--- Log opened Sat Apr 14 00:00:10 2018
--- Day changed Sat Apr 14 2018
00:00 < qman__> yeah, I won't disagree with high school being a waste of time
00:00 < qman__> but generally you don't want to be expelled
00:00 < wiresharked> qman__: You are certainly correct about being banned from using school wifi. I'm a very trustworthy person
00:02 < d3r3k> wiresharked: use a VPN that's hosted on Google Compute Engine and uses SSL on 443/TCP.
00:02 < wiresharked> They can still trace traffic going through the VPN though..
00:02 < qman__> https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act
00:04 < qman__> the law lays out some specific government/financial wording but has a bunch of "or for X Y Z" type statements that effectively mean all computers and networks
00:04 < qman__> and qualifies any data
00:04 < navy_seal9614> qman__: thanks. So what exactly happens when I make an http request from my local machine (while on vpn) to my vps (both nginx server and vpn server)? Cause I'm confused as to why dnsleaktest shows the correct ip, while when I make a request to vps nginx it leaks.
00:04 < d3r3k> qman__: not a lawyer, but I don't see how wiresharked would be accessing any unauthorized data.
00:05 < wiresharked> Although, it's weird, because on every school-owned computer, when I'm on my google account, hotspot shield is there, and I know I did not install it
00:06 < d3r3k> wiresharked: Chrome syncs plugins.
00:06 < d3r3k> *can sync plugins
00:06 < qman__> navy_seal9614: assuming that you are accessing the site in a way which sends your traffic over the VPN (this is not necessarily the case), you send traffic originating from the IP that openvpn assigned you, over the tunnel, to the vps, where nginx answers the query
00:06 < d3r3k> you can disable it.
00:06 < wiresharked> But I don't think that I installed hotspot shield
00:06 < qman__> navy_seal9614: nginx will see the IP that openvpn assigned to your computer in its logs
00:06 < d3r3k> maybe you left yourself logged in and somebody else did once.
00:07 < wiresharked> I had to leave myself logged in to do windows updates
00:07 < wiresharked> I prefer to use a VPN for good, not to get in trouble with police
00:10 < navy_seal9614> qman__: but is it safe to assume I am sending traffic over the vpn if when I use my browser to send requests (for example to dnsleaktest.com google.com) it shows VPS IP?
00:10 < qman__> no
00:10 < qman__> navy_seal9614: the traffic is only going over the VPN if the route to the site is sent over the VPN
00:11 < qman__> if your vpn config sends all traffic over the vpn, then it will be over the vpn
00:11 < qman__> if it doesn't, you will only send traffic for routes that were pushed in the config over the vpn
00:12 < qman__> d3r3k: this is the tricky part - (a) Whoever— (2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains— (C) information from any protected computer;
00:12 < qman__> probably doesn't apply in this case but there are other laws to look out for too
00:13 < wiresharked> That is why I don't try to hack into teacher computers
00:13 < qman__> that's what I'm getting at though, there's all kinds of much more specific stuff in the law, but those clauses basically supersede all of that and make accessing any "protected" information on any computer illegal
00:14 < Carll> make sure your vpn isn't DNS only; you should be good.
00:14 < wiresharked> So hotspot shield is good then?
00:14 < Carll> Or alternatively instead of VPN, use a socks tunnel?
00:15 < wiresharked> Carll: Which is not supported on android
00:15 < hukata> hi
00:15 < Carll> wiresharked: I didn't see you were on Android, sorry.
00:16 < Carll> hello hukata.
00:16 < wiresharked> They're using the VPN to get around the fact that Snapchat and instagram are blocked on the school's wifi
00:16 < hukata> more like filtering packets that go through the router
00:17 < hukata> disabling ports
00:18 < navy_seal9614> qman__: I just checked my config. And I do redirect all traffic over the tunnel (push "redirect-gateway def1 bypass-dhcp" is uncommented)
00:19 < qman__> navy_seal9614: ok, then all traffic should be routing over the VPN - you can see the evidence of this in the nginx log, you should see the traffic originating from your openvpn IP
00:19 < qman__> when you connect to openvpn, it will assign you an IP
00:19 < qman__> I think the default is 10.8.0.0/24
00:20 < qman__> but it should be in the config
00:20 < qman__> the exception is if you're doing a bridged configuration
00:20 < qman__> then you get assigned some other way
00:20 < hukata> why do u need openvpn ? are u going to install it for an intranet ?
00:24 < Carll> navy_seal9614: does DNS leak test show your router's DNS *and* your server's?
00:26 < navy_seal9614> Carll: nope
00:27 < Carll> navy_seal9614: OK, brill. I typed this up anyway; https://pastebin.com/RKBYkw9z
00:29 < navy_seal9614> qman__: i used tcpdump (on vps) to check incoming traffic on port 80 and it leaked my actual ip.
00:33 < navy_seal9614> qman__: also i have an iptables rule that should drop all incoming traffic on 80 except if it is the vps public ip. Does that even make sense? The big picture is something like that: i have a bunch of docker containers. One of them is nginx and has http ports open. I am using that for dev purposes and want to block all ips except the ones who have access to my vpn
00:37 < mawk> if they're containers they probably don't have their own public IP navy_seal9614
00:37 < mawk> so you just have to not do NAT to it from your public ip
00:42 < sudormrf> any of you lot ever run squid in AWS as a global proxy for an enterprise?
00:42 < mawk> isn't it wiser to run it inside the company itself ?
00:42 < UltraPhil> what the hell am I reading
00:42 < mawk> you want the lowest latency
00:43 < sudormrf> mawk, doesn't work well if workforce is global and dispersed and they don't VPN back home
00:44 < sudormrf> latency to AWS is typically low
00:44 < sudormrf> dependent on user machine
00:44 < sudormrf> not looking to use it for caching
00:44 < mawk> yes
00:44 < UltraPhil> why are you looking to do this, at all, then?
00:44 < mawk> filtering
00:44 < sudormrf> ^
00:44 < mawk> I guess
00:44 < sudormrf> and logging
00:44 < mawk> but you really want to filter the users...at home ?
00:44 < sudormrf> yes
00:45 < sudormrf> there are people that WFH
00:45 < sudormrf> they are remote employees
00:45 < mawk> is it legal ?
00:45 < mawk> oh ok
00:45 < sudormrf> yes
00:45 < mawk> off work time it wouldn't be legal in my country
00:45 < sudormrf> anything they do on a company asset needs to be monitored
00:45 < sudormrf> they shouldn't be doing private shit on a company asset, but that will never change
00:45 < mawk> why not force a VPN then ?
00:45 < mawk> yeah
00:45 < sudormrf> not feasible ATM
00:45 < sudormrf> that could come later
00:45 < sudormrf> but even then we need attribution
00:46 < sudormrf> and some of the additional protections afforded by a proxy
00:46 < mawk> you could do both
00:46 < mawk> use the vpn for the safety and centralization then just transparently pass traffic through squid on the VPN router
00:46 < mawk> I already made a setup like that to try out
00:46 < sudormrf> aye that will come once we replace the vpn
00:47 < mawk> how do you expect to force the computers to pass through squid ?
00:47 < mawk> at home
00:47 < mawk> by windows administrator magic I guess
00:47 < mawk> nevermind
00:48 < Irritiable|LT> Networking technology != operating system
00:48 < navy_seal9614> mawk: every container is properly NATed by docker itself and it works. I can reach it from the outside. My question is why, when I am under a VPN and make a request to that nginx instance, tcpdump on port 80 shows my local box public ip? (again dnsleaktest.com shows vps ip)
00:48 < Irritiable|LT> Running *NIX system right now.
00:48 < mawk> for a corporate environment I expect the computers to be windows, Irritiable|LT
00:48 < Irritiable|LT> mawk: Why would you even assume such a thing?
00:48 < Irritiable|LT> Dear Jeopardy: What is: RedHat?
00:49 < mawk> because it's common
00:49 < Irritiable|LT> It's common to use RedHat. I agree.
00:49 < mawk> maybe redhat is common in your country
00:49 < mawk> not in mine
00:49 < Irritiable|LT> "Your country."
00:49 < mawk> here it's windows everywhere
00:49 < Irritiable|LT> I was unaware that Microsoft Windows or Linux RedHat was priced differently in different countries.
00:49 < mawk> not a price, but culture
00:49 < Irritiable|LT> Culture defines economics?
00:49 < UltraPhil> sudormrf, are you providing remote desktops to your workers, i.e. with vmware View, Citrix, or something like that? What's the workflow ?
00:49 < Irritiable|LT> That's a new one on me.
00:50 < sudormrf> they get laptops
00:50 < mawk> you said price
00:50 < Irritiable|LT> Hopefully cheap hardware laptops running either Windows XP or a Linux distro! Something good
00:50 < sudormrf> nope
00:50 < sudormrf> macos
00:50 < Irritiable|LT> Macintosh? Yuck.
00:50 < UltraPhil> sudormrf, you want to monitor all network traffic going through the laptops? Or traffic going to your company assets?
00:50 < Irritiable|LT> At least it's a *NIX based OS.
00:51 < mawk> is it a question navy_seal9614 ?
00:51 < sudormrf> all through laptops, laptops are company assets
00:51 < mawk> you should see the ip from the vpn range
00:51 < mawk> unless you're doing NAT from some kind of container holding your vpn, then you'll see the ip of that container
00:51 < mawk> but not some local public ip
00:53 < mawk> if price was the sole criterion when buying stuff we would know that
00:53 < mawk> lol
00:54 < dna6a> If I want to link 2 asus routers via wired connection and maintain LAG on each router
00:54 < dna6a> do I just have 192.168.1.1 and 192.168.1.2? and link them LAN TO LAN?
00:54 < dna6a> or LAN TO WAN?
00:54 < mawk> you've got your solution ready to force the proxy on the system sudormrf ? I'm curious about it
00:55 < mawk> forcing a vpn should be easier
00:55 < UltraPhil> mawk, sudormrf Was just thinking about that; can you really force it on macos ?
00:55 < mawk> I guess using firewall rules you can forbid not using it
00:55 < sudormrf> the VPN here is trash
00:55 < mawk> which sums up to forcing it
00:55 < sudormrf> yes you can
00:56 < sudormrf> you can force it with Casper
00:56 < UltraPhil> ah ok
00:57 < UltraPhil> net traffic on AWS isn't free so I kinda doubt it's a better option than an on-prem VPN using company net?
00:58 < sudormrf> we are AWS native
00:59 < UltraPhil> I just doubt that, cost-wise, it's better to use AWS than company net
00:59 < sudormrf> possibly, but our VPN is trash
00:59 < UltraPhil> but depends on your company net
00:59 < sudormrf> yeah
00:59 < UltraPhil> have you considered hosting an openvpn on prem ?
00:59 < mawk> why is it trash ?
01:00 < mawk> openvpn isn't exactly the fastest thing on earth
01:00 < sudormrf> we are using openvpn
01:00 < sudormrf> and it doesn't scale
01:00 < mawk> indeed
01:00 < sudormrf> we are going to replace it
01:00 < UltraPhil> your users are geographically sparse?
01:01 < mawk> IPSec has much better performance
01:01 < mawk> and some new linux-android-only (for now) things like Wireguard pretty much beat them all
01:01 < sudormrf> openvpn isn't designed for large enterprises. openvpn Access Server is closer, but it doesn't do posturing
01:01 < sudormrf> it's good for home
01:01 < sudormrf> but
01:01 < sudormrf> yeah
01:01 < mawk> in terms of security, speed, ease
01:04 < sudormrf> openvpn has all of those, but doesn't scale for a large enterprise
01:04 < mawk> for security and ease yeah
01:04 < mawk> speed, maybe not
01:04 < mawk> https://www.wireguard.com/performance/
01:05 < sudormrf> debatable
01:05 < mawk> I'd call 260 Mbps over 1 Gbps fast enough, but doesn't beat other competitors at all
01:05 < sudormrf> lots of configuration options
01:05 < mawk> yeah
01:07 < Carll> I may look into this soon actually and compare to openvpn, although my top speed is 35mbps
01:08 < mawk> using wireguard I achieve around 850 Mbps
01:08 < mawk> on my fiber connection
01:08 < Carll> mawk: have you compared against openvpn? I'm more concerned with regards to pings.
01:09 < mawk> not yet but I have to set one up
01:09 < mawk> wireguard doesn't pass through crappy open wifis in macdonalds
01:09 < mawk> openvpn is good for that
01:09 < mawk> for ping time you've got a chart on my link
01:11 < lem0n> just found a really interesting issue with PXE/DHCP.. we run automated VM deployment to tons of VLANs using PXE boot.. the DHCP servers and servers replying with PXE information are separate, and there are separate sets too depending on the subnet. it usually works very reliably but have had consistent issues with one subnet.. we set a delay on the dhcp scope and it totally worked
01:11 < lem0n> im trying to figure out if there's an order in which the response from the dhcp server has to be received compared to the position of the option 60 response
01:12 < lem0n> have consistently reproduced the issue until the 100ms dhcp delay was introduced
01:13 < Carll> mawk: I just installed the TAP adapter on my windows, gonna look into it tomorrow, thanks.
01:28 < Kythlo> Hey guys I'm having an issue with sending emails to one client, they keep bouncing back and I have no idea why, been emailing for over 10 years but they're bouncing back, I get this error message
01:28 < Kythlo> Final-Recipient: rfc822; sgarland@arbutusclub.com Action: failed Status: 5.0.0 Remote-MTA: dns; webmail.arbutusclub.com. (96.53.49.118, the server for the domain arbutusclub.com.) Diagnostic-Code: smtp; 550 209.85.217.182 is not allowed to send mail from ashadebetter.ca Last-Attempt-Date: Fri, 13 Apr 2018 16:16:47 -0700 (PDT)
01:28 < Kythlo> I don't think I'd be on the spam list since we do business together
01:29 < Irritiable|LT> Diagnostic-Code: smtp; 550 209.85.217.182 is not allowed to send mail from ashadebetter.ca
01:30 < tds> ^ your spf record has include:spf.protection.outlook.com, but the IP looks like it's a google mail IP or something
01:30 < tds> so they're validating spf and rejecting the message, as they should, since you have -all
01:31 < sudormrf> openvpn is entirely based on your setup
01:31 < Kythlo> it is a google mail ip, google account but we use outlook software
01:31 < sudormrf> and the end to end things
01:33 < Kythlo> can you elaborate @tds? I'm confused, I don't know much about spf
01:33 < tds> Kythlo: it looks like your email is being delivered to google, so if it's a plain google apps setup, you just need to update the record
01:34 < tds> an spf record lists the mail servers which are permitted to send mail on behalf of a specific domain, and the gmail servers aren't included in the record for your domain
01:34 < tds> and that record also includes "-all", which means that any emails failing the checks should be rejected
01:34 < Kythlo> v=spf1 include:spf.protection.outlook.com -all
01:35 < Kythlo> It is a plain google app setup, what do you mean by update the record?
01:39 < Kythlo> @tds any idea where I would make the change in google settings? Do I need to add my domain somewhere?
01:39 < tds> Kythlo: indeed, that's the record - you will need to update the record with your dns provider (probably the registrar)
01:40 < tds> google should have docs for that
01:40 < tds> https://support.google.com/a/answer/33786?hl=en
01:42 < Kythlo> Yeah I have that up, is there a reason why it all of a sudden stopped working?
01:42 < a1fa> hello.. i have a cisco asa ipsec question -- cisco router connecting via ipsec to two separate routers that do dynamic routing. one router is primary for "A/24", and the other router is primary for "B/24"; both are able to carry A,B traffic. Is it possible to set up two tunnels on Cisco to carry A(primary),B(failover) and B(primary),A(failover) respectively?
01:42 < a1fa> s/cisco router/asa/
01:43 < a1fa> err/ turns out it's a 3750
01:44 < tds> Kythlo: assuming you haven't changed the record recently, it's likely they just modified their mail system to check spf
01:49 < dna6a> Hi all
01:49 < dna6a> I want to connect 2 routers via wired connection
01:50 < dna6a> https://www.snbforums.com/threads/gt-ac5300-any-news-or-updates-on-support.45906/#post-397106
01:50 < dna6a> oops sorry
01:51 < dna6a> do i leave primary as 192.168.1.1 and new router as 192.168.1.2 and connect LAN to LAN or LAN to WAN?
01:52 < dna6a> Each of the routers has LAG to a NAS on each
02:54 < mast> Anyone work with Intel SR2600s?
03:19 < ironpillow> hi all, can't figure out if this is a managed or unmanaged switch: https://www.tp-link.com/us/products/details/cat-41_TL-SG1016PE.html. It has vlan, qos and igmp snooping
03:19 < ironpillow> but they say it's a smart switch
03:19 < ironpillow> TP link never mentions managed
03:20 < mast> "Web-based user interface and management utility simplify configuration "
03:21 < mast> Thought you probably already saw that
03:21 < mast> I have this burning need for POE
03:21 < mast> All of my switches are only POE capable when hooked into a secondary PSU
03:27 < Harlock> ironpillow smart switches are minimally managed switches yes
03:28 < ironpillow> Harlock: oh ok. thanks
03:29 < ironpillow> mast: yep saw that
03:29 < mast> :)
03:43 < SynfulAck> anyone familiar with nx-os? Got a weird problem where i can ssh into the mgmt interface but the switch can ping anything.
03:44 < SynfulAck> can't ping anything*
04:30 < DrunkRhino> Ok, this is probably something stupidly simple that I'm forgetting, but why might a machine running dnsmasq + dhcp resolve the names properly for clients querying it, but not on the machine itself? (i.e. "ping eee" works fine from my tower, which is querying my pi, but not on the pi itself)
04:33 < Kingrat> does the pi have its nameserver set as itself, or another address?
04:36 < DrunkRhino> resolv.conf points to 127.0.0.1
04:50 < fryguy> what's the nsswitch.conf entry for `hosts`
04:51 < DrunkRhino> files mymachines myhostname resolve [!UNAVAIL=return] dns
04:52 < fryguy> is systemd-resolved running?
04:52 < DrunkRhino> Yep
04:52 < fryguy> what's /var/run/systemd/resolve look like?
04:53 < DrunkRhino> the resolv.conf there is also 127.
04:54 < fryguy> interesting
04:54 < DrunkRhino> I mean, it's the machine handing out the leases so I'm positive it's probably just something stupidly simple that I forgot to configure.
04:55 < fryguy> if you `dig @127.0.0.1` locally does that work?
04:56 < DrunkRhino> drill eee @127.0.0.1 returns the .0.5 it's supposed to
04:56 < fryguy> and drill w/o @127.0.0.1
04:56 < fryguy> ?
04:57 < DrunkRhino> Same thing, weirdly. Ping eee returns "name or service not known" though
04:57 < fryguy> so systemd-resolved is doing something then
04:58 < fryguy> switch nsswitch so that dns is before resolve
04:58 < DrunkRhino> Bingo!
04:58 < fryguy> mine looks like `hosts: files mymachines dns myhostname
04:58 < fryguy> `
04:58 < fryguy> and i'm pretty sure we are on the same OS
04:58 < fryguy> because my commented out one from me messing with this previously is the same as yours
04:59 < DrunkRhino> I remember that I'd futzed with nsswitch.conf before I had to re-image the SD card for the pi, but I couldn't remember what I'd done to it, and what specifically I'd fixed with that.
05:00 < DrunkRhino> Thanks for the help!
05:07 < sakjdhfsadf> what specs do i look at to know if i'm buying a long range wifi adapter?
05:42 < tpanarch1st> will these permissions make my server vulnerable please? https://docs.suitecrm.com/admin/installation-guide/downloading--installing/
05:51 < Kalecgos> Hi, relatively new to networking, struggling with class A and B classful subnetting issues. https://i.imgur.com/BS0G3iC.png This problem, for example. I can manually write out each subnet, but when the problem is asking for Subnet ID 40's last host address, it's kind of hard to write out 41 subnets lol. Is there a formula to quickly calculate that kind of stuff? I remember my prof mentioning something about it but I can't seem
05:52 < Kalecgos> For a direct reference for the linked problem, how would I get the subnet number (network address) of the 13th subnet without manually writing out the entire 0-13 path.
05:55 < meingtsla> You may be able to start noticing patterns after writing out the first few subnets, so there's that
05:55 < Kalecgos> Yeah I did that on the quiz today, 64 host addresses per subnet, so every 4 subnets the pattern resets
05:57 < Kalecgos> So like would the first host address of that example problem's 40th subnet be 190.35.20.1?
05:58 < meingtsla> Step back a few and tell me how you arrived at that
06:01 < Kalecgos> 64 addresses/subnet, so every subnet's HA range is .1-.62, .65-.126, .129-.190, 193-254
06:02 < Kalecgos> every 4 subnets adds one to the 2nd octet, so subnet 0 = 0.xx, subnet 4 = 1.xx
06:02 < Kalecgos> 40/4 = 10
06:02 < Kalecgos> 10.1
06:02 < Kalecgos> Since it's the first host address
06:02 < meingtsla> OK that's better. You said 190.35.20.1 earlier
06:02 < Kalecgos> oops sorry
06:03 < Kalecgos> My pattern/logic looks correct though, right?
06:04 < meingtsla> Also I see you're treating 0.0/26 as the zeroth subnet. Following that convention makes the counting one step simpler :D
06:05 < Kalecgos> Yeah for this class, you have to include it in answers
06:06 < Kalecgos> Now, that's an easy pattern, just +64 or 1/4th of an octet per subnet
06:06 < meingtsla> ...as opposed to calling 0.0/26 the first subnet
06:07 < Kalecgos> in my head I know it's the first, but if I were talking to a router it's the 0th
06:07 < Kalecgos> just makes more sense on paper when I'm writing it
06:07 < Kalecgos> to me, at least
06:07 < meingtsla> Yeah
06:09 < Kalecgos> What about something like https://i.imgur.com/eM1mwhe.png
06:10 < Kalecgos> For the BA of the 1023rd subnet/subnet ID 1022
06:10 < Kalecgos> I could do that by going backwards from 162.255.255 obviously
06:11 < Kalecgos> here, let's use the same problem, but subnet ID 632
06:11 < Kalecgos> I can't mental math my way through that, and don't see a pattern to skip anything really
06:12 < rewt> you should tell your prof that classes were deprecated about 25 years ago...
06:12 < Kalecgos> We're switching to classless
06:12 < rewt> the only time you should be using them, unfortunately, is when studying for ccna, but should promptly forget about them right after
06:12 < Kalecgos> Yeah this is part of the ccna prep course
06:12 < Kalecgos> er, the precursor to it
06:13 < Kalecgos> Today was the first day of classless
06:13 < Kalecgos> which makes a lot of sense to me so far
06:13 < rewt> if cisco gives you a survey about it, make sure you tell them it's been deprecated for two and a half decades
06:14 < meingtsla> Kalecgos: Wait, I thought you were counting subnets starting with 0 and not 1. Why is the 1023rd subnet not the last one?
06:14 < Kalecgos> This question is worded differently
06:14 < Kalecgos> this course is a nightmare
06:14 < Kalecgos> in the workbook, the 1023rd is the 1023rd
06:14 < Kalecgos> in tests/quizzes, 1023rd is the subnet ID 1022
06:15 < rewt> omg, "borrowed bits"???
06:15 < rewt> cisco really has to update their material
06:15 < meingtsla> The bits are not being returned
06:15 < meingtsla> Surrendered bits? Stolen bits?
06:15 < Kalecgos> all your bits are belong to us
06:16 < rewt> cisco isn't french, so stolen
06:16 < meingtsla> Ha, I wasn't even thinking of that
06:17 < Kalecgos> http://docdro.id/ZzIZAQW
06:17 < Kalecgos> here's the student version of the workbook
06:17 < Kalecgos> (the instructor version is publicly searchable on my school's website from google btw)
06:18 < DoYouKnow> 23:10 < Tylak> https://twitter.com/shearm/status/984954963393744901
06:18 < Kalecgos> ,/faculty/chento/secure/lectures/
06:18 < Kalecgos> "secure:
06:21 < Kalecgos> I really like this class because of how often the prof changes question wording
06:22 < Kalecgos> Because now on my midterm we have questions like "What is the first host address on the subnetwork that the IP address 172.20.114.25/23 belongs to?", which I think I know how to do, but it has never been in this format in our quizzes or workbook.
06:22 < rewt> page 9 has an error
06:24 < Kalecgos> I feel like I should have skipped this class and gone straight to intro to networking
06:24 < Kalecgos> 'cuz this class is a subnetting and binary class
06:24 < Kalecgos> and y'all aren't the first to say classes are outdated
06:25 < rewt> i'm sorry you have to go through this :(
06:26 < rewt> lol @ page 74 ... someone's not so good with making diagrams
06:28 < rewt> page 78; i wonder what answer they expect for 127.100.100.10/8
06:29 < Kalecgos> what page is it on?
06:29 < Kalecgos> I have the instructor copy, I'll check
06:30 < Kalecgos> https://i.imgur.com/J5H1Rrq.png
06:30 < Kalecgos> this?
06:31 < rewt> yea heh
06:31 < Kalecgos> "reference: inside front cover"
06:31 < Kalecgos> What front cover? there isn't a book for this class...
06:31 < rewt> but that doesn't answer the question as stated
06:31 < Kalecgos> I hate this shit dude
06:33 < rewt> inside front cover is 2nd page of pdf
06:34 < kang00> Hi any one from usa?
06:34 < Kalecgos> Ah, okay, I was going to be kinda tilted.
06:35 < Kalecgos> Well, thanks for the info guys. I'll pop in here for sure if I need to be pointed in a certain direction about stuff.
06:35 < rewt> anyways, back to your question, to calculate the start of the n-th subnet, just multiply the step between subnets by n, and if you treat the first as n=0, you should get the right answer
06:36 < Kalecgos> What do you mean step?
06:36 < Kalecgos> address range?
06:36 < rewt> the host ip
06:36 < rewt> yeah
06:36 < rewt> and that step will always be a power of 2
06:38 < Kalecgos> Would I divide the answer by 256?
06:39 < Kalecgos> the (address range x subnet )/ 256, that is
06:39 < Kalecgos> i.e 64 addresses per subnet, I want to find subnet 623's first host
06:40 < rewt> divide by 256 as req'd to get the octet values
06:40 < Kalecgos> 64 x 623 = 39872/256 = 155.75 so 165.200.155.193?
06:40 < Kalecgos> https://imgur.com/eM1mwhe
06:40 < Kalecgos> for this question
06:41 < linux_probe> lol
06:41 < rewt> yes, looks about right
06:42 < Kalecgos> Okay, fan-fuckin'-tastic
06:42 < Kalecgos> I knew I was missing something simple
06:42 < Kalecgos> I think I was doing that on my quiz today partially but we weren't allowed to use calculators
06:42 < Kalecgos> and I can't do mental math for the life of me
06:42 < rewt> just make sure you're not off by one
06:42 < rewt> easy to make that mistake
06:43 < Kalecgos> yeah NA would be .192, first HA would be .193
06:43 < Kalecgos> BA would be .255, last HA would be .254
06:43 < Kalecgos> subnet 623 address range = 165.200.155.192-155.256
06:43 < Kalecgos> 255*
06:44 < rewt> also for the multiplication part... is that 623 or 624
06:44 < Kalecgos> 623rd subnet including 0th
06:44 < Kalecgos> oh so that would be 624
06:44 < Kalecgos> sheeit
06:44 < rewt> isn't that 622 then?
06:45 < rewt> n=0 for 1st, n=1 for 2nd, n=622 for 623rd
06:45 < Kalecgos> ah yeah
06:45 < Kalecgos> that's what I meant
06:45 < Kalecgos> so subtract everything by 64
06:46 < Kalecgos> gonna save this log in case I forget
06:47 < rewt> btw, classless is much of the same, but there is no "default mask" and you're not limited to /8, /16, /32; it can be anything between /1 and /32
06:47 < rewt> well, /0 and /32
06:47 < rewt> and there's not "borrowed bits"
06:47 < rewt> -t
06:47 < Kalecgos> ye anything that's a network bit is locked away
06:47 < Kalecgos> no touchy
06:48 < Kalecgos> R E C L A I M the bits
06:48 * linux_probe couldn't pass that test
06:48 < linux_probe> where's my subnet calc lol
06:49 < Kalecgos> this is basically a math class
06:49 < rewt> pretty much
06:49 < linux_probe> >_> that's what happens when you never touch anything but /24's
06:49 < rewt> heh
06:49 < linux_probe> it all goes away to the bit bucket
06:49 < Kalecgos> I just need more hands on practice, but the work book's questions are shitty and don't correlate to the quiz/tests
06:50 < Kalecgos> not kidding, there's 3 different versions of questions now that the midterm is worded entirely differently
06:50 < mast> what book is this
06:50 < rewt> so like word problems in math class
06:51 < rewt> just have to identify the real math question and answer it
06:51 < Kalecgos> Well they're versions we haven't seen
06:51 < Kalecgos> I can extrapolate how to answer them but it's completely different
06:51 < rewt> they contain enough info to get at the answer, but there may be 2 or 3 steps
06:51 < Kalecgos> https://www.docdroid.net/ZzIZAQW/ipv4-classful-subnetting-workbook.pdf this @mast
06:52 < mast> Ah
06:52 < Kalecgos> it's not a 'real' book afaik
06:52 < mast> You know the CCENT books have decent coverage of this stuff
06:52 < Kalecgos> I just want to get this class done and move on to the next one
06:52 < mast> Wendell Odom and Todd Lammle
06:53 < whatsupdoc> Hi, does anyone know how to identify ISPs in a list of router ips?
06:53 < rewt> whatsupdoc: whois
06:53 < mast> You can even get these books for free from sites that end in iratebay
06:53 < DoYouKnow> whatsupdoc: AS #
06:53 < Kalecgos> https://www.amazon.com/CCENT-ICND1-100-105-Official-Guide/dp/1587205807 this book?
06:54 < mast> Yes that's one. People love this guy's book
06:54 < batch> hey can someone highlight me plz, tryin out something
06:54 < mast> It's dry though
06:54 < mast> Todd's book is written in more easy going language. And some people like that
06:55 < Kalecgos> I need to figure out what path I even want to go on in networking
06:55 < whatsupdoc> What do I look for in AS?
06:55 < whatsupdoc> whois
06:55 < rewt> look for the org name
06:55 < DoYouKnow> canonical organization name
06:55 < whatsupdoc> it's my university?
06:56 < rewt> which ip?
06:56 < whatsupdoc> http://dpaste.com/2FX8H57.txt
06:58 < rewt> yes, that starts out at UC Davis, and goes into google
06:58 < whatsupdoc> But where's the ISP?
06:59 < Kalecgos> If I wanted to start working on some general certs, what would the generic path be? A+>CCNET>CCNA=N+?
06:59 < Kalecgos> Or is N+ easier than I'm imagining
06:59 < rewt> whatsupdoc, looks like it's cenic
07:00 < whatsupdoc> ok that's what i was thinking also
07:00 < mast> Depending on your background you could start with CCENT
07:00 < Kalecgos> I have a lot of general IT knowledge, just starting to learn networking
07:00 < Kalecgos> hardware is my memes excluding enterprise stuff
07:01 < mast> For sure
07:01 < mast> I didn't bother getting my A+ before starting CCENT
07:01 < Kalecgos> I've heard a+ is kinda useless
07:01 < mast> I'm sure it's slowed me down in a few places here and there, but to me it wasn't that big a deal
07:01 < linux_probe> Chicken Chokin Nut Adjuster
07:01 < mast> Definitely not enough to make me think I should have taken the A+
07:02 < mast> The best way to find out though is to start reading and studying the first few chapters of the Wendell or Lammle books and see if it clicks
07:02 < mast> There's also CBTNuggets courses, older ones are on you tubes, and the paid up to date ones can be great tools as well
07:03 < mast> Just start dicking around in there and see how you feel after learning
07:03 < whatsupdoc> how do you use whois to look up AS #?
07:04 < whatsupdoc> I need to find the organization whose AS number is 3, 9, 32, 1239, and 12000
07:04 < mast> It's all fun shit. And if you like have this massive fear of surveillance, government or otherwise, that helps too
07:04 < whatsupdoc> I can use online tools to get the answers, but just wondering how to do it using whois
07:05 < Kalecgos> I'm the opposite
07:05 < Kalecgos> all about data collection
07:05 < Kalecgos> maybe I should follow a google/amazon pipeline
07:05 < Kalecgos> hmmm
07:06 < whatsupdoc> networks are pretty cool. i can't believe everything is actually wired
07:06 < mast> I love it
07:06 < Kalecgos> yeah I just need to get some books
07:06 < mast> I am picking up a fun haul of stuff on Monday
07:07 < Kalecgos> sadly The Bay isn't a great pick for me, can't retain info I read on a screen for whatever reason
07:07 < Kalecgos> and fuck printing a 4082 page book
07:07 < mast> x3650 M3, C160 ironport, Trendnet 802R, two console servers just for the lols and a few upgrades here and there
07:08 < mast> Haha I hear you Kalecgos
07:08 < mast> I printed the Lammle book, but then I have a laser printer that's great on ink
07:08 < Kalecgos> hmm, maybe I should get a printer
07:08 < mast> Try the CBTNuggets videos. They are awesome.
07:09 < mast> I think it's best to flesh out what they talk about with some book learning, but they are super engaging
07:12 < whatsupdoc> How do you search AS numbers?
07:12 < Kalecgos> mast, if you know off hand, would it be a bad choice to print these ccnet books in B&W or is there not much color/graphics?
07:13 < mast> Black and White is fine for Lammle
07:13 < mast> haven't had a chance to get through the Wendell book yet
07:18 < jvwjgames> Hello all, how can I do two subnets? I have one subnet block as 162.220.209.34/29 and the other block as 162.220.209.49/28 and am confused on the gateway
07:26 < whatsupdoc> Does anyone know a famous server that is located outside the us?
07:27 < whatsupdoc> I have a hard time finding one because whenever I try one they are hosted in US
07:32 < mast> www.thepiratebay.org
07:39 < whatsupdoc> I'm getting some strange results
07:40 < whatsupdoc> What's with the never ending stars?
07:40 < whatsupdoc> http://dpaste.com/2ATBJGX.txt
07:42 < dirac1> wow Paris-Sanclay university.
07:43 < dirac1> Saclay.
07:47 < whatsupdoc> ?
07:48 < whatsupdoc> It just gets dropped all the time
07:49 < whatsupdoc> dange finally found one
08:11 < raykom> Hey guy
08:11 < raykom> Guys
08:12 < raykom> I'm scared shitless, moments ago I was browsing a few adult sites and when I clicked a link on one of them it look like it had illegal content.. I immediately exited everything
08:12 < raykom> what are the odds of the feds banging on my door
08:12 < Maarten> they are already on their way.
08:13 < raykom> ..
08:13 < Maarten> knock, knock neo.....
08:14 < raykom> I used 2 vpn's and tor but not sure if that does anything... screw these scumbags that upload this crap
08:15 < Maarten> i wouldn't worry about it.
08:15 < Maarten> though.... you could report the site to the police.
08:15 < Harlock> it's probably set up by the police
08:15 < raykom> Well i exited in less than 10 seconds and I never noted the url or anything
08:16 < raykom> I dont think tor stores the url do they?
08:16 < raykom> I could report it without accessing the site but I closed tor
08:16 < Harlock> it probably installed tracking software so they can find you later
08:16 < Maarten> tor is where most child porn gets trafficked through these days....
08:17 < raykom> yeah I assumed that
08:18 < raykom> But the site that had the link to it was legal
08:18 < raykom> At least it looked legal
08:18 < raykom> i am sooo worried right now :(
08:19 < Maarten> 2 vpns and tor and you are worried?
08:20 < raykom> yeah
08:20 < raykom> tor is probably bait so I would not consider that as a protection level
08:20 < Maarten> disconnect your internet. Only way to ensure the feds aren't coming. Unplug everything physically from the wall, and wait at least 4 weeks.
08:20 < dedmen> hello
08:22 < dedmen> helloooo
08:22 < dedmen> anyone online ?
08:23 < korean-walmart> no
08:26 < dedmen> this so lame
08:37 < Aztec03> dedmen tell no tales
08:38 < dedmen> what ?
08:39 < Aztec03> aw shit its just a piratey disney thing from one a those moviefilm things
08:40 < Aztec03> what's yer question though?
08:41 < dedmen> nah i just wanna learn hacking
08:41 < Aztec03> you're cool now
08:41 < Aztec03> now we are both cool guys.
08:56 < raykom> so you suppose with 2 vpn's and tor, they may consider it a mistake on my part(which is was)?
11:14 < pabed___> Hi guys , I trunked an interface on cisco 2960 , when I connect aircap 2700 to trunked port , I see its show status notconnected and it is on vlan 1 yet , why it does not change to trunk status ?
11:16 < pabed___> But when I connected the port to other 2960 switch the port's state changed to trunk , I don't know the problem comes from aircap or switch ?
11:34 < Screwsss> My emails are being sent to the wrong address
11:34 < Screwsss> Well some of them
11:35 < Screwsss> Its really random
11:39 < Screwsss> Hey
12:08 < Apachez> did raykom burn his computer yet?
12:23 < batch> hi can anyone tell me what the requirements are in iptables to forward a protocol ?
12:29 < detha> knowing how to -I FORWARD -p -j ACCEPT
12:43 < batch> detha is that all?
12:44 < batch> because, i do have a script that i found online, but i think it does a little bit too much
12:44 < batch> let me find it
12:45 < detha> batch: that is what I would define as 'forwarding a protocol'. -p tcp, -p50, ...
12:47 < batch> detha ok sweet thx for explaining, this is the script that i thought that worked because i did it some time ago but then fuzzing too much with configs and fucked up again: http://ix.io/17JZ
12:47 < batch> should work but maybe there's too much
12:48 < batch> i really need to learn iptables i think
12:54 < detha> that looks like a very simple 'anything is allowed to make outgoing connections, nothing is allowed to come in from the internet, NAT to internet' setup
12:58 < batch> ok thankyou detha !
13:23 < zamanf> I am using an application to send udp packets from one pc to another. The packet goes through the router and the mac address changes on the way. Is there any option in routers to overcome this one and send my original mac address to the destination pc?
13:23 < Spice_Boy1> zamanf: no, that doesn't make sense
13:24 < Spice_Boy1> if it has to route, then it will go through a router, and the other interface on the router will be the new source mac
13:25 < Irritiable|LT> zamanf: You could send your MAC address via the UDP packet.
13:38 < zamanf> I see
13:38 < Irritiable|LT> My suggestion is just a band-aid solution (probably the only one).
13:39 < Irritiable|LT> That or remove the router from the equation?
13:39 < zamanf> I Will explain another situation
13:39 < Irritiable|LT> zamanf: Pure curiosity. Why do you want the receiptient to see the MAC address of the sender?
13:40 < Irritiable|LT> receipient *
13:42 < zamanf> I am using ubuntu to run a vmware windows machine. In the windows machine I run an application that interacts using udp packets with other remote machines. So, when I use wireshark or my custom made udp packet tracker, I can find the remote IP addresses that connect to the windows machine, but when I print the MAC address, it shows mine as their
13:43 < zamanf> it shows the routers mac address
13:43 < zamanf> my router
13:43 < petemc> thats how ethernet works
13:44 < zamanf> so what is the solution here? create a udp packet tracker and launch in the windows installation?
13:45 < Irritiable|LT> zamanf: Okay. You could definitely solve that by sending the MAC address through the UDP packet.
13:45 < Irritiable|LT> [06:25:43] zamanf: You could send your MAC address via the UDP packet.
13:45 < zamanf> this isn't possible Irritiable|LT
13:45 < zamanf> I mean, I can't add extra data to the packet
13:45 < Irritiable|LT> The Win32 API should be able to pull the operating system's MAC address pretty fast.
13:45 < Irritiable|LT> Ah.
13:45 < Irritiable|LT> A limitation in the utility used.
13:52 < detha> zamanf: where are you capturing that traffic? with bridged networking you should be able to see that mac address on the bridge, or on the router side
13:59 < zamanf> I am capturing the traffic from the Ubuntu
14:00 < zamanf> not sure if I can overcome this obstacle by changing the network settings in vmware
14:02 < detha> which mac address are you after? the VM's or the connecting machine's ?
14:07 < Irritiable|LT> detha: zamanf said he wants: Sending machine's MAC address to arrive at receiving machine.
14:07 < Irritiable|LT> detha: The transmit method is a UDP packet from some unknown utility. He cannot control the UDP packet data being sent.
14:07 < detha> Irritiable|LT: ah. that's a case of 'That is not how ethernet works' indeed then
14:17 < _BIGSHOT_> anybody using plex?
14:17 < _BIGSHOT_> echo dot
14:21 < LFSveteran> got an openvpn server running, client connection is established and it's able to ping the server ip 192.168.10.1
14:21 < LFSveteran> on the same machine as the openvpn server, there are also other services like samba
14:21 < LFSveteran> these are not accessible by VPN/tun0 yet, how to connect these together?
14:23 < plasma> LFSveteran: you could make them listen on the ip of the VPN/tun0, for example
14:35 < LFSveteran> a simple "bind 192.168.10.1" in the telnet config of xinetd won't work
14:35 < _BIGSHOT_> anybody using plex with echo dot?
14:37 < detha> telnet? 1990 called, they want their protocol back.
14:38 < LFSveteran2> I know , just for test
14:38 < LFSveteran2> telnet on a VPN is pretty useless
14:38 < detha> xinetd will have to be restarted /after/ the ovpn server comes up
14:38 < LFSveteran2> I did
14:39 < detha> firewall? /etc/hosts.{allow,deny} ?
14:39 < LFSveteran2> some iptables settings?
14:39 < zamanf> I used wireshark from the windows installation, I still get the router's mac address. I am not sure what can I do, to get the remote mac
14:39 < lupine> socket initiation is exactly inetd
14:39 < lupine> the more things change, the more they stay the same
14:39 < detha> zamanf: you can't.
14:39 < zamanf> detha, maybe the remote mac?
14:39 < zamanf> of the router
14:40 < lupine> if you share an ethernet segment, you can get it. if you don't, you probably can't
14:40 < batch> LFSveteran2 maybe forward per interfaces
14:40 < zamanf> the reason I need this, is because the remote IP addresses are dynamic - so I need to find a way to spot them even when they change
14:40 < LFSveteran2> https://pastebin.com/1at5ahtS
14:40 < lupine> although if you're on ipv6 you might be able to intuit it from SLAAC if privacy extensions aren't on
14:41 < lupine> zamanf: go up a few layers
14:41 < detha> zamanf: so listen for traffic on the VM's address
14:41 < lupine> give them persistent application-level credentials and stop worrying about it
14:41 < lupine> MACs are trivial to spoof anyway
14:42 < zamanf> I can't lupine
14:42 < Apachez> PCs are harder
14:43 < detha> Mainframes, even harder than that
14:44 < lupine> zamanf: yes you can
14:44 < lupine> don't be silly
14:45 < zamanf> I can't change the code of the programs that send the packets
14:45 < _BIGSHOT_> anybody using plex with echo dot?
14:54 < Apachez> only with sierra foxtrot alpha
14:57 < Irritiable|LT> [07:37:46] telnet? 1990 called, they want their protocol back.
14:57 < Irritiable|LT> Telnet was great for AT&T's Battle.net servers (used for Blizzard games) until they finally shut it off in the early 2000s.
14:58 < Irritiable|LT> Telnet bots were the most simple and the whole reason for vL Clan's private servers and their voodoo magic that StealthBot was built around (VBS).
14:58 < Irritiable|LT> VB / VBS *
15:04 < jorja> Hello
15:06 < jorja> I had a power outage and now the router I use is flashing even when there are no ether cords plugged into it and not connecting to the internet. Is it toast or is there a way to get it to work again? I have already tried unplugging it and replugging it in
15:08 < wiresharked> So I think that "gigabit lite" for ethernet adapters is something to improve latency?
15:09 < Irritiable|LT> jorja: Have you opened up the router to inspect it internally to see if any of the hardware is visually damaged? You can also smell burned components if nothing's visually there.
15:09 < Irritiable|LT> (Do not laugh at the wording on that; it has a secondary and hilarious meaning if you read it wrong.)
15:09 < jorja> I do not know how to open one or even what to look for
15:10 < Irritiable|LT> jorja: I am assuming modern routers have tiny screw holes (I doubt they're using torx screws on them). If you see any sort of melted or burned components: You have an issue.
15:10 < jorja> I am not taking iot about
15:10 < Irritiable|LT> A circuit board is typically green. If it's burned or damaged: It'll look just like anything that's burned is: Dark brown or liquified metal.
15:10 < Irritiable|LT> Also known as: Slag metal.
15:12 < wiresharked> jorja: Well, that's what happens when you overclock your computer..
15:13 < Irritiable|LT> wiresharked: He mentioned a 'power outage.' There was a tornado near-by Texas earlier. We also had power-outages here in Texas.
15:14 < Irritiable|LT> Probably just a lightning strike. This is why if you have expensive toys plugged in walls during lightning storms and refuse to unplug them: You should at least invest in a cheap surge protector.
15:14 < Irritiable|LT> Better to lose a $100 surge protector as opposed to a $250 router / $400 TV / etc.
15:15 < LFSveteran> https://pastebin.com/h90JpeJf
15:15 < LFSveteran> added INPUT and FORWARD of TUN0
15:15 < LFSveteran> still nothing
15:17 < wiresharked> You are certainly correct about the surge protector. And I think I heard about that tornado near texas. Out here in the midwest, we're supposed to get an ice storm
15:17 < detha> LFSveteran: iptables takes first matching rule. you have a REJECT all to all before your rules
15:20 < jorja> No lightning strikes so it was not caused by lightning
15:21 < wiresharked> Probably a shorted fuse somewhere
15:22 < detha> or maybe the isp is still suffering from 'No Power'......
15:23 < wiresharked> That would not cause a router to be burned up though
15:23 < detha> No. But it would stop it from connecting internet. And if it's TR069, also from getting a sane config.
15:24 < LFSveteran> ok, can access telnet server now
15:24 < jorja> I am on the isp
15:24 < mervin> hello everyone
15:24 < LFSveteran> moved the rules a row higher before the reject
15:24 < jorja> I am on the internet right now
15:25 < wiresharked> detha: The configuration of the settings has nothing to do with the voltages of anything
15:25 < LFSveteran> however still no samba
15:26 < wiresharked> Is port 445 blocked?
15:26 < detha> LFSveteran: port 445/tcp, older versions samba needed 143 or something like that
15:26 < detha> 137/138, actually
15:26 < LFSveteran> I recall 445, 136 .. 139
15:27 < wiresharked> So if that's the case, then check to make sure that ports 445, 136, and 139 are all allowed
15:27 < LFSveteran> 445 open
15:27 < LFSveteran> 136 tcp closed
15:27 < detha> also, isn't some samba stuff udp?
15:27 < LFSveteran> 137/tcp closed
15:28 < LFSveteran> 138/tcp closed
15:28 < detha> easiest way to see: tcpdump on the tunnel interface, see what the client tries
15:29 < LFSveteran> I thought I just opened everything with the iptable rules...
15:29 < aaro> 137-138 UDP, 139 TCP
15:35 < LFSveteran> https://pastebin.com/zLjdNnSA
15:37 < detha> that appears to be talking
15:38 < LFSveteran> y
15:43 < jorja> I had a power outage and now the router I use is flashing even when there are no ether cords plugged into it and not connecting to the internet. Is it toast or is there a way to get it to work again? I have already tried unplugging it and replugging it in
15:46 < LFSveteran> not flawlessly yet
15:46 < LFSveteran> switched back to the telnet solution once more
15:47 < LFSveteran> can login, can cd but ls freezes
15:47 < detha> LFSveteran: sounds like MTU issues
15:48 < detha> set the MTU on the tunnel interface 20 or 40 lower
16:03 < adrian_1908> those of you who use iptables, do you prefer a frontend like e.g. "ferm", or do you stick to just the iptables command?
16:07 < LFSveteran> just typing iptables
16:07 < jorja> I had a power outage and now the router I use is flashing even when there are no ether cords plugged into it and not connecting to the internet. Is it toast or is there a way to get it to work again? I have already tried unplugging it and replugging it in
16:08 < detha> adrian_1908: no frontends, plain iptables, generated from templates if need be.
16:09 < adrian_1908> ok, thanks.
16:21 < Kingrat> jorja, usually the cheaper home router hardware just dies and does stuff like that, could be a bad capacitor that needs to be replaced, could also be a bad power supply you can try another one, but thats about as far as its worth going
16:22 < jorja> do not have another one
16:24 < Kingrat> is it a weird power supply? most use a 12v/1a brick with a standard sized plug which is used on many other things, but i have seen non-standard as well
16:25 < jorja> I do not have a spare plug
16:25 < Apachez> no spare buttplug?
16:26 < Apachez> your redundancy is ashamed...
16:26 < hendrikz> o.O
16:28 < compdoc> now Im ashamed
16:59 < batch> hey, the uplink, is it more like the connection to WAN, or is uplink more like the NIC for a bridge?
17:00 < batch> NIC for a bridge into a lan
17:00 < batch> ?
17:01 < detha> uplink goes up in the drawing. it links to one thing that serves a bunch of 'what your level is' things.
17:01 < batch> hmm
17:02 < batch> so let's say the uplink in a systemd-networkd bridge
17:03 < batch> what should i imagine it like?
17:03 < batch> like, the nice that's forwarding to a bridge adapter?
17:04 < batch> s/nice/NIC
17:04 < detha> spaghetti. it's systemd
17:04 < batch> fml
17:07 < detha> bridges don't have uplinks other than what you define as 'the uplink'
17:09 < Apachez> bridges just have walk or driveways
17:15 < tpanarch1st> hey, this isn't a pure networking question but I was hoping for some non-shootdown ideas please :)
17:16 < tpanarch1st> I have an old website, no updates available (I don't really know what you call a website system) and I'm looking to explore ways of securing it as it is around 10 years old
17:16 < tpanarch1st> i'm not sure, to start, how to identify vulnerabilities with it
17:19 < Kingrat> how are you hosting it
17:23 < detha> tpanarch1st: what is your budget?
17:24 < tpanarch1st> Kingrat: currently, i'm running it on an outside host but I want to migrate it onto ispConfig eventually
17:25 < tpanarch1st> sadly, and it is a gorgeous system from a usability standpoint but they stopped updating it
17:25 < batch> me trying to make a bridge in raspberry zero with systemd: https://www.youtube.com/watch?v=hUTY5aFdN-4
17:25 < tpanarch1st> I was ever so proud of the achievements of suiteCRM to - what a well developed system!
17:26 < tpanarch1st> nice when you don't have to complain!
17:39 < we3gerg> Hello, I have a layer two switch with four VLANs. I have a server VLAN, call it 'S', and the other three VLANs 'A', 'B' and 'C'. I want A and B to talk to S, and S to talk back to A and B. Also, A, B and C to remain uncommunicated with each other. How can I do this
17:40 < nickermire> we3gerg: sounds like you need a router and some ACLs
17:40 < we3gerg> That's what I heard, use edge router and use ACLs
17:41 < larry> what pack for wpa2
17:41 < we3gerg> but I heard of this "trunking" thing too, is that necessary?
17:41 < nickermire> depending upon the l2 switch you have, sometimes the switch will do interVLAN routing so you could then skip on using a router.
17:41 < we3gerg> I want to use the router though
17:41 < nickermire> gotcha
17:42 < nickermire> you might also be able to get away with using a opnsense/pfsense firewall as your router/fw and then just create firewall rules instead of mucking with ACLs on the switch.
17:43 < nickermire> hope that helps.
17:43 < we3gerg> I thought ACLs were done on the router?
17:43 < larry> going through the source code explains things
17:43 < hendrikz> router on a stick
17:44 < hendrikz> ;)
17:44 < we3gerg> router on a stick, heard of this too
17:44 < larry> what pack for wpa2
17:44 < nickermire> we3gerg: the smarter l2 switches have ACL capability
17:44 < we3gerg> this is when you split one interface into sub-interfaces?
17:45 < nickermire> we3gerg: yes
17:45 < larry> that wink is somebody who plays devil is it?
17:45 < larry> using lib linear it is a pinhead attack
17:45 < we3gerg> won't that compromise routing to the outside?
17:45 < larry> if the wink is in the code most likely it is all compromised
17:46 < larry> going through the source code explains things
17:46 < we3gerg> say, if I do router on a stick for my switch and vlans, and then I want to access the internet from one of the hosts in the vlan, that won't be compromised due to the router on a stick setup?
17:47 < Apachez> router on a stick is a bad setup securitywise
17:47 < Apachez> since you are mixing internal and external traffic in the same device twice
17:47 < we3gerg> what do you recommend?
17:47 < larry> what pack for wpa2
17:47 < nickermire> we3gerg: Right as your router would have the default gateway and be able to forward on traffic intended for the internet.
17:48 < larry> so pinhead can shape actions
17:48 < we3gerg> okay that's good
17:48 < larry> good is a good thing, yes?
17:48 < we3gerg> I guess I'll go with the ACLs on the router, make it happen with the firewall
17:49 < nickermire> we3gerg: if you have enough interfaces on your router, you could put a physical interface in each vlan if you're having bandwidth issues. Then, have a final interface for your uplink out to the internet.
17:50 < nickermire> Lots of ways to do these things. Usually money is the limiting factor.
17:51 < we3gerg> optimizing for simplicity, lowest cost and highest security
17:51 < detha> pick any two
17:52 < we3gerg> security and simplicity of design?
17:54 < detha> L2 switch, firewall/router with one interface per vlan, and one interface out to the interwebz.
17:55 < we3gerg> seems good except for the 1:1 int:vlan
17:55 < we3gerg> why is that necessary?
17:55 < detha> router-on-a-stick with running switch->router over one trunk is less cables, and less throughput between vlans
17:56 < we3gerg> that's okay, very little traffic anyway
17:56 < we3gerg> someone mentioned router on a stick is less secure
17:57 < we3gerg> and I'm not sure how I can prevent certain vlans from communicating
17:57 < detha> 'can be less secure', depending on how it is implemented
17:57 < we3gerg> okay: can I hook up my switch to the edge router with just one cable and manage traffic between VLANs with ACLs and route internet traffic outside? is this possible?
17:58 < detha> yup
17:58 < we3gerg> I reckon the only issue is throughput right?
17:59 < detha> unless you are running things at >90%, not really worth worrying about
17:59 < nickermire> yep
17:59 < nickermire> not sure about the security concern.
17:59 < nickermire> but I'm willing to learn something new too.
18:00 < we3gerg> okay last question, since this is the router, stuff won't be VLAN tagged, so that means I'm working with the addresses of each VLAN. How will I have one interface and multiple addresses from the different VLANs?
18:00 < detha> on your trunk cable it will be vlan tagged
18:01 < we3gerg> so I setup trunking in the router and it'll know? oof
18:01 < detha> in the router, you have vlan1, vlan2, ... interfaces and you can set rules saying 'nothing coming in on vlan2 can go out to vlan3'.
18:02 < we3gerg> really? I did not know this, been playing around in packet tracer and I did not see this
18:20 < jimm> Hi... gotta fix a program that looks at interface settings and "calculates" a masqing firewall
18:21 < larry> jimm what pack for wpa2
18:21 < jimm> given this will take some time, someone interested in helping me diagnose and fix?
18:23 < jimm> larry, I'm not really sure :) I'm a little occupied at the moment too, otherwise I'd try to help... let people know what dist you're running... maybe you want a package that has wpa-supplicant
18:50 < larry> what pack has wpa2
19:05 < ska> Anyone used these units as firewalls (pfsense)? https://www.amazon.com/Linksys-LGS124-Rackmount-Unmanaged-Enclosure/dp/B00H1OQBLA/qid=1523568145 ?
19:08 < fryguy> i'm real skeptical you can install pfsense on that
19:09 < detha> That.
19:14 < larry> jimm: fix it?
19:25 < ska> fryguy: its comes pre-installed with it, so I think you can. I have a unit with it already on it.
19:25 < qman__> ska: that's an unmanaged switch, you can't install anything on it
19:26 < ska> sorry wrong link.
19:26 < ska> https://www.amazon.com/Hardware-Firewall-Mikrotik-Security-Barebone/dp/B0777GHHW1/qid=1512756180
19:30 < larry> where having router on usbstick
19:30 < larry> most netfilter broke
19:31 < larry> possibly first wink
19:31 < larry> what was then and what do now
19:31 < larry> David cried
19:31 < larry> about son
19:32 < larry> once they thrashed humankind
19:32 < larry> what now
19:32 < larry> for intelligence is strong sometimes in enemies
19:32 < larry> what now
19:33 < larry> look at what was then
19:33 < larry> first strike was against the firewall
19:33 < larry> what more
19:33 < larry> continue to let them think it is active
19:34 < larry> but it doesnt work
19:34 < larry> when is Mr Jones going to have fairytales
19:34 < larry> all tails from the cryptkeeper
19:34 < larry> murders
19:34 < larry> what fairytails
19:34 < larry> this is tales from the crypt
19:35 < larry> Mitnick tells tails from the crypt
19:35 < larry> jimm: so you masq something
19:35 < larry> if they access the raid
19:36 < larry> why dont you watch legion
19:36 < larry> dont you get the matrix
19:36 < larry> it is a binary world
19:36 < mateothegreat> jesus
19:37 < larry> when you have a complete double image of yopu from GCC
19:37 < larry> what you had was the Guardian Angel
19:37 < larry> in the ether
19:38 < larry> jimm: do you want a fix
19:39 < larry> or do you want to keep thinking the app layer is working
19:39 < larry> when the foundation was cracked
19:39 < larry> first strike at the firewall
19:39 < larry> how many xservers
19:39 < larry> say you have a fighterpilot
19:39 < larry> with weapons of mass destruction
19:40 < larry> tales from the crypt
19:40 < larry> and the visual cortex is fooled by an x server
19:40 < larry> presses the wrong button
19:40 < larry> boom!
19:40 < larry> bombs away
19:41 < larry> these are the scenarios that propagate wild
19:42 < larry> exponential wickedness
19:42 < larry> as it increases you enter the last days where love of men grows cold
19:42 < larry> what masq are you calculating
19:43 < larry> mental omega
19:43 < larry> jimm:
19:43 < larry> stay wide awake
19:43 < larry> this is the object of the game mental omega
19:44 < larry> reduce fractals
19:44 * larry reaches out hand
19:46 < larry> how much binary does it take to maintain h20
19:47 * larry reaches out hand too jimm
19:48 < larry> whatever richard dawkins was talking about
19:48 < larry> holding together the dna structures
19:49 < larry> what was then and now
19:49 < larry> I'm not dwelling on the past
19:49 < larry> the raiders are going
19:49 < larry> how much torture can a mind take before it goes kaput
19:50 < larry> a mirrorless network
19:50 < larry> hostme
19:51 < larry> the masq isn't really needed
19:51 < larry> your talking about shoddy nat right jimm
19:52 < jimm> sshoddy bats?!
19:52 < larry> why not use a real server
19:52 < jimm> or even a reel to reel server?
19:54 < jimm> I'm looking to put a net back together the way it was, and I might also translate the rules to nftables
19:56 < jimm> I do want to use nat (because that's how it was originally done)
19:57 < jimm> I need to figure out what's going on with the program that generates the rules
19:58 < larry> what needs to be fixed?
20:02 < jimm> well first I need to figure out the problem... the iptables rules are initially empty, then I tell it to generate the rules, and instead of making the masq nets the way it's supposed to, it blocks packets from getting to the appropriate subnet (and therefore wire)
20:03 < jimm> I dunno what the problem is yet
20:03 < jimm> and I need a way to piece together what it is
20:05 < `7hr34t_hvntr> anyone ever see google chrome sending out STUN packets
20:06 < detha> jimm: dentistry engineering, gap analysis and filling. define what it needs to do. determine what it does. the difference is the gap. fill that gap.
20:06 < `7hr34t_hvntr> is it seen in conjunction with streaming activity usu
20:08 < _BIGSHOT_> hello, since i am behind Double NAT - I am using "ngrok" to forward my port so that I can use plex remotely, does anyone know how to setup plex with ngrok?
20:08 < _BIGSHOT_> i already forwarded plex port 32400
20:08 < jimm> what it does: looks at the definitions of some interfaces, figures out which one is the outgoing interface (i.e. going to "the rest of the internet"), then writes iptables rules which creates a masqing firewall
20:09 < jimm> ever since I upgraded (which could mean upgrade kernel), can't ping out, sendto: op not permitted
20:10 < jimm> and I'm not exactly sure what's going on
20:11 < detha> well, start by looking at what it does then
20:12 < jimm> well it makes rules... want to see them?
20:12 < detha> that would be a start
20:13 < jimm> ok, how would I export existing rules? (also, I can give you a tarball of the project, so you can see what it tries to generate, and with which information)
20:14 < jimm> I know iptables -L outputs some of the rules, how would I get all of them?
20:14 < detha> iptables-save is the preferred format
20:15 < detha> otherwise iptables -vnL
20:15 < jimm> lemme check that out
20:15 < tds> and remember to use ip6tables as well if you're using non-legacy ip ;)
20:17 < jimm> ok, looks like I'm still here...
20:22 < jimm> maybe it's not generating rules when it should be
20:34 < jimm> tell ya what... I'm having problems getting this thing to generate the rules... I gotta figure out why... but first, something came up and I gotta leave for awhile...
21:09 < nickster> I was messing with ipv6 like a month ago and never got my interfaces to obtain an address and no other machines were able to get one either.
21:10 < nickster> Today i had a weird power surge and my opnsense vm rebooted
21:10 < nickster> 10 minutes of booting up later, i now have functioning ipv6
21:10 <+catphish> maybe your ISP fixed something
21:11 <+catphish> :)
21:11 < rainyXP> Just out of interest, do you use the proxy functionality on the pfsense?
21:12 < nickster> i figured out the isp issued a /56 prefix because after changing it a few times, it finally worked with that
21:13 < nickster> my lan is set to track interface
21:13 < nickster> rebooting apparently would have solved it
21:14 < nickster> now all lan devices at home can use ipv6
21:14 < nickster> now contemplating if i want it on my vlan
21:16 < revere> What could be wrong that if I query a public dns server with dig (like 8.8.8.8 or 1.1.1.1) for a domain it returns no ANSWER, but with +trace it does?
21:16 < Peng_> revere: Several things. For what name?
21:16 < revere> The nameservers set at the registrar respond with the right answers
21:17 < Goop> How many IPv6 addresses does Cox give its customers?
21:17 < nickster> usually a /64
21:17 < revere> it's a personal domain, if it's most likely something uncommon I'll let the party hosting my dns deal with it
21:18 < nickster> http://forums.cox.com/forum_home/internet_forum/f/internet-forum/15554/ipv6-prefix-delegation
21:18 < nickster> i got lucky with charter handing me a /56
21:29 < ExploitedKernel>
21:29 < ^Gecko^>
22:00 < BlueProtoman> Suppose I have a home server and a domain I use to connect to it remotely. If I'm at home, will connections to this server via 192.168.x.x be faster than through the domain I use to connect remotely?
22:08 < Peng_> No. Maybe.
22:10 < BlueProtoman> Peng_: What do you mean?
22:10 < Peng_> Is it slow?
22:12 < BlueProtoman> Peng_: "It" being "connecting remotely"?
22:13 < Carll> The joys of networking :-)
22:16 < DoctorOfWar> BlueProtoman: The name resolution is actually pretty fast, and after that the communication will be through ip's, so no overhead there. But depending on your gear, it will 'understand' that connection is coming back to your server
22:16 < {HD}> Does dns have variables? I am working with the new installation of Vesta CP and when I look at that the fall DNS records I see a “NS2.domain.TLD.“ are those variables or should I replace that with my actual domain name?
22:16 < DoctorOfWar> I think, I'm not a 'network' guy, so if I'm wrong please tell me =)
22:17 < {HD}> Fall = default.
22:17 < Apachez> {HD}: if you have gayporn.com your NS should most likely be something like ns1.gayporn.com.
22:17 < Apachez> and ns2...
22:18 < {HD}> Apachez: lol and I will update it to see if it works.
22:18 < {HD}> whyy does an NS record end with a '.'?
22:18 < Carll> {HD}: it shouldn't
22:19 < Carll> {HD}: ns1.domain.tld
22:19 < {HD}> example: when you change an NS record for DigitalOcean it defaults to adding an '.' onto the end.
22:20 < {HD}> And I see it pretty frequently when I search for it.
22:20 < black_13_> is this the correct place to ask about why download fails because of credential errors
22:20 < Apachez> ahh yes
22:20 < Apachez> its ptr records who ends with .
22:20 < Apachez> solly
22:20 < Apachez> black_13_: this is the wrong place to ask about asking
22:21 < Dagger> *all* absolute DNS names end with .
22:21 < black_13_> Unable to locally verify the issuer's authority. WARNING: certificate common name `distributions.freedesktop.org' doesn't match requested host name `gstreamer.freedesktop.org'. HTTP request sent, awaiting response... 404 Not Found 2018-04-14 14:56:33 ERROR 404: Not Found.
22:21 < {HD}> Oh...
22:22 < Apachez> black_13_: well go figure
22:22 < {HD}> What resource (dns for dummies) should I read/watch to learn what I need to know about DNS?
22:22 < Apachez> you are visiting gstreamer.freedesktp.org 22:22 < Apachez> that shitty servers gives you cert for distributions.freedesktop.org 22:22 < Apachez> which is wrong 22:22 < Apachez> {HD}: bind.org have a great manual 22:22 < Dagger> relative names are... I guess it depends on context; in DNS lookups, a relative name will have each of the domains in your DNS search list appended to it, and if none of the resulting names exist then it'll try appending . 22:23 < Dagger> in bind zone files, relative names have the current value of $ORIGIN appended to the end 22:23 < black_13_> Ok 22:23 < Apachez> and $ORIGIN is . 22:23 < Apachez> unless set 22:24 < Peng_> black_13_: Apachez: https://gstreamer.freedesktop.org/ WFM. Could be an obsolete client. 22:24 < Dagger> $ORIGIN starts at ., but for reverse zones you generally set it to 0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. or whatever your zone is for 22:24 < Dagger> but of course you don't generally want that being appended to your PTRs, so your PTRs tend to end in . 22:25 < Apachez> Peng_: that url worked for me with no errors 22:25 < Apachez> Common Name (CN) gstreamer.freedesktop.org 22:26 < Apachez> Common Name (CN) Let's Encrypt Authority X3 22:26 < Apachez> Issued On Monday, March 26, 2018 at 1:53:52 AM 22:26 < Apachez> Expires On Sunday, June 24, 2018 at 1:53:52 AM 22:27 < Apachez> anyone who recalls the name of that scriptbased networkdrawing thingy? 22:27 < Apachez> like visio but in text 22:27 < Apachez> and when you "compile" the textfile you have a nice png 22:28 < Dagger> and similarly, if you're doing a forward zone and have $ORIGIN set to example.com, and you try to do "@ NS ns.example.net" then it'll append example.com to both @ (producing example.com) and to ns.example.net (producing ns.example.net.example.com) 22:28 < Dagger> one of those you probably want. the other one, not so much 22:28 < Apachez> "not so much" :D 22:31 < {HD}> alright, that makes sense. 
I think I want to update my DNS to use the DNS of my vestaCP vps. I have my namecheap custom DNS pointing to ns1.digitalocean.com and ns2 etc. but I think I wanted to point it to the ip of my vps?... 22:33 < black_13_> is there 22:33 < Blueking> is this the right channel to ask about wifi networking? 22:33 < Apachez> Blueking: yes if you can answer my question first 22:34 < black_13_> Apachez it works through chrome great but i just realized that i have a really old version of wget 22:34 * Blueking doesn't know what the question is.. 22:34 < black_13_> all this is me building the gstreamer app from source 22:34 < Apachez> black_13_: I think wget will use your system CA list which is the same as chrome uses 22:35 < tds> {HD}: you can't have NS records that point directly to an IP - you'll need to set the records to a hostname (eg ns1.yourdomain.com), and then also add "glue" records (a/aaaa records in the parent zone) for the name server IPs 22:35 < Blueking> Apachez: what question ? 22:35 < tds> if you only want to have your domains resolve to the IP of your server, and not use the server as a name server, then you can just add a/aaaa records with your existing dns provider 22:36 < black_13_> https://pastebin.com/DKtR5RDD 22:37 < {HD}> tds: oh. I read about glue records recently. VestaCP creates 14 dns entries for mail and web and other stuff; would I copy all those to namecheap dns or would adding a glue to namecheap then also look at the vestacp dns? 22:38 < tds> I'm not familiar with vestacp - do you know if it acts as a name server itself, or just prints out a list of records for you to add? 22:38 < {HD}> Right now I have namecheap, digitalocean and vestacp involved and I don’t know what is doing what. 22:39 < {HD}> tds: I am under the impression it could be a name server 22:39 < {HD}> But I guess I should double check that. 
22:39 < tds> if you want to use it as a name server, you want to go down the route of setting your name servers to be something like ns1.yourdomain.com, and add glue records 22:40 < Blueking> I want to upgrade wifi in my house. Currently I am using two asus ac routers set in AP mode. question is: do wifi clients change to the AP with the strongest signal? I've googled and it seems some think the client doesn't do that.. ? using same ssid on both AP units 22:41 < {HD}> tds: I'll see what I can do. 22:41 < rr1993> Blueking, They should, depends on implementation on the client device 22:42 < Apachez> Blueking: anyone who recalls the name of that script-based network-drawing thingy? and when you "compile" the text file you have a nice png, like visio but in text and when you "compile" the text file you have a nice png 22:42 < rr1993> but i can imagine some sort of algorithm to prevent excessive switching between aps 22:42 < Blueking> rr1993: mesh wifi does this better ? 22:43 < azizLIGHT> i reset all my networking gear and i see this type of packet loss: https://imgur.com/a/b2ft8 22:43 < azizLIGHT> that is mtr 22:43 < rr1993> Blueking, i have no idea 22:45 < Blueking> :/ 23:17 < Blueking> has anyone tested asus' aimesh ? 23:26 < Apachez> at which RU (1 is bottom/floor and 42 or whatever height you might have is the top) do you prefer to place the kvm? 23:37 < wiresharked> djph: So is gigabit lite on ethernet adapters supposed to reduce latency? 
23:38 < SporkWitch> Apachez: if you find out the name of that tool, let me know; sounds handy 23:39 < Apachez> SporkWitch: graphvix 23:40 < Apachez> SporkWitch: graphviz 23:40 < Apachez> but now I found out nwdiag for python 23:40 < Apachez> and got a boner when I tried the rackdiag part :) 23:40 < Apachez> you write a small text file and it outputs in png, svg, pdf and what else :) 23:41 < SporkWitch> yeah, it sounded useful; no more manually plugging stuff in, i can just enter the descriptive information and get pretty output 23:48 < Apachez> no one with a rack enclosure close by with a kvm switch within? 23:48 < Apachez> I'm thinking what's the optimal location of the kvm switch in a rack, that is at which RU --- Log closed Sun Apr 15 00:00:45 2018