Recurso
CIDR tool: octet bit visualization and a netmask slider
The subnet mode now draws the address as 32 bits across its four octets, showing the binary and decimal value of each octet and highlighting the network bits apart from the host bits. A prefix-length slider lets you drag the mask from /0 to /32 and watch the split move.
- Recurso
F5 packet-trailer tools added to the roadmap
Two tools derived from the Wireshark f5ethtrailer dissector were added to the roadmap: an F5 Ethernet trailer decoder (Low, Medium, and High details: ingress, slot, TMM, VIP, flow and peer IDs, RST cause, peer info; it ignores the TLS keylog provider) and an F5 TCP RST cause explainer.
- Nova ferramenta
JWKS explainer and key matcher
A new tool that breaks down a JSON Web Key Set: it explains every key (type, use, algorithm, size), flags any private or symmetric key material that should never appear in a published set, and matches a JWT to its key by kid. It completes the JWT and OIDC verification story and never fetches a jwks_uri. Shipped with three Learn articles.
- Nova ferramenta
Syslog PRI decoder and encoder
A new tool that decodes a syslog PRI value (such as 134) into its facility and severity, or encodes a facility and severity back into a PRI and its on-the-wire form. It notes the common network-device facility defaults (FortiGate local7, Cisco ASA local4, F5 BIG-IP local0). Shipped with three Learn articles.
- Recurso
SIEM event formats added to the roadmap
Four logging and SIEM tools were added to the roadmap: a CEF decoder (ArcSight), a Splunk HEC event explainer, a LEEF decoder (QRadar) in a new logging category, and an F5 high-speed logging and log-profile explainer.
- Recurso
Roadmap expanded with syslog, API, and cloud-native tools
Nine tools were added to the roadmap. Two syslog tools (a PRI decoder and encoder, and a full RFC 5424 / RFC 3164 message parser) and four API tools (a JWKS explainer and key matcher, a CORS preflight explainer, a webhook signature verifier, and an OpenAPI explainer) were ranked by value. A cloud-native set (Kubernetes NetworkPolicy, RBAC, and kubeconfig explainers) was added in a new category at the end of the queue.
- Nova ferramenta
F5 cipher-string explainer
A new tool that parses an F5 BIG-IP cipher string, explains every keyword and operator, and flags weak or deprecated choices alongside forward secrecy. It recognizes the pre-built rules (f5-default, f5-secure, f5-ecc). It deliberately does not reproduce the exact per-TMOS ordered suite list, which depends on the platform version. Shipped with three Learn articles.
- Nova ferramenta
Persistence-method explainer
A new tool that reads BIG-IP persistence profiles and virtual servers, explains each method (cookie, source-address, SSL, universal, hash, and more) with its real failure modes, and resolves each virtual's primary and fallback persistence chain. It reuses the tmsh parser and pairs with the persistence cookie decoder. Shipped with three Learn articles.
- Nova ferramenta
tmsh config explainer
A new tool that parses a BIG-IP bigip.conf snippet and explains its objects, virtual servers, pools, monitors, profiles, and iRules, in plain English. Shipped with three Learn articles.
- Nova ferramenta
JSON / YAML converter
A new tool that converts between JSON and YAML in the browser, flagging dropped comments, expanded anchors, and number-precision limits. Useful for moving between F5 AS3/DO (JSON) and Kubernetes, Ansible, or CI (YAML). Shipped with three Learn articles.
- Nova ferramenta
JSON formatter and inspector
A new tool that formats and validates JSON with precise error locations, structural statistics, and duplicate-key detection. Shipped with three Learn articles.
- Nova ferramenta
URL inspector
A new tool that parses a URL into its components, decodes query and path encoding, and explains each part, introducing the new HTTP and web tool category. Shipped with three Learn articles.
- Nova ferramenta
BIG-IP persistence cookie decoder
A new tool that decodes F5 BIG-IP persistence cookies across all four encoding formats, detects encrypted cookies, and can also encode a cookie from a pool member. Shipped with Learn articles.
- Nova ferramenta
OIDC decoder
A new tool that decodes OpenID Connect ID tokens (reusing the JWT engine) and .well-known/openid-configuration documents, flagging missing claims, the none algorithm, and PKCE method. It never calls the jwks_uri. Shipped with Learn articles.
- Nova ferramenta
SAML decoder
A new tool that decodes and explains SAML assertions and metadata using an XXE-hardened XML parser, with the mandatory external-entity rejection. Shipped with Learn articles.
- Nova ferramenta
Security headers analyzer
A new tool that analyzes HTTP security response headers across 25 headers with detailed reason codes, the first tool of the ranked build sprint. Shipped with five Learn articles.
- Recurso
Tool roadmap ranked and catalogue reorganized
The full tool roadmap was ranked end to end and persisted into the catalogue. The tools index was reorganized to list tools alphabetically, with Learn articles in a curated reading order.
- Recurso
Search upgraded with result badges
Site search moved from grouped results to pure relevance ranking, and now labels each result as a tool, an article, or a page.
- Nova ferramenta
base64 rebuilt as a unified codec
The base64 tool was rebuilt into a single codec covering base64, base64url, base32, base16/hex, and percent-encoding, with four new Learn articles.
- Nova ferramenta
CIDR tool rebuilt
The CIDR tool was rebuilt and moved to its own canonical page, with new Learn articles.
- Infraestrutura
Locale scaffolding expanded
Additional locales were scaffolded, bringing the total to 42, including right-to-left layout support for the relevant scripts.
- Localização
Sixteen languages completed
Full message packs were completed across all sixteen live locales. A machine-translation notice and a Contribute page were added, with downloadable language packs for community review.
- Lançamento
ronutz.com went live
The site launched on Cloudflare Workers with ten client-side tools (JWT, PKCE, X.509, cipher-suite, IPv6, CIDR, base64, hash, HMAC, and UUID), the Learn article system, Pagefind search, an eight-theme switcher, and the full About, Certifications, and Training sections. Every tool runs entirely in the browser with no telemetry.
JWT decoder · PKCE helper · X.509 inspector · Cipher-suite decoder · IPv6 toolkit · CIDR / subnetting · Base64 / Base32 / Hex / Percent codec · Hash · HMAC · UUID