--- Log opened Fri Apr 13 00:00:07 2018
--- Day changed Fri Apr 13 2018
00:00 < wiresharked> qman__: What is an NMC and APC?
00:01 < Criggie> APC is American Power Conversion, a company that make UPS (Uninterruptible Power Supplies)
00:01 < qman__> APC SmartUPS 1500 - https://www.ebay.com/itm/APC-SUA1500-1500VA-980W-120V-Smart-UPS-Power-Backup-Tower-USB-New-Batteries/272866202663?epid=129656826&hash=item3f8817d427:g:dyUAAOSw1cNaAjPq
00:01 < qman__> APC AP9617 NMC - https://www.ebay.com/itm/APC-Smart-Slot-AP9617-UPS-Power-Backup-Battery-Remote-Network-Management-Card/312088311329?epid=129715308&hash=item48a9e9b621:g:Zs4AAOSwCBFaxO1~
00:01 < Criggie> a NMC is a Network Management connector/console/controller
00:02 < Criggie> A NMC is a feature of the higher-end UPSs so you can manage them over the network
00:02 < Criggie> a cheaper UPS would have a serial or a USB port intended to be managed by one computer/server
00:03 < Criggie> the bigger UPSs will run several computers/servers so network is a better way to tell them all if the mains goes out, or if battery is running low
00:03 < Criggie> wiresharked: How's that?
00:03 < qman__> yeah, one of those towers will run 4 PCs easy
00:04 < qman__> excluding stuff like altcoin mining and such
00:04 < wiresharked> Criggie: I'm not sure. I'll have to ask adam. And sorry if I'm invading his privacy by showing his name here
00:05 < Apachez> depends on how much power you need under how long time
00:05 < qman__> I live in an area with a pretty unreliable grid, enough so that we have generators with automatic transfer switches, so I've been in the UPS game for a while
00:06 < Apachez> a 1600VA UPS will be able to push roughly 100W for 1 hour or so
00:06 < Apachez> also type of UPS will affect the outcome
00:06 < Apachez> you normally want lineinteractive or online ups
00:06 < Apachez> the latter is the better but also more expensive
00:06 < Apachez> aka doubleconversion
00:07 < qman__> yeah
00:07 < qman__> I find that bang for buck, those old APC units can't be beat
00:07 <@pppingme> Apachez whats your math on that? I get about 1/4 of an hour
00:07 < qman__> there's better stuff out there but you'll be hard pressed to power more gear cheaper
00:07 < Apachez> which gives how many milliseconds there is between the external power goes poff until the batteries have fully replaced the sinewave
00:07 < Apachez> some cheap ups only output squarewaves and not all equipment like this
00:07 <@pppingme> of course I'm assuming battery size
00:07 < Apachez> pppingme: real life measurements :)
00:08 < qman__> I've run 3 PCs and two LCD monitors off one for about 70 minutes
00:08 < qman__> with fresh batteries
00:08 < Apachez> so using a tesla powerwall or whatever they are called is probably fine as a ups replacement
00:08 < Apachez> other than that eaton pro series are good quality/price range
00:09 < Apachez> yeah the batteries decrease quickly over time
00:09 < Apachez> dunno how many power cycles modern lead bats are specced for
00:09 < qman__> I'm less concerned about runtime now that we have the generators
00:09 < qman__> only really need 5 minutes
00:09 < Apachez> but li-ion (like the one in your smartphone) is often specced for 1000 loadcycles
00:09 < qman__> heat is a big factor in battery life
00:10 < Apachez> doing ups can quickly be expensive :)
00:10 < qman__> if you keep them cool enough, you can get around 3 years out of them
00:10 < Apachez> for more highend installations you normally want a A/B auto power selector
00:10 < Apachez> so you can perform maintenance on your ups setup without losing power while doing so
00:10 < qman__> yeah
00:11 < qman__> I actually have three units in my server rack, and everything in there has at least 2 power supplies, so I can service them whenever
00:11 < Apachez> and for larger installations you normally end up with dedicated UPS rooms where the batteries are placed "baremetal"
00:11 < qman__> I have two bigger ones that I'm going to replace that setup with, but I need some 30 amp plugs to hook them up
00:11 < obcecado> in the end its a microcomputer managing battery banks
00:11 < Apachez> automatic transfer switch is the buzzword for those auto A/B selectors
00:12 < obcecado> at least in my $dayjob
00:12 < Apachez> at night you become the batman of ups? :P
00:12 < obcecado> heh
00:14 < qman__> the raspberry pi connected to a serial port UPS isn't a bad idea though, the BackUPS Pros are a bit cheaper for obvious reasons and you'd get around the HTTPS problem
00:14 < Apachez> and its low on powerconsumption too
00:14 < Apachez> <5W
00:21 < jamesc> when one talks about a devices "internal router"
00:21 < jamesc> is that referring to dhcp
00:21 <@pppingme> no, dhcp != router
00:21 < jamesc> not a physical router though
00:22 < jamesc> like i am looking at this application, and it talks about "using your device's internal router"
00:22 < jamesc> hmm maybe i'm misreading it
00:22 < jamesc> sorry
00:23 <@pppingme> I'd need way more context, but its probably someone just throwing terms around that is clueless about the actual subject
00:26 < xamithan> internal router... the NIC card ?
00:29 < TechSmurf> Anyone with opinions on HP 10GbE (5900AF) switches?
00:36 < Criggie> TechSmurf: Send me a redundant pair..... oh hey its you again
00:37 < Criggie> :-P
00:37 < TechSmurf> lulz
00:37 < TechSmurf> Any other FCoE-capable 10Gbase-T would be fine too
00:37 < Criggie> I'm hanging out for a pair of juniper ex4300 when we shut down the physical DC at work.
00:38 < Criggie> currently using a 2960 and a procurve thing.
00:38 < TechSmurf> damn fcoe/dcb switches are esspensive
00:38 < Criggie> Never used them personally sorry.... always had iscsi instead
00:38 < TechSmurf> iscsi just isn't performing at a level I can tolerate
00:40 < Criggie> OK fair enough.
00:41 < TechSmurf> and converged fcoe seems to be the most sensible solution
00:42 < qman__> I'm using infiniband
00:49 < TechSmurf> I've already got 10GbaseT adapters
00:50 < qman__> the reason I'm using infiniband is because it's cheap used
00:50 < qman__> adapters are around $25, so are cables, and switches are around $200
00:50 < qman__> and that's 20G
00:51 < qman__> I have a half dozen servers hooked up for less than the cost of one 10GbE switch
00:51 < qman__> and it's faster
00:51 < Criggie> that's why I use iscsi - its fast enough for my porpises though not for yours, by the sounds of it.
00:51 < Criggie> purposes
00:52 < qman__> 40G isn't all that much more used either
00:54 < qman__> so yeah, ethernet is nice because it's familiar, but it's not worth the price premium to me
00:54 < qman__> IPoIB isn't that hard, and IB also does native storage
00:55 < xamithan> How much cheaper you talking
00:56 < qman__> https://www.ebay.com/itm/SUN-X2821A-36-PORT-INFINIBAND-SWITCH/152877945966?epid=16009720241&hash=item23983c546e:g:ui0AAOSwyytatJDz
00:56 < qman__> that much cheaper
00:57 < qman__> https://www.ebay.com/itm/Sun-X4237A-375-3606-Dual-Port-40Gb-sec-4x-QDR-Infiniband-Host-Channel-Adapter/172569650408?hash=item282df3e4e8:g:u5sAAOSwueNamXsD:sc:USPSPriority!48446!US!-1
00:57 < qman__> https://www.ebay.com/itm/IBM-40GB-S-MELLANOX-INFINIBAND-EXTERNAL-QSFP-PASSIVE-COPPER-QDR-3M-CABLE-59Y1901/141651524229?epid=1023838323&hash=item20fb16ba85:g:HQkAAOSwwq1ay~K4
00:58 < qman__> you can get 40G for less than I paid for my 20G stuff a few years ago
01:13 < raynold> ahh it's a wonderful day
01:14 < TechSmurf> qman__: You make a compelling argument
01:16 < quazimodo> so i installed bind9 on my local machine, got it working with google's dns and then added some of my own rules
01:16 < quazimodo> it works
01:16 < quazimodo> but, it takes between 10-30 seconds to begin pinging a host
01:16 < TechSmurf> qman__: At those prices I could outfit my whole rack for the cost of one new intel CNA
01:16 < quazimodo> web pages through chrome load after 5-15 seconds (or that's what it feels like)
01:17 < quazimodo> thing is, I didn't really do much configuration at all on bind9's defaults other than to add 8.8.8.8 and 8.8.4.4 forwarders
01:17 < petemc> rndc querylog
01:17 < petemc> that turns on verbose logging, look at the logs to see if you can see delay
01:17 < quazimodo> is this expected, based on crappy default config? (ubuntu 16.04)
01:18 < petemc> bind9 should work out of the box as a caching name server. you shouldnt have to get it working with googles dns
01:18 < myth0d> anyone know if FTLX1471D3BCV-I3 sfp module works with x520 card?
01:19 < TechSmurf> speaking of intel CNAs...
01:21 < quazimodo> petemc: so you think by adding the 8.8.8.8 and 8.8.4.4 forwarders i've hamstrung it somehow (btw how does bind9 know what DNS to forward to if it's not specified?)
01:23 < petemc> bind is a dns server..
01:24 < myth0d> TechSmurf: any ideas?
01:25 < TechSmurf> myth0d: I have zero experience with SFP
01:25 < myth0d> :(
01:26 < TechSmurf> I mean, it looks like it's right... but... ... ... I can't be certain :P
01:26 < myth0d> just looking about my office for transceivers, and the i3 has me thrown off
01:27 < TechSmurf> ooh
01:27 < TechSmurf> ooooh
01:27 < TechSmurf> https://qdms.intel.com/dm/i.aspx/E23EA4D2-98DC-43B0-9447-9E0E6F04CB20/PCN114167-01.pdf
01:28 < quazimodo> petemc: ok so petemc's got me confused. I thought we can use bind9 on the local intranet to host zones within the current intranet, but that in order to be able to resolve any other site in the world that bind9 dns needs to forward to another dns, such as the one provided by the internet provider or something like google's DNS
01:28 < TechSmurf> myth0d: that pdf should answer your question
01:29 < quazimodo> or did I miss the point, and bind9 knows how to send us along the right way without needing to forward to anyone (and in that case why do we have a placeholder forwarders section in the default config)
01:32 < petemc> quazimodo: bind can talk to the necessary server to get a response to a query without being told who to ask. it is probable that the other server it speaks to is also running bind. some people like to tell bind which servers to ask, hence forwarders
01:32 < myth0d> TechSmurf: i read that earlier. it doesn't specifically say they're compatible
01:33 < TechSmurf> An intel document outlining changes to the SFP modules for the x520 range isn't enough for you to believe it's compatible?! :P
01:41 < TechSmurf> myth0d: the -IT is 10base-LR, the -I3 is 10base-LX...
01:41 < TechSmurf> err
01:42 < myth0d> hmmm, you sure TechSmurf
01:42 < myth0d> ?
01:44 < myth0d> honestly i dont know the difference between the two of them. a while since i did networking theory
01:44 < quazimodo> petemc: ok
01:44 < quazimodo> i'll try
01:44 < TechSmurf> hrm
01:45 < TechSmurf> myth0d: man, I'm staring at any info I can find and I can't figure out the difference either
01:46 < quazimodo> so i guess i need to figure out why bind is taking so long to resolve
01:46 < quazimodo> i just switched to it and it was literally 15 seconds before it pinged google, switch back to ISP bind and boom, instant
01:47 < TechSmurf> myth0d: scratch my earlier statement... they're both 1000base-lx/10gbase-lr...
01:48 < petemc> quazimodo: rndc querylog , tail -f /var/log/daemon.log
02:22 < quazimodo> thank you petemc
02:22 < nojeffrey> Spanning tree: lets say I have 3 switches connected like a triangle, all trunk ports, one should get disabled as "Status:err-disabled Reason:bpduguard", I'm trying to build a redundant loop between buildings so one should be shut down from the beginning, but if another port in the future dies, I want STP to enable this original err-disabled link, is it safe to enable bpduguard recovery timer to say 30
02:23 < nojeffrey> seconds?
02:39 < nojeffrey> Also if I run: "spanning-tree mode ?" I have 3 options, mst, pvst and rapid-pvst, the pvst ones are Cisco proprietary, how can I run just standard RSTP as I want to mix in Ubiquiti switches
02:40 < luxio> what books/resources should i look at to learn about networking
02:43 < nojeffrey> luxio This guy did a kickstarter for CCNA training, very good: https://www.youtube.com/channel/UCQZc6wrc__wo9oYOqvi9N_Q
02:46 < c|oneman> cool
02:47 < c|oneman> I think the biggest thing keeping me from CCNA (besides the annoying subnetting chapters) is purchasing boat anchor lab equipment
02:54 < Kingrat> use packet tracer or gns3
02:54 < Kingrat> you dont really need to mess around with physical hardware for ccna, unless you really want to
02:56 < c|oneman> I guess.
03:26 < infinisil> Hey there, I have a super weird problem with ncat
03:27 < infinisil> On host A: `ncat -l 1500 -c 'cat img.jpg'` and on B: `ncat A 1500 | feh -` leads to a corrupted image about every second time
03:28 < infinisil> Not reproducible on the same host
03:29 < infinisil> And when I do this on A instead: `cat img.jpg | ncat -l 1500` it works too!
03:29 < xz> is it image of cat by any chance?
03:35 < infinisil> Kinda :)
03:38 < infinisil> The corruption is always very similar for the same image but different runs
03:38 < infinisil> It makes no sense :(
03:39 < Criggie> infinisil: is it running on the same host or over a network link ?
03:39 < infinisil> Over the network
03:43 < Criggie> infinisil: okay - do you have any error counters incrementing in ifconfig ?
03:44 * infinisil takes a look
03:47 < infinisil> Criggie: Yeah.. The dropped packet count goes up constantly
03:52 < Criggie> infinisil: okay you have network problems. Change patch leads first cos its easy. Then change all the cable, then change out the NIC
03:53 < infinisil> But shouldn't tcp prevent this?
03:53 < Criggie> Oh step 2, try a different switch port.
03:54 < Criggie> in theory, yes. But obviously something's coming in wrong rather than just delayed by retransmissions.
03:55 < infinisil> Huh
03:55 < infinisil> But I mean the entire point of tcp is that this doesn't happen
03:56 < infinisil> So you think my router doesn't conform to tcp?
03:56 < infinisil> or something along the line at least
04:03 < infinisil> Eh I'm still not sure, I can't see a clear correlation of ifconfig errors and the corruption happening
04:03 < infinisil> I'll try in a different network tomorrow
04:24 < tacobellman> hello
04:24 < tacobellman> anyone here?
04:31 < jrc> ya
05:03 < comet23> what's the most difficult concept to understand about computer networking?
05:14 < b18c5> everything to me lol
05:17 < b18c5> what is ACK ?
05:19 < bubbalum_> response to SYN in IP.
05:19 < bubbalum_> I should say TCP (correct myself...)
05:27 < b18c5> i am not sure .. i am playing around with tcpdump
05:50 < ericlee> Hi, anyone ever read "Urgent Mechanism" in the boo tcp illustrated vol1?
05:50 < ericlee> s/boo/book/
06:32 < skyroveRR> ericlee: not quite, what are your thoughts on it? :)
06:33 < xamithan> This is probably a stupid question but is tab completion available on most router|switches ?
06:34 < ericlee> skyroveRR, just read the chapter and it makes me confused: "When sender's TCP receives such a write request..."
06:34 < ericlee> how does a sender's TCP receive a write request?
06:34 < skyroveRR> xamithan: most new ones, pre-2010 era, yes.
06:36 < ericlee> that confused me.
06:40 < Criggie> infinisil: I have no idea - but something is happening, and its bad. The error counters should be 0 in a good network.
06:41 < Criggie> infinisil: you might want to check the error counters on all your switch ports too, if possible.
06:41 < Criggie> But start with the fixes I suggested. Swap out patch cables, change switch port, then try a completely different run of cable, then swap the NIC
06:42 < Criggie> Use halving to isolate the cause of the problem, and replace that bit.
06:42 < skyroveRR> xamithan: sorry, post-2010 era ;)
06:43 < xamithan> I understood the meaning =o
06:43 < xamithan> Most of the gear I touch is from around 2004-2008
06:44 < Criggie> -grin- new is not necessarily better, though it is generally faster and mostly lower power.
06:53 < ericlee> can http keepalive support different HTTP methods on one stream?
06:54 < ericlee> i am asking because I didn't see any doc that says it's a NO.
07:48 < whatsupdoc> Hi, can someone explain why traceroute google.com does not work?
07:49 < whatsupdoc> https://i.imgur.com/BRpkwxs.png
07:51 < whatsupdoc> omg it worked!!
07:56 < d3r3k> how expensive is 10GbE hardware compared to fiber?
07:56 < d3r3k> the office already ran copper cables :(
07:59 < Mead> The fiber cable isn't that much more expensive, terminating it is the major expense
08:01 < d3r3k> Mead: office remodel is done, it's too late.
08:16 < linux_probe> lawl
08:48 < dionysus69> I have double port forwarding with one ssh
08:56 < dionysus69> how can I check if both are operational?
09:01 < arahael> dionysus69: What ports are they? You could try connecting to them?
09:03 < vasa> Hi , how to find sudden drop of network in Linux
09:04 < vasa> Like TCP ACK not complete
09:29 < dionysus69> arahael: ok they work :) I had a different problem :)
09:44 < cgm9> hi all ; for a opengear console server.. what is the easiest way to disconnect a session that is using some particular serial port ?
09:44 < cgm9> (assuming it is set with "singleconn=on")
10:07 < ypo> Hello! if one router goes down (e.g. power loss) will traceroute reach to there and time out, or will it fail completely ?
10:07 <@pppingme> it will start timing out at the step it can't complete
10:12 < ypo> pppingme: thank you !
10:27 < ice9> in order to communicate over SIP, both accounts must be on the same SIP server or can be different?
10:29 <@pppingme> ice9 sip servers can talk to each other or route calls over the pstn as well
10:30 < ice9> pppingme, so i can just add the other buddy sip account @ his server?
10:30 <@pppingme> depends on how the server is setup
10:30 <@pppingme> are these two home servers or what?
10:31 < ice9> pppingme, for example if i have jitsi account and the other contact ekiga account
10:31 <@pppingme> but what/where are the servers?
10:31 < ice9> pppingme, remote servers provided by both apps
10:32 <@pppingme> so you each have a server?
10:32 <@pppingme> not sure what you mean by "remote servers provided by both apps"
10:37 < ice9> pppingme, they are public sip servers!
10:42 < gryffus> Hello, i would like to test WAN speeds on my local LAN. I would like to use tc for limiting 5Mbit, 10Mbit and 15Mbit. How should i use tc to best simulate real-world 5Mbit connection?
10:43 < gryffus> (all is on Linux)
10:45 < gryffus> Solved: https://github.com/magnific0/wondershaper
11:04 < MikeSeth> it's friday the 13th
11:04 < MikeSeth> i bet yall rolling out production upgrades
11:05 < detha> not yet, got to wait for 16:00 local time with that
11:05 <+sep> https://isitreadonlyfriday.com/
11:09 < inc0gn1t0> So i wanted to remote connect to a device, but also wanted to have voice control over that device (like tts commands), what would I use for my remote tunnel? Ssh can't relay sound to and fro can it? What about vnc? Or is there something specifically for this?
11:15 < MikeSeth> inc0gn1t0: SSH has channel multiplexing and can relay arbitrary TCP connections, on top of which you can pipe
11:17 < inc0gn1t0> Still learning a little. Could you explain slightly more lame?
11:17 < inc0gn1t0> *layman
11:18 < MikeSeth> inc0gn1t0: SSH can provide [multiple] tunnels to a host which act as bidirectional pipes
11:18 < MikeSeth> what you write to the tunnel on one end can be caught on the other end
11:18 < MikeSeth> and vice versa
11:19 < MikeSeth> emestee@bg-ops:~$ echo er mah gerd | ssh devbox wc -w
11:19 < MikeSeth> 3
11:19 < MikeSeth> see what's happening here?
11:20 < inc0gn1t0> Ermahgod is piped to ssh and written as a file? I think
11:21 < MikeSeth> inc0gn1t0: no, it is piped via ssh to the other end of the tunnel; the standard output of the other end of the pipe is attached to the standard input of wc -w
11:22 < inc0gn1t0> I get it. Srry. And what does the command wc -w option do?
11:23 < MikeSeth> inc0gn1t0: you can just as well pipe a sound file or an output from a device
11:24 < MikeSeth> wc -w reads the standard input and counts words in it
11:24 < MikeSeth> emestee@bg-ops:~$ echo lol dongs | ssh devbox wc -w
11:24 < MikeSeth> 2
11:25 < inc0gn1t0> So then would I need a local vocal library? Or could I use say, amazon echo cloud vocal library and do the same if they both were connected to the speech server
11:26 < inc0gn1t0> (That sounded confusing..lol)
11:27 < MikeSeth> inc0gn1t0: where do you want to do the parsing
11:27 < MikeSeth> (tts is text TO speech, I assume you want it the other way around)
11:28 < inc0gn1t0> Well, a digital assistant program (like echo) needs both right. Stt to send, then it is processed, and tts allows me to hear the response to what I asked
11:29 < MikeSeth> the response would be from the device correct?
11:30 < MikeSeth> what would make most sense to me is to send and receive text to the device, and convert voice to and from text locally, respectively
11:30 < inc0gn1t0> Device A will have the mic and speaker. Device B will have the AI. I want to communicate with B, through A
11:30 < MikeSeth> "the device" here is B and "locally" is A
11:30 < MikeSeth> yes, ssh would work neatly
11:31 < inc0gn1t0> Tyvm MikeSeth
11:56 < nHeck> Now I can do with SQL but not mysql ...
11:57 < nHeck> can someone give me 3 minutes to mount the dumps? I'll do the queries alone
12:32 < hey2> lol…
12:32 < hey2> had a coworker set the MAC address of an interface to "0xFFFFFFFFFFFF" as a way of "unassigning" its hardcoded one to check something
12:32 < hey2> not sure what to think
12:34 < Irritiable|LT> hey2: "That's a big number?"
12:35 < djph> "dumbass"
12:35 < Irritiable|LT> "F?"
12:35 < hey2> what?
12:35 < hey2> 255? lol
12:37 < linux_probe> F-F-F-F-Fail
12:37 < hey2> :-|
12:38 < djph> hmm?
12:38 < nHeck> I created a db, used it, it was empty, then i ran source : error 2
12:38 < nHeck> ???
12:38 < djph> guess you'd better read the manpage to see what 'error 2' is
12:39 < hey2> man man
12:40 < MrLawrence> Hello, I am looking to reference the IEEE Ethernet (802.3u in particular) standards in my work, however I've encountered a "paywall" on their site to access the document. Any other literature which is publicly available which describes the details of these standards?
12:41 < nHeck> perfect ty, did take relative paths
12:42 < nHeck> its pulling data in <3 thanks a lot
12:42 <+catphish> MrLawrence: google will likely have an illegal copy of that standard somewhere
12:42 < grawity> MrLawrence: the majority of 802.3 specs is still freely available, even though nowadays you have to register for an account
12:42 < nHeck> now 25 more gigabytes
12:42 < nHeck> and ill expose that girl ;D
12:43 < nHeck> I have a clue for you all guys: when someone refuses to get a hand on your phone for a few weeks: they're scared of you listening to them?
12:44 < nHeck> am i wrong?
12:44 < nHeck> she asked if it'll be off, i told her you could turn it off
12:44 < nHeck> she said "i dont want to be bothered with calls"
12:44 < nHeck> what calls if its off?
12:44 < nHeck> How pathetic liars are those?
12:44 < grawity> wat
12:46 < MrLawrence> grawity, you are correct actually, it's freely available on their site (I also did not have to register)
12:46 < nHeck> (in her head i study IT so she thinks i'd hack her... that b**)
12:46 < hey2> what
12:47 < grawity> funnily, I can't actually find where 802.3u is available
12:47 < grawity> meh, I wish I had downloaded *all* of that stuff before they started watermarking it
12:47 < grawity> now I've just got bits and pieces
12:53 < tiny> Hi. I have dual homed boxes on linux. This means two NICs/networks. Is there a simple rule (ip route/rule...) that sends traffic to the interface that it came from? Otherwise I need to manage multiple complicated routing rules.
12:54 < MrLawrence> grawity, https://ieeexplore.ieee.org/Xplore/guesthome.jsp search for the standard there, should be able to access it
13:16 < lithiumpt> tiny: http://lartc.org/howto/lartc.rpdb.multiple-links.html , this?
13:17 < tiny> I would like to omit all the network naming (that is 10.x.x.x, ...) if possible
13:17 < tiny> just based on devices
13:18 < tiny> A packet might have same source address but different destination (one or the other IP on the NICs I have in the boxes)
13:19 < tiny> And it might come from many different source IPs. This means tedious task of keeping routing tables on many hosts up to date.
13:19 < tiny> pita
13:22 <@pppingme> you don't update routing on all your hosts, you do it on your routers, and let the routers trade routing information
13:25 < tiny> pppingme: yeah in a normal environment, however I didn't ask that.
13:26 < lithiumpt> maybe a little more info on the purpose of the multi wan/lan
13:26 < lithiumpt> this may be an xy problem
13:30 < tiny> lithiumpt: guarding internal sensitive fast ethernet network on one NIC, other NIC is gigabit and placed to serve client connections. Resources (I'd need separate virtual servers)
13:30 < tiny> those are just two
13:39 < lithiumpt> ok, just like a normal service+management network setup
13:40 < lithiumpt> different subnets?
13:40 < tiny> yes
13:41 < tiny> I have it working but as said I'm using source and to fields
13:41 < lithiumpt> how are you accessing the host? via dns?
13:41 < lithiumpt> you may need two separate dns names
13:42 < tiny> no, directly via IP
13:42 < lithiumpt> host.service.local and host.management.local, each resolving for the different host interfaces' IP addresses
13:42 < lithiumpt> humm
13:44 < lithiumpt> yeah i see your problem
13:44 < tiny> so, considering i have two GWs, can routing be done just based on the information on which NIC the packet came through?
13:56 < lithiumpt> you may want to look into iptables marking
13:57 < lithiumpt> you could MARK packets and then route them according to that
13:57 < lithiumpt> but you will also need to build the routing tables
13:57 < lithiumpt> which need IPs for ethernet devices
13:57 < lithiumpt> ppp devices do not
14:15 < nazarewk> what is the most straightforward way to alias port 1443 to port 443?
14:15 < nazarewk> (i need to run gitlab on multiple ports)
14:15 < nazarewk> and it supports just one by default
14:20 < detha> nazarewk: DNAT
14:26 < nazarewk> could you come up with an example of forwarding port 1443 to 443?
14:28 < infinisil> Is there any reason other than convention that home routers always use 192.168.X.0/255 instead of the 10.X.Y.0/255 range for its subnet?
14:29 < djph> because users are dumbs.
14:30 < djph> case in point - your netmasks.
14:30 < rr> for plug and play /24 will do just noice
14:31 < TJ-> infinisil: generally because 254 IP addresses will be enough and the smallest private range is 192.168.0.0/16 whereas 10.0.0.0/8 is larger, and is sometimes used by ISPs (cellular for example)
14:33 < TJ-> before CIDR it was down to picking a Class C range, which is 192.168.X whereas 10. is a single class A
14:33 < infinisil> Hmm alright
14:33 < infinisil> Thanks
14:33 < bezaban> they don't always do either :)
14:33 < bezaban> but a lot more often than not
14:36 < detha> nazarewk: google says http://proghowto.com/iptables-redirect-port-80-to-port-8080 , replace 80 and 8080 with 1443 and 443
14:39 < zenix_2k2> one question, this statement in python = accepting the client's connection: "sock, address, port = socket.accept()" but the "port" is the client's port or the client-gateway's port ???
14:40 < zenix_2k2> sock, (address, port) = socket.accept() i mean, sorry
14:41 < djph> I imagine it's the port the program is listening on
14:42 < zenix_2k2> but clients don't really listen, that is what servers do
14:42 < detha> logic says the port the connection came in from, the program knows what port it has bound to (hopefully)
14:42 < zenix_2k2> listen for connections i mean and if that was what you meant
14:42 < djph> indeed. but ACCEPTING the client's connection is something that servers do.
14:43 < zenix_2k2> Oh, but it can't be the port it is listening on... cause i have already bound my socket to a specific port already
14:44 < zenix_2k2> like one of my scripts i used port 8080 to bind but when the "port" var = something like 14024, i am not sure but it is not 8080
14:44 < zenix_2k2> and i do believe that the port which i bound to... is the listening port
14:45 < zenix_2k2> or it is not ?
14:45 < detha> correct
14:45 < detha> 14024 is the port the client connected from
14:45 < zenix_2k2> "connected from" ?
14:46 < zenix_2k2> usually i can't imagine how it is connected from, i can only imagine "connected to"
14:46 < detha> a connection is 5 things: protocol, source address, source port, destination address, destination port.
14:47 < detha> in your case, 8080 is the destination port, 14024 is the source port
14:47 < zenix_2k2> HHHHmmmm... so it is my client's port
14:47 < zenix_2k2> but let's imagine that we are not in the same LAN, so will it be my client's port or my "client-gateway's port"
14:48 < zenix_2k2> or the router i guess... not sure which term is correct
14:48 < djph> connected from should not change
14:48 < djph> source IP will get mangled by NAT, but the source port should not.
14:48 < djph> ... well, assuming there's NAT in the mix anyway.
14:48 < detha> It is the port the connection comes from. If there is PNAT involved, it would be the outgoing port of the PNAT device
14:49 < zenix_2k2> did you mean "NAT" or you actually meant "PNAT" ?
14:50 < detha> I specifically meant PNAT
14:50 < detha> With NAT there is no difference as djph said
14:50 < djph> detha: Port ... Network Address Translation?
14:51 < djph> ... I've always seen port translation as 'PAT' though
14:51 < djph> meh, what do i know
14:51 < zenix_2k2> Ok, new terms
14:51 < zenix_2k2> let me do some searching very fast here
14:52 < detha> PNAT or PAT, both are used
14:53 < djph> detha: fair enough. Haven't seen "PNAT" before, so just checking I was on the right page
14:55 < zenix_2k2> yea same here, i only knew about NAT
14:58 < djph> nah, I've seen NAT / PAT before. Just not "PNAT" as one acronym.
14:58 < zenix_2k2> well, one level ahead then
14:58 < RJ45> I'm getting an Average ping of 0.234ms from my main rig to my router, with just a TP-link switch in-between them. I know this is generally a good ping, but is it theoretically possible to improve on this?
14:59 < ItsaLoonie> using a new vpn and went to dns leak test and found that its using a digital ocean server as one of its servers. does that take away much from the privacy/security of the vpn? just not sure what that means for my data.
14:59 < RJ45> I have an Intel Gigabit NIC, and a modern Linksys router with OpenWRT
15:00 < Dalton> lol
15:00 < Dalton> .2ms and you want better?
15:00 < RJ45> Dalton: I just wanna experiment, mostly just in theory
15:00 < djph> RJ45: yes. prove to physics that the speed of light is wrong.
15:00 < Dalton> what are you even testing with?
15:01 < Dalton> out of curiosity
15:01 < RJ45> the ping command in Linux
15:01 < Dalton> maybe your kernel is slow to ping... etc etc
15:01 < RJ45> $ ping 192.168.1.1
15:01 < Dalton> network stack
15:01 < Dalton> what distro?
15:01 < RJ45> Ubuntu Mate 16.04
15:01 < djph> ItsaLoonie: "it depends"
15:02 < Dalton> 64 bytes from 192.168.200.1: icmp_seq=1 ttl=64 time=0.171 ms
15:02 < Dalton> 64 bytes from 192.168.200.1: icmp_seq=2 ttl=64 time=0.138 ms
15:02 < Dalton> 64 bytes from 192.168.200.1: icmp_seq=3 ttl=64 time=0.149 ms
15:02 < Dalton> 64 bytes from 192.168.200.1: icmp_seq=4 ttl=64 time=0.133 ms
15:02 < Dalton> 64 bytes from 192.168.200.1: icmp_seq=5 ttl=64 time=0.134 ms
15:02 < Dalton> bad average
15:02 < RJ45> Dalton: wow, that's like, half of mine
15:02 < RJ45> what's ur set-up?
15:03 < RJ45> 100 packets transmitted, 100 received, 0% packet loss, time 101359ms
15:03 < RJ45> rtt min/avg/max/mdev = 0.142/0.234/0.293/0.026 ms
15:03 <+xand> you poor dear
15:03 < Dalton> i had more but i didn't want to spam (some bot priv noticed me bitching)
15:04 < RJ45> lol, xand ur still on IRC after all these years??
15:04 < Dalton> that is to a Ubiquiti Edgerouter Infinity
15:04 <+xand> 2018-04-13 14:04:42 -NickServ(NickServ@services.)- User reg. : Sep 19 17:42:20 2004 (13y 29w 5d ago)
15:04 < Dalton> and some ubuntu system
15:05 < Dalton> with a random INC
15:05 < Dalton> NIC
15:05 < RJ45> Dalton: damn, ur getting better Wifi pings than my wired pings
15:05 < Dalton> not wifi
15:05 < Dalton> gross
15:05 < djph> he didn't say it was wifi
15:05 < djph> Dalton: 10g from the box?
15:05 < RJ45> oh, I thought Ubiquity only did Wifi stuff
15:06 <+xand> ubiquity might but ubiquiti do switches and routers too :P
15:06 < djph> switches, routers, wifi, PTP microwave, fiber/SFP/DAC, copper cable ...
15:07 < RJ45> any idea of how I could go from 0.23ms to closer to 0.1ms?
15:07 < Dalton> no not 10g
15:07 < Dalton> 1g SFP
15:07 < Dalton> then into a Cisco 2960X switch
15:07 < Aeso> RJ45, you can solve that problem with money, sure
15:07 < djph> RJ45: money
15:08 < Dalton> then to that ghetto c2d box that can outping his fancy system
15:08 < detha> djph: now that you put the list like that, I miss something in their range.
15:08 < RJ45> Aeso: djph: I need 'bout tree fiddy
15:09 < zenix_2k2> anyway what does PNAT stand for ??? i have been searching but no result shown
15:09 < djph> detha: I think it's just patchcables, or they were talking about it to go with the unifi SFPs
15:09 < detha> zenix_2k2: port and network address translation, iirc
15:09 < RJ45> zenix_2k2: it's when ur NAT, has pee on it
15:10 < zenix_2k2> oookkkkkkk
15:10 < lithiumpt> Port NAT
15:10 < lithiumpt> it's just a specific case of DNAT
15:10 < lithiumpt> where the dst port is changed
15:11 < zenix_2k2> now that sounds way more understandable
15:11 < KnightsOfNi> Is anyone familiar with DNS, A records, zones, spf, etc.. ?
15:11 < ||cw> KnightsOfNi: just ask
15:11 < KnightsOfNi> ok
15:12 < KnightsOfNi> Got a server and a domain... I am using my own DNS records ns1.mydomain.com and ns2.mydomain.com
15:12 < KnightsOfNi> I point these to IPs on the webserver
15:12 < KnightsOfNi> but at my registrar it still has settings for a-record
15:13 < KnightsOfNi> should I leave these as default or should they also be pointing to the server IP if you are using your own dns servers? The site loads fine, with the A-record set to the default IP from the registrar
15:13 < KnightsOfNi> I don't understand how this can be working
15:13 < RJ45> is a Killer NIC worth a shit?
15:13 < lithiumpt> I think you are confusing nameservers with dns records
15:13 < ||cw> you need to change the name servers with the registrar. but before you do that, think of redundancy.
15:14 < KnightsOfNi> yes I thought they're the same lithiumpt ?
15:14 < KnightsOfNi> DNS servers
15:14 < ||cw> I have one DNS server i host, and I use HE's service for a secondary.
15:14 < lithiumpt> a domain has to have nameservers, a nameserver does the actual name<->ip translations
15:15 < KnightsOfNi> ok
15:15 < KnightsOfNi> but what about the a-record
15:15 < KnightsOfNi> how is the site loading without that a-record pointing to the server?
15:15 < ||cw> KnightsOfNi: well, it has an a record.
15:15 < ||cw> could be cached as well
15:16 < detha> KnightsOfNi: A-records at your registrar only come into play when you use their DNS service
15:16 < detha> (and as glue for the NS records)
15:16 < KnightsOfNi> @detha: ok, but do I have to set something in my own CPANEL then?
15:16 < ||cw> KnightsOfNi: when you do a whois on your domain, that will tell you what DNS server IPs will be queried for your A records.
15:17 < KnightsOfNi> ||cw ok so it will use the A-record that I specify on my own server?
15:17 < KnightsOfNi> It's so confusing!
15:17 < ||cw> so you then need to set your A records in those DNS servers.
you can use nslookup or dig locally to see what the TTL is, to see when the cached record on your local servers expires 15:18 < lithiumpt> your site is working probably because of caches 15:18 < ||cw> KnightsOfNi: it's just a chain of lookups. like using the index or table of contents in a book 15:18 < lithiumpt> if you defined those two nameservers, and did not configure them 15:18 < lithiumpt> it will not work 15:19 < KnightsOfNi> What do you mean with configure them? Set their IPs? 15:20 < djph> given they're nameservers, I suppose the configuration would've been the zonefiles 15:21 < Apachez> at your registrar you configure which dns servers to use 15:21 < Apachez> these dns servers are called "authoritive" for your domainname (aka zone) 15:21 < Apachez> these dns servers must have this zone configured before things start to work 15:21 < lithiumpt> why are you using custom nameservers when you don't know how to set them up? 15:21 < KnightsOfNi> Apachez: but where? On my server or at the registrar? 15:22 < KnightsOfNi> I'm trying to learn how to set them up 15:22 < Apachez> KnightsOfNi: as lithiumpt just asked, why do you try to use your own dns servers when you have zero knowledge? 15:22 < KnightsOfNi> To learn how it works?? 
15:22 < Apachez> start by using whatever dns feature your registrar provides
15:22 < Apachez> then you can take your time to learn
15:22 < KnightsOfNi> I can't find a good tutorial or course that explains how these all interrelate
15:23 < Apachez> you need 2 or more dns servers that will act as authoritative for your zone
15:23 < lithiumpt> a nameserver is a program
15:23 < lithiumpt> like a web server
15:23 < Apachez> you normally configure one as master and the others as slaves
15:23 < Apachez> that is when you change content of your zone you only do this on the master and then the master will inform the slaves that the zone has been updated and the slaves then fetch a current copy of the zone
15:23 < KnightsOfNi> + I want to use my own so that when someone does a domain lookup, you don't see the info from the host
15:24 < Apachez> huh?
15:24 < KnightsOfNi> From the registrar I mean
15:24 < Apachez> what info is it you want to hide?
15:24 < Apachez> who owns the domain?
15:24 < KnightsOfNi> ns1.godaddy.com
15:24 < KnightsOfNi> Yeah I don't want that
15:24 < Apachez> that has nothing to do with dns
15:24 < KnightsOfNi> ns1.webhost.com
15:24 < Apachez> its what your registrar registers at the tld whois
15:24 < Demos[m]> Whois is separate
15:24 < lithiumpt> DNS is a pretty complex subject.
15:25 < Demos[m]> Also SOA is separate from NS
15:25 < Apachez> some registrars put their own name as owner and tech contact in the whois for the domainname
15:25 < Apachez> so technically they own your domain
15:25 < UncleDrax> true story
15:25 < Apachez> and then proxy any abuse letters etc
15:25 < KnightsOfNi> I don't mind my address as owner info
15:25 < Apachez> some other will put up your name as owner and/or tech contact
15:25 < Demos[m]> It's a key value store. Just like mongodb 😀
15:25 < Apachez> this depends on the registrar
15:26 < ||cw> KnightsOfNi: no one actually cares what your NS hostnames are
15:26 < KnightsOfNi> but I guess I just need to find a good resource to learn this properly
15:26 < Apachez> some registrars do both and charge an extra fee to "hide" the owner
15:26 < Apachez> note however that fedz will still get this info
15:26 < KnightsOfNi> ||cw it looks unprofessional to have ns1.dreamhost.com or something
15:26 < ||cw> no it doesn't
15:26 < Apachez> "looks unprofessional"?
15:26 < KnightsOfNi> all big companies use ns1.companyname.com
15:26 < Demos[m]> Huh?
15:26 < Apachez> how many do you think look at which dns servers your domainname is using?
15:26 < djph> because they have people who know what they're doing
15:27 < UncleDrax> 99% of your users will never see your whois records because they don't care. depends what biz you're in though I suppose
15:27 < Apachez> most companies nowadays use offloading even for dns records
15:27 < Demos[m]> Nobody looks at your NS records unless they are debugging or smth
15:27 < djph> ^
15:27 < ||cw> that's because big companies can afford to have geologically redundant systems under their full control
15:27 < Apachez> so you will see shit like cloudflare and netnod etc show up as authoritative nameservers
15:27 < djph> and even then, it's just "oh, I can go yell at cloudflare again"
15:28 < Apachez> with this said I use my own dns servers
15:28 < Apachez> so its a good lecture
15:28 < Apachez> but in your case you seem to do it for the wrong reason
15:28 < ||cw> KnightsOfNi: having all your name servers point to your web server IP looks unprofessional. it looks like you don't understand DNS or care about redundancy or resiliency
15:28 < Demos[m]> Hey am I coming through on irc?
15:28 < KnightsOfNi> So why do you use your own Apachez
15:28 < Apachez> I did it because I wanted control of the zone data and to learn dns
15:28 < Demos[m]> Matrix may have crapped out for me again
15:28 < Apachez> but this was in mid 90's when I started this
15:29 < lithiumpt> at least fire up some other VPS and run the nameservers there
15:29 < lithiumpt> not on the same machine as the webserver
15:29 < KnightsOfNi> Found this: https://www.lynda.com/Server-tutorials/Managing-DNS-Essential-Training/453346-2.html
15:29 < lithiumpt> but then again, setting up a DNS server is not easy.
15:30 < djph> Demos[m]: nope.
15:30 < ||cw> KnightsOfNi: on mine, if you whois you only see HE's servers, and they are all secondary to my local primary. I do it this way so i can edit records files instead of using the gui because that's what I've been doing since 1997
15:30 < Demos[m]> Huh? It's not that bad
15:30 < KnightsOfNi> ||cw: I don't know what any of that means :)
15:30 < Demos[m]> Key thing is that NS, SOA, and Whois are all separate
15:30 < djph> Demos[m]: well, I was just saying 'no' to your comment about the matrix crapping out
15:30 < Apachez> back then registrars providing authoritative dns wasn't a thing
15:30 < Demos[m]> Oh
15:31 < Apachez> SOA and NS is a record in your zone
15:31 < ||cw> KnightsOfNi: it means while I have my own local DNS server, it's not used directly. I offload the task of redundancy and uptime to HE.net
15:31 < Apachez> same here
15:31 < KnightsOfNi> What's HE?
15:31 < Demos[m]> Registrars still don't tend to provide authoritative dns.
15:31 < Apachez> he.net also have anycasted dns servers etc
15:31 < Apachez> hurricane electric
15:31 < Apachez> an electronic company who went isp and became a good boy :)
15:32 < KnightsOfNi> I'm going to watch that course and then re-read this chat log
15:32 < Apachez> they have free ipv6 tunnels, free authoritative nameservers etc
15:32 < KnightsOfNi> see if it makes more sense then
15:32 < Demos[m]> Oof I gotta set up our v6 tunnels
15:32 < Demos[m]> And try and get that sweet 100gb link
15:32 < ||cw> KnightsOfNi: for learning, setup a couple virtual machines and setup some fake domains to play with DNS locally. don't break your domain
15:33 < KnightsOfNi> ok
15:34 < Demos[m]> Is it possible to ask a dns server if it's doing iterative resolution or if it's forwarding?
15:34 < KnightsOfNi> ||cw: I have a homestead box running
15:34 < Apachez> one thing to watch out when it comes to dns is to not become a public resolver
15:34 < Apachez> because then evil hosts can use your box as a reflector for ddos attacks
15:35 < Apachez> like faking srcip, sending udp 53 dns query to your server who then replies to what it thinks was the sourceip
15:35 < Apachez> the sourceip your open resolver responds to is the actual victim
15:36 < Apachez> so evil user sends like a 100 byte packet to your dns server who then floods victim with a 10kbyte answer or so
16:10 < _BIGSHOT_> for plex what port should i enter in firewall?
16:10 < _BIGSHOT_> i have 32400 for tcp
16:10 < _BIGSHOT_> port range in firewall
16:14 < mAniAk-_1> 32400
16:17 < _BIGSHOT_> i am behind nat
16:17 < _BIGSHOT_> my routers ip and public ip don't match
16:20 < djph> _BIGSHOT_: so you're behind CGNAT then?
16:20 < _BIGSHOT_> could be
16:20 < _BIGSHOT_> i am not sure
16:20 < mAniAk-_1> so what ports are forwarded to your router?
16:20 < _BIGSHOT_> 32400 TCP
16:20 < _BIGSHOT_> i am trying to make plex remotely accessible
16:22 < _BIGSHOT_> djph, you there dawg
16:22 < _BIGSHOT_> what should i do
16:23 < ne2k_> lel
16:23 < mAniAk-_1> _BIGSHOT_: well something needs to be forwarded to your router for it to work
16:24 < _BIGSHOT_> how to do that
16:24 < mAniAk-_1> depends on your isp
16:24 < mAniAk-_1> if its even possible
16:24 < ne2k> forwarded TO your router?
16:24 < ne2k> wut
16:24 < mAniAk-_1> double nat
16:24 < ne2k> CGN?
16:25 < _BIGSHOT_> dunno if it's cgn
16:25 < ne2k> _BIGSHOT_, I missed the start. what are you trying to do?
16:25 < _BIGSHOT_> what to do
16:25 < _BIGSHOT_> i want plex to contact plex server remotely
16:25 < mAniAk-_1> talk to your isp?
16:25 < _BIGSHOT_> plex server running locally
16:25 < djph> _BIGSHOT_: if your router's WAN IP address is 10/8, 100.64/10, 172.16/12, or 192.168/16 ... you're sunk.
16:26 < djph> *you're likely sunk.
16:26 < ne2k> _BIGSHOT_, ok, so add a DNAT rule on your Internet router to forward from its public address to the internal address of your server
16:26 < _BIGSHOT_> djph, it is 100.67.X.X
16:26 <+xand> that's not a proper internet connection then
16:26 < ne2k> _BIGSHOT_, then you don't have a real internet connection and cannot do it
16:26 < mAniAk-_1> _BIGSHOT_: talk to your isp then
16:26 < djph> _BIGSHOT_: CGNAT - you're sunk. Your ISP is NAT'ing on their edge.
16:27 < _BIGSHOT_> djph, no way to overcome this?
16:27 < ne2k> _BIGSHOT_, you could buy a supercheap VPS and run a proxy
16:27 < djph> _BIGSHOT_: switch ISPs, or see if they'll give you a public (probably at a cost, of course).
16:27 < mAniAk-_1> _BIGSHOT_: your isp has to do it, or you buy a server on the internet and use a vpn
16:29 < ne2k> _BIGSHOT_, https://i-83.net/ this is supercheap, a couple of quid a year, and has unmetered net access
16:30 < ne2k> _BIGSHOT_, provided all the applications you use can be persuaded to use arbitrary ports, it might be a good choice
16:30 < ne2k> the really cheap ones are all gone but there are loads of providers around
16:59 < dami0> hi, i've got isc dhcp v4 and an old linux box and i'm trying to turn off DNS updates from DHCP, but server-side only
16:59 < dami0> the server being the server running dhcpd
16:59 < dami0> is there any way to actually do that or will i have to configure the client to not update DNS?
17:04 <@pppingme> dami0 just set the server to pass the dns you want the client to have
17:19 < wr> can a cisco switch accept range of mac addresses on a single port vlan?
17:20 < Phil-Work> wr, you're going to have to expand on that
17:20 < ne2k> wr, wut
17:25 < UncleDrax> range of MACs to do what now again?
17:25 < wr> single vlan
17:25 < UncleDrax> what about it?
17:26 < UncleDrax> you're going to have to rephrase what you are asking, as it's not apparent what you mean
17:26 < ne2k> wr, do you know how a switch works?
17:26 < wr> have one vlan on a switch, and want to restrict by mac
17:26 <+catphish> wr: a range of MACs for what purpose?
17:26 <+catphish> oh, a MAC ACL
17:27 < wr> ne2k, some part yes
17:27 < ne2k> wr, consult the documentation for your product
17:27 < UncleDrax> you want a MAC ACL, or port-security ?
17:27 <+catphish> i'd say it depends on the switch, but some definitely can
17:27 < ne2k> UncleDrax, what exactly is "port security"?
17:27 < wr> UncleDrax, guess both
17:27 <+catphish> port security is a limit on the number of MACs i believe
17:27 <+catphish> rather than a fixed list
17:28 < UncleDrax> ne2k: the port-security featureset that can do things like 'I will only learn N MAC addresses on this port and will only accept traffic from those MACs'
17:28 < UncleDrax> ie: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25ew/configuration/guide/conf/port_sec.html
17:28 <+catphish> what UncleDrax said :)
17:28 < ne2k> UncleDrax, ah, it gives you a convenient way to build an ACL; you say "allow n macs, let them be learnt, and then staticize them"
17:29 < wr> ne2k, "You can use the port security feature to restrict input to an interface by limiting and identifying MAC addresses of the workstations that are allowed to access the port."
17:29 < UncleDrax> that is a thing you can do with it, yes
17:29 < UncleDrax> so it's very similar to a dynamic MAC ACL (but not configured like an ACL)
17:30 < wr> UncleDrax, i think this is it, mac acl is on device and port security on port?
17:31 < wr> a Vlan only goes on one port? or can it have more?
17:32 < UncleDrax> VLAN will go wherever you tell it to, and however you tell it to do so
17:32 < wr> UncleDrax, so to be clear, i can make a vlan and tell it to use ports 4,5,6 on a switch?
17:33 < UncleDrax> as access ports or trunk ports, sure.
17:33 < wr> UncleDrax, same goes for router too? to connect the switch to a router?
17:34 < MikeSeth> wr: think of it as many numbered virtual cables running inside a physical one
17:34 < ne2k> wr, I suggest you go back a bit and work out what a LAN is, what a switch is, and what a 802.1Q tag is
17:34 < UncleDrax> yus
17:34 < MikeSeth> ne2k: your nickname gave me a flashback
17:35 < wr> ne2k, i know what they are
17:35 < ne2k> wr, so then what is a VLAN?
17:35 < wr> virtual lan
17:35 < ne2k> wr, so you don't need to be asking these questions
17:36 < ne2k> MikeSeth, ISA, dip-switches on cards, BNC connectors, having a laugh by disconnecting the network terminator...
17:36 < wr> ne2k, i know my needs better than you
17:36 < MikeSeth> ne2k: IPX.
17:37 < ne2k> MikeSeth, indeed. Novell Netware
17:37 < MikeSeth> BINDERY
17:37 * MikeSeth is now properly outraged
17:37 < ||cw> wr: "same goes for router too?" depends on if the router supports the same vlaning
17:37 < ne2k> wr, I'm trying to be helpful; I'm trying to gauge your level so that I can give you appropriate help
17:38 < ne2k> wr, some things you say make me think you are at a rather lower level of understanding than you seem to think you are
17:38 < ne2k> wr, which is always dangerous
17:44 < UncleDrax> as to if your router can support receiving dot1q tagged packets, that will depend highly on the hardware. if you should even be doing it will depend highly on your network design/need.
17:45 < UncleDrax> (well not the hardware, but the software the router is running)
17:48 < grawity> also hardware for the extra mtu
17:48 < wr> UncleDrax, ACL is on packets or Mac's? or both
17:49 < UncleDrax> well an ACL is applied to a packet. At what level it applies to (MAC, IP, etc..etc..) depends on the capabilities of your device and how you have it configured.
17:50 < wr> ne2k, if you are here to level people i guess you are in the wrong place, i know what i know and ask like everybody else to clear things
17:51 < UncleDrax> wr: the problem is we get all types here.. so trying to assess at what level someone is at is helpful for at what level you describe how to answer their question
17:51 < wr> ne2k, you didn't know port security and a switch has it, and that i know it, so...
17:51 < ne2k> wr, "port security" is a brand name
17:52 < wr> UncleDrax, a question is a question, to reply something if need to level people, you never know exactly what a person knows
17:52 < ne2k> wr, I don't care whether you know lots or know nothing; I just want to understand how much you know so that I can answer your question in a way that you can understand. I took your question and gave you a suggested course of action, to which you said "I know all that"
17:52 < wr> ne2k, a switch is a switch but a cisco switch is a lot of juice
17:53 < ne2k> so..
17:53 < UncleDrax> sure but answers can come in lots of varying levels of detail
17:53 < UncleDrax> 'a lot of juice'?
17:53 < djph> ne2k: I think you should just stop before you bloody this brick wall you're smashing your head into.
17:54 < hendrikz> djph: agreed
17:54 < ne2k> djph, you're probably right
17:55 < ne2k> wr, apologies for any offence
17:55 < djph> happens on occasion
17:55 < wr> ne2k, so if someone asks, what is port security, and you try to know if the person knows what is a switch, it's kinda avoiding question
17:55 < UncleDrax> so to change topic.. anyone have opinions on how to impl CGNAT correctly? correctly here meaning, it works ofc, but is also not a super PITA to end-users?
17:56 < wr> UncleDrax, do you know what is a NAT?
17:56 < UncleDrax> wr: it's a little bug that flies around and bites you.
17:56 < wr> i'm gonan try to level people
17:56 < wr> *gonna
17:56 < ne2k> wr, you are being a pillock
17:57 < wr> ne2k, i need to level you, first, sorry
17:57 < redrabbit> do you guys consider .network (the TLD) good N
17:57 < redrabbit> ?
17:58 < redrabbit> not a big fan of the new TLDs in general but that one seems fine
17:58 < ne2k> wr, do you actually want help with your questions or what
17:58 < UncleDrax> wr - you should stop taking something personally that wasn't intended as such. don't confuse trying to baseline a skillset as an insult.
17:59 < ne2k> redrabbit, imo, they're all hideous. that one seems particularly retarded as there is already .net
17:59 < atsu> UncleDrax, NAT always causes problems. If you can, deploy IPv6 on top of IPv4 NAT
18:00 < atsu> UncleDrax, Also make sure you use the IPv4 subnet designed for CGN. 100.64.0.0/10 IIRC
18:00 < redrabbit> ne2k: i guess you're right
18:00 < UncleDrax> atsu: ya was gonna dual-stack with v6 native. but i'm sure since this will be residential-type end-users someone will be stuck trying to port-forward something-alike on v4
18:00 < ne2k> UncleDrax, to answer your question, the "least hideous" way to do it would appear to me to be some sort of ISP account control page where you can request a real IPv4 address if you need it, for a reasonable charge
18:00 < redrabbit> good call.
18:01 < atsu> UncleDrax, Yeah, it's unavoidable. Especially PS4 users, since PS4 still doesn't fully support IPv6
18:01 < wr> UncleDrax, :P, wasn't taking it personally, but normally reply to question, i don't ask what is a NAT
18:01 < ne2k> UncleDrax, the vast majority of people will never care, and those who do can easily get what they need, and will be happy to pay if it's reasonable
18:01 < atsu> So it still cries when it can't do a IPv4 port
18:02 < UncleDrax> atsu: yeap, and stuff like PS4s will be a concern :/
18:04 < UncleDrax> ne2k: i'm not sure we (as an organization) are able/willing to create a mechanism to rent statics per-user/month
18:05 < UncleDrax> (translation, our billing system is too dumb)
18:05 < UncleDrax> ya.. tbh i'm just trying to keep the calls to the HellDesk down
18:06 < UncleDrax> and I'll be damned if I start handing out public v4 space via 802.11
18:06 < atsu> These are end devices? Or routers?
18:06 < ne2k> if you only have one VLAN on a switch, it's not really virtual, is it
18:06 < ne2k> it's more just a LAN
18:07 < atsu> UncleDrax, Are your clients mostly routers? Or user end devices?
18:08 < ||cw> ne2k: that's a bit philosophic... is the native vlan really a vlan if it's also the only vlan?
18:08 < UncleDrax> atsu: They will be end-devices. We do MDU/Dorm-style Internet if you like.
18:08 < atsu> You could do some UPnP
18:09 < atsu> Then you're keeping the PS4s happy and still using NAT
18:09 < ne2k> ||cw, this is what I'm always going on about. I much prefer to talk about what is actually going on, and not to use ambiguous, often vendor-specific terminology
18:09 < ne2k> CGUPnP
18:09 < atsu> lol
18:10 < UncleDrax> mmmm good point. I usually banhammer UPnP so hard I didn't even think about it as an option.
18:10 < UncleDrax> since on wiredline with public IP it's no-no
18:10 < ne2k> ||cw, that's why I said, "What is a VLAN?" What do you REALLY mean when you use that term?
18:11 < UncleDrax> is UPnP actually a thing at that level?
18:11 < ne2k> UncleDrax, I f***ing hope not
18:11 < UncleDrax> tbh i've never looked at it beyond writing an ACL for it
18:11 < UncleDrax> nah, just trust the end device.. it'll be fine!
18:12 < ne2k> UncleDrax, could you have smartypants customers request a block of static ports?
18:12 < atsu> I'm not aware of any devices that can do large scale UPnP because it's usually oriented towards single network. I know Mikrotik does it and pretty sure Ubiquiti EdgeOS does
18:12 < UncleDrax> this would be on SRX 4100s
18:13 < atsu> I don't think SRX does
18:13 < ne2k> e.g. 43000-43099 will be forwarded to me, and I can do with as I please
18:13 < ne2k> like those cheapo nat vpses
18:13 < atsu> Static ports are hard because of overlap
18:13 < atsu> and plus level of knowledge required from the client
18:13 < UncleDrax> ne2k: ya, but i'm worried about the management of that. doing that for possibly 1000s of end-users..
18:14 < ne2k> UncleDrax, you asked for technical ideas
18:14 < UncleDrax> which.. being students, rotate every few months so you get a fresh set of end-users
18:14 < UncleDrax> this is true
18:14 < UncleDrax> I did forget to play the L8/9/10 constraints on the question :]
18:14 < ne2k> UncleDrax, strike a deal with a VPS provider to offer cheap ones to smartypants customers so they can do as they wish
18:14 < UncleDrax> *place
18:14 < UncleDrax> man I can't type today
18:14 < atsu> Oh god, students? Yeah, you're going to get game console related port forwarding complaints
18:15 < ne2k> in fact, are there paid-for hosted VPN services that give you a dedicated address? you could just point people to one of those
18:16 < atsu> I've done student housing wifi. You will get complaints if you don't have a port forwarding solution for consoles
18:16 < UncleDrax> I'm sure someone does it
18:16 < UncleDrax> atsu: ya, that's what I'm expecting
18:16 < ne2k> "our network doesn't support what you want to do."
18:16 < UncleDrax> we used to do captive portal login and consoles were a huge PITA then
18:16 < ne2k> don't the console or game providers have proxies or meetup servers?
18:17 < UncleDrax> ne2k: depends on the specific game and xbox does it different than x-bone, different than Sony.. blahblah
18:17 < _BIGSHOT_> ne2k, if i use aws will it be ok?
18:18 < atsu> So many games are peer to peer
18:18 < ne2k> _BIGSHOT_, i'm sure you can run a VPN/proxy thing at AWS
18:18 < _BIGSHOT_> ne2k, so i need to install plex on aws server but how to connect it?
18:20 < ||cw> _BIGSHOT_: same way you connect it any other way?
18:20 < UncleDrax> anywho. appreciate the input.. got months to get something impled, but even I hate I have to do it, but there's a crunch on and all.
18:20 < ||cw> I don't even want to think about what plex on an AWS will end up costing
18:20 < Maarten> It's not just games.... students will want you to open up a "port" under the guise of a "game" and then run torrents and such :P My solution would be simple: You want unrestricted internet access? Rent your own room somewhere with its own internet connection. Otherwise, shut up and enjoy your www-only experience ;)
18:20 < _BIGSHOT_> ||cw, i am noob can you tell me in short?
18:20 < _BIGSHOT_> the thing is alexa echo needs access to local server which has plex on it
18:20 < ||cw> _BIGSHOT_: you follow plex's instructions? can you be more specific?
18:21 < _BIGSHOT_> but since my ip is NATted it can't access
18:21 < ||cw> what IP is nat'd
18:24 < ne2k> _BIGSHOT_, no, I was meaning connect your home network over a dial-out VPN to your proxy and then forward from the proxy's static internet address through the VPN to the server in question
18:25 < _BIGSHOT_> ne2k, so VPN connection will be duplex?
18:25 < ne2k> it wouldn't be a very useful VPN if it weren't
18:25 < _BIGSHOT_> ||cw, my router and public ip is different
18:25 < ne2k> ||cw, CGN, basically
18:26 < atsu> Sounds like it
18:26 < _BIGSHOT_> i want to play local server music by giving command to echo dot but my connection is NATed
18:26 < _BIGSHOT_> with plex media server
18:29 < zenix_2k2> guys is there anyhow i can forward connection on port 8080 to port 5000 for an example ??? like i have 2 scripts, one script is listening on port 5000 and another script is trying to connect on port 8080 but i want those 2 to be connected together
18:29 < pekster> CGN and you want to support external connections? You'll either need to use IPv6 for that (if you're behind CGN your ISP _really_ should provide you v6 support and a suitable DHCPv6-PD to use) or you'll need to VPN out to an endpoint that does have a usable public IP
18:29 < pekster> _BIGSHOT_: ^
18:29 < zenix_2k2> on the same machine
18:29 < _BIGSHOT_> pekster, can you suggest me any free of charge or negligible cost solution to this problem?
18:30 < _BIGSHOT_> almost free is also fine
18:30 < pekster> IPv6. Free and now everything has a public IP
18:30 < _BIGSHOT_> just to see how plex works
18:30 < _BIGSHOT_> nah here still IPv4 is playing around
18:30 < pekster> As far as transit works, that's not usually free unless you already own/lease space somewhere, and transit might still factor in
18:30 < _BIGSHOT_> i have unlimited bandwidth connection only it's NATed
18:30 < pekster> How on earth is an ISP doing CGN but not IPv6. Switching ISPs would be ideal, if that's an option. This one sounds borderline clueless
18:31 < Maarten> _BIGSHOT_, move the plex server to where your alexa is. Cost: manual labor and time. :P
18:31 < _BIGSHOT_> Maarten, how to do that?
18:31 < _BIGSHOT_> amazon is free for 1 year
18:31 < Maarten> oh its on AWS....
18:32 < _BIGSHOT_> Maarten, i want free solution
18:32 < Maarten> well, get a better ISP ;)
18:32 < atsu> You can get a IPv6 tunnel from Hurricane Electric for free
18:32 < _BIGSHOT_> this is better ISP compared to already present, one new guy is coming but it will take 6 months
18:32 < atsu> https://tunnelbroker.net
18:33 < ne2k> atsu, that probably won't work if you're on CGN
18:33 < atsu> Crap, you're probably right
18:34 < pekster> This is where the now-shutdown sixxs and their aiccu "nat-traversing" v6 tunnels would have been useful
18:34 < _BIGSHOT_> come on folks use your networking knowledge to overcome my problem... IPv6 is not an option
18:34 < pekster> AFAIK no other tunnel provider has implemented aiccu, so that's a non-starter. Some other places offer different solutions, either VPN or PPTP-based
18:34 < ||cw> zenix_2k2: sure, how is os/router specific. or just change the port, which is usually pretty easy
18:35 < pekster> _BIGSHOT_: Your setup is basically broken; you don't have "Internet" access, you have "access as a client with zero control over your actual public presence", like being given a port on someone else's router. If you want to host externally, lease space on a public PoP and terminate a VPN there
18:35 < pekster> That will probably cost you. That's just how it is when you have a crappy ISP that doesn't sell you proper Internet and you want to accept inbound connections
18:36 < astsu_> Don't blame the ISP too much. IPv4 addresses are expensive
18:36 < astsu_> Although not doing IPv6, you can blame them
18:36 < pekster> Otherwise, set your layout up such that you don't need to accept inbound connections. That wasn't an option given your original request, so "you're out of luck" especially if "free" is a requirement
18:36 < ||cw> _BIGSHOT_: you don't have a networking problem. you have a "following plex's instructions" problem. if your ISP won't let you have forwarded ports, follow their relay instructions
18:36 < ne2k> pekster, I believe these alexa skills require an inbound connection
18:37 < zenix_2k2> ||cw: well i mean in my localhost, not actually my router
18:37 < ||cw> zenix_2k2: then it depends on your host.
18:37 < ||cw> should be fairly easy with linux iptables.
18:37 < ||cw> idk what windows or mac takes
18:37 < zenix_2k2> thank god this program is on linux
18:38 < pekster> ne2k: That seems unlikely unless one is "hosting" services provided _by_ the smart-speaker-thingy. Notwithstanding UPnP, stateful firewalls generally require manual configuration to accept inbound, which is often a non-starter for non-techies to configure
18:38 < zenix_2k2> so which command should i use cause i am not too professional in iptables
18:38 < ||cw> zenix_2k2: then you just want a REDIRECT rule, plenty of examples for that out there
18:38 < pekster> Now accepting _reply_ traffic to something an IoT device _initiated_ is different; that's just a client connecting to the cloud
18:39 < ne2k> pekster, my understanding is that if you want to add a custom skill to alexa, such as to allow alexa to control your plex, you have to let amazon's servers send commands to it on a publicly addressable connection
18:39 < ne2k> I could be wrong
18:40 < ||cw> ne2k: that is true. and plex has instructions for doing it via a relay service that they offer.
18:42 < _BIGSHOT_> ||cw, i enabled "Secure connections - required" but still it's not relaying
18:43 < ||cw> then ask plex what's wrong with their instructions?
18:43 < pekster> ne2k: To the plex, sure. I'd be surprised if they shipped any "IoT client thing" that required a direct inbound connect. OP is (I think) putting plex on AWS, so _that_ needs to accept inbound, but AWS does not do CGN :P
18:44 < pekster> Usually all this IoT crap phones-home to the vendor's C&C server for web-portal based control (spooky for different reasons if you consider how rarely the firmwares are updated, but I digress..)
18:44 < ne2k> pekster, no, I suggested what you suggested (PoP, VPN, forward from that), and I think he mistook that for advice to put Plex on a hosted server
18:44 < ||cw> _BIGSHOT_: I have a hard time believing that your ISP fully NATs you and doesn't allow any port forwarding at all
18:44 < _BIGSHOT_> yes
18:45 < astsu_> They probably sell static IPs
18:45 < ||cw> I do know there are some that give your router a private address, but there's a 1:1 DNAT to that with a public IP typically
18:46 < zenix_2k2> ||cw: i found this command --> iptables -t nat -A OUTPUT -p tcp --dport X -j REDIRECT --to-ports Y, and it worked fine but i want that every time a connection has been redirected to the port, i NEED to run that command again in order for the second connection to be forwarded
18:46 < _BIGSHOT_> ||cw, so relaying won't work here either?
18:46 < zenix_2k2> just like there will be multiple connections on port 8080 for example and each one will be forwarded to a specific separate port on my localhost
18:46 < ||cw> _BIGSHOT_: sure it will
18:47 < zenix_2k2> so what do i actually need to do, should i put in some arguments in that command ?
18:47 < _BIGSHOT_> ||cw, i enabled relaying and i see green lock on my server but still it says no remote access
18:47 < ||cw> _BIGSHOT_: the relay sets up a connection from your plex to the plex relay server and holds it open waiting for commands
18:48 < ||cw> _BIGSHOT_: if none of this is working, i suggest you contact plex's support.
18:49 < _BIGSHOT_> ||cw, echo dot says access is not available to my local server
18:50 < _BIGSHOT_> List of IP addresses and networks that are allowed without auth <-- should i add my echo dot's public ip here?
18:50 < _BIGSHOT_> ||cw,
18:50 < ne2k> anyone use the virtual media feature of the eRIC KVM? I have a hosting provider that is giving me dedicated servers and I want to install the OS from an ISO, and the IP KVM supports reading an ISO file from a Windows share.
I've tried sharing to it from both the SMB server on RouterOS and from Windows 7, and in both cases I just get "no workie" from the eric
18:51 < ne2k> https://help.fasthosts.co.uk/app/answers/detail/a_id/1296/~/installing-software-on-a-dedicated-server-from-a-remote-iso-image#configure_eric
18:56 < _BIGSHOT_> yo dude ||cw what to do? relaying is no good
18:57 < _BIGSHOT_> man dis suckz butt
18:58 < atsu> ne2k, Since no one else said anything, I'd spin up a FreeNAS VM and try SMB on that
18:58 < _BIGSHOT_> no 1 can relieve dis connundrum
18:58 < _BIGSHOT_> conundrum
18:59 < atsu> ne2k, surprises me that Mikrotik didn't work. You allowed anon access?
18:59 < ne2k> atsu, they say only Windows is supported. I've contacted support
18:59 < ne2k> atsu, tried both ways, guest and user/pass
19:00 < ne2k> the thing that annoys me is complete lack of any debugging output from the KVM.
19:01 < zenix_2k2> anyway, how can i get to normal after executing this command --> iptables -t nat -A OUTPUT -p tcp --dport X -j REDIRECT --to-ports Y
19:01 < atsu> Time for a new hosting provider :P
19:01 < _BIGSHOT_> man seems dis is a diphikult proablemz fo yo folksies
19:01 < zenix_2k2> it is gonna redirect "X" port to "Y" port, and now i can't really directly connect to port "Y"
19:06 < _BIGSHOT_> man it seems ive goot more netwroking knowlegdgezz than yall
19:06 < _BIGSHOT_> ||cw, i particularly disliked his way of discussing & then disappearing
19:08 < purplex88> when we're saying "there's an upper bound for average speed" does it mean a speed above average?
19:08 < Sircle> I have this log of past. Is there a way to get user id who did this?
Apr 12 13:39:55 u kernel: [137628.771390] ssh OUT connection IN= OUT=ens3 SRC=107.161.18.128 DST=222.124.146.2 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=42652 DF PROTO=TCP SPT=56260 DPT=22 WINDOW=0 RES=0x00 RST URGP=0
19:08 < _BIGSHOT_> purplex88, it's bound mean speed can't increase no matter what you do
19:08 < _BIGSHOT_> it means*
19:09 < zenix_2k2> so hi ???
19:10 < purplex88> _BIGSHOT_: the average speed cannot increase?
19:10 < _BIGSHOT_> yes
19:12 < _BIGSHOT_> purplex88, are you solving your professors given assignment/
19:12 < _BIGSHOT_> ?
19:12 < purplex88> just reading through articles
19:12 < _BIGSHOT_> ahh gud boyh
19:12 < _BIGSHOT_> purplex88, give me link to it
19:13 < ||cw> _BIGSHOT_: I'm a busy person, sorry your free support is dissatisfactory
19:14 < ||cw> I'll give you a double your money back refund
19:14 < UncleDrax> schwwweeet
19:14 < UncleDrax> i'm gonna start paying you then
19:14 < _BIGSHOT_> ||cw, aha busy meaning - guy working for dough from 9 to 5pm, with w/e lil knowledge one goot
19:14 < _BIGSHOT_> no offense
19:15 < _BIGSHOT_> dude ||cw relay was totally uncalled for
19:16 < ||cw> so you got it working?
19:16 < _BIGSHOT_> Nah
19:17 < superguy> I have an OpenBSD server running OpenBGPd with IPv6 addresses. What's the simplest way to distribute the IP addresses virtually to a remote point?
19:17 < superguy> Something readily accessible like SOCKS/SSH is preferred.
19:18 < djph> that's not how you "distribute" IP addresses
19:19 < superguy> Yes, djph, IPv6 connectivity is not available where I live. There is no physical access to the server.
19:20 < djph> then either use a HE tunnel, or ... well, if you own the block(s), suppose you can tunnel them yourself
19:21 < superguy> I have my own blocks, I just want to... let's say, partition it?
19:21 < Sircle> Any ideas what's happening here? cat /var/log/kern.log.1
19:21 < Sircle> Apr 5 03:15:36 u kernel: [271606.816287] TCP: request_sock_TCP: Possible SYN flooding on port 80. Sending cookies.
Check SNMP counters.
19:21 < Sircle> Apr 5 06:15:35 u kernel: [282405.727758] SGI XFS with ACLs, security attributes, realtime, no debug enabled
19:21 < superguy> Dynamic IPs, dynamic IPs and NAT everywhere. :(
19:21 < djph> superguy: sounds like you're looking for something akin to a HE tunnel (IIRC 6in4)
19:22 < superguy> Sircle: Are you sure that you aren't under attack?
19:22 < _BIGSHOT_> superghuy
19:23 < Sircle> superguy, why would you ask that? is it something suspecious?
19:23 < _BIGSHOT_> suspicious
19:23 < superguy> Sircle: Yes. That's what the message was. dmesg?
19:24 < Sircle> kern.log
19:24 < Dagger> (FWIW Dialog Axiata are in fact doing v6 in .lk. I have no idea who they are though; possibly a mobile provider rather than landline)
19:24 < Sircle> I have this log of past. Is there a way to get user id who did this? Apr 12 13:39:55 u kernel: [137628.771390] ssh OUT connection IN= OUT=ens3 SRC=my-ip-here DST=222.124.146.2 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=42652 DF PROTO=TCP SPT=56260 DPT=22 WINDOW=0 RES=0x00 RST URGP=0
19:25 < superguy> djph: Yes, but with my own block and supporting dynamic IP addresses (v4). HE doesn't seem to like account sharing and if someone else wants to use my addresses, they want authorization for both an ASN and a block.
19:26 < djph> superguy: no, I'm saying you want something *like* it, not that you necessarily want a tunnel *from* HE
19:26 < superguy> HE wants both an ASN and a block or we can use one of their blocks but there is no way to go 'block only' with them. That's why I wanted to look for my own options, djph. Just some background. :)
19:27 < superguy> Dagger: IPv6 not working here even from Dialog Axiata. They are the largest mobile cell network provider IIRC.
19:27 < djph> superguy: ... for the third or fourth time now - "it sounds like you want to do something similar to HE...
I think they use "6in4" to do what they do"
19:28 < djph> superguy: now, it's up to you to read up on "6in4" and determine if yes that is in fact what you were looking for.
19:28 < superguy> djph: Oh! Thanks! I will look more into it.
19:28 < Dagger> https://stats.labs.apnic.net/ipv6/AS18001?c=LK&p=1&v=1&w=1&x=1 <-- stats say it's working for some people, at least
19:29 < Dagger> bear in mind 6in4 isn't a huge fan of NAT. the most common way to tunnel stuff around is probably OpenVPN
19:29 < Dagger> the *standard* way is IPsec, but who ever uses that
19:29 < superguy> Dagger: IIRC it was working years before but it is no longer working. I hope they improve it with their 4G deployment, at least.
19:30 < electricmilk> It's solarwinds that will Spam not just for life but even after reincarnation. Right?
19:30 < electricmilk> I'm considering downloading their Kiwi Syslog free version
19:30 < ||cw> Sircle: not unless ssh itself logs it somewhere. parse everyone's bash history maybe?
19:31 < electricmilk> But hesitant to give them my personal info if they are going to spam me
19:31 < electricmilk> Perhaps someone could recommend a free/open source system log server.
19:31 < Sircle> ||cw, few accounts don't have bash history. e.g apache
19:32 < superguy> Dagger: Thanks. Does OpenVPN support anything simple like username-password authentication rather than manually setting a load of CA bundle and certs up?
19:32 < superguy> Last time I looked up, it was PPTP and it didn't work out on my phone.
19:33 < ||cw> Sircle: apache making ssh connections would be bad
19:33 < Sircle> yes
19:33 < Dagger> superguy: it does pre-shared key, at least
19:35 < superguy> Dagger: Thanks, I will look at the docs. :)
19:35 < grawity> superguy: the client can authenticate using username/password, yes
19:36 < grawity> the server still uses a TLS cert, but you can stick that inline in the .conf / .ovpn file
19:36 < superguy> grawity: So I will have to manually load up the certificate again, right?
If it's a server TLS certificate, can I use the letsencrypt one?
19:37 < grawity> what do you even mean by "load up" anyway
19:37 < grawity> yes, the server can use a LE cert, but clients still need to be told about it
19:37 < grawity> openvpn is a bit against the usage of public pki
19:38 < superguy> grawity: Adding it to the ... Wait, so these don't follow the typical CA hierarchy with the system bundle?
19:39 < grawity> openvpn doesn't use the system bundle by default
19:39 < grawity> it can be told to, although don't forget to also use the correct options for hostname verification
19:40 < superguy> Is there any certificate-less method? Android (client) probably doesn't use the system bundle too, then.
19:40 < grawity> (that's another thing it doesn't do by default.)
19:40 < grawity> no, there's no certificate-less method
19:40 < grawity> (I'm purposely ignoring the static-key option here because it results in *more* config)
19:40 < Dagger> if you configure OpenVPN to accept all certs from a particular CA... that's fine if it's a private CA which you only use for issuing certs to permitted clients
19:40 < grawity> Dagger: that's the default :(
19:40 < Dagger> it's not so great if the CA in question is LE, since anybody can get a cert from them
19:41 < superguy> I mean, built-in Android one. Thanks, grawity and Dagger. I was considering LE cert for the server because I already have a domain name with a cert.
19:41 < grawity> the built-in Android VPN client does not do OpenVPN
19:41 < SporkWitch> Dagger: certs are necessary to know you're actually connecting to the end point you think you are; if you aren't, you've lost the entire point of a vpn
19:42 < grawity> superguy: what is your main concern here? the amount of manual configuration to enter into the phone?
19:42 < tds> well you can run openvpn without any keys/encryption at all, so you haven't quite lost all of the point, depending on what you're trying to do
19:42 < SporkWitch> Dagger: you don't necessarily need robust PKI, a simple self-signed cert is sufficient, just include the cert in the openvpn config file that you send to the client
19:42 < pekster> superguy: In almost all cases you want to create your own CA for use with OpenVPN; you can bundle that with the config you send clients, and if you choose you can have the clients exclusively use usernames so they don't need a per-client certificate
19:42 < grawity> openvpn has easy-rsa for making a CA in one command, by the way
19:43 < SporkWitch> ^
19:43 < SporkWitch> it's really easy (no pun intended)
19:43 < pekster> superguy: Optionally you can re-use the same client certificate in addition to passwords, if the server allows multiple connects from the same cert (just a config option.) It'll be 2-factor auth, but you can't revoke just 1 client's cert of course
19:43 < tds> ^ easy-rsa works nicely, much easier than doing it all manually with openssl (which easy-rsa just uses)
19:43 < superguy> SporkWitch: It can also be done with PSK, I don't know whether VPNs support it, though. There are multiple Zero-Knowledge methods for verifying a PSK.
19:43 < superguy> Oh, I wonder what did I just step on...
19:43 < pekster> PSK does not support multi-client, FYI
19:44 < grawity> or at least openvpn's psk mode doesn't
19:44 < pekster> Right
19:44 < grawity> tbh
19:44 < SporkWitch> superguy: honestly, you're going to expend more effort trying NOT to use PKI than just doing it the "right" way
19:44 < grawity> a) use IKEv2 and the "strongSwan for Android" app
19:44 < grawity> b) use ocserv and the "OpenConnect" app
19:44 < grawity> both have very minimal config on the client side
19:44 < grawity> url, username, password
19:45 < grawity> you can use a cert from public pki
19:45 < pekster> Is there only opportunistic server verification then, or are you expected to have a publicly-verifiable cert in that case?
19:45 < pekster> That would mean OP would have to get an LE cert first, for strong validation of the server
19:45 < grawity> usually the latter ... although openconnect also has an option to remember the cert, SSH-style
19:46 < pekster> Well, anyone not checking SSH fingerprint on connect could have just been MITM'd :P
19:46 < SporkWitch> official, first-party openvpn for android https://play.google.com/store/apps/details?id=net.openvpn.openvpn&hl=en
19:46 < pekster> OE has its place, but not if you need strong validation you're not sending credentials somewhere unexpected
19:46 < grawity> then just get a goddamn cert?
19:47 < pekster> Sure, but if the sales pitch is "no certs needed, no PSK required" then the compromise is either setting up a (validating) cert or trusting OE
19:47 < superguy> pekster: I have seen that most people I noticed couldn't care less about SSHFP.
19:47 < pekster> Just making it clear what the trade-offs are here for OP to decide which of the 3 or so solutions mentioned fits best
19:47 < pekster> Yes, many people get security very wrong
19:47 < tds> heh, I was about to mention sshfp ;)
19:48 < grawity> superguy: what do you mean by "SSHFP"
19:48 < tds> grawity: it's a dns record containing the ssh host key fingerprint, so you can verify it
19:48 < tds> (and then have the record dnssec signed so you can trust it)
19:48 < grawity> yes, wasn't really asking you though
19:49 < superguy> grawity: SSH FingerPrint, pun intended. It is both the record type and fingerprint itself.
19:49 < superguy> Nobody configures it, nobody verifies it.
19:49 < superguy> I use VNC over HTTPS to verify the keys.
19:50 < SporkWitch> i mean, if you're paranoid, it's easy enough to just connect with web console from the hosting provider first, and manually add the key to known-hosts
19:50 < pekster> Verification that you trust gets murky too, even if the zone has dnssec, which DNS server validated it and what was the last-mile delivery after that "trusted" validation
19:50 < superguy> For the first time. Then, HTTPS usually works.
19:50 < pekster> Right, tune your tin-foil to suit your own security needs
19:50 < grawity> SporkWitch: hopefully said "web console" runs over tls
19:50 < _BIGSHOT_> grawity, do you have echo dot?
19:51 < SporkWitch> grawity: one hopes, but when we're dealing with other people's computers, rather than one we have physical access to, you've got to trust the host at least that much or EVERYTHING is moot
19:51 < grawity> the fuck is echo dot
19:51 < _BIGSHOT_> amazon's echo dot
19:51 < SporkWitch> grawity: amazon's thing
19:51 < tds> pekster: I'd hope that most people using sshfp are running their own resolver that validates dnssec on their local box
19:51 < grawity> the voice assistant thingy? over my dead body
19:51 < superguy> Amazon Globglogabgalab.
19:51 < _BIGSHOT_> grawity, y sooo much hate?
19:52 < bobpc> has anyone in here used cat8 cables
19:52 < pekster> tds: One would hope, but say an employer set it up and road-warriors use it; does $employer manage mobile boxes with their own resolvers then to do the validation locally? That kind of thing..
19:52 < grawity> tds: iirc, the ldns library was reasonable regarding that – only accepted AD bit from localhost, did its own validation otherwise
19:52 < pekster> Of course, in that example the managed system could just bootstrap the known_hosts file too :)
19:52 < grawity> _BIGSHOT_: 1) I don't *do* voice commands. it is not a thing that I use
19:53 < _BIGSHOT_> ah and 2)?
19:53 < bobpc> 100Gbps
19:53 < superguy> tds: DNSSEC looks scary to the beginners. The other difficulty is in having the 'TLD' support DNSSEC in the first place, then the registrar. At least where I live...
19:53 < grawity> _BIGSHOT_: 2) I'm not a fan of always-on microphones in my room
19:53 < bobpc> I agree
19:53 < _BIGSHOT_> ahh you don't want aliens to here your groaning voice?
19:54 < SporkWitch> at least the google home mini, and i believe max, have a physical microphone switch (PRESUMABLY it's physical, anyway, not purely a softswitch)
19:54 < _BIGSHOT_> hear
19:54 < bobpc> how can I repair the software repos on antergos?
19:54 < grawity> (it doesn't help that every time I *did* try "ok google" on my phone out of curiosity, it completely refused to listen to me)
19:54 < bobpc> doesn't resolve the configuration file
19:54 < superguy> With a secret NSA soft switch (two way switch). LOL.
19:55 < SporkWitch> grawity: are you non-white? Tumblr told me that all AIs are racist :P
19:55 < bobpc> haha
19:55 < _BIGSHOT_> SporkWitch, are you female?
19:55 < bobpc> Have you seen that military AI plane that controls itself and does its own routes?
19:55 < bobpc> That shit is insane and non ethical for the human race...
19:56 < Apachez> what could possibly go wrong?
19:56 < electricmilk> _BIGSHOT_, Females don't exist on Freenode.
It's all frustrated workers in IT that have aspergers. Anyone else is lying.
19:56 < bobpc> It said that by 2020 it would wipe the human race with a nuclear weapon I don't think they would survive a nuke themselves
19:56 < grawity> by 2020, the human race will have been wiped by tide pods
19:56 < electricmilk> lol
19:56 < bobpc> LMAO
19:56 < Apachez> terminator movies are damned good
19:57 < Apachez> watch out for shit happening in august ;)
19:57 < superguy> A good ending would be the AI plane self-destructing itself after knowing that Cisco routers route faster.
19:57 < bobpc> haha good one superguy
19:57 < Apachez> Skynet becomes self-aware at 02:14 am Eastern Time after its activation on August 4, 1997
19:58 < fnDross> it'd be funny to see 2 AI's debate if their world was flat or a digital realm
19:58 < bobpc> that actually happened already...
19:58 < superguy> bobpc: Thanks. :)
19:58 <+catphish> i just learned yahoo got bought, bad times :(
19:58 < bobpc> watch the video on youtube fnDross
19:58 < SporkWitch> Apachez: no, it happens later, remember? the events in Terminator 2 set back the timeline
19:58 < superguy> An old saying: Internet is the place where men are men, women are men and children are FBI agents.
19:58 < bobpc> Back to the Future of AI
19:58 < SporkWitch> catphish: by whom?
19:58 <+catphish> verizon :(
19:59 < SporkWitch> catphish: well, it's not like their credibility can get any lower lol
19:59 <+catphish> On June 8, 2017, Yahoo shareholders approved the company's sale of some of its Internet assets to Verizon for $4.48 billion. The deal officially closed on June 13, 2017.
19:59 < superguy> catphish: Seriously? At least you got to know earlier than I got to know it...
19:59 < bobpc> So who thinks Cisco routers will catch up with Donald Trump running AI
19:59 <+catphish> i guess verizon is now where startups go to die
20:00 < superguy> bobpc: Cisco and Juniper for the next election.
20:00 < bobpc> wooooo
20:00 < superguy> catphish: Google used to be that place...
20:01 <+catphish> lol https://news.ycombinator.com/item?id=12157064
20:01 < SporkWitch> i'm actually hopeful some of the sexism suits against google win; they did get caught red-handed discriminating against white mails overtly lol
20:01 < compdoc> males?
20:02 <+catphish> SporkWitch: discriminating against white males in tech is legal, at least here
20:02 < SporkWitch> yes; i don't know what's happened to my brain in hte last couple years, but i've been making a LOT of phonetic typos recently
20:02 < Apachez> Cameron was dubious about casting Schwarzenegger as Reese as he felt he would need someone even bigger to play the Terminator. Sylvester Stallone and Mel Gibson were offered the Terminator role, but both turned it down.[22] The studio suggested O. J. Simpson for the role, but Cameron did not feel that Simpson would be believable as a killer.[23][24]
20:02 <+catphish> in fact many people campaign for the concept
20:02 < jkemppainen> > but Cameron did not feel that Simpson would be believable as a killer
20:02 < jkemppainen> HAHAHAHAHAHAHAH
20:02 < Apachez> OJ simpson as the killer?
20:02 < Apachez> sure... why not ;)
20:02 < jkemppainen> that is so poetic
20:03 <+catphish> Apachez: ha
20:03 < SporkWitch> catphish: fuzzy situation in the US. the laws put in place in the 60s make it clear favouring or disfavouring anyone based on race, sex, religion, or age is illegal, yet we also have affirmative action laws on the books, which literally favour minorities and women on the basis of race and sex, and by extension, disfavour whites and men
20:03 < superguy> catphish: Superpower transform from Yahoo to Verizon.
20:04 < SporkWitch> under the anti-discrimination laws, the affirmative action ones are blatantly illegal, yet they still exist and are allowed
20:04 < electricmilk> Apachez, HAHAHAH that's the greatest thing ever
20:04 <+catphish> SporkWitch: it's simple here, we have protected classes, but there's an exception for positively supporting a group who is a significant minority in a particular role
20:05 <+catphish> SporkWitch: in tech, that means pretty much every group that's not white men
20:05 < SporkWitch> catphish: personally i liked australia's solution: blind applications (no name, race, sex, etc.; you don't know any of that until you talk to them directly). They stopped doing it when it resulted in FEWER women getting hired in tech, though (revealing what we already knew: they don't want equality, they want supremacy)
20:05 < SporkWitch> catphish: thing is, by definition, that is actively HARMING everyone not a member of that group.
20:05 <+catphish> correct, but that's legal
20:06 < SporkWitch> catphish: if there are a finite number of positions, and you decide who gets it based on one of those protected classes, you are, by definition, punishing someone else for the same reason
20:06 <+catphish> SporkWitch: the problem is that given zero discrimination, people will choose roles that match their culture, and some people think that's bad
20:06 < SporkWitch> catphish: well yes, because equality of outcome requires totalitarianism
20:06 <+catphish> like me, as a white male, i'm unlikely to work in an afrocaribbean hairdresser shop
20:06 < SporkWitch> catphish: it's antithetical to freedom
20:07 < SporkWitch> catphish: you're unlikely to be hired even if you wanted to and were the best candidate lol
20:07 < superguy> grawity, Dagger: Thanks for the ideas, I am reading more on VPNs.
20:07 <+catphish> SporkWitch: but maybe those hairdressers want more diversity, so they go out of the way to train up some white men, and maybe that's ok
20:07 < SporkWitch> even here in the US, where we don't have quotas (yet), my rate of call-backs when i was looking for work more than doubled when i started marking "decline to answer" on the demographics info
20:08 < electricmilk> Anytime diversity is an employment law shit gets ridiculous. Just hire whoever is most qualified
20:08 <+catphish> i don't know, personally i think things are the way they are because the market dictates it, whether that's good or bad i couldn't say
20:08 < Apachez> https://www.telegraph.co.uk/films/0/terminator-timeline-guide-extremely-confusing-story-far/
20:08 < SporkWitch> catphish: we both know that when people talk about diversity they only mean getting rid of whites and men. Hence all the "incredibly diverse" pictures that have zero men and zero whites (one was all black women lol)
20:08 <+catphish> as an employer i genuinely believe i would never discriminate against a woman, but no woman has ever applied for a programming job at my company
20:09 < electricmilk> That's the thing...IT jobs generally appeal to men more than women
20:09 <+catphish> and really i don't know what more i can do to help this situation
20:09 < superguy> catphish: Yes. There were affirmative action laws here on education as well and then they finally ended up almost equalizing everything.
20:09 < electricmilk> Why is that so controversial?
20:09 < SporkWitch> catphish: that's the funny thing, the actual research shows a bias IN FAVOUR of hiring women and minorities, because of the political climate. Even if it's not a conscious bias, it's there.
That's why australia's blind applications backfired: when they were going purely on merit, without even KNOWING race or sex, fewer women and minorities made the cut, because they no longer had that favourable
20:09 <+catphish> electricmilk: that's the thing, apparently we (the managers in the industry) should be changing this
20:09 < SporkWitch> bias working in their favour
20:10 < superguy> catphish: Public education system and quotas in Sri Lanka. It was location based.
20:10 <+catphish> electricmilk: i have no great opinion one way or the other
20:10 <+catphish> SporkWitch: that's a pretty well known fact, no tech conference dares do blind selection of speakers any more, because they end up 100% men
20:11 < superguy> Our education system is still shit, though, regardless, but people have come enough way to be almost equal in hogher education by location.
20:11 < SporkWitch> electricmilk: because the activists strawman the reality of PREFERENCE as "aptitude." When you say "fewer women are interested in X" they hear (and repeat) "women aren't as good at X"
20:11 < superguy> higher*
20:11 <+catphish> but, people want diversity, and particularly at conferences where you have speakers, some forced diversity is good, it can help attract more people to the industry as a whole
20:11 <+catphish> but ultimately, you can't get over the fact that all industries have a culture, one that's unlikely to change fast
20:12 < electricmilk> Bah I wish we'd just stop focusing on gender and race so much
20:12 < SporkWitch> catphish: when it comes to something like a conference, i can get behind it, though not if it means bringing someone on that isn't truly competent in their own right.
By all means, bring on a competent female programmer; don't bring on briana wu
20:12 <+catphish> like, i couldn't work at a bank, i don't want to wear a suit, i just wouldn't fit
20:12 < electricmilk> I hate racism and sexism as much as the next person
20:13 < grawity> unfortunately, that usually means "not very much".
20:13 <+catphish> it seems like we're all agreed on this, and yet it's hard to find this diversity, and usually one just gets shouted at no matter what
20:13 < SporkWitch> electricmilk: want an even stronger reaction, start talking about IQ distributions. Men have more outliers, women cluster more towards the middle. As a whole the difference is negligible, but when it comes to the true stand-outs, you're dealing with the people at the extreme top of the curve, and there's more men there.
20:14 < Sircle> Is there a way to log any outbound requests (made by any application e.g apache to fetch a webpage / file from internet or a user initiating ssh or downloading something by wget)?
20:14 < jkemppainen> SporkWitch: ?!?!?!?!?
20:14 < electricmilk> SporkWitch, One problem is we can't even have those type of conversations
20:14 <+catphish> Sircle: you can use a firewall to log connections, or for http you could use an http proxy to log
20:14 * jkemppainen pretends to have a hilarious snowflake meltdown
20:14 < SporkWitch> catphish: one of the funny things about the studies showing the benefits of diversity is that those diversity hires aren't actually the ones bringing anything tangible themselves, but rather the diverse environment causes the white males to speak up more and be more bold in their suggestions lol
20:15 < superguy> Sircle: May probably not work with encrypted requests.
20:15 <+catphish> SporkWitch: my worry is the opposite, that forced diversity potentially stifles the existing (commercially successful) environment
20:15 < Sircle> catphish, how to do with firewall?
20:16 <+catphish> Sircle: just log connections, like -j LOG in iptables
20:16 <+catphish> though you won't see much except IPs being logged
20:16 < jkemppainen> catphish: I couldn't agree more. I noticed this in academia as well.
20:16 < SporkWitch> catphish: as it's typically done, it does, which is largely a result of prioritizing "diversity" over merit
20:17 <+catphish> the thing is that startups are often created by friends, people with chemistry, in-jokes, generally they have no filter
20:17 < Sircle> catphish, iptables -I OUTPUT -p tcp --dport 80 -j LOG --log-prefix "apache OUT connection " ?
20:17 <+catphish> Sircle: yes
20:18 < SporkWitch> ip6tables doesn't seem to like the log-prefix flag; need to figure out the new way to do it
20:18 < Sircle> catphish, how to log only outbound connections?
20:18 <+catphish> Sircle: -I OUTPUT
20:18 < SporkWitch> Sircle: use source port in the output chain
20:18 <+catphish> no, use the destination port in the output chain, like (s)he did
20:19 <+catphish> that will log outbound connections to web servers only
20:19 < SporkWitch> i thought we were logging on the webserver; my mistake
20:19 <+catphish> ah, no, i think this is a client
20:19 < Sircle> is there a way to log all this in a separate file ?
20:19 < _BIGSHOT_> SporkWitch, are you worried about your inability to compete? or are you worried about others taking over your job?
20:19 <+catphish> Sircle: you'd have a look at your syslog config, probably
20:19 < Sircle> I do not want to clutter other logs
20:20 < Dagger> -j NFLOG + ulogd2
20:20 < Dagger> it can be configured to log into a pcap file, which seems like the sane way to log network packets to me
20:21 < SporkWitch> _BIGSHOT_: neither, i'm annoyed by the fact that even if i CAN compete it won't matter.
I'm a strong believer in meritocracy, and i know that means sometimes I won't be the best, but i can live with someone that's a better fit getting the position over me (i took it in stride just a couple months ago; the guy that just edged out ahead of me had exposure to one of our systems that i didn't, which
20:21 < Dagger> (of course, that's if you can work out the ulogd.conf config format...)
20:21 < SporkWitch> put him ahead). I have a problem if the only reason i didn't get it is because i'm the wrong colour or because i have external genitalia
20:21 < grawity> tbh, if all you want is a pcap file, you can `tcpdump -i nflog -w blocked.pcap`
20:22 < _BIGSHOT_> ahh come on SporkWitch fairer color is naturally more attractive and appealing...
20:22 < _BIGSHOT_> for me it is
20:22 < _BIGSHOT_> i can't stand ugliness
20:23 < Dagger> grawity: ...I was unaware that was an option. in my defence, the manpage doesn't mention it either
20:23 < _BIGSHOT_> for optimum performance of my brain I want beauty and that too everywhere
20:23 < SporkWitch> unless the position is public-facing, attractiveness isn't relevant, competence is. You can be the loveliest thing in the world to look at, but if i have to do your job for you in addition to my own, i have no patience for you.
20:23 < SporkWitch> stupid is also unattractive
20:23 < Dagger> also running a bunch of tcpdump processes is a bit meh, but okay
20:23 < grawity> well it's only one process in this case
20:24 < grawity> no difference from running a ulogd process
20:24 < SporkWitch> Sircle: what is your end goal? Why are you interested in this particular traffic? Are you trying to isolate a rogue process? Detect malware?
20:24 < Sircle> I am getting this but I want to see the url pinged as well. Is there a way?
Apr 13 11:23:56 u kernel: [215869.953279] apache OUT connection IN= OUT=ens3 SRC=107.my ip here 28 DST=91.189.88.152 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=12894 DF PROTO=TCP SPT=59650 DPT=80 WINDOW=4887 RES=0x00 ACK URGP=0 UID=105 GID=65534
20:25 < superguy> Sircle: Also... Be sure to have enough space for tcpdump dumps, that thing grows very quickly.
20:25 < SporkWitch> Sircle: if it's encrypted, you need to log session keys or you'll only get the FQDN, not the URL
20:26 < grawity> tcpdump has options to rotate the dumpfiles
20:26 < SporkWitch> ^
20:26 < Sircle> SporkWitch, detect malware; yes
20:26 < grawity> for URLs... well, if you -j NFLOG *the entire connection* (or at least the first few packets), then the HTTP requests will get recorded in the pcap
20:27 < grawity> if you only log SYNs, then no
20:27 < grawity> if you expect the kernel itself to extract URLs, also no
20:27 < SporkWitch> Sircle: okay, so really you can't trust the client anyway, you need to monitor at the firewall; if it's that you suspect you have malware and are trying to track it down, just boot a liveos and run clamav. if this is proactive to catch something new as it starts up, have clamav running on the system and checking new files
20:30 < ||cw> clamav won't catch zero day targeted attacks tho, which is the only thing that gets through my firewall/proxy/scanner anyway
20:31 < Sircle_> SporkWitch, I want to see which urls are being hit and which .php file is doing it (it's some sort of .php file/code)
20:32 < SporkWitch> Sircle: you won't be getting the full URL if it's encrypted, and you can't trust a compromised device. you'd be able to get the destination IP at the firewall, though (as in a firewall NOT on the compromised host)
20:32 < ||cw> Sircle_: you're not gonna get the php file, but if you dump and decode you might get something in the request that you can grep for, assuming it's not obfuscated, which it probably is
20:33 < ||cw> in which case, you need to audit your files, find out what shouldn't be there, what has code in it that it shouldn't
20:33 < ||cw> diff can help
20:33 < SporkWitch> unless we're dealing with hardware-level doping...
20:33 * SporkWitch dons tin-foil hat
20:34 < ||cw> it's not a lenovo is it? :D
20:34 < Sircle_> SporkWitch, host is not compromised, just few .php injected.
20:34 < Sircle_> ||cw, how to dump ?
20:35 < SporkWitch> ||cw: my work laptop is lol
20:35 < ||cw> eh, you're doing it the hard way. diff your code tree with a known clean backup copy
20:35 < ||cw> SporkWitch: me too :(
20:36 < SporkWitch> ||cw: what is with the two-finger scroll on those? You have to remove BOTH fingers for it to stop scrolling and start moving the cursor again? so dumb, and defeats half the benefit
20:36 < ||cw> mine's new enough that they aren't injecting tho
20:36 < ||cw> I haven't noticed that, guess i just naturally lift both
20:37 < ||cw> but that's more a synaptic driver thing isn't it?
20:37 < SporkWitch> ||cw: i have, heavily, because it's convenient
20:37 < SporkWitch> ||cw: both my 2011 vaios, in win7 and in linux, as well as my current asus laptop running win10, all behave as you'd expect: remove one finger and the cursor starts moving again. All using synaptics.
20:38 < SporkWitch> ||cw: the lenovo, as soon as you start scrolling with two fingers, it's locked into scroll mode until both fingers are removed (and no, scroll lock for the touchpad is not enabled)
20:38 < ||cw> ¯\_(ツ)_/¯
20:39 < SporkWitch> another nice convenience about the normal behaviour is you can actually just keep one finger stationary and just repeatedly swipe the other on the pad to scroll; admittedly these are little things, but it's the little inconveniences that add up to big frustrations over time
20:40 < Sircle_> ||cw, I have few sites like wordpress based that is not on git
20:40 < Sircle_> so I cannot diff
20:40 < Sircle_> ||cw, there must be some way to trace fast
20:40 < SporkWitch> Sircle_: but do you have backups? diff is not purely a git thing
20:40 < ||cw> you don't have backups?
20:40 < Sircle_> SporkWitch, a lot changed since then
20:41 < grawity> so your backups are what, 6 months old?
20:41 < grawity> then they're not backups
20:41 < SporkWitch> then no, there is not a fast or easy way to do it, because your backup policy is shit lol
20:41 < grawity> also even if a website isn't based on git, it's still imho a good idea to put it on git
20:41 < grawity> you install wordpress, you run `git init`, and commit everything
20:41 < SporkWitch> it's wordpress, though, so just assume it's fucked; you can't spit without a new wordpress vuln ending up in MSF
20:41 < grawity> (and deny access to .git via webserver config, of course)
20:42 * SporkWitch he says as he actually considers using wordpress due to an inability to find any other forum software that isn't utter shit
20:42 < grawity> wordpress is forum software now?
20:43 < SporkWitch> grawity: pretty sure it has support for decent forums
20:43 < Sircle_> grawity, why deny access to .git?
20:44 < SporkWitch> grawity: i spent yesterday buggering about with SMF, which i'd used in the past, but the stable release doesn't seem to have had much done on it in years (heck, i got to manually fix some database entries because of a bug whose issue was dated 2013)
20:44 < SporkWitch> Sircle_: so that the repo can't be compromised as easily
20:44 < grawity> Sircle_: so that people won't be able to `git clone` your config.php and your mysql password...
20:44 < Sircle_> hm
20:44 < SporkWitch> that too lol
20:44 < Sircle_> git is private repo.
20:44 < grawity> SporkWitch: news to me, only ever seen wordpress used for blogs
20:45 < Sircle_> no one can just clone it
20:45 < grawity> Sircle_: well denying access to .git is exactly how you make it "private"
20:45 < Sircle_> ok
20:45 < grawity> I'm not talking about some repo on github or gitlab
20:45 < SporkWitch> grawity: well that at least makes it easier to not use, then :) lol. i am still stuck trying to track down something decent. I did finally get SMF sending email correctly with exim4, but i don't like HOW it sends it, and it doesn't let me configure it particularly well.
20:45 < grawity> I'm talking about the one inside the .git directory
20:45 < Sircle_> k
20:46 < SporkWitch> vbulletin looks really nice, but i can't justify 250 bucks for an experiment lol (we've got around 10k people on a discord server; i want to reduce clutter by moving some of the stuff to forums which are better suited to things like guild recruitment and trade advertising)
20:47 < SporkWitch> (no way to know if people will actually use it to justify the expense)
20:49 < SporkWitch> correction, 400, since apparently the mobile support isn't included >_< lol
20:50 < SporkWitch> grawity: looks like there's several decent forum plugins for wordpress
21:05 < ironpillow> hi all, question regarding access points. When an access point says it works with both PoE and PoE+, does that mean when I plug it into a PoE+ switch the AP receives higher power and it will increase its tx range?
21:11 < ||cw> ironpillow: no
21:11 < ||cw> ironpillow: well, unless it actually needs more than 15W, which seems unlikely
21:12 < ironpillow> ||cw: ok. the PoE injector I received with the AP is 48V and 0.5A. The AP works when I plugged into just a PoE switch.
21:14 < ||cw> POE is 48V, .5A is just the max the power supply can handle. it's good to not push the PSU to its limits
21:14 < ||cw> see if your AP has specs on how many watts it actually uses
21:15 < ironpillow> specs say less than 24W
21:15 < ironpillow> oh I thought PoE is 24V and POE+ is 48V
21:17 < ||cw> passive POE is often 24V, 802.3af and 802.3at are both 48V
21:21 < TandyUK> ironpillow: passive POE isn't really POE at all, it's 'we have some spare cores in the 100Mb cat5e cable, lets throw some random voltage down them and see what happens...."
21:22 < ironpillow> ||cw: ah...i see.
21:22 < _BIGSHOT_> hey TandyUK how's it hanging' in the UK?
21:22 < TandyUK> proper poe is either 802.3af or 802.3at, which negotiate with the device on the other end whether it wants/needs power, and if so how much, _before_ firing power randomly down the cable
21:22 < Apachez> active poe is more like "can you handle it BIATCH!?"
21:22 < Apachez> and then you pump 40 amps over the tp so it almost melts
21:22 < TandyUK> there's also 'Hi-POE (as yet unclassified afaik) which can deliver up to 60W over cat6 cable
21:23 < ironpillow> TandyUK: got it
21:23 < ironpillow> Apachez: :)
21:23 < TandyUK> _BIGSHOT_: i'm sitting actually
21:23 < ||cw> there's also phantom passive poe that can work over gigE
21:23 < ||cw> well, work WITH gigE
21:38 < xdroop> Anyone here know anything about Cisco FirePower(tm)
21:38 < xdroop> I want to know if it is safe to empty /var/sf/SRU
21:38 < xdroop> I want to know if it is safe to empty /var/sf/SRU
21:42 < ironpillow> is there any way to test the power consumption of the access point
21:42 < Aeso> ironpillow, most managed poe switches will give you power draw per port
21:43 < ironpillow> Aeso: oh sweet didn't know that. I have Tplink tl sg108pe.
21:43 < ironpillow> time to read up its documentation
21:44 < Aeso> Hm. Anyone have strong feelings about EVPN vs OSPF+PIM for VXLAN underlays? EVPN is untested waters for us, but the siren song of vendor interop is calling to me.
21:49 < nobody> hi :)
21:58 < PartyZen> on openstack - hello ! i'll be happy if anyone could answer that, i run mitaka but something strange for me - i thought computes also have namespaces like neutron ... how can it be they don't ? how is the isolation done then between projects ? if no namespaces to separate them - only iptables is what separates them ?
22:04 < BitShack> Anyone know how to telnet over ssl?
22:06 < ||cw> BitShack: you mean ssh? :D
22:07 < BitShack> Ssh didn't work
22:08 < BitShack> And I know the server works, the server isn't mine though so I cannot change the port
22:09 < tpanarch1st> hi, would a mariadb question be welcome here as they are a touch on the quiet side and it seems they are struggling with working out a resolution as much as I am
22:09 < tpanarch1st> I thought i'd ask as a courtesy
22:10 < rainyXP> BitShack Are you trying to connect to telnet or ssh?
22:10 < BitShack> Telnet
22:10 < BitShack> it connects but no data transfers
22:11 < BitShack> So I cannot see anything going on, and I'm assuming it is not connecting
22:11 < BitShack> It works on most networks without filters however...
22:11 < rainyXP> Is telnet being blocked by your firewall?
22:11 < ||cw> BitShack: openssl s_client maybe?
22:12 < BitShack> On android?
22:12 < BitShack> Using VX ConnectBot?
22:12 < ||cw> is it actually telnet or you want to test a TCP protocol manually?
22:12 < BitShack> It's actual telnet
22:13 < ||cw> telnet over ssl doesn't really make a lot of sense
22:13 < BitShack> Only way I can connect...
22:13 < BitShack> That's how I'm on irc rn
22:13 < ||cw> and how's that
22:14 < ||cw> how do you do it from a desktop
22:14 < BitShack> I'm on android
22:14 < BitShack> I do not have access to a desktop
22:14 < ||cw> ...
22:14 < BitShack> All I did was change to port 7000 and turn on ssl
22:15 < ||cw> that's a raw ssl socket
22:15 < ||cw> it's not telnet
22:15 < BitShack> Ik
22:15 < BitShack> I'm not using telnet
22:15 < BitShack> I'm using andchat for irc and vx connectbot for telnet
22:16 < ||cw> ok, so what are you actually trying to do
22:16 < BitShack> Connect to telehack.com through telnet, using SSL so it allows me through
22:16 < BitShack> Port 23
22:17 < ||cw> if the server isn't ssl, you can't use ssl
22:17 < BitShack> Good point
22:17 < BitShack> >_>
22:17 < ||cw> ssh to a shell account and telnet from there
22:18 < BitShack> Only local ssh allowed
22:18 < BitShack> Portscan reveals open ssh port on the routers
22:18 < BitShack> That's it.
22:19 < BitShack> So am I fucked unless I can get outside somehow?
22:19 < BitShack> Oh btw this device is wifi only
22:19 < ||cw> find a shell account with alternate ports
22:19 < BitShack> Gtg anyways...
23:12 < navy_seal9614> so I have openvpn server and nginx server on the same vps. I connect to OpenVPN via tunneling. I tried making an HTTP request to nginx, and the tcpdump reports that the source of the request is my actual IP (not the vps ip like it's supposed to). Why so? DNSleaktest shows vps ip btw.
23:34 < Apachez> navy_seal9614: because openvpn doesn't nat
23:36 < qman__> navy_seal9614: if you want to access the site via openvpn link, you must use a route that is pushed from openvpn
23:36 < qman__> i.e. if you hit the public web name and you're not redirecting all traffic over the vpn, it won't use the vpn, because it's pointing at a public ip
23:38 < wiresharked> Apachez: I would use a VPN in school, but I don't want to get in trouble for trying to get around Snapchat or instagram blocks..
23:49 < wiresharked> qman__: Is it OK to use a VPN in school?
23:50 < qman__> that's up to the school's IT policy
23:51 < qman__> if you're using it to bypass restrictions they've placed, probably not
23:51 < wiresharked> qman__: Well some students at my school always use a VPN to get past blocks, and nobody's been caught
23:51 < qman__> that doesn't make it ok
23:51 < qman__> read the policy
23:51 < qman__> you probably were already supposed to have read and signed it
23:52 < qman__> it will be very clear whether it's allowed or not
23:52 < wiresharked> Maybe not, although I'm not trying to condone any criminal behavior here
23:54 < d3r3k> wiresharked: in my country, breaking the terms of service isn't automatically illegal.
23:54 < qman__> it depends on jurisdiction and interpretation of the law
23:54 < d3r3k> indeed.
23:55 < qman__> a lot of US federal laws basically boil down to using any computer network in any unauthorized way being illegal
23:55 < qman__> this is obviously very broad and not enforceable as such, but it does get enforced when they want it to
23:55 < d3r3k> I got expelled from high school for making a fake screenshot.
23:55 < wiresharked> Although using a VPN to get around snapchat or instagram being blocked isn't illegal, sheesh. It's not like I'm trying to commit a crime
23:56 < qman__> it could be, depending on jurisdiction
23:56 < d3r3k> wasn't illegal at all, but I still got in trouble :p
23:56 < qman__> as I said, there are a lot of broad, draconian laws on the books
23:56 < wiresharked> Well, let's not try and get into that here
23:56 < d3r3k> wiresharked: probably bad advice, but here's what my thought process in life is: what's the worst that could happen?
23:57 < qman__> in the US, the worst that could happen is a felony charge and some possible jail time
23:57 < b18c5> most sites now are going doing the google,facebook terms
23:57 < b18c5> if you're browsing you agreed
23:57 < qman__> depends on how badly you piss them off
23:57 < wiresharked> qman__: Although sometimes using a VPN to speed up your school's wifi is OK
23:57 < qman__> most of the time, they don't do that, but sometimes they do
23:58 < d3r3k> qman__: not quite, it depends on how badly you piss off the cops and/or legal system.
23:59 < qman__> the much more likely outcome is being banned from use of the school's network up to and possibly including expulsion
23:59 < qman__> if it violates the policy, that is
23:59 < qman__> so read the policy
23:59 < d3r3k> speaking as somebody who has gone through that, it was totally worth it.
23:59 < qman__> they will tell you, precisely, what you are and are not allowed to do
23:59 < d3r3k> wasn't a big deal, actually helped my career/life by not having to attend high school.
--- Log closed Sat Apr 14 00:00:10 2018