--- Log opened Thu Apr 12 00:00:42 2018
00:01 < ||cw> these are all great topics for ##windows-server
00:06 < OpenSorce> So... 1.1.1.1 any advantages?
00:06 < Criggie> no
00:06 < Criggie> lets someone other than google track your DNS requests
00:06 < Criggie> allows cloudfront more data to make better decisions about caching
00:07 < Criggie> Tends to fail badly if there's a cisco router between client and 1.1.1.1 cos that IP is not uncommon as loopback IP addresses on Ciscos
00:07 < petemc> very pessimistic
00:07 < Criggie> 1.0.0.1 is slightly more likely to succeed
00:07 < OpenSorce> Well yeah... but they delete logs.
00:07 < Criggie> petemc: he didn't ask who the advantages were for :)
00:07 < Criggie> OpenSorce: sure.
00:08 < Criggie> OpenSorce: and facebook doesn't share your personal information with anyone.
00:08 < Criggie> #doubt
00:08 < OpenSorce> Lol
00:08 < Criggie> :)
00:09 < Criggie> On the plus side, their IPv6 DNS servers are the same speed as their v4 servers
00:09 < Criggie> But they lack a cool IP address.
00:09 < OpenSorce> I disabled IPv6... Spectrum doesn't do it right.
00:10 < Criggie> well that's not good
00:17 < hehehe> is it normal for domain registrar A record change yet to work after 5 hrs?
00:17 < hehehe> I wonder
00:19 < tds> hehehe: are you querying a resolver, or the nameservers directly?
00:19 < tds> 5 hours might be reasonable if the ttl is high enough, 5 hours to update nameservers doesn't sound right
00:19 < hehehe> tds yep
00:20 < hehehe> tds: I just use some online site to check dns
00:20 < hehehe> I could use dig
00:20 < tds> yeah, I'd use dig to check the NS records, then query those servers directly
00:20 < hehehe> I do not change ns
00:20 < hehehe> A record
00:20 < tds> (dig +trace can also be useful)
00:20 < hehehe> tds: how?
00:20 < hehehe> :)
00:21 < hehehe> sugar I forgot I am on windows today
00:21 < hehehe> still I can do it from 1 of my boxes
00:21 < tds> it lets you see the delegation down the chain from the root
00:21 < tds> if you're not changing NS records though it shouldn't matter
00:21 < hehehe> how do I query ns
00:23 < tds> dig NS example.com to get the nameservers, then dig example.com @ns1.example.com to query them
00:26 < hehehe> nothing
00:26 < hehehe> A is empty
00:28 < hehehe> I will delete A record and re dd
00:28 < hehehe> add
00:28 < tds> just to confirm, what's the status returned? NXDOMAIN?
00:29 < hehehe> ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
00:29 < tds> you're looking for the line before that, it should have status: ...
00:29 < qman__> it will tell you the TTL of the request, if that number hits zero it will pull from the source again
00:30 < hehehe> my mistake
00:30 < hehehe> I added it for www.example.com
00:30 < hehehe> and not for example.com
00:31 < hehehe> mad day today
00:31 < hehehe> lol
00:37 < wiresharked> OK, so access points have logs that keep track of each device that they are connected to so they know where to transmit data to or receive data from. This sounds like what a routing table does
00:44 < electricmilk> Hmm Content filtering on SonicWALL has an option to exclude administrator...but for the life of me I can't find how it determines who is an Admin or not. When set sure enough my account isn't filtered. When tested from a workstation not on the domain that has Admin access it is still blocked...works great but how does it work?
00:45 < electricmilk> Does the SonicWALL somehow know who is in the Administrators group for the domain?
00:48 <@pppingme> Is it linked into AD?
00:48 < electricmilk> pppingme, No I don't think so. I didn't add any AD settings to the SonicWALL
00:48 < electricmilk> pppingme, Perhaps it goes by the ip address of the host connected to the backend?
00:49 <@pppingme> if true, that'd be a sloppy way to deal with it
00:49 < electricmilk> hmm. I can't think how else it would know who an Admin is
00:50 < electricmilk> I'll just disable it.
00:54 < zamanf> I have a noob question, is it possible to find the socket that handles a udp connection between my pc and a remote host? and attach to it so I can read the data or modify it?
01:07 < drac_boy> hi
01:09 < PowerPCMAC> hi
01:10 < Criggie> hola both
01:10 < PowerPCMAC> hola
01:11 < drac_boy> just remembered that I asked this some time ago but don't recall if anyone ever replied so don't mind me asking this silly little thing again..
01:12 < drac_boy> if you only wanted to do dhcp+nat and nearly nothing else (not even much firewall) for a few occasional computers then your router could easily be just a 486 cpu powered one right?
01:12 < drac_boy> or did I figure wrong on the overhead that would be needed?
01:35 < smootimus> Where that dude at?
01:38 < wadadli> Can anyone recommend an ADSL2+ modem?
01:39 < drac_boy> wadadli north america or elsewhere?
01:39 < wadadli> Elsewhere. Does that matter?
01:42 < drac_boy> wadadli hm well tp-link may not be selling it everywhere but if you want a simple adsl modem try tp-link .. theres some minor models difference but you basically want to find something that starts with 8 (and is 4 digits long there)
01:42 < djph> drac_boy: sure ... but that's ... well, a bit power hungry
01:42 < drac_boy> djph yeah I figured as much..only used the 486 as a crude example of how little processing power it would have :)
01:43 < djph> heh, just grab a UBNT ER-X ... it's like $50
01:43 < drac_boy> wadadli on other hand if you can get access to uk brands there is draytek with a simple adsl modem as well
01:43 < drac_boy> djph and wheres the uart or any slots on it tho? :P heheh
01:44 < djph> yeah, if you need a hardware console port ...
01:44 < wadadli> I need one that supports bridge mode. Modem from ISP doesn't have that option.
01:44 < drac_boy> wadadli tp-link and draytek can do that .. dunno about other brands as they don't even sell anything new on market afaik here :-s
01:44 < djph> time to fire up google then.
01:48 < drac_boy> wadadli tbh not blaming anyone but its very annoying when you go to random stores and basically can expect to count only 0 or 1 adsl modem around yet one shelf up is like 15 different-brands-same-docsis cable modems -_-
01:48 < drac_boy> meanwhile most houses I've had to visit only can get adsl .. very few (and generally near urban) even have coaxial
01:48 < drac_boy> talk about weird store vs home difference
01:49 < drac_boy> (and btw I'm not talking about amount of stock, I'm actually talking about what is listed in the system for purchasing)
01:54 < drac_boy> anyway I'm going off for now so have fun :)
01:55 < johnnylee> Hello, I have a mikrotik router and a windows server 2016. Somehow some SSL connections are maybe getting mangled but I can't browse some sites
01:55 < johnnylee> where can I start looking?
02:01 < johnnylee> hello; anyone?
02:01 < johnnylee> test
02:03 < djph> johnnylee: holy fuck son, take a breather and give the other meatsacks here a chance to enjoy their scotch before getting embroiled in explaining how your MTU is set wrong
02:03 < johnnylee> djph - thats what i thought but it seems not to be :(
02:04 < djph> what's your internet link? (DSL, cable, microwave, fiber, something more fun)
02:08 < johnnylee> it's a server connected to an edge router that has IP Transit and BGP
02:08 < johnnylee> djph: but you maybe onto something; I am just doing an optimal mtu test and I get 1430 to be it which is weird to me; pretty low
02:09 < djph> 1430 is a touch low, but depends on what the encapsulation is (e.g. pppoe / pppoa / something else fun)
02:11 < johnnylee> djph - shouldn't windows pickup the proper mtu automatically?
02:12 < djph> not when it's going through a router across the internet it won't
02:14 < djph> a standard ethernet segment will be MTU1500 (well, up to 1528 if it can do VLANs and some other things ... but let's stick with 1500). Trouble is, your local network segment and "the internet connection" can differ (e.g. if said connection is via a VPN, or pppoe/pppoa, or perhaps even MPLS, etc.)
02:15 < djph> v6 networks use PMTUD to sort it out ... but lots of v4 networks drop all ICMP, and as such you have to set things by hand (at least between you and your gateway)
02:19 < johnnylee> djph: it was MTU size. You can't believe how many times I told the f*ckers that handle Cisco it might be that and they didn't look into it
02:20 < johnnylee> we have IPv6 disabled on windows
02:21 < johnnylee> so if icmp is open windows talks, and set's MTU properly?
02:21 < Dagger> "set's"...
02:21 < djph> "properly"
02:22 < Dagger> at least that one is spelt properly
02:22 < djph> PMTUD "MIGHT" work -- it depends on *every* hop allowing ICMP.
02:22 < djph> Dagger: wasn't commenting on the spelling, but rather that "auto-detection" isn't a silver bullet.
02:22 < Dagger> (or am I supposed to spell that "properl'y" these days? I'm starting to be less sure about that...)
02:23 < djph> Dagger: p'p'r'ly
02:23 < djph> *pr'p'r'ly
02:24 < Dagger> that's horrific but correct, since you're omitting letters
02:24 < johnnylee> djph: I just did a test and I could ping at MTU=1412 and 10 minutes later I can only ping at MTU=1384 and nothing higher than that. What could be causing this?
02:24 < djph> Dagger: trouble is, it makes you sound like you're from Yorkshire :)
02:24 < djph> johnnylee: your network is fubar.
02:24 < rewt> http://proper.ly/
02:25 < rewt> oh wow, that's actually a website :o
02:25 < Dagger> it's the use of ' to indicate that there's an upcoming "s" that people need to stop doing
02:25 < rewt> you mean: it's the u'se of ...
02:25 < johnnylee> djph: what if I set this at like 1300 and call it a day. How is that bad? it will be slow?
02:26 < rewt> johnnylee, you can use ping to find the highest you can go
02:26 < djph> johnnylee: your fubar network will probably go even lower. find out why the fuck it knocked another 30 bytes off your MTU
02:26 < rewt> send pings with don't-fragment set at increasing sizes until it stops ponging
02:28 < b0bby__> Could someone help me setup vsftpd?
02:28 < djph> sudo apt-get install vsftpd
02:29 < djph> although why on cthulhu's watery prison are you setting up FTP
02:30 < b0bby__> djph: because I want an ftp server. Is that not a reason?
02:31 < nickster> FTP is dated though. Consider either SFTP or anything newer.
02:31 < djph> well, FTP is generally considered "a really bad idea" :)
02:31 < djph> SFTP would be a better idea
02:32 < b0bby__> djph: well I'll configure vsftpd to use ssl
02:32 < djph> that's still awful
02:33 < b0bby__> djph: Why?
02:33 < b0bby__> djph: Is ftp really that bad?
02:33 < djph> because (a) it's still FTP, and (b) now you've bolted on SSL, which is a mess in its own right.
02:34 < djph> yes. SFTP for basic use is easy --> apt-get install openssh-server <-- done. Sure, you can fiddle with the defaults and turn off "compatibility" ciphers, but even out of the box, SFTP is pretty much "install and done".
02:34 < b0bby__> djph: when I say ftp I mean sftp
02:35 < djph> FTP(and FTP/SSL) and SFTP are different things ...
02:35 < nickster> ^
02:35 < b0bby__> djph: Ok now I know
02:35 < nickster> They really can't be referred to as the same thing, hence the confusion.
02:36 < nickster> One still has a place while the other should almost never be considered
02:36 < djph> SFTP = Secure FTP (i.e. SSH/FTP). FTP is .. well, plain ol' FTP. FTP/SSL is plain 'ol FTP with SSL bolted on.
02:36 < rewt> that last one is aka FTPS
02:36 < nickster> or,
02:36 < djph> (note that SFTP isn't actually the "File Transfer Protocol" under the hood -- it's more akin to interactive secure copy [scp])
02:36 < nickster> or or or,
02:36 < nickster> hear me out
02:37 < nickster> dooooont use *ftp* ?
02:37 < b0bby__> ok how would I setup sftp
02:37 < djph> b0bby__: apt-get install openssh-server
02:37 < djph> *done*
02:37 < nickster> ^
02:37 < djph> or, if you're on a RH variant ... format and install debian, then apt-get install openssh-server
02:37 < djph> :D
02:38 < rewt> just as a curiosity, why do you want ftp?
02:38 < rewt> (s or otherwise)
02:39 < b0bby__> rewt: simplicity
02:39 < djph> granted, simply installing openssh-server will get you a "bog standard" SFTP server. Depending on needs, you may want to turn off "older" algorithms that're kept around for interoperability purposes.
02:39 < djph> b0bby__: these days, SFTP is the "simpler" approach.
02:39 < b0bby__> djph: well now I know
02:39 < djph> ;)
02:40 < rewt> how does ftp help with simplicity?
02:41 < djph> rewt: apparently he was misinformed that "FTP" was simpler than "SFTP" (not to mention that he didn't grok the differences between FTP(S) and SFTP)
02:41 < rewt> i kinda meant in the big-picture kind of way
02:43 < djph> rewt: ohhhh
03:11 < thadtheman> I have a question about connecting to a machine past a router. So I have a router which is connected to the internet. Let us say that it is mapped to myserver.com. Behind that is a computer. Say 192.168.5.5, I have a computer that is directly connected to the internet call it mycomputer.com. How do I connect mycomputer.com to 192.168.5.5?
03:12 < thadtheman> I'm thinking of an application, similar to say skype, It looks up the two addresses myserver.com and 123.168.5.5, mycomputer.com connects and then transfers data back and forth.
03:13 < rewt> you forward the required ports from the router to .5.5
03:15 < thadtheman> You mean I have to modify the router tables to do that?
03:16 < thadtheman> For every device?
03:21 < rewt> it's usually a few clicks in "home routers" and should be no more than 1 line per port in other routers
03:21 < SporkWitch> thadtheman: there are two options, port triggering and port forwarding. Port triggering is triggered by a service on the inner side of NAT, temporarily setting up a forward from a given port to that host. Forwarding is always-on and statically routes traffic sent to that port to a specific host. If you have multiple hosts that you want accessible outside the NAT you must set up separate rules
03:22 < SporkWitch> With port forwarding you can have multiple open simultaneously but each must use a different port; with triggering only one host can be used at a time, and it would have to time out for another to use it
03:23 < SporkWitch> More specific to your query, you would likely also need to use a DDNS service to update the DNS entry with your current public IP
03:23 < SporkWitch> (though some ISPs do offer static IPs, usually for a fee)
03:28 < pekster> There are some semi-automated NAT-traversal schemes like STUN and similar, though they depend on certain conditions in the NAT engine to function and aren't 100% reliable as a result
03:29 < thadtheman> I thought the DDNS setup an entry for the router. How does something Skype make the point to point connection from 5.5 to mycomputer.com? The router at the end isn't the only router. There are all these routers in between, you don't want to be touching all those routers. You don't even know what they will all be.
03:30 < SporkWitch> the issue isn't the router, the issue is NAT
03:31 < SporkWitch> https://computer.howstuffworks.com/nat.htm
03:32 < pekster> The issue could well be the router if a firewall is involved. NAT != firewall, but not having NAT does not imply there is no firewall
03:32 < pekster> NAT _generally_ implies a firewall, though technically you can do NAT (stateful or stateless) without a firewall, though it would be very stupid to do that
03:32 < SporkWitch> pekster: in that case the issue still isn't the router, it's the firewall; since we're dealing with a private address, though, we know NAT is involved
03:33 < thadtheman> I'm going to screw up the language here. Each router has its own NAT tables each that has to be modified.
03:33 < pekster> Each router with its own (private) addressing, sure
03:34 < SporkWitch> thadtheman: NAT tables are generated dynamically; the rule is the only static portion (typically)
03:34 < pekster> Normally machines behind a NAT layer are "pure clients" that don't host anything. NAT "works" here only because these systems tend to only ever initiate connections, not receive connections initiated elsewhere on the Internet
03:34 < pekster> NAT breaks for "peer to peer" applications that rely on being able to establish connections in either direction
03:36 < SporkWitch> thadtheman: your question about how skype is able to work is answered in the link, but in short, the router changes the source port on the packets it sends, so when it receives responses on that port it knows which host it's meant for
03:36 < thadtheman> So how does something like skype work? Does it need an intermediary at a fixed address?
03:37 < SporkWitch> asked and answered
03:37 < SporkWitch> (twice)
03:38 < SporkWitch> basically "i put the traffic joe sent from port A on port B; so if i get stuff destined for port B, i should send it to joe on port A"
03:39 < pekster> Except skype is no longer (ca. mid-2017) a peer-to-peer app; it's "cloud based" now, ie: server/client. https://support.skype.com/en/faq/FA12381/what-does-it-mean-that-skype-is-moving-from-peer-to-peer-to-the-cloud
03:39 < pekster> With a fuzzy definition of server
03:40 < SporkWitch> pekster: that must have happened well after the MSFT buyout; the last i heard it was still peer-to-peer, they just stopped allowing community supernodes, so they could sniff all the session keys by forcing everything to use supernodes they control
03:40 < SporkWitch> (why i stopped using skype when MSFT bought them: they happily gave the US gov the back door they'd been demanding unsuccessfully for years)
03:41 < SporkWitch> all that said, it doesn't really change anything for the purposes of this discussion, since your host and router don't know or care about the difference between a server and another router doing NAT
03:41 < thadtheman> Also I'm thinking gmail on my mobiles. It beeps the minute that I get a new email. Is that because that app is always connect to the gmail server(s)?
03:42 < SporkWitch> thadtheman: it would have to do SOMETHING, but I'd honestly have to look it up; i've never investigated how PUSH works
03:42 < pekster> Usually those are a "push based" service. Those tend to function as pure clients (outbound connects) but keep a TCP socket open that will be sent data from the server when an email arrives
03:43 < thadtheman> So the gmail app is always running on the mobile device?
03:43 < pekster> You can also operate a fairly responsive client using a lightweight "poll" based design, though that tends to be more expensive to maintain both in terms of proper security as you have to keep state or re-handshake each time, and it's less battery friendly for mobile devices
03:43 < pekster> Many apps are "always running" on modern mobile devices, yes
03:44 < SporkWitch> thadtheman: it's always running on the device, and it would have to send occasional keepalives, but not constant traffic; can't receive if it's not listening, and can't get through NAT without an active session
03:44 < pekster> A handful of those probably keep lingering "push" style sockets open to their endpoints, such as gmail. I use IMAP with PUSH notifications for work and personal email too, with similar effect
03:44 < SporkWitch> re: poll vs push, there's been good articles over the years about how MOST people would benefit from a poll-based system rather than push. if you get little traffic, a poll-based system uses less battery
03:45 < avery> anyone have a good recommendation for a secure linux dist?
03:45 < pekster> Depends a bit on how often you poll, how often keepalives are sent, and so on
03:45 < pekster> A lot of that is very specific to the implementation
03:45 < SporkWitch> avery: if it's insecure there'd be articles panning it; assume it's secure if "x compromised" isn't the first hit when you search for it
03:46 < SporkWitch> pekster: granted, but generally; it may need a re-evaluation just because of the explosion of stuff sending emails all the time now, vs 5 years ago
03:46 < avery> sorry I meant anonymous
03:46 < SporkWitch> avery: tails
03:46 < SporkWitch> avery: i know of no other with that specific goal
03:47 < pekster> Yea, +1 to tails, but be sure you read the Tor Project's documentation, because using tails by itself does not help your security unless you embrace the operational requirements to remain secure online
03:47 < pekster> Tails will, very "anonymously", leak your identity if you're not careful with the information you share and how you share it while online
03:48 < avery> yeah my problem is retrieving the distro
03:48 < pekster> Ideally get a trusted copy of the GPG keys that sign tails, then you can download tails even on untrusted even "hostile" Internet connections
03:48 < avery> without tailing any of my info
03:48 < SporkWitch> avery: huh? in any case, this isn't the right channel, ##linux <-- is over there
03:49 < SporkWitch> catch22 there, mate; if you're that paranoid you'd need to go to an open wifi hotspot someplace significantly geographically separated from where you are, spoof a random MAC, ensure NOTHING else sends a packet while connected, and download it there
03:49 < avery> haha yeah
03:50 < SporkWitch> personally, unless you're living in someplace like iran, i don't have much regard for that degree of paranoia; if your adversary is a government, and you are not a government, there's not much you can do.
03:50 < pekster> If you want tails, just download it. Unless possessing anonymizing tools is illegal in your jurisdiction, the fact that your ISP (or government, employer, whoever) might *possibly* know you grabbed a copy isn't very interesting
03:51 < pekster> And I say possibly because most of the time traffic is not observed, much less hostilely attacked. While it _could_ always be, it's not part of my threat model beyond validating my downloads most of the time
03:51 < avery> so the ultimate purpose of me even joining this room is that I'm looking to pick some brains of people who can help guide me through my CEH cert
03:51 < SporkWitch> unless you started looking at it immediately after getting access to the internet, there's not a whole lot of benefit anyway; if you've been using the internet for any length of time "they" already have a good profile of you built, making a switch to TOR and similar of questionable benefit due to the efficacy of traffic correlation attacks
03:53 < SporkWitch> pekster: i honestly question even the benefit of checking hashes on downloads except to make sure it wasn't DAMAGED (not attacked); if the download was compromised, odds are extremely high that they could trivially ensure the hash you're told to verify against matches the compromised file
03:53 < pekster> 'eh, much of that boils down to opsec. Notwithstanding something like linguistic or source code style analysis (very different topics, IMO) you can be reasonably anonymous for general-use web surfing with educated use of a platform like Tails
03:54 < pekster> Um, explain that SporkWitch. The hashes I get are either gpg signed (which I validate) or presented to me over https. A casual MITM attacker (say that's you for the sake of argument) would need not only to compromise a mirror or MITM my traffic (hard, but doable, even against me ;) but you would _also_ need to compromise either the gpg signature or the https:// I downloaded the checksum against
03:54 < SporkWitch> pekster: my thinking is this: if you had a habit of searching a topic before, and suddenly you stop after downloading TOR, it's reasonable to assume you're just doing it over TOR now. They've got the profile either way, and if they were INTERESTED in you, they could keep watching this way. Odds are they're NOT interested in you, because honestly, no one gives a fuck about you.
03:54 < pekster> So, I'd love to hear how you think either of those crypto-attacks is "easy"
03:55 < SporkWitch> pekster: much more likely the site was compromised, is my thinking
03:55 < pekster> Both the site and the mirror? But yes, if you mean the download comes from the same (https, presumably) site you got the hash from, a server-side compromise of the online service could exploit both
03:56 < SporkWitch> pekster: as to the GPG signing, it all comes down to how you're exchanging and verifying the keys themselves. I'm literally pointing at a single band for hash and file distribution (the site listing the link and hash).
03:56 < SporkWitch> pekster: the mirror is the link the attacker set it to, in my scenario
03:56 < SporkWitch> pekster: if we're talking GPG sigs and out-of-band verification of the keys themselves, then you're absolutely right; this topic took a paranoid tangent, so i am operating in tin-foil mode for the purposes of this discussion
03:57 < SporkWitch> s/gpg/pgp/
03:57 < pekster> Right. OOB protection, like GPG for most FOSS stuff, or AuthentiCode (for MSFT products) are a big part of the solution. The former requires users to actually check them though :\
03:57 * pekster validates gpg sigs of Ubuntu, TBB, Tails, and such every time, though how many others do is an open question…
03:57 < avery> I'm loving this
03:58 < HEROnymous> pppingme, do you drive a wrx?
03:58 < avery> I do and I've downloaded at least 25 flavors in the past month
03:58 < SporkWitch> pekster: but those keys aren't out-of-band; we're talking about a bootstrapping problem now. Unless all key updates are signed from a key that is truly known good, you have to trust at a minimum of one point.
03:59 < pekster> Ah, the Thompson problem :)
03:59 < SporkWitch> again note, i'm going full tin-foil here because of the direction the convo went; i DO NOT believe this is a reasonable threat model except in a VERY tiny set of situations
03:59 < pekster> Right
04:00 < SporkWitch> haven't heard it referred to that way, but if the Thompson problem is a bootstrapping problem, sure :)
04:00 < pekster> You haven't heard of the Thompson Compiler? You'll enjoy reading about it
04:01 < SporkWitch> can you recommend a good link? thompson compiler sounds vaguely familiar, but it's been a rough decade
04:01 < pekster> Coincidentally published in 1984 (that date ring any other bells in terms of "paranoia" ? ;) though it was authored the year prior
04:01 < HEROnymous> did about $3k in stuff to my car today
04:01 < SporkWitch> pekster: it's not paranoid when the governments have basically ADMITTED they're using it as a guide, not a warning :P
04:01 < HEROnymous> new bbs sr gunmetal wheels, big sticky summer tires, and a tcu tune
04:01 < pekster> SporkWitch: http://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf
04:02 < SporkWitch> wc and a fresh beer then reading it :)
04:02 < avery> have any good recommendations for learning network security?
04:03 < avery> I've been grinding CBTNuggets for months
04:03 < HEROnymous> avery, find an entry level job with a good team of senior folks who will mentor you.
04:04 < SporkWitch> remarkably i don't know of anything network-focused; overthewire.org is great for systems security, though
04:04 < SporkWitch> (and their "bandit" line is a great intro to basic shell usage)
04:05 < avery> hero would you happen to have the knowledge that I'm seeking?
04:16 < SporkWitch> pekster: brilliant, and very nicely put :)
04:18 < pekster> Yup. Clever attack vector too, as the resulting binary has no indication outside of a detailed audit of its low-level (in today's terms, assembly) operation
04:18 < SporkWitch> pekster: i also like the call-out of the inadequate laws; a mere 2 years later we got the horrifying knee-jerk overreaction that is the CFAA of 1986, which offers penalties for what Thompson rightly classified as vandalism and trespass that are harsher than we have for male rapists
04:18 < pekster> Of course, the odds that every single copy of say gcc or such are vulnerable is basically zero, but it's a nice thought experiment, much as Orwell did
04:18 < SporkWitch> exactly my point and perfectly in context; i was in tin-foil mode, after all
04:20 < SporkWitch> building a reasonable threat model is the thing that so many seem to skip, even if they're not full-blown skiddies but just people wanting to be secure and not really knowing how things work; the threat model is almost always ignored, resulting in either insufficient precautions, or unnecessary impact to usability
04:21 < pekster> Yup, and often the solutions to a journalist going into hostile lands are much different than a domestic business traveller, or a concerned and low-profile member of society at large
04:22 < pekster> What is "right" for one target group is at best borderline worthless for another, if not counter-productive
04:23 * pekster wanders off to observe another threat model presented in season 3 of MagGyver
04:23 < SporkWitch> exactly why building a reasonable threat model is THE crucial part of security
04:24 < SporkWitch> s/Mag/Mac/
04:24 < pekster> Yes that. Mechanical keyboard is on order :P
04:24 < SporkWitch> cherry blues?
04:24 < pekster> Browns. Blues are too loud, even with the dampening rings :\
04:25 < SporkWitch> that's the point!
04:25 < SporkWitch> everyone in the office must know what a typographic god you are!
04:25 < SporkWitch> (yeah, i'm the asshole with blues on his keyboard at work :P)
04:25 < pekster> This is for a home office, so my sanity counts for more. Or put another way, everyone in my office _already_ knows how good I am ;)
04:26 < SporkWitch> i use blues at home too; i like it. it's not ideal for twitch gaming, but i honestly don't find the travel and weight to negatively impact FPS games, and those are the only ones that really require twitch on a keyboard
04:26 < pekster> We have a co-worker with blues at home though, and he never mutes his phone on conferences; it's supremely annoying
04:26 < SporkWitch> off; when i work remote i even mute my mic to take a drag from a cigarette; it's just a matter of being polite
04:27 < SporkWitch> s/off/oof/
04:44 < potatoe> does anyone know what curl -sim3 does? I found a flag for -I but nothing for -m
04:44 < potatoe> in man curl
04:50 < inire> -m, --max-time SECONDS Maximum time allowed for the transfer
04:56 < SporkWitch> potatoe: you know man accepts vi commands for things like searching, right? :)
05:28 < jrc> I've got a loose/bad port either on my patch panel or my switch, how can I figure out which one it is? The problem is, it only goes down randomly once a week, so I can't reliably reproduce the failure condition
05:30 < SporkWitch> jrc: http://www.flukenetworks.com/
05:32 < jrc> I have a TDR I don't know how that could help me though
05:32 < instantp10neer> I have two buildings connecting with powerline networking. Building A has an analog telephone line with a few handsets. Is there a way to run the telephone line to Building B by converting the signal to digital, sending it over with the powerline networking traffic, then back to analog and connecting it to the punchdown for B's 2-4 handsets?
05:32 < jrc> when the connection is working, which is almost always, it's working 100%
05:34 < Criggie> instantp10neer: no not really.
05:34 < Criggie> instantp10neer: you could use VOIP phones, or your existing analogue phones with ATAs
05:34 < SporkWitch> jrc: unless one or the other is somewhere it's more likely to be jostled than the other, that sounds like something other than a physical connection issue
05:34 < instantp10neer> Criggie, what is an ATA?
05:34 < SporkWitch> Analogue Telephone Adapter
05:35 < SporkWitch> for exampel, Cisco SPA-112
05:35 < SporkWitch> s/pel/ple/
05:35 < jrc> SporkWitch: it's definitely physical. when it goes out all I have to do is tap the patch cable and it comes back
05:35 < jrc> I've been playing this game for a month
05:35 < SporkWitch> jrc: okay, which side are you tapping? that's probably where the issue is lol
05:36 < jrc> it's only 6 inches
05:36 < jrc> tapping anywhere moves both sides
05:36 < SporkWitch> jrc: put in a longer cable? there's really no sophisticated solution here, heh
05:36 < SporkWitch> sometimes the caveman solution _is_ the solution
05:37 < Criggie> instantp10neer: Here's a product - allows 4 POTS phones over a fibre run. https://cdlnz.com/FRM220-FXS-4 and https://cdlnz.com/FRM220-FXO-4 at the other end
05:37 < Criggie> you need fibre though, not powerline.
05:37 < Criggie> and each end is $1400 NZ which is $1100 USD so $2200 USD total
05:37 < Aztec03> hey can y'all help a friend of mine?
05:37 < Criggie> instantp10neer: do you *need* phones ?
05:37 < SporkWitch> that's insane lol; almost definitely cheaper to either convert entirely to voip or add a couple ATAs
05:37 < Criggie> instantp10neer: cos cellular works too.
05:38 < Criggie> SporkWitch: yeah but it supports 100 KM of fibre :)))
05:38 < SporkWitch> Criggie: change your name to cringie, it fits your solution better :P
05:38 < Aztec03> now ask these fellas your questions
05:38 < babyfoxy> is it computer>router>VPN>internet? so a vpn wont protect me from the wifi provider snooping?
05:38 < Criggie> SporkWitch: best solution is to install some gig fibre and run voip over a separate VLAN.
05:39 < Criggie> powerline's always a bit iffy.
05:39 < Criggie> But if it works then that's good.
05:39 < Criggie> Aztec03: just ask :)
05:39 < SporkWitch> the fibre is probably overkill for that too; voip is cheap in terms of bandwidth, unless you're doing unicast "broadcasts"
05:39 < Aztec03> Criggie, babyfoxy be the friend
05:39 < Criggie> babyfoxy: okay, you ask your question.
05:39 < babyfoxy> is it computer>router>VPN>internet? so a vpn wont protect me from the wifi provider snooping?
05:39 < SporkWitch> (i think this is the part where i mention i work for an enterprise VoIP provider lol)
05:40 < jrc> the fluke ceo and the snapon ceo must play golf together and laugh about their pricing
05:40 < SporkWitch> babyfoxy: don't spam, and you haven't provided any context, there's an infinite number of topologies you could set up
05:40 < Criggie> SporkWitch: I used to - we had some clusterfucks with people putting 15 calls over an ADSL link
05:40 < babyfoxy> SporkWitch, i was told to ask again
05:40 < Criggie> SporkWitch: over the internet and then expected it to work while using the same link for browsing.
05:40 < SporkWitch> babyfoxy: no you weren't, the logs are right here
05:41 < babyfoxy> SporkWitch: yes i was
05:41 < SporkWitch> babyfoxy: no, you weren't, and you're a worse liar than the Clintons: https://hastebin.com/logixejiyi.vbs
05:41 < babyfoxy> SporkWitch: yes i was
05:41 < Criggie> babyfoxy: VPN has two problems - it says "LOOK AT ME I'M HIDING" and the traffic has to be un-encrypted at the other end to be useful.
05:41 < Criggie> babyfoxy: so someone is seeing your bare-naked traffic, even if its not your provider.
05:42 < Aztec03> https://pastebin.com/ytLXhQCU
05:42 < SporkWitch> you know you're retarded when the logs are right there and you still deny it...
05:42 < babyfoxy> Criggie: do you know a way i can stop a wifi provider from snooping?
05:42 < SporkWitch> yeah, move the VPN to the client
05:43 < Criggie> babyfoxy: is the wifi provider the ISP or is it a wireless hotspot service ?
05:43 < SporkWitch> irrelevant
05:43 < babyfoxy> Criggie: hotspot service
05:43 < Aztec03> hey
05:44 < Aztec03> SporkWitch,
05:44 < Aztec03> https://pastebin.com/ytLXhQCU
05:44 < Criggie> ok - is the router yours and under your control and traffic between you and the provider secure ?
05:44 < Aztec03> read
05:44 < Criggie> no
05:44 < Criggie> babyfoxy: as SporkWitch says, run the VPN endpoint on your phone/computer
05:44 < Criggie> babyfoxy: its like wearing trousers that are too short - you want the ends of the VPN to go right to the foot, not stop at mid-shin.
05:45 < Criggie> and THAT is a mixed metaphor
05:45 < SporkWitch> Aztec03: she was told to ask the actual question; she repeated the nonsensical one instead
05:45 < SporkWitch> Criggie: don't give the kids ideas; they'll make it a fashion, like manbuns
05:45 < babyfoxy> SporkWitch: wrong
05:45 < Aztec03> she repeated her question, what more do you wish from a person wanting information from those who are privy to provide it?
05:45 < Criggie> thehehe
05:46 < Criggie> consider a postcard and an envelope
05:46 < Criggie> the VPN adds an envelope around your postcards.
05:46 < Aztec03> nobody learns shit grasping at straws like that
05:46 < SporkWitch> Aztec03: an actual question instead of nonsense lacking any context?
05:47 < SporkWitch> Criggie: speaking as a long-haired man, btw. you're gonna grow it out, own that shit; manbuns are retarded
05:47 < Criggie> hey this is nifty (and cheaper) https://cdlnz.com/NV-600A $207 NZD for each end. You use a dry pair and get 100 Mbit VDSL over it.
05:48 < babyfoxy> SporkWitch: the question was nonsensical to you alone while also you showing inability to explain why, so it's your failure to rationalize since others clearly understood
05:48 < SporkWitch> Criggie: or pick up a couple spa-112's for less than 40USD each https://www.amazon.com/Cisco-SPA112-Port-Phone-Adapter/dp/B00684PN54
05:49 < SporkWitch> babyfoxy: it's nonsensical for reasons already explained; your illiteracy and mental deficiencies are not my problem
05:49 < babyfoxy> SporkWitch: wrong
05:50 < SporkWitch> babyfoxy: i'm sorry, maybe simply stating "wrong" works in your tumblr hugbox, but in the real world, you have to support your claim
05:50 < Aztec03> how is a person seeking knowledge supposed to learn, if some teachers are so abrasive when the students present their queries?
05:50 < SporkWitch> babyfoxy: your nonsense was responded to with an explanation of why it was a bad question; when told to ask the actual question you responded with the same question
05:50 < babyfoxy> SporkWitch: wrong
05:51 < jkemppainen> why are we having a metadebate about the question
05:51 < Criggie> SporkWitch: yeah the ATA idea is good, if he has something to log into.
05:51 < Aztec03> Now I feel bad for suggesting this place was where the answer would be found.
05:51 < jkemppainen> can't we just stick to the actual question
05:51 < Criggie> Aztec03: sorry, there is no good answer
05:51 < Aztec03> now I have egg on my internet-face.
05:51 < jkemppainen> and not some weird metadiscussion
05:51 < SporkWitch> jkemppainen: we still haven't gotten one
05:51 < Criggie> Aztec03: "don't do bad stuff in public"
05:51 < Aztec03> thx Criggie you're alright in my book
05:51 < babyfoxy> Criggie: thank you from me as well
05:52 < SporkWitch> jkemppainen: sorry, we did EVENTUALLY get the actual question, and it was answered
05:52 < babyfoxy> SporkWitch: without you
05:52 < SporkWitch> babyfoxy: i was actually the first to answer it; again, your illiteracy and mental deficiencies are not my problem
05:52 < babyfoxy> SporkWitch: wrong
05:53 < Aztec03> goddamn the human race would be better without these dumb ego battles
05:53 < Aztec03> wtf.
05:53 < SporkWitch> [23:42:41] Criggie: do you know a way i can stop a wifi provider from snooping?
05:53 < SporkWitch> [23:42:50] yeah, move the VPN to the client
05:53 < SporkWitch> holy shit this generation is hopeless
05:53 < babyfoxy> SporkWitch: that was a follow up
05:53 < SporkWitch> babyfoxy: no, it was the actual question
05:53 < babyfoxy> SporkWitch: wrong
05:54 < Criggie> Aztec03: damnit, I'll try harder :)
05:54 < jkemppainen> jesus christ
05:54 < Criggie> SporkWitch is right
05:54 < SporkWitch> original question was nonsense lacking context; it's meaningless without it; the second was an actual question, promptly and accurately answered
05:54 < babyfoxy> Criggie: no
05:55 < SporkWitch> i get paid to be tolerant of stupid; you aren't paying me
05:55 < Aztec03> Criggie, no worries, I'm tryna change the interaction for the better is all
05:56 < SporkWitch> Aztec03: provide guidance on how to ask better questions, don't encourage repetition of bad ones
05:56 < Aztec03> I shall.
05:57 < Aztec03> At the same time, you're smart as a whip; you could ease-up on insta-responses for obvious noobs
05:57 < Aztec03> she don't mean no harm
05:58 < babyfoxy> SporkWitch: take your own advice
05:58 < SporkWitch> Aztec03: same question posted twice in the span of a minute; the spam called out, and an explanation of why it's a bad question, in the same message
05:58 < SporkWitch> babyfoxy: what is your native language?
05:58 < jkemppainen> oh, jesus christ already
05:58 < babyfoxy> SporkWitch: above you
05:58 < SporkWitch> i'm unfamiliar with that language; perhaps that explains your inability to understand basic english
05:59 < babyfoxy> SporkWitch: wrong, failure to rationalize again
05:59 < Aztec03> damn stop the straw-man shit
05:59 < Aztec03> this is clearly going nowhere.
05:59 < SporkWitch> Aztec03: not a straw man, an attempt to give the benefit of the doubt. because either they're not fluent in english, or they're just an insufferable, entitled, braindead cunt
05:59 < Aztec03> help her, instead of attacking her
06:00 < SporkWitch> all help was responded to with being a cunt
06:00 < Aztec03> I get that you're upset about whatever you've experienced in the past with 'dummies' and trolls
06:00 < babyfoxy> SporkWitch: wrong
06:00 < SporkWitch> yes, you've established that you are very wrong and incapable of forming coherent thoughts or arguments
06:00 < babyfoxy> SporkWitch: wrong
06:00 < Aztec03> a little segue into positive responses would probably change the whole course of conversation
06:01 < SporkWitch> Aztec03: you can't fix stupid, mate, and this cunt is beyond help
06:01 < Aztec03> why not try, with some pomp, verve, style, and grace?
06:01 * Aztec03 will never stop the same
06:02 < SporkWitch> Aztec03: because the response to it was cuntery
06:02 < Criggie> babyfoxy: what's your end goal here?
06:02 < Aztec03> I feel things like that too; only I try my best to catch myself before knee-jerk reacting to those feels
06:02 < SporkWitch> Criggie: asked, answered, and solution already provided
06:02 < babyfoxy> SporkWitch: many assumptions, and many false statements, it's pathetic to assume, you make yourself useless filth being blown around by all around them
06:03 < jkemppainen> holy hell, why is this still going on
06:03 < SporkWitch> babyfoxy: yes, you've made several false statements; so far you've confirmed all assumptions
06:03 < babyfoxy> Criggie: pointing out the truth, as IRC's main purpose throughout all channels
06:03 < babyfoxy> SporkWitch: wrong
06:03 < SporkWitch> jkemppainen: because babyfoxy is the standard, braindead, entitled millennial cunt
06:03 < babyfoxy> SporkWitch: wrong
06:03 < SporkWitch> i rest my case ^
06:04 < babyfoxy> SporkWitch: be useful
06:04 < SporkWitch> babyfoxy: i have, as has been quite clearly demonstrated
06:04 < babyfoxy> SporkWitch: you have not
06:04 < Criggie> Later all - coffee's more interesting than watching this mess.
06:04 < babyfoxy> Criggie: have fun
06:04 < SporkWitch> babyfoxy: your inability to read help provided doesn't change reality
06:04 < babyfoxy> SporkWitch: i am reading fine
06:04 < babyfoxy> SporkWitch: better than you
06:05 < jrc> I found the fluke tester I want
06:05 < jrc> unrelated, does anyone have $5600 I could borrow?
06:05 < SporkWitch> assuming that is true and you're reading fine, that means you're trolling
06:05 < Aztec03> jrc ooh! what fluke>!
06:05 < Aztec03> ?!*
06:05 < babyfoxy> SporkWitch: cry a lot
06:05 < Criggie> jrc: mmmmm fluke porn... share a link ?
06:05 < Criggie> jrc: hardware fappage :)))
06:05 < SporkWitch> jrc: yeah, they have expensive toys, but they're such nice toys! lol
06:05 < TV`sFrank> jrc: I do. Will accept your organs and limbs as collateral
06:06 < jrc> https://www.ebay.com/itm/Fluke-Networks-DSX-5000-Versiv-Cat6-Cat6a-LAN-Cable-Certifier-Tester-DSX-5000/173257388866?epid=889903876&hash=item2856f1f342:g:164AAOSwjrlax8fG
06:06 < Criggie> jrc: my cable tester cost $20 10 years ago. Its not fluke :-\
06:07 < SporkWitch> more details on that kit: https://www.amazon.com/Fluke-Networks-DSX-5000-120-Permanent/dp/B00DGHAOM8
06:09 < jrc> must be nice in data center situations where you have a blank check for stuff like that
06:09 < Aztec03> baus
06:10 < Aztec03> would be nice
06:10 < SporkWitch> jrc: going back to the voip discussion, i've had customers that basically did this with power injectors: https://i.imgur.com/JcspoU2.jpg
06:11 < jrc> lol
06:11 < SporkWitch> they'd connect the "data in" on the injector to the pc-pass-through on the phone
06:11 < Spice_Boy> I want to do something like expr 5 - 3 but get those values from a file, not the command
06:11 < Spice_Boy> ie, a file contains 5, and another file contains 3
06:11 < SporkWitch> Spice_Boy: perhaps you might try giving, i don't know, CONTEXT
06:12 < SporkWitch> because as long as we're just throwing out random things without any context, i want multi-server support
06:12 < TV`sFrank> And ask in the proper channel
06:12 < Aztec03> ha!
06:12 < Spice_Boy> okay, that's 2 who don't know
06:12 < SporkWitch> Aztec03: still on the cunt's side? still think i'm too harsh?
06:12 < Spice_Boy> bash
06:12 < Aztec03> (to that imgur you linked SporkWitch)
06:12 < SporkWitch> how would we know? we had no context
06:13 < Aztec03> naw matey, I'm just a neutral kinda fella
06:13 < TV`sFrank> Spice_Boy Proper channel for bash is NOT ##networking
06:13 < Aztec03> I support you both
06:13 < Spice_Boy> TV`sFrank: honestly... the amount of non-networking shit that goes on in this channel.... give me a break!
06:13 < jrc> SporkWitch: is that image not the solution to the elusive "free energy" problem??
06:13 < TV`sFrank> Spice_Boy: I feel so sorry for you that you have absolutely no objectivity. Have a great night/day.
06:14 < TV`sFrank> Entitled Generatio ™
06:14 < SporkWitch> jrc: no, that was solved ages ago by Uncyclopedia. cat-with-toast device as the primary; storm troopers and redshirts in a box as a backup when the toast needs to be rebuttered
06:14 < TV`sFrank> n*
06:14 < Aztec03> Spiceboy... were you... a bee at one time... by any chance? :o
06:14 < Aztec03> nvm if not; it's a very specific thing
06:14 < SporkWitch> Aztec03: oh gods, are goontards invading freenode now?
06:14 < Aztec03> naw naw an old forum
06:14 < Aztec03> just wondering
06:15 < SporkWitch> Aztec03: i assumed the bee was a reference to SA's goonswarm
06:15 < Aztec03> naw, was way diff
06:15 < SporkWitch> (you might have played EVE Online if...)
06:15 < Aztec03> a fine forum for learning certain sciences
06:15 < babyfoxy> SporkWitch: felt alone? perhaps a blanky
06:15 < Aztec03> bad babyfoxy! leave it!
06:15 < SporkWitch> yeesh, where's catphish when needed
06:16 < TV`sFrank> Seems it's Winner Hour here
06:16 < SporkWitch> TV`sFrank: pretty much
06:16 < Aztec03> :/
06:16 < SporkWitch> TV`sFrank: welcome to eternal september, 30 years and counting
06:16 < TV`sFrank> heh
06:16 < SporkWitch> (well, almost 30 years)
06:16 < TV`sFrank> the new #defocus :P
06:17 < SporkWitch> do they even still have #defocus? freenode's management went on an SJW huboxy binger a couple years back
06:17 < SporkWitch> even ##linux tolerates blatant and obvious trolling now, as long as the character played is dumb
06:18 < TV`sFrank> No they canned it due to sustained excessive shaboogans
06:18 < SporkWitch> s/huboxy/hugboxy/
06:18 < SporkWitch> s/binger/bender/
06:19 < TV`sFrank> Also possibly because it "may have been" the reason for the Friday Night DDoS's
06:19 < SporkWitch> (i think my favourite was a 12 month ban in which the ##linux-ops chat included one of the ops calling me a genius while telling off the troll, then banning me anyway lol)
06:19 < TV`sFrank> heh, probably crocked on Sterno or something
06:19 < SporkWitch> TV`sFrank: and yet they removed the +b for all TOR endpoints...
06:21 < SporkWitch> (also, he wasn't being sarcastic in calling me a genius; i used to have a /regulars cloak there, i'm pretty sure i was being groomed for op at one point lol; you get drunk one time and post a bash fork bomb, with all caps "DO NOT ACTUALLY DO THIS" in the same single message...)
06:22 < SporkWitch> (is natural selection not a thing any more? lol)
06:23 * Aztec03 sighs the long sigh
06:23 < SporkWitch> (for the record, not saying i'm a genius, saying that it was clear he didn't say it sarcastically)
06:23 < Aztec03> I think she mighta fed me a line, too
06:23 < Aztec03> doesn't matter.
06:23 < Aztec03> she gone.
06:24 < SporkWitch> Aztec03: hmm? what's that? my refined spidey sense was RIGHT about the cunt obviously trolling being a cunt and a troll?
06:24 < Aztec03> Yes. You were probably right, SporkWitch
06:24 < SporkWitch> semi-sorry, a few beers in, so i'm not above an i-told-you-so
06:24 < Aztec03> I eat crow, now.
06:24 < lupine> hmm, I've never tried crow
06:25 < Aztec03> shit, cheers.
I got some whiskey left
06:25 * Aztec03 cheerses SporkWitch
06:25 < SporkWitch> if my goddamned roommate would actually pay his rent on time so i didn't have to hold an extra 650 aside for his share + late fee, i'd have whisky too >_<
06:25 < TV`sFrank> lupine: the Crow I know is one wacky robot :P
06:26 < Aztec03> I'm tryna switch to wine myself; Bukowski was right, whiskey be too quick.
06:26 < SporkWitch> but no, he's 10 years my senior but can't pay his goddamned bills on time and i get to pick up the slack until i can find replacements for the empty rooms >_<
06:26 < SporkWitch> Aztec03: your problem is drinking whiskey; you need some good single malt WHISKY
06:26 < Aztec03> hee! I made a sour-mash whiskey, once
06:27 < SporkWitch> http://www.electricscotland.com/poetry/banff/story4.htm
06:27 < Aztec03> hang, I'll link ya
06:27 < Aztec03> https://homedistiller.org/forum/viewtopic.php?f=32&t=48891
06:27 < Death916> switch to beer why wine smh
06:27 < Death916> whiskey to wine is a weird swap
06:27 < Aztec03> oh I love beers
06:28 < Aztec03> beers are rather /too slow/
06:28 < SporkWitch> Death916: because WINE lets you run stuff without Windows :P
06:28 * SporkWitch plays a rimshot
06:28 < Death916> lol
06:28 < Aztec03> I dig anything by Three Floyds
06:28 < Aztec03> lolol
06:28 < Death916> they have beers with comparable abv to wine
06:28 < Aztec03> my faves are Zombie Dust, Alpha King, and Gumballhead
06:29 < Aztec03> also Yum Yum
06:29 < TV`sFrank> Death916 Yeah but they often taste like mud :P
06:29 < SporkWitch> honestly, i love red wine, but i can't do it; even when i was still in my 20's, one glass of red and i've got a hangover (and back then i could do a handle of jack to myself and be right as rain at 0800)
06:29 < lupine> there's some very good whiskey around
06:30 < lupine> even some irish stuff is good
06:30 < Death916> yall have expensive taste haha
06:31 < SporkWitch> Death916: ardbeg 18; US$40 (sometimes less) for 750ml, and DAMNED good; better than any of the "usuals" (e.g. glen fiddich and others that people will pay 200 for a bottle of blended shit)
06:32 < SporkWitch> and really, if you're drinking more than 2-4 fingers of single in a sitting, you may as well be drinking well
06:32 < Spice_Boy> (2:12:35 PM) TV`sFrank: Spice_Boy Proper channel for bash is NOT ##networking <-- as I said... not always networking chat
06:32 < Death916> not too bad
06:32 < Aztec03> aw fuck I LOVE glenfiddich
06:33 < Aztec03> good-ass scotch
06:33 < Aztec03> 18 yr best!
06:33 < Aztec03> aw Spice_Boy were ye a bee or not in some past life?
06:34 < SporkWitch> Spice_Boy: that your question wasn't topical is secondary to the fact that it was a shit question with no context
06:35 < TV`sFrank> ^
06:35 < SporkWitch> Spice_Boy: and if you'd like to argue that fact, then answer my question about multi-server support
06:36 < SporkWitch> no? that's what i thought
07:30 < Aztec03> Are Cisco Catalyst 3750E's or X's any good as a refurb/used purchase for a small-ish enterprise with plans on expanding in time?
07:36 < Maarten> Aztec03, its quality hardware. Only issue might be that Cisco won't support them if they weren't procured through their channels.... not a big issue if you know your stuff and you have a lot of other avenues to pursue support from, but not so great for mission critical if you need like 2 hour support from cisco.
07:46 < Aztec03> noice.
07:47 < Aztec03> I don't mind actual Cisco support atm
07:47 < Aztec03> or, don't mind not having it*
07:47 < Aztec03> pretty straightforward for my setup
08:02 < quazimodo> GUUUUUUUYYYYSSS how do i override the nameserver address of mysite.com, to point to the cloudflare nameservers, so that I can test cloudflare on my machine
08:06 < TV`sFrank> vi /etc/resolv.conf
08:10 < quazimodo> TV`sFrank: I don't know how to make that only work for a particular domain?
08:10 < quazimodo> like, mysite.com => jack.ns.cloudflare.com
08:17 <@pppingme> quazimodo put it in your hosts file, or setup a dns server on your network (this is what I do)
08:19 < TV`sFrank> hosts file can map hostname to another hostname? I thought you could only map ip's and hostnames
08:19 <@pppingme> you just point your original hostname to the IP of the new one
08:20 < TV`sFrank> ah ok that makes more sense than what I was thinking heh
08:20 <@pppingme> the only "gotcha" is if cloudflare changes the ip of jack.ns.cloudflare.com
08:21 < TV`sFrank> nod, but even then you could probably get a list of ips for it and put them all in hosts file
08:21 < TV`sFrank> bit of a PITA but eh :)
08:21 <@pppingme> I assume this is only for temporary testing, right?
08:22 < Aztec03> also thanks for the tip earlier, Maarten
08:27 < quazimodo> I'm confused, i thought that our system goes to our appointed DNS and says 'where are the records for mysite.com', which goes to n servers that point along till the name registration company says 'records are at jack.ns.cloudflare.com'
08:27 < quazimodo> atm the case is that it says 'the records are at something.aws.com'
08:28 < quazimodo> i want my machine to think all the records for mysite.com are at jack.ns.cloudflare.com
08:29 < quazimodo> When i use dig @jack.ns.cloudflare.com mysite.com i get back the ip that it resolves to, but that's not jack.ns.cloudflare.com. I can put that ip in /etc/hosts but it kinda skips the whole cloudflare nameserver
08:35 < detha> quazimodo: you can run dnsmasq or bind and tell it to always forward requests for *.example.com to jack.ns.cloudflare.com. But normally anything would ask the .com servers where to look for example.com
08:36 < quazimodo> detha: right, so i need to run dnsmasq eh
08:36 < quazimodo> can i run bind locally
08:36 < detha> you can.
08:37 < quazimodo> cooly, i think my router has dnsmasq running, maybe i can override there?
08:37 < detha> but why do you want to override whatever the registrar has ?
08:38 <@pppingme> detha temporary testing of a new host not yet ready for the public
08:39 < quazimodo> yep
08:51 < quazimodo> So i guess it would be a forwarded zone, with the options forward only, forwarders: { ip of cloudflare ns }
08:51 < quazimodo> yeah?
08:56 <@pppingme> it could be
08:56 < detha> that would work yes
09:07 < quazimodo> thanks
10:18 < arahael> Why do many IT admins only allow port 80, and 443 traffic?
10:19 < arahael> (Bit of a mini-vent, that, I'm sure that question serves as a fair summary)
10:20 < detha> Because Security !1!!11!
10:21 < arahael> It's *so stupid* :(
10:22 < MikeSeth> to prevent end user initiatives
10:22 < detha> Actually it's not. Default deny, allow what is needed, both in- and out-bound
10:23 < MikeSeth> that is pretty much it
10:23 < arahael> So much networking now happens over port-443-https. :(
10:27 <+catphish> arahael: it's a matter of deny by default, and open other ports as needed, best practice in many situations
10:28 <+catphish> many security certifications rightly require this
10:29 <+catphish> there's nothing uniquely special about 80 and 443, they're just the first 2 ports that users will need to use, and hence will be opened pretty much immediately under such a policy
10:30 < detha> FSVO opened.... Proxied or with a DPI firewall in between user and wild west web
10:30 <+catphish> i've yet to experience anyone doing MITM on 443, but i believe it does happen
10:32 < arahael> catphish: I'm mainly talking about a *refusal* to open ports as required. Port 80 and 443 only.
10:32 < detha> couple of years ago we had a cloud-hosted app. once in a while a user would capture data, and the app 'lost' the data. Turned out that filling out http forms with lots of fields in quick succession set off the anti-exfiltration in the firewall
10:33 <+catphish> arahael: well then "why" would be a question you'd have to ask the specific admin
10:33 < detha> (and that was https, with all office machines booby-trapped with a cert that trusted the firewall)
10:33 <+catphish> arahael: sometimes it's just a matter of effort, they don't want to document and manage lots of one-off requests
10:34 <+catphish> but there's no good reason beyond that afaik
10:35 < arahael> catphish: I'm aware of all that, it's really pretty much a rant. I've been "re-educated". Port 80 and 443, good. Nothing else. Got it.
10:35 <+catphish> arahael: huh?
10:35 < arahael> catphish: Indeed.
10:35 <+catphish> that doesn't represent any of what was just said
10:36 < arahael> catphish: The long and short is they don't want to do it.
10:36 < arahael> catphish: Doesn't really matter how they explain or elaborate it.
10:36 <+xand> in what situation
10:36 <+catphish> arahael: laziness basically
10:36 < arahael> catphish: Indeed.
10:36 < arahael> Anyway.
10:36 <+xand> on what kind of network?
10:36 < arahael> xand: It's irrelevant, really.
10:36 <+catphish> i usually see it on things like edu guest networks
10:36 <+xand> no it's not
10:37 < arahael> xand: Then you've misunderstood the situation.
10:37 <+catphish> arahael: fuck off
10:37 <+xand> if there is a business need to open ports then management can require it to be done
10:37 < arahael> Woah, sure.
10:39 <+catphish> xand: i find that it's more a problem when there's no business, and hence no business reason compelling it, like in edu, just people just wanting to use their "personal" connections for things
10:39 <+xand> catphish: eduroam has a mandatory list of firewall holes
10:40 <+xand> and that's what most edu wifi is
10:40 <+catphish> at least one university i've visited had this default policy, no idea if they'd make exceptions as i was just a visitor hence didn't ask
10:40 <+xand> it's a lot bigger than just 80/443
10:40 <+catphish> this was UWE, i was a guest, ssh didn't work
10:40 < SlowJimmy> Could the entire internet be made to work like the onion network?
10:40 <+catphish> SlowJimmy: no
10:40 < SlowJimmy> i mean like the tor network
10:40 <+catphish> SlowJimmy: it's another layer on top
10:40 < SlowJimmy> catphish: can you ELI5 why?
10:40 < SlowJimmy> ah
10:41 < SlowJimmy> so couldn't you put that layer on top of everything?
10:41 <+catphish> SlowJimmy: each hop in tor requires the adjacent hops to be known
10:41 <+catphish> therefore you still need a non-anonymous underlying network
10:41 < SlowJimmy> so the way the internet is designed prevents this
10:41 <+catphish> that's not what i said
10:41 <+xand> also you often want to know the client IP address etc.
10:42 < SlowJimmy> could something be designed in theory from the ground up that works anonymously that does everything the internet does?
10:43 < arahael> SlowJimmy: You'd always end up leaking some sort of metadata.
10:43 <+catphish> SlowJimmy: tor does this
10:43 <+catphish> the internet is made in layers, if you want encrypted layered routing, that is a layer on top
10:43 < SlowJimmy> arahael: I see!
10:43 < SlowJimmy> catphish i see
10:43 <+catphish> arahael: not really true, tor doesn't leak metadata, it's just that it requires a regular routable network underneath
10:44 <+catphish> each pair of adjacent nodes need a normal way to communicate
10:44 < arahael> SlowJimmy: For instance, Tor users are still vulnerable to browser fingerprinting, and ISP's can still figure out that you're using Tor.
10:44 <+catphish> you could simply use tor for all internet traffic if that's what you wanted
10:44 < arahael> (It's why Tor users are encouraged to use the Tor browser, if I recall)
10:45 < SlowJimmy> If everybody including joey's mum used tor would that not mean that basically all internet traffic would be somewhat secure from drag net surveillance?
10:45 <+catphish> oh yeah, if you use tor you have to be careful what you actually send down it
10:45 <+catphish> SlowJimmy: basically yes
10:45 <+catphish> SlowJimmy: but it's not worth the overhead
10:45 < SlowJimmy> arahael: this browser fingerprinting is analyzing your browser's plug ins and screen size and so forth?
10:46 < arahael> SlowJimmy: Essentially.
10:46 <+catphish> SlowJimmy: yes, exactly that
10:46 < SlowJimmy> catphish: I try to always use https just so drag net surveillance will be less feasible but tbh a lot of big websites still don't support real encryption
10:46 <+catphish> everything your browser sends can help uniquely identify it
10:46 < arahael> SlowJimmy: HTTPS still reveals the host, so you've leaked that bit, but it's still a big improvement.
10:47 <+xand> it doesn't necessarily reveal that
10:47 <+catphish> SlowJimmy: it all comes down to what you care about in terms of privacy
10:47 < arahael> xand: Well, the IP address, surely?
10:47 <+catphish> SlowJimmy: if you don't want your ISP knowing what websites you visit, it's much harder than if you just don't want hackers getting your bank password
10:48 < SlowJimmy> catphish: I do not want to live in a panopticon but want to have freedom from the inquiring eyes of others no matter who they are
10:48 < arahael> In practice, I'd say: VPN to a country that doesn't care.
10:48 < SlowJimmy> catphish: it's not that I have any tangible reason aside from privacy itself
10:48 <+catphish> SlowJimmy: so you fall into the "don't want your ISP knowing what websites you visit" category, then you need tor
10:49 <+catphish> SlowJimmy: that's really an unnecessary level of paranoia in my opinion, but if you really don't want that, there's no other way to avoid it afaik
10:49 < SlowJimmy> catphish: the ISP is one part but the websites I visit is not the end all be all, what about my emails? what about the private companies collecting data and selling it
10:49 < SlowJimmy> what about private persons hacking into your stuff and taking it over
10:50 <+catphish> SlowJimmy: that's much easier, you choose what you tell them, that's all down to you
10:50 <+xand> 1. don't use facebook
10:50 <+xand> :P
10:50 <+catphish> if you give a company your data, they have your data, if you don't, they don't
10:50 <+catphish> fortunately, gdpr will (at least in europe) make it a lot clearer
10:51 < SlowJimmy> what about search engines? i did not agree but they still are extracting data about me
10:51 <+catphish> SlowJimmy: as i just said, they only know what you tell them, simple as that
10:51 < SlowJimmy> and also facebook and instagram and twitter and other companies track you outside their own website
10:51 < SlowJimmy> even if you do not have an account
10:51 <+catphish> they aren't mind readers, they know only what you send them
10:52 < SlowJimmy> catphish: with facebook just think about on how many pictures you are on that are on the website that have been uploaded by people who know you yet you did not agree
10:52 <+xand> SlowJimmy: well you can have them prosecuted under GDPR perhaps ;)
10:52 < SlowJimmy> or they acquire the data from people using websites with these facebook buttons
10:52 <+catphish> SlowJimmy: well if someone else shares your personal data, there's nothing you can do about that
10:53 < SlowJimmy> xand I don't want to prosecute them lol
10:53 <+catphish> SlowJimmy: humans are not covered by gdpr, only businesses
10:53 < SlowJimmy> catphish what about all the data you create just by being online?
10:53 <+catphish> SlowJimmy: it's up to you what you send, simple as that
10:53 <+xand> catphish: true but it would apply to data they hold even if someone else supplied it.
10:54 <+catphish> if you ask your isp to connect you with a website, then they know, if you don't, they don't
10:54 <+catphish> xand: that's true, if it's personally identifiable
10:54 <+catphish> if someone tagged me in a photo on facebook, i could ask facebook to delete that information
10:54 < SlowJimmy> why are isp necessary?
10:54 < SlowJimmy> could people do what the isp does for them for themselves?
10:54 <+catphish> SlowJimmy: get rid of your ISP, and you'll see
10:54 < SlowJimmy> lol
10:55 < SlowJimmy> could in theory every person act as their own isp?
10:55 <+catphish> SlowJimmy: you're free to buils your own tier1 network
10:55 <+catphish> *build
10:55 < SlowJimmy> given the infrastructure was publicly owned or something
10:55 < linux_probe> they're not, if you want to be amish/off-grid and I dont mean the darwin moronic youtubers claiming off grid then posting videos to make $$$$
10:55 <+catphish> what infrastructure?
10:55 <+xand> catphish: and the photo presumably.
10:55 <+xand> as it's PII
10:55 < linux_probe> only thing worse than them are the darwins following/watching :)))
10:55 <+xand> sounds messy
10:55 <+catphish> xand: i was just contemplating, is the photo PII?
10:56 <+xand> maybe it depends on the content of it
10:56 <+catphish> xand: if so, can i ask facebook to try to identify me in every photo they hold, and delete them?
10:56 <+catphish> madness
10:56 <+xand> dunno :)
10:56 <+catphish> me neither, it's a good question
10:56 <+catphish> it certainly *seems* personally identifiable
10:56 < SlowJimmy> catphish: i mean the cables and the computers that make up the isp's stuff
10:57 <+catphish> SlowJimmy: all the ISPs in the world? what about the networks in people's houses?
10:57 <+catphish> SlowJimmy: and how will you connect to them all?
10:58 < SlowJimmy> I meant if the cables and the servers and what have you that the ISP uses to provide their service would be provided for free by the tax payer then could everybody do whatever the ISP is now doing FOR them by themselves?
10:59 <+catphish> SlowJimmy: then the government would be the ISP, i don't think that's better
11:00 < SlowJimmy> what does the ISP actually do to connect you?
11:03 <+catphish> they just manage those routers and cables you mentioned
11:04 < SlowJimmy> tbh that seems like a lot of trust put into that entity no matter who it is
11:05 < SlowJimmy> Is there privacy in numbers?
11:06 < SlowJimmy> Since a lot of people use any given ISP then they cannot actually infringe only on the privacy of a small fraction of users
11:07 <+catphish> yes, you have to trust your isp with whatever data you send in the clear
11:07 < SlowJimmy> then sending data in the clear is a mistake
11:07 <+catphish> SlowJimmy: the best policy is to assume that everything you send in the clear is *public*
11:07 < detha> s/your ISP/any ISP between you and the destination/
11:07 <+catphish> detha: best just to assume everyone can ready it
11:07 <+catphish> *read
11:08 <+catphish> the point is, the internet is not a private medium, it's not supposed to be
11:08 < SlowJimmy> there are few private mediums
11:08 <+catphish> if you want to send data privately, you encrypt it, and even that doesn't protect you against people knowing who you're communicating with, that's why tor is a thing
11:09 < SlowJimmy> so tor can remove the metadata and the encryption can protect the content
11:09 <+catphish> SlowJimmy: as detha said, remember *your* isp is not the only one involved, your data travels through many networks before reaching the destination
11:09 <+catphish> SlowJimmy: actually tor does both
11:09 <+catphish> but yes
11:10 < SlowJimmy> isn't then using tor more important than using encryption since metadata is much more dangerous to society than the actual content of the communications?
11:10 <+catphish> most people don't consider the metadata to matter, so they just use https
11:10 <+catphish> no
11:10 <+catphish> people don't care
11:10 < SlowJimmy> ok they do not and i cannot blame them
11:10 <+catphish> just like i don't wear a scarf over my face when i walk to the shops, i don't care if the public see what shop i visit
11:10 < SlowJimmy> but technically the metadata is worse, right?
11:11 < SlowJimmy> well a scarf is one thing but what about the credit cards?
11:11 <+catphish> it's up to you what you consider private
11:11 < arahael> SlowJimmy: No, not worse, but considering the scale of the logging/snooping, the metadata is the useful bit!
11:11 <+catphish> credit cards are the data, that's what encryption protects
11:12 < SlowJimmy> arahael: i see!
11:12 < SlowJimmy> catphish: if you buy your stuff in the store with a credit card then your shopping behaviour might become available to advertisers
11:13 <+catphish> there's a lot of commercial value in knowing what websites you visit, what shops you visit, but online this data can be very easy to collect, in real life not so much
11:13 < arahael> SlowJimmy: That does, in fact, happen
11:13 <+catphish> SlowJimmy: yes, you trust your credit card company with this, and this is the kind of thing GDPR is there to protect us against
11:13 < SlowJimmy> or even your bank might rethink that credit you asked for if they see a pattern of reckless spending
11:14 < detha> the irony of the situation is that things like https and tor protect against snooping on data in transit. With things like facebook and google, the only thing I want to be protected against is accumulation of data in the endpoint.
11:14 <+catphish> of course it's up to your bank if they want to lend you money, and how you spend it is very much their business if they're lending it to you :)
11:14 <+catphish> detha: luckily that's very much in the category of "you choose what you give them"
11:14 < arahael> In practice, credit unions just assume you've already spent up to your credit limit, these days.
11:15 < detha> catphish: not really. facebook like buttons etc.
11:15 < SlowJimmy> arahael lol
11:15 <+catphish> arahael: that's a big assumption, certainly here all lenders report the exact balance to credit reference agencies
11:15 < detha> there is a reason facebook forbids sites to use a copy of the like button, it has to come from facebook servers
11:16 < SlowJimmy> wait what do you mean it has to come from facebook servers?
11:16 < SlowJimmy> the wiring behind those buttons?
11:16 <+catphish> detha: that's true, fortunately they will now need your permission to do this
11:16 < arahael> catphish: Possibly country specific. In Australia, at least, credit agencies have just started being required to share more information - and to use the credit limit as part of the credit score, regardless of how much of the limit you've actually used.
11:16 <+catphish> SlowJimmy: yes
11:16 < detha> SlowJimmy: so they can track you from site to site. Referrer plus fbcdn cookie
11:17 <+catphish> arahael: well in the UK they use whatever they want, but the main piece of information they have is your balance
11:17 <+catphish> detha: this is already illegal in europe without permission i believe
11:17 <+catphish> but most people give that permission without even thinking :(
11:17 <+catphish> they're like "cookies, yeah sure whatever
11:18 <+catphish> "give me my free content now!"
11:18 < detha> most sites stop working without, so yeah.
11:19 < arahael> It's really different using the internet in Europe: Every website asks you to store cookies, explicitly.
11:19 < arahael> (Google, included)
11:19 < SlowJimmy> most sites assume that you agree to the cookies by visiting them, which is a foregone conclusion
11:19 <+catphish> originally browsers prompted for cookies, users got so fed up of it, they just changed it to accept all by default, now that's rather backfired, i almost wish they'd restore the old behaviour and allow the site to provide an explanation along with the cookie
11:19 <+catphish> SlowJimmy: technically they need consent
11:19 < detha> The whole cookie permission thing could have worked, had they passed that law 15 years ago
11:20 < SlowJimmy> catphish: But do I have any way to deny that consent?
11:20 <+catphish> SlowJimmy: your browser has a setting
11:20 <+catphish> detha: browsers used to ask, people didn't like it, so the default now is accept all, really it'd be nice if they went back to asking by default, with an explanation for each one :)
11:21 < arahael> SlowJimmy: In firefox, I set cookies to only last the browser session. Ie, I close the browser: All cookies get deleted. Still enough to track me, but the damage is less.
11:21 < arahael> catphish: It'd be wonderful, indeed.
11:21 <+catphish> arahael: that's pretty sane
11:22 < SlowJimmy> arahael: at least you made a decision and didn't just click next
11:23 < arahael> SlowJimmy: I often do. On the iPhone, I use the duckduckgo browser most of the time... And the browser in miniKeepass for where I actually like the cookie, though I do wonder how sandboxed it is. I hope it's sandboxed.
11:24 < arahael> Still, it means that what I do in duckduckgo is unlikely to be tracked with facebook, as I never use facebook on that browser.
11:25 < SlowJimmy> if you still have the app you are screwed though
11:25 < SlowJimmy> and I assume a lot of people who use facebook on their phone have the app
11:25 < arahael> SlowJimmy: I don't.
11:25 < SlowJimmy> on a phone the apps can sometimes access the hdd as you know
11:25 < arahael> Installed it though, but quickly deleted it... The facebook app is pretty awful.
11:26 < detha> easier. I never used facebook, and all of facebook and its cdn is blocked in the firewalls
11:26 < SlowJimmy> i mean they can access what other apps have stored
11:26 < arahael> SlowJimmy: Not on the iPhone.
11:28 < SlowJimmy> Shouldn't text based browsers be more secure?
11:28 < SlowJimmy> since there are no flash ads involved
11:28 < arahael> They typically do less.
11:28 < arahael> No flash on iPhone either.
11:30 < SlowJimmy> detha how did you block all that in your firewall?
11:30 < SlowJimmy> you just banned the IP of fb?
11:31 < detha> all 80/443 is proxied through squid, hard blacklist in squid on domains
11:31 < arahael> That works.
11:32 < detha> Works mostly. For some other things I have a cron job doing DNS and AS lookups every hour, and populating a pf table with the resulting IPs/ranges
11:32 < SlowJimmy> how do you know what to put on the hard black list?
11:33 < detha> a fancy version of curl $site | grep http
11:34 < arahael> detha: I suppose you'd whitelist the amazon ip addr ranges?
11:34 < detha> aws yes
11:35 < detha> too many different things flipping in and out of there
11:35 < SlowJimmy> doesn't google provide similar services?
11:35 < detha> gce and friends?
11:35 < SlowJimmy> ye
11:36 < arahael> detha: dns blocking will help with those, at least. I feel we're moving towards an age where blocking by IP is getting less effective.
11:36 < detha> same applies. but most of those are 'variable' IPs, so one can only catch it on domain lookup
11:37 < detha> and yes, by-IP is getting a lot less effective. Same for e-mail, RBLs don't really work effectively any more
11:38 < arahael> I use a VPN most of the time - except at work - and I notice that a lot of the networks that block email, work well with the VPN. Weird.
11:39 < arahael> (In particular: My local shopping center's public wifi)
11:39 < SlowJimmy> Why would they even block Mail?
11:40 < detha> one word: spam
11:40 < bezaban> blocking mail how? A lot of providers filter 25 and rightly should :)
11:41 < djph> detha: spam, spam, spam, spam, spam, spam, spam, spam, users are dumb, spam, spam, and spam
11:41 < arahael> If nothing else, it means spam doesn't come from that IP.
11:41 < detha> my one ISP just redirects any outgoing tcp/25 to their mail server, and rate-limits the %#^ out of it
11:41 < arahael> detha: That's a *really* good way of doing that.
11:42 < bezaban> or just use imap
11:42 < arahael> bezaban: Most places block imap, smtp, and pop3.
11:42 < bezaban> arahael: never seen that, seen a lot of blocking 25 though
11:42 < detha> imap is a strange thing to block
11:42 < djph> my ISP did that, a quick call of "hey guys, this one thing I have is crap, and needs 25 ... yes, yes I understand if I start spamming you'll fine me to hell and back ... okay, thanks!"
11:43 < arahael> detha: It means that if you want email, you're more likely to suck it up and use the corporate email.
11:43 < arahael> detha: Rather than your own email system.
11:43 < detha> Or just use gmail/whatever through a https interface
11:44 < arahael> detha: Plenty of loopholes, sure, but it means you can't use your local email client.
11:44 < arahael> Still, in this age, that's becoming less and less effective as people move to putting the entire internet over http.
11:45 < djph> I think you mean "https"
11:45 < arahael> djph: I wish.
11:45 < SlowJimmy> djph i doubt it
11:45 < detha> arms race. first firewalls just blocked ports. Now firewalls do DPI.
11:46 < djph> there's a push to move things to https ... http (no tls/ssl) is going away ...
11:46 < arahael> djph: Yeah, I like that.
11:46 < arahael> I do wonder why google is encouraging it, though.
11:46 * arahael doesn't trust google.
11:47 < djph> because they've got clout in the "industry"
11:47 < detha> I don't like it. It has pushed every office into 'you can't have internet unless you trust our firewall cert'
11:47 < arahael> detha: Mine's done that too.
11:47 < djph> true, it has downsides.
11:48 < arahael> detha: They don't appear to be mitm'ing, though.
11:48 < detha> arahael: why google does it? google wants your data for themselves, no one else can have it
11:48 < arahael> detha: But it really irks me that *nothing is stopping them*.
11:48 < arahael> detha: How does https help with that?
11:48 < SlowJimmy> detha: maybe google is doing well if the internet is doing well
11:49 < arahael> SlowJimmy: And yet, Google kept Flash alive.
11:49 < arahael> On linux, for instance, Google Chrome is the only supported flash implementation.
11:49 < detha> arahael: it stops, for example, your ISP from seeing your search history. Google still has it though
11:49 < arahael> detha: Ah, there's that, true.
11:50 < SlowJimmy> what about gnash?
11:50 < djph> although my office hasn't done that. the bossman is level-headed enough to realize MITM'ing the connection means we're *potentially* opening ourselves up to an "oh hey, so we found that doing that was sending cc info to china"
11:50 < arahael> SlowJimmy: Who supports gnash!?
11:51 < arahael> djph: Yeah, once the office introduced certs like that, I stopped logging into any of my more private accounts. (Such as indeed, my CC account)
11:51 < SlowJimmy> arahael: Not sure who exactly, been a while since i used flash...
11:51 < djph> I mean, it's not like we're not reading your email (you sick fuck) ... but at least we're not sending your cc to china :)
11:52 < SlowJimmy> arahael: i think icecat? used to...
11:52 < djph> but then, bossman is a graduate of BOFH-U
11:52 < bezaban> I don't mind the certs for internal resources etc, but I do mind the mitm, but that doesn't seem to be happening here :)
11:52 < arahael> djph: Yeah, when Google was reading my mail, I switched providers.
11:53 < arahael> djph: It really stinks when BOFH happens.
11:54 < djph> arahael: I dunno, my BOFH is quite an agreeable sort. I just have to remember that the file cabinet is really a bulk eraser, and to test the floor tiles before walking through the computer room
11:55 < arahael> djph: To be fair, I think a lot of the "BOFH" happens as a result of impatience: Not wanting to explain or discuss the request.
11:55 < djph> ... must've been when I rewrote rm to replace /home/mydirectory with rm -rf /home/bofh ; rm -rf /root
11:56 < arahael> djph: ... And indeed, the expectation that anyone below you in the organisation has no clue! Why would they be running 'rm', anyway? They have a policy of not deleting files!
11:56 < arahael> (Certainly felt that way)
11:57 < turtle> y'all hoard them or something?
11:58 < djph> turtle: "them"?
11:58 < turtle> files
11:58 < djph> yes
11:58 < djph> at least I do.
11:58 < djph> minimum two backups (plus the drive it's on)
11:58 < turtle> "these are my system libraries from 2004 i keep them around because i might use them some day" *hoarders theme music*
11:59 < turtle> "just one more night with the poop!"
11:59 < djph> nah, unless I forgot about a disc somewhere, I only keep backups for ~18 months.
12:00 < djph> well, except the tax returns (digital + paper) - those are 5 or 7 years ... whichever the IRS wants me to keep
12:08 < arahael> I tend to keep my files "forever", but I try to clean them out from time to time. Eventually. (Never really happens).
12:08 < arahael> I don't hoard music or videos though, which keeps the sizes down.
12:15 < djph> I mean, I'm not saying I don't still have the files somewhere (that old hdd I forgot about, or some old backupdir that I forgot to clean when I wrote better scripts ...)
12:16 < arahael> djph: Unencrypted ad-hoc backups... Those were the days. :)
12:18 < djph> arahael: to be fair, I'm pretty sure my scripts are still doing that
12:27 < arahael> djph: To be fair, the main reason I encrypt mine is because I now backup to the cloud. :)
12:27 < arahael> No way in hell I'll send those up in the clear!
12:28 < Sircle> I suspect php is making bruteforce ssh attempts on other remote machines (maybe an app or wordpress got compromised). How can I check if it is really php?
12:28 < Sircle> I have restricted OUTBOUND ssh via iptables so I can investigate. Things are in control now. how to know if it was php? how to know which process / user is attempting to make ssh connections?
12:28 < arahael> Sircle: That would depend on the server.
12:29 < Sircle> it's ubuntu vps
12:29 < arahael> Sircle: netstat, perhaps.
12:29 < Sircle> arahael, any specific command?
12:29 < arahael> Sircle: However, it might be sensible to simply block outgoing ssh entirely.
12:30 < arahael> Sircle: I don't do much sysadmin, to be honest. I'm a programmer.
12:30 < arahael> Software Engineer.
12:30 < djph> arahael: oh, quite right. my backups are too large (kids pics / holiday plays / etc) to make that worthwhile (at least due to filesize / bandwidth ... cost is annoying too)
12:31 < Sircle> arahael, I blocked port 22 for outgoing by iptables. You have better ideas?
12:33 < arahael> djph: Yeah... I don't have that many pics, or movies. A couple of GB, perhaps.
12:34 < arahael> djph: I don't backup my VM's, either.
12:34 < arahael> Nor applications.
12:35 < djph> arahael: yeah, I didn't have that much data ... and then kids ... o_O
12:35 < MaxFrames> hi
12:36 < arahael> djph: :)
12:36 < arahael> djph: Once (if!) I have kids, I expect to have a more comprehensive home network.
12:36 < arahael> djph: Right now, it's just a gateway, and one's personal devices... And the wife's personal devices...
12:36 < MaxFrames> does anyone know if J4858C (HP part number) and 3CSFP91 (3Com part number) are the same GBIC?
12:38 < djph> your best source of info would be if HP has the supplier's model number noted somewhere (they likely don't)
12:38 < MaxFrames> there used to be a code converter page on HP's web site but it has been removed
12:39 < MaxFrames> I need a gbic for a temporary connection, I have a 3com available and I would not want to buy a new one if this one's ok
12:40 < djph> stick it in the slot, see what happens
12:40 < MaxFrames> can the switch be damaged (hp 2530) if the gbic's not compatible?
12:40 < djph> it just won't work
12:40 < djph> unless you 300-pound gorilla it into the slot or something
12:40 < MaxFrames> lol
12:45 < detha> arahael: if/when you have kids, be prepared for 'sh*t where's all my bandwidth gone?'
12:46 < cnf> kids be throttles, you
12:46 < cnf> yo*
12:46 < cnf> don't need moar than 512KB/s
12:46 < detha> s/throttles/throttled/ ;)
12:47 < arahael> detha: That already happens.
12:47 < arahael> detha: My wife is addicted to youtube and netflix. And we have only mobile internet.
12:47 < MaxFrames> both gbics are multimode and 850nm
12:48 < arahael> detha: If I had kids, though, and I had that issue, I'd definitely be keen to look into traffic shaping. ;)
12:49 < arahael> And some seriously restrictive firewalls. Then again, what's the point? Once they argue and win access to youtube, they'd have *everything*.
12:50 < detha> exactly. those devices get thrown in their own vlan, with speed limiter, and only minimal restrictions on where they can go
12:53 < arahael> I don't think I'd want my kids to have access to anything without supervision.
12:55 < arahael> We spend way, way too much time on the internet.
12:56 <+catphish> i never go on the internet
12:56 < detha> he said on the internet
12:56 <+catphish> i think he was stating the problem, not solving it :)
12:56 < cnf> arahael: yeah, keep them on a leash
12:57 < detha> arahael: technical restrictions on youngsters just leads to an arms war, hidemyass proxies, etc. etc.
12:57 < djph> least until they're old enough to know things like "their 'friend they met in a chatroom' doesn't need to know their street address"
12:57 <+catphish> maybe, or just kids who don't know anything about reality
12:58 < djph> catphish: given that near on all millennials don't know anything about reality, i don't think restrictive internet rules was a cause
12:58 <+catphish> it's funny, my generation learned all this ourselves, yet we feel the next generation will be incapable of doing so
12:59 <+catphish> anyway, my opinions on parenting are meaningless since i'm not going to have children
12:59 < arahael> catphish: There is a theory that each generation tries to make their kids avoid the same mistakes.
12:59 < djph> catphish: your generation was also probably told "it's nice outside, take your bike and get out. you can come home for lunch"
12:59 <+catphish> djph: yes
12:59 < detha> catphish: small difference, in the olden days the internet still forgot. Today's internet doesn't forget. Ever.
12:59 <+catphish> djph: that's the kind of thing i believe in
13:00 <+catphish> detha: that's indeed a problem :(
13:00 < djph> detha: the internet forgot?
13:00 < arahael> Today's internet is *crazy*.
13:00 <+catphish> my 12 year old yahoo chats have been deleted thank god
13:01 <+catphish> the scary thing is recording *everything*, no opportunity to make mistakes and put them behind you
13:01 < arahael> The real issue, is the teenage politics: That stuff will keep with you _forever_.
13:01 <+catphish> yep :(
13:01 < arahael> So if you were a freethenipple fan as a kid... You probably got away with it. Do that now, online... Messed for life.
13:02 <+catphish> one of my best friends is still someone i met on yahoo chat on the other side of the world, i finally met them in person *16* years later
13:02 < djph> detha: http://archive.org
13:02 < detha> djph: there's no record there of, say, ancient BBSs or the earlier network chats
13:03 <+catphish> indeed, in fact basically nothing until fairly recently
13:04 < detha> and since google fscked up dejanews, much of the old usenet has also disappeared from public view
13:04 < arahael> It's one of the reasons I *always* use a VPN now, but even there, I only started that like, weeks ago. :(
13:04 <+catphish> i don't really care, i'm old enough not to share anything i regret these days
13:05 <+catphish> but as a teenager it could be devastating
13:05 < arahael> The real issue is HR.
13:05 < arahael> Ie, the workforce.
13:07 < arahael> Particularly if your drunken night at the uni was plastered everywhere.
13:07 < arahael> (No, that didn't happen to me!)
13:07 < detha> Also, an example from an interview 10 years ago, $youngster wants to rent a room. $landlord looks up $youngster on myspace/FB, and says 'No, not interested. Too much of a late-night party animal'
13:08 < arahael> I'd bet that happens today, absolutey.
13:08 < arahael> *absolutely.
13:10 < arahael> So if anything, the internet is even more scary. (I never use my name online, though I do use my name on my domain name... It was required when I signed up. Australia. *sigh*)
13:11 < ^7heo> it's not australia specifically
13:11 < ^7heo> valid IDs are required for more and more domains
13:11 < ^7heo> which is bs since you can basically just run a free "DNS resolver" and get as many of those as you want ;)
13:12 < ^7heo> because you know, *free* DNS resolver.
13:15 < arahael> I'm still trying to get rid of facebook. :(
13:15 < arahael> All my friends use it. :(
13:26 < djph> detha: fair enough
13:27 < MikeSeth> arahael: get new friends
13:27 < MikeSeth> /problem
13:27 < djph> family was horrified when I told them "oh hell no, no pics of my kid on FB"
13:28 < djph> then when I highlighted the important bits -> "All your stuff is ours, kthx. --facebook" <-- they at least stopped acting horrified in front of me that I was like "no"
13:28 < MikeSeth> family was horrified, cps was horrified, facebook was horrified, cia was horrified
13:28 < djph> granted it hasn't stopped them from posting pics of their goblins
13:29 < MikeSeth> i will just reiterate my general support for abortion coupons as gift items
13:29 < djph> errr
13:30 < MikeSeth> no no
13:30 < MikeSeth> there's no "err"
13:31 < arahael> MikeSeth: CPS!?
13:31 < arahael> Oh, sarcasm.
13:31 < MikeSeth> Oh, sarcasm!
13:31 < arahael> MikeSeth: Imagine if CPS used facebook as part of their investigations, though!
13:31 < djph> arahael: they'd get even LESS done!
13:32 < antgo> my wan link starts to drop packets over 90% and gives me a 1k+ to 10k+ lag as soon as i connect to a remote icecast stream. lan is 192/24 but 2nd hop in mtr output is 10.0.0.1, started to notice drops an hour ago. could you see me through ways of where do I go from here?
13:32 < djph> tell your ISP to unfuck their network
13:33 < antgo> djph: is what I asked the link owner to do, awaiting updates. what i wasn't aware is that the isp side of the link can be on a 10/* network, is that pretty normal?
13:33 < arahael> What's a 10/* network?
13:34 < antgo> 10/8 or 10/24, a.k.a. 10/idk as in I don't know their subnet mask
13:35 < djph> sure, you can route over RFC1918 space. It's kinda wrong if they're NATing you to 10.x though -- should be 100.64/10 (CGNAT / RFC6598) instead
13:35 < arahael> Ok, whilst I understand subnets, this is over my head. :)
13:36 < djph> but at least it's not HP's or AOL's space, like some shit ISPs in India do.
13:36 < antgo> djph: I see. thanks for the refs, I fetch them now
13:37 < detha> ISPs routing traffic through rfc1918 space is perfectly normal, they are just too cheap to use proper space.
13:37 < djph> too cheap, or too small, or ...
13:37 < detha> djph: add Africa to that :p
13:37 * arahael wonders when he'll finally have IPv6, and if it makes any difference.
13:38 < djph> detha: haven't seen anyone from Africa in here complaining about that yet.
13:38 < detha> djph: now you have
13:38 < djph> detha: stop being such a shit ISP then
13:38 < djph> :D
13:39 < detha> traceroute from here to 8.8.8.8 has 10/8 and 20/8 addresses in it....
13:40 < djph> 10/8 ... meh, 20/8 ... hmm, just shows for ARIN. Too lazy to break it up though
13:40 < detha> 20/8 was some US defense contractor, if I remember correctly
13:41 <@pppingme> 20/8 is valid, broken down to several people
13:42 < djph> detha: no idea, stupid arin isn't showing a breakdown, and I really don't want to walk through the /16s
13:42 < djph> ... or, well, anything between /8 and /16
13:42 < djph> (or hell, smaller)
13:43 < detha> 20.0/11 is "Microsoft Routing, Peering, and DNS"
13:43 <@pppingme> 10/8 is probably your isp using rfc1918
13:43 < detha> pppingme: yeah.
13:43 < detha> but the 20/8 hops shouldn't be there.
13:45 <@pppingme> if it goes through any of ms's cloud stuff it might
13:45 <@pppingme> what's the specific 20. ip's?
13:45 <@pppingme> or it could be some isp still using it like rfc1918 space
13:45 <@pppingme> seemed like I remember a decade ago 20/8 was DOD
13:46 < detha> 20.0.0.x. Which is on equipment that MS would have nothing to do with (highsites, tik and ubnt gear)
13:47 < djph> well, MS owns 20.0/11, so ...
13:47 < djph> Azure perhaps?
13:47 < detha> The whole 20/8 used to be CSC corp, and rarely got used
13:47 < detha> MS probably uses it in Azure yes
13:47 < djph> hmm, they picked it up 2017-10-18
13:48 < djph> csc, wasn't that something like "corp service corp" or something
13:48 <@pppingme> it appears ms has had pieces of 20 since 1998
14:00 < ^7heo> one does not need routing when using a SOCKS tunnel, does one?
14:08 < djph> ^7heo: at some point I'd expect one to need routing somewhere. Although I expect that the routing would be in whatever link is encapsulating the tunnel, rather than the tunnel itself
14:08 < ^7heo> I dunno, I'd expect the routing to happen as if it would be done on the remote SOCKS server.
14:09 < ^7heo> otherwise, what interface would I even set for the routing, locally?
14:09 < MikeSeth> routing is the selection of an interface and the gateway for the outbound packet
14:09 < djph> ^7heo: I mean, in order to set up the proxy, you need to talk to it. Once you're directing traffic over the tunnel, then the routing should be handled by the endpoint
14:10 < ^7heo> I feel like sometimes in this channel, there's a random markov-google bot
14:10 < ^7heo> that selects random things as input, and outputs wikipedia.
14:11 < ^7heo> djph: I have an SSH socks tunnel that works properly when used over firefox; however over tsocks I can't do much with it.
14:11 < ^7heo> I mean, I can tsocks curl
14:11 < ^7heo> that works
14:11 < djph> ^7heo: hm ... never used tsocks
14:11 < ^7heo> yeah well
14:12 < ^7heo> what I don't get is that I can access any route that's behind the router, but nothing local
14:12 < djph> ^7heo: blame systemd and/or openssl :)
14:12 < ^7heo> I'm not using systemd, ever.
14:12 < ^7heo> but yeah I could blame openssl, easily.
14:12 < ^7heo> what's NOT to blame with openssl anyway?
14:12 < djph> unfortunately, I think systemd
14:13 < djph> well, until it makes ssld
14:13 < ^7heo> dat gunna b fun.
14:13 < arahael> I don't mind systemd, unless I need to use docker.
14:13 < ^7heo> for me it's the other way around.
14:13 < djph> ^7heo: it's gonna make all your problems with openssl look like a walk in the park
14:13 < ^7heo> I mind systemd, unless I need to use docker.
14:13 < ^7heo> then whatever, shit's fucked anyway.
14:14 < ^7heo> djph: possibly yes.
14:14 < arahael> ^7heo: Ha... Because I was going to say that systemd and docker are incompatible.
14:14 < djph> docker looks interesting from time to time ... but then I start reading, and am like 'why in the hell would anyone even *use* this"
14:14 < ^7heo> what a fucking surprise.
14:14 < ^7heo> djph: for mocking during tests.
14:15 < ^7heo> a-la travis.
14:15 < ^7heo> but even then there are better alternatives.
14:15 < ^7heo> so...
14:15 < arahael> djph: It's really elegant to be able to spin up stuff in a relatively controlled environment.
14:16 < djph> ^7heo: ah, so it's a convoluted way of performing unit tests
14:16 < ^7heo> djph: yeah more-o-less.
14:16 < ^7heo> arahael: elegant is such a poor choice of phrasing.
14:16 < arahael> Not unit tests. System tests.
14:16 < ^7heo> arahael: convenient, sure.
14:16 < ^7heo> elegant, fucking not.
14:16 < djph> I suppose that's a good idea ... but it seems that "spinning up a clean / controlled environment" will end up with "well it passed the tests ... and then deleted all of PROD"
14:17 < ^7heo> nah the real issue is that it's a fucking hack on top of hacks and if you actually try to do system tests like arahael suggests, you're gonna run out of isolation pretty fast.
14:17 < ^7heo> if I had to run system (as in OS) tests, I'd do it over proper virt.
14:17 < ^7heo> definitely not systemd or rkt or else
14:17 < ^7heo> s/systemd/docker/
14:18 < ^7heo> same shit, different names.
14:18 < arahael> Proper virt is relatively slow, though.
14:18 < arahael> But it's really not about virtualisation, as I learned the hard way.
14:18 < arahael> It's all about the docker file <-- That's really nice, you can version it, etcetera.
14:19 < ^7heo> docker, the answer to people who don't understand make.
14:20 < djph> ^7heo: I thought that was man make
14:20 < ^7heo> eventually, we're all gonna need rockets to go do groceries.
14:20 < ^7heo> djph: nah, man make, you need to read stuff in a terminal.
14:20 < ^7heo> djph: with docker, you can read "nice web javascript-enriched stuff"™
14:20 < ^7heo> you know, because you need to justify using a 100$ mouse at work.
14:21 < djph> ^7heo: well, at least you didn't say "you can watch 48 minutes of YT tutorials for something that reading would take 2 mins"
14:21 < ^7heo> well that alternative is available tho.
14:21 < djph> ^7heo: they tried that. I showed the reigning BOFH that I was a contender.
14:22 < djph> He was impressed I could get that much voltage multiplication in that small of a mouse.
14:23 < arahael> ^7heo: Don't use make to manage your build tools. Use make to manage the compilation, only.
14:24 < ^7heo> djph: found the problem. tsocks(1) has a 'reaches' config field.
14:25 < ^7heo> that means "don't use the next hop for this"
14:29 < djph> ^7heo: hooray manpage?
14:30 < ^7heo> djph: well that still does not explain why firefox won't work with it.
14:30 < ^7heo> djph: because it's fine that I can curl to my server, but I need a fucking browser...
14:31 < djph> ^7heo: wait, didn't you say before that ff worked?
14:33 < ^7heo> djph: for remote sites yeah
14:44 < dogbert_2> sheesh...college freshman switches majors when he finds out how much math is required for a comp sci degree :)
14:46 < javi404> dogbert_2: haha
14:46 < javi404> WTF they switch major too? comp sci can't be more math and computer engineering or EE
14:46 < dogbert_2> yeah...LOL
14:46 < javi404> I suck at math because I have ADD
14:47 < javi404> but I could feel the answers and guess them right
14:47 < javi404> haha
14:47 < javi404> best explanation I can give anyway.
14:47 < javi404> I haven't hung here in a while
14:47 < javi404> i need to more often
14:48 < dogbert_2> javi...a lot of students show up to college completely unprepared to handle coursework... though back when I started, you wanted a comp sci degree, it was calc I/II, linear algebra, applied stats, Diff Eqns, Abstract Algebra, and Numerical Analysis
14:54 < Spice_Boy> a degree you say?
15:03 < dogbert_2> yeah, that was the math requirement for a bachelor of science in Comp Sci back in 1981 when I attended college
15:03 < cleveland> Hi! I have 2 security critical small networks. Both networks must have internet access through the same router. I want to keep these 2 networks physically segregated, so no VLANs allowed. Which devices should I be using for this?
15:04 < Epic|> Wire cutters
15:04 <+xand> cleveland: you can't physically separate them if they share a router... the router can firewall between them
15:04 < Epic|> Just drop traffic between them
15:05 <+xand> yeah that
15:07 < cleveland> So if I have 172.16.0.0/24 and 192.168.0.0/24, both using the same router, the most security paranoid way to make things work would be dropping the traffic between them?
15:07 < jvwjgames> hello
15:08 < jvwjgames> hello
15:08 < MikeSeth> cleveland: the most security paranoid way would be having two disjoint internet gateways
15:08 < MikeSeth> and total absence of any physical connection
15:08 < cleveland> MikeSeth: sure. Beside that what would be the second best solution?
15:10 < MikeSeth> a separate management vlan for the router and switches with physical security of the ports on which it is enabled, and two physical networks for the targets, plus the router firewall or access control rule to block traffic between these networks, as well as a policy document that enumerates these conditions and automated method of periodically testing them
15:10 < jvwjgames> i have a question someone posted a spam support ticket on my site and yes i have captcha active and their IP got logged what is best practice for reporting it
15:11 < MikeSeth> jvwjgames: the abuse dept of their ISP
15:11 < jvwjgames> how do i find that out
15:12 < MikeSeth> jvwjgames: look it up in whois
15:12 < jvwjgames> ok what if it is another country
15:12 < MikeSeth> as long as it's a civilized country, it'd work
15:12 < jvwjgames> ok
15:15 < jvwjgames> ok thanks do i have to pay anything also it is in EU so i have the Abuse info it is from RIPE
15:16 < quazimodo> i can't quite figure this out
15:17 < quazimodo> bind seems to be up, it's forwarding to 8.8.8.8 but when I switch NetworkManager to use 127.0.0.1 as the DNS, nothing works
15:17 < quazimodo> no domains resolve
15:19 < djph> read the log
15:23 < cleveland> MikeSeth: So the physical structure would be the router connected to 2 switches (port security enabled), one for each LAN. Logically I would also have a router management VLAN and a firewall in the router dropping packets between the networks. Did I get it right?
15:24 < Sircle> one of our domains got suspended. Registrar says it was registered under someone else's name. Registrar is not giving registrant's name (maybe a clerical mistake in our company). What are the chances we can recover it?
15:25 < tds> Sircle: if it's a uk domain you force a transfer via nominet if you have access to the contact email, otherwise you're probably stuck sorting it out with the registrar
15:26 < Sircle> its a .com registered with reg.ru
15:26 < Sircle> tds, how to know the contact email?
15:26 < tds> if it's a com domain nominet won't help
15:26 < tds> but you may be able to find the details via whois
15:27 < Sircle> tds, whois is empty for this domain
15:27 < Sircle> I messaged you
15:28 < tds> yeah, looks like it's using some kind of contact privacy service
15:35 < MikeSeth> cleveland: yes, the point of the former is to exclude [as far as possible] any possibility of the router being tampered with from network A to get into network B
15:35 < MikeSeth> of course it is not as strong a guarantee as physical separation, but in practical terms its very close
15:37 < Sircle> tds, what are my chances now?
16:30 < Smallville> hello
16:31 < Smallville> i have a little issue with Sharp printers saying "selected servers are not found."
16:31 < Smallville> I can print to them but I can't scan to email
16:31 < djph> check DNS
16:31 < Smallville> Sharp MX4101N, MX-M753N, and MX-2600N
16:32 < Smallville> DNS is good
16:32 < djph> and it's correct on the printers? you haven't done something silly like typo the IP address, or block traffic originating from the printers to some other VLAN?
16:33 < Smallville> they were all working 20 minutes ago
16:34 < Smallville> i restarted the routers and they stopped scanning to emaik
16:34 < Smallville> *email
16:34 < freakynl> Maybe the SMTP server is no longer reachable
16:34 < djph> then check your router / firewall
16:35 < djph> and next time don't forget to make sure the running config is also the boot config
16:35 < cleveland> MikeSeth: dumb question now. Am I able to configure private LANs with different network ranges using these two switches and then connect the switches to the router? I mean, suppose I configure switch A and its LAN with IP 192.168.0.0/24. Switch B and its LAN with IP 172.16.0.0/24. When I connect both switches to the same router/gateway, will PCs in each LAN access the internet?
16:36 < Smallville> Hmm
16:36 < djph> cleveland: the switch IP addresses likely won't matter. They will, of course, affect whether you can manage them or not
16:37 < Sircle> What makes a registrar a registrar and gain control over records of a domain?
16:37 < MikeSeth> cleveland: switches wont care about your layer 3 IP configurations, beside the management vlan and IP and ACL used to configure the switch
16:37 < djph> as long as you've got vlan tagging (or not) correct, a switch will happily forward ethernet frames to the correct destination
16:37 < MikeSeth> cleveland: they will relay the traffic to the router
16:40 < cleveland> Right so if IPs do not matter for switches, this means the only thing that prevents a device in layer A communicating with layer B is the firewall/ACL in the router. Is that correct?
16:41 < cleveland> *a device in NETWORK A ...
16:41 < MikeSeth> cleveland: no no no no. Since you don't have a physical connection between A and B beside the possibility of packet forwarding between interfaces on the router, the only thing that potentially *enables* a possibility of communication is the router
16:44 < cleveland> Oh, right, the router ports are independent. The firewall/ACL is an extra precaution after all?
16:44 < djph> no
16:45 < MikeSeth> depending on the router it may or may not be, if the router is a linux box that's configured to never route anything to anything by default that's one thing, if it's pfsense with permissive rules that's another thing
16:45 < MikeSeth> but it needs to be explicit in any case
16:45 < djph> if you have two networks, and a router (and y'know, working configs) ... the router will happily forward packets between both networks.
16:46 < djph> that's its job after all.
16:46 < MikeSeth> djph: I'm assuming 'router' in this case is a firewall
16:46 < djph> yeah, it gets a little fuzzy when the router / firewall are the same box
16:47 < MikeSeth> because if this is the only setup, then an actual ROUTER would be the opposite of what you want here
16:47 < djph> generally when that happens (at least in my experience, and I've not experienced *every* permutation there is), the firewall defaults to permissive.
16:47 < MikeSeth> djph: e.g. pfsense would
16:47 < djph> or most generic nix boxes
16:48 < djph> dunno juniper / cisco so much (I *recall* that they were permissive by default, but it's been ages since I've touched one)
16:48 < cleveland> Ok, so what if the router is a soho one? By plugging my switches into the router ports, what would happen?
16:50 < djph> they'd most likely be on the same network, what with soho "routers(tm)" being multiple devices crammed into one box, generally one of which being "a switch".
16:50 < djph> also, a wireless AP and even sometimes a modem.
16:51 < djph> ... at least that's what the usual suspects (Netgear, Dlink, Linksys, tptrash, etc.) generally do. There *may* be others that're slightly more business-oriented that behave better.
16:52 < cleveland> Hm ok, so if the 'router' I am talking about is a soho, how would I make two separate networks? Would I need to plug the 2 switches into a real router/L3switch and then this guy into the soho router?
16:52 < djph> depends. what make / model are you talking about?
16:53 < cleveland> Linksys E1200
16:53 < cleveland> this is the soho I am referring to
16:54 < cleveland> Now for the 'real' router I do not know. What difference does the model make?
16:55 < djph> you would set it on fire, throw it out the window, and then install a proper router. an inexpensive example being a Ubiquiti ER-X. Alternately, I hear mikrotik makes some that aren't awful. There are always the "small business" offerings by Cisco / Juniper / HP / etc.
16:55 < cleveland> lol
16:55 < cleveland> I will make that happen
16:56 < djph> Note that few (if any) of these will offer "features(tm)" like wifi or a switch (although the ER-X can be setup as such).
16:57 < Sircle> What makes a registrar a registrar and gain control over records of a domain?
16:57 < djph> they wanted to be one at some point, and probably paid the right people to get named one.
16:59 < cleveland> So if I plug my switches into a decent router and this router into the internet cable, that should do it? And no communication between networks at first?
17:00 < djph> for the first part, yes. For the second, "it depends". Many routers are permissive-by-default (i.e. "allow all" ACLs)
17:00 < cleveland> The problem with poor linksys (beside it being crap as it seems) is there are no actual router ports available, but a weird switch embedded. Is that correct?
17:00 < djph> correct
17:01 < djph> it is a router + switch + wireless AP all crammed into one box
17:01 < djph> the two "routed" ports are the "WAN" port, and the "whatever is wired to the switch-chip on the motherboard"
17:02 < MikeSeth> if that is the case you probably would want to force vlan tags on both network connections to the router
17:04 < cleveland> Could I say that using a real router and 2 switches would be more secure than using this vlan solution?
17:05 < ||cw> not really
17:06 < ntd> that e1200 can do what you want it to with owrt/lede
17:08 < djph> .... VLANs or physical LANs going through two interfaces are, well, pretty much identical
17:10 < Sircle> What makes a registrar a registrar and gain control over records of a domain?
17:12 < ntd> sev factors
17:12 < ntd> ofc they have a deal with icann, regional tld registrars etc
17:16 < uxfi> oh
17:19 < djph> I'm fairly certain Sircle is at this point a chatbot
17:24 < Droog0x> Straight as a sircle.
17:26 < Sircle> :)
17:28 < DammitJim> pretty open ended question.... why does one put a server on the DMZ vs internal network?
17:29 < ||cw> when you want it on the internet and not on your LAN
17:30 < DammitJim> so, if the server is being accessed from the internet?
17:36 < Smallville> I changed smtp to Gmail. Now printer says ‘communication with server is lost‘
17:36 < Smallville> When trying to send scan to email
17:37 < ||cw> Smallville: latest firmware? probably google changed something. ask support
17:38 < Smallville> Support isn’t helpful
17:38 < Smallville> You guys are the experts
17:40 < ||cw> Smallville: your printer needs to support whatever google requires. that's really all there is. it's not like the printer is open source and we can tell you what code to change
17:41 < ||cw> you can enable smtp on a google account.
17:42 < Smallville> Ok I’ll try it
17:43 < detha> printer probably tries to submit through port 25. gmail wants 587
17:47 < Apachez> ?
17:47 < Apachez> gmail accepts on tcp25 last time I checked
17:48 < ||cw> how long ago was that?
17:48 < ||cw> for receiving they do, but for sending with auth it's 587
17:48 < Apachez> ahh yes
17:48 < Apachez> if you want to use them as a spamrelay you need to auth
17:50 < phre4k> Smallville: since we're the experts, I expertly recommend that you don't use google but host your own email
17:52 < Smallville> I used ports 587 (TLS)
17:52 < Smallville> And I tried 465 ssl
17:52 < Smallville> I do host my own email
17:53 < Smallville> But I used brighthouse smtp server
17:54 < Smallville> Scanner stopped scanning to email. So I’m trying to switch to gmail smtp server
17:58 < MikeSeth> 587 + starttls + auth it is, then
17:59 < Smallville> Ok
18:02 < cleveland> I have a VM with a virtual interface (VirtualBox) running over a Debian9 host. I want this VM to be my gateway for a physical LAN (PCs + switch). Can I do it just by setting the virtual interface in bridge mdoe?
18:02 < cleveland> *mode
18:04 < ||cw> cleveland: yes, if you have 2 nics in the host and/or use vlans properly
18:05 < cleveland> ||cw: 2 nics, one for the LAN and the other for external communication?
18:06 < ||cw> yes, and don't put an IP on the host on that external NIC
18:06 < ||cw> just have the guest bridged to it
18:06 < ||cw> and also have a 2nd vnic on the guest bridged to the LAN nic, which the host can have an IP on.
18:07 < ||cw> I recommend a static address on the host, then the router guest can host DHCP for everything else
18:34 < HEROnymous> hey guys
18:34 < HEROnymous> anybody in here know anyone associated with AS 6 ?
18:41 < Apachez> HEROnymous: AS6 Bull HN Information Systems Inc. ?
18:41 < Apachez> https://bgp.he.net/AS6#_whois
18:45 < HEROnymous> Apachez, right, both of those contacts are bogus - phones don't connect, emails bounce
18:45 < skyroveRR> Hi HEROnymous
18:45 < HEROnymous> howdy
18:53 < tds> HEROnymous: interesting, as6 seems to have the same issue as as3 on bgp.he.net where many prefixes are listed
18:53 < tds> I suspect someone is messing with as paths and feeding that data to route collectors
19:11 < electricmilk> Any way to tell the history of a website going down? Staff opened ticket that they couldn't access homedepot.com. Tested and sure enough it didn't resolve. Tried from VPN and went right through. Checked firewall logs and nothing is showing that it was blocked. Tested again and resolved. Checked from another workstation and resolved.
19:11 < electricmilk> Wondering if perhaps it was a DNS issue...or if the site just went down for a short period
19:14 < Peng_> Seems unlikely Home Depot would have a DNS outage, they use Akamai.
19:14 < electricmilk> hmm I just found a tool called currentlydown.com that states it has been up
19:14 < electricmilk> Peng_, Perhaps an issue with our DNS server?
19:15 < mast> Not sure how it compares, but I've always used 'http://www.isitdownrightnow.com'
19:16 < electricmilk> I've noticed sometimes our content filter doesn't give the message which is odd. When trying to access anonymous proxy sites it just gives a "This site can't be reached" error but the firewall still logs it
19:16 < electricmilk> With this case...no logs
19:16 < flying_sausages> Hey guys, I've got a question about starting an internet connection using mmcli and a PPP modem (Iridium Satellites). I've got calls and texts running with mmcli already, and I can also use the pppd to get to the internet, but I'm wondering if this is also implemented in mmcli and if so, how.
19:16 < electricmilk> Was also complaints of walmart.com not being available last week...but no logs
19:16 < flying_sausages> I also managed to get up and running using a 3g ublox modem but I'm puzzled how to get this running now, would this also be using --simple-connect? What are the bearer options?
19:19 < flying_sausages> this is what I get when I get the information about the Iridium modem, so this should have some useful info https://pastebin.com/jy7u2q0W
20:11 < debron> Hello.. Is it possible to limit network bandwidth to other computers in my LAN, from my computer by software? doesnt look possible
20:11 < electricmilk> debron, No access to firewall / router?
20:12 < debron> router, yeah
20:12 < electricmilk> Which router?
20:12 < debron> a mitrastar
20:12 < debron> movistar ISP
20:13 < electricmilk> debron, This is just a home or small office setup?
20:13 < debron> home, yeah
20:13 < electricmilk> It might be possible with messing with QOS settings...looks like a pain in the ass https://www.reddit.com/r/networking/comments/39oktj/limiting_kbps_of_a_specific_ipmac/
20:14 < electricmilk> There is software that limits use of other users using Wifi..but is considered an attack tool...if you are managing the network I suppose its alright though
20:15 < electricmilk> The router might have network throttling or some similar setting to limit bandwidth, but usually this is set for ALL devices
20:17 < Maarten> debron, you typically would control traffic from the router that handles your incoming/outgoing internet. Your router may have certain QoS settings to ensure no one gets all the speed. (Note that this screws up speed tests in most cases too, but it works) - You can't do it from your computer. There are programs however - such as NetLimiter for Windows - that you can install on the workstation you want to control and give them only a certain LAN
20:17 < Maarten> speed, but that would affect LAN communication as well as internet.
20:18 < debron> thanks electricmilk
20:20 < jeffspeff> i'm having an odd issue. one vlan on my network is having very slow internet access. running speed tests show the connection at 1-2Mbps down and about 8Mbps up. I installed iperf on a machine in that vlan and a remote server and tested on ports 5021, 80 and 443. On all 3 tests it reports about 25Mbps which is more accurate. Any suggestions on how to diagnose this further to figure out what/where my speed is being throttled?
20:20 < debron> thanks both, I'll read from here
20:21 < debron> someone installed a PLC in my network and at some times in the day its almost impossible to use internet
20:21 < debron> :/
20:22 < Kremator> debron, PLC? Power Line Connection?
20:22 < debron> yeah
20:22 < Kremator> well that's an easy fix, kill the person who installed it
20:22 < debron> lol
20:22 < jeffspeff> lol
20:22 < Kremator> then remove the PLC device
20:22 < debron> i wish sometimes
20:24 < jeffspeff> I can't figure out what the issue could be with that vlan. It's an office that my company just acquired so I'm trying to figure out how things are setup and configured. My first thought was a proxy hiding somewhere but I would have expected the iperf port 80 and 443 tests to reflect slow bandwidth if that were the case.
20:25 < electricmilk> When I was in school the IT guy thought it would be a great idea to install around 9 wireless routers around the campus in random locations with DHCP enabled...
20:25 < electricmilk> And he did this RIGHT before leaving on a 7 day vacation
20:25 < krzee> LOL
20:25 * jeffspeff barfs
20:25 < electricmilk> Took down nearly the entire campus
20:25 < krzee> drop timebomb, leave for vacation
20:25 < krzee> sounds fun!
20:25 < krzee> did he disconnect his phone too?
20:26 < jeffspeff> one if he was a real pro!
20:26 < jeffspeff> lol
20:26 < jeffspeff> *only
20:26 < electricmilk> So after trying to crack the admin password...my teacher and I just walked around the school with his phone following the wifi signal
20:26 < electricmilk> and unplugged.
20:26 < electricmilk> Sometimes its the simplest solutions that work best
20:26 < nobody> hi everyone :)
20:26 < detha> jeffspeff: only one vlan?
20:26 < krzee> lol yep!
20:26 < electricmilk> hi nobody
20:26 < jeffspeff> detha, multiple vlans configured
20:27 < jeffspeff> only 1 is having the issue
20:27 < jeffspeff> i've inherited this mess, i mean network
20:27 < detha> mtu issues somehow? try with a client with lowered MTU, see if that makes a difference
20:28 < jeffspeff> i have done iperf tests to a remote server connected via ike tunnel and an iperf test to a public iperf server; all of which show about 25Mbps. wouldn't an MTU issue be reflected in iperf tests and not just browser traffic?
20:29 < detha> it should
20:30 < ||cw> tried a different browser?
20:30 < jeffspeff> IE and Chrome
20:30 < jeffspeff> also checked settings for any proxy configs
20:30 < jeffspeff> and checked dhcp options for proxy as well
20:30 < ||cw> wireshark it?
20:31 < jeffspeff> next step i guess
20:31 < detha> silly test, go to something like whatismyip.com and see if that is somehow routed out a different link
20:31 < krzee> banisterfiend: hey man... so you wanted to know how the routing table works...?
20:31 < krzee> banisterfiend: what OS are you on?
20:31 < banisterfiend> krzee i'm kind of interested specifically how openvpn works though :) so....(1) it sets up a tun device (2) but how does this tun device get an ip address, not via dhcp right? (3) the tun device sends all its data via the gateway (i.e 192.168.1.1) right?
20:32 < banisterfiend> krzee i'm actually on windows, but you can explain in terms of osx/linux if it's easier
20:34 < krzee> banisterfiend: openvpn server can assign the address static or dynamic, or it can be ptp with each side assigning its own ip, there are a few options related to that. the vpn client only sends all traffic to the vpn server IF you configure it that way (which is a matter of adding routes, as seen in the openvpn manual under --redirect-gateway)
20:34 < krzee> banisterfiend: but the questions you asked in #openvpn were really just related to the routing table
20:34 < krzee> so take a look at route print (windows command)
20:34 < krzee> that shows your routing table, the most specific entries count
20:35 < banisterfiend> krzee but route print doesn't appear to show me which interface
20:35 < krzee> it shows you which ip address, which corresponds to an interface
20:35 < krzee> so same same kinda
20:35 < banisterfiend> how do i know which ip address corresponds to which interface?
20:36 < krzee> ipconfig/all
20:36 < electricmilk> Ugh our Exchange server is constantly trying to reach SMTP servers in China, Chile, Turkey, and Russia. What gives?
20:37 < banisterfiend> krzee nice
20:37 < electricmilk> I understand it if its the other way around (which is also happening) and those countries are contacting our Exchange server...but why is their source traffic from exchange going to China every couple minutes?
20:37 < krzee> electricmilk: ...did your admin leave on vacation yesterday??
20:37 < krzee> lol
20:37 < electricmilk> haha
20:37 < electricmilk> I think we have something nasty going on here
20:38 < krzee> ya sounds viral
20:38 < electricmilk> Arg
20:38 < krzee> i wanna tell you to lsof, but windows =/
20:38 < banisterfiend> krzee could you explain how the routing table could be setup for openvpn? like if the tun device is set as the default route...then how could openvpn ever talk to the outside world? won't the traffic just go round in circles? ultimately a route has to go to the router right?
20:38 < electricmilk> Well at least I have firewall blocking
20:38 < ||cw> electricmilk: returning a rejection message?
20:39 < Phil-Work> banisterfiend, you usually have a single route to the router for the public IP of the OpenVPN server
20:39 < krzee> banisterfiend: after setting up routing you then need to go to the server and configure NAT so the openvpn client packets get NAT'ed out to the internet
20:39 < krzee> you kinda turn the vpn server into a router for the vpn clients, if that makes sense
20:39 < electricmilk> ||cw, Where would I be looking for a rejection message? All I'm seeing is the firewall blocking incoming and outgoing connections to problematic countries
20:39 < Carll> electricmilk: Check for compromised accounts?
20:40 < electricmilk> ooo
20:40 < electricmilk> I need to clean up exchange
20:40 < banisterfiend> interesting
20:40 < krzee> oh and yes, what Phil-Work said is also part of --redirect-gateway as youd see if you read openvpn manual --redirect-gateway as i suggested
20:40 < electricmilk> I have no idea how to see which account its coming from
20:40 < ||cw> the exchange logs and queues I guess. I don't use exchange
20:40 < electricmilk> We are moving to Office365 soon..thank god
20:40 < ||cw> I know what I'd check on exim...
20:40 < krzee> ||cw: lol ya thats where im stuck with helping him too
20:41 < Carll> electricmilk: The logs will hold the answers.
20:41 < Phil-Work> some servers also push exclude routes for their own public IP
20:41 < electricmilk> Got it. Thank you. I'll just search for the IP's in the logs
20:41 < banisterfiend> so if i tcpdump on the tun device it just looks like normal packets, but when i tcpdump on the eth device then every single destination will just be going to the public of the openvpn server....and this public ip has its gateway set as the ip of the router? e.g 192.168.1.1 ?
20:41 < banisterfiend> cc krzee & Phil-Work ^
20:42 < Phil-Work> I've seen others push two /1s instead of 0.0.0.0/0 and also an exclude route for their own IP to try to override the local default route
20:42 < krzee> what do you mean "public ip has its gateway set as the ip of the router" ? makes me think you dont understand routing
20:43 < krzee> Phil-Work: yep thats the def1 flag to --redirect-gateway
20:43 < krzee> which if he EVER reads --redirect-gateway in the manual he will learn
20:43 < krzee> banisterfiend: go read that now, before your next question.
20:44 < banisterfiend> krzee heh possibly true - but i mean set things up so that if the destination is the public ip of the openvpn server, then it goes out the gateway rather than back in through the vpn
20:45 < krzee> theres more than just default gateways
20:45 < krzee> most specific matching route wins
20:45 < krzee> netmask is how you can tell
20:45 < krzee> !google cidr cheatsheet
20:46 < krzee> damn, no bot
20:46 < krzee> https://oav.net/mirrors/cidr.html
20:46 < krzee> so look at netmasks, as you go higher its more specific
20:46 < electricmilk> Any opinions on forcing users to redirect to Google/BING,Yahoo Safe search?
20:46 < banisterfiend> krzee i tried to read what you asked me to, but it's a bit terse, i think i might need a little more guidance. Can you explain how packets that are destined for the public ip of the openvpn server end up going out the router, whereas other packets go through the tun device?
20:46 < tds> banisterfiend: afaik openvpn adds in the route for the /32 via the original gateway by default
20:47 < krzee> banisterfiend: based on most specific route matching
20:47 < tds> (or the /128 if you're not using legacy ip ;)
20:47 < krzee> its nothing openvpn specific, you just need to understand routing
20:47 < banisterfiend> tds yeah exactly, i thought that's what i was saying by " public ip has its gateway set as the ip of the router? e.g 192" it's a /32 route for that public ip so it has to match the whole ip right?
20:47 < krzee> which is why we came here
20:47 < krzee> this is the best place to learn things like routing
20:48 < krzee> yes, it adds a /32 route which is the most specific possible
20:48 < tds> banisterfiend: since it's a /32 route it only covers that single IP (for v4), and since it's more specific it'll be preferred over any default routes
20:48 < krzee> exactly :)
20:48 < tds> ^ :)
20:48 < banisterfiend> ok cool
20:49 < banisterfiend> so if i look at: route print -4. i should see a route with the public ip/32 with its gateway set as my router ip?
20:50 < krzee> banisterfiend: and cool, i have no problem explaining stuff in --redirect-gateway i just wanted to be sure you read the manpage on it first =]
20:50 < Carll> Is there any privacy service, for free to offer; DNS servers that block trackers with 24-hour logs, free temporary emails, etc? -- I think I may look into configuring something..
20:50 < tds> it's 2018, use ip -6 route these days ;)
20:50 < kenlumbo> I have a BGP question. I have 2 peers, one is primary, with 2nd as backup. 2nd is backup via local pref and advertising communities to make the backup peer change their local pref, also as path prepend. My question is I'm adding another peer, but I would like this peer to only be active if the first 2 are down. Anyone have a nice doc that would help? I'm not sure if this is possible or not...
20:50 < krzee> banisterfiend: it depends on your settings, but when using --redirect-gateway the answer is yes
20:50 < kenlumbo> adding a 3rd peer*
20:50 < tds> kenlumbo: I'd just path prepend lots, and set an appropriate local pref
20:51 < kenlumbo> yeah...but that doesn't help their local pref
20:52 < kenlumbo> providers don't obey the as path if their local pref is set differently for their peers
20:52 < kenlumbo> which some do
20:52 < tds> if you path prepend enough (and they only compare based on paths), then they shouldn't ever prefer the route you're sending over the direct peering until the other routes disappear
20:52 < kenlumbo> some providers do
20:52 < kenlumbo> level3 being one
20:53 < kenlumbo> because of their local pref for their peers
20:53 < tds> ah, if you're saying that they're messing with preference inside their as, there isn't a great deal you can do other than communicating with them or setting communities
20:53 < kenlumbo> yeah, which I'm doing, but when doing this with 2 peers, then one will take over, and you can't control which....
20:55 < detha> kenlumbo: if your upstream supports it, send a 'do not advertise to l3' community when you don't want traffic over that link
20:56 < banisterfiend> krzee do you have any experience with WFP ?
20:56 < krzee> dont know what it is... maybe?
20:57 < krzee> world food program?
20:57 < kenlumbo> World Freedom Power
20:58 < krzee> oh windows filtering program
20:58 < krzee> nah i dont actually use windows
20:58 < krzee> i just know basic networking commands cause of helping people in #openvpn lol
20:59 < Sircle> Placing a virtual machine inside a VPS OS. Putting all the apps in the VM and making the outer VPS OS as firewall. Is this sane and have any benefits?
21:01 < banisterfiend> krzee ah ok...i have one more retarded question. I have a VM that i'm running windows in....and my router gateway ip (192.168.1.1) is not there, it seems to have become: 10.5.11.5. how is this possible? is it because the 'gateway' is really just a tun device sitting on my laptop?
21:01 < banisterfiend> or so, could you explain how that crap works? confusing.heh
21:01 < ||cw> Sircle: can you even run a VM in a VPS?
21:02 < Sircle> yes
21:02 < krzee> the "gateway" is the other side of your VM software
21:02 < Sircle> yes
21:02 < banisterfiend> krzee i guess so
21:02 < ||cw> Sircle: I'd assume it has the same benefits that any virtualization does
21:02 < tds> you'll be reliant on whatever hypervisor the VPS host uses exposing vt-x/amd-v inside the VMs
21:04 < Carll> Sircle: why not use 'containers'?
21:05 < Sircle> Carll, whats that?
21:06 < krzee> banisterfiend: and dont worry, your questions are pretty normal... not everybody is a networking expert... and from your hostname it seems you're pretty skilled in other areas of computing lol
21:06 < ||cw> Sircle: docker, for one
21:06 < Carll> Sircle: https://www.docker.com
21:06 < tds> there are things like LXC as well
21:06 < banisterfiend> krzee heh i'm a programmer that suddenly has to learn about all this networking stuff i never bothered with before :/ it's quite confusing
21:07 < krzee> banisterfiend: just remember i was nice if you ever see me in the ruby channel, as i know NOTHING about it lol
21:07 < Carll> Sircle: "Containers make it possible to isolate multiple applications running on a single server as well as implement software across multiple servers or move it easily from one environment to the next."
21:08 < banisterfiend> krzee with openvpn there's so many ip addresses: (1) the local ip address of the tun device (2) the public ip address of the openvpn endpoint (3) the ip address you're 'given' by the vpn and which you appear to have from the outside world. Is that accurate?
21:08 < krzee> banisterfiend: vpn's can be used for more than redirecting gateway, but in your very specific usage, yes
21:09 < krzee> banisterfiend: a vpn is merely an encrypted virtual network cable connecting 2 machines... you can do many different things with it
21:09 < krzee> ONE of those things is redirecting your internet connection to change IPs
21:10 < tds> banisterfiend: one thing to keep in mind, I'd say the "ip you're given by the vpn" is the ip on the tun device, though that might then be nated out to appear to be another address to the rest of the world
21:11 < wadadli> What are points that are typically included in a networking project proposal specification?
21:23 < javi404> Is it Friday yet?
21:23 < krzee> YES!
21:23 < krzee> YES IT IS!
21:23 < Carll> Close.
21:27 < Sircle> I wonder if I can have 2 or 3 fiber connections but still be able to use one ip
21:27 < ||cw> it's certainly friday somewhere
21:28 < ||cw> Sircle: if the device supports link aggregation, sure. used to do it with T1 lines back in the day
21:29 < Sircle> Can ips be bought?
21:29 < ||cw> yes
21:29 < Sircle> e.g I use dsl but I get a static ip no matter what isp / dsl I use?
21:30 < ||cw> not that easily, no.
21:30 < ||cw> you can get portable blocks, but it takes time and effort to switch where they go
21:30 < Sircle> portable blocks?
21:32 < Sircle> ||cw, whats that
21:32 < krzee> smalllaptop ~ # date +%A
21:32 < krzee> Thursday
21:32 < krzee> :( :(
21:32 < krzee> no no its not :(
21:33 < ||cw> a block of IPs that are portable, as in you can have them rerouted via different providers
21:33 < ||cw> but what you want is probably just dynamic dns
21:33 < ||cw> or maybe a VPS you can bounce your services off of
21:35 < Sircle> ||cw, like a proxy vps?
21:35 < ||cw> lets start with: what are you trying to accomplish
21:37 < Sircle> I have unstable ISP and want to host a web server
21:38 < ||cw> so get web hosting
21:38 < ||cw> don't even need a full vps
21:38 < qman__> if you want more flexibility, a vps is also good, you can get one for $5 a month or less
21:39 * Sircle is a fan of full blown systems
21:39 < Sircle> with more control
21:40 < Carll> Sircle: Consider using a VPS?
21:41 < ||cw> $5 is a whole lot cheaper than the last time I looked
21:41 < Carll> Sircle: I can give you a ref. code for discount (two months free) depends on your preference.
21:41 < krzee> but you can also use dynamic dns, ive run a website on a dynamic ip before
21:42 < krzee> i do agree to use a vps tho
21:42 < krzee> Carll: foor which vps provider?
21:42 < krzee> for*
21:42 < Carll> ||cw: I only pay $5 for 20GB D. & 1TB B. with 1GB ram.
21:42 < krzee> i know a guy who was in the market, he might still be
21:43 < Carll> krzee: DO & Linode.
21:43 < qman__> linode, digital ocean, ovh, etc
21:43 < krzee> oh nice, i think he was going linode, please pass the code!
21:43 < qman__> I use linode
21:43 < Carll> Linode is cool, DO offers more Disk.
21:44 < Evidlo> Sircle: the non-static ip problem can be fixed with a dynamic dns service
21:44 < Evidlo> self-hosting can be a learning experience though
21:44 < Carll> krzee: I'll PM you, okay?
21:44 < krzee> yes please
21:45 < ||cw> linode's plans are confusing, it's limited by bps, not total transfer?
21:46 < qman__> it's limited by total transfer
21:46 < qman__> the bps is the line rate
21:46 < qman__> more expensive plans can get faster lines
21:46 < Carll> ||cw: look at 'transfer'
21:46 < ||cw> there isn't one https://www.linode.com/pricing
21:47 < ||cw> oh, there. i'm blind
21:47 < Sircle> Evidlo, dyndns will route my trace for free?
21:47 < Carll> ||cw: Pretty cool provider. Very reliable.
21:48 < qman__> dyndns has ads
21:48 < qman__> use afraid.org if you need dynamic DNS
21:48 < qman__> but if you get a VPS you won't need dynamic DNS
21:49 < qman__> linode's DNS is pretty good, unlimited zones, and has a REST API
21:49 < qman__> 15 minute update time
21:50 < Carll> qman__: exactly.
21:50 < Carll> qman__: where are you based?
21:50 < bindi> cloudflare dns
21:51 < Carll> I use cloudflare free dns.
21:51 < HEROnymous> cloudflare free dns is actually great
21:51 < Evidlo> I didn't say dyndns. I said dynamic dns
21:51 < HEROnymous> cloudflare in general runs a pretty tight ship.
21:53 < Sircle> so what cloudflare does is route your public requests to your vps and roundrobin itself if one is down? if so, why would cloudflare route all data through itself for free?
21:53 < Maarten> too bad so many network devices (such as Cisco wireless controllers) abuse 1.1.1.1 for their own use when they aren't supposed to.
21:54 < Evidlo> For example, suppose I have example.com registered with namecheap.
I can configure my router (or any computer on my network) to automatically send a message to namecheap with what my current IP is every hour.
21:54 < Evidlo> then namecheap will update the example.com record to point to me
21:54 < Evidlo> you could also use cloudflare, but I think most registrars provide a dynamic dns service for free
21:54 < Evidlo> Sircle
21:56 < Sircle> ok. do namecheap and godaddy provide a free dyndns service? I guess if they do, i would have to install some application on my host machine that will tell the service its ip every minute?
21:57 < qman__> no
21:58 < qman__> as I said, if you need dynamic DNS, use afraid.org
21:58 < xamithan> hosting on dynamicdns is just bad all around
21:58 < qman__> they offer free service, no ads, and fast updates
21:58 < JyZyXEL> does dnsmasq already have support for the 1.1.1.1 DNS Over HTTPS thingy?
21:59 < Sircle> I have to install a client on the machine where the files sit
22:06 < krzee> i second gman's suggestion to use afraid.org
22:07 < krzee> they're good!
22:09 < S_SubZero> better than your nick reading skill I hope!!
22:14 < scivola> Is anyone seeing any fallout from the rogue AS hijackings today?
22:14 < scivola> I don't see anything on twitter about it, so I assume not, but wanted to check anyways
22:14 < scivola> ref: https://bgp.he.net/report/peers#_prefixhistory
22:37 < tds> scivola: I suspect it's just someone messing with AS paths and sending that data to route collectors, rather than actual hijacking
22:47 < scivola> tds: sounds about right
22:48 < tds> either way, it's a bit annoying that suddenly bgp.he.net claims that my isp is MIT ;)
22:49 < scivola> lol
23:04 < DF3D2> if i have a /24 block of public ips and I run internet facing services off of them, only opening the ports necessary --- that isn't any less secure than having one public ip and using NAT and doing the same thing, is it?
23:04 < DF3D2> this is all on pfsense so everything not opened is DENY anyway
23:06 < Apachez> DF3D2: open port is open
23:06 < Apachez> the drawback of having everything on one ip is when you need redundancy
23:06 < ||cw> DF3D2: if the hosts are multihomed on the lan anyway, no.
23:06 < Apachez> or if you want to do anycasting and stuff like that
23:07 < ||cw> you can do multiple IPs on one firewall if you want
23:07 < DF3D2> we are doing multiple ips on one f/w
23:07 < DF3D2> an entire /24 block in fact
23:07 < ||cw> but yeah, redundancy is an issue, but that can be solved
23:08 < DF3D2> a software vendor claimed I was "wrong" for not using one public ip and nat
23:08 < DF3D2> and I disagree, but i'm not a networking guru
23:08 < ||cw> if all your things are listening on different ports, you don't need more than 1 ip
23:08 < DF3D2> they aren't, many are listening on the same ports
23:09 < ||cw> I'm not sure there's necessarily a "wrong" either way
23:09 < DF3D2> but even that COULD be solved with nat anyway
23:09 < ||cw> not really. http you could reverse proxy, but pretty much everything else needs a 1:1 on the ports
23:10 < ||cw> though if you can change the ports... but that's less typical
23:10 < DF3D2> yeah I think the /24 block with transparent firewall is better anyway
23:10 < DF3D2> seems to be easier to deal with
23:11 < ||cw> it is certainly a matter of managing it. personally, I'd rather nat. makes swapping out a server on the same public IP stupid simple
23:14 < guest09328> Let's say i have a TRUNK attached to a router interface, and the other interface of the same router should be an IPsec peer. Is it mandatory to make an object-group in the ASA, which will aggregate the VLANs as the other-side LANs, for the purpose of defining the VPN-TRAFFIC (for the extended ACL), or can i go with separate ACEs?
23:15 < Apachez> you mean TAGGED interface?
23:16 < DF3D2> ||cw, that's true, lots of ips to manage then
23:16 < DF3D2> spreadsheet helps
23:16 < DF3D2> heh
23:18 < guest09328> Apachez: Yes
23:24 < ||cw> guest09328: IPsec is a routed tunnel, you need a bridge to be able to pass the L2 vlan frames
23:25 < ||cw> hope you have a fast link though, bridging broadcast domains over a wide area network seems like asking for trouble
23:28 < qman__> it is at scale, but if you just have a few client computers connecting it's not a huge deal
23:28 < qman__> if you're trying to bridge two actual networks, though, you'll probably have some issues
23:28 < Apachez> being able to push vlan tags remotely is often a nice feature
23:28 < qman__> if you do need L2 site to site, you probably want to filter some stuff out with ebtables
23:29 < qman__> or to get a really fat pipe
23:38 < qman__> a client of one of my previous employers needed to send L2 traffic over a 3-site VPN so that they could do paging on their VoIP phones
23:38 < qman__> it wasn't pretty
23:42 < wiresharked> So today I had to fix a VOIP phone in a bus garage that was getting too little voltage. The ethernet is fine; turns out that something in the chain between the device and the switch was there that it didn't like. The specs state that it should be between 48 and 50 volts, it was getting 34
23:42 < sawgood> qman__: you got multicast paging working to remote sites over a VPN?
23:43 < sawgood> very nice .. even SIP IP based paging to remote sites is impressive!
23:43 < wiresharked> But SIP is an old protocol
23:43 < pi-> Suppose I have a crowd of 10,000 people with mobile phones. One of them taps a button and all of them play a sound. How to go about doing something like this? How low can I get the latency?
23:44 < Criggie> wiresharked: damaged cable? and possibly a long run making it more sensitive?
23:45 < ||cw> qman__: I think I'd have set up a multicast repeater instead
23:45 < wiresharked> Criggle: Yeah, because the guy I was working with connected the device directly to the switch, and it's working fine now
23:47 < Criggie> wiresharked: OK good work. Time for either a new run of cable, or a local PSU?
23:48 < Criggie> wiresharked: the linksys/cisco phones are happy with POE and a local PSU at the same time.
23:48 < qman__> yeah, I wasn't the one who set it up, but I know many, many solutions were attempted and that one was arrived at after they all failed
23:48 < Criggie> I like centralised UPS on a POE switch for all phones/cameras/APs
23:49 < Criggie> but it's not always possible.
23:49 < ||cw> couple rpi and some socat magic should do
23:49 < sawgood> Criggie: which UPS do you use? Does it have CAT-5e or just a USB for the PC?
23:50 < ||cw> sawgood: I have a couple USB with rpi and apcupsd and ssmpt, works well enough for basic alerts
23:50 < ||cw> ssmtp^
23:50 < sawgood> yeah me too ... nice to hear!
23:51 < Criggie> sawgood: depends how good the budget was at purchase time :) I have a couple of APCs at home with NICs but they're in need of new batteries. There's another serial APC and in the house I have a USB APC on the firewall/switch.
23:51 < sawgood> I want a UPS with Ethernet, but they are too costly!
23:51 < ||cw> if I had more than a couple I'd probably get the net card
23:51 < wiresharked> Criggie: So is it the case that VOIP devices can act up if they have a non-local PSU hooked in?
23:51 < Criggie> sawgood: yes, yes they are. Batteries are consumables and don't last more than 6/7 years.
23:51 < ||cw> in that case it would be the management software justifying it
23:52 < Criggie> wiresharked: I've never had a problem that has been related to power over POE
23:52 < sawgood> APC UPS with Ethernet and fresh new batteries are always costly
23:52 < qman__> used ones aren't
23:52 < qman__> that's what I run, old APC SmartUPS units with NMCs
23:52 < Criggie> sawgood: yeah I bought a set of new batteries for "cheap" but they weren't up to specs.
23:52 < Criggie> highly disappointed.
23:53 < ||cw> wiresharked: it depends on the phone and what you mean by non-local
23:53 < qman__> the only issue I have with them is that the NMCs are so old that the HTTPS can't be used with modern browsers
23:53 < wiresharked> qman__: Well that's silly
23:54 < qman__> it's annoying but still not a bad choice given the cost
23:54 < wiresharked> Criggie: It could have been a bad or failing power supply unit somewhere
23:54 < qman__> an old APC for $100-150, an NMC for $20, and a set of batteries for $100
23:54 < qman__> rock solid setup, lasts around 3 years before it needs new batteries
23:55 < Criggie> wiresharked: if your POE switch is naffed then you have other problems too. And one UPS/switch is cheaper than a UPS per desk, and less inconvenient than a power supply per phone locally.
23:56 < qman__> I've got probably a dozen of them, and I've yet to have one fail beyond needing new batteries and a couple blown fuses
23:57 < wiresharked> Criggie: And they also said that the district's billing site was down because of an issue with NFS over vmware
23:58 < qman__> if you don't need the NMC you can get a BackUPS Pro for a bit less, otherwise the same guts
23:59 < qman__> serial port only on those, though
23:59 < Criggie> serial port works fine - I prefer them to USB ports.
23:59 < qman__> the trouble is that it's a custom pinout
23:59 < qman__> so you need an APC-specific cable
--- Log closed Fri Apr 13 00:00:07 2018