--- Log opened Tue Apr 10 00:00:39 2018
00:06 < DocScrutinizer05> KNetworkManager OpenVPN stalled when my router failed over from DSL to cable. Any comments on that? I expected OpenVPN to handle this more gracefully
00:07 < DocScrutinizer05> what to check? where to look for debugging info?
00:07 < SporkWitch> DocScrutinizer05: that's more a question for #kde
00:08 < SporkWitch> DocScrutinizer05: If the router failed over gracefully enough, it's possible that knetworkmanager didn't notice an issue, and so it took the openvpn plugin itself timing out to correct itself and reestablish the connection.
00:08 < DocScrutinizer05> err really? I'm not sure if it's related to KDE at all, except KNM controlling the OpenVPN subsystem
00:08 < DocScrutinizer05> ;nod:
00:08 < DocScrutinizer05> so it's about timeout setting in OpenVPN, no?
00:08 < SporkWitch> DocScrutinizer05: it's an issue with how knetworkmanager and the openvpn plugin for it are working; it'll either be a KDE issue or an OpenVPN issue, but not likely one with a #networking related fix
00:09 < SporkWitch> DocScrutinizer05: that would be my guess
00:09 < DocScrutinizer05> the parameters in the config files look pretty genuine OpenVPN
00:09 < SporkWitch> If you think about it, as far as your computer is concerned, there was no issue: the router failed over gracefully, masking any issue.
00:09 < DocScrutinizer05> yes, obviously
00:09 < DocScrutinizer05> that's the idea
00:10 < SporkWitch> DocScrutinizer05: the problem then comes up that the established tcp connections are no longer valid, because the origin addresses are no longer valid; it would be on openvpn/knetworkmanager to detect the issue, time out, and reestablish
00:11 < DocScrutinizer05> :nod:
00:11 < SporkWitch> (time out, detect the issue, then reestablish, but you know what i mean)
00:12 < DocScrutinizer05> I know and was on same page already. The question is probably: what determines how and when OpenVPN times out and where do I tweak it?
00:12 < SporkWitch> you'll notice the same kinds of issues with lots of stuff, such as discord, it's just that it masks it since as soon as it times out it reestablishes connection, so all you notice is you didn't get any new messages for a few moments and then you get a bunch
00:12 < SporkWitch> definitely an openvpn question, heh
00:13 < lupine> you can have openvpn die and come back without breaking the tcp connections going over it
00:14 < DocScrutinizer05> wow
00:14 < DocScrutinizer05> however that's not the ideal solution. i'd hope for OWPN itself detecting the issue and doing a reconnect
00:14 < DocScrutinizer05> OVPN*
00:14 < lupine> right, it does if set up correctly
00:15 < SporkWitch> lupine: the connections going over it, yeah, but i believe we're talking about the openvpn connection itself
00:15 < lupine> well, you ought to be using udp, so there isn't one
00:15 < DocScrutinizer05> :-D
00:15 < DocScrutinizer05> I do
00:15 < DocScrutinizer05> do i?
00:15 < lupine> so it's just vpn session establishment
00:15 < SporkWitch> would still need to detect an issue and reauth, in that case
00:15 < lupine> which openvpn will happily do in a loop, linked to regular keepalive packets
00:16 < SporkWitch> should do, but that's why i directed him to KDE and openvpn, because the issues going to be with knetworkmanager or its openvpn plugin lol
00:16 < lupine> I just have `keepalive 10 120`
00:16 < DocScrutinizer05> yup, UDP http://wstaw.org/m/2018/04/10/plasma-desktopa22448.png
00:16 < lupine> using these gui frontends is generally more pain than it's worse
00:17 < SporkWitch> s/worse/worth/
00:17 < lupine> um, yeah
00:17 < lupine> i pop openvpn on my router where there isn't room for kde anyway :p
00:17 < DocScrutinizer05> KNM is isong regular OpenVPN package
00:17 < DocScrutinizer05> using*
00:17 < SporkWitch> and yeah, the openvpn plugin for knetman is NOT the greatest, but once you do get it behaving it can be nice. makes it easy to tag it to automatically connect when using given networks and the like
00:17 < DocScrutinizer05> it's just a shim over it
00:18 < DocScrutinizer05> afaik
00:18 < SporkWitch> DocScrutinizer05: yup, but that shim is also defining the settings; i've run into issues setting it up before where it didn't like the config+creds files
00:18 < lupine> just pop the openvpn config file into /etc/openvpn along with any needed secrets
00:19 < lupine> what value does this gui add?
00:19 < SporkWitch> lupine: convenience, and the extra features like tying auto-connection to specific networks
00:19 < lupine> yes, we can all see the extra convenience
00:19 < SporkWitch> centralized management
00:20 < lupine> orthogonal, and centralized management is easier when you don't have a gui to go through anyway
00:20 < SporkWitch> once you get the creds file loaded it works fine, generally, it's just picky about getting it loaded initially sometimes
00:20 < DocScrutinizer05> http://wklej.org/id/3404829
00:20 < lupine> you can also enable or disable the vpn based on other interfaces coming up or down if you like, 'though I wouldn't bother
00:20 < SporkWitch> not on a workstation; you've got a network button in the system tray to manage all related stuff, vs a collection of random scripts and separate commands
00:21 < SporkWitch> nor would i; it's a PITA to do without the GUI :)
00:21 < lupine> nah, it's trivial
00:21 < SporkWitch> except requiring you to modify config files, manually specify SSIDs and BSSIDs, etc.; OR you hit a single box in the GUI lol
00:22 < lupine> eh, no
00:22 * DocScrutinizer05 glares ignorantly at >>reneg-sec 0<<
00:22 < SporkWitch> all of which is really beside the point here
00:22 < SporkWitch> eh, yes
00:22 < lupine> it's just on-up do-this and on-down do-that
00:22 < SporkWitch> lupine: which ties it to the interface, not the network, thus NOT achieving the functionality specified
00:22 < lupine> also, I manage my workstation with ansible, it makes rebuilding it from scratch easier
00:22 < lupine> ohhh, you want it based on what IP addresses you get?
00:23 < lupine> yeah, that's harder
00:23 < SporkWitch> not IP addresses, SSID/BSSID
00:23 < DocScrutinizer05> does any of you understand OpenVPN enough to hint me to timeout / keepalive related config options?
00:23 < SporkWitch> e.g. "if i'm connected at school, use the VPN; if i'm at home, don't bother"
00:23 < lupine> *shrug* broadly the same issue
00:23 < SporkWitch> DocScrutinizer05: #openvpn
00:23 < DocScrutinizer05> ok ta
00:23 < lupine> DocScrutinizer05: you want the keepalive thing
00:23 < lupine> how you get it in through your gui is something for you to work out
00:24 < SporkWitch> lupine: not really; just because i'm on 192.168.1.0/24 doesn't mean i'm on fbi_surveilance_5G
00:24 < lupine> I was talking in terms of cli implementation difficulty
00:24 < lupine> doing that in cli would indeed be a pain relative to nm-gui
00:25 < SporkWitch> lupine: i'm including how many steps and how many times they're repeated; setting it to an IP range covers any time you hit that IP range, but setting it to specific networks you'd have to do for each.
00:25 < SporkWitch> lupine: literally the only issue i've seen is sometimes it's stubborn about taking the initial config file and importing it. Once that's out of the way, though, knetworkmanager is great for dealing with it
00:26 < SporkWitch> (for all i know those issues have since been resolved; been a couple years since i messed with it)
00:26 < DocScrutinizer05> lupine: (get it in through GUI) I'm not shy to edit the config files, as long as the gui can *cope* with it
00:42 < xau> I am consumed with rage and despair, shrieking at the mirror, standing hunched over shaking and trembling from head to toe, dropping to me knees and then flat out on the floor, huffing, raging, back to the mirror, repeat.
00:42 < xau> otherwise I'm fine, thanks for asking
00:45 < S_SubZero> networking isn't that bad
01:18 < tcl173> hello
01:19 < tcl173> I have only one pc and want to simulate a lan connection between two.
01:19 < tcl173> what should I do?
01:21 < S_SubZero> virtual machine
01:21 < tcl173> I have Windows 10, if perhaps it is a relevant detail
01:29 < darsie> Batch wants to know why she's banned. Wants to talk to an op.
01:31 < xau> I'm running Win7 with two matching nics, with matching routers connected to each of them. One of them is set up as a standard router -> nic -> isp link. I want the second router to run like this: router -> nic -> the first nic -> isp. In other words:
01:31 < forgotten> pppingme seems to be the only +o'd at the moment
01:31 < xau> I want my isp linked nic to allow a second nic on the same box to share the isp connection from the first nic
01:32 < xau> I understand that this should be trivially easy, requiring perhaps two minutes work.
01:32 < xau> I'm getting to the end of a week so far trying to get this to work.
01:33 < xau> this is just venting
01:33 < xau> I haven't given up, but I'm taking a break until I stop hating the task
01:34 < xau> the "official instructions" are: right click, enable sharing, note the nic gateway addy. aim your second nic at the first nic gateway
01:34 < xau> like it should take one minute
01:34 < xau> haha
01:35 < xau> real life windows sucks too deeply to allow that
01:36 < xau> like I said earlier, I am raging and crushed with despair. but doing fine otherwise, thanks
01:40 < forgotten> xau: but you have to use / do it with windows?
01:41 < SporkWitch> if windows supports dual-WAN and failover on workstation versions that's news to me; if it does, it almost certainly requires Pro
01:42 < SporkWitch> pointless in any case; if your ISP goes down, you gain nothing, even if the ISP let you have multiple IPs / registered MACs
01:42 < SporkWitch> (which basically no consumer ISP does)
01:42 < xau> yes, forgotten. I am locked into Win7 on the box
01:43 < xau> hmm
01:43 < xau> I've got "Windows 7 Ultimate", whatever that is
01:44 < xau> are you suggesting, SporkWitch, that Win7 may not actually allow what I'm trying to do?
01:44 < xau> that would actually be great
01:45 < SporkWitch> ultimate would be the most full-featured version, but yes, i don't know that windows supports that. It would be fairly trivial on a real operating system, but it's not something you would normally do on a workstation, full-stop, so it's unlikely it's supported in non-server versions of windows
01:45 < SporkWitch> (at least not without registry hacks)
01:45 < xau> aha
01:45 < xau> my intent isn't to get multiple ip's from my isp
01:45 < xau> it's to funnel wifi clients into a virtual nic that goes to a vpn
01:46 < SporkWitch> and like i said, i don't see the point. Unless you have a separate WAN connection (e.g. DSL backup if Cable goes down) it would be moot anyway. Plenty of SOHO routers support dual-WAN natively, though, if you DO have a second ISP connection to fail over to
01:46 < xau> the point is to funnel wifi users on router #2 into a vpn linked virtual nic
01:47 < SporkWitch> to what end? that won't isolate them from the rest of the network, and if that's what you want, many routers have a guest network option that can also be segregated
01:48 < forgotten> maybe the wifi clients are doing nefarious activity and he doesn't want his ISP seeing that?
01:48 < xau> to this end: so that wifi clients can access the vpn
01:49 < xau> it's blindingly simple, but to explicitly demonstrate that would dox myself
01:50 < xau> thank you SporkWitch, for indicating that my attempts are likely futile, at least on the OS I'm using
01:50 < xau> that helps
01:50 < xau> ty!
01:51 < xau> forgotten my wifi client is an android tv box with access to the googleplay store
01:51 < xau> I want to maintain lol pseudo anonymity while buying apps.
01:52 < SporkWitch> at this point it'd be easier to get a cheap SOHO router that supports running a VPN client and add it in-line to the edge router; anyone connecting is automatically going over the VPN; that might even provide some isolation of that subnet from the other, though i'm not sure how robust it would be
01:52 < SporkWitch> hold on, what?
01:52 < xau> I've tried that already
01:52 < SporkWitch> okay, this has XY Problem written all over it
01:52 < forgotten> xau: so why are you stuck with a windows7 box?
01:53 < xau> 35 years of impossible to unravel interconnected apps and data
01:53 < SporkWitch> that so doesn't answer the question...
01:53 < xau> which question was that, SporkWitch?
01:54 < SporkWitch> your answer doesn't address why you're stuck on win7 for the purposes of this exercise; it explains why you USE windows 7 on SOMETHING, but not its relevance to the situation
01:54 < xau> It does, actually. #realworldfacts
01:54 < xau> thanks again
01:54 < SporkWitch> it's also sounding like you've come up with a fairly convoluted "solution" to a DIFFERENT problem/goal; if we had more information about what the actual end-goal is, odds are a better solution exists.
01:54 < forgotten> why do you have to use win 7?
01:54 < xau> cheers
01:55 < SporkWitch> it really doesn't, kid lol
01:55 < xau> I'm being all caps at
01:55 < xau> gr8
01:55 * xau wanders away
01:58 < forgotten> some people are just do difficult to help
01:59 < forgotten> too*
01:59 < xau> too late #
02:00 < SporkWitch> forgotten: when i am supreme overlord of the universe, remote-face-slapping devices will be mandatory for computer use
02:00 < forgotten> lmao
02:00 < xau> in the meantime you'll have to settle for being you
02:00 < abdulhakeem> I currently have A+, studying for Network+ and was planning to pursue Security+ after that, then CCNA after that. Good idea? Or should I just skip CompTIA and go straight for CCENT/CCNA? My reasoning for pursuing Net+ and Sec+ first is that I need to actually learn the knowledge cuz I dropped my networking major in college (huge mistake) so I gotta actually relearn everything
02:00 < forgotten> xau: try reddit.
02:01 < xau> no thanks, though, for sharing your rage and violence fantasy, and the direct, in your face bullying attempt
02:01 < xau> #lowquality
02:01 < SporkWitch> abdulhakeem: skip net+ and sec+, go for CCNA in place of net+. Much better security certs out there than sec+, but i'd have to do some googling to see what's currently in demand
02:01 < S_SubZero> well, when you can pass Net+ you are ready for moving on to CCNA I guess
02:01 < forgotten> xau: are you just randomly throwing words together ?
02:01 < abdulhakeem> SporkWitch: Should I maybe go CCENT first, then CCNA?
02:01 < S_SubZero> Net+ is also more "generic" so should you land in a place without Cisco stuff, you won't be totally out of your element
02:02 < abdulhakeem> I was thinking Net+ might get me in the door with an entry level networking job while I work on CCNA
02:02 < xau> forgotten: are you just being a dick?
02:02 < abdulhakeem> well net+ and sec+
02:02 < SporkWitch> may be more generic but it's also far less comprehensive. translating from cisco to another OS is a simple google search away
02:03 < forgotten> xau: we're asking legitimate questions about your quest and you are being difficult. When we're trying to help, in our free time, for free. Might want to re-evaluate who's being a dick here.
02:03 < abdulhakeem> I'm in IT right now making 38k but my goal is to transition to networking and ideally make significantly more money
02:04 < xau> I stated clearly at the outset, forgotten, that I was venting, and that I was taking a break. Other people, including you, disregarded my clear statement. It is you who did the solicitation, clearly seeking an easy trolling victim.
02:04 < xau> who happens not to be me
02:04 < xau> read the log
02:05 < forgotten> xau: take your venting somewhere else. People try to help each other here with real problems.
02:05 < forgotten> imo
02:05 < SporkWitch> ^
02:06 < xau> my vent was one line long. the drama was me committing the crime of respecting myself
02:06 < xau> ignored
02:06 < jkemppainen_> The problem is this right here, "that I was venting" -- this is a support community, not a place to throw a temper tantrum.
02:06 < SporkWitch> list an issue on IRC, people are going to respond to it; hell, we pretty much filter out the random cruft and key on actual issues
02:06 < jkemppainen_> So take that nonsense elsewhere.
02:06 < SporkWitch> stupid eternal september >_<
02:07 < abdulhakeem> Does anyone know of cheap/free CCENT/CCNA training? I've been going through Professor Messer's stuff for Network+, is there an equivalent to that?
02:07 < xamithan> udemy has some cheap courses
02:08 < abdulhakeem> oh yeah always forget about udemy
02:09 < jkemppainen_> i've also been looking into CompTIA's stuff
02:10 < jkemppainen_> I plan to do A+ and Linux+
02:10 < abdulhakeem> oh yeah I was thinking of maybe Linux+ too just because I like linux
02:10 < abdulhakeem> but idk how useful/in demand it is
02:10 < forgotten> its useful.
02:10 < xamithan> Depends on area
02:10 < abdulhakeem> long term I'd like to be a linux sysadmin rather than a windows one
02:10 < forgotten> i have linux+, sec+, cysa+, CASP.
02:10 < abdulhakeem> if at all possible
02:11 < forgotten> employers like em
02:11 < jkemppainen_> forgotten: nice
02:11 < abdulhakeem> I know M$ is generally more in demand right
02:11 < xamithan> I gotta take the ccna, ccent, and security+ this year
02:11 < jkemppainen_> forgotten: is Linux+ comparable to anything from Red Hat?
02:11 < abdulhakeem> if you're taking ccna, you don't really need ccent right?
02:11 < xamithan> rhcsa probably
02:11 < xamithan> comparable to linux+
02:11 < jkemppainen_> ahh, right
02:11 < c|oneman> ccnet is 1/2 of ccna
02:11 < S_SubZero> "M$" cuz as we know no other company on earth currently is trying to make any money just MIKKKRO$$$$$$HAFT (three K's cuz racist)
02:11 < forgotten> RHCSA/RHCE are better than Linux+ but it's still good.
02:12 < xamithan> I got the CE I just need more networking
02:12 < forgotten> isn't ccent just the first half of CCNA? so you end up getting that anyway?
02:12 < jkemppainen_> is it really better? I mean RHCSA and RHSE are vendor-specific, Linux+ is vendor-neutral
02:12 < forgotten> it is better because it's practical exams
02:12 < jkemppainen_> ah right, so the actual test is harder
02:12 < xamithan> It is practical, I Know USA values it more
02:12 < forgotten> proves you actually know your shit vs just memorizing stuff
02:12 < jkemppainen_> right
02:13 < forgotten> but ya Linux+ will cover both Yum/rpm based OS's as well as apt/deb based.
02:16 < S_SubZero> I got one of them online BS degrees getting a bunch o' certs and taking classes in stuff I could immediately apply at work. Did a project, the bonus for that covered all of my school costs ^^
02:21 < abdulhakeem> that's the dream lol
02:22 < abdulhakeem> well now I'm conflicted because I've already put so much time into for studying for network+ I feel like I want to finish it, if only for the sake of seeing it through and finishing it
02:22 < abdulhakeem> but now I feel like it might be a waste of time so it kinda takes the wind out of my sails
02:31 < S_SubZero> Network+ is a buzzword on a resume. There's no downside to having it
02:31 < forgotten> abdulhakeem: comptia certs are pretty cheap in the grand scheme of things, so i would just finish it.
02:32 < abdulhakeem> okay thanks for the advice guys :)
02:33 < abdulhakeem> how much do the CCNA exams cost?
02:33 < abdulhakeem> I've never looked into it
02:33 < forgotten> they are pretty cheap too like 170 each i think
02:33 < lupine> nah, the certs are almost as useless as linux certs
02:33 < abdulhakeem> lupine: the CompTIA certs/
02:34 < abdulhakeem> ?*
02:34 < lupine> sure
02:34 < abdulhakeem> well I mean like which are you referring to
02:37 < xamithan> all of them
02:37 < abdulhakeem> all of the CompTIA ones?
02:37 < xamithan> yes
02:49 < ScriptGeek> redrabbit: remember me? we were talking about wifi antennas a week or so ago... Well, I found this one:
02:49 < forgotten> I would somewhat disagree to completely knock all comptia certs
02:49 < ScriptGeek> https://www.amazon.com/NextG-USB-Yagi-Range-antenna-2200mW/dp/B0044D7J1W/ref=pd_sbs_147_5?_encoding=UTF8&pd_rd_i=B0044D7J1W&pd_rd_r=JSJP633V1BSHFGZ4K2A9&pd_rd_w=npoPq&pd_rd_wg=DPNLu&psc=1&refRID=JSJP633V1BSHFGZ4K2A9
02:50 < electromagnetism> ha ha monster antenna man geeeezzzzs cool
02:52 < ScriptGeek> It has a nice tripod that could come in handy with holding it steady while stealing free internet from the coffee shop miles away
02:53 < electromagnetism> reviews are kinda shitty though makes me question it really
02:53 < Maarten> haha, nice antenna. If you live close to a starbucks that might come in handy ;)
02:54 < ScriptGeek> Yeah, you never know, though... But some people write bad reviews when they know very little about the product
02:57 < electromagnetism> I have seen people use this same setup before https://www.amazon.com/Antenna-18dBi-ALFA-Super-Booster/dp/B01G6E6NCM/
03:00 < ScriptGeek> my internet connection seems to have disconnected
03:01 < Maarten> shit happens
03:01 < ScriptGeek> I was checking out those reviews on that antenna... and it kinda looks like a pile of junk
03:02 < Maarten> well... the reality is that wifi is a nice to have convenience, but if you really want internet on a location that is FAR from a router, you run an effing wire and add another AP. :P
03:02 < ScriptGeek> Maarten: and then you flush?
03:03 < ScriptGeek> can't run a wire being a wifi leach
03:03 < rewt> you can do anything if you put your heart into it
03:03 < rewt> just believe in yourself
03:03 < Maarten> of course you can. You just have to have a lot more balls when stealing someone's internet ;)
03:03 < ScriptGeek> I suppose I could be a burglar and install a wire...
03:06 < electromagnetism> yeah google router default pw and just make your own ap name ha ha
03:09 < electromagnetism> there is still free dialup internet you know grab yourself a 56k modem from amazon your set
03:10 < electromagnetism> http://www.netzero.net/free/
03:10 < zamanf> do you know of any way to limit the speed of a udp connection? I know the ip and port
03:11 < Epic|> Put a tight zip tie around the cable
03:11 < c|oneman> you can use downstream policer that drops
03:11 < c|oneman> it probably will work because most applications will react
03:12 < c|oneman> people like to say you can't control UDP
03:12 < c|oneman> because they read it in a book once
03:12 < c|oneman> and by once, I mean 34 times in some stupid course they took
03:12 < c|oneman> I guarantee you if you throttle UDP it will slow down most of the time
03:12 < c|oneman> the app might break, but it will work
03:14 < SporkWitch> yes, if you randomly drop packets it will slow the connection... that's not controlling the connection speed though, and unless you do it at the edge of your network and only care about keeping the traffic from reaching some host INSIDE, it doesn't actually buy you anything, it still takes up the same amount of throughput on the link
03:14 < electromagnetism> like the stock market with the giant rolls of fiber cable used to slow down trades
03:15 < forgotten> i just ordered a pixel 2 :S. the rumors of the pixel 3 say it's gonna suck balls
03:17 < ScriptGeek> what is a pixel 2?
03:17 < Epic|> Phone
03:17 < Epic|> Hyped to the moon and back
03:17 < Epic|> They're ok but I wouldn't pay more than $250 for one
03:17 < forgotten> whats better for $250?
03:17 < electromagnetism> used
03:18 < SporkWitch> forgotten: if it's not too let, switch to the XL. While i Love my Pixel 2, it feels TINY after having a Nexus 6 for so long
03:18 < Epic|> All the phones are shit so... Nothing?
03:18 < SporkWitch> s/let/late
03:18 < Epic|> I paid $240 for my pixel
03:18 < Epic|> I don't feel like I under paid
03:19 < ScriptGeek> It looks better than my old phone, which is about 3 years old
03:19 < forgotten> oh i did get the XL
03:20 < ScriptGeek> I'm thinking I'd like a bigger screen, but I don't wanna spend the money
03:20 < forgotten> i have a pixel now. and it's still in really good shape. so i figure if i drawer it now, i have a kick ass backup phone
03:20 < SporkWitch> forgotten: good call; i wish i shelled out the extra 200. It's still a great phone, but my typos have gone up significantly, and i do miss the larger screen on the nexus 6
03:20 < forgotten> get the pixel 2 while they are still good. and then avoid the crappy pixel 3
03:20 < xamithan> Does netzero work over voip phone
03:20 < forgotten> my nexus 5x completely died, but i had a nexus 4, and nexus 5 before that, which were both really good.
03:21 < SporkWitch> forgotten: if the 100 dollar store credit promo is still going, it's worth picking up a daydream view. I've had a blast with it. Some great games, and watching Plex and Netflix on what amounts to an IMAX screen that doesn't matter what position i lay in bed in is very nice. It's honestly better than i expected the PC stuff to be, and considering the people using the PC stuff say daydream is
03:21 < SporkWitch> shit, i can only imagine how good it'll be when i pick up a vive pro + lighthouse 2.0 this fall
03:21 < forgotten> i has a day dream view already, came with my original pixel for free
03:21 < forgotten> :)
03:21 < Epic|> I'm glad I don't have the xl
03:21 < Epic|> I'd be fine with it being slightly smaller actually
03:21 < SporkWitch> forgotten: oh nice! yeah, that promo expired literally the DAY i got paid and was going to buy one (my nexus 6 was on its way out)
03:22 < forgotten> aw bummer
03:22 < forgotten> i have an old google cardboard too some where lol
03:22 < forgotten> Epic|: thats how i felt with my nexus 5x. then i got the pixel xl and was like... yeah this is better.
03:22 < SporkWitch> forgotten: then the nexus 6 randomly started not charging when plugged in (yet miraculously would charge again if it drained to the point of turning itself off), forced my hand and i got a pixel 2 even though i didn't really want / couldn't really afford it at the time (hence the non-XL). Came with a free google home mini and 100 dollar store credit, so i got the daydream view
03:23 < forgotten> nice
03:23 < forgotten> how you like the home mini?
03:23 < Epic|> I came from a larger phone
03:24 < Epic|> At least my pixel has been durable. It rides in my thigh pocket while dirt biking and it still works fine despite being bent by a barbell
03:25 < SporkWitch> forgotten: for 50 bucks, the sound quality is damned decent. it's USELESS for running searches (it can't do arbitrary searches, so most things respond with "i don't know how to do that.") Makes for a good alarm clock and timer (majority of my use, especially when i work from home, since i can just shout at it without having to pick up my phone or something; even use that for work and the like)
03:26 < SporkWitch> forgotten: i'm limited on what i can explore with the home automation thanks to the usual bullshit terms of leases these days, but i do have a ring doorbell. For some silly reason you can't have it ping the Home when someone rings it, nor can you use it as an intercom, but it does let me quickly check battery status.
03:26 < Epic|> People in the 60s: the govt will wiretap your house, man. People now: hey wiretap, can cats eat pancakes?
03:26 < forgotten> i have a couple things integrated into google assistant. like my Nest thermostat, and some smart light switches. but just use it with my phone
03:26 < forgotten> Epic|: lol ya seriously
03:26 < SporkWitch> (talking to it now, it looks like the ring integration can also list recent activity, e.g. "when is the last time my doorbell rang"
03:27 < forgotten> thats pretty cool
03:27 < Maarten> Epic|, also now: Govt. knows where you phone has been for last 3 years or so. :P (they keep GPS logs)
03:28 < forgotten> you can see all your places you've been on google maps lol if u let it do that
03:28 < SporkWitch> forgotten: it's also pretty good about throwing media to various devices. You can group speakers, but not speaker + chromecast (though you CAN group the audio-only version of chromecast; from talking with support, they're apparently working on that, because if my chromecast is already hooked into my receiver i shouldn't need ANOTHER chromecast to use just the speakers lol)
03:28 < Maarten> yeah that too :P
03:29 < forgotten> https://www.google.com/maps/timeline
03:29 < SporkWitch> Epic|: well assuming google is at least THIS honest, it does have a HARDWARE microphone switch (the mini does; i think the normal "google home" is a software key). Assuming they were honest about it, it is a physical cutoff, not just a "hey turn it off."
03:30 < forgotten> im pissed about google play movies/tv shows..
03:30 < forgotten> can i say hey google play this on netflix on my livingroom tv. done.
03:30 < forgotten> but can't play shit out of my google play library that i've paid for the same way?
03:30 < forgotten> super lame
03:31 < SporkWitch> forgotten: are you asking or saying? because you CAN do that with netflix, youtube, spotify, google play music, and i think at least one other
03:32 < SporkWitch> i've only got like one or two videos through google play, so never actually tested that one
03:33 < forgotten> SporkWitch: im saying
03:33 < forgotten> you can't do it with google play movies
03:33 < forgotten> which is kinda BS imo
03:33 < forgotten> since you can do it with virtually everything else
03:35 < SporkWitch> that is a pretty glaring oversight lol
03:40 < thomas1> exit
03:56 < forgotten> i wrote some remote pcap scripts awhile back. just pulled an hour of pcap off a workstation, worked like a champ. all windows native. i had only ever tried it like 5, 10minutes at a time.
04:05 < oneplane> Linux based - I'm trying to decapsulate and forward a GRE stream that contains ethernet frames and whatever is in them, and while copying raw frames/packets from one interface to another isn't an issue, the decapsulation is. It seems gre or gretap should be able to do this, but when connecting them up to the interface that receives the data they don't seem to catch any of it
05:26 < hweaving> If anyone is awake, I'm confused by some apparent fragment behavior I'm seeing with IPv6 UDP packets
05:27 < hweaving> I have MTU set to a high value on both send and receive sides, but using sendmmsg() the packets appear to result in IPv6 fragment messages according to tcpdump and Wireshark
05:27 < hweaving> e.g. 1500-ish bytes still
05:27 < hweaving> I'm currently googling to see if there's another fragment / MTU setting I might be missing
05:37 < hweaving> Turns out /proc/sys/net/ipv6/conf/ethWHATEVER/mtu needed set as well
05:37 < hweaving> I have two systems directly connected by a cable so I'm not sure if path discovery is messing me up, if the system has an autoconfiguration daemon, or what. It's progress, however!
05:51 < inc0gn1t0> What's a good source on network reverse engineering
05:52 < chezidek> you want to do the hacks?
05:53 < inc0gn1t0> Yeet
05:54 < inc0gn1t0> I wanna be sooper l33t
05:54 < inc0gn1t0> Lol, all jokes aside tho, I'm serious about learning
05:56 < inc0gn1t0> Any good sites or books I should check out?
05:56 < chezidek> reverse engineering kinda refers to software i think
05:56 < chezidek> you probably want pentesting
05:56 < inc0gn1t0> Oh
05:56 < inc0gn1t0> 😶
05:57 < inc0gn1t0> Well I want to know the basic networking things to be able to do neat stuff like anonymity, and tracing people back thru subnets and all that good stuff
05:58 < inc0gn1t0> I have pentesting books, that's for once u have access to a machine. I want to learn all the stuff that comes before. How to find said machine
05:59 < chezidek> just do stuff in a lab :)
06:00 < inc0gn1t0> I don't have a lab
06:00 < chezidek> use vmware / virtualbox
06:00 < chezidek> or GNS
06:01 < inc0gn1t0> Oh. But where can I find good info on finding a machine that's well protected and hidden? Or moreso, to make mine more protected and hidden, so then I can set it up in vm, then find out how to find it
06:05 < TV`sFrank> lol
06:06 < TV`sFrank> Sounds like you're possibly wanting to commit a federal crime
06:06 < TV`sFrank> just make sure it isn't a "Federal interest computer" ;)
06:06 < chezidek> yeah i was serious about using your own stuff or a VM.
06:07 < chezidek> but like... if it's really hidden youre never going to find it
06:08 < chezidek> say it's on tor and configured to only allow connections which have "port knocked"
06:08 < chezidek> so most things you will be on a LAN with (broadcast domain) or it will be something which is public facing (on the internet). there are scanners that scan the entire internet, like shodan.io
06:15 < inc0gn1t0> TV`sFrank: not gonna commit a crime lol, just want the knowledge and ability
06:16 < TV`sFrank> Uh huh. Take it from me the federal authorities don't look kindly on even the attempt...
06:17 < electromagnetism> yeah I tried to use DNS white-listing only, no freaking way too much work what a bad idea, switch everything back now guh hummm stupid I tried I guess...
06:17 < electromagnetism> random post
06:17 < inc0gn1t0> chezidek: I just installed a vm the other day. I'll set it up. Idek what port knocked means... see, these are the type of things I need to learn. And also, I'm more interested in WAN. LAN is easy to pentest
06:18 < inc0gn1t0> TV`sFrank: ooh, what'd u do?
06:18 < inc0gn1t0> electromagnetism: what do u mean by freaking?
06:18 < chezidek> inc0gn1t0: shodan is pretty cool.
06:19 < inc0gn1t0> Wait. Nvm
06:19 < chezidek> most hacks are either someone who knows their shit, or someone who is using a documented vulnerability on some website nobody ever bothered to hack
06:19 < inc0gn1t0> chezidek: I'll check it out
06:21 < inc0gn1t0> How do people like, use ur voip to trace u back to the machine being used?
06:21 < chezidek> output from security software is interesting too, like Nessus, Qualys, or OpenVAS
06:21 < chezidek> on like playstation network?
06:22 < chezidek> any kind of peer to peer networking exposes your IP address
06:22 < chezidek> or can
06:22 < inc0gn1t0> I'll just use an example like kik. Or ps network works too. I want to prevent it
06:22 < inc0gn1t0> Oh
06:22 < chezidek> i thought kik goes through kik servers though, so not sure on that one.
06:23 < inc0gn1t0> It does. But there's people who can trace u back, they say they can find ur subnets? Which idek what that is..
06:23 < electromagnetism> just ranting because if I revert and apply new setting it's going to bring the entire network down applying the new setting blackout time D
06:23 < chezidek> https://www.telerik.com/fiddler check this out. it is a proxy you run on your local network, and you can MITM your own SSL traffic and see what is actually sent where.
06:24 < inc0gn1t0> Awesome chezidek ty
06:25 < chezidek> oh and for kik i cant remember if it has voice chat but it probably uses STUN / TURN so if someone tries to call you it might reveal your IP.
06:27 < inc0gn1t0> I need to look all these things up lol. Complete noob (which is why I joined this channel)
06:28 < inc0gn1t0> It does have voice chat
06:28 < tcpdump> inc0gn1t0: whats the topic?
06:28 < inc0gn1t0> Sorry it sent twice. Lost network
06:29 < electromagnetism> oh the internet web thingies works, no go down humm, oh it killed everything related to local dhcp ohhhhhhh that's not good ....
06:29 < inc0gn1t0> tcpdump: just wanting to learn networking.
Specifically, protecting myself from hacking
06:30 < tcpdump> inc0gn1t0: ah, fun fun
06:30 < chezidek> if someone has no other information about you, and doesn't have a warrant or work for the ISP you use, and you don't have any port forwarding enabled to services which reveal information about you, and you're not committing a crime, your IP is pretty useless
06:31 < inc0gn1t0> Yes, but I still want to know. As pointless as it may seem. Can't be too cautious
06:31 < electromagnetism> until someone spoofs it and you get blamed for what they do
06:32 < electromagnetism> D
06:34 < chezidek> electromagnetism: i guess they could cause a hassle, but you can prove that UDP can be spoofed
06:36 < inc0gn1t0> I use port forwarding services as is. I want to protect my machine
06:36 < electromagnetism> what are you guys hackers or something, hack me to prove it you have my permission to do so, just be respectful if you succeed leave a note or something ha ha
06:39 < inc0gn1t0> I'm not a hacker lol. I only know minimal programming and am just now trying to learn more about networking
06:39 < electromagnetism> lesson 1 disable upnp
06:39 < skyroveRR> lol
06:40 < inc0gn1t0> What is it?
06:43 < inc0gn1t0> Ohh, discovery lol
06:43 < inc0gn1t0> Ok, lesson 2?
06:43 < electromagnetism> universal plug and play a free gift from Microsoft
06:44 < Criggie> automated firewall allows, outside your direct control
06:45 < inc0gn1t0> Criggie: allows what? Are you talking about upnp?
06:45 < Criggie> Yes.
06:45 < chan201_> we love UPNP! right!
06:45 < Criggie> *puke*
06:45 < chan201_> what would be hacker 101?
06:45 < Criggie> no, not really.
06:46 < chan201_> lessone 101.
06:46 < inc0gn1t0> *correction. I know wym by firewalls always allow. But I meant were you still commenting on upnp, or was it another tip?
06:47 < inc0gn1t0> chan201_: lessOne lol
06:48 < inc0gn1t0> So negative 1 + 01
06:48 < inc0gn1t0> Got it
06:48 < electromagnetism> simply saying allows software to forward ports on your router open them up the down side it's poorly implemented most times ports get left open or malicious can use it to it's advantage
06:49 < inc0gn1t0> Exactly what I'm trying to learn to circumvent lol
06:49 < inc0gn1t0> So what's the next tip
06:49 < d1zz> anyone know about this hack for smart tvs that allegedly people put something into their smart tvs via ssiptv, and then get to watch a bunch of free channels (1000) in hd for free
06:50 < inc0gn1t0> Wow. Just get showbox. Smh
06:52 < inc0gn1t0> And back in old cable times. They had the same hacks. Called it a black box
06:52 < inc0gn1t0> You put it into ur direct tv (or w.e) receiver
06:52 < inc0gn1t0> Unlocked all channels
06:54 < inc0gn1t0> But easier to just mirrorcast showbox, which is free
06:54 < Criggie> d1zz: no.
06:56 < inc0gn1t0> So.. next step in protecting my now very fragile exposed ip
06:57 < inc0gn1t0> Hypothetically. And not
06:58 < electromagnetism> use tor
06:59 < electromagnetism> watch blackhat and defcon videos on youtube
06:59 < inc0gn1t0> Tor proxychains, got that part down. Don't know fancy config, just basic setup. However many hops that is.. idk
07:00 < electromagnetism> yeah just dont be an exit node youll get a knock on your door sooner than later doing that
07:01 < inc0gn1t0> I tend to watch defcon stuff. But they don't reveal all, it's just them doing hacks, and showing you how it works. Not showing you little specifics like tips and tricks
07:02 < inc0gn1t0> electromagnetism: how come being an exit node will cause that?
07:02 < Ben64> because random people will be using your ip to do bad things
07:03 < inc0gn1t0> So being an exit is bad then?
I didn't know, I thought it gave you the advantage
07:03 < electromagnetism> humm twit.tv security now show sometimes some good stuff lots of rambling about junk though
07:04 < Ben64> using tor in general will bring more attention to you
07:05 < inc0gn1t0> Oh well. We're past that bridge. So, now that I'm Super exposed.... What's my next step lol
07:05 < Ben64> what's your goal
07:06 < inc0gn1t0> The best anonymity and protection for my not so hypothetical machine
07:07 < Ben64> anonymity from who
07:07 < inc0gn1t0> All
07:07 < Ben64> not possible
07:07 < electromagnetism> he want to secure his network and learn about networking and security related hackey stuff but he's noob 101 "no offense" he seems like a cool guy
07:07 < inc0gn1t0> To the possible extent
07:07 < Ben64> you could use a vpn, then your isp couldn't see what you're doing, but the vpn and everyone past that could
07:08 < inc0gn1t0> I take no offense
07:08 < Ben64> you could use tor, but that's heavily monitored
07:09 < Ben64> or you could just not route your traffic through somewhere else and have full speed
07:09 < inc0gn1t0> I was considering a VPN, but didn't know a good free one to trust. Then heard of OpenVPN. Which is me controlling it. But I would need to learn how to secure it, as it's open-source and vulnerable
07:10 < Maarten> "free" and "good" seldom go together
07:10 < inc0gn1t0> I know.. sadly
07:10 < inc0gn1t0> But OpenVPN is free and recommended
07:11 < Maarten> yeah, that just means you build your own VPN server, which can work.... depending on your needs.
07:12 < electromagnetism> best way to use openvpn if you're new is to buy a router that supports it out of the box asus, linksys, if you set it up yourself without knowing anything guh not good too complicated
07:12 < inc0gn1t0> Yes. So only I see my traffic.
But if I wanted to make a cloud VPN server, I heard it's really open to attack and I would need to learn countermeasure (saelw a hak5 tut)
07:13 < inc0gn1t0> *saw
07:13 < inc0gn1t0> I have a linux machine that will run OpenVPN already
07:13 < Ben64> but everyone past the vpn can still see your traffic
07:14 < inc0gn1t0> That's fine though, isn't it?
07:14 < Ben64> then why isn't it fine to not use a vpn
07:16 < electromagnetism> yeah hack5 and anything you see on youtube is most likely dated old news not really relevant as of date watch stuff with the thought you're watching yesterday's news
07:16 < inc0gn1t0> Wait, so VPN allows protection by hiding your traffic right? So wouldn't everyone past the VPN see it anyways? Google would see the VPN accessed the site, not me
07:16 < Maarten> it really depends on your goal.... if your goal is to prevent your own ISP from snooping, yeah you can build a VPN tunnel to a server outside the ISP, and then go onto the internet. But from that VPN server to your destination, anyone can snoop in on the traffic.
07:17 < kopper> inc0gn1t0: Although VPN provider who says they are not logging anything are most likely logging your traffic
07:18 < inc0gn1t0> kopper: but OpenVPN, only you are logging it I heard
07:18 < kopper> True but then the traffic is originating from IP address you own
07:18 < kopper> VPN is not a privacy tool
07:18 < Maarten> VPM
07:19 < inc0gn1t0> Maarten: and is there a way to hide the other side of the VPN?
07:19 < inc0gn1t0> The outside traffic
07:19 < electromagnetism> yeah with keys and user names passwords, I have a few openvpn server and I log everything
07:20 < Maarten> inc0gn1t0, a point to point VPN. You can build a tunnel between you and someone else, and no one will be able to sniff the traffic going between them. Of course that limits you to your own private network and the other side's private network, not the internet. - I think we need to establish what exactly your end goal is here....
07:21 < inc0gn1t0> Maarten: ^ THAT. That's my goal
07:22 < Ben64> really? doesn't seem like it
07:22 < inc0gn1t0> Point to point
07:22 < inc0gn1t0> Point to point
07:22 < inc0gn1t0> (Also, how to do point to point wifi without internet)
07:22 < inc0gn1t0> Well, it's one of them..
07:23 < khp> hi, perhaps i have a misunderstanding somewhere: my pc has two NICs eth0 eth1 with another computer on each end, i created a bridge br0 over eth0 and eth1, dnsmasq bound to br0; both edge-computers get an IP addr, i can ping both from the pc with br0, i cannot ping edge computer 1 from edge computer 2
07:24 < khp> linux
07:24 < electromagnetism> hum open wifi ----> openvpn server that takes bitcoin--->>> tor ---->>> another openvpn server that takes bitcoin ----> tor again ---> the internet layers man layers
07:24 < inc0gn1t0> And with point to point, the other side could access a site, and said site won't know you accessed it?
07:24 < khp> arp all fine
07:25 < inc0gn1t0> I like layers.
07:25 < khp> on the edge computers, they know each others mac
07:25 < inc0gn1t0> I was thinking of VPN to tor, but that'd be slow af
07:26 < Ben64> you don't seem to get 'point to point'
07:26 < Ben64> it would be like home office <-> vacation house
07:26 < Ben64> no internet
07:27 < Ben64> although, anyone who cared would see encrypted traffic between the points
07:27 < inc0gn1t0> Ben64: yes, I want to know point to point without internet. But I also want to know how I'd protect a VPN server as well. (I kinda mixed all the questions together.)
07:27 < inc0gn1t0> Srry
07:28 < Ben64> you should forget about vpn
07:28 < inc0gn1t0> Why
07:28 < Ben64> because you don't know why you want it
07:28 < Ben64> which means you don't need it
07:28 < khp> I'm an idiot: iptables -A FORWARD -s $net -d $net -j ACCEPT
07:29 < khp> didnt know you have to this with a bridge
07:29 < khp> +do
07:29 < inc0gn1t0> I do know why.
I want to make a VPN server to hide traffic from snooping eyes on open networks
07:29 < Ben64> but it doesn't
07:30 < inc0gn1t0> Then what does
07:30 < Ben64> nothing
07:30 < Ben64> until you own all the hops between you and your destination, treat it all as public
07:31 < Maarten> inc0gn1t0, so... OpenVPN server on location 1, OpenVPN server on location 2, and use the internet connections on both locations to create a tunnel between them, and done..... only thing you need to be sure of that location 1 and 2 have different local subnets. E.g. you can't be both 192.168.1.x, because there would likely be conflicts. :P
07:31 < electromagnetism> there really isn't anything you can do on the internet that anyone would care about really
07:33 < inc0gn1t0> Ok. I get your point now. But how do i better protect it? Encryption? And a VPN will help protect me on open networks. The traffic will go back to VPN server (which is why I want to protect it)
07:33 < HEROnymous> electromagnetism, is that so?
07:33 < inc0gn1t0> Maarten: thank youuu
07:33 < HEROnymous> inc0gn1t0, just use Tor, but learn to use it correctly or else it's not worth using it at all.
07:34 < Ben64> forget tor, slow and flags you
07:34 < HEROnymous> you can have anonymity or fast. pick one.
07:34 < Ben64> but it's not even anonymous
07:34 < HEROnymous> as far as "flags you", once again, learn to use it properly.
07:34 < HEROnymous> no one is responsible for you if you do it wrong "flag yourself".
07:36 < inc0gn1t0> That's the type of stuff I want to know, the tips and tricks, to start with. I mentioned idk how to do any fancy tor config, or "use it properly". Imma noob
07:36 < inc0gn1t0> But Ben64 seems to know his shit too. So I wanna know the other non tor options too
07:36 < electromagnetism> HEROnymous: I don't know what he's trying to do, sounds kinda overly paranoid that's why I said that lol who knows...
07:36 < HEROnymous> inc0gn1t0, a fancy Tor config is the last thing you want.
go to torproject.org and start reading. there's plenty of documentation on there that explains how to use Tor safely.
07:37 < HEROnymous> electromagnetism, I'm not one to judge. ;)
07:38 < inc0gn1t0> electromagnetism: no lol. I just wanna go all in :P
07:38 < Ben64> just use https and dns over https if you like, boom, secure
07:39 < inc0gn1t0> What if the police was watching me? I need more security, what else could I do?
07:39 < HEROnymous> dns over https is still a ways out as far as end-user implementations, sadly
07:40 < Ben64> inc0gn1t0: you'd be fucked any way
07:40 < inc0gn1t0> Ok, but to hypothetically prevent said fucked, how could I better protect
07:40 < Ben64> you couldn't
07:41 < Ben64> hence fucked
07:41 < electromagnetism> yeah dns 4.2.2.1 4.2.2.2 there's some new one 1.1.1.1 forget 8.8.8.8 and 8.8.4.4 my opinion
07:41 < HEROnymous> inc0gn1t0, if the police are watching you, then you need an attorney, not better inet security. if you know you're being surveilled and trying to find ways to evade it to continue illegal activity, then you are a super idiot and will get what you deserve.
07:41 < HEROnymous> electromagnetism, I'd generally recommend 9.9.9.9 and/or 1.1.1.1, as the others you mentioned are run by for-profit enterprises that make money from the data that those collect.
07:41 < inc0gn1t0> I already use for and they said it will flag me and get a knock on my door, I'm using the scenario
07:41 < inc0gn1t0> *tor
07:42 < luxio> run your own dns
07:42 < electromagnetism> opennic
07:42 < HEROnymous> luxio, while that's often ideal, it's not always possible and often beyond the capacity of most n00bs.
07:42 < HEROnymous> inc0gn1t0, once again, if you have reason to believe you're being surveilled, then you need to seek the advice of an attorney.
07:43 < luxio> HEROnymous: everyone is being surveilled
07:43 < luxio> why only surveille certain people when you can surveille everyone
07:43 < HEROnymous> luxio, not in any meaningful sense.
07:43 < luxio> i mean some high-interest people might have their own personal nsa drones or something
07:44 < inc0gn1t0> HEROnymous: I said in using the scenario they mentioned. Calm ur ass down lol. I'm not under surveillance, or doing illegal shit
07:44 < HEROnymous> anyhow we're talking about someone being the subject of an active investigation.
07:44 < inc0gn1t0> No
07:44 < HEROnymous> inc0gn1t0, what country are you in that you're worried about being "flagged" for using Tor ?
07:44 < inc0gn1t0> Better security against better attackers
07:45 < inc0gn1t0> HEROnymous: that's what they told me man, scroll up
07:45 < HEROnymous> if you're actually in a censorship state, then you should be looking into finding a trusted entry bridge to use Tor via.
07:45 < inc0gn1t0> What's an entry bridge? Like a vpn?
07:45 < HEROnymous> No.
07:45 < HEROnymous> torproject.org, read docs.
07:46 < luxio> the tor launcher has a special button you press for if you're in a censorship state
07:46 < inc0gn1t0> Neat
07:46 < Ben64> note - tor doesn't stop attackers from hacking you
07:46 < inc0gn1t0> Obviously
07:47 < inc0gn1t0> I just want to help better prevent it
07:47 < Ben64> it does nothing
07:47 < luxio> inc0gn1t0: that's not the point of tor
07:47 < HEROnymous> inc0gn1t0, imho until you decide what vectors you're worried about it's difficult to give you good, specific advice
07:48 < inc0gn1t0> I'm getting lots of good advice
07:48 < HEROnymous> if you just want to become better at things in a general sense, you should start studying, a lot, from the beginning just like most of us did.
07:48 < inc0gn1t0> I know know 2 things I wanted to learn
07:48 < inc0gn1t0> *now know
07:48 < HEROnymous> and my best advice in that regard is always to find an entry level networking job with a good mentor.
07:49 < electromagnetism> ok lesson 2 don't use Windows
07:49 < HEROnymous> that's a pretty crappy lesson.
07:49 < inc0gn1t0> Ok, if a networking entry job is out of question, how do i learn?
Any good sites or books? (My original question)
07:50 < electromagnetism> lesson 1 was disable upnp on your router
07:50 < inc0gn1t0> I don't use Windows. Except my new laptop for some gaming. I rarely go online with it
07:50 < HEROnymous> inc0gn1t0, depends - I can think of lots of good books, but they tend to be vendor specific. you could try the CCENT study materials.
07:51 < HEROnymous> CCENT tends to be pretty general as a starting point
07:51 < HEROnymous> but it does stupid things like refer to classful ipv4 addressing >:>
07:51 < Ben64> still?
07:51 < HEROnymous> yeah
07:51 < Ben64> : /
07:51 < inc0gn1t0> HEROnymous: ok thanks
07:52 < HEROnymous> a lot of certs and stuff do - my wife took A+ a few months back and it had some too. but its ipv6 stuff was surprisingly decent.
07:52 < inc0gn1t0> electromagnetism: ya, I remember lesson 1 lol
07:52 < Ben64> when i took all my stuff, ipv6 wasn't in it at all :D
07:52 < HEROnymous> the last time I took a cert test was for solaris 7 in like 2000, so eh
07:52 < inc0gn1t0> I have some 2017 cert study guide books as pdf. I don't remember what they're for tho
07:53 < HEROnymous> electromagnetism, if you have a "router" that runs upnp you should probably just replace the "router" with something decent.
07:53 < inc0gn1t0> Oh shit, shots fired
07:53 < inc0gn1t0> Lol
07:54 < electromagnetism> what router do you have? I know gargoyle has a point and click openvpn setup ui and tor setup ui
07:54 < HEROnymous> lots of people run garbage "consumer grade" internet devices that are problems just waiting to happen
07:54 < HEROnymous> electromagnetism, at home? Juniper SRX320.
07:54 < electromagnetism> https://www.gargoyle-router.com/
07:55 < electromagnetism> flash your router hours of fun and learning
07:55 < HEROnymous> meh. just another lede/openwrt/ddwrt type thing.
07:55 < inc0gn1t0> I don't know these routers. I just have whatever the cable guy installed...
:/
07:55 < HEROnymous> go get yourself a ubiquiti ER-X or something, at least.
07:56 < HEROnymous> inc0gn1t0, was his name... larry?
07:56 < inc0gn1t0> Probably not
07:56 < HEROnymous> weak.
07:56 < inc0gn1t0> It was Carey
07:56 < inc0gn1t0> Jim
07:56 < electromagnetism> HEROnymous: Oh I was talking to nic0gn1t0 ,,, sorry about that ....
07:56 < inc0gn1t0> The og cable guy
07:57 < HEROnymous> inc0gn1t0, hahah, I've seen that movie but do not remember it ;>
07:57 < mast> The cable for this server console is $130
07:58 < inc0gn1t0> I just remember he was like a crazy obsessed stalker that worked in a satellite dish
07:58 < HEROnymous> mast, what kind of cable is that ? some kind of breakout kvm cable?
07:58 < mast> It is the cable for a APC AP5017
07:58 < HEROnymous> are you sure it's not just a serial cable?
07:58 < mast> Just a cable. Bunch of plastic and metal, $130
07:59 < electromagnetism> HEROnymous: nice router though https://www.amazon.com/Juniper-SRX320-Security-Services-Appliance/dp/B01INYMQTC
07:59 < HEROnymous> mast, oh, yeah, some kinda proprietary console thing :/
07:59 < inc0gn1t0> What makes them worth that much? Why are they so special?
07:59 < mast> Translation: greed :)
08:00 < HEROnymous> electromagnetism, yeah I'd go through a legit juniper var if you want one though, not that weird amazon seller :/
08:00 < mast> Nothing. Nothing whatsoever. APC could have put VGA and PS2 outputs on the thing, and it would have made no difference whatsoever other than to APC's bottom line
08:01 < HEROnymous> mast, is it DB25 on the back? you could probably figure out the pinout and defeat them if you had some time, some crimpers, and... some time
08:01 < mast> haha so much time
08:01 < electromagnetism> HEROnymous: software date city https://www.cvedetails.com/vulnerability-list/vendor_id-874/Juniper.html
08:01 < electromagnetism> *update
08:01 < inc0gn1t0> Why are these routers so great? What sets them apart from a basic $20 router?
08:02 < HEROnymous> electromagnetism, every reasonable vendor has plenty of security updates. nothing unusual about that.
08:03 < HEROnymous> inc0gn1t0, an SRX? it's an actual router and security device. it can speak a number of routing protocols, provide decent vpn throughput, etc etc. it's not a great choice for a networking newbie though, you'd be better off with a ubiquiti device that has a web interface.
08:03 < mast> And some well meaning fellow has done a pin out video of it, but failed to attach the datasheet of his pin out success
08:03 < electromagnetism> HEROnymous: yeah true, I'd buy it I think it's awesome actually I want one $500 though ugh
08:04 < inc0gn1t0> I sense shade lol
08:04 < HEROnymous> electromagnetism, also if you don't have a gigabit connection the 300 series is pretty overkill.
08:05 < HEROnymous> I've got a 60/15 cable connection and a gigabit fiber connection at home and need to do policy-based routing between them
08:06 < electromagnetism> HEROnymous: What's that buzz word "future proof", I buy stuff just because I think it's cool I have that problem lol
08:07 < inc0gn1t0> Ok, what steps would an advanced attacker take to anonymize themself with a basic setup?
08:07 < inc0gn1t0> Just dns and tor?
08:07 < electromagnetism> step 0 buy a router
08:07 < inc0gn1t0> Lol
08:08 < inc0gn1t0> You're amusing. But you did teach me one of the 2 main things I wanted to know😊
08:10 < HEROnymous> using isp cpe is not ideal
08:11 < electromagnetism> inc0gn1t0: HUmmmm do you have a raspberry pi ?
08:11 < inc0gn1t0> But if they had a shit router, what types of services would be used for online anonymity? And what countermeasures would they take to protect themselves?
08:12 < inc0gn1t0> A raspberry? Like that old phone thing? Pda
08:13 < electromagnetism> you're making this hard lol
08:13 < inc0gn1t0> I'm totes jk.
Yes, I have one lol
08:13 < inc0gn1t0> The new pi3 b+
08:13 < electromagnetism> https://pi-hole.net/
08:13 < inc0gn1t0> Haven't really played around much in it tho
08:14 < inc0gn1t0> I know about pi hole
08:14 < inc0gn1t0> That's just for adblocking
08:14 < inc0gn1t0> Isn't it?
08:15 < kopper> inc0gn1t0: Wardriving for open wireless networks to be used for their stuff, maybe
08:15 < kopper> Not using IP address which has their name on it, anyway
08:16 < electromagnetism> hum I'm trying to think of easy things to tell you
08:16 < inc0gn1t0> Ok, so I could access another router to use as first step? (Smart) How would u get around the open networks nat
08:17 < inc0gn1t0> Or would u just use the NAT ip
08:17 < kopper> NAT doesn't give you any protection
08:18 < inc0gn1t0> Then why do they use it?
08:18 < kopper> To be able to extend lifecycle of IPv4
08:18 < inc0gn1t0> It stops u from accessing the router directly right?
08:18 < electromagnetism> well you don't want to double nat, nat new router enabled disable nat on your isp router
08:22 < inc0gn1t0> No double dipping, got it
08:24 < inc0gn1t0> But I've heard of honeypot, that are like a trap NAT aren't they? When someone tries to attack, their inside it where you can see everything they do
08:24 < inc0gn1t0> *they're
08:27 < linuxmodder> not always
08:27 < linuxmodder> some are training pots
08:28 < kopper> Or production machines
08:28 < linuxmodder> and some can even be for filtering your native traffic ( think of an ASA as a honeypot in some configurations)
08:28 < electromagnetism> a line tap
08:33 < inc0gn1t0> Ah ok
08:33 < electromagnetism> inc0gn1t0: (Frankfurt, Germany) ?
08:35 < inc0gn1t0> So if I wanted to use new router which was an open network, but I was only on the NAT..say I wanted to remote connect to that machine later, how would I do this? It's protected, could someone plant an ssh service? Would u need to bypass NAT?
08:36 < inc0gn1t0> electromagnetism: why u find me? How?
08:37 < kopper> inc0gn1t0: /whois inc0gn1t0, checked IRC server you're connected to
08:37 < inc0gn1t0> That's what I mean, I'm all super exposed and fragile lol
08:38 < electromagnetism> ha ha that's not correct that's just freenode crap ,, mine says I'm Amsterdam which is not right either....
08:38 < inc0gn1t0> U caught me
08:39 < kopper> Since you confirmed it when he asked
08:39 < inc0gn1t0> Or did i throw off and obfuscate? Lol
08:40 < kopper> "Nice save"
08:40 < inc0gn1t0> I'm not in Germany :P
08:40 < electromagnetism> ha ha
08:40 < inc0gn1t0> Usa
08:40 < electromagnetism> us here too
08:40 < electromagnetism> ptd is my isp
08:40 < electromagnetism> my ip 75.97.137.118
08:40 < inc0gn1t0> I should be sleeping. Gotta work early af
08:40 < electromagnetism> hack me
08:41 < inc0gn1t0> I have about 5 hours left till I wake up lol
08:42 < electromagnetism> yeah work and save for a router man
08:42 < inc0gn1t0> I can't do haxx0r
08:42 < inc0gn1t0> Lol
08:43 < inc0gn1t0> Haha shaddup. Stop router shaming me
08:43 < Ben64> GeoIP City Edition, Rev 1: US, PA, Pennsylvania, Mountain Top, 18707, 41.123501, -75.968597, 577, 570
08:43 < Ben64> GeoIP ASNum Edition: AS3737 PenTeleData Inc.
08:43 < Ben64> you're hacked now
08:44 < inc0gn1t0> Lol
08:45 < inc0gn1t0> What did you use to get that Ben64
08:45 < Ben64> leet haxor skills
08:46 < inc0gn1t0> Lop.
Psh, Just googled the ip
08:46 < electromagnetism> ha ha in range of a nuke I guess, ip look up,
08:46 < inc0gn1t0> *lol
08:46 < Ben64> nope no google
08:46 < Ben64> hint - look at the beginning of the line
08:46 < linux_probe> lol
08:47 < linux_probe> everyone is in range of a nuke or nuclear issue
08:47 < linux_probe> , # deal with it and move on
08:47 < electromagnetism> lol
08:47 < inc0gn1t0> Ben64: what line
08:47 < linux_probe> lets not forget everyone is in range of random gun fire/bullet strike at any time also
08:48 < Ben64> inc0gn1t0: they both start the same
08:49 < inc0gn1t0> I must be too tired, I'm lost
08:50 < inc0gn1t0> Hitting me with riddles here
08:51 < electromagnetism> when you hack my desktop and leave a text note 4 me then I'll be impressed feel free to keep the 29 bitcoins for your efforts D
08:51 < electromagnetism> here ya go
08:51 < Ben64> why would i leave a note, i'd just take the btc
08:52 < inc0gn1t0> Lol
08:52 < linuxmodder> he would need the address, he of course uses cold wallets and 2fa or mfa on his wallets
08:52 < inc0gn1t0> True. No clues left. That's dirty work
08:52 < linuxmodder> or gloating
08:53 < electromagnetism> ha ha that was my trick to get you back and my bitcoins along with all yours
08:53 < Ben64> will be interesting once we have systems that can break btc
08:54 < inc0gn1t0> How could leaving a note be traced back?
08:55 < Ben64> because you sign your name at the bottom
08:56 < inc0gn1t0> Oh of course
08:56 < electromagnetism> hummm arch updated today, bitcoins /ramdisk/leprechaun waiting 4u ...
08:57 < linux_probe> shitcoins
08:58 < inc0gn1t0> Cd/ potofgold.
08:58 < linux_probe> only thing shitcoins is = crookery
08:58 < inc0gn1t0> I can't find it
08:58 < inc0gn1t0> *cd /potofgold/
08:58 < linux_probe> *foolsgold**
08:58 < linux_probe> ")))
08:59 < inc0gn1t0> Night y'all, thanks for the assists
08:59 < electromagnetism> have a good one...
09:03 < electromagnetism> I should stop saying that crap, getting kinda old, no one was ever capable of anyway, not even ddos, humm ZZZzzz
10:06 < mast> goddamn
10:06 < mast> I just spent like two hours trying to work through the pinout of that ridiculous cable
10:18 < Arpanet69> mast, pinout of an utp cable?
10:18 < mast> No some bullshit proprietary APC console server cable
10:18 < TV`sFrank> A cable to connect bacon to clowns?
10:23 < mast> Nothing special about it except that APC wanted to max out their bottom line
10:24 <+xand> APC love stupid cables, like the 10-pin-but-looks-like-RJ45 ones for some UPSes
10:26 < bezaban> hah. yeah. $oldjob I had an apc cable in my secret stash of useful gadgets
10:27 < bezaban> since they would just end up in with the other console cables and had to dig them out
11:35 < djph> xand: where only two or three pins actually *do* anything
11:36 <+xand> yeah but I think it uses the end ones to scupper use of rj45
11:37 < djph> something like that. Been a while since I've gotten one of those. The big one I put in the rack has a proper serial port (although the server's serial port seems damaged, or at least fubar in BIOS)
11:52 < iamtherealme> hey all. Anyone know of a good way of testing a network connection over time without putting real traffic on it? I want to understand the quality of the connection between 2 DCs
11:53 <+xand> iperf
11:53 < djph> ^
11:55 < iamtherealme> well that was simple enough :)
11:55 < iamtherealme> thanks
11:55 < iamtherealme> does that just measure bandwidth - or can it also pick up other things like occasional packet loss?
12:00 < djph> it's mostly for bandwidth ... though I'm not an expert in all the potential uses
12:14 < zamanf> is it possible to set speed limits for a specific ip address in ubuntu?
12:15 < zamanf> specifically for the udp protocol
12:22 < djph> don't thing so
12:22 < djph> *think
12:44 < ^7heo> hi catphish
12:44 <+catphish> hai
13:05 < mAniAk-_1> zwamkat: with iptables and/or tc
13:31 < lithiumpt> anyone has access to fortigate firmwares?
13:39 < wiresharked> lithiumpt: Fortigate, is that a manufacturer of routers?
13:42 < lithiumpt> yes
13:42 < lithiumpt> routers/firewalls/accesspoints
13:43 < wiresharked> OK, so those are for enterprise networks?
13:44 < lithiumpt> mostly yes
13:45 < Gollee> lithiumpt: what firmware are you looking for?
13:45 < lithiumpt> they only allow firmware downloads for customers with a valid support contract
13:45 < lithiumpt> 5.2.13
13:45 < Reventlov> Hi.
13:45 < lithiumpt> for FWF-40C
13:45 < lithiumpt> (FortiOS)
13:46 < Reventlov> Searching for 802.11ac usb dongle compatible with the monitor/promiscuous mode, to use on Linux
13:46 < Reventlov> any recommendation ?
13:55 < Alexander-47u> hi
13:55 < Alexander-47u> i want long distance wifi, any cheap solutions for client side?
13:58 < wiresharked> Alexander-47u: I think 802.11ac would work
13:58 < Alexander-47u> long distance ;p
13:58 < Dalton> 11b?
13:58 < Dalton> :P
13:59 < wiresharked> Alexander-47u: A netgear range extender would work
13:59 < Reventlov> Alexander-47u: ubiquiti
13:59 < Reventlov> with a directional antenna, and that's it.
13:59 < Alexander-47u> need outdoor wifi, that goes at least 100 m or more
14:00 < Reventlov> (btw long distance can be 5 km)
14:00 < Reventlov> https://www.ubnt.com/airmax/bulletm/
14:01 < Reventlov> and if you want more distance, https://www.ubnt.com/airmax/airgridm/, but for 100m, well
14:01 < Reventlov> that's a little bit overkill. But, 100m is not interesting, it's more about what there is on the path between the access point and you, in those 100m, that's interesting.
14:05 < Alexander-47u> thanks guys
14:06 < Alexander-47u> yes some km's would be fun of course xD
14:06 < Alexander-47u> but I'm looking for a cost-effective solution (being cheap)
14:08 < Reventlov> Alexander-47u: then, get a "directional" antenna, with a 802.11 ac adapter, and multiple streams (mimo)
14:08 < detha> Cheap solution: stick any cheap router/AP in an old icecream tub, glue it to the roof, run cables through window, *earth well*
14:09 < detha> 100m is very short distance, almost anything should do that
14:09 < Reventlov> depends what there is, on these 100 meters.
14:09 < Reventlov> If it's reinforced concrete, too bad for you
14:09 < Reventlov> if it's line of sight, yeah.
14:12 < djph> detha: or a UAP-AC-M ...
14:12 < djph> detha: least then, you're not fighting with a cheap router to turn it into an AP
14:12 < detha> true
14:16 < Alexander-47u> yes, but i was talking about client side
14:16 < Alexander-47u> receiving
14:16 < djph> "good luck"
14:21 < redrabbit> Alexander-47u: alfa awus036h
14:21 < redrabbit> you will be happy
14:21 < redrabbit> 100%
14:21 < redrabbit> 100m is nothing
14:21 < redrabbit> i did 750m with it
14:22 < redrabbit> also tested in earthquake proofed house
14:23 < redrabbit> with 3 of these thick ass concrete + iron wire walls AP and antenna
14:24 < redrabbit> between*
14:24 < redrabbit> its not fast.
14:24 < redrabbit> it goes far
14:24 < Alexander-47u> 750m? thats far
14:25 < Alexander-47u> what kind of antenna did you use?
14:25 < redrabbit> yagi
14:25 < Reventlov> alfa awus036h
14:25 < Reventlov> lol
14:25 < Reventlov> this shit is not even doing 802.11 ac
14:25 < Simeri> lol
14:26 < redrabbit> 14:24 < redrabbit> its not fast.
14:26 < Alexander-47u> fast is not important, i need to go far, for cheap
14:26 < Reventlov> The only upside is that it supports monitor mode
14:26 < redrabbit> Reventlov: quit trolling its a beast card for cheap.
14:26 < redrabbit> ;)
14:27 < Reventlov> redrabbit: i'm not trolling
14:27 < Reventlov> we're in 2018, 802.11ac is out since 4 years
14:27 < Reventlov> it's time to move on.
14:27 < redrabbit> no
14:27 < Reventlov> (also, it's 1W, but it's not authorized in all country to go this far)
14:27 < Reventlov> for example, in france, you can only use it legally up to 300mW
14:27 < redrabbit> it has use cases
14:28 < redrabbit> 14:26 < Alexander-> fast is not important, i need to go far,
14:28 < redrabbit> these
14:29 < Reventlov> and for these, using the antenna that comes with the awus036h seems like a bad id.
14:29 < Reventlov> It's omnidirectional.
14:29 < redrabbit> for 100m its fine
14:29 < Reventlov> oh shit
14:29 < Reventlov> it's not even supporting 802.11n
14:29 < redrabbit> ᴖᴗᴖ
14:29 < Reventlov> redrabbit: yet again, we do not know what is in those 100m.
14:30 < Reventlov> So, yeah, its fine unless it is not.
14:30 < Reventlov> But, well, !bailout.
14:30 < detha> Alexander-47u: with clear LoS, <1km isn't far. this is far: https://imgur.com/a/ZPOtB
14:30 < redrabbit> this card will do the trick
14:30 < Alexander-47u> yes, but remember, i am being cheap :P
14:31 < Alexander-47u> the awus is a good one I guess
14:31 < redrabbit> yes
14:35 < purplex88> is there something called average download speed per second?
14:36 < Gollee> no
14:36 <+xand> speed per second would be acceleration
14:38 < Kingrat> acceleration would be speed per second per second, speed per second would be velocity
14:39 <+xand> velocity is the same as speed but with direction
14:41 < Alexander-47u> redrabbit: what about those chinese signal king things xD?
14:48 < purplex88> but we can have average bit rate
14:53 < detha> purplex88: in one minute, 10 cars drive over a stretch of highway at 100km/hr. the next minute, 40 cars drive over that same stretch of highway, also all doing 100km/hr. What was the speed of cars on that stretch of highway? What was the average speed?
14:54 < djph> detha: since time is infinite, the average speed is zero.
14:55 < purplex88> 100 km/hr
14:55 < detha> djph: since space is also infinite, the average speed is infinity/infinity, i.e. whatever you want it to be
14:56 < djph> detha: but you forgot to account for the fact that there is no life in the universe with which to measure the speed.
14:57 < detha> djph: you been playing that paperclip game by any chance? The one where you convert all dead and living matter in the universe into paperclips?
15:00 < purplex88> tell me if a graph like this makes sense: https://www.dropbox.com/s/nuuz2otjq8n1vmy/Graph%20average%20bit%20rate.png i used "average" bitrate instead of just bitrate.
15:01 < purplex88> units of file size and rate can be anything
15:01 < purplex88> but the question can we have "average bit rate" shown like this..
15:04 < detha> If your measurements are "how long does it take to transfer a file of size X over a link", plot the samples for values of X, and fit a curve through it, yeah
15:04 < djph> detha: no, I fell asleep reading Hitchhiker's Guide last night
15:05 < purplex88> detha: what will it mean if I replace "average bitrate rate" with just "bit rate" ?
15:06 < detha> it would mean instead of looking at the total time to transfer the file, you are looking at bitrate during some sample interval, 1 second, 0.01 second, ....
15:06 < purplex88> so average bitrate something like the bitrate in say 5 seconds?
15:07 < purplex88> average bitrate can't be a bitrate in one second, right?
15:08 < purplex88> if one second is smallest unit of time
15:08 < detha> average bitrate will always be over a certain amount of time. Just bitrate assumes that it stays constant over your measuring interval
15:12 < djph> if you take readings at 1s intervals, you will know the *actual* bitrate at the time you read. You calculate the average bitrate by "(sum of all datapoints) / (number of datapoints)"
15:14 < ne2k> purplex88, you cannot really have instantaneous bitrate at all because bits are discrete. so all meaningful bitrates are averaged over an amount of time
15:15 < ne2k> I may just have made that up
15:16 < djph> ne2k: "I got N bits in $timeframe"
15:17 < ne2k> djph, yes, exactly, it's over an amount of time. unlike with a continuous variable like speed, where you can determine the speed of something at a specific instant, you cannot have a bitrate at an instant
15:18 < ne2k> a bit is either transmitted or it is not
15:19 < ne2k> this is, however, bordering on the metaphysical
15:19 < djph> ne2k: same as speed / velocity
15:20 < djph> err ... wait no, getting things crossed up, MORE COFFEE
15:20 < djph> bitrate is simply "how many things passed 'right here' in the past N time'
15:20 < mAniAk-_1> bitrate of a 1G interface is 1G, there's just gaps between packets if it's not fully utilized, so you need to get an average over time to get something useful
15:21 < djph> mAniAk-_1: yeah, I think the question is how to calculate "actual bitrate" as opposed to "physical bitrate"
15:22 < djph> e.g. a freeway with speedlimit Y "always(tm)" allows cars to travel at speed Y ... but if there's only 1 car / hour, is the car-rate really Y
15:41 < phre4k> hey guys, it seems that when I'm connected to my UBNT EdgeRouter via OpenVPN, DNS doesn't work. How do I push the DNS server in openVPN config?
15:41 < djph> push-dns ?
15:43 < Aeso> phre4k, I'm not familiar with the EdgeRouter software, but a couple of generic questions: Is the DNS server listening on an interface on your VPN subnet? Is the firewall configured to allow that traffic into the router?
15:43 < phre4k> Aeso: yes and yes
15:43 < phre4k> I tried "--push dhcp-option DNS 192.168.70.1"
15:48 < djph> phre4k: seems ovpn uses the config file option push "dhcp-option DNS " and also possibly push "redirect-gateway def1"
15:48 < djph> although, I set it in the config file, not on runtime-switches
15:48 < phre4k> oVPN client says: "PUSH: Received control message: 'PUSH_REPLY,[…]dhcp-option DNS 192.168.70.1"
15:49 < phre4k> djph: so it seems to have gotten the push for DNS, but somehow it's not used?
15:49 < phre4k> if I do nslookup servername in Windows, it still tries to query the local DNS
15:50 < djph> hell if I know what windows will do
15:50 < phre4k> hm, network details show that it got the DNS server -.-
15:51 * variable looks at ne2k
15:52 < phre4k> W T F now it works
15:52 < phre4k> Windows is some weird OS, I tell ya
15:52 < djph> true
15:53 < Epic|> They're all weird
16:06 < phre4k> Epic|: you might be right
16:07 < Epic|> Fact of the universe. No might about it bruv
16:16 < ne2k> variable, ?
16:28 < ||cw> phre4k: probably just the local cache expiring. try ipconfig /flushdns next time
16:30 < phre4k> ||cw: thanks for the info :)
16:36 < Guest151> If you don't have a firewall on the system, are all ports open by default?
16:36 < Guest151> I guess the question is when is a port opened?
16:37 < ||cw> Guest11838: a port is opened when an application listens on it. a firewall protects you from apps that listen when you don't want them available
16:38 < ||cw> dan01: ^
16:38 * ||cw grumbles at too many guests
16:39 < dan01> so as long as nothing is listening on a port, it
16:39 < dan01> it's safe?
16:40 < genec> dan01: without a firewall to drop it, default behavior will be to return an ICMP message indicating the port is closed
16:40 < ||cw> technically, yes, but can you really guarantee that some app won't start listening at any time?
16:40 <+catphish> dan01: yes, but good practice is to filter ports that aren't in use
16:41 < dan01> I was just wondering what is the chance that average Joe gets hacked, when he obviously only runs a browser and solitaire
16:42 <+catphish> dan01: if you don't run any services, you're pretty safe, the problem comes when people run services by accident, or don't realise their OS runs them by default
16:42 <+catphish> for many years windows ran filesharing by default, it was horribly insecure
16:44 < dan01> catphish: ah, like wannacry? hehe
16:45 <+catphish> windows default services have been hacked so many times now :)
16:45 < dan01> I guess it exploited that on Windows XP machines
16:45 <+catphish> hence pretty much nobody runs desktop clients without a firewall any more
16:46 < dan01> Any recommendations as where can I learn more about firewalls and network traffic in general?
16:46 < redrabbit> experiment
16:47 < ||cw> furthering the issue is that many consumer routers have upnp on by default, which means if a PC does get malware it could easily open a port, ask the upnp, phone home, then listen for botnet commands
16:47 <+catphish> just experimenting is indeed a good way to start
16:47 <+catphish> dan01: read up about TCP and UDP for starters
16:47 <+catphish> those will give a good idea of how network packets are used in general, and how you might filter them
16:48 < mAniAk-_1> ||cw: like it matters if they already own something on your network
16:48 < ||cw> and it can do all this without local admin rights. turning off the local firewall would need admin rights.
16:48 < ||cw> mAniAk-_1: not necessarily.
16:48 < ne2k> UPnP is hideous
16:49 < ||cw> botnets are a serious problem, and don't need any hacks, just have to get the user to run something.
16:49 <+catphish> u like upnp, no idea why it gets so much hate
16:49 <+catphish> *i
16:49 < mAniAk-_1> sure, but upnp is bad for other reasons
16:49 < dan01> ne2k: is UPnP subject to attacks?
16:50 < ||cw> upnp is handy on a home network, but you have to keep an eye on it
16:50 < djph> holy shit yes
16:50 < mAniAk-_1> like shit you have on your network becoming accessible from the internet, if they
16:50 < mAniAk-_1> 're already in upnp doesn't matter
16:50 <+catphish> i don't get it, if upnp only accepts requests from the target host, i don't see why it would ever be a problem
16:50 < dan01> djph: I'd like an article on that :)
16:51 < strive> Disabling UPnP on a firewall helps too.
16:51 <+catphish> helps with what?
16:51 < ||cw> catphish: it allows applications to listen on the internet without the users permission
16:51 < strive> Automatically adding rules
16:51 < dan01> Is uPnP not only accessible from the inside network? What's the problem then?
16:51 <+catphish> ||cw: if you're at the problem where you have untrusted code running on your machine it's game over anyway
16:52 <+catphish> *at the point
16:52 <+catphish> i seriously doubt many viruses are using inbound connections for C&C anyway
16:52 < ||cw> ok, upnp is a lot of things. we're specifically talking about the feature where a user space application can add a port forward on the firewall with nothing more than a polite request, no auth, no user interaction
16:52 <+catphish> so it should only be legitimate apps listening for reasons the user wants
16:52 < kopper> dan01: Here's something https://www.howtogeek.com/122487/htg-explains-is-upnp-a-security-risk/
16:53 <+catphish> yeah, talking specifically about the ability for an application to open its own inbound firewall rules
16:53 < djph> dan01: it's a service that allows a requester to set up NAT and poke holes in a firewall ... with nothing more than a "hey, I'm the host at $IP_ADDRESS, please forward $port to me"
16:53 < mAniAk-_1> kopper: that article is shite though
16:53 < genec> dan01: poor UPnP implementations allow outsiders to control it. a malware infection could spontaneously use UPnP and open things you don't want open.
16:53 <+catphish> imo the problem is bad implementations
16:54 < genec> dan01: POOR implementations are accessible from the outside.
16:54 <+catphish> an app opening its own firewall rules should be ok in most cases
16:54 < djph> catphish: uh, have you ever seen a "good" implementation of UPnP?
16:54 <+catphish> but a bad implementation that allows this to be triggered by something outside would be disastrous
16:54 < tds> Is it possible to spoof the source of the upnp messages and expose a large amount of internal infrastructure to the internet at once?
16:54 < idnc_sk> there is no insentive to do "good implementations"(tm) of any protocols these days
16:54 < ||cw> anyway, keeping up with security updates and running a local firewall prevents it.
16:54 <+catphish> tds: on some bad routers yes
16:54 < redrabbit> incentive*
16:55 < idnc_sk> ouch
16:55 < kopper> mAniAk-_1: That's why it's the first result I guess
16:55 < redrabbit> you are right though
16:55 < redrabbit> people dont care
16:57 < idnc_sk> apparently, data === oil + 80:20 rule in regards to development vs security(or features vs security)
16:57 < redrabbit> there's more value to push a product on the market faster
16:58 < redrabbit> (not for the consumer, ofc)
16:58 < tda> i totally get that. most consumers won't care about something until it's #trending
16:59 < idnc_sk> +if someone skilled enough targets you directly, you are fcked anyway, but it is still worth while making the data-collection en-masse harder
16:59 < tda> if your customers want to buy crap, you sell them crap
17:00 < redrabbit> idnc_sk: idk about that
17:00 < idnc_sk> this argument is often used by eco-nacis & co to drive home the notion that its us, those stupid fat consumers that do all the harm in this world
17:00 < redrabbit> theres various levels of skill needed
17:00 < idnc_sk> no its not
17:01 < redrabbit> its not that easy even if you know your shit
17:01 < idnc_sk> I dont want to change my LCD screen every 2y because of a under-* capacitor
17:01 < redrabbit> if your target is a bit hardened
17:01 < idnc_sk> redrabbit: of course its not easy(if you are targeted, almost impossible)
17:02 < redrabbit> only thing that ever worked on me was ddos
17:02 < redrabbit> skill-less bs
17:03 < idnc_sk> what I'm saying is, it is still worthwhile to make at least surveillance en-masse harder(security-by-obscurity is a very effective strategy, or, can be)
17:03 < shtrb|laptop> lol
17:03 < shtrb|laptop> I like your belief it is even possible to make it "harder"
17:04 < shtrb|laptop> mofo, put you on a list if you use ssh / or non standard websites
17:04 < idnc_sk> by not buying spy-devices for 1000$ a piece and sleeping with them
17:04 < idnc_sk> for example :P
17:04 < idnc_sk> ehm, I ment smartphones
17:05 < idnc_sk> *meant
17:05 < redrabbit> dont use fb
17:05 < idnc_sk> a more grammar-minded person must have a hard time now
17:05 < idnc_sk> *grammar-sensitive
17:05 < idnc_sk> ^^ redrabbit
17:05 < idnc_sk> thats a good start
17:06 < shtrb|laptop> You can't really use an old school phone these days (cashless society) , maybe some places can but that is not the norm these days
17:06 < shtrb|laptop> fb uses you
17:06 < idnc_sk> I'm using one, but I still have a blu studio g in my bag just in case
17:06 < idnc_sk> which is one of the more famous spyphones
17:07 < shtrb|laptop> Something something location_update message
17:07 < shtrb|laptop> and if you think your operator doesn't share that data I have bad news for you
17:07 < redrabbit> even old phones track you
17:07 < redrabbit> so, whatever
17:07 < shtrb|laptop> that is what I was trying to say
17:07 < idnc_sk> I know, but they have far far less options to do so
17:07 < shtrb|laptop> Ever wondered how come the moment you enter a shopping mall you get an ad as a message ?
17:08 < redrabbit> america ftw
17:08 < redrabbit> we dont get this shit here (eu)
17:09 < shtrb|laptop> sweden is almost cashfree society , you can't get an insurance without a phonenumber (and I think without an email)
17:09 < shtrb|laptop> you can't even use your own cash to buy stuff in the store (there is a limit on the amount of cash you can use in a transaction )
17:09 < idnc_sk> cashfree does not necessarily mean less freedom, but in every major implementation today this is exactly the aim
17:09 < shtrb|laptop> (spain)
17:10 < lupine> welp, time to move
17:10 < idnc_sk> where
17:10 < idnc_sk> khazakstan or mongolia
17:10 < idnc_sk> in the middle of nowhere
17:10 < shtrb|laptop> to less oppressive regime ? Syria ? Somaliland ?
17:11 < idnc_sk> hey that was not a joke(khaz + mongolia)
17:11 < idnc_sk> + syria is not an oppressive regime, it happens to be an obstacle on someones geopolitical path
17:12 < shtrb|laptop> Yes, I wish to see a modern IRC user who would trade to live in nowhere
17:12 < idnc_sk> true + us&co did all kinds of crazy shit on populations in the middle of nowhere
17:13 * shtrb|laptop just imagine himself trying to get WiFi reception somewhere in mongolia
17:14 < idnc_sk> data is sparse but only based on what we can get from 40-60y ago, us or ussr - a lot of ***
17:14 < shtrb|laptop> you know 40 years ago is 1978 and not 1960 yeh ?
17:16 < idnc_sk> yup, thats the worrying part, you may tell yourself that today, nobody would *dare* to do experiments on human populations whether remote or living in urban areas
17:16 < lupine> no, it's definitely happening
17:16 < idnc_sk> then you came across a few documents from not that long ago
17:17 < lupine> also, I am living on a tiny archipelago between norway and iceland
17:17 < lupine> internet gets everywhere these days yo
17:17 < idnc_sk> iceland -> on my to-visit list
17:18 < shtrb|laptop> It's all for the common good ( someone's good )
17:19 < idnc_sk> the most disturbing part of this all, there are actually good, well meaning people who get manipulated to do this crazy shit
17:19 < idnc_sk> for some "greater good"
17:19 < shtrb|laptop> Just think that in not so many years you would see Goitre coming back in California - because fuck old school knowledge
17:19 < idnc_sk> of course, there must be a lot of psychopaths involved
17:21 < idnc_sk> couple of months I actually met a girl whose sister (a biology PhD) worked @monsanto in holland
17:21 < idnc_sk> *couple of months ago
17:21 < idnc_sk> *netherlands
17:22 < idnc_sk> she was actually ashamed of that, never mentioned her work, and never ever mentioned any details even to her sister(in the pharmacy field)
17:24 < idnc_sk> [1] World Science Festival 2016 > It's Alive, But Is It Life: Synthetic Biology and the Future of Creation > Tom Knight | Drew Endy @1:17:00 – 1:22:00 is a very good example how good, well-meaning people are being manipulated (in this case not by mere “race-to-the-best-servitude” and/or “passivity” but by doing Evil disguised as a form of “greater good”)
17:29 < b0bby__> hey
17:29 < b0bby__> anyone good with programming and the socks5 protocol?
17:29 < b0bby__> I'm working on a server and ran into some trouble
17:29 < shtrb|laptop> ##C++-general
17:29 < King_DuckZ> hi, I have a problem with scp/rsync and someone suggested it might be due to my mtu being < 1500 - this http://paste.debian.net/1019583/ seems to confirm this hypothesis, though I don't understand why ping is failing even though netstat says 1500 for wlp1s0 (note that ping -M want succeeds)
17:29 < shtrb|laptop> sorry
17:34 < djph> are you trying to rsync out over the internet?
17:35 < Poster> The pings may be failing if the target or intermediate systems disallow larger echo requests
17:36 < djph> or if it's something simple like pppoe or something
17:42 < idnc_sk> wondering whether I was shadow-banned or just plain OT
17:42 < idnc_sk> I'd never trust freenode
17:42 < idnc_sk> to do any real good
17:43 < idnc_sk> but still
17:47 < King_DuckZ> djph: scp, yes
17:48 < King_DuckZ> Poster: but if I understand correctly, then ping should also fail with -M want, or am I wrong?
17:51 < King_DuckZ> Poster: as I understand it, if some intermediate node fails ping will report the first node that failed, but the error I get means the local mtu is < 1500
17:51 < King_DuckZ> and the difference between -M do and -M want is that do will enforce whole packets even locally
17:51 < King_DuckZ> am I getting it wrong?
18:02 < shangul> where could I find information about commands which I could use when telneting to my router/modem?
18:02 < grawity> your router/modem's manual, if it has one
18:02 < ||cw> shangul: in your router's manual. or type "help" and see what happens
18:02 < grawity> if it doesn't, try "help"
18:03 < grawity> if it says "-sh: help: command not found", ls /bin /sbin
18:03 < hweaving> General problem: I am using sendmmsg() and recvmmsg() to do high-bandwidth IPv6 UDP tests. The sendmmsg() side works great, letting me do up to 4 Gbps without much issue before CPU saturation.
18:03 < shangul> ||cw, what if I could find anything in the manual?
18:03 < ||cw> shangul: then you're in unsupported territory
18:03 < hweaving> However, the recvmmsg() side appears to be dropping a ton of packets, and tcpdump reports packets dumped by kernel. Any tips on general causes for that?
18:04 < shangul> perhaps people have done some hacking on these routers
18:05 < ||cw> shangul: perhaps. google it? you didn't tell us what router....
18:05 < shangul> grawity, help just shows a list of valid commands. Doesn't say anything about syntax of each command
18:05 < ||cw> shangul: now do "help {command here}"
18:05 < ||cw> have you ever used a cli before?
18:06 < shangul> ||cw, as I said help just gives me a list of valid commands. it even does not list sub-commands of a command
18:07 < shangul> It's a TD-W8901N
18:07 < shangul> <||cw> have you ever used a cli before? => I think so
18:08 < ||cw> and you didn't find https://wikidevi.com/wiki/TP-LINK_TD-W8901N_v1 ?
18:08 < ||cw> with a link to the manual?
18:09 < ||cw> good luck breaking your router :P
18:09 < shangul> I thought you were talking about the manual found in the CD which comes with device
18:09 < ||cw> always go for the latest manual.
18:10 < degenerate> Anyone got any suggestions on a remote power switch?
18:10 < ||cw> the cds are worthless unless you have no internet at all
18:10 < degenerate> i occasionally need to remotely reboot a server
18:10 < shangul> but thanks. the manual on that page helps
18:10 < shangul> ||cw, and that seems an interesting website!
18:10 < tda> degenerate: https://vignette.wikia.nocookie.net/en.futurama/images/a/a8/Finglonger.jpg/revision/latest?cb=20071229220020
18:11 < ||cw> shangul: it's the first result for "TD-W8901N telnet"
18:11 < grawity> degenerate: doesn't the server have a BMC?
18:11 < grawity> degenerate: like iLO/iDRAC/IPMI
18:11 < shangul> ||cw, I didn't google well
18:11 < degenerate> grawity its not a real rack mount server, its just a pc we use as a server
18:12 < grawity> does it have Intel AMT?
18:12 < grawity> does it wedge completely or just lose networking?
18:12 < tda> PDU with remote access?
18:14 < degenerate> we have remote ssh to that particular server disabled. its acting as a router, and i don't like it getting hammered all day with ssh probes.
18:15 < degenerate> occasionally it locks up, and i can't VPN into it anymore.
18:15 < degenerate> pfsense makes me wanna cry. i think i'm just gonna switch to mikrotik
18:16 < grawity> we did that, now mikrotik makes me wanna cry more
18:16 < degenerate> LOL
18:18 < grawity> hardware-wise it was a definite upgrade (from 5 seriously obsolete x86 PCs to two rackmount routers), but at least ospfd on pfsense didn't wedge the entire routing table every 3rd boot
18:18 < hweaving> Are there any pitfalls with recvmmsg() in regard to receive buffers I have to set in the program, for example? I believe I have a ton of OS buffers increased as needed extrenally
18:18 < hweaving> externally*
18:18 < grawity> (fortunately that's still remotely rebootable)
18:19 < grawity> otoh, the one pfsense I *did* keep (a fresh install on HyperV) keeps forgetting how to purge old states every few weeks and I have to reboot it via console...
18:19 < bray90820_> if my linkspeed is 1gbps would it be faster to copy the files with SSH or would it be faster to put both hard drives in a dock and copy them with esata both drives would be running on the same esata cable
18:19 < ||cw> degenerate: you can run ssh on an alternate port :)
18:20 < bray90820_> And that would help how?
18:20 < bray90820_> Oh sorry I didn't see the ping
18:21 < ||cw> bray90820_: ssh has encryption overhead, and depending on your esata and dock and drives you might get 6Gbps
18:22 < ||cw> but the cable and dock almost certainly support 3Gbps
18:23 < bray90820_> ||cw: So using the Hard Drives would be faster?
18:23 < ||cw> almost certainly
18:23 < bray90820_> Alright thanks
18:24 < ||cw> I mean, if it's old sata 1.5, maybe not...
18:24 < ||cw> but still maybe
18:24 < hweaving> Is anyone here familiar with /proc/sys/net/ipv6/WHATEVER/mtu?
18:24 < hweaving> I have two direct connected systems for bandwidth testing, no router, and yet that value gets reset occasionally
18:24 < hweaving> so I'm wondering if some sort of weird MTU detection attempt is happening.
18:28 < Apachez> https://www.coolstuff.se/C64-Mini-Spelkonsol
18:29 < Apachez> this will be fun: http://defence-blog.com/news/russia-suddenly-puts-troops-alert.html
18:30 < hweaving> Wrong channel?
18:30 < Apachez> na
18:30 < Apachez> that shit will affect my routing
18:36 < Apachez> sheldon russian edition found http://englishrussia.com/wp-content/uploads/2018/04/DZ2ymqTXkAAA4nf.jpg
18:44 < hweaving> Yet another recvmmsg() oddity: I send 4 UDP IPv6 messages in a burst. recvmmsg() returns 4. All is good, right?
18:44 < hweaving> However, the mmsghdr structure shows msg_len == (correct value) for the first entry of msgvec, but msg_len == 0 for the remaining 3 messages
18:44 < hweaving> Any ideas why?
18:45 < Corko> the remaining three messages were blank? :P
18:45 < hweaving> Nope :(
18:46 < hweaving> All 4 are the same size, actually
18:46 < hweaving> Corko: I just double checked in Wireshark and every packet I am sending is virtually identical
18:46 < hweaving> I assume I'm misunderstanding how recvmmsg() is supposed to work so I'm digging further
18:47 < Corko> good luck, and godspeed
19:05 < hweaving> Yeah the last three mmsghdr entries do not appear to have any data populated...I'm gonna dig in the kernel source
19:13 < skyroveRR> I've got two routers, .140.158 and .140.147, each having its own separate gateway, let's say .158 has 1.2.3.4 and .147 has 4.3.2.1. I've got a machine, .140.145, and the ping to 8.8.8.8 works fine if the default route on .140.145 is set to .140.158, but not if the default route is set to .140.147..... any ideas?
19:14 < grawity> please to tcpdump
19:14 < ||cw> skyroveRR: but 147 routes properly itself?
19:14 < skyroveRR> ||cw: yes.
19:15 < skyroveRR> grawity: one sec.
19:15 < ||cw> then verify it's setup to route correctly
19:15 < skyroveRR> grawity: http://paste.debian.net/1019601/
19:16 < grawity> skyroveRR: try separately on the incoming and outgoing interfaces
19:16 < grawity> I'd also add -e just to make 100% sure it's going to the correct gateway's MAC
19:17 < skyroveRR> I don't have the -e option for ping..
19:18 < grawity> you have the -e option for tcpdump
19:18 < skyroveRR> Oh
19:20 < skyroveRR> Ok, seems like the traffic is going out just fine, but I'm not seeing anything on .140.145, there's no return traffic that .140.147 is seeing.
19:21 < grawity> what's the nexthop *of* .140.147?
19:21 < skyroveRR> http://paste.debian.net/1019602/ :ae is the MAC address of the wlan0 interface of the raspberry pi (.140.147) and :72 is the mac address of .140.145.
19:22 < hweaving> Anyone know the best LXR at present? The lxr.linux.no one is giving me an internal error
19:22 < skyroveRR> grawity: 192.168.225.1.
19:23 < grawity> skyroveRR: can you tcpdump on that?
19:23 < grawity> or, also
19:23 < grawity> when the outgoing traffic is going via .140.147, might the return traffic be going into .140.158?
19:23 < skyroveRR> Ok
19:23 < skyroveRR> I've got somewhat of a complicated ruleset actually, grawity
19:24 < skyroveRR> Let me paste you that ruleset.
19:24 < grawity> iptables has -j TRACE, nftables has meta nftrace
19:24 < skyroveRR> I have this in the routing table http://paste.debian.net/1019603/
19:24 < skyroveRR> BUT!
19:25 < skyroveRR> If I remove the second line, it should pass through the .225.1, right?
19:29 < skyroveRR> grawity: still there?
19:38 < hweaving> It looks like I may have to trace this to the kernel level or something
19:39 < hweaving> Every example I can find, plus the source at https://lxr.missinglinkelectronics.com/linux/net/socket.c#L2248
19:39 < hweaving> suggests that msg_len should be filled out for each entry
19:40 < hweaving> Instead, I get something like "2000 0 0 0" whether I use flags or not
20:03 < linux_probe> so, chinese slave kids are considered renewable energy now? https://www.zdnet.com/article/apple-were-now-powered-by-100-percent-renewable-energy-worldwide
20:04 < oneplane> I want to decapsulate GRE traffic and forward the result on to another interface
20:04 < oneplane> but gre and gretap on linux don't see the incoming traffic at all, rcdcap wants ERSPAN and ipdecap doesn't work well on 64-bit systems :(
20:05 < hweaving> OK, figured it out
20:05 < hweaving> The extra message buffers didn't have iov_len set ahead of time in the iovec structures.
20:06 <+catphish> oneplane: a simple gre interface should work as long as the gre packets are addressed to the host
20:07 < oneplane> that's what I thought, but it seems to ignore all packets (can see them with tcpdump on the eth coming in)
20:07 <+catphish> oneplane: 1) check your firewall 2) check your routing table
20:07 < oneplane> packets are arriving at the host
20:07 <+catphish> check you didn't typo the endpoints on the interface definition
20:07 < oneplane> copied/pasted them from the addresses shown by tcpdump to be sure
20:08 <+catphish> if it still doesn't work, paste your "ip addr" and "iptables-save"
20:08 <+catphish> oh, and the tcpdump
20:08 <+catphish> and maybe i can spot the problem
20:08 < oneplane> what was that packet website again for packet dumps?
20:08 <+catphish> its not free any more
20:08 < oneplane> aw :( ok
20:09 <+catphish> just use tcpdump
20:09 < drac_boy> hi
20:09 <+catphish> hello
20:10 < drac_boy> just curious but do the cisco racks from a few years ago have any kind of physical intrusion switch or not so much? like I mean would it know if you took the entire top off of the 2u router
20:11 * catphish shrugs
20:11 < epitamizor> drac_boy, nooo lol
20:12 < oneplane> https://hastebin.com/asuzojileg.pl
20:12 < linux_probe> lulz.. https://www.zdnet.com/article/cisco-security-russia-iran-switches-hit-by-attackers-who-leave-us-flag-on-screens/
20:13 < oneplane> i'm using gretap instead of plain gre because inside the gre packets are ethernet frames, then ip, then tcp/udp etc.
20:13 < drac_boy> epitamizor thanks, was just curious re stripping the board out and basically rehouse it in something else diy
20:13 < oneplane> but using gre tunnel doesn't work either
20:14 < epitamizor> the only physical security chip is the TPM
20:14 < drac_boy> ah ok
20:16 < grawity> latest Linux supports ERSPAN
20:17 < grawity> apparently there are several kinds of GRE, iirc gretap isn't the same protocol as mikrotik's eoip :(
20:17 < oneplane> yeah, saw that in ip_gre.c
20:18 < oneplane> the problem here is vmware pretending to speak ERSPAN, but the traffic that actually comes in has no ERSPAN headers at all and is just Etherframe-IP-GRE-Ether(again)-IP-tcp/udp-application
20:19 < oneplane> wireshark reads it correctly as does tcpdump, but I can't seem to get any tap, gre endpoint or GRE stripper to work on this, except my own version in python but that is obviously too slow
20:20 < oneplane> wireshark/tshark/tcpdump seem to agree that this must be GRE 0 that is used for transparent ethernet bridging, but that doesn't seem to be a widely documented protocol or use case except from IETF RFCs
20:20 * drac_boy pings the local 2611 seller for a low price then
20:22 < oneplane> I do like that Alexey Kuznetsov wrote a lot of salty comments in ip_gre.c; apparently Cisco isn't doing things correctly according to the RFC they created themselves :p
20:23 < grawity> why would they
20:23 < grawity> if the RFC is just an excuse to pass it as an "open protocol"
20:23 < oneplane> ;-)
20:27 < jamesc> grawity, can you help me visualize the CORS relationship with this outbound websocket
20:27 < jamesc> i am still on the same problem i put to the channel yesterday
20:28 < hweaving> OK with the recvmmsg() issue solved, now I'm up to the next issue, determining the most likely cause of "packets dropped by kernel" per tcpdump
20:28 < jamesc> i am in a browser session that has actually 10 or so outbound websockets to my remote server, if i make a get request over that websocket from the server to the browser session, i get a CORS violation
20:29 < oneplane> catphish, I'm trying a higher kernel just in case the few changes between 4.9 and 4.14 have more GRE flexibility
20:29 <+catphish> oneplane: sorry, got distracted, i'll look at your paste now
20:29 < jamesc> why does that incur a violation and not if I made the request directly from the browser in a different tab
20:29 < oneplane> catphish: no worries mate, just thought I'd let you know my results might change ;-)
20:30 < jamesc> like for example, if you navigate to http://buckeye-lab.smartrg.com/prime-home/control-panel/login?device=1CABC0:1CABC09732D0
20:30 <+catphish> they won't
20:30 < oneplane> oh :(
20:30 < jamesc> anyone can do it
20:30 < jamesc> it will resolve
20:30 < jamesc> but if I try to do that through my websocket it engages CORS
20:30 < grawity> jamesc: because that's literally the whole point of CORS
20:30 < jamesc> ok, i apologize i am just having a bit of time trying to see what is going on
20:31 < grawity> also the websocket doesn't really matter here
20:31 < grawity> it doesn't matter whether the "make get request" command arrives via websocket, or whether it's been coded in the page's JS from the beginning
20:31 < jamesc> ok
20:32 <+catphish> oneplane: i don't know gretap i'm afraid, just regular gre
20:32 < oneplane> I'm trying regular gre as well
20:32 < oneplane> does regular GRE in iproute2 have an opinion regarding what's inside the GRE packets?
20:32 < jamesc> in my understanding CORS is about the request originating from a domain that is allowed
20:33 <+catphish> oneplane: i don't think it cares what's inside
20:33 <+catphish> it just decapsulates them, then you can do whatever you like
20:33 < oneplane> yeah, that's what I normally get with normal GRE, but this vmware fake-erspan doesn't play ball :(
21:42 < hweaving> Debugging further. sendmmsg() jumbo packets sent to recvmmsg().
21:42 < hweaving> ifconfig and ethtool aren't reporting any dropped packets or overruns that I can tell. The change in received packets = the change in sent packets on the other system.
21:43 < hweaving> However, my app that's calling recvmmsg() is only getting roughly 1/3 of the packets I'm sending, even though this is only about 100 Mbps (6,000 UDP packets per second)
21:43 < hweaving> Any idea where the packets might be silently vanishing if recvmmsg() isn't giving me errors?
21:46 < hweaving> There's barely any CPU core load.
21:49 < hweaving> /proc/net/udp6 is reporting the missing packets under the "drops" column, so that's a clue
21:53 < hweaving> I'm thinking SO_SNDBUF and SO_RCVBUF may be too low
21:56 < AndrewMock> What is the catch here (other than sketch source): https://www.ebay.com/i/122603690508
22:00 < Zexaron> Hello
22:01 < Zexaron> Is it possible to do some deep level tracking on windows, like, I have this hosts file setup and I think I made a mistake and it's blocking some WAN locations, but there's many and I can't figure out which one it is
22:02 < Zexaron> So if I could scan what happens under the hood to give me a clue
22:04 < ||cw> AndrewMock: you still need SFP+ adapters or cables
22:10 < xamithan> wireshark
22:10 < Zexaron> no
22:10 < Zexaron> usually that's blocked before it reaches wireshark
22:10 < Zexaron> i mean, redirected
22:11 < Zexaron> it's below at the OS level, lower than apps
22:11 < genec> Zexaron: a hosts file should ONLY affect 1 host per entry. not sure how that's done
22:11 < xamithan> Then you'll need an external device that does DPI. I don't see why you can't just remove the entry that is blocking it manually though
22:12 < genec> Zexaron: did you try stripping out your hosts file to see if that actually resolves the issue? sounds like it won't
22:12 < ottomatik> Hello and sorry for this stupid question. I picture tcp ports as virtual ports. According to this representation, is the whole tcp segment delivered to the port or just the payload?
22:12 < Zexaron> yeah i should try that heh, i was wondering for days what it could be, just thought of this now
22:14 < genec> ottomatik: the app that has the socket only gets the payload
22:15 < ottomatik> genec, so only the payload gets delivered to the port?
22:15 <+catphish> AndrewMock: 10G NICs aren't that expensive these days, add the cost of the optics, and it's quite reasonable, switches are still quite expensive though
22:16 < Apachez> https://www.backblaze.com/blog/hard-drive-stats-for-2017/
22:16 < hweaving> Confirmed, increasing SO_SNDBUF and SO_RCVBUF to 1MB each (2MB internally) eliminated the drops at the current bitrate.
22:16 < genec> ottomatik: yeah. otoh, if you PCAP the interface, you'll see the whole kit and kaboodle
22:17 <+catphish> ottomatik: tcp creates a virtual "stream" of data, the stream (data only) is delivered to the application that requested it
22:17 <+catphish> ottomatik: the whole packet is delivered to the port, but the OS removes and processes the headers
22:17 < ||cw> hweaving: 1MB sounds really small for 10G, IDK what's common tho
22:19 < hweaving> ||cw: I'm on a 100G connection so I'm going to increase it further
22:19 < hweaving> but I also don't know what's common
22:19 < genec> hweaving: I was thinking buffer when I read it. buffering and reduced interrupts are definitely required for high speeds
22:19 < ottomatik> Catphish, i was wondering in my representation, the virtual port receives the whole packet or the data only
22:19 < genec> hweaving: 100Gbps or 100Mbps???
22:19 < hweaving> genec: Any tips for reduced interrupts? I'm assuming I might have to adjust core affinity for where the interrupts are handled
22:19 < hweaving> genec: 100Gbps
22:19 < hweaving> copper direct connect
22:19 <+catphish> ottomatik: i don't really understand your representation, so can't answer
22:19 < ||cw> hweaving: I mean, that's only 100 jumbo packets
22:20 <+catphish> ottomatik: perhaps don't try to re-represent TCP, and just look at the actual packets, once you know how it works, you can picture it however you like :)
22:20 < ottomatik> Catphish, simple representation where tcp ports are like switch ports
22:21 < genec> hweaving: a QSFP28 DAC? well, you did say 100Mbps before...
22:21 < grawity> but are they like that at all?
22:21 < hweaving> genec: I was testing at low rates because of the loss, but now I'm cranking up
22:21 < hweaving> sorry about the confusion
22:22 <+catphish> ottomatik: stop trying to imagine it like that, it's simply not how tcp works
22:22 < plagerism1> I have a conundrum. The server team recently upgraded a Windows server from 2008 to 2012. The software on this machine posts transactions to another webservice. After the upgrade the webservice began returning 500. After further testing with packet captures everything appeared identical in the requests. The only difference we see is that the request from the 2008 server contained 3 packets, and the 2012 server had 5, two additional packet
22:22 <+catphish> ottomatik: there's an OS to consider that processes the packets and extracts their payload
22:22 < genec> hweaving: yeah, drill into the adapter driver. your interrupts will be bound to a socket. short of a complex NIC, you will be bound to a core.
22:23 < ottomatik> catphish, ok, thank you
22:23 < genec> ottomatik: how about this. there's layers. each API layer peels another layer of headers off/on as things move up/down
22:23 < plagerism1> Any thoughts on why the 2012 server might be producing those two small packets? I guessed lso, but that doesn't make sense
22:23 < hweaving> 4 Gbps no loss with 2KB IPv6 UDP packets! Much better :D
22:24 < hweaving> CPU is feeling it though
22:25 < genec> hweaving: at large frames it's easier. at tiny 64B frames, you have to take measures to reduce to ~32k interrupts per second AND reduce how many times you copy within RAM
22:25 < Aeso> <3 polling, zero-copy drivers
22:26 < Apachez> depending on arch the x86 have roughly 250k interrupts per core
22:26 < hweaving> genec: I'm hoping the sendmmsg() and recvmmsg() system helps with the copy stuff, yep
22:26 < Apachez> polling will increase pps with about 4x
22:26 < hweaving> Zero copy is probably in my tons of tabs to research :P
22:26 < Apachez> but at the same time also increase missed packets during peaks
22:26 < genec> Aeso: even polling gets pricey polling too often
22:26 < hweaving> Apachez: Would you disagree with a recvmmsg() approach?
22:27 < Apachez> one major drawback with polling is that your cpu pumps electrons at 100% (and heat) even if you have 0 pps for the moment
22:27 < hweaving> I hit 6 Gbps with 2k UDP packets before I started dropping...it happens somewhere around 8 Gbps because of CPU saturation on my test system
22:27 < ||cw> hweaving: mind if i ask what project you're working on?
22:27 < Apachez> hweaving: haven't explored too much with the actual api calls, I have been digging more behind the scenes
22:27 < Aeso> genec, true. There's a balancing point that's driven by your latency requirements, more or less.
22:27 < genec> hweaving: I'm guessing you haven't read into the research that's been done already
22:27 < ||cw> or what kind of project...
22:27 < hweaving> ||cw: Unfortunately I can't give details, other than I'm experimenting with high bandwidth on small UDP packets
22:28 < ||cw> storage? databases? replication?
22:28 < lupine> haxxx
22:28 < genec> hweaving: please read up on the stuff that ntop does
22:28 < hweaving> genec: I've read some research, one of the most helpful ones is the million packet per second article
22:28 < ottomatik> genec, i understand how the layers work. I was trying to represent things in a simple manner, maybe it was stupid on my part
22:28 < Apachez> so looking at single core you get 250kpps (give or take) which with full 1522 byte size is roughly 250k * 1522 * 8 = 3 044 000 000 bps on the wire
22:28 < Apachez> and this is in total
22:29 < genec> Apachez: assuming you can distribute.
22:29 < Apachez> so if you want to look at full duplex you must take this bps and cut it in half (assuming you pump an equal amount of packets in each direction)
22:29 < Apachez> so give or take a single core can with interrupt based forwarding pump 1.5Gbps full duplex
22:29 < genec> Apachez: iirc, most NIC drivers aren't multithreaded to do that
22:30 < Apachez> so switching to pollbased you will roughly 4x that number
22:30 < Apachez> so you are now up at 6gbps by just switching from interruptbased to pollbased driver setting
22:30 < Apachez> and then go into jumboframes you increase by another (roughly) 6x (9000 bytes jumbos)
22:31 < Apachez> so now you can pump 36Gbps full duplex
22:31 < Apachez> with a single core
22:31 < genec> ottomatik: imagine a sheet of paper that's got words on it. then put it in an envelope. that gets put into another envelope etc etc
22:31 < Apachez> but this is peak
22:31 < Apachez> looking at packet distribution sizes not all packets are maxsize
22:31 < jamesc> So, I did some drilling down and I think that what happens with CORS is that if I make a request directly from the browser, an "Origin" header is never added to the request
22:31 < Apachez> so other improvements go into how many cycles the cpu needs to actually process the packet(s)
22:31 < jamesc> so this kind of request never needs an Access-Control header in the response
22:32 < Apachez> zero copy and all that
22:32 < jamesc> in chrome at least
22:32 < Apachez> utilizing DPDK you can "lock" cores to only process packets and not all other shit
22:32 < Apachez> and then you can start to distribute the packets among your cores
22:32 < hweaving> Apachez: Thanks for the food for thought :D
22:32 < Apachez> so a 24 core cpu could use 20 cores for packet handling and 4 cores for the rest of the mgmtplane features
22:32 < ottomatik> genec, in that case does the port receive the whole envelope or what's inside it.
22:32 < jamesc> if i try to make a request from my outbound websocket through the socket to the browser, then an Origin header is added
22:33 < Apachez> so now you can push 720Gbps full duplex
22:33 < genec> ottomatik: only the letter
22:33 < Apachez> that is polling + jumbos at maxsize (9000 bytes)
22:33 < genec> there's also some more exotic NICs that can help distribute the load
22:33 < ottomatik> genec, thanks that's what i wanted to know
22:33 < Apachez> yeah more exotic nics can do some offloading like checksum, tcp segments, ipsec and what else
22:34 < Apachez> so once the cpu gets hold of the data from the ram it's already preprocessed
22:34 < Apachez> otherwise you have cpu cycles to do checksum and what else
22:34 < genec> Apachez: no, there's more stuff that some like the Napatechs can do
22:35 < genec> most Intels can do some checksum offloading
22:36 < ||cw> all intel server class Gbps+ i think can checksum
22:36 < Apachez> as I said there is more stuff that can be offloaded
22:36 < Apachez> and then you say I'm wrong, because there is more stuff that can be offloaded
22:36 < Apachez> did you even read what I wrote? :P
22:36 < ||cw> not really exotic anymore
22:36 < Apachez> of course not
22:37 < Apachez> but 15 years later realtek is still shitty :P
22:37 < Apachez> I guess you have all seen the freebsd comments for the realtek driver? :)
22:37 < genec> RealTrash
22:38 < Apachez> https://pastebin.com/3wPF2jFP
22:38 < genec> my point was that without DPDK, Napatechs could distribute packet processing across multiple cores
22:38 < ||cw> you can make the same comparison for most consumer grade stuff.
22:39 < Apachez> genec: yeah but that's different from how DPDK and similar works
22:39 < Apachez> with DPDK you basically (more or less) completely remove the interrupt stuff going on for a regular core
22:39 < genec> Apachez: I'd count on a RealTrash to handle about 150Mbps at 1518 and probably not much more
22:40 < genec> it seems also DPDK is a kit designed to abstract that distribution across NICs of various vendors
22:40 < Apachez> I would assume a modern realtek nic would at least get to 700Mbps for a 1Gbps link
22:41 < Apachez> DPDK is so much more
22:41 < Apachez> what dpdk does is that it turns the remaining cores into pure "help cores"
22:41 < Apachez> which are excluded from the regular interrupt stuff going on in a modern computer
22:41 < Apachez> so you define for example 4x cores for mgmtplane and let's say the remaining 20x cores to be used for dpdk
22:42 < Apachez> it will be similar to how a gpu will assist in codebreaking and similar stuff these days
22:43 < genec> but I believe neither system gets around the cost of processing a frame with a core of the opposing socket
22:43 < Apachez> if I recall it correctly intel (in the marketing but still) benched dpdk to process 80Mpps for a 10core system (2x mgmt, 8x dpdk)
22:43 < Apachez> so basically you pump the throughput from roughly 250kpps interrupt based (or roughly 1Mpps pollbased) into 10Mpps dpdkbased per core
22:45 < xingu> genec: the network is the computer: https://itpeernetwork.intel.com/intel-mesh-architecture-data-center/
22:45 < Apachez> generally you have a drawback with dpdk that a single session is locked to the performance of a single core
22:45 < xingu> genec: locality effects exist inside the package now \o/
22:46 < Apachez> at least for datastreams/sessions that are based on previous packets like encryption/decryption and such
22:47 < genec> xingu: I'm looking more at the introduction of the Westmere and its QPI plus socket-based memory controller though this might be some interesting reading
22:49 < jamesc> so i narrowed my websockets down to just one ip
22:49 < jamesc> i no longer get the CORS error
22:50 < jamesc> but the request still fails as the request type is OPTIONS
22:54 < jamesc> yes
22:55 < jamesc> running "curl 'http://ec2-18-188-155-5.us-east-2.ute.amazonaws.com:1337/exec?window.open(("http://192.168.0.1.ip.samy.pl"))'" i can open it successfully in a new window
23:21 < bad_blue_bull> hello
23:21 < bad_blue_bull> how does Quakenet understand that I'm using Tor?
23:22 < genec> bad_blue_bull: they maintain a list of exit nodes
23:22 < bad_blue_bull> wow
23:22 < genec> bad_blue_bull: just like freenode.
23:22 < bad_blue_bull> yes, didn't try it on freenode
23:22 < genec> bad_blue_bull: otoh, freenode offers a hidden service for tor use
23:23 < bad_blue_bull> thanks
23:23 < genec> bad_blue_bull: https://freenode.net/kb/answer/chat#accessing-freenode-via-tor
23:23 < Apachez> https://imgur.com/gallery/2F8UZ
23:24 < meowzus> hi, i'm trying to do some work on simulating DDOS traffic and regular web traffic. Does anyone know of a tool that I can use which will simulate regular web traffic (not constant but some sort of typical web traffic) running on mininet?
23:25 < meowzus> I'm currently looking at tmix, but not really sure whether that's the right thing to use
23:26 < Apachez> meowzus: tcpreply
23:26 < Apachez> you basically construct your own pcap file
23:26 < Apachez> and then use tcpreply to run that in flood mode
23:26 < meowzus> tcpreplay right?
23:26 < Apachez> yeah
23:27 < Apachez> and then tweaking some tcpstack on the host running it
23:27 < meowzus> are there some sources for typical internet usage pcap files?
23:31 < genec> bad_blue_bull: lemme guess: Quakenet either blocks tor or flags you as a tor user so channels can easily block if they want
23:31 < jkemppainen> freenode also does the same, fwiw
23:31 < jkemppainen> (flag Tor users as such)
23:32 < genec> jkemppainen: with a gateway mask, yes. though at this point, I don't see why one would block tor since it takes a plainnet connection, email, SSL cert generation and upload then a client that can do the certfp just to connect over tor
23:33 < jkemppainen> no, not just a gateway mask -- that mask can be overridden with project cloak. The actual way is via the server, Zettel, unique to Tor users.
23:33 < genec> jkemppainen: that's true too
23:35 < genec> jkemppainen: my point is in the past, tor has been abused. I believe first to allow reconnect and looking like a new user with no effort then by attempting to brute-force someone's password.
23:36 < jkemppainen> Right
23:45 < wiresharked> So most of the performance improvements with 802.11ax are related to helping with a lot of interference, like concert venues and such
23:47 < Demos[m]> hey so I have a bunch of netgear xs7xxt switches, and ports will just fail at random requiring a switch reboot
23:47 < Demos[m]> is this just "lol netgear" or what
23:47 <+catphish> Demos[m]: RMA it :)
23:48 < Demos[m]> it's happened on every single switch
23:48 < Demos[m]> and we have like 7
23:48 <+catphish> well that's pretty odd
23:48 < ||cw> call support then
23:48 < Demos[m]> they are not really super high end switches
23:48 < wiresharked> Or get the hardware replaced
23:49 <@pppingme> Demos[m] are they on UPSs?
23:49 < Demos[m]> yeah I want to replace them with something else, it's hard to find price competitive 10G switches though
23:49 < Demos[m]> fs.com has some
23:49 < ||cw> the netgears i had were all reliable for some years, and when ports failed, they stayed failed after a reboot.
23:49 < michael_mbp> https://www.linksys.com/sa/p/P-LGS124P/ how is PoE+ enabled on these?
23:49 < Demos[m]> nope
23:49 <+catphish> though i have had multiple netgear switches with identical faults before, they have some bad designs sometimes, if so, they'll replace with a newer hardware revision
23:49 <+catphish> ask them
23:49 < Demos[m]> they are not poe
23:49 < genec> Demos[m]: I support pppingme and follow it with firmware checks
23:49 < michael_mbp> Demos[m]: this one is
23:49 <+catphish> Demos[m]: i would just ask netgear, they're quite helpful / happy to replace if it's a known issue
23:49 < michael_mbp> up to 120W
23:50 <@pppingme> is it the same ports that fail over and over, or is it pretty random?
23:50 <+catphish> otherwise, i don't know, unless it's an incompatibility with whatever you're plugging them into
23:50 < Demos[m]> it's pretty random
23:50 < Demos[m]> usually when a 10G negotiated port needs to go down to 1G
23:50 < Demos[m]> or lower
23:50 <+catphish> some common hardware at the other end?
23:50 <@pppingme> do any of these ports feed to another building?
23:50 <+catphish> 10G copper?
23:50 <+catphish> or module?
23:51 < genec> michael_mbp: 1) PoE+ requires first low-grade class0-3 negotiation followed by LLDP as specified in 802.3at
23:51 < Demos[m]> yeah
23:51 < Demos[m]> I mean there are 2-4 SFPs as well
23:51 <@pppingme> yeah to what?
23:51 < Demos[m]> no it is copper
23:51 < Demos[m]> none of the ports go to another building
23:51 < genec> Demos[m]: are all of the switches and devices located within a single room?
23:51 < Demos[m]> yep
23:51 <+catphish> i have some old dell 10g sfp+ switches that are rock solid
23:51 < Demos[m]> well no
23:51 < michael_mbp> genec: so... if one ingress cable supports PoE+ does it activate on all ports or?
23:51 < Demos[m]> two are elsewhere
23:52 < genec> michael_mbp: per-port
23:52 <+catphish> not sure how much i'd trust netgear with my SAN :)
23:52 < Demos[m]> but that may be a different issue, since no ports are working for a given thing
23:52 < genec> michael_mbp: up to 25.4W per port and 120W budget per switch
23:52 < Demos[m]> yeah
23:52 < michael_mbp> genec: not sure how they are 'enabled' to provide on a port by port basis though?
23:52 < michael_mbp> there's no admin or anything
23:53 < genec> michael_mbp: 1) ports 1-6 and 13-18 are available. 2) negotiation of the end device.
23:53 < mines5> what brand switch is it?
23:53 < michael_mbp> OH!
23:53 < michael_mbp> gotcha, that's neat.
23:54 < michael_mbp> and makes a whole lot of sense.
23:54 < genec> michael_mbp: 3) blind luck. it appears there's NO mechanism to disable the negotiation on those 12 ports
23:54 < mines5> I don't think I've ever met a switch that does PoE without management
23:54 < mines5> not that they don't exist
23:54 < michael_mbp> mines5: mmm.
23:55 < genec> mines5: https://www.linksys.com/sa/p/P-LGS124P/
23:55 < michael_mbp> I built a home lab and got two in my rack at the moment.
23:55 < michael_mbp> totally glossed over the PoE capability but it will come in handy
23:55 < genec> mines5: there's no reason there can't be LLDP for negotiation while not providing a UI to control it
23:56 < mines5> genec: that switch should have some sort of management interface
23:56 < mines5> The only unmanaged switches you should see are consumer grade ones
23:56 < mines5> that looks like a rack mount enterprise style one
23:56 * mines5 hopes you won't quote him on that
23:58 < Demos[m]> oh there's some new software images from netgear
23:58 < Demos[m]> I'll try those
23:58 < michael_mbp> https://www.ubnt.com/unifi/unifi-ap/ I can run cabling to UAP-PROs from this switch.
23:59 < mines5> Scratch that previous statement
23:59 < mines5> there is no management interface
23:59 < mines5> https://www.newegg.com/Product/Product.aspx?Item=N82E16833124516
--- Log closed Wed Apr 11 00:00:00 2018