--- Log opened Sat Apr 21 00:00:52 2018
00:59 < cluelessperson> So get this
00:59 < cluelessperson> I can see a bunch of WAN mac addresses, I assume from other apartment goers
00:59 < cluelessperson> all fitting an IPv4 scheme
01:10 < CuriosTiger> cluelessperson: "apartment goers"?
01:10 < CuriosTiger> do you live in some sort of communal arrangement? :P
01:11 < cluelessperson> CuriosTiger: I live in an apartment complex. They have a fiber modem on the floor, and use like a 1G switch to distribute gigabit to each apartment
01:12 < cluelessperson> CuriosTiger: I'm apparently seeing other people's routers
01:12 < cluelessperson> and their public ips
01:16 <@pppingme> no such thing as a "fiber modem"
01:17 < lupine> well
01:17 < cluelessperson> pppingme: what would you call it?
01:17 <@pppingme> media converter
01:17 < lupine> it modulates the electrical data into light waves
01:17 < lupine> but shhhh
01:18 < cluelessperson> modulator
01:18 < cluelessperson> ---
01:18 < cluelessperson> So, I suspect the reason I'm seeing these other macs out there, is because I have my switch configured,
01:18 < cluelessperson> Port 1 "WAN / ISP UPLINK" Port 2 "WAN to GATEWAY"
01:19 <@pppingme> lupine thats kinda pushing it.. its not really modulating as much as lighting a light when there's a 1, and killing the light with a 0
01:19 <@pppingme> modem assumes to modulate to another medium, af, rf, etc..
01:19 < lupine> it's a modulation
01:20 < geokoh> why would somebody have a virtual machine created on their computer without their knowledge or ability to stop it?
01:20 < lupine> you can say "it's not much of one" as much as you like
01:21 < cluelessperson> geokoh: virtual machines can be tiny
01:21 < Maarten> cluelessperson, AT&T calls it an ONT, or Optical Network Terminal
01:21 < geokoh> does it mean they have been compromised for various reasons, or is that botnet at work?
01:22 <@pppingme> but it doesn't really ride over a different frequency, but rather is just a different representation of an identical signal
01:31 < geokoh> is it possible to tamper with somebody's connection, to make them think that their current provider is not very good in an effort to try to make you switch to another isp?
01:32 < geokoh> to send some type of a disrupting signals and such?
01:33 < lupine> sure
01:33 <@pppingme> you mean in a way that mountain cable won't get pissed at you and cut you off and hand it off to the fbi?
01:33 < lupine> highly illegal though
01:33 < lupine> especially if you're using RF, you are going to get *monstered*
01:33 < lupine> people take that very seriously and will deploy considerable resources to fuck you over
01:34 < geokoh> i get disruptions by another local company
01:34 < lupine> RF?
01:34 < lupine> a minute ago you didn't know if it was possible
01:34 < lupine> now you're claiming it definitely happens
01:34 < geokoh> im on a rural dsl type of connection
01:34 <@pppingme> describe how you're getting "disruptions"
01:34 < lupine> excuse me if I doubt you a little
01:34 < geokoh> well i suspect that is going on
01:35 < lupine> people often suspect things that aren't true
01:35 < geokoh> based on evidence that is recurring on youtube
01:35 < lupine> oh god
01:35 < geokoh> yes sir
01:35 <@pppingme> so your 1mbps circuit won't play youtube smoothly?
01:36 < geokoh> so, ill get watching something and, all of a sudden i get, a "disruption" or freezing in the video" then a subtle msg appears, saying
01:36 < CuriosTiger> cluelessperson: That's probably because the "fiber modem" is little more than an Ethernet switch.
01:37 < CuriosTiger> fiber vs copper are just different transmission media. It's all Ethernet.
01:37 < geokoh> little box appears that says, "experiencing disruption? find out why" and find out why is a link to another local cable provider, trying to sell me "HD"
01:38 < CuriosTiger> ....that just sounds like lame marketing.
01:38 < geokoh> i know right
01:38 < geokoh> very lame indeed
01:38 < geokoh> it will do it twice generally, and then i can continue watching in peace
01:39 < CuriosTiger> so...your concern is that this ISP is trying to tamper with your connection to your current ISP because they're showing you ads?
01:39 < geokoh> no
01:39 <@pppingme> Do the two isp's share L1?
01:40 < geokoh> my question is, is that other competitor, "bullying" me in sort of speak to try to make me switch to them
01:40 < lupine> nobody here knows their motivations
01:40 <@pppingme> probably not, your connection is probably crappy to start with, and you're reading too much into seeing an ad..
01:40 < geokoh> ok
01:40 < geokoh> thats fine
01:41 < geokoh> i just wondered if something like that would be technically possible in business
01:41 < geokoh> i know it sounds paranoid
01:42 <@pppingme> if they share L1, it might be
01:42 < geokoh> im on this line of sight dsl rural thing
01:42 < geokoh> i use little round dish to connect
01:44 < tds> if you can get advertising on a page about having connection issues, and target it towards an area where you know your competitors provide bad service, that's certainly a smart marketing move ;)
01:44 < tds> but I'd doubt they're actively interfering with your connection
01:44 < geokoh> but i think i might have physical obstacles in the line of sight
01:45 < geokoh> yuh well it might be smart, but still they are shit out of luck even if i could switch, there is no physical infrastructure to deliver service, because they dont own that tower that i connect to
01:46 < geokoh> it makes no sense to target me for sales, they cant deliver better product
01:46 < geokoh> its like you cant draw blood from tone
01:46 < geokoh> stone* lol
01:46 < localhorse> i have a http+websocket server running on laptop1 and i'm connecting to it from laptop2 (loading the webapp in chrome). it can fetch the html page just fine, but the WS connection ONLY works over my Lancom router, NOT over Linksys WRT 54G (tested both ethernet AND wifi) or TP-LINK MR3020 (wifi), for those i always get timeout for the WS connection. any idea why it doesn't work over those?
01:47 < CuriosTiger> Occam's razor says it's far more likely that your ISP just sucks than that their competitor is actively sabotaging them.
01:47 < localhorse> (Lancom ethernet router)
01:50 < geokoh> curioustiger: sure, they could be engaged in a ugly secret war of harassment, greed knows no bounds these days it seems, but i know i have limited connection speed due to technology atm
01:52 < geokoh> if something is invented that can penetrate physical objects to connect me to higher speed, then my problems might be over
01:53 <@pppingme> geokoh what speed were you "sold"? What speed do you see on reliable speed test sites?
01:53 < geokoh> weather really plays huge part in my connection and speed
01:53 < geokoh> im supposed to be on 1m
01:53 <@pppingme> 1m meaning one megabit per second?
01:53 <@pppingme> thats SLOW by any standard..
01:53 < geokoh> yes sir
01:53 < geokoh> agreed
01:54 <@pppingme> whats your isp say?
01:54 < geokoh> thats rural ontario
01:54 < geokoh> rural canada sucks for interweb
01:54 <@pppingme> wireless can achieve much higher and quite easily..
01:54 < geokoh> says i need high mast, or clear cut path of line of sight lol
01:54 < geokoh> higher*
01:55 <@pppingme> how high of a mast?
01:55 < geokoh> i am connecting over about 3.5 miles distance
01:55 < geokoh> my current height is about 5 ft
01:55 < zamanf> do you guys know any iptables equivalent for windows? like blocking different types of packets, define the size of the packets, etc?
01:55 < geokoh> sorry 50ft
01:56 <@pppingme> so you're at 50 foot and they want you higher?
01:57 < geokoh> yuh preferably since the trees are growing up around me
01:57 < forgotten> zamanf: iptables equiv of what? post an iptables rule you want the windows equiv of maybe?
01:57 <@pppingme> are they guaranteeing a higher mast will fix your issue?
01:57 < geokoh> i actually cut down some trees that were in the way
01:57 < geokoh> im thinking it might
01:58 < geokoh> it helped me a bit, but there is still some in the way
01:58 <@pppingme> generally, its all or nothing... if you've got a stable connection now with minimal packet loss, its unlikely a higher tower will help
01:58 < geokoh> i know
01:59 < geokoh> i could extend my current one by sliding another chunk underneath the old one by maybe 20 ft, for fairly low price
02:00 <@pppingme> if you have enough land, and all you're supporting is a single antenna, it'd be easy to get you higher, but the real question is if that would help
02:00 < geokoh> im just using an old TV aerial mast to hang my internet receiver on it
02:01 < Spice_Boy1> pppingme: fresnel zone
02:01 < geokoh> well i might find an old piece of tower somewhere, lot of people are getting rid of theirs these days, the cost isnt the problem with that
02:02 < Spice_Boy1> if you can get up higher away from the crap, then it would be better
02:02 < Spice_Boy1> RF line of sight is not the same as visible line of sight
02:03 < geokoh> hmm ok
02:03 <@pppingme> true, but he hasn't indicated he's in a hole or on top of everest..
02:03 < geokoh> i know the tower i connect to sits in a lower elevation than i do
02:04 <@pppingme> how much lower?
02:04 < geokoh> about 100 ft
02:04 < Spice_Boy1> don't Canadians use metric?
02:04 < geokoh> i was trying to chart it
02:04 <@pppingme> Spice_Boy1 they're mixed. half metric, half normal
02:04 < Spice_Boy1> metric is normal pal
02:04 < geokoh> i was using google earth elevation chart and the
02:05 <@pppingme> Spice_Boy1 for rough reference, just over 3 feet is a meter
02:05 < Spice_Boy1> I know, but can't really think quick unless metric
02:05 < geokoh> lol
02:05 < Spice_Boy1> cbf converting
02:05 < Spice_Boy1> is it low or high?
02:05 < Spice_Boy1> it won't have to be super high
02:06 < Spice_Boy1> on another note, I got my librenms application working
02:06 <@pppingme> is that the stuff to query your power stuff?
02:06 < Spice_Boy1> yeah
02:06 < Spice_Boy1> works nicely
02:06 <@pppingme> sweet
02:06 < Spice_Boy1> I'll PM you and you can see it
02:08 < geokoh> one more question i have about viewing windows task manager networking graph
02:09 < Spice_Boy1> pppingme: check your PM
02:11 < geokoh> i am monitoring local area connection, how should a stable connection look? should it show a percentage of network utilization as smooth line? or is it normal to see fairly jaggy picture?
02:12 < tds> Spice_Boy1: out of interest, what are you using to monitor power with librenms, managed PDUs with snmp or something?
02:12 < Spice_Boy1> tds: Powerwall via HTTP api, and custom librenms SNMP app on a linux box
02:13 < zamanf> forgotten, an example: iptables -A INPUT -p udp -s 1.2.3.4 -m length --length 89:1000 -j DROP
02:39 <+imMute> ugh, stupid problem at work today. 8 SG200s connected to a single SG500 with 2 connections each. the pairs are in LAG groups. from computer A (connected to the 500) I could ping half the 200s, from computer B I could ping the other half.
02:40 <+imMute> spent an hour trying to diagnose "failures" before I noticed that the other system could access the other half. figured it had something to do with the LAG groups - disconnected one of each pair and everything works perfectly.
02:40 <+imMute> oh, and the 500 is replacing an old netgear something or other, which was working fine with the LAG groups. I need a drink now.
02:41 <+imMute> but if any cisco guys are around, I'd love to hear ideas on what was going on.
03:33 < stan7> i can't open port 80 from my router, i dont know why, im on kali linux, and i wanna run apache server from public ip
03:33 < stan7> i already tried many things, do you know why?
03:34 < dogbert2> your ISP could be blocking port 80 inbound
03:34 < stan7> and how can i fix it?
03:34 < dogbert2> you'll need to port forward something like to port 80 in your router...
03:34 < xamithan> Use another port ?
03:35 < stan7> good options
03:35 <+imMute> could also be double-NAT'd
03:35 < stan7> but if i open another port
03:35 < dogbert2> I port forward on my dlink, and have a hostname via NOIP.com (DDNS)
03:35 < stan7> how can i make apache run on another port than 80?
03:35 < xamithan> Change the port in the config
03:35 < dogbert2> change the listen port to something else, like 8080?
03:35 < dogbert2> in apache2.conf or ports.conf
03:36 < stan7> thanks a lot
03:36 < stan7> i will try
03:36 < stan7> thank you so much
03:36 < xamithan> Or the $vhost.conf
03:36 < xamithan> Might want to make sure kali isn't running a firewall too
03:37 < stan7> thanks a lot
03:38 < SporkWitch> xamithan: IIRC, kali defaults to no firewall, but it also used to default to no network unless you explicitly tell it to connect
03:39 < xamithan> People follow tutorials all the time without knowing what they are doing, it wouldn't surprise me if a firewall was enabled
03:39 < SporkWitch> xamithan: i mean, the real first warning sign was "kali linux"
03:40 < xamithan> Kali is a good OS
03:40 < SporkWitch> for its intended purpose, yes; the problem is 9 times out of 10 if you see a question about it, they're not using it for that lol
03:41 < xamithan> True, I don't see any scenario where running a webserver out in the internet using kali is a good idea
03:42 < SporkWitch> xamithan: depends on your definition of good idea; more accurate to say LEGITIMATE
03:44 < stan7> Port 8080 is closed.
03:44 < stan7> still same
03:44 < xamithan> Can you hit the port from within your network from a different computer ?
03:44 < stan7> when i nmap 127.0.0.1 i get this 8080/tcp open http-proxy
03:44 < SporkWitch> stan7: 1) what are you trying to do and why are you using kali for it, 2) post the output of iptables -S, 3) make sure port forwarding is configured correctly on the router and the host has a static IP
03:44 < stan7> problem is the router
03:45 < stan7> im new in networking, i just wanna open my http server from public ip not internal
03:45 < xamithan> I'm going to take a wild guess and say your forwarding isn't setup correctly
03:45 < SporkWitch> stan7: 1) what are you trying to do and why are you using kali for it, 2) post the output of iptables -S, 3) make sure port forwarding is configured correctly on the router and the host has a static IP
03:45 < stan7> maybe i didnt do correctly the port forwarding because its my first time
03:46 < xamithan> Maybe look up your model router on portforward.com and check if you are doing it right
03:47 < stan7> what is iptables? its the linux firewall?
03:47 < Demos[m]> sortof
03:48 < SporkWitch> ...
03:48 < Demos[m]> it's one of the many interfaces that can allow firewalls
03:48 < xamithan> Its a frontend for netfilter
03:48 < Demos[m]> yeah
03:48 < SporkWitch> stan7: let's start over. First, download a debian or centos ISO, now install that over your kali install
03:48 < stan7> is not a kali good os?
03:49 < xamithan> Its a good livedisc for when you are pentesting
03:49 < xamithan> Using it as a desktop or web server? no way
03:49 < SporkWitch> stan7: it's a great TOOL, but it's not for your usecase, and it's DEFINITELY not something you should be using when you have to ask what iptables is
03:49 < stan7> or maybe kali has something like firewall that dont let me open ports
03:49 < stan7> lol
03:49 < stan7> you are right sporkwitch
03:49 < stan7> i wanna learn
03:49 < xamithan> Throw on Ubuntu
03:49 < xamithan> It has the most guides made for it
03:49 < stan7> lol ubuntu?
03:50 < Demos[m]> fwiw I like firewalld for my firewall management needs
03:50 < stan7> so i should start with ubuntu?
03:50 < xamithan> Until you know what iptables is, probably
03:50 < stan7> how can i learn more about networking guys?
03:50 < Demos[m]> it really, really doesn't matter that much
03:50 < stan7> reading books?
03:51 < xamithan> Take the CCENT|CCNA exams
03:51 < stan7> i really wanna learn
03:51 < xamithan> That'll learn you a lot about networking
03:51 < SporkWitch> stan7: doesn't matter much, but debian and centos are the ones you'll most likely encounter in the enterprise (more RHEL than centos, but they're fundamentally the same)
03:51 < stan7> how about debian is good option?
03:51 < stan7> so i will download debian i try with it
03:51 < Demos[m]> oh guys: realtalk, implement backups for our storage arrays (offsite and incremental). What have people had good experiences with
03:51 < xamithan> Its a good option but it doesn't do as many newbie friendly things for you like ubuntu
03:52 < SporkWitch> Demos[m]: rsync is the usual go-to
03:52 < stan7> so ubuntu
03:52 < stan7> i will download it
03:52 < xamithan> Doesn't matter really, ubuntu is based on debian
03:52 < stan7> thanks a lot for your help
03:52 < SporkWitch> stan7: depends on how you learn. if you like to procrastinate or take shortcuts, you probably won't learn much with ubuntu, since you'll just use the do-it-for-me tools
03:52 < stan7> reading books is good way to improve?
03:53 < xamithan> Labbing is the way to improve, like you are trying to do now
03:53 < Demos[m]> yeah I'm thinking about borg, and maybe something like btrbk
03:53 < Demos[m]> one issue is that some of our storage arrays have kernels with very incompatible btrfs implementations, so we can't use send/recv to really replicate
03:54 < dogbert2> burp
03:54 < Demos[m]> also we're talking on the order of 100-200TB for a full copy of everything
03:54 < SporkWitch> Demos[m]: this is why you do delta and incremental backups, not full copies
03:54 < xamithan> How do you even migrate something like 200TB of data to a new system =/
03:55 < Demos[m]> right, but just poking around to figure out the incremental copy can be rough
03:56 < Demos[m]> our real problem is that a lot of it is on synology boxes and they are very, very slow and extremely buggy
03:58 < dogbert2> dang, that ain't home use stuff :)
04:13 < Demos[m]> yeah not a big fan of synology
04:24 < Demos[m]> OK another question: IdP servers, I'm looking at keycloak and it looks completely insane with all the clustering and caching? Also the distribution is just "download and run this bash script" am I missing something here?
04:25 < Demos[m]> is this really the best supported FOSS SAML and OAuth provider?
05:08 < fareast> anyone around to discuss pci compliance
05:09 < fareast> I ran a makeshift subnet today.
05:09 < fareast> just want to know your thoughts on it all.
05:10 < fareast> been a while since I did one.
05:21 < stan7> im already in ubuntu and still same problem Port 8080 is closed.
05:22 < linux_probe> poopbuntu
05:23 < SporkWitch> stan7: still need to set a static IP and correctly configure port forwarding
05:34 < linux_probe> lawlz
05:34 < linux_probe> https://imgur.com/gallery/tmidV9L
05:35 < stan7> im checking and i correctly configure port forwarding
05:35 < stan7> i already tried with 8080 port
05:40 < stan7> nothing related with this right? DMZ Settings
05:44 < jvwjgames> I have a question I have a router that has a WAN ip of 162.220.209.34 and on the lan side i have an ip of 162.220.209.51 i thought static public ips aren't supposed to be natted so how do i get the ip 162.220.209.51 to be visible from the outside world cause i can ping tracert and goto it directly but a licensing server sees the ip as 162.220.209.34
05:45 < jvwjgames> and making a DMZ just breaks all other servers
05:46 < SporkWitch> 162.220.209.51 isn't on the route from the outside to the inside; it is from the inside to the outside
05:47 < SporkWitch> (traceroute shows you the nodes you send to, not what they send from)
05:47 < stan7> SporkWitch: what do you mean with static ip?
05:47 < stan7> i already checked and its correctly port forwarding configured
05:47 < SporkWitch> stan7: https://lmgtfy.com/?q=static+ip
05:47 < jvwjgames> all those ip's are public static ip's
05:47 < jvwjgames> and would 1-1 NAT work
05:48 < stan7> i know what it is but i mean... its nothing about the port is closed, or it is?
05:48 < SporkWitch> stan7: if you don't have a static ip, you have no guarantee the host's IP won't change
05:48 < jvwjgames> i do have a static ip
05:48 < stan7> i was thinking to use no ip
05:49 < stan7> for that
05:49 < SporkWitch> jvwjgam44: if the static IP comment were directed at you, i would have highlighted you; you are not the only person in this channel asking questions
05:49 < jvwjgames> anyway would 1-1 NAT work
05:49 < SporkWitch> stan7: the host needs a static IP for port forwarding
05:50 < jvwjgames> cause the Cpanel servers are seeing the .34 as the WAN ip which is incorrect
05:50 < stan7> so if i have not static ip i can not port forwarding?
05:50 < SporkWitch> jvwjgam44: any form of NAT will give the results you described; unless you're routing WITHOUT NAT, then the origin seen from outside is the WAN IP
05:50 < SporkWitch> stan7: sure you can, as long as you update the port forwarding every time the host changes IP
05:50 < stan7> i got it
05:50 < SporkWitch> stan7: which is dumb, so set up the damn port forwarding like we've told you repeatedly for the past 3 hours
05:50 < SporkWitch> stan7: and static ip
05:50 < stan7> i have to pay for static ip, right?
05:51 < jvwjgames> yes stan7
05:51 < jvwjgames> your ISP will be able to give you a static ip for a fee
05:51 < SporkWitch> stan7: not on your LAN, and most consumer ISPs won't offer you a static even if you offered to pay
05:51 < jvwjgames> correction some Residential ISP's
05:51 < SporkWitch> jvwjgam44: most consumer ISPs don't offer static unless you upgrade to a business plan, which often triples the price
05:52 < jvwjgames> my ISP CenturyLink does
05:52 < SporkWitch> i'm not aware of centurylink doing business with individuals...
05:53 < skyroveRR> I think jvwjgames has contacts high up
05:53 < skyroveRR> ;)
05:53 < SporkWitch> skyroveRR: more likely it's like where i work: we don't do business with individuals, but some of our customers only have 2 or 3 employees
05:54 < stan7> thanks for your help guys
05:54 < skyroveRR> SporkWitch: which ISP do you work for?
05:55 < skyroveRR> I mean... if it is fine for you to answer....
05:55 < SporkWitch> skyroveRR: i work for a voip company, not an ISP, though we do business with some ISPs to provide our customers dedicated connections for the phones (not allowed to share which carriers we do business with)
05:55 < stan7> i will get static ip but for now its not good i can not open the port, it has to be something about port forwarding configuring
05:55 < stan7> i will keep trying
05:55 < skyroveRR> stan7: that's the spirit!
05:55 < stan7> lol
05:55 < stan7> how do you do guys when you can not fix something?
05:56 < stan7> i mean i like computers just for fun
05:56 < SporkWitch> i don't do guys
05:56 < stan7> but when you need to fix it
05:56 < skyroveRR> SporkWitch: lol
05:56 < daishun> A device on my LAN keeps sending ARPs asking who has 192.168.000.003, tell 0.0.0.0. That's its own
05:56 < daishun> .. own IP. Why is it doing this?
05:57 < SporkWitch> daishun: https://lmgtfy.com/?q=gratuitous+arp
05:57 < SporkWitch> (also, one traditionally removes leading zeros)
05:59 < jvwjgames> what is spanning tree protocol
05:59 < skyroveRR> Google it.
06:00 < jvwjgames> isn't that for switches
06:00 < SporkWitch> jvwjgam44: https://lmgtfy.com/?q=what+is+spanning+tree+protocol
06:00 < stan7> i tried to do nmap to my public ip and i got message its filtered
06:00 < stan7> maybe its because my isp is blocking
06:00 < stan7> not my router
06:00 < stan7> could be?
06:00 < stan7> should be good idea to call to my isp and ask about it?
06:00 < skyroveRR> stan7: you don't have a static IP. Stop worrying and GET ONE.
06:00 < stan7> ok, i will
06:00 < stan7> thanks
06:00 < SporkWitch> stan7: 1) newlines are not a substitute for punctuation, don't spam; 2) they might, and they probably won't, because most consumer ISPs prohibit hosting servers on your LAN
06:01 < SporkWitch> skyroveRR: that's not his problem; he can't figure out how to set up port forwarding in the first place
06:01 < skyroveRR> Ohh.
06:01 < skyroveRR> The man will learn. :)
06:02 < SporkWitch> skyroveRR: remains to be seen
06:03 < jvwjgames> ok
06:04 < jvwjgames> STP is for switches
06:14 < daishun> I read about gratuitous arp but nothing explains why this device is sending the same one every second, non stop.
06:23 < SporkWitch> daishun: what OS is the host running?
06:28 < daishun_> I don't know what this device it. I use a shared LAN.
06:28 < daishun_> is*
06:29 < daishun_> MAC address says its Shenzhen, all I know.
06:30 < daishun_> Maybe giving it a static IP will make it shut up?
06:31 < SporkWitch> reread the article on gratuitous arp if you think that lol
07:08 < winsoff_> If someone starts an ISP, how do they get IP addresses to give to clients?
07:15 < rewt> they get them from a rir
07:15 < winsoff_> So they register as an AS with the RIR? Does this cost money?
07:16 < rewt> probably
07:20 < what_if> If I use a protocol, that is IP, but not TCP or UDP... will it traverse the internet OK ?
07:23 < Emperorpenguin> Yes what_if
07:27 < MACscr> can i do multiple out-interfaces with iptables? trying to give my vpn access to a vlan as well. right now im using this https://paste.debian.net/1021300/
07:28 < MACscr> but wanted to add vlan30 as well
07:28 < SporkWitch> sure
07:28 < rewt> what_if, there's plenty of protocols other than tcp and udp flowing around out there
07:35 < MACscr> SporkWitch so i just do -o eth+,vlan30?
07:37 < acresearch> people i have been trying to understand how cisco anyconnect works in order to make it work on openconnect (my university has changed their vpn setting and it no longer works with openconnect), i think i need a certificate + private key + passphrase i found the certificate and the private key but still looking for the passphrase, anyone can help understand where to look for it? how does it look like?
07:41 < MACscr> ugh, that didnt work. hmm
07:45 < MACscr> nvm, got it working
09:42 < weyland|yutani> acresearch, https://crashcourse.housegordon.org/OpenConnect.html
09:48 < acresearch> hey weyland|yutani
09:50 < acresearch> weyland|yutani: well, i have used openconnect before on the same VPN. but then they changed the settings from the university (which is why i am in this situation), i managed to find the certificate and A private key that when i use both in OpenConnect it prompts me for a PEM Passphrase,,, i am looking for it, but not sure where to look or how it looks like (file or string etc...)
09:51 < Kado> hi. I have a problem. SYN ACK is absent after SYN. tcpdump is showing only incoming SYN. I use linux/docker/swarm/wireguard. I want to know how to really debug this. Thanks
09:54 < applegal> my network is down when system goes to sleep.. and I always have to restart my modem to regain network... I don't have this problem when connecting my modem to my router, do you think my modem does not have the capability to auto config dns/ip when system goes to sleep/
09:55 < detha> Kado: check your firewall rules
09:56 < linux_probe> failwall
09:56 < Kado> detha: I'm doing tcpdump inside of container. There is no iptables rules inside, it seems i should be able to see response
09:57 < Kado> Also there is no drop rules on machine
09:57 < detha> Kado: does the container have a route back to where the SYN is coming from?
09:57 < Kado> I can ping both containers where i make tcp connections
09:58 < Kado> they see each other. ICMP is working, but not tcp. It is frustrating
09:59 < detha> Are you sure something is listening on that port? Also, are you using tcpdump -iany ?
10:00 < Kado> Yes.
10:00 < linux_probe> lol
10:02 < Kado> I know trying to debug through strace. When I make curl request to that container where netcat is running on port 8080. Nothing is happening. So it seems even SYN packet is not getting inside process(socket?)
10:03 < slickerjet> this is going to sound like a dumb question but i dont know what keywords to google, can i plug in 2 cables into 2 ports on a dumb unmanaged netgear switch to get 2 x 1gbps total throughput?
10:03 < slickerjet> i dont need 2gbps, i need 2 x 1 gbps
10:03 < slickerjet> i dont have SFP+ or SFP :(
10:04 < detha> As far as I know, that part of the linux stack is optimized so userland doesn't see anything until 3-way has completed
10:04 < detha> slickerjet: probably the answer is 'no'.
10:04 < slickerjet> bummer, can you expound on the probably part?
10:05 < slickerjet> i am going to use a 6 port pfsense appliance, wan 1 and wan 2 are going to be at&t and comcast, i was trying to get it so any 2 machines on the network can use up to 1gbps x 2
10:05 < Apachez> slickerjet: then buy one (or two) from fs.com ?
10:05 < slickerjet> well i dont have any 'enterprise' grade gear that supports sfp+
10:06 < slickerjet> just a pfsense appliance, and some dumb unmanaged switches, this is to try to get the best usage out of my gigabit comcast and gigabit at&t
10:06 < slickerjet> i have a peplink multi wan router - peplink balance one, but it only does 600mbps, nowhere near the 2 x 1gbps max possible speeds
10:07 < cousin_luigi> Greetings.
10:07 < slickerjet> i was thinking about trying my USG-Pro-4, but that wouldnt be limited to 1gbit total, i was thinking a pfsense appliance might work, just gotta figure out how to connect to the switch w/ 2 connections/ports, so i can get 2 x 1gbps
10:07 < slickerjet> im open to ideas
10:07 < cousin_luigi> What's the story with eBPF and linux?
10:07 < cousin_luigi> What's going to become of nftables?
10:25 < Apachez> slickerjet: then buy a ubiquiti xg-16 ?
10:26 < Apachez> 16 x SFP+
10:26 < Apachez> $550
10:26 < slickerjet> i just googled that, it's a little overkill for me
10:27 < slickerjet> i have only 6 cat6 drops in my apartment, terminated to a 8 port punch down
10:27 < slickerjet> wan1 is comcast @ 1gbit, and wan2 is at&t @ 1gbit
10:28 < slickerjet> if i get that xg-16, i can then get a switch that uses SFP+ to plug the 8 port punchdown stuff into, SFP+ from that switch into the XG-16, and then i guess wan1 and wan2 into 2 of the 4 RJ45 ports on the XG-16, right?
10:29 < slickerjet> oh wait xg-16 is only a switch, so i still need a router
10:31 < slickerjet> i was thinking of a 6x1g port pfsense appliance off amazon.com, 2 of those would be for wan1 and wan2, then two of the remaining four go into a netgear dumb switch, and then from the dumb switch plugged into the 6 cat6 drops
10:32 < slickerjet> im trying to see if that would work, like the two ports from switch -> two ports to pfsense appliance, would increase the throughput to 2 x 1gbps, i know i wont get 2gbit, i just wanna see if i can get 2 x 1gbit
10:32 < slickerjet> so two separate machines can max out 1gbit each
10:43 < Apachez> well you can get more drops if you get the proper gear :)
10:43 < slickerjet> i cant run any cables in my apartment :(
10:43 < slickerjet> just a renter :(
10:44 < Apachez> use this if you need a 10G router https://www.ubnt.com/edgemax/edgerouter-infinity/
10:44 < Apachez> or this if you are fine with 1G https://www.ubnt.com/edgemax/edgerouter-pro/
10:45 < Apachez> or this if you want fanless https://www.ubnt.com/edgemax/edgerouter-6p/
10:45 < slickerjet> i dont think the fanless will work, cuz SFP is just 1gbit right?
10:46 < Apachez> lets recap
10:46 < slickerjet> that means the switch i plug it into will be limited to 1gbit, which means 2 separate machines would not be able to hit 1gbit each download
10:46 < Apachez> whats the minimum you need?
10:46 < Apachez> you want 10G at home?
10:46 < Apachez> then use this as router:
10:46 < Apachez> https://www.ubnt.com/edgemax/edgerouter-infinity/
10:46 < slickerjet> i have wan1 @ 1gbit from at&t and wan2 @ 1gbit from comcast. i have 6 cat6 drops in my apartment. i want to be able to have at least 2 different machines max out each internet
10:46 < Apachez> and this as switch:
10:46 < Apachez> https://www.ubnt.com/edgemax/edgeswitch-16-xg/
10:47 < Apachez> and then you get the RJ45/MMF/SMF SFP/SFP+ from www.fs.com
10:48 < slickerjet> the edgerouter infinity doesnt have 2 RJ45 connections, unless im misunderstanding something, and the 16-xg doesnt have the RJ45 in quantity that i need
10:48 < slickerjet> the wan1 and wan2 from at&t and comcast are rj45
10:49 < slickerjet> also, i dont know if im well versed enough in networking to use edgerouter, i have used USG-Pro4 before, and i like pfsense since it has a gui
11:11 < hetii> Hi
11:11 < hetii> I have such script: https://pastebin.ca/4017403 that use namespaces. The point is that from host I want to be able to telnet to service that bind inside ns2 so 11.11.11.2
11:12 < hetii> so on ns2 I run nc -l -p 1234 and on host: telnet 10.10.10.2 1234
11:16 < hetii> btw I need to go outside so please leave answer on my priv, thx :)
11:21 < Apachez> slickerjet: you get a SFP+ with RJ45
11:22 < Apachez> https://www.fs.com/c/customized-sfp-plus-2874
11:22 < Apachez> https://www.fs.com/products/66617.html
11:46 < ShalokShalom> which bandwidth measurement do you use when your goal is to distinguish between two video resolutions to send?
11:46 < at0m> kbps ?
11:46 < ShalokShalom> so, eg I want to decide if my 720p stream or the 480p one is more suitable - which tool do you use?
11:47 < trae32566[w]> your eyeballs
11:47 < trae32566[w]> test from a remote machine or whatever
11:47 < ShalokShalom> for each file individually?
11:47 < ShalokShalom> I mean to automate the task
11:47 < ShalokShalom> like youtube does
11:49 < trae32566[w]> oh, yeah... good luck with that. It's gonna be complicated depending on how the video is being sent, but it would probably need to have at least both latency and bandwidth measurements. I have no idea how youtube does it though.
11:49 < Apachez> lets start this saturday with some cableporn :) https://imgur.com/gallery/odcMSQc 11:50 < trae32566[w]> I'm sure there are software packages to do what you want 11:50 < trae32566[w]> also, why host video? Is a CDN not feasible? 11:51 < trae32566[w]> really the only time you want to host something like that is if a CDN isn't feasible, or you have tons and tons of infrastructure in many locations 11:54 < ShalokShalom> I probably do it with dtube, thanks 11:56 < ShalokShalom> ? 11:56 < ShalokShalom> sry, typo 12:09 < realbadhorse> what would be better/safer for static file hosting for a semi-experienced person? ftp or auto-indexed nginx? its going to be a public server 12:11 < trae32566[w]> a CDN 12:11 < trae32566[w]> I mean really that's 99% configuration dependent as far as just those two, but seriously, consider a CDN. 12:11 < realbadhorse> huh? no idea how to do so 12:12 < realbadhorse> ill be hosting it from home with a broken laptop running gentoo 12:15 < realbadhorse> its supposed to be pretty small scale so idk if i really need a cdn trae32566[w] 12:21 < redrabbit> ftp, really? 12:22 < redrabbit> its fuckin' annoying to get running and deprecated 12:41 < ShalokShalom> I guess hard he means sftp 12:43 < ShalokShalom> or she 13:24 < aaa_> hi 13:38 < zamanf> hi guys, do you know of any firewall for windows7 that does this? iptables -A INPUT -p udp -s 1.2.3.4 -m length --length 10:100 -j DROP ? 13:56 < trae32566[w]> you mean like Windows Firewall? 14:01 < zamanf> any firewall 14:05 < trae32566[w]> Windows Firewall is built in. 14:06 < zamanf> sure it is, but is it capable of doing this task? 14:06 < detha> no 14:08 < zamanf> is it possible at all under windows? 14:09 < detha> Nothing is impossible. Worst case you'd have to replace most of the windows stack with your own, but impossible? No. 14:09 < zamanf> I see 14:09 < detha> Infeasible? Probably yes.
14:10 < zamanf> maybe then I should get a router that supports iptables 14:10 < zamanf> do you guys have any experience with edgerouter? I am thinking of using it again 14:11 < trae32566[w]> I do, but I don't know if it'll do that sort of filtering 14:11 < zamanf> I remember it runs a linux os that supports iptables 14:11 < zamanf> I Will have to check again 14:11 < trae32566[w]> yes, but that's a very bad idea 14:11 < trae32566[w]> a very *very* bad idea 14:11 < zamanf> why? 14:12 < trae32566[w]> because it runs an OS that manages iptables for you, and by modifying it, you're screwing with everything. It's not supported, and it will break things. 14:12 < trae32566[w]> also, because it's not that simple. There are multiple chains and tables in play 14:13 < trae32566[w]> you need to actually understand everything going on, and that can get complicated with something like zone based firewall 14:14 < zamanf> my rule aims on a specific IP address, how this would mess with the rest? 14:15 < detha> zamanf: because the tools managing the firewall don't expect rulesets to change, unless they are the ones doing it. 14:15 < trae32566[w]> and on top of that, who says INPUT is the chain being used? 14:15 < Arpanet69> zamanf, what does your iptables statement do? 14:16 < trae32566[w]> Arpanet69: check the manual, it checks for packet length 14:16 < zamanf> Arpanet69, iptables -A INPUT -p udp -s 1.2.3.4 -m length --length 10:100 -j DROP 14:16 < Arpanet69> lol am not gonna check a manual for iptables :D just wanted to explain in plain english 14:16 < trae32566[w]> Arpanet69: https://www.netfilter.org/documentation/HOWTO/netfilter-extensions-HOWTO.html#toc3.7 14:17 < aaa_> openvpn over openvpn is possible ?
14:18 < trae32566[w]> that's a terrible idea 14:18 < aaa_> lol 14:18 < Arpanet69> trae32566[w], think you should leave there only bad ideas here 14:18 < Arpanet69> :) 14:18 < trae32566[w]> Arpanet69: someone has to say they're bad ;) 14:19 < trae32566[w]> would you rather me let them do it, and encrypt traffic inside an encrypted tunnel? good idea, go ahead. 14:19 < trae32566[w]> not like there will be any MTU decrease, or any encryption overhead or anything >.> 14:20 < Arpanet69> zamanf, you can do the same thing with windows firewall with powershell you can be very granular. 14:20 < trae32566[w]> I don't think you can do it based on packet length 14:20 < aaa_> ok ok 14:24 < Arpanet69> trae32566[w], youre right it has a lot of options but packet length is not included 14:25 < trae32566[w]> yeah, I don't even know if iptables does that by default, it's a module, so I dunno if EdgeOS would even include it 14:25 < trae32566[w]> one sec, I can check 14:26 < Arpanet69> better go for mikrotik 14:26 < trae32566[w]> Arpanet69: zamanf https://paste.fedoraproject.org/paste/0Wozu3yyoP99IlM5Eh4ryQ 14:26 < Arpanet69> or pfsense 14:26 < trae32566[w]> that was an EdgeRouter running 1.10.2 14:26 < trae32566[w]> so no, it doesn't have the required length module from what I can see. 14:27 < trae32566[w]> Arpanet69: I doubt Mikrotik will have it either, but maybe. 14:27 < trae32566[w]> pfsense. .. no idea 14:27 < trae32566[w]> that's such a weird thing to filter by 14:30 < qman> EdgeOS is debian underneath, so it's probably the easiest one to add custom stuff to 14:30 < djph> ^ 14:31 < djph> although, it can be finicky (downside of oldstable) 14:31 < trae32566[w]> djph: 2.0 is scheduled for mid-may 14:31 < djph> trae32566[w]: yeah, but last I saw they weren't moving to stable. 14:31 < trae32566[w]> isn't mikrotik BSD underneath?
14:32 < djph> although, I could've skipped right over that comment 14:33 < trae32566[w]> I know they're incrementing a release 14:33 < trae32566[w]> no idea to what, I don't follow debian at all. 14:34 < djph> trae32566[w]: oh, so they are moving up a Debian release as well? 14:34 < trae32566[w]> AFAIK yes 14:34 < djph> good news then. 14:34 < trae32566[w]> from what I understand that means new kernel 14:34 < trae32566[w]> maybe they'll implement all the missing crap. 14:35 < detha> trae32566: mikrotik is linux/iptables underneath 14:35 < trae32566[w]> ahh. 14:36 < qman> the reason I say it's probably the easiest is you can literally install stuff from mainline debian with apt 14:36 < sysfault> is verizon fios 10/100 faster than cable 10/100? i know cable connections are shared as opposed to a dsl connection 14:36 < qman> it's a step further than just a linux kernel 14:36 < djph> sysfault: no 14:36 < sysfault> which has its own loop to the multiplexer, etc 14:36 < djph> sysfault: 100/10 is 100/10 14:37 < sysfault> so realistically they both cap out at the same speed? 14:37 < djph> assuming you're talking about "plans" offered by the ISP 14:37 < sysfault> yes i am 14:37 < sysfault> however cable seems to lag in the afternoon and night when usage is rampant 14:37 < djph> sysfault: close enough in any event. One may top out at 110 and the other at 105, depending on how they're "limiting" you to 100m.
14:37 < qman> they work the same way, but whether or not the network is overloaded is regional and ISP dependent 14:38 < djph> ^ 14:38 < sysfault> i see 14:38 < qman> if the ISP is oversubscribed, then they're oversubscribed 14:38 < sysfault> i know dsl connections have their own path to the ISP 14:39 < sysfault> unlike shared cable 14:39 < djph> "their own path" 14:39 < djph> it's only to the DLSAM 14:39 < trae32566[w]> ^ 14:39 < sysfault> i see 14:39 < djph> *DSLAM 14:39 < trae32566[w]> it still gets oversubscribed from there 14:39 < trae32566[w]> (most likely) 14:39 < qman> the physical wire isn't that important either, because the ISP itself still needs to combine the traffic into a bigger pipe to uplink 14:40 < sysfault> man im reading the introductory text you guys suggest and tanenbaum is everywhere in that darn book. it doesnt seem to have any organization 14:40 < qman> regardless of the technology used that remains the same, so if they have too many people connected to a given uplink, it will be slow during busy times 14:40 < sysfault> i want to read it before diving into my synbex ccna study guide 14:40 < detha> sysfault: oversubscription generally happens further upstream. last-mile is seldom badly oversubscribed 14:40 < CuriosTiger> if you had asked me 15 years ago, I would have thought DSL would win the residential Internet wars. 14:40 < sysfault> because i need a general networking education before i decide to do so but that tanenbaum book isnt the easiest 14:40 < djph> detha: except in TWC-now-Spectrum land 14:40 < CuriosTiger> cable has scaled better than I thought it would. 14:40 < CuriosTiger> still asymmetric, but for residential users, that doesn't really matter. 14:41 < CuriosTiger> it's a bit more of an issue for business, but cloud hosting fixes much of it.
14:41 < trae32566[w]> djph: I never have issues with TWC throughput or latency 14:41 < trae32566[w]> I pay for 300 x 20, get 350 x 25 14:42 < djph> trae32566[w]: must be a regional thing then - they *sucked* once school let out here. 14:42 < djph> .... but AT&T rolled out fiber, and now TWC is playing "please come back, we'll charge you 3x as much for 1/3 of what you get from the other guys" 14:42 < trae32566[w]> that' 14:43 < trae32566[w]> *that's odd 14:43 < djph> that's sales drones for you. 14:43 < trae32566[w]> because here, AT&T asks for $59 / month for like 3mbit, and I pay $79 for 300 x 20 14:43 < sysfault> i was thinking about paying for a gigabit connection but only one of my systems has a gigabit controller in it 14:43 < sysfault> so i decided not to 14:43 < trae32566[w]> I could actually use gigabit. 14:43 < trae32566[w]> >.> 14:43 < djph> trae32566[w]: read it again -- rolled out *fiber* 14:43 < qman> so could I 14:43 < trae32566[w]> djph: yeah, so? They have caps. 14:43 < qman> unfortunately I'm stuck with a terrible cable connection 14:43 < trae32566[w]> very low caps. 14:44 < trae32566[w]> IIRC it's like a 1TB cap 14:44 < trae32566[w]> actually I think 500G 14:44 < djph> trae32566[w]: 1TB if you don't also get uverseTV, or pay $20 14:44 < trae32566[w]> every 100GB over is like +$10 14:44 < trae32566[w]> yeah that's fucked 14:44 < djph> we opted for TV; $18 for the package, and no cap 14:45 < trae32566[w]> v6? 14:45 < djph> possible, but I haven't had a real need to go to v6, so I don't care 14:45 < sysfault> can anyone recommend a true introductory networking text 14:45 < sysfault> or should i stick with tanenbaum 14:45 < djph> sysfault: tanenbaum 14:45 < sysfault> and take my time 14:46 * sysfault falls out 14:46 < djph> trae32566[w]: I mean, I turned it on, and I suppose it's running dualstack, but honestly I really don't care enough to really get into it. 
14:49 < cluelessperson> I fucking hate ads 14:49 < cluelessperson> I hate that ads show up on equipment I purchase 14:49 < cluelessperson> I hate that ads are built into my TV 14:50 < cluelessperson> I hate that ads are becoming increasingly intrusive. 14:50 < cluelessperson> I hate that by signing up for internet from TWC, they start sending me ADS in the fucking mail 14:50 < cluelessperson> I fucking hate that when I CALL them and tell them to STOP SENDING ME ADS, they continue to 14:50 < cluelessperson> FUCK ADS 14:50 < cluelessperson> and fuck you if you allow them 14:50 < cluelessperson> :P 14:51 < afx> just stop visiting places which sell ads :) 14:51 < cluelessperson> afx: that's not a choice. 14:51 < afx> it is. i dont watch tv for example 14:51 < afx> rarely 14:51 < cluelessperson> afx: you're on the internet 14:51 < cluelessperson> afx: you buy groceries 14:51 < cluelessperson> afx: you have internet service. 14:51 < afx> im on irc :) 14:51 < cluelessperson> afx: they're inescapable 14:51 < tds> if you do want to watch tv, get a non-smart one, and plug a linux box into it :) 14:51 < afx> do you use social media for free? :) 14:51 < cluelessperson> I consider ads to be malware and defacing public property 14:52 < turtle> silence consumer, take it. 14:52 < afx> turtle: lel xD 14:53 < cluelessperson> turtle: I advocate for killing congressmen for treason 14:53 < afx> he couldnt resist the offer :) 14:53 < turtle> sweet, sounds like you're on some cool lists. 14:53 < cluelessperson> capitalism and fascism go hand in hand. 14:54 < afx> i knew it xD 14:55 < weyland|yutani> cluelessperson, ever heard about adblocking? 14:56 < cluelessperson> weyland|yutani: do they have adblockers for TVs?
14:56 * cluelessperson is going to have to setup a mirroring and analysis port for network monitoring so he can firewall various domains 14:56 < weyland|yutani> cluelessperson, sure its called mute button and making pizza 14:57 < weyland|yutani> cluelessperson, if you know your way around pfsense you could use NGblock and block all those pesky ad domains 14:59 < cluelessperson> weyland|yutani: NGblock on what exactly? 15:00 < weyland|yutani> domains used by ad companies there are lists for those said domains and you block them 15:03 < cluelessperson> weyland|yutani: well, how do I block them on the network itself? 15:05 < cluelessperson> weyland|yutani: in my case, unifi security gateways 15:08 < weyland|yutani> cluelessperson, install a firewall between your lan and your router 15:09 < cluelessperson> weyland|yutani: the Unifi USG operates as a firewall and router 15:17 < Apachez> any of you who have been playing with graphviz? 15:22 < cluelessperson> So, I'd like to make a script that downloads adblock lists and updates my Unifi USG's firewall 15:22 < cluelessperson> do you have any recommendations or ideas for getting lots of lists? 15:37 < weyland|yutani> https://filterlists.com/ 15:55 < SporkWitch> did i just walk into tumblr or something? all i see is some illiberal leftist rambling incoherently (though with a VERY self-descriptive name) 16:04 < dogbert2> 16:11 < TV`sFrank> too much Winner 16:12 < purplex88> is average download speed a statistical data? 16:12 < drac_boy> hi 16:32 < slickerjet> @Apachez sorry i fell asleep - what did you mean you get RJ45 with SFP+? that means i can get the XG-16 as my switch, and maybe get a unifi router with SFP+? 16:33 < slickerjet> i am not good at networking, as you can tell :( 16:33 < RJ45> SFP is a meme 16:34 < slickerjet> sorry did i misunderstand?
16:34 < tds> slickerjet: you can get sfp+ rj45 transceivers if you really want, but they're relatively expensive 16:35 < slickerjet> oh, i dont want to spend too much money 16:36 < slickerjet> my situation is as follows- i live in an apartment, i have 6 active cat54/cat6 drops in various rooms, i have wan1 from at&t @ 1gbit and wan2 from comcast @ 1gbit, i want to make it such that any 2 machines, or group of machines, can get at least 2 gbit total, or 1gbit per port 16:36 < slickerjet> i have the 6 drops punched down in a closet, i'm trying to find the most cost effective gear, i just thought i could plug in two ports from my pfsense appliance, into 2 ports in my dumb netgear switch, and that way i can get 2 x 1gbit total throughput, i know no single machine will go beyond 1gbit 16:36 < Apachez> slickerjet: I meant if you need 10G TP (RJ45) you can get such SFP+ modules for that ubiquiti XG-16 box 16:37 < slickerjet> but if i can have at least two independent machines doing gigabit each, that would saturate both wan1 and wan2 16:37 < Apachez> yeah they are expensive and limited by the powerbudget of the SFP+ interface 16:37 < Apachez> I would recommend you to use multimode or singlemode fiber instead 16:37 < slickerjet> i cant rerun any wiring :( 16:38 < Apachez> I have summarized my graphviz vs network diagrams question at https://www.reddit.com/r/networking/comments/8dbucs/tools_to_create_maintainable_network_diagrams/dxqe7zp/ in case somebody has some input regarding graphviz :) 16:40 < slickerjet> @Apachez upon some amazon.com research, i think i understand what you mean by multimode and singlemode, you didnt mean rerun my cat cables with fiber, but look for multi mode SFP+ transceivers instead 16:40 < slickerjet> 10gbit SFP+ -> RJ45 is 200$ oh my 16:40 < Apachez> no 16:41 < Apachez> I meant that you should invest in multi or singlemode cables 16:41 < Apachez> you dont have to rip out your current tp cables 16:41 < Apachez> just add the fibers too 16:41 < slickerjet> oh, i cant add fibers because i dont own the place :( they wouldn't let me
16:41 < tds> slickerjet: do you want to be able to push 2gbit to a single remote server over both connections? 16:41 < tds> since that's going to be rather more complex than just the internal network 16:41 < slickerjet> no, just 1gbit would be enough, but i'd like at least 2 different machines to be able to get 1 gbit each 16:42 < slickerjet> my friend explained, i dont want 2gbps, i want 2 x 1gbps 16:42 < slickerjet> my wan1 and wan2 are both gigabit, but RJ45 from their respective consumer grade modems 16:42 < tds> get a slightly less dumb switch and do a 2x 1g bonded link from the router to the switch, then you should be sorted 16:42 < slickerjet> bonded link = LACP right? 16:43 < tds> you'll just need to do some magic on the router to route traffic from different devices out of each connection to split the load 16:43 < tds> yes 16:44 < slickerjet> how complicated is the magic you speak of? i'm not that good at CLI 16:44 < slickerjet> just clicking a few checkboxes in the pfsense interface? 16:45 < tds> I think that pfsense has support for doing it relatively easily, yeah 16:46 < slickerjet> okay sweet, then i have all the stuff i need, my pfsense appliance comes on monday, and i can grab a nice unifi switch from my office 16:46 < tds> depending on exactly how it does it, you may have some issues with certain services if you keep switching between multiple external IPs 16:46 < slickerjet> i think i should be able to do some outbound management, from what i have experience with on my peplink multi wan router, HTTPS Persistence is the major one 16:47 < slickerjet> currently i have a multi wan peplink balance one, but it maxes out at 600mbps 16:48 < Celmor> I'm trying to get an ftp server working but always when the client switches to passive mode he gets ECONNREFUSED 16:48 < Celmor> although those ports are allowed in iptables 16:56 < drathir> Celmor: not ssh easier?
16:56 < Celmor> why ssh? 16:56 < drathir> Celmor: more secure and easier bypass fw... 16:57 < Celmor> don't wanna allow someone to execute commands on my machine just to allow them basic ftp functionality 16:57 < Celmor> and only wanna share on my local network 16:57 < drathir> Celmor: why You should do that ? ssh allows only sftp access... 16:58 < Celmor> someone wants to access my share as a "network drive" or filezilla 16:58 < tds> it might make more sense to use something like nfs or samba 16:59 < drathir> Celmor: sshfs+bitvisessh... 16:59 < Celmor> with nfs I often have permission issues between windows and linux 16:59 < drathir> tds: yep that good idea too... or just opencloud/seafile... 17:00 < drathir> Celmor: personally think ftp is the worst from all solutions, but Yours choice... 17:01 < Celmor> I tried having sftp access into explorer integrated previously but functionality is very limited and it's slow 17:02 < tds> is this windows explorer? 17:02 < Celmor> can I limit a user to sftp access to my ssh server? 17:02 < Celmor> client uses windows so yeah 17:02 < tds> iirc that can also do webdav, which should work fine 17:02 < drathir> Celmor: m$ samba/nfs probably best integration shot... 17:02 < Celmor> looked into webdav earlier, seemed complicated to setup 17:02 < tds> but yeah, I'd probably just do samba 17:02 < drathir> Celmor: yes You can per account setup only for ssh built in... 17:02 < Celmor> wanted to keep my host system minimal and don't have complicated servers running 17:03 * drac_boy has always used filezilla or fetch when it comes to ftp no matter the os 17:03 < Celmor> drathir, windows still has problems with nfs, even if you use NFS services in win10, but remote doesn't use win10 17:04 < Celmor> with filezilla you still need a local copy of the file and can't work with the files remotely 17:04 < drathir> Celmor: if no explorer integration needed the fastest way sftp... 17:04 < drac_boy> celmor did you bother reading manual? ;)
17:04 < Celmor> of what? 17:05 < drathir> Celmor: there could be iscsi but that way complicated setups... 17:07 < Celmor> I could setup iscsi (my filesystem would make it easy) but then I can't access the same files locally at the same time 17:09 < Celmor> if I wanna setup sftp-only access is this still up-to-date? post has been created 5 years ago https://serverfault.com/questions/354615/allow-sftp-but-disallow-ssh 17:12 < drathir> Celmor: creating user adding user to ssh group add in sshd filter by group and set sftp only, and You can also in case block console access... 17:12 < Celmor> how do I do the latter? 17:13 < Celmor> so is the answer in the post I linked correct? 17:13 < drathir> Celmor: i wrote that fast from my head, +/- steps... not read it sadly... 17:15 < drathir> Celmor: but fast look its kinda similar looks like... 17:16 < Johnjay> ok kind of a softwarish question but if i turn a raspberry pi running debian into a consumer router, how stable is that going to be? Compared to something else like pfsense or freenas or these other programs? 17:16 < Johnjay> like is it going to run for 17.3 days and then crash mysteriously? 17:16 < Celmor> drathir, so the chroot would disallow the users access to commands? 17:17 < Celmor> a pi might have higher latency/lower network throughput 17:17 < Celmor> pfsense and-the-like obviously have more features 17:18 < drac_boy> johnjay well theres two obvious network-related problems 1. it uses usb not native ethernet 2. wheres the second port or more? 17:18 < Johnjay> drac_boy: right i did see a usb stick used in the tutorial i saw. so it would have to be some kind of usb ethernet
17:18 < Johnjay> actually maybe it was just wifi lol 17:19 < Johnjay> so that's a good point 17:19 < Johnjay> Celmor: a new pi was just released with gigabit ethernet, which is why i'm asking 17:20 < Johnjay> it's got 1 ethernet jack, 4 usb 2.0, and integrated dual band wifi and BT 17:20 < drac_boy> johnjay physical doesn't matter..its likely still usb on the traces 17:23 < tds> ^ the physical gbit port on the pi 3b+ is still attached to usb 2.0, so your throughput won't be great 17:23 < tds> still better than the old 10/100 ports, though 17:24 < Johnjay> tds: er, so it's not really gigabit? 17:24 < drac_boy> I'll rather take native fast ethernet on any other board than ever bother with a sbc that uses usb but :P 17:24 < Celmor> sbc? 17:24 < tds> Johnjay: no, you'll never actually push gigabit through it 17:25 < Johnjay> so more like 280Mbit/s according to wiki spec for usb 2.0? 17:26 < Johnjay> "The new USB Ethernet controller offers gigabit connectivity at a theoretical maximum throughput of 300Mb/s, due to its use of a single USB channel." 17:27 < Johnjay> so in other words to offer more speed it would need to tradeoff some of those usb2.0 ports? 17:29 < Celmor> and need to be rewired 17:30 < Johnjay> well i mean, it's something that would have to be decided before manufacturing 17:33 < at0m> latest rpi3 has gigabit port, but ofc cant deliver gigabit either 17:34 < at0m> it does somethink like you wrote above. 17:34 < at0m> *something 17:35 < Johnjay> anyway aside from this gigabit issue 17:36 < Johnjay> what other potential issues would there be in using one of these for a home router 17:36 < Johnjay> would the bus be too limited to support multiple ethernet connections? 17:36 < drathir> Celmor: not chroot, chroot would limit to user directory only...
17:36 < Johnjay> i'm trying to figure out if it would be cheaper than buying a new wireless router 17:38 < drathir> Celmor: for limit is ForceCommand internal-sftp also for higher security You redirect shell to null one... 17:38 < tds> an ap/router should be relatively cheap and will likely work better than an rpi, you can always stick openwrt on it if you want linux 17:39 < at0m> Johnjay: technically speaking, rpi3 runs its gigalan also off an usb hub (internally), hence the more limited throughput 17:39 < Celmor> drathir, why null? what about /usr/bin/nologin or /bin/false 17:39 < drathir> Johnjay: You probably get better speed by wifi than eth unless no more shared with usb bus... 17:40 < Johnjay> tds: i wonder if you get more bang for your buck buying a small router that doesn't support wifi and plugging a raspi into it. 17:40 < Johnjay> routers cost at least $60, at least the wlan ones i know of 17:40 < superkuh> Hi. I've got a wireless serial link (56k) set up between two computers. The host on my LAN with an internet gateway and a client laptop not on the LAN with only a SLIP connection to the host. The SLIP connection is on a different subnet from my LAN on both host and client (192.168.5.0/24 SLIP, vs 192.168.1.0/24 LAN). I can ping over SLIP from host to client and vice versa fine. But now I'd like to set up internet connection sharing on the h 17:40 < superkuh> ost that can be used over the SLIP connection. I've outlined what I think I need to do at http://superkuh.com/SLIP-serial-internet-sharing.txt but I have a few questions. 17:41 < Johnjay> you can get pi0 with wireless for $24 17:41 < drathir> Celmor: yep that one null in meaning no access... 17:41 < Celmor> mine was half that price 17:41 < superkuh> First, when doing ip forwarding with iptables, do I set the ipforwarding on the SLIP interface (sl0) or on the ethernet/LAN one on eth0? 17:41 < superkuh> ie, sysctl net.ipv4.conf.sl0.forwarding=1 vs sysctl net.ipv4.conf.eth0.forwarding=1 ? 
17:41 < Celmor> drathir, as opposed to /bin/nologin? 17:42 < tds> heh, I hadn't considered doing it with a pi zero, I guess that probably would be cheaper (but throughput won't be great) 17:42 < drathir> Johnjay: better save more and take something like https://omnia.turris.cz/en/ or some mitx intel boards... 17:43 < drathir> Johnjay: if You wanna power/stability for longer... 17:43 < Johnjay> well i don't really need great throughput, my internet is not gigabit or something 17:44 < superkuh> Second, when setting up the masquerade with iptables, do I set input (-i) to sl0 and output (-o) to eth0? ie, sudo iptables -A FORWARD -o eth0 -i sl0 -s 192.168.5.0/24 -m conntrack --ctstate NEW -j ACCEPT 17:44 < superkuh> And should the -s be the SLIP subnet or the ethernet/LAN one with the gateway? 17:44 < Johnjay> drathir: that is pretty pricey lol 17:44 < skyroveRR> Hi superkuh :) 17:44 < skyroveRR> And hi drathir :) 17:45 < Celmor> drathir, so if I use 'ChrootDirectory /home/sftp_user' in sshd_config and set that users home to / I can still use /home/sftp_user/.ssh/authorized_keys for authentication? 17:45 < superkuh> Hello skyroveRR. 17:45 < Johnjay> so basically as long as i'm willing to take lower throughput, the answer to my question is that a pi 0 can be used as a home router probably? 17:45 < superkuh> I guess this is probably more of a forum question than an IRC one. 17:45 < superkuh> Anyone have any good recommendations for a forum to discussing internet connection sharing of serial link (SLIP)? 17:45 < superkuh> ER, s/to/for/ 17:45 < skyroveRR> superkuh: woah! 17:46 < Celmor> johnjay1, and higher latency 17:46 < skyroveRR> Wait, serial? You still in the stone age, superkuh ? :P 17:46 < drathir> Johnjay: but its all in one solution You can put anything You want there... 17:46 < superkuh> skyroveRR, it's wireless at 915 MHz. 17:46 < skyroveRR> Oh.
17:46 < superkuh> I'm abusing an FPV telemetry dongle as fallback connection for when my high speed ubiquiti kit fails. 17:46 < drathir> Johnjay: and low power consumption too.... 17:47 < skyroveRR> superkuh: that's an unlicensed frequency, right? 17:47 < Celmor> you can power it just from a computers USB, or any power bank.. 17:47 < drathir> Celmor: yes its preferred using ssh keys... 17:47 < superkuh> skyroveRR, yes. But I am licensed for general class as well. 17:47 < Celmor> drathir, just wondering if that's the place since I've set the users home to / 17:47 < skyroveRR> superkuh: so that covers that? 17:47 < drathir> skyroveRR: hi, hi ^^ 17:47 < SporkWitch> Celmor: talking about a raspi? 17:47 < superkuh> If I want to boost the power in the future I can with my 25w bidirectional amp. 17:47 < superkuh> Yes. 17:47 < superkuh> I just have to avoid encryption. 17:47 < Celmor> SporkWitch, yeah 17:47 < Johnjay> drathir: right. i mean i'd have to use some kind of ethernet hub to provide multiple outputs right? 17:47 < skyroveRR> superkuh: I see. 17:47 < SporkWitch> i've run 'em off solar panels before :) 17:48 < superkuh> I also designed a 910 MHz bandpass filter using split ring resonators that just finished being fabbed in China. 17:48 < drathir> Celmor: user account folder need be owned by root.., 17:48 < superkuh> http://superkuh.com/dgs-bandpass-filter.html 17:48 < Celmor> SporkWitch, what if there happens to be a cloud, suddenly router switches off, lol... 17:48 < superkuh> Specifically the iteration at this anchor, http://superkuh.com/dgs-bandpass-filter.html#yodawg 17:49 < Celmor> drathir, for security you mean?
17:49 < SporkWitch> Celmor: it wasn't meant to be pratical, i was just curious if the panel put out enough / the pi drew little enough 17:49 < tds> superkuh: that iptables rule looks fine, -s should be the lan side subnets that the traffic being nated is coming from, and you want to make sure you have a rule to allow established connections as well in both directions 17:49 < Celmor> yeah, since you can charge other things via a solar panel it'll be more than enough 17:49 < SporkWitch> s/prat/pract 17:50 < drathir> Johnjay: turris have multiple gigabit ports and if good remember usb3.0 too even hdd should handle w/o problems... 17:50 < superkuh> Thanks tds. 17:50 < SporkWitch> Celmor: well most stuff you "charge from a solar panel" is actually trickle-charging a capacitor of some kind, not supplying direct power to the running device 17:50 < tds> superkuh: and since you want to forward traffic in both directions, I think you'll need to enable forwarding on both interfaces (or just globally if you want) 17:50 < superkuh> Aha. Okay. 17:51 < SporkWitch> tds: correct 17:51 < drathir> Celmor: nope, for chroot to work the sftp user folder needs to be owned by root... 17:51 * tds is always just lazy and enables it on every interface :) 17:51 < skyroveRR> :) 17:51 < superkuh> I was just worried about borking my network for other things. 17:52 < tds> I saw that there was a docker interface on there, which may make life interesting when you start adding your own iptables rules, so good luck 17:53 < ska> Anyone know a network consultant in Sugarland TX area? 17:53 < superkuh> Yeah. apt-get remove didn't get rid of all docker's crap when I stopped caring about it. 17:53 < ska> If so, please PM me anytime. 17:54 < superkuh> ip link del docker0, there. 17:54 < ska> Also looking for someone in San Marcos, TX area. 17:54 < superkuh> Cleared that up. 17:54 < drathir> ska: in us crosstalksolutions guy probably could give some advices too... 17:55 < drathir> superkuh: purge ?
17:55 < superkuh> Good idea. Doing that too. 17:56 < drathir> superkuh: but not sure if it will mess with interfaces... 17:56 < superkuh> Well, it's no longer listed in my routes. So I'll just go and see what will happen. 17:56 < tds> superkuh: also, make sure you have iptables-persistent or something similar installed (with rules saved), so you don't lose everything on reboot 17:56 < drathir> superkuh: best shot that interfaces created by docker at system start get vanished after restart... 17:57 < Johnjay> these are cheap and need to have their mac addr changed: https://www.amazon.com/TOOGOO-Ethernet-Network-RJ45-Adapter/dp/B00CAMZVSC 17:57 < Johnjay> ska: what does a network consultant do? 17:59 < drathir> Johnjay: network design kinda probably hw choice etc... 17:59 < drathir> Johnjay: only not bcm based... 18:00 < Johnjay> ah ok. so basically the things i'm asking about 18:01 < drathir> Johnjay: bcm+linux bad idea mostly... 18:02 < drathir> Johnjay: kinda its fine when works its pain when come to os upgrade... 18:02 < superkuh> On my client PC connecting via SLIP to host IP, do I give the sl0 interface an IP address on the host LAN subnet? ie sudo ip addr add 192.168.0.200/24 dev sl0 then sudo ip route add default via 192.168.0.1 ? 18:03 < limon__> Is it possible to request a higher download rate from ISP where the rate has been reduced, presumably because of instability? 18:03 < Johnjay> apparently you can add an external ethernet port to the SPI interface: http://raspi.tv/2015/ethernet-on-pi-zero-how-to-put-an-ethernet-port-on-your-pi 18:04 < tds> those ENC28J60 modules are *very* slow, though 18:04 < cluelessperson> Can someone suggest a cheap 10G SFP card I can buy? 18:05 < tds> mellanox connectx2 cards tend to be pretty cheap on ebay, depending on your location 18:05 < drathir> limon__: only when dslam upgraded mostly... bc even if they give You higher queue dslam anyway will drop You when auth/connection errors occur...
18:06 < Johnjay> you only get 3Mbit though 18:06 < Johnjay> lol 18:07 < drathir> limon__: adsl to adsl2+ upgrade could give You better quality depend at distance... 18:08 < limon__> drathir: ah that's annoying. The connection drops are due to bad weather only but it's annoying that I then have to wait for days after for the dl speed to increase 18:09 < drathir> limon__: keep on mind that instability could caused by lover queue placed in business plans there is chance more stable on rush hours... 18:09 < overyander> Hey, I'm wanting to write my own web filter for windows. from research, it looks like all web filters rely on setting proxy settings in the browser and send all web requests to the remote proxy that then does the filtering. I'm wanting to make something that runs locally on the machine and would apply to all browsers and applications even if the user messes with the proxy settings. Can anyone point me in the right direction to start? 18:10 < drathir> limon__: hmmm... weather its satellite wireless uplink? 18:11 < drathir> overyander: transparent proxy at router with disabled access to it... ? 18:12 < limon__> drathir: No I think there are physical line problems probably, had it for ages but ISP obviously side step it or suggest 'sending a new router' -.- 18:12 < overyander> i'm needing something that runs as a local client on the pc's since they're mostly laptops and when employees travel with them there will be many different environments. 18:13 < drathir> limon__: weather should barely affect connection quality... You always can check connection stats if router support... 18:13 < overyander> I couldn't find anything to this and was looking into writing my own but I'm not sure where to start and how to properly tap into all the web requests on the machine. 18:14 < drathir> overyander: than no mess in my opinion only vpn client and filter at server side... 18:15 < limon__> drathir: it is consistent with bad weather. I presume there is a line fault somewhere. Have even had it in the past where opening the door has led to disconnects! 18:17 < drathir> limon__: try maybe put some filters for rj11 and power of router... 18:17 < drathir> limon__: btw thats interesting indeed ^^ 18:17 < overyander> drathir i don't see how that would work. let's say you take your laptop to the airport and you log in to windows and join the public wifi. what is going to force your computer to then connect to the vpn? 18:18 < limon__> drathir: have filter on rj11 but not router power 18:18 < limon__> I will try that, thanks 18:18 < drathir> overyander: You can setup openvpn as service and lock admin account i guess... 18:19 < tds> if you really want to stop determined users though, you'll struggle to if they have physical control of the hardware 18:20 < drathir> oh too late... wanna say also could try to turn off modem for half of hour to reset connection at remote side... 18:22 < drathir> tds: yea i dont see needs to mess more with notebooks if there is way to bypass that still... tunneling the fastest way i think... 18:59 < spidey91> Hello I'm having problems forwarding ports so they are open in kali linux on virtualbox, I have them open on my modem/router, on my windows firewall, and on gufw the linux firewall. But still I cant forward ports 80 and 8080 19:18 < acresearch> people for cisco vpn where can i find the .pfx file? 19:21 < djph> acresearch: "which" .pfx file?
19:22 < acresearch> djph: apparently i need a .pfx file to extract the certificate and private key from in order to connect a cisco AnyConnect VPN through OpenConnect 19:23 < djph> your IT dept would've made it for you (most likely) 19:23 < djph> since its supposed to be "your" key 19:25 < acresearch> djph: well they won't release it, they are forcing us to use windows 19:25 < djph> then grab it from a win machine 19:25 < acresearch> djph: if i cannot extract it or find it from the anyconnect client then i guess it is game over, i and my students must move back to windows 19:26 < djph> acresearch: its not part of the client. it would be pushed via win GPO for example 19:27 < acresearch> djph: win gpo? 19:27 < djph> group policy 19:28 < acresearch> djph: from a windows os? 19:29 < djph> no, from a mac ... what did i literally just tell you? 19:30 < acresearch> i don't know djph i haven't used windows since 2008 i am not familiar with details of how it works 19:30 < acresearch> djph: my last ever windows machine was windows XP 19:31 < djph> so? i havent used it since 00, and i can still work out "get the certs" 19:44 < xceptioN> o/ 20:00 < tpanarch1st> hello, this is either a simple question or a rather niggly one, I have searched and searched on google but i'm not finding anything that works. I use Chromium and PVE and I'm getting rather irritated by the "invalid certificate" error that I have to bypass every time I open a new window to get into the administration panel. It is only available on my LAN. I was concerned (although I'm highly likely to have misunderstood) that to get 20:00 < tpanarch1st> a certificate to satisfy Chromium (or chrome), I would actually need to open my PVE to the outside world 20:01 < tpanarch1st> (or the admin panel to the outside world) which is obviously not a wise idea. The best mitigation is you should "close port 80 again" and "work out how to reopen it" for, say, let's encrypt's renewal. 20:02 < djph> PVE?
20:02 < tds> you could use an internal CA, or use another form of validation for let's encrypt (ie dns-01) 20:02 < tpanarch1st> I can't see that being particularly wise either unless let's encrypt can tell you "we will tie up with you at 06:59:58seconds) 20:02 < tds> I suspect he means proxmox 20:02 < djph> AH 20:02 < aditya7400> internal ca is a good idea 20:02 < tpanarch1st> yes Proxmox, apologies, they have changed the name of it somewhat it seems and they now say Proxmox 20:02 < tpanarch1st> there's a little more to this :) 20:02 * tds uses an internal ca for certs on my proxmox host 20:02 < tpanarch1st> so I did find one page of instructions 20:03 < tpanarch1st> and I downloaded the internal cert, imported it to chromium but chromium is ignoring it. It seems Firefox is Ok with it 20:04 < tpanarch1st> -but- alas, a hell of a lot of my website passwords/autocomplete/bookmarks are in chromium so I don't fancy switching :) 20:04 < tpanarch1st> i'm on a home network with a few issues 1) No static IP 2) One Dynamic IP not Two 3) Proxmox is set to Corinthian.LAN and not a proper FQDN (I never anticipated exposing the interface to the outside world 20:05 < tpanarch1st> that's it I think :) - So tds you can see how using internal hasn't played ball and DNS is a touch tricky 20:15 < tds> yeah, an internal ca sounds like the best option then - chromium should work fine with it, I've had issues with it not displaying a new cert after swapping it on the server but at worst restarting chrome should fix that 20:17 < tpanarch1st> indeed tds 20:17 < tpanarch1st> so i've downloaded pve-root-ca.pem 20:18 < tds> ah, I'd probably recommend generating your own root then signing certs for each host with that, rather than using the built in pve one 20:18 < SporkWitch> ^ 20:18 < tpanarch1st> imported it into "authorities" on the SSL Certificate Settings area of Chromium 20:18 < tds> then you can sign certs for other internal services in the future 20:18 < SporkWitch> ...
20:18 < tpanarch1st> ah right :) 20:19 * SporkWitch starts signing certs with pve cert 20:19 < tpanarch1st> but i'm still getting the warning after doing that bit :) 20:19 < tpanarch1st> I did close and re-open chromium 20:19 < SporkWitch> what is the usecase here? What kind of server are you trying to access and with what? 20:19 < tpanarch1st> sure SporkWitch internal LAN PVE (Proxmox) Web Interface 20:20 < tpanarch1st> sick to death of having to bypass security warning but want it to be as secure as possible nevertheless 20:20 < SporkWitch> ah, so not publicly reachable? 20:20 < tpanarch1st> nope SporkWitch hence limited options AFAIK :) 20:20 < SporkWitch> tpanarch1st: https://github.com/OpenVPN/easy-rsa 20:21 < SporkWitch> it's for openvpn, but you can use it for anything that takes x509 certs 20:21 < tpanarch1st> i thought it was never advisable to allow pve web interface access to the outside world :) 20:21 < tpanarch1st> i'm **not** saying **you are*** saying that anybody :) 20:21 < tpanarch1st> and yet if you want a decent cert, they say, officially, you need to 20:22 < tpanarch1st> "blow a hole in the side of the ship to secure the ship" 20:22 < SporkWitch> tpanarch1st: use the thing i linked if you can't use letsencrypt 20:22 < tds> you can still do dns-01 for unreachable things if you want to use let's encrypt 20:22 < tpanarch1st> yeah :) What's the difference between that and the route i've taken please :) 20:22 < tpanarch1st> tds: what is dns-01 :) 20:22 < SporkWitch> tpanarch1st: reduced headache and confusion lol 20:23 < tds> but that doesn't help if you're using .lan dns names, le certainly won't give you a cert for those ;) 20:23 < tpanarch1st> tds: maybe SporkWitch 's less headache route might be easier? 
20:23 < SporkWitch> easyrsa is very well-named :) 20:23 < tds> yes, absolutely, I originally said to do an internal ca :) 20:23 < xceptioN> that's hot 20:23 < tds> just saying that it's still possible to use le in scenarios where the server isn't public 20:23 < xceptioN> wrong window 20:23 < tpanarch1st> ok, cool, it's when you've got two different people with different routes you don't want to seem like you are "playing people off" 20:24 < tpanarch1st> haha xceptioN 20:24 < SporkWitch> tds: yeah, still needs a normal FQDN, though 20:24 < tpanarch1st> ok :) 20:24 < tpanarch1st> have either of you done the easyrsa route? 20:24 < tpanarch1st> partic with pve 20:25 < SporkWitch> i've used it for signed SSH keys and openvpn 20:25 < tds> it shouldn't be any different for pve, just follow the easy-rsa docs, then see the pve docs for how to install the keys on the host 20:25 < tds> s/keys/cert and key/ 20:26 < tpanarch1st> ok tds where should i install easy-rsa please? i'm thinking it's probably wise not to mess up PVE and install it on that machine, but then, if you are saying do that for all websites, then i suspect it's worth just banging it on my laptop? 20:26 < tpanarch1st> sorry i say websites - all of my machines with web interface security complaints 20:26 * SporkWitch facepalms 20:26 < BottomX> Why I can’t open the home page of ##networking why this happens? 20:27 < SporkWitch> we have a homepage? lol 20:27 < tpanarch1st> BottomX: what do you see? 20:27 < tds> yes, I'd do it on a trusted machine (eg your desktop/laptop if you trust that, a dedicated vm if you want) 20:27 < tpanarch1st> I was going to say Paragon Internet are in a right mess! 
20:27 < tpanarch1st> tds: sounds like my laptop is the most sane solution 20:27 < tpanarch1st> any stumbling blocks, is it rocket science or straightforward :) 20:28 < BottomX> Just about server problem 20:28 < tds> it should be pretty simple, it's called easy-rsa for a reason :) 20:29 < tpanarch1st> excellent, well i shall open the website and have a read :) Thanks for that :) 20:30 < tds> if you fancy an even easier solution, there are also similar gui tools (eg xca) 20:30 < SporkWitch> don't do it! 20:30 < SporkWitch> GUI is a trap 20:30 < tds> easy-rsa is probably better documented, though 20:30 < djph> ^ 20:31 < tpanarch1st> are there any instructions for installing it please - the readme doesn't say :) 20:31 < tds> eh, all of these things are just running the same openssl commands behind the scenes :P 20:31 < tpanarch1st> :-D 20:31 < SporkWitch> don't mean that as a joke either; GUI admin tools for things whose primary interface is config files and CLI are a TRAP, they don't really teach you what you're doing, and they have a habit of mangling things making it almost impossible to shift to the "right" way; it's like using waterwings into adulthood, you're never actually going to learn to swim 20:32 < tpanarch1st> hehe :) I'll take your word for that so as not to confuse this anymore - i'm looking at this dauntingly as it is 20:32 < SporkWitch> tds: even with easyrsa, you at least learn some and you can see what it's doing 20:32 < SporkWitch> GUI tools hide all of that 20:32 < tpanarch1st> reet, so i presume with any program it needs to be installed and not just shoved in a directory somewhere?
20:33 < SporkWitch> limited exception: zenmap, which actually does show you the actual nmap commands it's running 20:33 < tpanarch1st> i could go on google "how to install easy-rsa" but are there any acceptable instructios 20:33 < tpanarch1st> instructions 20:33 < tpanarch1st> i was tempted to simply go to package manager 20:33 < SporkWitch> depends on the program; easyrsa is just a script to help automate some stuff for you; you need to install openssl and the other deps normally 20:33 < tpanarch1st> ohhhhh I didn't know that :) 20:33 < tpanarch1st> ahhh 20:34 < tds> iirc easyrsa is also packaged for debian, that should get you all the dependencies and a magic command to set up a new directory with the easy-rsa stuff in 20:34 < tpanarch1st> I can go and do this by probably a million tutorials but i often find i hit a problem and then i'm told i followed the wrong instructions 20:34 < SporkWitch> probably right, i know openvpn installs easyrsa as a dep itself lol 20:34 < tpanarch1st> oh sweet - so perfectly acceptable to use aptitude instead :) 20:34 < tpanarch1st> i'm on linux mint (love it) 20:35 < tpanarch1st> so deb essentially 20:35 < tpanarch1st> any wise words before I do apt-get install easy-rsa :) 20:35 < tpanarch1st> then, any decent newbie instructions for after on the web that you guys say "yeah, they are cool" 20:37 < djph> the manpage? 20:39 < tpanarch1st> djph: ah these manpages are really hard to understand :) So I like to go to easy to read tutorials but i'd rather avoid a tutorial that is wrong :) 20:39 < FalconMillennium> My dynamic IP resets every hour at around h:30-40, can I do something to prevent that? 20:39 < FalconMillennium> And my connection gets interrupted. 
20:39 < SporkWitch> tpanarch1st: man man 20:39 < tpanarch1st> SporkWitch: haha :-p 20:39 < SporkWitch> FalconMillennium: scream at your ISP 20:40 < tpanarch1st> i've made that joke before 20:40 < SporkWitch> tpanarch1st: it's not a joke 20:40 < djph> so, then (until [$understand == "true" ] ; then read the manpage ) 20:40 < tpanarch1st> serious, they have actually released a man for the man 20:40 < tpanarch1st> damn, that says a lot :( 20:40 < tpanarch1st> why could they have just not made the man more accessible 20:40 < SporkWitch> why wouldn't they? the point of man is documentation for the various commands, and that includes man itself 20:41 < tpanarch1st> yeah i can see your way of thinking SporkWitch 20:41 < tpanarch1st> :) 20:41 < SporkWitch> it's very accessible, with a standardized format. while some tools have better documentation than others, the format is generally well-adhered to 20:41 < tpanarch1st> it's like a lot, in terminal you get something like "type --help command" 20:41 < tpanarch1st> and then i type that, and i'm like "oh that doesn't work, i just get some error" 20:41 < SporkWitch> tpanarch1st: it also supports vi movement and search commands 20:42 < tpanarch1st> does it work ok with nano 20:42 < SporkWitch> you can still use arrow keys if you prefer, yes 20:42 < tpanarch1st> aha 20:42 < tpanarch1st> so like, i just typed man easy-rsa but nope 20:42 < SporkWitch> you can also use hjkl, C^D and C^U, and /pattern to search, just like in vi command mode 20:43 < SporkWitch> easy-rsa is a script, it doesn't have a manual page; it does have its own documentation though, including a readme and extremely well-commented config files 20:43 < SporkWitch> (unless it's something bundled, like adduser, scripts don't normally have manpages) 20:46 < tpanarch1st> oh right, i was just trawling man man trying to work out how to search for a manpage lol 20:46 < tpanarch1st> normally i thought it was just man and then whatever 20:46 < tpanarch1st> so that's just for commands then 20:46 < SporkWitch> generally, if there's a manpage for it ;) 20:46 < tpanarch1st> ahhh - so there isn't 20:46 < SporkWitch> unrelated, but a great and edifying read: man hier 20:47 < tpanarch1st> oh right :-p i'm sure it will be a best-seller in no time :-p 20:47 < tpanarch1st> so readme in that github area then? 20:47 < tds> easy-rsa does provide a minimal man page for make-cadir, but I think that's it 20:48 < tpanarch1st> it's supposed to be that simple, you don't need one 20:48 < tpanarch1st> i'm starting to think this is a single command 20:48 < tpanarch1st> once i find the right one 20:48 < tpanarch1st> now it's installed 20:50 < drathir> guys which fw schema is most popular this days ? ACL-based or zone-based firewalls? 21:10 < Apachez> drathir: proxy and application-based 21:29 < jim> when looking at a host's ip route output, if the routes include a default route, will it always look like "default.*dev (interface) .*? 21:30 < jim> err, "default.*dev (interface) .*" (forgot the closing quote) 21:36 < tds> jim: be warned that some things (eg openvpn) will add "default routes" in weird ways 21:36 < tds> eg for v4 ovpn can do 2 /1 routes, to make them preferred over the /0 route 22:10 < SporkWitch> so with ipv6, why does my host show a /64 and /128 with different last 64? Based on logs on the distant end, the /128 seems to be the specific host, what's that /64 then? gateway? 22:10 < Apachez> tds: yeha longest prefix wins 22:11 < Apachez> with v6 you normally use the linklocal as nexthop 22:12 < SporkWitch> they're both listed as global dynamic; only distinction between the two is the last 64 and /64 vs /128 22:34 < xingu> SporkWitch: link-local vs dhcp6 assigned global? 22:34 < SporkWitch> link local is a third address; both in question are global scope 22:35 < SporkWitch> looks like my isp is using a 6to4 tunnel, probably why i'm getting slow loads on pages 22:36 < Dagger> if it begins with 2002: then it's 6to4. but it's more likely that it's your router using 6to4, rather than your ISP 22:36 < Dagger> but also if you're using 6to4 then v4 is preferred over v6 22:36 < SporkWitch> agreed, just turned it on to see if it'd behave :P lol 22:36 < SporkWitch> and no, LAN prefix only, so you're probably right about it being the router doing it 22:37 < SporkWitch> or no, i'm not sure; in the ac-3100's settings i have it set to native... hmmm 22:37 < Dagger> addresses added as /128 are usually from DHCPv6. addresses from SLAAC or manually configured are usually /64 22:38 < Dagger> both of them will be the address of your computer, assuming they're listed in `ifconfig` or similar on the computer in question 22:39 < SporkWitch> yeah, just trying to figure it out; when i visit ipv6 test sites it shows the /128 address, not the /64 22:41 < ottomatik> Hi. Sorry for this stupid question. Is the name of the protocol "file transfer protocol" or just "ftp" ? 22:41 < Dagger> your browser has to pick one address or another to connect from. it just happens that it picks that one 22:43 < Dagger> you can try `wget -O- -o/dev/null https://ifconfig.co --bind-address ` or something similar with the other address. or just ssh in from outside or something 22:48 < ottomatik> Any one for my qu'est.. 22:49 < ottomatik> Question please? 22:49 < tpanarch1st> tds: is this an ok guide? https://www.akadia.com/services/ssh_test_certificate.html 22:49 < xceptioN> ottomatik: File Transfer Protocol is FTP for short 22:50 < xceptioN> acronym 22:51 < ottomatik> xceptioN, i understand ftp is an acronym. I just want To know if the name is "ftp" or "file transfer protocol"? 22:54 < xceptioN> ottomatik: Your question is like asking: Is the name "IP" or Internet Protocol 22:55 < xceptioN> You can use whichever. FTP is shorter, easier to type. But for report writing and talking with others, you should at least mention "File Transfer Protocol (FTP)" so they know FTP will stand for File Transfer Protocol after 22:56 < xceptioN> talking with others that aren't tech related or something I mean 22:57 < ottomatik> xceptioN, so both are considered names. Is that Correct? 22:59 < SporkWitch> initialism, not acronym 23:03 < ottomatik> SporkWitch, what's your answer for my question, please? 23:05 < SporkWitch> your question was largely answered, i merely corrected your misuse of the word "acronym." An acronym, by definition, must be pronounceable as a word, e.g. Linux, WINE, PITA. If you read / say it by speaking out the individual letters, it is not an acronym. All acronyms are initialisms, but not all initialisms are acronyms. 23:07 < ngc0202> since when is linux an acronym 23:08 < SporkWitch> ngc0202: not 100% on timeline, but it's a mixture of a portmanteau of Linux and UNIX, and LINUx Is Not Unix 23:09 < Johnjay> Gnu's not Unix either 23:09 < SporkWitch> yup 23:09 < ottomatik> SporkWitch, for me the name of the protocol is "file transfer protocol", ftp is just an abbreviation. But apparently I'm wrong 23:09 < SporkWitch> stallman does love his recursive acronyms 23:09 < xceptioN> ottomatik: its the same thing 23:09 < SporkWitch> ottomatik: it is not an abbreviation, it's an initialism 23:10 < Johnjay> you'd think from the name it's the only way you can transfer a file 23:10 < ngc0202> SporkWitch: I was under the impression it was just named after Linus, with an x at the end, possibly in reference to UNIX and possibly just because x is a cool letter 23:10 < Johnjay> Richard Stallman has a very strong opinion about saying Gnu/Linux 23:10 < Johnjay> and he will correct you no matter how many times you say linux 23:10 < xceptioN> :^) 23:11 < SporkWitch> ngc0202: the portmanteau aspect is definite; it's possible i conflated it with GNU is Not Unix in my memory 23:11 < ottomatik> SporkWitch, in the dictionary it says an initialism is an abbreviation 23:11 < xceptioN> ottomatik: File Transfer Protocol.. FTP, same thing. Lol, don't overthink it friendo 23:12 < SporkWitch> ottomatik: which dictionary? that said, i could be mistaken there; i typically think of an abbreviation as merely removing letters, not a full-blown initialism, but you may be right. initialisms may well be a subset of abbreviations just as acronyms are a subset of initialisms :) 23:12 < SporkWitch> xceptioN: well he said it was for a paper, no? only reason i'm getting THIS pedantic, instead of just leaving it with the original comment :P 23:12 < ottomatik> SporkWitch, wiki dictionary 23:12 < SporkWitch> ottomatik: so not a dictionary lol 23:13 < SporkWitch> wikis, by definition, are not primary sources, and you'd do well to learn that quickly if you plan to be writing ANY kind of paper lol 23:13 < xceptioN> SporkWitch: he didn't say it was for a paper. I just pointed out that, if for report writing, it is good practice to always mention the full name of something first time and use the initialism/acronym/whatever between parenthesis, then from there on you can use the shorter form after 23:14 < SporkWitch> xceptioN: ah, my bad then :( 23:14 < xceptioN> Cause like, the only reason I could think of overthinking FTP/File Transfer Protocol, is for something like academia or report writing heh 23:15 < ottomatik> SporkWitch, the wikidictionary is pretty decent I've it installed on my phone 23:15 < SporkWitch> xceptioN: yeah, i always define my terms, even if they're clear but some people may want to quibble. I had to do a paper about GMOs once, so right at the outset, to head off any nitpicky counters of "selective breeding is genetic modification!" i clearly defined genetically modified organisms as those created in a laboratory through means such as gene manipulation, rather than selective breeding 23:15 < Johnjay> SporkWitch: you wouldn't make a great lawyer. they would just redefine a farm as a "laboratory for species" 23:15 < SporkWitch> ottomatik: it's also able to be modified by any random asshat; again, wikis are not primary sources. by all means, use them to FIND primary sources, but never trust the wiki 23:16 < SporkWitch> Johnjay: context matters. A legal argument is not a research paper. The point of defining one's terms in a paper is to make one's meaning clear and make straw men harder to construct. 23:19 < ottomatik> xceptioN, i'm low intelligence, i ask stupid questions 23:20 < SporkWitch> might want to look into a different career field, then...
23:23 < Johnjay> SporkWitch: if Ted kennedy could get away with murder with 17 lawyers i think they know how to manipulate context pretty well 23:24 < SporkWitch> Johnjay: again, we're not talking about a courtroom, we're talking about an academic paper and legitimate academic criticism 23:24 < Johnjay> as long as you don't quit your day job and go to law school then that's fine then 23:25 < SporkWitch> Johnjay: you have literally zero basis for making an assessment of my ability to argue to win, rather than argue to reach truth. We were discussing the writing of academic papers; you are literally the only person talking about courtrooms 23:27 < jim> is there a problem here 23:27 < SporkWitch> you have a hat in ##networking now? O.o 23:28 < jim> oh, didn't see that :) 23:28 < SporkWitch> in any case, not really; just really weak trolling and insinuations of incompetence for no reason 23:28 < jim> sowwy, be excellent to each other 23:37 < jim> hmm... novax is ralph novak's trademark on the musical instruments he builds 23:38 < SporkWitch> sounds like an antivaxer :P --- Log closed Sun Apr 22 00:00:53 2018