--- Log opened Thu Apr 26 00:00:03 2018
--- Day changed Thu Apr 26 2018
00:00 < Dagger> it's fairly reliable, but let's not talk about the speed
00:00 <+catphish> i did cheat my measuring from my LAN router
00:01 <+catphish> Dagger: my wifi latency is 4.2ms, so i actually have slower connection to my AP than i do to london (100+ miles away)
00:03 < wiresharked> Dagger: Does flow control really improve performance?
00:04 < tds> catphish: you'll be happy to know that the rtt over your home connection is better than over the uni internet here ;)
00:05 < wiresharked> tds: And yet the belkin N300 doesn't support ac
00:06 < tds> eh, no need for this fancy ac stuff, just use a wire
00:06 < Dagger> catphish: so, I consider wiresharked's constant stream of random questions to which they don't care about the answers to be trolling, even if the questions are somewhat vaguely on-topic
00:06 <+catphish> Dagger: yes, he always does that
00:06 < xamithan> Just put the kid on ignore|squelch, thats what I do
00:06 < Dagger> catphish: I'm sure it's going to take a lot to make you want to ban them, but could you at least keep an eye on them?
00:06 <+catphish> Dagger: you can ignore him, or we can ban him
00:07 <+catphish> he's been doing it for months, i was waiting for someone to complain
00:07 < Dagger> because I don't think that on-topic trolling should be a "get out of jail free" card for trolling
00:07 < Dagger> well, you may consider this a complaint :p
00:07 <+catphish> he's gone now
00:08 < Dagger> and yeah, I can ignore, but that doesn't solve the issue for the other 1200 people here (plus it leaves me seeing only half of conversations)
00:09 <+catphish> i can't stand his nonsense
00:10 < Chojuan> question, I ping gateway 192.168.1.1 through wifi RTT 0.749/1.053/2.098/0.394 and I ping google RTT 0.078/0.099/0.103/0.015 how ping works?
00:10 < Dagger> we've had someone very similar in #a&a over the past year or two. really annoying
00:11 < tds> Chojuan: could just be that the gateway is bad at replying to icmp
00:11 <+catphish> Chojuan: gateway is just slow
00:11 < Dagger> (different hostname, so probably not the same person... although they both use web gateways)
00:12 < cyberbootje> Hi all, i'm trying to test LACP on 3 servers using a 10G switch, also with LACP enabled. Is it possible to split network speeds from 1 server to 2 servers? What i mean is, can i aggregate an LACP bond (2 x 10G) and do 2 x an iperf test to 2 other machines that have 1 x 10G each and basically saturate the 20G bond on 1 host and saturate both other machines that have 10G each ?
00:12 <+catphish> cyberbootje: yes
00:13 <+catphish> cyberbootje: LACP uses a hash to determine which link to use, so it may be that the 2 connections use the same link, or different links, it's luck
00:14 < cyberbootje> well for some reason i'm not able to saturate 20G
00:15 <+catphish> cyberbootje: well what do you see? both connections sharing the same 10G link?
00:15 <+catphish> there was a 50% chance that would happen
00:15 < redrabbit> https://www.dnsperf.com/#!dns-resolvers
00:15 < redrabbit> im sold on 1.1.1.1
00:15 < cyberbootje> i tried tweaking and using jumbo frames, all i get is exactly 5.15Gbit on each host
00:15 < redrabbit> just tried it
00:16 < redrabbit> sites load in a flash
00:16 < tds> redrabbit: just run tests from your own network, that's the best way to tell how it'll affect you
00:16 <+catphish> in flash? eww
00:16 < tds> but if you really care about dns latency, run your own internal caching forwarder/recursive resolver :)
00:16 < cyberbootje> catphish: so basically the bond thinks it's a 10G link while with ethtool it says 20000GB
00:16 < redrabbit> tds: i do that
00:16 <+catphish> cyberbootje: the bond is 2 x 10G LACP
00:16 < cyberbootje> yes
00:17 <+catphish> that wasn't a question, it was a statement
00:17 < cyberbootje> both fiber
00:17 < redrabbit> i replaced the cache source
00:17 < cyberbootje> lol
00:17 <+catphish> that has specific consequences, it means that each connection will use a random link
00:17 < Kingrat> if you can, on your hosts/switches, i suggest trying layer3+4 hashing policy
00:17 < Kingrat> it could help
00:18 <+catphish> (not really random, based on a hash, the hash can be configured to use layer2, or layer 2+3, or layer 2+3+4)
00:18 < cyberbootje> it is set to layer2
00:18 <+catphish> cyberbootje: you probably want the 2+3+4 so that every tcp connection uses a random link
00:18 <+catphish> rather than each host being assigned to a link (layer 2 hashing)
00:18 < tds> this has always confused me - I thought lacp worked at layer 2, so how does it hash based on source/destination IP/ports - does linux/whatever just look at the ip packet inside the ethernet frame to calculate the hash?
00:18 <+catphish> tds: yes
00:19 <+catphish> the OS calculates the hash by whatever headers you tell it to inside the frame
00:19 < cyberbootje> hmm ok
00:19 < cyberbootje> i have an option between L2+L3 or L3+ L4
00:19 <+catphish> with layer2, it will always use the same link to talk to the same host, pretty much useless
00:20 < tds> hmm, so how would that handle any non-ip ethernet traffic, would it just ignore the contents and hash based on mac addresses instead?
00:20 <+catphish> if you do l3+l4 then each tcp connection will get a random port, that's what you want
00:20 <+catphish> be sure to configure it on both sides
00:20 < cyberbootje> catphish: but the other side has no bond
00:21 < cyberbootje> as in, the other hosts
00:21 <+catphish> cyberbootje: the other side is the switch
00:21 < cyberbootje> hmm ok
00:21 <+catphish> switch one side, host the other
00:21 < Apachez> oh noes not THE switch
00:21 * Apachez runs away screaming with his arms well above his head
00:21 < cyberbootje> that's set to lacp "standard" whatever that may be
00:21 < Apachez> when you do lacp you need to verify two things
00:22 <+catphish> cyberbootje: if you can't change the switch config, don't worry, just means traffic the other way won't be balanced so well
00:22 < Apachez> 1) set the lacp timer to "short" (that is the lag will form within 1 second instead of 30 or so seconds)
00:22 <+catphish> Apachez: i didn't know that was a thing
00:22 < Apachez> 2) change hashalgo into (if possible) srcip+dstip+srcport+dstport, sometimes this is called layer3+layer4 algo
00:22 < cyberbootje> catphish: i probably can change it, i will have to check what it supports
00:22 < Apachez> catphish: running away screaming?
00:23 <+catphish> cyberbootje: well set them both to l4 if possible
00:23 <+catphish> but it's fine if they don't match
00:23 < Apachez> yeah and the point 1 and 2 above must be done at all participating devices (switches)
00:23 < Apachez> yeah but suboptimal
00:23 < Apachez> flows in one direction will be somewhat loadbalanced while flows in the other direction will only use one cable
00:24 < cyberbootje> i would need to crack open the documentation
00:24 <+catphish> i was supposed to be learning iscsi tonight
00:24 < Apachez> so in A->B you get redundancy + increased bandwidth
00:24 < Apachez> while B->A you only get redundancy
00:24 < Apachez> also note that increased bandwidth means total bandwidth, a single stream/session will still only be able to use the capacity of a single cable
00:24 <+catphish> l2 hashing still works, just means it's assigned per mac only
00:25 < Apachez> but if you download 2 files at once the l3+l4 hashalgo, unless you are really unlucky, will end up using two cables (one cable for one filedownload and the other cable for the other download)
00:25 < Apachez> yeah but then a single host wont be able to push more than a single infrastructure link
00:25 <+catphish> not really that unlucky, with 2 links its a 50% chance
00:25 < Apachez> depends on how the hashalgo is being used
00:26 < Apachez> some devices will use a roundrobin
00:26 < Apachez> some will just do a bitwise match and if even it goes link1 or odd then link2
00:26 <+catphish> i thought it was always the latter
00:26 <+catphish> way less processing needed
00:26 <+catphish> otherwise you'd need a table
00:27 < Apachez> if we look at portnums you have more odd ports than even ports
00:27 < Apachez> and this goes both ways
00:27 < cyberbootje> well for now it does not work so i will need to check what the switch can do
00:27 < Apachez> so you will end up with an odd combo is more likely than even combo
00:28 < cyberbootje> bummer, don't think it can handle it
00:29 <+catphish> well it'll work for traffic from that server at least
00:29 < cyberbootje> or i'm just stupid
00:29 < cyberbootje> any chance you know the switch? VDX 6740
00:31 < cyberbootje> other way around works perfect
00:31 < tds> cyberbootje: what direction do you mean by "other way around"?
00:31 < cyberbootje> 2 x host(1 x 10G) --> 1 host (2 x 10G lacp)
00:32 < cyberbootje> i get 9.89Gbit on each machine
00:32 < tds> hmm, that could just be the switch hashing based on l2 info and not l3 then
00:33 < drac_boy> hi
00:33 < cyberbootje> tds: probably, but i'm afraid the switch can do standard LACP only
00:33 < cyberbootje> need to check it in the morning
00:34 < drac_boy> just curious about it but what do you think about a full size wifi card versus buying a mini-to-full slot adapter and using a mini wifi card? (its the same antennas on rear in either setups anyhow)
00:38 <+catphish> drac_boy: really shouldn't matter
00:39 <+catphish> cyberbootje: yeah thats your switch hashing
00:40 < drac_boy> thanks, suspected cost was the only possible difference catphish :)
00:40 <+catphish> cyberbootje: you could change the MAC on one of the 2 x 10G hosts until it works :)
00:41 < cyberbootje> catphish: i'm going to try that
00:42 < cyberbootje> for now i'm googling and i find it hard to believe a Brocade VDX can't do this
00:47 < CannedSpinach> if I can't resolve a server's hostname on my own network, what are the troubleshooting steps?
00:47 < CannedSpinach> it resolves fine on one computer but struggles with another
00:48 < Chojuan> man hosts
00:49 < cyberbootje> catphish: changing the mac of one slave breaks connectivity to one of the other hosts
00:50 < xamithan> setup the computer with the same DNS that resolves on the other computer
00:51 < CannedSpinach> xamithan: is there a file to transfer or something?
00:51 < CannedSpinach> the problem computer is using the same hosts file as another computer that connects just fine
00:52 < xamithan> Maybe, if the entry is in the hosts file
00:52 < nuka-cola_> CannedSpinach: on linuxes its /etc/resolv.conf, on windows or macs i have no clue
00:52 < Chojuan> there is a problem with 802.1AX
00:52 < cyberbootje> catphish: think i found it, i would need this right?
00:52 < cyberbootje> dst-mac-vid Destination MAC address and VID based load balancing
00:52 < cyberbootje> src-dst-ip Source and Destination IP address based load balancing
00:52 < cyberbootje> src-dst-ip-mac-vid Source and Destination IP and MAC address and VID based load balancing
00:52 < cyberbootje> src-dst-ip-mac-vid-port Source and Destination IP, MAC address, VID and TCP/UDP port based load balancing
00:52 < cyberbootje> src-dst-ip-port Source and Destination IP and TCP/UDP port based load balancing
00:52 < cyberbootje> src-dst-mac-vid Source and Destination MAC address and VID based load balancing
00:52 < cyberbootje> src-mac-vid Source MAC address and VID based load balancing
00:53 < drac_boy> 0_o
00:53 < xamithan> spamming it up
00:54 < drac_boy> yep
00:54 < cyberbootje> sorry, didn't expect it to push it out one per line ugh
00:54 < CannedSpinach> nuka-cola_: would modifying the problem computer's hosts to redirect said domain name to the server's local IP address work?
00:55 < xamithan> Do you even run a home DNS server CannedSpinach ?
00:55 < CannedSpinach> xamithan: I don't believe so, I just have a bunch of DIY projects on my raspberry pi
00:56 < Chojuan> edit hosts easy way
00:57 < xamithan> Then just throw whatever you want in the hosts file
00:57 < CannedSpinach> xamithan: I am sort of concerned about the root of the issue here though
00:58 < CannedSpinach> it's a domain name ending in .local
00:58 < CannedSpinach> and the server was previously connected to on the same machine. I just recently reinstalled the OS and restored the config files from it. so it should be behaving mostly the same. I don't know why it has developed this issue.
00:58 < CannedSpinach> could there be some networking software I forgot to reinstall?
00:58 < xamithan> Nope
00:58 < xamithan> Just add an entry to hosts
00:59 < tds> if you're using .local, it's possible you're using multicast dns for that
01:00 < xamithan> The machine probably had its own DNS server setup and you didn't know
01:00 < CannedSpinach> I am reading now that I need to install Avahi
01:02 < tds> if you want multicast dns, you'll want something like that
01:02 < CannedSpinach> https://unix.stackexchange.com/questions/43762/how-do-i-get-to-use-local-hostnames-with-arch-linux
01:06 < Chojuan> add 192.168.1.100 example.local to hosts
01:09 < Apachez> I would go for src-dst-ip-port
01:35 < guest09328> I want to configure a Remote Access IPsec VPN on a Cisco ASA 5505, using the IPsec VPN wizard. Why do i have to expose certain hosts/networks, in order to be able to make split-tunneling? Why i can't expose the whole network, and still use split-tunneling? Let's say that i want to be able to tunnel to all the corporate resources, but still be able to have unencrypted access to the internet?
01:37 < tds> guest09328: I'm not familiar with cisco stuff, but for a split tunnel vpn like that you'd normally just push a route to cover all of your internal network (eg 10.0.0.0/8), rather than routes per individual hosts
01:37 < redrabbit> is there a way to use secure dns with the new cloudflare service on the edgerouter lite?
01:37 < redrabbit> DNS over HTTPS (DoH)
01:38 < cluelessperson> so reporting back on Unifi stuff
01:38 < cluelessperson> Unifi's equipment seems to work pretty well for enterprise environments
01:39 < cluelessperson> has a couple of caveats here and there, but once you figure it out, which is a pain in the ass, it works
01:39 < cluelessperson> examples like, Their G3 micro security cameras don't see hidden networks. You have to connect to a network then hide the network
01:39 < cluelessperson> or, their Security Gateway doesn't really support management vlans
01:40 < cluelessperson> through the gui anyway
01:42 < Apachez> meep meep https://imgur.com/gallery/LDGUvhq
01:43 < Chojuan> devices with auto connection to hidden networks are vulnerable
01:43 < guest09328> tds: I know, that is what confuses me. "To expose the entire network behind the most secure interface to remote VPN users without NAT, leave the Exempt Networks field blank" - i am leaving the field blank. I then tick the "Enable split-tunneling to let remote users have simultaneous encrypted access to the resources defined above, and unencrypted access to the internet". Then, i am getting the error: "In order to enable split
01:44 < redrabbit> !reload
01:44 < xamithan> vulnerable to what
01:44 < guest09328> of your network in the Exempt networks field above
01:44 < guest09328> Why should i expose only *some* of the network, and not the whole network?
01:44 < Chojuan> to attacks
01:45 < cluelessperson> Chojuan: vulnerable in what way?
01:45 < cluelessperson> I doubt hidden wifi is more vulnerable than wifi
01:45 < Chojuan> I heard about it some time ago, I am not security expert
01:46 < tds> guest09328: I'd expect you to have to add to an included networks list at some point, I assume "excluded networks" is if you're doing the opposite (ie default route over the vpn, but let all the clients push youtube traffic over their original default gateway to save on bandwidth)
01:46 < Chojuan> I am not sure, but they are continuously asking for AP's
01:47 < xamithan> attacks from what
01:47 < Chojuan> client is continuously asking for hidden AP
01:48 < E1ephant> cluelessperson: yeah, and support is probably not quick to address those issues, but then again $super_cheap
01:48 < xamithan> Maybe your client sucks
01:48 < E1ephant> you can't whitelist the management in-band?
01:48 < E1ephant> or limit it to one tag?
01:48 < E1ephant> that is kinda weak
01:49 < cluelessperson> E1ephant: who are you talking to?
01:49 < E1ephant> you re: ubnt usg
01:49 < cluelessperson> E1ephant: You can, it's just a major PIT
01:49 < cluelessperson> PITA
01:49 < E1ephant> ah
01:49 < cluelessperson> E1ephant: So, when you bring up a UNIFI network, you bring up the USG first (defaulting to 192.168.1.*), connect a controller, switch, configure the controller provision
01:50 < cluelessperson> E1ephant: Basically, trying to provision blank USG and SWITCH from a VM server is really hard
01:51 < xamithan> So from some google searching it says that probes sent every 60 sec with ssid name if your ssid is hidden. But if it isn't hidden then people get the ssid name anyway. I still don't see how this makes it any less secure or more susceptible to attacks as the ssid name would be available for anyone to see in either case Chojuan
01:51 < E1ephant> ah yeah, weird you can't go controller first
01:51 < cluelessperson> E1ephant: the vm server tags the management network, need to somehow get the switch up, configure it to tag management the USG port, reset the USG
01:51 < cluelessperson> reconfigure the USG with the controller
01:51 < cluelessperson> PITA to get right
01:52 < cluelessperson> E1ephant: I mean you can, maybe I did it weird
01:52 < cluelessperson> my scenario was hard though
01:52 < xamithan> According to some it would make it so people could setup rogue APs for a MITM attack, but that is ridiculous as they would have to know the password or have the security key. Which means you'd already be compromised
01:52 < cluelessperson> E1ephant: shouldn't be an issue for anyone else
01:52 < ntd> so, we opened a new branch, HQ stood for all the planning, execution and directions. turned out to be an unmitigated disaster, too many layers of bs and we kinda opened on schedule but work is still being done two months later
01:52 < cluelessperson> xamithan: yeah
01:52 < E1ephant> if there is a usable api for unifi seems somewhat automatable
01:53 < E1ephant> or easier to get running with ansible or something similar
01:53 < ntd> so, then we're refurbishing an existing location bossman wanted us to handle it ourselves
01:53 < E1ephant> but that said, doesn't look like there is an awesome, well documented API.
01:54 < E1ephant> a couple unofficial ones it seems
01:54 < ntd> six weeks out, i had to coax the org in overall charge into communicating with the electrician
01:55 < cluelessperson> E1ephant: I'm sure there is, I did everything through GUI
01:55 < cluelessperson> E1ephant: What made it MUCH harder for me is that my VM server puts that controller VM on a tagged port
01:55 < ntd> two weeks later, now they're talking, now they know just how insane this timetable is
01:55 < E1ephant> aye that is supposed to be their selling point tho, ease of use
01:55 < cluelessperson> so getting the unifi usg and switch to a point to work with the controller is hard. :D
01:55 < E1ephant> especially that unifi stuff
01:55 < cluelessperson> E1ephant: oh it's easy, I'm just being really strict and paranoid
01:55 < cluelessperson> :D
01:55 < E1ephant> :>
01:55 < ntd> and i got flak for interfering. not explicitly
01:56 < ntd> anyone with experience?
01:56 < E1ephant> ntd: job hunt?
01:56 < E1ephant> sounds pretty redic
01:57 < E1ephant> or if you're contracting, just keep going, the money is still green?
01:57 < E1ephant> contracting/consulting?
01:59 < ntd> hey, i have no choice. shit must be done in four weeks
01:59 < ntd> and these are the contractors i have to work with
02:00 < ntd> and ofc, for us to be able to berate hq for doing it their way, we must be better with limited resources
02:03 < Chojuan> limited resources are a barrier to accomplish a mission
02:03 < ntd> hq had a lot and they shit the bed
02:03 < E1ephant> que: shia bouf just do it
02:04 < ntd> i have 14 good men, none detached from reality
02:05 < Chojuan> you have to identify barriers first
02:07 < ntd> yeah, gonna ride those electricians hard
02:07 < ntd> they will hate me later, but the job gets done now
02:52 < RogerFederer_> merokoyui fuck off
02:52 < merokoyui> wtf
02:52 < Quatermass> haha
02:52 < RogerFederer_> this is not a tennis channel
02:52 < merokoyui> why are you here, you harasser
02:53 < RogerFederer_> i was here first
02:53 < RogerFederer_> why are you stalking me?
02:53 < Quatermass> both of you get a room and/or take it to /msg children
02:53 < merokoyui> uhm ive been here for a while bruh
02:53 < merokoyui> no i'm setting him on ignore
02:53 < merokoyui> jfc
02:53 < RogerFederer_> it says you joined approximately 8 minutes ago
02:53 < RogerFederer_> fucking loser
02:54 < merokoyui> i meant ive been joining this chan for a while now
02:54 < merokoyui> jfc
03:22 < whatsupdoc> Hi can someone explain the difference between a routing table and a forwarding table? I still cannot get it
03:24 < forgotten> whatsupdoc: i believe a forwarding table is basically the same thing as a MAC table
03:24 < Quatermass> lol more homework
03:24 < forgotten> layer2 stuff
03:24 < whatsupdoc> Quatermass: please
03:24 < forgotten> just a diff name someone might use
03:25 < whatsupdoc> Learning != homework
03:26 < whatsupdoc> Ok
04:02 < rice_crispy_pop2> pretty sure someone is intercepting my wifi
04:03 < light> sharing is caring
04:04 < rice_crispy_pop2> hmm
04:05 < jim> rice_crispy_pop2, do you have control over the wireless access point?
04:05 < xamithan> Wifi throwing them packets the wrong way?
04:05 < rice_crispy_pop2> I think they are doing it from a Naval ship
04:05 < rice_crispy_pop2> because there were some navy people spying on my twitter
04:13 < Quatermass> rice_crispy_pop2: You've been looking straight into the sun again, haven't you.
05:29 < Queenslayer> Hi guys, I want to setup a small windows server environment with 3 client desktop PCs. Was wanting to know whether the desktops have their own connection to the internet or do they all go through the server?
05:30 < light> Why would they go through the server?
05:30 < Queenslayer> Filtering, firewall? Or do I have the concept wrong?
05:30 < light> Don't you have a router that does this already for the server?
05:30 < Queenslayer> No, it's shite
05:31 < Queenslayer> It's a standard broadband router
05:31 < light> Well, you may want to get a decent one then
05:31 < Queenslayer> That's what I was hoping i could avoid
05:31 < light> If your server goes down for maintenance all your users will lose connectivity
05:32 < light> But sure, you can do firewalling on a router VM
05:32 < Queenslayer> I'd have a backup for redundancy anyway
05:32 < light> You want to create redundant high availability firewalls in front of your broadband router?
05:32 < Queenslayer> Downtime would be minimal
05:33 < Queenslayer> It's not the worst router mind
05:33 < Queenslayer> When I say standard I mean not a Juniper Cisco level router
05:34 < Queenslayer> Internet traffic would be very low
05:34 < light> If it's just for fun go right ahead
05:34 < Queenslayer> That's what it is. A lab environment to test stuff out and learn more about it
05:35 < light> Put pfsense in a VM then
05:35 < Queenslayer> Noted. Thanks light. You must be in the US to be available at this time
05:36 < Queenslayer> Windows Server Hypervisor should do the trick right?
05:37 < light> ESXi is better in my opinion
05:37 < light> But yeah, hyper-v will work
05:37 < Queenslayer> Yeah esxi would be great but HyperV for simplicity for now
05:38 < Queenslayer> Will faff around with the machines to get best performance
05:40 < Queenslayer> light: I've got loads of desktops lying around. Is it worth trying to turn one of them into a gateway router/firewall?
05:41 < light> Yeah why not
05:41 < Queenslayer> To take load off server
05:41 < light> Go for it
05:42 < Queenslayer> light: cool. Any software in mind? Or should pfsense suffice?
05:44 < E1ephant> opnsense, vyatta, vSRX, just plain old bsd+pf
05:44 < Queenslayer> E1ephant: copied, pasted... thanks mate.
05:48 < Queenslayer> Guys you've been great. Love this channel for precisely this expertise. Say Hi to zapotech when he comes
05:48 < Queenslayer> Saves hours on Google
05:51 < forgotten> i haven't seen zapotech in a long time
05:58 < Quatermass> Maybe they mean zapotah...or was s/he banned
05:58 < hagbard__> Question, what happens if a prefix is announced, (let's assume a typo), from two different AS?
06:08 < hagbard> I guess this answers my question, https://bgp.he.net/report/multi-origin-routes
06:09 < psprint> Anyone familiar with sockets API? I want to send ARP packet, but 2 projects that I looked at (arp-scan, arping) use pcap library to do that, like if it wouldn't be possible with sockets
06:11 < Queenslayer> forgotten: Quatermass yes, must have been zapotah
06:11 < Queenslayer> Not been here for a while
06:12 < Queenslayer> He was a fellow Brit as far as I remember?
06:33 < hagbard> psprint: if you're still around, the answer to your question is, "sort of."
06:36 < psprint> hagbard: ah, so bad news
06:36 < hagbard> psprint: The long answer is that ARP packets are layer2/ethernet. (You'll notice that's why they're referred to as, "frames" instead of "packets.") Most OS have a method for allowing direct access to an Ethernet card and often that's using the socket API as datagrams.
06:36 < psprint> hagbard: or you mean you know sockets API
06:36 < hagbard> psprint: in linux, you'd be using AF_PACKET and SOCK_RAW in your socket() call.
06:37 < hagbard> psprint: your bind() call gets more complicated, as you need to bind to a specific network interface
06:37 < hagbard> psprint: So, my answer is, there is no cross-platform interface for this, no.
06:37 < psprint> I use lwip on an MCU (stm32). I'm already sending pings, with this socket: s = lwip_socket( AF_INET, SOCK_RAW, IP_PROTO_ICMP );
06:38 < hagbard> psprint: alright.
06:38 < psprint> ok so not portable, but it's for specific MCU
06:38 < hagbard> psprint: The portability problem is solved by the libraries, like pcap that you mentioned.
06:38 < hagbard> They have #ifdef'd code for each particular OS implementation.
06:39 < hagbard> What, in a broader sense, are you trying to accomplish? Is there any particular reason why you can't/dont want to use libpcap?
06:40 < hagbard> Ie, if you want to send specific ARP requests from your MCU, I bet that your lwip library has either, A, hooks for sending/receiving raw ethernet frames and/or, B, has some way of accessing the ARP/neighbor table.
06:41 < psprint> Well I might use pcap, but I would have to find FreeRTOS compatible version, not sure what about STM32 MCU hardware
06:41 < hagbard> The lwip stack you mentioned earlier. Is it opensource?
06:42 < psprint> yes, I'm already accessing arp table, but want to try other method. Yeah LWIP is full of hook stuff, I guess I can access frames
06:42 < psprint> yes
06:42 < hagbard> Well, ARP frames are stupid easy to generate/receive/decode.
06:42 < hagbard> They're all fixed-length fields.
06:43 < hagbard> Just define a struct for the ethernet header and arp request fields, cast a pointer to it.
06:44 < hagbard> Having done this before, please believe me. Ethernet headers are trivial to parse for sending and receiving ARP. In fact, using the word "parse" is overdoing it.
06:45 < psprint> good to hear
06:46 < hagbard> psprint: I happen to be bored, waiting for something else (tape backup. yes. I know it's 2018.) and you've piqued my curiosity. Which version of FreeRTOS are you using?
06:47 < hagbard> I love how, "straight to business," this code is, meaning lines 91-104. https://github.com/aws/amazon-freertos/blob/master/lib/FreeRTOS-Plus-TCP/source/FreeRTOS_ARP.c
06:47 < psprint> well I can reveal that I use CubeMX application from ST, the point is you click "Use FreeRTOS", "Use LwIP", "Enable ethernet", etc. and generate working code :) so I didn't dive into version they provide
06:48 < hagbard> Ok, I stopped marveling it when I realized the author decided MAC_ADDRESS_LENGTH_BYTES is somehow something that would ever change.
06:48 < psprint> hehe
06:48 < psprint> you have to be prepared, it might happen one day ;)
06:48 < Criggie> ethernetv6 will support 256 byte mac addresses.
06:49 < hagbard> psprint: Alright, then I would say my answer to you is the solution you need will likely be rather specific to library you're using for the rest of IP. I'd check the ST documentation for their bundled FreeRTOS and/or FreeRTOS documentation on the LwIP internals.
06:50 < hagbard> Criggie: Will 3/4's of them be essentially constant, like ATM addresses?
06:51 < Criggie> yeah probably :)
06:52 < hagbard> Wow, I'm getting old. I can't remember how much of a native ATM address was some crazy bullshit ISO/ASN.1 prefix.. I just remember a lot of 99 bytes
06:52 < Criggie> love you some cells ?
06:52 < hagbard> long time ago, in a different world and a different era.
06:54 < hagbard> Yeah, here we go, ATM addresses were 20 bytes. 39.99.99.99.99.99.99....
06:58 < hagbard> Ok, I stand corrected. I guess the 39.99.99.99.99 stuff was an IBM convention for some of their ATM stuff.
07:00 < psprint> hagbard: ok, thanks
07:01 < hagbard> I'm still amazed at how widely-used ATM is. Please correct me if I'm wrong, but most of the DSL standards use ATM, with the ethernet most people are used to provided as ATM LANE?
07:08 < hagbard> psprint: Again, I don't know what you mean to do. If you want to send arbitrary ARP requests, FreeRTOS_OutputARPRequest(uint32_t ulIPAddress) seems the fastest/easiest. If you want to intercept the replies, then you probably need to hook their event for that.
07:08 < psprint> hagbard: I'm basically doing network discovery
07:08 < hagbard> psprint: You'll find the details for accessing the network device raw in the "porting" documentation for freertos-tcp
07:09 < hagbard> psprint: neat trick that used to work better in the old days. ping 224.0.0.1. It's multicast all hosts.
07:10 < psprint> you have better network, this pings the host it is run on (loopback?) on OS X (checked now)
07:11 < hagbard> The neat part about it, is that you can sometimes use it to discover hosts on the same ethernet segment configured for a different local subnet. Ie, hosts that a regular OS would not issue an ARP for.
07:12 < hagbard> psprint: So, you may have to specify which interface. If run on your loopback, then I wouldn't expect a reply from any other host for obvious reasons.
07:12 < hagbard> psprint: are private messages ok?
07:13 < psprint> cool, I'm basically in such situation, silently counting on that Mac, which does NAT on en0 (Ethernet) onto en1 (wifi, local network) will forward ARP query from en0 to en1 and then forward back the response
07:13 < psprint> hagbard: yeah
07:14 < hagbard> So, I don't entirely follow what you mean. I'm assuming normal, traditional, layer 3 NAT where layer 2 ARP would never be forwarded.
07:16 < psprint> yeah, I'm expecting this actually, i.e. expecting problems, but I'm hoping that I can configure OS X firewall (pf) to do the en1 <-> en0 ARP forwarding. Effect should be like this, but bidirectional heh: sudo dumpcap -i en1 -f arp -w - | sudo tcpreplay -i en0 -
07:16 < hagbard> Ok, no offense, but I still don
07:17 < hagbard> Ok, no offense, but I still don't follow what on earth you're trying to do / what you're smoking.
07:17 < hagbard> Because it sounds like you're trying to bridge the network interfaces, but only for ARP packets?
07:19 < psprint> hagbard: I want to jump over that's-the-reality obstacle, i.e. do ARP discovery from host that's not on the network (it's attached to computer that *is* on the network)
07:20 < psprint> the reality == ARP is for network segment
07:21 < hagbard> Right, so, then the NAT you mean is changing the source and destination of the IPv4 addresses of the ARP requests to match the different subnets?
07:22 < psprint> w8 I will draw this
07:22 < hagbard> You'll find IP implementations follow conventions, typically called the, "open" model, where they'll answer an ARP request received on any interface if its for an IP associated with any interface configured on the host, regardless of what interface it was received on.
07:23 < hagbard> Other IP implementations follow the, "closed" model, and will only respond if the request received is for the address configured on the interface that it was configured for.
07:24 < hagbard> for what it's worth, I don't understand how any of the OS X/NAT/ARP forwarding relates to the STM MCU situation, either.
07:30 < cluelessperson> Can someone here suggest something?
07:31 < cluelessperson> I want to have several VMs with say, 2, 8 TB of data available to them
07:31 < cluelessperson> should I make a massive iscsi 10TB drive?
07:31 < cluelessperson> or should I create NFS shares?
07:31 * cluelessperson is really against NFS shares on his storage server
07:32 < hagbard> Why?
07:33 < hagbard> So, NFS allows the client to defer all the processing and overhead of the filesystem to the server.
07:34 < cluelessperson> hagbard: to the storage server?
07:34 < hagbard> This is assuming that you mean the VM is going to mount the nfs filesystem natively. If you're talking NFS vs iSCSI for your network ESXi datastore, then that's different. 07:34 < cluelessperson> hagbard: because I like how secure and easy it is to have 1 massive iscsi pipeline, rather than managing like 5 samba/nfs shares between servers 07:35 < hagbard> So, samba is unrelated to NFS. 07:35 < cluelessperson> they're both filesharing over network 07:35 < hagbard> Yes, but, it's a bit like gas and diesel cars. They're both cars, they go from place A to B, but sometimes the details matter. Like, at the gas pump. 07:35 < hagbard> Don't get me wrong, though, I do appreciate your point about less management. 07:35 <@pppingme> cluelessperson do you already have a storage server with that much space? 07:36 <@pppingme> or are you building from scratch? 07:36 < cluelessperson> pppingme: VM_Server -10G-> ZFS Server(14TB) 07:36 < cluelessperson> pppingme: hagbard You know, I think the problem is more, "how do I backup a zvol" ? 07:37 < hagbard> cluelessperson: Which VM platform? VMWare/ESXi? And, would you be storing a virtual disk image via NFS or actual files? 07:37 <@pppingme> yuck, personally I wouldn't trust zfs to store for a vm setup 07:37 < cluelessperson> hagbard: testing proxmox for now 07:37 < cluelessperson> pppingme: Yuck? 07:37 < cluelessperson> pppingme: I love ZFS 07:38 < hagbard> pppingme: The surprising part to me is that administering NFS on ZFS is about the easiest NFS administration I've ever found. 07:38 <@pppingme> its way too fragile, and no mainline linux distrib has picked it up, there's a reason for that 07:38 < cluelessperson> pppingme: fragile how? 07:38 < hagbard> I'm guessing pppingme has been burned in the past by it. 
07:38 < cluelessperson> sounds like a configuration issue 07:38 <@pppingme> I've seen way too many horror stories that all are based around zfs 07:38 < hagbard> pppingme: Tell me a networking product or protocol that doesn't have horror stories. 07:39 <@pppingme> nope, never used it personally, but have seen it used, and the 'net is just full of horror stories 07:39 < cluelessperson> hagbard: pppingme Honestly, the only reason I'm avoiding large iSCSI pipeline is because I'm afraid it'll be hard to backup the ZVOL 07:39 < hagbard> (To be fair.) 07:39 < cluelessperson> if I can backup the zvol easily, then it's not an issue 07:39 < cluelessperson> pppingme: I've had no issues with ZFS and I fucking love it 07:39 < cluelessperson> snapshots are amazing, deduplication, encryption 07:39 <@pppingme> the real horror is that the stories don't come down to user screwups, but massive data loss then dev's blame it on hardware or anything else except the crap protocol it is.. 07:39 < cluelessperson> iSCSI ZVOLS 07:39 < psprint> Uh I accidentally quitted 07:40 < cluelessperson> pppingme: I've never seen that 07:40 < hagbard> psprint: you didn't miss much. 07:40 < hagbard> cluelessperson: I believe the notion is you don't backup the zvol itself, you'd have whatever is using the zvol back the data up. Otherwise, how are you going to guarantee consistency? 07:41 < hagbard> Ie, I don't backup my external harddrives by cloning one to the other at a sector level. Instead, I copy the files from the first to the second. Ideally, with some kind of logic to only copy over changes. 07:41 < cluelessperson> hagbard: consistency of what? 07:42 < hagbard> cluelessperson: The filesystem that's presumably stored on that block device. 07:43 < hagbard> pppingme: I'll say one thing about ZFS. When running on Solaris and on Sun Hardware. It served me admirably well and reliably. 07:43 < hagbard> But, those days are long gone. 07:43 < hagbard> And, no, I didn't bother with a support contract. 
07:44 < hagbard> These were Sun x4540's. 07:44 < cluelessperson> hagbard: I mean, as long as the backup is the same, it doesn't matter what files are on it 07:44 < cluelessperson> as long as the blocks match, the files will too 07:45 < hagbard> cluelessperson: 07:45 < hagbard> err 07:45 < hagbard> You're talking about offline backups, then. Like, you shut down the VM and then do the backup, right? While nothing is accessing it? 07:46 < cluelessperson> hagbard: in this case, I don't really care about the VMs themselves, just the data they're working on 07:46 < hagbard> Incidentally, I think you'd be better off asking this in, possibly, a more proxmox dedicated channel. 07:46 < hagbard> cluelessperson: That's my point, the data. You don't want to back up your data, for example, while the VM is half-way through writing out a file, right? 07:47 < cluelessperson> sure 07:47 < aeo1ack> weechat crashed twice, I'm on irssi now 07:47 < cluelessperson> hagbard: presumably, ZFS can snapshot the ZVOL, then backup and delete the snapshot 07:48 < hagbard> So, unless you're running your backup software inside the VM - where the software is interacting with the OS kernel running inside the VM - then you can't guarantee the backup is consistent without shutting the VM down. Files aren't being written out to disk very often and, generally, the process happens quickly. 07:48 < hagbard> But, you still run that risk of getting an incomplete file, for example. 07:49 < hagbard> If you take a zvol snapshot, there's no synchronization with the OS in your VM to confirm everything meant to be written to the disk has been written. This is essentially the same situation/scenario as when a computer loses power. 07:50 < hagbard> I believe this may be related to why you're having difficulty finding solutions for backing up your zvols. 
07:50 < cluelessperson> hagbard: so for now I have a 1TB ZVOL shared over iSCSI, and I could make multiple SAMBA file shares, but it's more to manage 07:51 < cluelessperson> iSCSI for system drives, SAMBA shares for storing large files (torrents, NVR cameras) etc 07:51 < hagbard> Would you be storing files on the samba shares or would you be storing a big virtual-disk image? 07:51 < cluelessperson> files 07:51 < hagbard> Ok, that's a big difference. 07:51 < hagbard> In that case, I would totally do NFS or CIFS for the file data. 07:52 < cluelessperson> hagbard: CIFS? 07:52 < hagbard> iSCSI for the system drives, sure. If they're not that big, though, just keep em local on your file server. 07:52 < sandman13> can you configure both sFlow and NetFlow on a device that supports both? 07:52 < hagbard> CIFS is the protocol used by samba. 07:52 < cluelessperson> hagbard: the reason for SAMBA is because torrents need to be shared to the local network, to windows machines 07:52 < cluelessperson> ah 07:57 < GenteelBen> cluelessperson: you share torrents?! 08:01 < cluelessperson> GenteelBen: that is literally what torrents are for 08:10 < GenteelBen> cluelessperson: torrents are for keeping. 08:11 < GenteelBen> https://lh3.googleusercontent.com/-0Rb3WW40RZc/TiiMoFIVYpI/AAAAAAAAA90/wL1TJqXu6rc/w530-h353-n/1310782030392.jpg 08:12 < GenteelBen> That's me when I find a new game soundtrack torrent. 08:12 < ubuntu> hello guys! 08:13 < GenteelBen> ... 08:13 < cluelessperson> GenteelBen: what 08:15 < whatsupdoc> anyone to help? plz 08:16 < whatsupdoc> https://i.imgur.com/Km81fPA.png 08:20 < whatsupdoc> https://www.youtube.com/watch?v=lNA8tGRBJko 08:20 < pathrocle> i developed a ftp server that saves some data into a database, on a beaglebone... 
the client wants the device to be scanned with nessus first, but i have no clue what exactly he wants 08:23 < `7hr34t_hvntr> anyone able to speak to why wireshark colors TCP keep-alive and TCP retransmission the same color, red text on black bg 08:24 < whatsupdoc> :'( 08:27 < `7hr34t_hvntr> is there some way to maybe pop out two hosts in wireshark without losing my place in all of the packets im looking at 08:27 < `7hr34t_hvntr> say like a new window with just traffic between those two hosts 08:35 < whatsupdoc> https://i.imgur.com/OtzLZQa.png 08:36 < whatsupdoc> Anyone?????? 08:57 < realbadhorse> Is there any program I could use to set a `nice` equivalent for network usage? 08:57 < `7hr34t_hvntr> anyone know why during what looks like about 30 smb sessions, a host would send out echoes to each of those smb servers right around the end of the connection 08:58 < `7hr34t_hvntr> looks like it corresponds with a bunch of retransmissions and keep-alives 09:01 < Mandrake> hey guys! 09:11 < GenteelBen> Yo Mandrake. 09:11 < GenteelBen> When are you going to find a nice Womandrake and settle down? 09:13 < light> He doesn't want to sap and impurify his precious bodily fluids. 09:14 < hypercore> is there any way to force update DNS records? 09:14 < light> rndc reload 09:14 < hypercore> light: is that via my domain registrar? 09:14 < hypercore> *is that done 09:15 < light> wat 09:15 < hypercore> light: what is rndc reload? 09:15 < light> what are you trying to accomplish? 09:15 < SlashLife> hypercore: You mean you updated your DNS record and now you want to force my cache to be updated without waiting for the TTL to pass? 09:15 < light> ipconfig /flushdns 09:16 < hypercore> i've changed the ip of my vps on my hosting provider, but it's still pointing to the old VPS 09:16 < light> lol 09:16 < hypercore> i want to update it to the new VPS's ip 09:16 < hypercore> SlashLife: yeah 09:16 < light> step 1, did you change the A record? 09:16 < SlashLife> No, it likely is not. 
You just have someone in between who *caches* that record. 09:16 < hypercore> light: yeah 09:16 < light> step 2, wait. 09:16 < SlashLife> And no, you cannot force them to recheck. 09:16 < hypercore> that's all i wanted to know, thanks 09:18 < SlashLife> If you have records which you expect to change in the near future, or which you change regularly, you should lower your TTLs ahead of time. 09:19 < SlashLife> (Which still won't solve the caching and waiting thing - you'd just have to wait *shorter*.) 09:21 < hypercore> SlashLife: good to know, thanks man 09:28 < Mandrake> GenteelBen haha lel, yet still nice to find tho 09:39 < tpanarch1st> Hi, what’s the most advisable way to transfer an ssh certificate to an iPhone please? 09:42 < sep_> tpanarch1st, "to an iphone?" i would guess that is application specific. 09:44 < tpanarch1st> Ah maybe 09:44 < tpanarch1st> Like, I figured sending myself an email is hardly appropriate :-) 09:45 < jvdmr> tpanarch1st: through iCloud, or via AirDrop, I guess? 09:46 < jvdmr> but yes, it's at least partly application specific, because whatever app you want to use has to support opening files somehow 09:47 < jvdmr> if it expects you to copy/paste the key (as in the file's contents), I would suggest Notes 09:47 < tpanarch1st> Mmm that is an idea 😊 09:47 < jvdmr> which is still iCloud, I guess 09:47 < tpanarch1st> Food for thought! 
09:47 < tpanarch1st> It’s a shame apple doesn’t have anything specific for this 09:47 < tpanarch1st> But then, according to them, Apple users don’t use Linux 09:48 < jvdmr> now that I think of it, Apple does support ssh keys in Keychain 09:48 < jvdmr> but again, the ssh app on your iPhone would have to support using Keychain then 09:49 < tpanarch1st> Yeah - I don’t get why Apple will not just let people use Linux since they are sooo close 09:49 < tpanarch1st> Seems daft to me and I think that’s where the issues start as they don’t really want people to use Linux for some reason 09:50 < jvdmr> I'm not sure what you mean there - like have a Linux version of iTunes to sync your iPhone with? or some other tool? or actually run Linux on your iPhone? 09:50 < tpanarch1st> Like Linux version of iTunes 09:51 < tpanarch1st> Cos Apple stuff really comes into its own, to me, with iTunes 09:51 < jvdmr> ah, yes, I do agree that's a shortcoming 09:51 < tpanarch1st> It’s got to be totally deliberate since Apple stuff is built on Unix anyway right? 09:53 < tpanarch1st> But I’ve bought Shelly so I’m looking forward to testing that out as I wanted to access my server shells from my iPhone in bed lol! If I fall asleep the laptop will fall off the end of the bed! 09:54 < jvdmr> I've got Termius, but haven't tried putting in ssh keys so far 09:54 < jvdmr> every time I need to use it I tell myself I'll get to it soon, but it's been a while now :p 09:55 < tpanarch1st> Ah fairs 😊 I’ve locked down password access altogether so i’ll be damned if I’m going to downgrade my security just because Apple want to be awkward 😊 09:55 < tpanarch1st> Hehe - yeah we all have jobs we don’t look forward to! 
09:57 < tpanarch1st> Maybe a silly question but if you ssh over WiFi, does that mean the data transmitted is secure (like a https certificate) 09:57 < hey2> yes 09:58 < tpanarch1st> 😊 09:58 < hey2> just dont use telnet 09:58 < hey2> or do 09:58 < tpanarch1st> Hehe 09:59 < tpanarch1st> That’s nice, right thanks you two - I need some sleep as my friend has been over overnight and I’m slowly going barmy ha 09:59 < hey2> "you two"? :-o 09:59 < hey2> I am going barmy right now too, out of boredom 09:59 < tpanarch1st> Yes you and jvdmr both helped me 09:59 < hey2> I didn't see that 10:00 < tpanarch1st> Ah fairs 😊 have a good day/evening 10:00 < hey2> I have been sitting here monitoring equipment for 4 hours now 10:00 < tpanarch1st> Ugggghhhh 10:00 < hey2> nothing has broken 10:00 < hey2> just got an alert a minute or two ago, got excited to go do something 10:00 < tpanarch1st> Download word cookie on your phone! 10:00 < hey2> and it is the same piece of equipment that has been dropping packets intermittently for weeks 10:00 < tpanarch1st> Glad nothing has broken though! 10:00 < hey2> so disappeared immediately after lol 10:01 < tpanarch1st> Oh so you are trying to spot a fault 10:01 < hey2> No 10:01 < tpanarch1st> Ah I guess that’s annoying 10:01 < hey2> I am in a datacenter right now monitoring servers 10:01 < hey2> and nothing is broken 10:01 < tpanarch1st> But clearly something is wrong and you’re having the devils own job trying to find it then 10:01 < hey2> No, nothing is wrong 10:01 < hey2> everything is fine 10:02 < tpanarch1st> Oh, the packet drops? 10:03 < TotallyNotKim> ayyy. Is there a way to debug dns on debian? I got this in my resolv.conf, but it doesnt seem to append the search domains. I tried with the trailing . 
and without, no luck :( 10:03 < hey2> That is just a bad configuration 10:03 < tpanarch1st> Oh fairs hey2 10:03 < hey2> I don't have credentials to log in and check it, I just got alerts for it 10:03 < hey2> it's a different teams responsibility 10:03 < hey2> sweep it under the rug for the time being 10:03 < hey2> lol 10:04 < hey2> Just hard to stay up @ 1am with nothing to do, and I have to be here until 8am 10:04 < tpanarch1st> Indeed! Takeout and a few beers mate 10:04 < hey2> can't drink 10:04 < Emperorpenguin> ^ 10:04 < hey2> might go make an easymac or something 10:05 < hey2> I got the new issue of 2600 to read I suppose 10:05 < Emperorpenguin> what do you mean you can't drink 10:05 < Emperorpenguin> how are you alive 10:05 < hey2> I'm not supposed to drink beer at work lol 10:05 < tpanarch1st> Hey TotallyNotKim i’m rubbish at networking to be honest but I do know that dig could be your friend... 10:05 < Emperorpenguin> you're not _supposed_ to 10:05 < Emperorpenguin> doesn't mean you _can't_ 10:05 < hey2> Honestly 10:05 < hey2> if I drank alcohol right now 10:05 < hey2> I would fall asleep 10:05 < Emperorpenguin> good point 10:05 < Emperorpenguin> then beer + coffee 10:05 < tpanarch1st> Ah sensible hey 10:05 < hey2> and the person who takes over my shift in the morning would find me in the chair with everything on fire 10:06 < Emperorpenguin> = bathroom 10:06 < TotallyNotKim> tpanarch1st: yeah, have to find out what evilish combi of arguments I need 10:06 < tpanarch1st> You don’t want any trouble on your watch hey2 10:06 < hey2> I mean 10:06 < hey2> I "KIND" of do 10:06 < TotallyNotKim> matter of fact, I spied on DNS using tcpdump and theres really only one A request happening 10:06 < hey2> because it is something to do at this point 10:06 < TotallyNotKim> without the search domains 10:06 < hey2> but… I suppose this is the paradox of IT work 10:06 < hey2> Nothing is broken, why am I here? 
10:06 < tpanarch1st> TotallyNotKim: I’m rubbish at man but if you’re a better tech than me, maybe you can understand man dig 10:06 < hey2> Everything is broken, why am I here? 10:07 < tpanarch1st> hey2: just go home and leave your printed debug “connection failed - alcohol=0 fatal error” on the desk 10:07 < hey2> I would 10:07 < hey2> but this is my first time back at work in almost 2 weeks too 10:08 < hey2> I was on vacation in the Cayman Islands 10:08 < hey2> they're going to think I developed an alcohol problem 10:08 < tpanarch1st> Hey2 “fatal error on line 2000 - holiday < 6 months connection failed. “ 10:09 < tpanarch1st> Hey2 I wonder how many of us end up watching stuff so it’s thing whilst getting a touch inebriated 10:09 < tpanarch1st> Do* 10:10 < tpanarch1st> TotallyNotKim: there is also #dns - I find them rather strict but they might be worth calling on... 10:10 < tpanarch1st> Also go back to the basics, make sure syntax is correct etc 10:11 < tpanarch1st> And dns can take a little while to propagate too 10:11 < TotallyNotKim> tpanarch1st: that's just typical irc elitleism haha 10:11 < TotallyNotKim> the dns server is local 10:11 < hey2> its always DNS 10:11 < tpanarch1st> What is elitism? 😊 10:11 < hey2> l33t15M 10:12 < tpanarch1st> Hmm? 10:12 < TotallyNotKim> tpanarch1st: "The belief that certain persons or members of certain groups deserve favored treatment by virtue of their superiority, as in intelligence, social standing, or wealth." 10:13 < tpanarch1st> Oh sure I know the word but yeah I see where you are perhaps coming from 😊 10:13 < tpanarch1st> yeah, irc can be a hard place! 10:13 < TotallyNotKim> tpanarch1st: yeah, my dumbass doesnt know how to spell haha. 
IRC is great, if you manage to deal with all kind of people 10:13 < TotallyNotKim> there's the ones you can talk to and these that deserve a /mute 10:14 < tpanarch1st> TotallyNotKim: it’s worth stating what you want to achieve, see if someone else will chip in here 😊 10:15 < TotallyNotKim> got no time for that right now. I thought maybe I was missing something, but the same config works on my test-machine, so something is broken down the line 10:15 < TotallyNotKim> I'll just write the name out for now, let's see if I got time to fix anytime soon 10:15 < TotallyNotKim> haha 10:15 < tpanarch1st> Possibly, sometimes taking that step back with some of the great minds in here can move you leaps and bounds forward though! 10:16 < TotallyNotKim> tpanarch1st: I solved about 100 problems by just starting to type them out here haha 10:16 < tpanarch1st> Maybe do that then - sometimes when you set out your issue it gets you thinking 😊 10:17 < tpanarch1st> Worth asking #debian - “I’m doing x which works in this scenario, but not in y scenario, why” 10:18 < tpanarch1st> But there’s a lot of gifted people here who likely use Debian and work with DNS regularly too anyway 10:19 < TotallyNotKim> wtf, I never posted the link 10:19 < TotallyNotKim> http://paste.debian.net/hidden/cc1b1938/ 10:21 < mgolisch> are there any public dns servers that redirect on nxdomain? 10:21 < mgolisch> want to test something 10:21 < mgolisch> like that return some bogus address for non existent domains/hosts 10:22 < TotallyNotKim> you arent stealing crypto money, are you? 10:22 < TotallyNotKim> but no, I dont think that should happen 10:23 < TotallyNotKim> or do you mean like forwarding 10:23 < tpanarch1st> I have no idea what I’m reading so I shall keep quiet. I just about know what an a record is! 10:24 < adnn> What exactly is happening at the "is the channel idle?" stage ? What's the computer scanning for, technically ? 
https://upload.wikimedia.org/wikipedia/commons/1/1d/Csma_ca.svg 10:25 < tpanarch1st> Bed for me, the very best of luck with your night shift hey2 , TotallyNotKim good luck with the dns and hope you still rich quick (please share some with me) mgolisch 10:25 < tpanarch1st> Get not still* 10:26 < TotallyNotKim> gn8 10:26 < tpanarch1st> 😊 11:04 < rigoewba> hi i'm in a corporate network and have 2 pcs on my table a new and an old and trying to copy the data via ftp. i already copied some but after a while the connection gets lost 11:05 < djph> use literally anything else 11:05 < rigoewba> ping says general failure on the old and timeouts on the new. everything else is pingable and works just fine 11:06 < rigoewba> the ping and the connection comes back after a longer while didn't measure the time. perhaps the network is restricted. can that be? to protect such traffic? 11:13 < djph> that wouldn't be "normal" to just randomly shut down ports because of traffic (although, FTP is cancer, so maybe) 11:16 < rigoewba> that's what i thought. \\hostname\share doesn't open even when they're seeing each other.. 11:17 < hey2> FTP is cancer? 11:17 < hey2> Watch yo mouth, boi 11:18 < mast> I love watching huge screens of "Permission Denied" scroll across my screen 11:18 <+xand> FTP is a pile of shit 11:18 < rigoewba> it annoys me shitless. not only because i already copied about 60gibs but bc i can't let things go.. i want to solve it and now. :) 11:19 < hey2> xand I bet you use TFTP 11:19 <+xand> yep 11:19 < mast> And like only for like super trivial stuff tho 11:19 < rigoewba> windows is so cool. "unspecified error" :D u must luv it. 11:20 < mast> Its only because I'm dicking around in ubuntu and I have no idea what I'm doing 11:20 < idint> guys which tcp congestion algorithm is better suitable for a BGP server running on Linux, cubic or htcp ? 11:21 < pathrocle> how can i buy and use a ssl certificate for lan? 
11:22 < djph> idint: fairly certain (although, I'm not fully caffeinated yet) BGP isn't a TCP protocol ... 11:22 < djph> pathrocle: https://letsencrypt.com 11:23 < djph> granted their certs have to be renewed every 90 days, so it's a bit of a pain. 11:23 < pathrocle> djph, with no access to internet 11:23 < tds> djph: iirc it's tcp on port 179 11:23 < djph> pathrocle: then why bother using a public CA? 11:24 < pathrocle> djph, i don't know.... its for a bank client.... they want https for a platform that runs on the intranet.... 11:24 < djph> tds: indeed it is ... *sigh* wonder what I was thinking of then. 11:24 < djph> pathrocle: OK, so let them be their own CA. 11:24 < idint> not sure if talking about BGP specifically is relevant here, could be OSPF or any, the server is making tcp connections 11:25 < idint> i mentioned BGP just to give an idea of bandwidth needs 11:25 < djph> pathrocle: I mean, if it's "all internal comms", then you have full control of everything; write up your own certs and be your own CA. Unless there's a requirement that it come from a public CA 11:26 < rigoewba> well. here is something. network discovery is turned off. i remember turning it on but it jumps back. no matter even if i open an admin cmd window and put netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes in. 11:26 < bezaban> closed internal networks have a number of problems with public ca certs 11:26 < djph> probably getting windows GPOs pushed out to you. 11:26 < rigoewba> it says updated 48 rules Ok. but the sharing center shows off again 11:26 < bezaban> or rather the browsers do 11:27 < rigoewba> how could i copy already 60gibs then? :D 11:27 < bezaban> no ocsp / crl 11:28 < rigoewba> what to do then? how to copy the data other than dig for a hdd and a usb application for it? 11:28 < djph> bezaban: yeah, but at the same time, it depends on "which part" is disconnected from the rest of the world. 
We've got some bits here that are "gapped(tm)", but you can still access them from setting up a connection via a gateway. 11:28 < djph> rigoewba: ask your IT department? 11:29 < rigoewba> yeah. he's my friend. he says this shouldn't happen. :D and he thinks its a crappy cable. (?) 11:29 < at0m> rigoewba: take the disk out of the old machine, insert it into the new, copy data from disk to disk 11:30 < at0m> for 60GB, that's a helluva lot faster 11:30 < rigoewba> its a laptop - pc situation 11:30 < bezaban> djph: yeah indeed 11:30 < bezaban> djph: used to proxy out certain requests. Java applets running internally would fail on code signing certs etc 11:30 < rigoewba> but i'll just get a hdd from home tomorrow. im tired of this. (btw its not company stuff only music and games :D ) 11:31 < at0m> rigoewba: yea, or external enclosure/esata/.. probably all faster than network 11:31 < rigoewba> gpo is checking every change instantly? didn't know that. i thought it only checks stuff at startup or so.. 11:32 < rigoewba> well what can i do right? good thing this is an it support company :D 11:32 < djph> bezaban: yeah, our gapped crap is just typical https. honestly, I think it's only gapped because some manglement types stack-overflowed in a meeting. There's literally no benefit to moving these behind the stupid gateway. 11:33 < tafa2> Does anyone know where I can get the latest version of Cisco AnyConnect without a Cisco account? :) 11:33 < hey2> hmm 11:33 < djph> your IT department? 11:34 < hey2> you mean, this? 11:34 < hey2> https://software.cisco.com/download/home/286281283/type/282364313/release/4.6.00362 11:34 < rigoewba> they've taken away my 24" displays (ok they were good for pretty much nothing one with only vga connector lol) and i got 15 year old 4:3 19" displays instead. 11:34 < rigoewba> tells everything huh? 11:35 < tafa2> hey2 yeap 11:35 < rigoewba> whops. 
11:36 < mgolisch> its refreshed with whatever your group policy refresh interval is set to 11:36 < mgolisch> usually 60mins 11:37 < tafa2> djph I am the "IT dept" - don't have any Cisco kit 11:37 < tafa2> so no access 11:37 < rigoewba> so the network discovery isn't set back via it.. cuz it happens pronto. never mind thanks for the help. gotta go bye 11:37 < hey2> Did you not get the link I sent you 11:37 < hey2> lol 11:37 < hey2> Oh 11:37 < tafa2> hey2 - you need to login to download the client 11:37 < hey2> You need a contract 11:37 < hey2> that sucks 11:37 < hey2> Well, for what its worth 11:37 < hey2> I have anyconnect on my computer right now :-p lol 11:39 < mgolisch> why do you need that client if you dont have any gear to use it with? 11:39 < mgolisch> if its for accessing a 3rd parties vpn they should provide the client to you 11:40 < hey2> omgord 11:40 < mdm_> what's happen ? 11:40 < hey2> the sky is falling 11:41 < mdm_> hihihi 11:58 < GenteelBen> mdm__: someone forgot to put 50p in the freenode electricity meter. 11:59 < hey2> only 50 pence? 12:02 < tafa2> mgolisch I'm using OpenConnect 12:03 < tafa2> And it's compatible with AnyConnect - just wanted to give it a go 12:04 < mgolisch> ah i see 12:06 < mgolisch> so anyone know of any public dns service that redirects nxdomain? 12:07 < Gollee> what do you mean 12:13 < mgolisch> like one that returns a fake ip for nxdomain 12:14 < mgolisch> some isps do that to redirect you to some guiding page in case you fatfingered the url 12:14 < Gollee> why would any public dns server do this? 12:14 < Gollee> noone would use it 12:14 < Gollee> service* 12:15 < mgolisch> no idea, i just wondered if there was any that does that, guess ill just fiddle around with a local dnsmasq to return some fake ips for some domains, want to test some measures against that bs, causes a lot of pain with our vpn 12:53 < djph> Gollee: because we(your ISP) get all that sweet, sweet ad revenue from you, peasant. 13:14 < oo_miguel> hmm.. 
is it possible that tcpdump shows SOME outgoing packages but the tcpdump on the target computer does not show them? Or is this definitely an ERROR? 13:15 < tds> oo_miguel: that's certainly possible, it suggests there's packet loss between the computers 13:15 < oo_miguel> this is what tcpdump tells me about the outgoing package: Flags [P.], seq 1:394, ack 1, win 229, options [nop,nop,TS val 3643158 ecr 710050678], length 393: HTTP: GET /DATA/GEN/www 13:16 < oo_miguel> and it retries every second, but nothing is received... but other packages work fine 13:16 < oo_miguel> (the browser generating this package retries..) 13:17 < oo_miguel> any suggestions where to start troubleshooting/finding the reason of the package loss? 13:35 < banisterfiend> hi, with ipv4 the local loopback ips are: 128.0.0.0/8 and with ipv6 it's ::1 but what is the 'prefix length' for ipv6 so i can properly capture the range of valid local loopback ips 13:40 < MaxFrames> hello 13:40 < djph> fairly certain loopback in v6 is just ::1/128 13:40 < MaxFrames> I need to backup a device via tftp and the device is behind nat; what are the steps to make it work? 13:40 < MaxFrames> the tftp server is outside the nat 13:41 < djph> ohgodwhy 13:41 < MaxFrames> the server sees the incoming connection, with the original (un-natted) ip address as source, but the next phase (recontact the host) times out, I guess I need to port forward something? 13:41 < djph> or masquerade the outbound tftp session 13:42 < MaxFrames> how does this work? 13:42 < djph> NAT masquerade? 
13:42 < MaxFrames> yes 13:43 < djph> poorly :D 13:43 < djph> sparknotes version -> "all packets leaving the interface X get their source address re-written to that of the interface they're exiting" 13:43 < MaxFrames> I mean: there is an outbound nat rule, so the packets are coming to the server actually from the nat router's external ip 13:43 < MaxFrames> so that part is taken care of 13:44 < MaxFrames> but then afaik tftp implies that the server initiates a tftp connection to the client, on a random port 13:44 < thothcastel__> is one able to exclude ip addresses through asdm or only through cli? cisco aa 5525 13:44 < thothcastel__> asa 13:44 < djph> then the router SHOULD also be getting a response from the TFTP server saying "this response is related to that request you just sent" 13:44 < djph> although ... it's been for fucking ever since I've actually used TFTP 13:45 < djph> so maybe it doesn't behave quite right :( 13:45 < MaxFrames> it's udp so it's stateless 13:46 < MaxFrames> all this because stupid Cisco does not allow to save a config via http 13:49 < djph> ugh, right, fucking UDP 13:50 < Emperorpenguin> MaxFrames: you can do ssh 13:51 < MaxFrames> sftp? 13:51 < Emperorpenguin> scp 13:51 < Emperorpenguin> Not sftp 13:52 < MaxFrames> I don't have that option. Only TFTP, FTP and SFTP 13:52 < Emperorpenguin> Oh then I meant sftp 13:53 < Emperorpenguin> Although it's not real sftp you can't use filezilla 14:06 < MaxFrames> that would work through nat? 14:09 < grawity> what makes it "not real sftp" 14:10 < grawity> scp isn't "fake sftp", it's nowhere even close to sftp... 14:10 < SemiControl> Hi 14:12 < SemiControl> How long does it takes to transfer a domain to another person? 14:12 < grawity> I think it depends on registrar 14:12 < grawity> and on registry 14:14 < SemiControl> grawity, godaddy.. 
whats the usual time 14:16 < SporkWitch> SemiControl: depends on other stuff as well, such as the transfer protection feature that's usually enabled by default; prevents transfers for 60 days after certain changes are made, such as contact info updates 14:19 < SemiControl> SporkWitch, If we talk about godaddy for e.g when a domain is requested to be transferred to another person (change of email and contact of "registrant") a confirmation email is sent to the email of old registrant, if he agrees/clicks on a link, then the "transfer process starts". I just wanted to get an idea that when the WHOIS records actually update and the domain actually gets transferred ( at a point where it is not reversable back 14:19 < SemiControl> to the old registrant without consent of new registrant) 14:19 < SemiControl> grawity, ^ 14:20 < SporkWitch> you'd have to check their policies, that said, get off godaddy asap, horrible company 14:23 < grawity> I thought it's more of a registry thing (verisign for .com) than registrar thing 14:24 < grawity> I've only done transfers between registrars, not between owners, but 14:25 < grawity> I remember that I had mentioned it on IRC and someone (who had previous experience with .com) told me to expect up to a few days :/ 14:25 < grawity> (but it was a few minutes for .eu though) 14:25 < SemiControl> SporkWitch, whats the average time? 14:31 < SporkWitch> read their policy; the only standard thing is the 60 day protection 14:37 < thothcastel__> How many site2site vpns can be configured with a single internet link (single public ip) 14:38 < grawity> normally I'd say no practical limit 14:39 < SporkWitch> could probably make an argument for 2^16 14:41 < grawity> do you mean multiple vpns between the same pair of sites 14:41 < grawity> or many sites, one vpn each? 
14:46 < dogbert2> well, the practical limit is usually memory and CPU in the device in question :)
14:47 < k_> hi dear people, i am having a problem; i have a piece of software called houdini installed on my laptop (windows) that is running a license server that serves floating licenses. While i am in the office everything works perfectly, I point my fedora workstation to the laptop ip and it takes a license without any problems while it totally refuses to do so at home. Any clues ? Thanks in advance :)
14:48 < k_> my home workstation runs fedora too, i tried disabling the firewall but no luck. I can however ping the laptop from my desktop
14:48 < ne2k> what is the canonical way to get both static and dhcp addresses on one interface in linux (ubuntu; ifupdown) these days? I've read that auto eth0 eth0:0; iface eth0 inet dhcp; iface eth0:0 inet static; should do the trick, but the static address doesn't get assigned if the dhcp doesn't work
14:48 < SporkWitch> i chose 2^16, since it doesn't matter how much RAM and how many CPUs you throw at it, there's only 2^16 ports to work with
14:49 < SporkWitch> set the static first
14:49 < SporkWitch> (might also need to do 0:0 and 0:1 in that setup, can't remember)
14:49 < ne2k> SporkWitch, dhcp apparently doesn't work on alias interfaces, so I've read, hence doing it this way round
14:50 < SporkWitch> that doesn't sound right...
14:50 < SporkWitch> i could see only getting one per physical interface, unless you spoof a mac on the aliases, but otherwise the DHCP server wouldn't know
14:50 < detha> SporkWitch: why would each tunnel need a separate port?
14:51 < SporkWitch> detha: how else does the OS know which traffic is for which application?
14:52 < ne2k> SporkWitch, https://askubuntu.com/questions/452317/both-dhcp-and-static-ip-addresses-simultaneously-on-one-interface been working from this
14:53 < Roq> He doesn't state what kind of VPN he is talking about
14:53 < Roq> But there are definitely limitations in regards to how many VPNs your hardware can support
14:53 < detha> SporkWitch: by looking at which SPI it comes in on? (or whatever the ssl based ones use for tunnel ID)
15:56 < jvwjgames> I am having an issue with inbound calling to my pnx
15:56 < jvwjgames> outbound calling works great
15:58 < detha> Just tell people 'Don't call us, we'll call you'
15:58 < jvwjgames> lol nice
16:06 < oo_miguel> I have found some veeery strange behaviour that I experience only from my network: having two very similar http requests, that vary only by one single letter in length. one is delivered to the target and the other is not: see examples: https://pastebin.com/11PbyJeb
16:07 < oo_miguel> in both cases the tcp connection is built up (syn, syn-ack, ack) but in the second case the http request is never delivered
16:11 < djph> err, what is the difference?
16:12 < oo_miguel> one 'a' more :)
16:12 < djph> it's not part of the bullshit "aaaaaaaaa" that you put in there, is it?
16:12 < oo_miguel> it is exactly! one single 'a' more
16:12 < oo_miguel> I suppose i could simplify it more, maybe exchange the complete request with a's
16:12 < djph> or, y'know, not use completely fucked data?
16:12 < oo_miguel> but I am very tired. It took me the whole day to break my problem down to that
16:13 < djph> it took you all day to realize "fucked data = no workie"?
16:13 < oo_miguel> no
16:14 < oo_miguel> data with exactly the length of the second request
16:14 < oo_miguel> first works fine
16:14 < oo_miguel> returns 301 at once
16:14 < detha> oo_miguel: MTU issues?
16:14 < djph> then go look at the server and/or upstream firewall to see why one byte matters
16:14 < E1ephant> ^
16:14 < djph> or rather, if the request even makes it
16:14 < E1ephant> does it get all the bytes?
16:15 < oo_miguel> I experience this problem from my home network only. I am directly connected to my isp router. not sure how to debug it
16:15 < oo_miguel> but I get it happens on different devices, so It is not a driver problem local to my machine i suppose
16:16 < detha> oo_miguel: start with setting MTU on your machine to something low, like 1280, and try again
16:17 < Jordi_> I have a problem related to congestion control in TCP that I am confused about.
16:17 < E1ephant> yeah smells like MTU bad with that information
16:18 < oo_miguel> detha: just did "sudo ifconfig eth0 mtu 1280 up", and it did not help
16:18 < Jordi_> Say you have a 1 GBPS link between city a and b. You need to transfer 10 KB payload from a to b. How long does that take assuming congestion control mechanisms are in place.
16:18 < Jordi_> Is that even enough information to answer that question?
16:18 < Aeso> Jordi_, that's going to depend on a couple of things: The latency between the locations, the packet loss on the line, the congestion window scaling of the sending host, etc.
16:19 < djph> Jordi_: 80,000 bits / 1,000,000,000 bits per second. = not very long.
16:19 < detha> oo_miguel: so much for that theory, then. Is this only on one particular site, or all over?
16:19 < djph> and then add 10 minutes because the network engineers are chewing on the fiber again
16:19 < Jordi_> djph: I didn't understand what you meant
16:20 < Jordi_> Wouldn't I require the window size at least to solve the problem?
16:20 < Jordi_> Aeso: That's all the information I have. Link speed and payload size.
16:20 < Aeso> Jordi_, without more information I can't give you any more detail
16:21 < djph> Jordi_: either the question assumes you have other information (e.g.
"we set the scenario up there, now this is question 2 of N concerning said scenario", or your professor is an ass.
16:21 < Jordi_> I see. Can you point me to some sources where there are solved examples to illustrate how I would go about solving this?
16:22 < Jordi_> djph: I feel like my professor gave me incomplete information. I was just wondering if there are some default values I could assume with which I could solve this
16:22 < Aeso> oh, it's _that_ kind of problem
16:22 < Aeso> we're not going to do your homework for you, sorry:)
16:23 < djph> Jordi_: If it's anything like I used to get in uni, the "information" was provided in a story, or other setup (e.g. the chapter itself) that you were expected to read before answering the questions.
16:24 < Jordi_> I had this in my exam today without any other information.
16:24 < Jordi_> Aeso: I don't want you to solve it for me. I'm just trying to get a feel of how I would solve it, man.
16:24 < Jordi_> *could
16:25 < ne2k> Jordi_, I really don't understand why people persist with these ridiculous questions
16:25 < Aeso> Jordi_, well, let's start with the basics. Do you understand the TCP protocol and its congestion mechanisms?
16:25 < Aeso> If not, you have a fair bit of reading ahead of you.
16:25 < Jordi_> Reno and Tahoe?
16:26 < Jordi_> I understand how additive increase and multiplicative decrease and stuff like that works.
16:27 < Jordi_> But not enough to apply in this problem, I suppose :)
16:27 < Jordi_> ne2k: Me or my professor?
16:27 < Aeso> Draw yourself a diagram of the packet flow, it'll help.
16:27 < ne2k> Jordi_, the professor
16:27 < Jordi_> Ah okay
16:27 < ne2k> Jordi_, how can it possibly be answered without much more information?
16:27 < Aeso> Jordi_, without more context on this class it's going to be tough to know how specific he wants you to get
16:28 < Aeso> this is the physics equivalent of ignoring friction and drag while studying kinematics
16:29 < jvwjgames> I am having a firewall issue with my sip server: outbound calls work with full two way audio but inbound calls fail
16:30 < Aeso> jvwjgames, check your connection expiry timers. The firewall may be timing out the state before the host/server send another set of keepalives
16:30 < djph> there were no distances or RTTs involved, right - it was just "10 KB from city a to b at 1gbps" ?
16:31 < Jordi_> Given the information, I basically added twice (payload by link speed) to put it on the wire and then (distance by speed of light) for transmission for . Oh god, I feel like a moron.
16:31 < Jordi_> djph: It was exactly that.
16:31 < jvwjgames> i am using udp not tcp
16:32 < ne2k> djph, the question just says "congestion control mechanisms". it doesn't mention TCP
16:32 < Jordi_> djph: "Find the time required to send 10KB of payload from city A to B using a link which supports a link speed of 1 GBPS"
16:32 < djph> ne2k: crap, did I say TCP congestion?
16:33 < ne2k> djph, no
16:33 < Aeso> ne2k, what does that even mean, though? IP has no congestion control mechanisms afaik
16:33 < Jordi_> But we only "had" TCP congestion control to study for the exam
16:33 < ne2k> Aeso, the question doesn't even say it's IP
16:33 < djph> Jordi_: (10 * 1000 * 8) / 1,000,000,000
16:33 < Aeso> ne2k, shit, that's true
16:34 < ne2k> Jordi_, well, only you know from the context what are reasonable assumptions to make.
16:34 < Jordi_> djph: So that plus twice the transmission time? Is that the time I would calculate given these values?
16:35 < Jordi_> Oh wait. Not twice. You wouldn't count the ack time. So just propagation + transmission time?
16:36 < Aeso> This question really is garbage.
16:36 < djph> Jordi_: all you know is A to B at speed
16:36 < djph> so who cares about distance, it's just payload / speed
16:36 < detha> payload/speed + 1/2 RTT
16:37 < ne2k> "Slow Start" redirects here. For the Japanese manga series, see Slow Start (manga). # lel
16:38 < Jordi_> Aeso: What is the least amount of information which would make this an okay question?
16:38 < Aeso> ne2k, I would totally read a manga about TCP congestion mitigation :P
16:38 < jvwjgames> Fixed i needed to add allow sip guests
16:38 < Aeso> Jordi_, for a real world answer or for this ultra-theoretical magical world question?
16:39 < Jordi_> Not 'real world' real world, maybe passable for a textbook question?
16:40 < Jordi_> Say given maximum window size is 10 and that starting window size is 1
16:40 < ne2k> djph, you would care about distance if city A was Cuvier and city B was Chasm City
16:40 < detha> Jordi_: for a text-book question, speed, RTT, what protocol or what the protocol overhead is, and the assumption 'zero packet loss'
16:41 < djph> ne2k: sure, but on a shitty test / quiz you don't
16:41 < Aeso> Jordi_, so if you ignore packet loss and assume it's a direct L1 connection between hosts, you need to know the RTT, the MTU, and the TCP window size settings of each host in addition to the file size and link bandwidth
16:42 < Jordi_> detha: Speed of light? For RTT let's assume distance is provided, protocol is TCP?. By protocol overhead do you mean how much header is added? What's zero packet loss here?
16:43 < Aeso> Jordi_, RTT includes your propagation time so you don't have to worry about speed of propagation, distance between cities, etc.
16:43 < Jordi_> So file size: 10KB, link bandwidth: 1 GBPS, TCP window size: 10, MTU: 1KB and RTT = 2* d/c
16:43 < detha> Jordi_: in modern times, if you are given distance, work on 2/3 speed of light
16:44 < Jordi_> detha: Makes sense.
16:44 < Jordi_> Aeso: Ah right. Okay.
16:44 < Jordi_> So how would I calculate it now?
Do I have to do additive increase from window size 1 or start off with window size as 10?
16:45 < Jordi_> Here I guess the window would never overflow since 10/1 == 10 packets. Assume window size is 5 then.
16:46 < ne2k> Jordi_, why would you assume MTU = 1000 bytes?
16:46 < Aeso> Jordi_, well, it's 1.5 RTT for the TCP handshake (again, assuming TCP). After that the sender fills its initial window (you say one packet, the payload size of which will be MTUsize - headers
16:47 < Aeso> the receiver ACKs (+1 RTT), the sender sends two packets, etc etc until you've sent the entire payload
16:47 < Jordi_> I just assumed packet size = MTU here
16:48 < Aeso> but it's worth noting that most hosts start with a larger window size than 10
16:48 < Aeso> err than 1
16:49 < andrzej> hey
16:49 < andrzej> if I have 2 FastEth cards in the machine then to be able to use them as one logical nic with about 200Mbit speed I have to connect them up with a 1Gbit switch because 100Mbit will be limited to 100Mbit ?
16:49 < Jordi_> Aeso: Yeah I suppose.
16:49 < Aeso> Google did a bunch of testing on performance and discovered that an initial window of 10ish iirc and Linux adopted it as default
16:50 < Aeso> here's the paper if you're curious: https://research.google.com/pubs/pub41330.html
16:51 < Jordi_> Aeso: Does that calculation assume the initial window size was 1? Wouldn't time vary because of the fact that I need to additively increase the window size?
16:52 < Aeso> Jordi_, it does, which is why I'm pointing out that it's not very real-world.
16:53 < Jordi_> Aeso: Oh okay. it's just that since the question was under congestion control, I thought I should consider it.
16:54 < Aeso> Without any details about how much other traffic is on the line, there's not much for the congestion control to do. Which is part of why I think it's a garbage question.
16:56 < Jordi_> Hmm. I could just dump 10 Kbytes into this link without any congestion control, couldn't I?
16:56 < Aeso> Jordi_, as UDP packets, sure
16:56 < Jordi_> Oh. As TCP what changes? Need to consider 3 way handshake or something else?
16:57 < Aeso> I mean you could configure your host with an initial window size to whatever you want; it's your host after all. But it's generally considered bad practice.
17:00 < Jordi_> Aeso: Now if I consider congestion control, would incrementally increasing the size of the window by 1 / current window size be sufficient to calculate total time?
17:01 < Jordi_> So basically what I mean is, start with window size 1, send 1 packet, receive ack, set window size = 1 + 1 = 2, send 2 packets, window size = 2 + 1 = 3 and so on until I get to send 10 packets?
17:02 < Aeso> Jordi_, sure.
17:02 < Aeso> Though you'll have sent that 10KB file a long ways before that.
17:03 < ne2k> I think I'd settle for djph's initial answer
17:03 < Aeso> Same.
17:05 < Smallville> Trying to fix Ethernet of a desktop that was working yesterday. I reinstalled the network driver. I used Complete Internet Repair
17:05 < Smallville> Nothing works
17:06 < Smallville> I booted into Linux cd. Ethernet works.
17:06 < Smallville> The desktop is running windows 7.
17:07 < Smallville> If I do a system restore, from last week, will Ethernet work?
17:07 < ne2k> Smallville, what makes you think it's software related?
17:08 < ne2k> Smallville, please describe your network setup. all devices, all interfaces, addresses/masks on interfaces, and interconnections
17:08 < Smallville> Internet worked using Linux parted magic cd
17:09 <+catphish> should i get one of these? any better options for a large screen for side by side work? http://www.dell.com/ed/business/p/dell-u3417w-monitor/pd
17:09 < Smallville> If internet works on Linux then it's not a hardware issue
17:10 < ne2k> Smallville, seems reasonable. is the NIC recognized in Windows? what does device manager say about it? ipconfig? route?
17:10 < ne2k> catphish, two smaller screens? three smaller screens?
17:11 <+catphish> ne2k: i have 2 normal screens right now, but thought this might be nicer
17:11 < Smallville> NIC is listed in device manager. Brand and model
17:12 < Smallville> Ipconfig results are blank as if there is no nic
17:12 < ne2k> catphish, I find two screens annoying, because you end up either having a join right down the middle, or having one that is the "main" one and one that is the "other" one that you have to turn to see
17:12 < Jordi_> ne2k, Aeso, djph: Does this look right? https://paste.debian.net/1022182/
17:13 < ne2k> catphish, I prefer three for that reason; one large one in the middle that is the main one, and two identical smaller ones to the sides that are subsidiary
17:13 <+catphish> ne2k: yeah right now i have to find myself turning to see the secondary one
17:13 <+catphish> interesting
17:13 < ne2k> catphish, you still have to turn, but I prefer the symmetry of it
17:14 < ne2k> and /most/ stuff can be done on the large central one
17:14 < ne2k> of course, there is an argument that says it just makes you context switch more and you're therefore far less efficient. better to have only one small screen and actually just focus on a job
17:14 < ne2k> depends on the job, though
17:15 < Aeso> Jordi_, the bits in the middle should be 1 RTT each. The server doesn't wait for an ack for every packet: That sort of defeats the purpose of the window.
17:16 < Aeso> Also if the sender is the initiator, it's only 1RTT for the handshake
17:16 <+catphish> that curved one has roughly the same resolution as my 2 current ones, so thinking it'd be nicer
17:16 < Smallville> Network tray icon says no connections available
17:16 < detha> ne2k: very true. I also went to 3 screens
17:16 < Jordi_> Aeso: The only time I can't assume 1 RTT for k packets is when that many packets/segments(?) can't be put on the link simultaneously?
17:17 < ne2k> catphish, I can't comment on curved other than to say a) my gut says you're paying through the nose for a gimmick and b) it /might/ be annoying. or it might be great
17:17 < Jordi_> Why is it 1RTT if the sender is the initiator?
17:17 <+catphish> ne2k: i think i'll give it a go
17:17 <+catphish> they do a 34 and a 38 inch version, the latter seems excessive
17:18 < Aeso> Jordi_, well the receiver is going to communicate its max receive window in the handshake, and that will define the max number of packets the sender will put on the line without an ack
17:19 < Aeso> also it's 1RTT because the sender can send the last step of the handshake (an ack) and immediately start putting packets on the line
17:19 < detha> Jordi_: if initial window > BDP, the calculation changes a bit yes
17:21 < Aeso> whereas if the receiver initiates the transfer, the sender has to wait to receive that ack before it can start sending data
17:22 < Jordi_> Aeso: When I say 1 RTT for 3 packets, say, doesn't that mean I'm counting the time taken to put a packet on the line only once? Sure transmission of 3 packets is almost equal to 1 packet so that is negligible
17:24 < Aeso> Jordi_, the reason it takes a RTT is because you put as much data on the line as tcp slow start will let you, and then you have to wait for an acknowledgement from the receiver before you can send more
17:24 < Jordi_> Aeso: Oh so basically the last Ack piggybacks on the 1st packet? But the receiving window is only 1 packet right?
17:25 < Aeso> the receiving window is much larger than your tcp slow start (hopefully)
17:25 < Aeso> so you send one, wait for ack, send two, wait for ack, send 3, wait for ack
17:26 < Aeso> the RTT delay doesn't have anything to do with how you're sending, but rather that you have to wait for ack to send more
17:26 < Jordi_> Aeso: Yeah so you're saying 1 RTT is enough for 3 packets because you'd be putting in packet 2 and 3 while waiting for 1's ack?
But wouldn't you have to similarly wait for 3's ack at the end? Isn't it 1 RTT + 2 * propagation delay (for 2nd and 3rd packet)
17:28 < Aeso> Jordi_, as soon as you get the ack back for 1, you can put another packet on the line. There's a window of time where the sender is both sending new packets and receiving acks at the same time
17:28 < Jordi_> Oh shit only 1 ack is sent for all three
17:28 < Aeso> actually no, though it's normal to get a single ack back for two packets
17:30 < Aeso> but since you're sending and receiving acks at the same time, it's just a RTT delay between 'pulses'
17:31 < Jordi_> So if the ack was received for all 3 together, then I would have to wait, 1 RTT + 2 * Prop delay right?
17:31 < Jordi_> If the ack is sent for all 3, I'd be waiting for 3's ack to come before sending anything again right?
17:32 < Aeso> Jordi_, something like that, but that's not how TCP works
17:32 < Aeso> here, watch this: http://packetbomb.com/how-to-troubleshoot-throughput-and-tcp-windows/
17:32 < Aeso> this guy does a lot better job of explaining this than I do
17:33 < fnDross> anyone have any good resources about zones, with examples..?
17:34 <+xand> what kind of zones
17:34 < fnDross> ones that lede uses
17:34 < fnDross> seeing posts/comments that conflict
17:35 < fnDross> and wordings of things where it looks like my guest network would fall under
17:38 < djph> sparknotes version of zones
17:38 < Jordi_> Aeso: One other thing is I've applied additive increase without using slow start in the beginning. Should I fix that?
17:39 < Jordi_> The video you sent (nice intro!) shows a graph where slow start is used first.
17:39 < djph> (1) you define them, (2) you define what interfaces they include, (3) you define EVERY interaction of EVERY zone.
17:39 < fnDross> trying to find out if https://ibin.co/3wZx0gWjNDUu.jpg is semi safe&functional
17:40 < fnDross> mainly the way input/output/forward applies to that Kzone(guest network)
17:40 < djph> why are you using TWO routers?!
17:41 < djph> I take that back .. three
17:41 < fnDross> cause i get 3 ip's from my isp, to take out xbox one traffic load from all other devices
17:42 < djph> that's not how multiple IPs work
17:42 < fnDross> and these aren't power house systems
17:42 < djph> you get three IPs and one (1) set amount of bandwidth.
17:42 < fnDross> xbox makes a lot of router congestion
17:43 < djph> so then get a decent router (and/or AP).
17:43 < fnDross> i'm supposed to get 1 set amount 40/10... but speed tests all give 30-40 ish
17:43 < fnDross> in a slump no $$ atm
17:46 < Aeso> Jordi_, additive increase doesn't kick in until slow start gives way to the congestion control algorithm, correct
17:46 < fnDross> also it's so xbox default ports don't need to be changed
17:46 < Aeso> also most people aren't using additive increase congestion control algorithms anymore
17:46 < Aeso> but again with this real world vs theoretical
17:48 < Jordi_> Aeso: How would I add slow start into this?
17:48 < Jordi_> Is this explanation technically correct? https://paste.debian.net/1022189/
17:48 < Jordi_> I'm using the Feynman method to understand this problem by trying to write down exactly what I understand is happening.
17:49 < djph> hmm, link's just a blank page :
17:49 < Aeso> Jordi_, yeah, that's about right
17:49 < djph> ... stupid firefox
17:49 < fnDross> djph: even with a normal config of 1 router(no vlans etc), the dir-601 gets rebooted[hoping to find a free/$3.99 replacement]
17:49 < Aeso> but again, slow start operates differently
17:49 < Jordi_> Yeah, let me write up another with slow start
17:50 < djph> fnDross: it's unfortunate you're stuck with such shit hardware ... honestly, grab whichever is the best device you have and try with just that one running ...
17:52 < fnDross> did that at first.... as soon as one of the xboxes that's using it.. cpu spikes to max and sits there
17:52 < fnDross> that 601 gets pummeled tho
17:53 < nickster> quick question, maybe
17:54 < nickster> i'm currently trying to push DNS A(ipv6), B, and C to all devices on LAN
17:54 < nickster> I set this up in the opnsense general settings
17:54 < nickster> but, if i go to the interface, the dns servers listed there are 127.0.0.1, A, B, C
17:55 < nickster> is the 127.0.0.1 as a dns server broadcasting the address of the router or is something else going on
17:56 < aaa_> https://www.youtube.com/watch?v=nRmMkiTB_uE
17:56 < Jordi_> Aeso: How does this look? https://paste.debian.net/1022191/
17:56 < Jordi_> And can you tell me what other factors I would need to consider in the real world?
17:58 < Aeso> Jordi_, this looks pretty good. Some things to consider: TCP slow start usually starts with 2 packets, not one. Most modern servers are configured to start with 10, even.
17:59 < Jordi_> Aeso: Ah okay! Thanks. I feel like I actually learned something :)
17:59 < Jordi_> Also what other factors would I need to consider if I were to do this in the real world?
18:00 < Aeso> Jordi_, yeah, so congestion and packet loss will absolutely shit on your parade as far as these calculations are concerned
18:01 < Aeso> but if you're really curious you can go find papers on equations that take packet loss percentage and tell you your max practical bandwidth
18:03 < Jordi_> Again RTT is equivalent to 2 * (d / 3 * 10^8) + 10^3 / 10^9 every time right? Or would that change according to whether I'm using slow start (where I could increase window size after every ack) or additive increase (where window size can only be increased after "window size" amount of acks have been received or 1 ack for all the "window size" segments has been received)?
18:04 < Jordi_> Aeso: By packet loss you mean packet loss due to congestion control itself right?
18:04 < Jordi_> That only occurs when LM, the max window size is less than 10 in this case right?
18:05 < Jordi_> *congestion
18:05 < detha> Jordi_: that sets a minimum value for RTT. Real-world, there may be switches/routers in between that make it larger
18:05 < Aeso> Jordi_, either or, whether there's a problem with a link or the switches' buffers are full, TCP doesn't know or care
18:07 < detha> Packet loss happens. Sometimes due to congestion, sometimes due to dirty or faulty optics, or other reasons
18:08 < Jordi_> I thought TCP assumes heavy / light congestion for all packet loss?
18:09 < skyroveRR> It does, but it won't work in rare cases..
18:10 < Jordi_> Would RTT = 2 * (d/3 * 10 ^ 8) + (10^3 / 10^9) even be correct assuming I don't care about switches in between? I just want to know if I need to consider the time to put multiple segments on to the wire or not.
18:10 < Jordi_> skyroveRR: Responding to me?
18:10 < skyroveRR> Yeah
18:10 < Jordi_> Ah okay.
18:32 < Arfed> for a server, can multiple clients ever share the same source port?
18:33 < Arfed> I'm considering creating a hash table for fast IP lookup on a server - and the source port seems to be a natural way to match an IP to connection state
18:37 < grawity> source port from client perspective?
18:37 < jquinby> it appears so: https://superuser.com/questions/1179009/ephemeral-port-collision
18:37 < grawity> or did you mean the local port on the server end?
18:37 < grawity> if at least one of the IP addresses is different, then the port pair can absolutely be the same among several connections
18:39 < Arfed> Thanks - that answers that then - I'd have to use a more complicated hash mapping then - maybe not worth it
18:41 < Arfed> what's an accepted fast ip lookup method, with e.g. maximum 200 connections?
18:41 < Arfed> anything better than binary searching?
18:42 < ne2k> Arfed, what are you actually trying to do? are you reinventing the wheel?
18:43 < grawity> I think ipset and nft sets just use hashtables
18:43 < Arfed> I'm just trying to have a fast method of matching an IP to a connection state
18:44 < grawity> what for
18:44 < grawity> detecting duplicate connections from the same IP?
18:44 < ne2k> Arfed, but that doesn't explain what you're actually doing
18:44 < grawity> for ~200 conns, I think a hashtable will do
18:45 < Arfed> I want the program to perform well under a flood of packets, so that matching IP to state doesn't harm performance. are hashtables better than binary searching?
18:45 <+catphish> Arfed: one normally hashes on src ip, src port, dest ip, dest port, protocol
18:45 <+catphish> Arfed: so as long as all 5 things don't match, you're good
18:45 < grawity> what do you mean "a flood of packets"
18:45 <+catphish> if all 5 things do match, it's the same connection :)
18:45 < Arfed> e.g. an attack on the server, flooding packets
18:46 < grawity> that doesn't explain a thing.
18:46 < grawity> are the "connections" via TCP or via UDP?
18:46 < Arfed> udp
18:46 < Arfed> custom protocol based on udp
18:46 <+catphish> i think i've missed what the actual question was here
18:47 < Arfed> I want a fast way of matching an IP to a connection state, for UDP packets
18:47 <+catphish> for a udp server, you try to be stateless, if you can't, you make a table, indexed on remote_ip, remote_port
18:47 <+catphish> you wouldn't normally match just an IP, you'd match IP+port
18:47 < grawity> "table" as in a hashtable, I assume
18:47 < Arfed> ya IP+Port
18:47 <+catphish> no, table as in table
18:47 < Arfed> an array?
18:47 < grawity> as in array?
18:47 < ne2k> isn't this what the IP stack is for?
18:48 < grawity> "indexed by IP" so with 2**32 entries?
18:48 < grawity> or a linked list?
18:48 < Arfed> the problem with an array is that linear searches are slow
18:48 <+catphish> ne2k: OSs don't make a socket for each client in UDP, so no
18:48 < grawity> they do if you ask
18:48 < grawity> you can connect() a UDP socket
18:48 <+catphish> really? cool
18:48 <+catphish> i've never done that
18:48 <+catphish> well, not as a server
18:49 < Arfed> that's a good point - what does the OS do to route packets in that circumstance?
18:49 < grawity> so like, one socket for receiving initial contact, then create a new one for every client?
18:49 < ne2k> why not have a look at some well-known UDP-based server, such as ntpd or bind, does it?
18:49 < grawity> those don't have active associations as such, do they
18:49 <+catphish> anyway, i don't know how you'd actually store the data in memory, probably just an array, then use a btree or similar to find the entry you want quickly
18:49 < ne2k> Arfed, are you needing to keep state on the server, then?
18:49 < Arfed> it's valuable to seek wider knowledge on it - e.g. I didn't know about ntpd or bind until now ;)
18:50 <+catphish> i usually use a "hash" in ruby, does all this for me
18:50 < ne2k> Arfed, well, as grawity says, they may be a red herring
18:50 <+catphish> maybe that's what you meant by a hash table? if so, sorry
18:50 < Arfed> yes keep state on server - for about 200 connections
18:50 < detha> for 200 entries, it probably doesn't matter
18:50 <+catphish> grawity: sorry, hashtable is exactly what i meant!
18:50 < grawity> yeah those are named so because they're a hashtable or something similar under the hood
18:50 < Arfed> it matters - linear search is too slow
18:51 < detha> even a linear search would be fast
18:51 < ne2k> Arfed, just use srcip.srcport as the key for a hash. what language are you writing this in?
18:51 < Arfed> it's slow
18:51 <+catphish> Arfed: yeah, you want a hashtable, where the key is the remote ip and remote port, very easy really
18:51 < grawity> though I've seen some projects use e.g. tries in place of hashtables everywhere
18:51 <+catphish> what ne2k said
18:51 < UncleDrax> so who wants to come do scheduled customer-interface moves for me? (for free... and yes at like 0300 local...)
18:52 < Arfed> how slow is hash generation itself though?
18:52 < grawity> (atheme, freenode's nickserv, uses patricia tries for everything)
18:52 <+catphish> a hashtable with srcip.srcport as the hash, each
18:52 <+catphish> hash generation likely isn't slow
18:52 < grawity> Arfed: measure, but it's usually reasonably fast to deal with this
18:52 < Arfed> millions of hashes per second - not slow?
18:52 <+catphish> Arfed: you have to choose hashtable, or simple list with sequential search, your choice, time both
18:52 < ne2k> Arfed, why are you worrying about things that take nanoseconds when you're dealing with network comms that takes milliseconds?
18:53 < Arfed> because millions of packets means millions of hashes
18:53 <+catphish> both will be fast for 200 entries on a modern CPU, i'd always use the hashtable though, it scales
18:53 < ne2k> Arfed, what language are you writing this in?
18:53 < Arfed> c++
18:53 < ne2k> Arfed, urgh
18:53 < Arfed> hash table lookup speed is constant, for the most part, and limited by the hash function speed, right?
18:53 < ne2k> Arfed, are you running this server on an arduino or something?
18:53 <+catphish> Arfed: for millions of packets you are going to need to put in some work, some testing, we can't design that for you
18:54 < Arfed> ok but is it reasonable to assume millions of hashes is likely to be slow
18:54 <+catphish> time it
18:54 <+catphish> are we talking 1 million lookups, how many entries? 200?
18:55 < grawity> in python, one million hashtable (well, set) lookups takes roughly 0.1 of a second
18:55 < grawity> on my laptop
18:55 < Arfed> 1 million lookups - number of entries probably doesn't matter, as I'd imagine it's hash-speed limited
18:55 < Arfed> 0.1 second is long
18:56 <+catphish> by the way, my laptop, with ruby, can do approx 10 million hash lookups per second
18:56 < detha> ~200 entries means few insertions/deletions, so I would use a sorted array and binary search instead of hashing each packet. binsearch is < 8 comparisons
18:56 < Arfed> ok. nevermind I think my approach of using a binary search on an array, is probably best
18:56 < Arfed> yea that's the way I went
18:56 <+catphish> 2.3.7 :012 > t = Time.now; 10000000.times do |n|; hashtable[n]; end; puts Time.now - t
18:56 <+catphish> 0.551772404
18:56 < Arfed> just making sure it's the most suitable
18:56 <+catphish> 0.55 seconds for 10 million lookups
18:56 <+catphish> so use the hashtable :)
18:56 < ne2k> Arfed, methinks you are optimising too early
18:56 < grawity> how many packets per second is 1 Gbps?
18:57 < grawity> with 64-byte packets, let's say.
18:57 < Arfed> oh this is optimizing code that's 20 years old
18:57 < Arfed> not quite too early ;)
18:57 <+catphish> 1Gbps = 1.4Mpps
18:57 <+catphish> so my laptop running this under ruby could handle 10Gbps
18:57 <+catphish> so use the hashtable :)
18:57 < grawity> right, so at this rate even mine would be able to handle some 5-6 Gbps – per core, if you're multithreaded
18:58 < grawity> I assume your ISP will be calling you well before that
18:58 <+catphish> that was 1 core of my laptop, 10M hashes in half a second lol
18:58 < ne2k> it might not be on the Internet
18:58 < grawity> ne2k: but then why worry about a DDoS
18:58 <+catphish> so optimize away, but use a hashtable with srcip.srcport
18:58 <+catphish> good luck
18:58 < ne2k> grawity, I wasn't reading
18:59 < Arfed> ah no, it's optimizing for single threaded - for now
18:59 < ne2k> anyone know how to, properly, so it actually works, get both a static and a dhcp address on the same interface on modern debianish OS? ifupdown. ubuntu 16.04 server
19:00 < Arfed> 0 byte UDP packets are about 0.5 million roughly, at 1 Gbps
19:00 < ne2k> i.e. working so that if DHCP isn't available at boot, it still has the static, and then when DHCP comes to life it picks it up and still has the static as well.
19:01 < ne2k> auto eth0 eth0:0; iface eth0 inet dhcp; iface eth0:0 inet static; looks like it might work, but appears to go wrong if dhcp is not available at boot
19:10 < ice9> which vpn clients support IKEv2 on Linux?
19:15 < FreePizzaKid> Hello, I have a server running with Apache2, and I'm trying to make my logs available through my browser. Basically I have 3 sites: a drupal, a redmine and a phpmyadmin. I created a logs folder in each of their installation paths, and in my Vhost, i set the logs to write in said logs folder (for example ErrorLogs /var/www/html/drupal/logs/error.log for the drupal site, etc)
19:15 < FreePizzaKid> In each logs directory, there's a .htaccess, like this one: https://pastebin.com/pyhEQ0Ym
19:16 < FreePizzaKid> I can access the drupal one, but the phpmyadmin gives me a 403 and the redmine a 404, and I don't understand why
19:18 <+catphish> Arfed: nope, 1.4Mpps
19:18 < kottt> Not the best place to ask, since this isn't a networking problem. Linux or Apache channels might be better.
19:18 < kottt> @FreePizzaKid*
19:18 < UncleDrax> from https://httpd.apache.org/support.html -> "The #httpd channel on the irc.freenode.net IRC network is a good place for quick questions. If your questions require a more in-depth answer, you will likely be encouraged to move the question to the mailing list.". (I can't personally speak to if #httpd is populated/useful)
19:18 < Smallville> hey
19:19 < skyroveRR> Hi
19:19 < FreePizzaKid> oh ok thanks, I'll try to ask there
19:19 < Smallville> desktop internet not working, I know ethernet works because internet works on linux cd
19:19 <+catphish> FreePizzaKid: must be something different about those files, if they're all in the web roots check their permissions
19:19 < Smallville> makes it a windows 7 issue.
19:19 <+catphish> Smallville: best use linux
19:20 < Smallville> not my pc
19:20 <+catphish> i didn't suggest it was :)
19:20 < Smallville> linux not an option
19:20 < Smallville> ok sorry
19:21 < Arfed> catphish: 0 length UDP is 28 bytes, ya? that's almost 0.5 million per Gbps
19:21 < Smallville> i did a system restore to when the ethernet was working
19:21 < Smallville> restore worked but the ethernet is still saying "not connected, no connections available"
19:22 < Smallville> i reinstalled the network driver from Dell website
19:22 < detha> Arfed: assuming ethernet, minimum frame length is 64 bytes or so
19:23 < Smallville> the NIC is listed with the correct brand and model numbers in device manager
19:23 < Smallville> i just don't know what the issue is. I tried everything
19:23 < Smallville> any ideas please?
19:24 < drudge`> maybe the NIC is bad?
19:24 < UncleDrax> walk through the layer cake to troubleshoot NICs for Great Justive.
19:25 < drudge`> did you try uninstalling the tcp/ip stack on windows if you're sure the nic is good (live cd working with internet)
19:25 < UncleDrax> *justice
19:25 < Smallville> yes i used Parted Magic
19:25 < Smallville> ethernet works
19:26 < drudge`> try unchecking/removing/re-adding ip4 from the adapter properties?
19:26 < Smallville> hmm
19:26 < Smallville> ok i'll brb
19:29 <+catphish> Arfed: firstly, 1,000,000,000 bits per second is 125,000,000 bytes per second, simple maths says that 125,000,000 / 28 = 4.4 million, however the minimum ethernet frame size is 64 bytes, so the maximum rate should be 125,000,000 / 64 = 1.9Mpps, however in reality, for reasons i'm not sure of, maybe the interframe gap, the actual rate is 1.4Mpps
19:30 <+catphish> Arfed: i don't know how you got 0.5 million, but the correct number is 1.4 million :)
19:30 < Arfed> ya I missed a dot, and went 0.5 instead of ~5 ;) How much of a factor is the ethernet frame in internet communications?
19:31 <+catphish> the frame header is 18 bytes, how much of an impact that has depends on your frame size
19:31 <+catphish> and the minimum size is 64 bytes
19:32 <+catphish> so for 1 byte of payload, you have 63 bytes of overhead, but for 1500 bytes of payload, only 18
19:32 <+catphish> small packets are very inefficient
19:32 < Arfed> doesn't the ethernet frame change with each hop?
19:32 <+catphish> yes
19:32 < Arfed> so it's not really counted as part of e.g. DDoS attacks?
19:32 <+catphish> in fact some hops might not use ethernet at all (though most do in 2018)
19:33 <+catphish> Arfed: it's totally up to you how you count it
19:33 < Arfed> okey - I'd tend to count it minus the ethernet frame
19:33 <+catphish> most people would say if it fills a 1Gbps pipe then it's a 1Gbps DoS
19:33 < Arfed> as I'd be measuring the throughput of a DDoS attack - not the capacity of a pipe
19:33 < Smallville> drudge`: the Ethernet adapter properties isn't retaining the default gateway address
19:33 <+catphish> Arfed: up to you :)
19:34 < Smallville> It clears after I reopen properties
19:34 < drudge`> sounds like an issue
19:34 <+catphish> Arfed: attacks of tiny packets are more likely to be measured in pps
19:34 <+catphish> since their aim is not really to saturate links, but to upset the software
19:35 < Arfed> ah, it's just a different variety of a DDoS
19:35 <+catphish> so their bit rate doesn't matter much :)
19:35 <+catphish> yep
19:38 < fly_agaric> hello i have a problem with a hardware firewall. i created a vpn account for an external company. it's a client-to-site vpn and i set the vpn account as source and the server which should be reached by vpn as destination. unluckily the account can reach all hosts in the company.
19:39 < fly_agaric> i looked at the rules and it's an allow rule so the communication to every host except this one host which i allowed should be dropped right?
19:49 < ziggylazer> Anyone in #networking ?
19:49 < Hooloovo0> no
19:49 < Aeso> not a one
19:50 < S_SubZero> ##notworking
19:50 < ziggylazer> Well that's a shame
19:50 < xssposed> lol
19:50 < ziggylazer> since this is ##networking
19:56 < xssposed> not sure where to ask, but i figured id ask here: im starting school in the fall so i can actually get a degree in something im passionate about. ive taught myself programming and have worked with malware, networking, security, webdev bs such as front ends/backends etc, but im not sure what to get into. for instance, im going into cs, but cs alone is purely trash. i'll solely learn the rudimentary of cs and thats not what i want. i just dont know
19:56 < xssposed> what field to get into that would incorporate my interests. i figured perhaps engineering, but thats not entirely what i enjoy. i then figured networking, but that hardly involves any programming. any suggestions?
19:57 < Dalton> i went networking cause i had/have no interest in programming
19:57 < djph> ... anything except windows admin ...
19:57 < S_SubZero> what do you want to do?
19:58 < Dalton> i want to be a lumberjack
19:58 < xssposed> LOL
19:58 < S_SubZero> you'd be ok
19:59 < xssposed> what about malware analysts? that should involve both networking and programming
20:00 < qman__> well, if you don't know what you want to do, then you probably shouldn't be starting school
20:00 < xssposed> every female has their expiration date and im not looking to marry rich, therefore, no
20:00 < xssposed> i dont have forever
20:01 < qman__> no, but my point is that school isn't the only path, and isn't really a good idea if you don't know what you want
20:01 < djph> Dalton: and that's okay, you'll sleep all night and work all day.
20:02 < xssposed> i do know what i want, im just uncertain about the field
20:03 < qman__> that's a self contradictory statement
20:03 < qman__> anyway, the best way to figure out what you want to do is to start doing stuff
20:03 < qman__> and find out if you like it
20:03 < xssposed> i like writing exploits, i like finding bugs, but i also enjoy reverse engineering
20:04 < qman__> that's good, and leads to a few avenues in security, particularly penetration testing
20:05 < qman__> trouble with those is there isn't a defined career path, most people who succeed in that field run their own businesses or work as contractors
20:05 < xssposed> penetration testing is a meme
20:05 < xssposed> requires zero skill
20:05 < xssposed> i want a challenge
20:06 < djph> IDK, some of those security types are quite good.
20:07 < qman__> that sort of skillset isn't valued that highly in traditional IT departments, unfortunately
20:07 < qman__> they're more concerned about building stuff
20:07 < qman__> than tearing it down and breaking it
20:08 < qman__> people who are really good at that can be very successful, but almost always doing consulting, not working for some large company
20:09 < qman__> lots of money to be made, but not a lot of stability
20:09 < djph> qman__: yeh, I was talking about the couple of security contract types I've come across
20:09 < qman__> infosec folks in most large companies are writing policies and processing logs and stuff
20:09 < qman__> things I personally find way too boring
20:10 < xssposed> id most likely work for a company to gain some experience and learn what i dont already know and branch off anyways ;-;
20:14 < xssposed> what about security engineer?
20:14 < xssposed> is that a thing
20:15 < qman__> yes, but it's mostly the same as regular infosec, defining policies and standards, testing security products, etc
20:16 < qman__> helping systems engineers find and follow good practices
20:16 < qman__> I'm a systems engineer, I started my career working for managed service providers and now I build stuff for a large company
20:17 < xssposed> i see
20:17 < qman__> I build the platforms that the software engineers use to run their software
20:18 < xssposed> and how is that for you?
20:18 < xssposed> do you enjoy it..
20:21 < xssposed> and could you define platform? im familiar with what software engineers do, but i initially thought they built their own platform to work with their software, unless im not understanding the term correctly
20:22 < Dalton> not always
20:22 < Dalton> they might be able to work in an environment but not have the right to install/modify said environment
20:23 < xssposed> in other words, you provide the hypervisor and they build the actual os?
20:23 < xssposed> just an example
20:23 < Dalton> i was thinking even less than that
20:24 < Dalton> but yes
20:25 < xssposed> ahh okie
20:25 < djph> he provides a shell / framework program, the software guys then put in the other bits to make it do whatever task
20:26 < xssposed> i get it now :)
20:28 < kottt> xssposed: CS degree is quite trash, unless you're really into computing theory. an assoc. degree in software dev or engineering or finding some kind of (legitimate) cybersec program would probably be way more gratifying
20:28 < kottt> source: im graduating CS and hate it
20:28 < panda_man> I graduated CS and loved it
20:28 < kottt> eh
20:28 < Dalton> i skipped CS cause i didn't want to be a programmer
20:28 < djph> I got halfway through CS and hated it. Moved to Info Systems, and liked it better
20:28 < Dalton> ^^ started there
20:29 < kottt> okay i dont hate CS, but i hated the entire program because the profs were awful, the course material did basically nothing to prepare me for anything, and it felt like a $50,000 waste of time
20:29 < xssposed> kottt: yes, but dont i need cs to be able to get into those fields?
20:29 < xssposed> ive heard cs alone was trash from several people -.- they told me i was wasting my money and to make money online
20:29 < kottt> lots of ways in besides a CS degree
20:30 < djph> kottt: sounds like you had my profs
20:30 < kottt> though im not a professional, and am currently trying to get the hell out of my student job in a NOC
20:30 < xssposed> wait, so i can get into 'info systems' rather than getting into cs
20:30 < S_SubZero> my community college had an "Industrial Science" track which was CS without the math. Cuz math is hard -.-;
20:30 < kottt> literally anything with a salary >40k would be a dream job right now
20:30 < kottt> (in eastern maine)
20:30 < xssposed> i dont care how much ill be earning, i just want the knowledge and ill be alright
20:31 < djph> "Computer Science" is really focused on the math / architecture / theory from what I remember; and isn't really set up to get you to be *useful* in corp environments
20:32 < xssposed> i have a bio degree, so i have taken a few math courses and i already know c, python, js, asm
20:33 < kottt> then an undergrad CS degree would be torture but probably at least quite quick
20:33 < kottt> and easy
20:35 < xssposed> lol thats what i was thinking
20:35 < xssposed> it should be a breeze
20:36 < S_SubZero> I did an online straight Information Technology degree which was stuff that gets ya past A+, Net+, Project+, Security+, a web cert, javascript, python, etc. I loathed the java class and didn't like databases much but most of the classes were pretty fun
20:36 < kottt> ah....
20:36 < xssposed> i love databases stuff
20:36 < kottt> Certs would probably be a better use of your time?
20:36 < xssposed> not a fan of java though, albeit it is a nice language
20:36 < xssposed> esp for software
20:37 < kottt> again, not a professional, IDK, but i imagine employers would look at somebody with a bio degree and A+, CCNA, etc and at least bring you in for interview
20:37 < xssposed> ive written a signal bot in java which was torture.. definitely a lot of googling
20:38 < xssposed> bio degree was bcos i was aiming for dental
20:38 < djph> java can die in a fire
20:38 < xssposed> not happy with dental
20:38 < Aeso> in the IT world the major doesn't really matter
20:38 < Aeso> even 'IT' programs don't count for much because their curriculums are antiquated before you even get the degree
20:39 < kottt> at least you can make some great jokes about it tho xssposed
20:39 < xssposed> LOL true
20:39 < kottt> "yeah i got into dental for a bit, but god, it was like pulling teeth"
20:39 < koala_man> I feel like Marie Antoinette with my free degree and entering the job market before the 2008 crash
20:39 < xssposed> xD
20:39 < S_SubZero> Aeso: I was in the python class for three days, promptly started writing a project at work in python, it was so interesting. ^^
20:40 < kottt> koala_man: let them eat cake Marie antoinette, or head in a basket marie antoinette?
20:40 < koala_man> cake one
20:40 < kottt> ah
20:40 < S_SubZero> my bonus for that was enough to pay for my entire school
20:40 < xssposed> kottt: i initially loved it, but after working for someone bcos i needed x amount of hrs for dental school, i realized it was hell. it explained why dental students and dentists had the highest suicide rate
20:41 < koala_man> nice
20:41 < kottt> aw jeez
20:42 < koala_man> dental schools have their perks though, like stuffing people's mouths full of instruments, asking them questions, and watching them choke trying to answer it
20:42 < kottt> id be real curious to hear what's so bad about it
20:42 < xssposed> presuming the job market is tough in IT? im personally not too concerned. i know how to make money online with my projects
20:42 < kottt> because left to my imagination i assume it's angst over people not flossing
20:42 <+catphish> as per last night's complaining, iscsi is seriously complicated
20:42 < koala_man> "When did you last floss?" "Don't you remember, you were there"
20:43 <+catphish> why must it be so complicated
20:43 < xssposed> she had me work as her unlicensed hygienist, secretary, manager, and role play dentist when she was too busy
20:43 < xssposed> it was stressful
20:44 < xssposed> she taught me everything
20:47 < xssposed> the idea of it was fun.. being able to fix other people's problems and relieve their pain and knowing you did it, it was gratifying. but the stress was overwhelming
20:47 < drudge`> Smallville did you uncheck/remove ip4 from the adapter properties and re-add it? you may or may not need the windows cd
20:48 <+catphish> xssposed: sounds like you're a generalist, skills in general hacking, debugging, figuring things out?
20:48 <+catphish> and you have a terrible attitude towards women :(
20:48 < djph> catphish: he does?
20:49 < xssposed> only bcos many dont like me
20:49 < xssposed> and perhaps the indoctrination that i either get a job, or im stuck being someones property the rest of my life
20:49 < xssposed> makes me feel caged
20:50 < S_SubZero> I did contract IT at a college that had a dentistry department, and I was their guinea pig for like practice cleanings and stuff. It was a gesture by the staff since my employer didn't give me health insurance. My teeth were -so- clean.
20:50 <+catphish> that's stupid, but on topic, you basically do whatever you feel like, unfortunately that may change frequently, maybe work as a contractor
20:51 < xssposed> LOL yes, most dental schools ask their students (generally their 3rd year) to do practice cleanings
20:52 <+catphish> we all have to get a job to earn money to live
20:52 < xssposed> i know they visit prisons and offer cleanings
20:53 < xssposed> making money isnt difficult. i just want knowledge. this is subjective of course, but the more i know, the more i can be creative with my work
20:53 < drudge`> knowledge is fun
20:53 <+catphish> well just learn as you go, hack things til you understand them then move on :)
20:53 <+catphish> that's how hackers learn
20:54 < xssposed> ive been doing that
20:54 <+catphish> then you're good
20:54 <+catphish> just make the money (if that's so easy) and learn as you go
20:54 < xssposed> i tried surrounding myself with engineers, hackers and anyone knowledgeable to learn what they know
20:55 <+catphish> that's ideal
20:55 <+catphish> just keep doing what you do
20:55 <+catphish> drift between jobs until you find a team you love working with, and stay there i guess
20:56 <+catphish> what i'm getting at is that one doesn't need to choose a named career path and stick to it, that's the joy of being a hacker, just do whatever is fun, and try to make money with it
20:56 < xssposed> i was making money, just not the way i wanted to if that makes sense
20:57 < xssposed> i was thinking that too catphish
20:57 <+catphish> well it's normal not to get the right job right away, try things, wait til you fit in
20:59 < xssposed> ;-; i guess im scared i wont be able to do it forever
20:59 < xssposed> and when im cornered and left to find a legitimate job, i wont be able to bcos i wont have a degree
20:59 <+catphish> well you can't do it forever, one day you have to retire, and die, or maybe you get sick of it and go work on a farm instead, whatever
21:00 <+catphish> well getting a degree in CS is a good idea, but if you hate it, don't worry, just get a job, get some commercial experience, it counts for a lot
21:01 <+catphish> if you're lucky you get a job with a great team and work your way up
21:01 <+catphish> or you just end up as a contractor, billing by the day, which you can do once you have commercial experience
21:01 <+catphish> many options
21:01 < xssposed> contractor sounds boring >.>
21:02 <+catphish> you prefer to find a team and stick with them?
21:02 < xssposed> if theyre smarter than me
21:02 <+catphish> in any case, if you have no qualifications maybe you have to get an entry level job, or grind at a degree first
21:02 < xssposed> i get bored if i know more than someone and im left teaching them rather than vice versa
21:02 <+catphish> but it doesn't take too long
21:03 <+catphish> well live with it
21:03 <+catphish> the first 3 years of your career you will be treated like an idiot, you just have to live with it
21:03 <+catphish> after that, you get some respect
21:03 <+catphish> but a good employer will let you contribute if you're good
21:04 <+catphish> anyway, just try things, do what you enjoy, take it from there, be willing to accept entry level jobs in an industry you find interesting
21:04 <+catphish> i never went to university, i hate formal education
21:04 <+catphish> i get bored too easily
21:05 < xssposed> yeah, ill just dive into cs then and go from there
21:05 < galileo_> my friend got a degree in CS
21:06 < xssposed> im debating between: malware analyst, security engineer, systems engineer, or software engineer
21:06 <+catphish> why choose?
21:06 <+catphish> you can do all those things
21:06 < xssposed> can i?
21:06 < xssposed> ah
21:06 < xssposed> i see
21:06 < xssposed> you make a point
21:06 < galileo_> i did all his homework for him so i pretty much have a degree in CS
21:06 < xssposed> LOL galileo
21:07 <+catphish> xssposed: i mean, if your degree makes you choose, then sure, you have to choose for that, but i meant when it comes to work
21:07 <+catphish> you can find a security company and build a role that incorporates all those aspects
21:07 < xssposed> i see what youre saying. if my degree requires choosing, choose. but overall, i can still do it all
21:07 <+catphish> yes
21:08 <+catphish> over time you will find what you enjoy, what i'm saying is that the degree doesn't tie you down
21:08 <+catphish> in fact many people here get a degree in something totally unrelated, like geology :)
21:08 <+catphish> it doesn't matter that much, as long as you have the skills
21:08 < kottt> to, as they say
21:08 < kottt> "pay the bills"
21:09 <+catphish> must learn iscsi
21:09 <+catphish> (me)
21:09 < hagbard> Anyone here ever had to go to London to do datacenter work? Where did you stay? I'm going to the Equinix sites (LD4/LD6) in Slough. I definitely don't want a hotel in Slough.
21:09 < Phil-Work`> can't say I ever look at people's education history when hiring
21:09 < Phil-Work`> experience is worth infinitely more than a bit of paper
21:10 <+catphish> experience is way more important indeed
21:10 <+catphish> though there's no denying having a degree will help in many cases
21:10 < hagbard> I'd say the "knack" is the most paramount, with experience definitely the second most important.
21:10 <+catphish> i have a combination of engineers with degrees in CS, degrees in unrelated things, and no degree :)
21:11 < xssposed> what about starting that first job? i dont mind starting somewhere small and gaining experience, but they'll take me as a joke once i tell them im self taught
21:11 <+catphish> xssposed: not at all
21:11 < Phil-Work`> xssposed, if they do, you're looking at the wrong companies
21:11 <+catphish> any employer who doesn't think self taught is better isn't worth working for imo
21:12 < xssposed> :) i appreciate the advice guys, thank you
21:12 < hagbard> There's "self-taught," and "bumbled and tripped through getting things to work." The first is admirable and desirable, the second is often a recipe for disaster.
21:12 <+catphish> being self taught usually means your knowledge is more practical, though sometimes people have theory gaps
21:12 <+catphish> the best is both, people who teach themselves, then get a degree :)
21:13 <+catphish> hagbard: the second should be the first step to the first :)
21:13 <+catphish> but not always
21:13 < Phil-Work`> I'm not convinced I learned much in my CS degree
21:13 <+catphish> i don't have one, thought it would be boring
21:13 < Phil-Work`> though I may be tainted by the ridiculous sums of money that are taken from my pay each month for the loan
21:14 <+catphish> i put the money towards a house instead
21:14 <+catphish> xssposed: good luck
21:14 < Phil-Work`> my degree was (relatively) cheap as compared to now
21:14 < xssposed> thank you
21:15 < Phil-Work`> something like 95% of new graduates will pay 9% of their salary for 30 years before the loan is written off
21:15 <+catphish> mine wouldn't have been too bad compared to now, indeed
21:15 <+catphish> that's insane
21:16 < Phil-Work`> only that very small percentage will earn enough to ever pay it off
21:16 <+catphish> xssposed: where are you anyway?
21:16 < Maarten> I got a college degree in computer sciences, application management..... what did I learn? Novell Netware. Building databases in dbase III and dbase IV. Token Ring. - when I got my diploma it was 1996.... and within less than 2 years, all the aforementioned technologies were so obsolete, it wasn't even funny anymore.
21:16 < xssposed> wdym?
21:16 <+catphish> xssposed: what country?
21:16 < xssposed> america
21:16 <+catphish> unlucky
21:16 < xssposed> unfortunately >.>
21:17 <+catphish> lol
21:17 < xssposed> i have plans to move to the uk someday
21:17 <+catphish> well i know american companies value degrees a lot more than the rest of the world, so i'd definitely suggest persisting with it, but don't worry about the exact subject
21:17 <+catphish> and self-learn at the same time the stuff you really enjoy
21:18 < xssposed> they do, thats why i was quite hesitant
21:18 <+catphish> american companies have a weird thing for that stupid piece of paper i've heard
21:18 < xssposed> yes!
21:18 <+catphish> so maybe get it, but don't stress about it, just do whatever is easy
21:18 < xssposed> lol they really value that piece of paper
21:18 <+catphish> and focus on your own real learning
21:18 < Phil-Work`> Maarten, I didn't have that problem due to the degree being almost 0% practical skills
21:18 <+catphish> you can always try to do contract work on the side
21:18 < Phil-Work`> learned Java to a very (very very) basic level
21:19 < Phil-Work`> beyond that, all theory - little of which is applicable to me these days
21:23 < mawk> what's a TSO packet? what's a UFO packet?
21:27 < grawity> a regular packet that goes through TCP Segmentation Offload, and likewise for UDP Fragmentation Offload
21:27 < xssposed> https://en.wikipedia.org/wiki/Large_send_offload
21:27 < mawk> I see
21:28 < Phil-Work`> I was hoping aliens would be involved
21:29 < mawk> so with TSO, the kernel hands the NIC one big TCP packet
21:29 < mawk> around 64k
21:29 < mawk> maximum
21:33 < mawk> so in my tuntap application, if I add the correct flag for send offload, the kernel will hand me big/unchecksummed packets
21:35 < xssposed> you should do it and see what happens :)
22:01 < Smallville> drudge`: i fixed the issue. Driver didn't uninstall fully the first time. I removed the remaining registry keys relating to broadcom, then installed the driver again. now it works perfectly
22:18 < __ddd__> TCP server/proxy question: say I have a server with 100 connected clients. the server will use a file descriptor per connection, yes? Say I use a proxy (stunnel) to allow clients to connect via TLS to a TLS-incapable server. Are there now 2 or even 3 file descriptors used per connection?
22:18 < ||cw> yes?
22:19 <+xand> using stunnel will create additional TCP connections
22:20 < lordvadr_> __ddd__: When you say "TLS-incapable server", do you mean a server-daemon running locally, or an external host?
22:20 < lordvadr_> And, for the most part, each socket is an fd.
22:20 < __ddd__> server-daemon running locally, let's say. let's say it requires usage of tcp over loopback, no unix sockets
22:20 < fly_agaric> hello guys, i configured a vpn policy on our firewall. vpn_group_acc_xy in source and destination one server + the service port 22 tcp. however the vpn user can reach the server port 22 but can also reach every other service on the host + all other hosts in the network. what did i do wrong?
22:21 < grawity> for both tcp/ip and unix, you have one socket (and therefore one fd) per stream connection
22:21 < grawity> meaning stunnel will use two sockets (and two fds) for every tunnel
22:26 < lordvadr_> __ddd__: stunnel will have one fd for the bound socket, one fd for each connected session, one fd for each outgoing session. The daemon will have an fd for the bound socket, and an additional fd for each connection.
22:26 < lordvadr_> So, 3N + 2 will be the socket count for N connections.
22:31 < __ddd__> thanks grawity lordvadr_ for breaking that down, that was my naive assumption but I wanted to make sure I wasn't oversimplifying things. is there ever a situation where the max allowed files reported by /proc/[pid]/limits aren't true? or can I fully trust that
22:34 <+catphish> __ddd__: yes, stunnel will use 2 sockets per connection (server and client) then the backend will also use one, i believe the limits reported in proc should be correct
22:35 < __ddd__> let's say I exceed 64k clients, does stunnel handle using different ips so as to not run out of ports? the real clients are on different IPs (they are websocket clients), so the 64k port address space limit is not currently a concern
22:37 < lordvadr_> __ddd__: How you bind sockets is one matter (the general answer to your last question is "no"), but the open FD limit is solid.
22:37 < ||cw> __ddd__: how close are you to that? I'd assume that by the time you get anywhere near that the other server resources will bottleneck and you'll need to scale out anyway
22:38 < lordvadr_> You can increase it, but it starts making little sense. If 64k isn't enough, would 640k be enough? How about 6.4m?
22:38 < djph> I can't foresee a future where people will need more than 640K ...
22:38 < grawity> at this point you might prefer haproxy or nginx, for they're actually optimized for high client counts
22:38 < grawity> I'm not even sure if stunnel would be multithreaded or anything
22:42 < __ddd__> grawity stunnel does support multithreading. I'd ideally like the ability to scale up to 100k - 200k connections before scaling out, and as I understand it this is a reasonable goal for a websocket server.
22:44 < __ddd__> the websocket server does little more than push jobs to beanstalkd tubes and send/receive messages
22:44 < lordvadr_> __ddd__: At those kinds of loads, I'd suggest looking into other proxy solutions just to be sure you're getting what you want out of it. I'm not sure stunnel was designed for that kind of scale.
22:44 <+catphish> __ddd__: if you're looking at running out of tcp ports i'd seriously consider using a different method to proxy, ideally a unix socket
22:45 < lordvadr_> It's not on the application to manage which IP outbound connections come from.
22:46 <+catphish> with a unix socket you wouldn't have that problem, and you can just increase the fd limit as far as you need to
22:46 < __ddd__> catphish that's probably a good idea and not to difficult to switch to unix socket
22:46 < __ddd__> *too
22:46 <+catphish> it's ok, i'm just smarter than everyone else here :)
22:47 < __ddd__> I know, you've set me straight before ;) thanks again!
22:47 < lordvadr_> Don't encourage him.
22:47 <+catphish> lol i'm kidding of course, but good luck and keep asking here if you get stuck :)
22:52 < __ddd__> catphish do you have any experience with stunnel? I like its simplicity, and if possible i'd like to use it to "wrap" my websocket server instance(s) with TLS capabilities, and once I need more instances I would use something like HAProxy to proxy to different _machines_ -- should I avoid stunnel even for the per-machine proxying?
22:52 < mawk> unix sockets can even work without a filesystem
22:52 < mawk> using abstract domain unix sockets
22:53 < mawk> it's like loopback with ports being an arbitrary string
22:54 <+catphish> __ddd__: personally i use haproxy on the loadbalancer, and nginx on the individual hosts
22:55 < __ddd__> mawk yeah I dig unix domain sockets, I'm stuck using a crappy websocket server library because of language choice and legacy code, not sure if it supports unix domain sockets well -- checking now
22:55 <+catphish> nginx handles the translation from tcp to unix socket, and you can do ssl on either nginx or on the haproxy
22:55 <+catphish> nginx can also serve out any static content at the same time
22:56 < mawk> __ddd__: if you're lucky it supports it
22:56 < __ddd__> didn't nginx add websocket support only recently? I'm a little worried about connections dropping
22:56 < mawk> you just have to give a path with a leading \0
22:56 < mawk> why would they drop ?
22:56 <+catphish> __ddd__: i've been doing it for years, never had an issue
22:57 < __ddd__> http-geared proxies don't usually expect long-lived connections. depending on user activity, some of these connections could last quite a long time
22:57 <+catphish> __ddd__: if your websocket server doesn't support unix sockets, i'd just forget about using a proxy on the app servers, and just do the ssl on the loadbalancer, assuming your lan is trusted to send cleartext
22:57 <+catphish> __ddd__: modern http proxies are just fine with websockets
22:57 < mawk> keepalive is a thing, __ddd__
22:57 < mawk> they are long-lived connections, perfectly supported by nginx
22:58 < mawk> so I don't see why there should be a problem with websockets
22:58 <+catphish> i run a lot of websockets through both haproxy and nginx, no issues
22:58 < __ddd__> well that's good to hear
22:59 <+catphish> interestingly i've never run out of ephemeral ports on my loadbalancers, never really considered it
22:59 <+catphish> they have a lot of IPs though, probably enough for a million connections
23:00 < mawk> they are aware of the number of available FDs I guess
23:00 < mawk> and they just throttle incoming traffic/raise the limit
23:00 < mawk> maybe
23:01 < tgodar> so... I don't understand how HSTS works or I'm doing something wrong. How can I repeatedly load a site over HTTP when the response is sending the Strict-Transport-Security header?
23:02 < mawk> did you load https at least once ?
23:02 < djph> you don't, because HSTS is a TLS thing
23:02 <+catphish> a bug once pushed me to a few hundred thousand connections, i started running into FD limits on the backend applications, increased them and it was all good
23:02 <+catphish> tgodar: i think you need to redirect to https first
23:02 < tgodar> mawk: if I load once over HTTPS then yes, forces that.
23:02 < tgodar> catphish: sounds like it.
23:02 <+catphish> tgodar: and send the hsts header over tls
23:03 <+catphish> it's a bit silly, but i think that's how it works
23:04 < tgodar> It just goes against what I understood the advantage to be, avoid that initial HTTP request... but now I think about it more...
23:04 <+catphish> you can't avoid the initial http request :)
23:04 <+catphish> (obviously)
23:04 < tgodar> right :)
23:05 <+catphish> unless you get your hsts preloaded in the browser
23:05 < tds> if you redirect from the bare domain to www (or vice versa), I think it's also recommended to do http://example.com -> https://example.com -> https://www.example.com so you get hsts recorded for both domains
23:05 < tgodar> tds: thanks for pointing that out
23:05 <+catphish> any time you do a redirect it's silly not to redirect to ssl at the same time
23:08 < tgodar> so HSTS doesn't actually have anything to do with a global list right? What was that initiative called? Chrome doing anything on that front?
23:08 < guest09328> How can a PC become a gateway to corporate, if split-tunneling is enabled?
23:09 < tds> tgodar: that would be hsts preloading (which catphish just mentioned :)
23:09 <+catphish> tgodar: yeah you want hsts preloading
23:09 <+catphish> https://hstspreload.org/
23:09 <+catphish> i really should submit all my sites to it
23:10 < tds> if you own a tld you can even submit the entire tld for preloading :P
23:10 < tgodar> I need to read up on some stuff. Thanks!
23:11 < tds> my main issue with preloading is that it requires enabling includeSubDomains, which I don't feel comfortable enabling for my environment
23:11 < tgodar> word. Does a low max-age when testing prevent preload submission is what I'm wondering now
23:12 <+catphish> i literally always use ssl, i can pretty much do all my domains
23:13 <+catphish> i don't think i have any webservers any more that would allow a non ssl request
23:14 < tgodar> ok, so they don't add to the preload list automatically, always a manual submission? Man I really had some misunderstandings
23:14 < __ddd__> thanks again catphish mawk etc.
23:15 <+catphish> tgodar: yep :)
23:15 < tds> ah yeah, I have a few embedded devices (eg switches) which don't support SSL, otherwise I would enable it
23:15 < irwiss> tds: much easier now with LE wildcard certs though :)
23:17 < tds> irwiss: hmm, I'd say if you're copying a single wildcard cert to every switch then you're doing it wrong ;)
23:17 < tgodar> surprised the CAs haven't put a hit out on LE yet :) such a racket
23:17 <+catphish> i just access those devices by IP i guess
23:18 < tds> it makes a lot of sense if you terminate all ssl on a single reverse proxy or have dynamic subdomains, but I feel like copying around a single wildcard cert is bad practice when you can easily obtain lots of individual DV certs
23:19 < irwiss> i'm reversing everything http over a single nginx which has the certs
23:19 < tds> catphish: heh, I'm far too lazy to type in full v6 addresses all the time ;)
23:20 <+catphish> good thing my management LANs are ipv4, i actually have no idea why
23:20 <+catphish> probably the odd old hardware device didn't support ipv6 and running both seemed silly
23:20 < tgodar> thanks guys, gotta run but plan to sit in here and listen more in the future.
23:21 <+catphish> have fun
23:35 < LFSveteran> not sure what to do.....
23:35 < LFSveteran> Situation:
23:35 < LFSveteran> I have an openvpn server 192.168.10.1
23:36 < LFSveteran> a linux system with tun0 192.168.10.2
23:36 < djph> is not punctuation.
23:36 < LFSveteran> and the linux system also has a second eth
23:37 < LFSveteran> from another system I want to reach 192.168.10.1 through that system
23:37 <@pppingme> so where is this other "system" ?
23:38 < LFSveteran> same LAN as that routing linux system
23:38 <@pppingme> ok, so you have an openvpn server with two nics? what's the 2nd nic for?
23:38 < LFSveteran> no not the server, the "router"
23:38 < LFSveteran> the server is WAN side
23:39 <@pppingme> your description is coming across in too many pieces..
23:39 < LFSveteran> openvpn server somewhere reachable with 192.168.10.1 through the vpn tunnel
23:40 < LFSveteran> the client that has the connection has a tun interface with 192.168.10.2 through eth0
23:40 < LFSveteran> the client also has an eth1 with 192.168.0.2
23:41 < Phil-Work> mind. blown.
23:41 < Phil-Work> draw a diagram :S
23:41 < LFSveteran> mom
23:41 < rypper714> Nice
23:41 <@pppingme> I was just getting ready to say that
23:41 <@pppingme> I think a picture with how all the pieces are laid out would help
23:42 < rypper714> Yes indeed. Curious myself to see it.
23:42 < LFSveteran> guess so, pictures always say more than 1000 words
23:42 < Phil-Work> and 1000 line breaks
23:42 < LFSveteran> I'm sure it's quite a basic question
23:42 < LFSveteran> :)
23:42 < rypper714> Lol true
23:42 < LFSveteran> ah found a white board
23:49 < LFSveteran> https://awwapp.com/b/udiysgr5y/
23:53 < ironpill_> hi all, question about certificate authority cert. when I go to my 802.1x wireless network and when I type in my credentials, it asks me if I trust this CA and when I do it downloads a CA and a server certificate. Can a server send a CA certificate?
23:55 <@pppingme> still not clear from drawing.. is "router" both connecting to internet and running vpn client?
23:55 < LFSveteran> yes
23:57 <@pppingme> ok, so we have a router that also runs vpn client, now what is the goal, for "pc 192.168.0.3" to be able to access stuff *on* "vpn server" or *behind* "vpn server" ? or what?
23:57 < LFSveteran> the vpn server
23:57 <@pppingme> ok, so "on" vpn server ??
23:58 < LFSveteran> on the vpn server are running some services that are accessible with 192.168.10.1
23:58 < LFSveteran> the vpnserver is not serving as a gateway to other networks
23:59 <@pppingme> ok, but you want pc's behind the client on the router on the left to be able to access just the services on the vpn server, right?
23:59 < LFSveteran> yes
--- Log closed Fri Apr 27 00:00:00 2018