--- Log opened Tue May 08 00:00:12 2018
00:05 <+catphish> that guy really went the extra mile in making that card
00:05 < ^7heo> what card?
00:07 < ^7heo> nevermind, I already regret asking
00:21 <+catphish> lol
00:47 < djph> ^7heo: you know you want one of those cards
00:47 < djph> ... maybe even two
00:47 < djph> they'll go perfect with your thicknet quake II arena
01:13 < batch> hi, can someone tell me some nice tutorial or source to set up a network bridge? i can only find garbage online which are all very different and confusing so i'm really stuck?
01:14 < tds> batch: what os/distro is this on?
01:14 < batch> trying to use systemd-networkd and archlinux-ARM
01:15 < batch> hope that's not an issue tds..
01:15 < rewt> by bridge, do you mean have multiple network interfaces join their respective networks so as to appear as 1 big network?
01:15 <+catphish> it's a less common distro than usual :)
01:15 < tds> ah, I could tell you how to do it with old fashioned ifupdown config, but not with systemd-networkd, sorry :/
01:15 < batch> well rewt let's say i want to create something like this: https://www.glennklockwood.com/sysadmin-howtos/rpi-wifi-island.html
01:15 <+catphish> i can tell you how to do it with debian, or manually, but not with systemd
01:16 < tds> though that does remind me, I need to fix my network-manager bridge config on my desktop...
01:16 < batch> tds well maybe that's a nice beginning though
01:16 <+catphish> making a bridge is trivial to do manually with "brctl"
01:17 < batch> catphish i'd love to hear about it
01:17 < tds> that page looks like it's just routing between the networks, rather than bridging
01:17 <+catphish> brctl addbr br0; brctl addif br0 eth0; brctl addif br0 eth1
01:17 < rewt> batch, so essentially using a pi to connect multiple wired devices to wifi
01:17 <+catphish> basically make the bridge, add the interfaces, done
01:18 < batch> rewt yeah exactly
01:18 <+catphish> batch: oh, you don't want a bridge at all
01:18 < rewt> a straight bridge may not work in that case -- some wifi APs don't like multiple devices on the same wifi link
01:18 < batch> but i wanna switch between a wireless and a wired profile so i'll be using more upstream interfaces
01:18 < batch> ewh
01:19 <+catphish> rewt: no wifi AP will support this without special wds config afaik
01:19 <+catphish> anyway, you need routing, not bridging
01:19 < rewt> i have heard of some cases where it works, but haven't seen it myself
01:20 < batch> i made the routing work once
01:20 < batch> but then i rebooted and the iptables were gone
01:20 < batch> didn't note them down
01:20 < batch> :'(
01:20 <+catphish> batch: simplest way is with masquerading
01:20 <+catphish> enable ip forwarding, then just apply a masquerading rule to your upstream interfaces
01:21 <+catphish> oh, that's what the guide linked above advocates :)
01:21 < batch> ix.io/17g8 like that?
01:21 <+catphish> although that guide is poorly written
01:21 < batch> i tried this but seems like it's really not enough at all
01:22 < batch> and yeah
01:22 < batch> seems like nobody is using stuff like this in 2018
01:22 < rewt> batch, -o xwan0 for MASQ, and both FORWARDs can be ACCEPT
01:23 < rewt> (without the state stuff)
01:23 < batch> orly
01:23 < batch> hmm
01:23 < tds> or if you're lazy and trust all the interfaces, just don't bother with any forward rules and set the chain to allow ;)
01:23 * batch tries
01:23 < rewt> or that
01:23 < batch> -j ALLOW ?
01:23 < rewt> yes
01:23 < rewt> no
01:23 < rewt> ACCEPT
01:24 < batch> :p
01:24 < tds> ...actually, in their guide they added forward rules but don't have any reject/drop rules
01:24 < tds> lol
01:24 < rewt> iptables -A FORWARD -P ACCEPT
01:24 < rewt> hmm no
01:24 < batch> i'd like to learn iptables in detail but i feel like that'll really take weeks.. idk lol
01:24 < rewt> iptables -P FORWARD ACCEPT
01:25 < tds> if you're modifying /etc/iptables/rules.v4 (for iptables-persistent on debian, not sure about the arch equivalent), you can just edit the chain definition at the start of the table
01:29 < batch> now also what route do i actually need to add
01:29 < batch> i bet i'm missing too much crucial stuff in my idea
01:30 < rewt> just make sure you have different subnets on each of the pi's interfaces
01:30 < rewt> and have it act as a dhcp server for the wired one
01:30 < batch> i'm having internet connection 192.168.1.10 as xwan0 and 10.0.0.1 as xlan0 making the new network for the wired devices to it
01:31 < rewt> that works
01:31 < tds> do you have control over the router on the 192.168.1.10 network?
01:31 < batch> yes
01:31 < tds> if you can add a static route on that, it would be much nicer than using NAT :)
01:32 < batch> oh hmm yeah but i want it to be a portable project so i guess that's no usecase here
01:32 < tds> ah yeah, you probably just want to do the iptables nat rules then
01:33 < rewt> also note that this way, the xlan0 devices can only communicate with the wifi router (and beyond), not with any other devices on 192.168.1.*
01:33 < batch> what really? without isolating it?
01:34 < batch> what era are we living in pfff
01:34 < batch> :p
01:34 < tds> an era where everyone deploys ipv4 and nat44 everywhere, rather than proper routed ipv6 ;)
01:35 < rewt> there's no route on the 192.168.1.* devices for the packets to find their way back to 10.0.0.*
01:35 < djph> tds: so, the last 15 years then? :D
01:35 < Terminus> tds: way too many servers still not on ipv4. also, my ISP still hasn't gotten on the ipv6 bandwagon. >_<
01:36 < Terminus> off the top of my head, the only common services that have ipv6 are google, facebook, and netflix.
01:36 <+catphish> i hope generic routers will support ipv6 PD both as client and server
01:37 < Terminus> and i can't use my ipv6 tunnel with google or else it will think i'm in SG which is definitely not correct.
01:37 <+catphish> so that people can easily spawn child networks without having to mess with routing
01:37 < tds> the software support for PD generally seems pretty bad at the moment
01:37 < batch> PD for PissDrunk?
01:37 < Terminus> catphish: LOL it's a race to the bottom with CPEs here. they've already cut out bridging. ugh.
01:38 < tds> it's a complex one to solve, updating any delegated prefixes to other routers, deprecating the old RAs, updating dns/whatever, dhcpv6, etc
01:38 < batch> ooh prefix delegation
01:39 < rewt> i wonder if android will ever support dhcpv6
01:40 < Terminus> first thing i want to see solved is native RDDNS with win10.
i don't really like the idea of using dhcpv6 when router advertisements are good enough.
01:40 < tds> Terminus: oh, is that still not implemented yet?
01:40 < tds> I guess that would explain why dns stopped working in my windows VM
01:41 < Terminus> tds: AFAIK, no. there's a 3rd party RDDNS client for windows though.
01:43 < Terminus> durrr... it's RDNSS. these initialisms always confuse me.
01:44 < Terminus> tds: i may be wrong. i'm seeing conflicting reports about it but as i'm on a mac right now, i can't check. i'll check again when i'm on my desktop.
01:44 < tds> ah yeah, just checked that VM, I had to set a static one :/
01:56 < genewitch> I am ip 10.1.1.1, server is 10.2.2.2, docker on there is 172.17.0.3 . I get on 10.1.1.1 and ssh to 10.2.2.2 -p 22, i want that to go to sshd on 10.2.2.2. anyone else connects to 10.2.2.2 -p22 gets redirected to 172.17.0.3:2222 - existing iptables http://projectftm.com/#r4RCrTIOm9H3Jc1Hob1hkw <-here
01:58 < genewitch> how do i do that?
02:05 < xamithan> Just do a regular forward rule and use the source of 10.1.1.1
02:05 < xamithan> Then do another rule below it the same way but without the source
02:10 < kremator> guys, theoretically, which is the maximum bandwidth available through coaxial cable in its latest iteration?
02:11 < kremator> obviously, in ideal conditions (a.k.a never in real life)
02:12 < Kyosh> umm
02:12 < Kyosh> 300Mbps?
02:12 < Terminus> tds: just checked here as well. no RDNSS on win10 1803.
02:12 < djph> kremator: "it depends"
02:12 < xamithan> Wouldn't that depend on the type of coax ?
02:13 < djph> type of coax, what you're transmitting over it, encapsulation thereto
02:13 < kremator> Kyosh: what, is coaxial able to pull that?
i thought the maximum for it was something along the lines of 10 Mbps
02:13 < djph> I mean, you use coax as antenna leads on PTP microwave, and that can run ~gbit
02:13 < xamithan> This looks pretty good for coax, 10.1Gbps: https://www.zdnet.com/article/nokia-gets-10gbps-symmetrical-speeds-off-hfc-in-lab-test/
02:13 < kremator> xamithan, djph, that's why i specified in its latest "iteration" or its newest type of cable
02:14 < djph> kremator: "coaxial" cable is simply a cable with two conductors along the same axis.
02:14 < kremator> djph: oh
02:14 < Terminus> i was about to say that coax as far as i know has always maxxed out at 10 mbps and 802.3 deprecated it back in 2011.
02:15 < Terminus> that's for 10base2 though.
02:15 < xamithan> There is some coax that does over 1Tbps
02:15 < djph> Terminus: that was more an issue of the design of "Ethernet over Thinnet" than anything.
02:15 < kremator> djph: well, idk if you know it, but i was referring to the cable that used to be used to transmit TV signals (as well as internet in the 90's)
02:15 < xamithan> So it does really depend on a LOT of factors
02:15 < djph> (or was it ethernet over Thicknet ... but meh)
02:15 < kremator> that cable here is called "coaxial cable"
02:15 < Terminus> twinax can do 10 Gbps but that's twinax, not coax.
02:15 < kremator> i think it's called thickwire and thinwire properly but idk
02:15 < djph> kremator: yes, that is "coaxial" cable. And again, you're asking the wrong question.
02:16 < kremator> djph: care to elaborate please
02:16 < Terminus> even if we're talking coax, the other question is what kind of coax? https://en.wikipedia.org/wiki/Coaxial_cable#Standards
02:16 < djph> kremator: RG6/RG59 is used all over the place.
The throughput depends on the baudrate, and symbolrate
02:17 < djph> I mean, that's like asking "how much throughput does the air have"
02:18 < kremator> ok i got that, then im fucked up because i do not know the type/revision used in rural US
02:18 < kremator> semi-rural*
02:18 < djph> ... anywhere from "11mbps" (802.11b) to 1+ gbps (802.11ac)
02:19 < kremator> welp
02:19 < djph> kremator: what information are you *really* looking for?
02:20 < xamithan> Probably just the docsis 3.1 specs
02:20 < xamithan> Which all rural US cable uses nowadays
02:20 < djph> xamithan: "probably" ... but who knows :)
02:20 < kremator> djph: i was just asking with some folks in another channel how it was possible in rural US to get such fast speeds (5-10 MBps) with a 90's coaxial cable platform
02:21 < djph> because 10 MBps is 80 mbit, and well within the spec of docsis 3.0
02:21 < xamithan> 90s coax could do 100mbps easily
02:21 < kremator> djph, xamithan, shit, i didn't know, ty for the clarification and the enlightenment
02:22 < djph> https://en.wikipedia.org/wiki/DOCSIS
02:22 < djph> really, the only reason that "coax" died off was "cat5e is easier to work with"
02:22 < kremator> djph: "died"
02:23 < kremator> it's not like half of the "last mile" platform in US does still use it
02:23 < Terminus> so far i'm not seeing coax media converters go beyond 100 mbps.
02:23 < djph> died off in ethernet applications
02:24 < kremator> djph: oh ok
02:24 < djph> OFC coax is used in other applications every day
02:24 < kremator> djph: yeah because for outdoor, they do use either fiber optic or twisted pair right?
02:24 < djph> Terminus: "Ethernet" media converters?
02:25 < djph> kremator: depends on what you mean by "for outdoor". Cat5e (and later) UTP/FTP cabling took over in the mainstay of ethernet applications. Fiber is also a big player.
02:26 < djph> twinax cabling is getting pretty common in between switches in the same rack
02:26 < xamithan> They used RG11 or some thick gauge for outdoor wiring here
02:26 < Terminus> djph: yup.
02:27 < xamithan> I think all inside is RG6
02:28 < wallbroken> hello
02:28 < wallbroken> how could the "workgroup" name be useful?
02:28 < Terminus> in any case, i doubt i'll ever need to transmit digital signals over coax.
02:28 < wallbroken> some host must be on the same workgroup to communicate?
02:29 < djph> Terminus: because "ethernet". They never took the signalling past fast-ethernet (although, at least according to the spec, RG5/RG6 should be fairly decent at the ... whatsit 250 MHz carrier rate for cat5e)
02:29 < djph> wallbroken: it's effectively a "light domain" for windows PCs.
02:30 < Terminus> djph: also we skipped over DOCSIS here and went straight to GPON.
02:30 < wallbroken> i just set different workgroup for two hosts
02:30 < wallbroken> but they can still reach each other
02:30 < wallbroken> so, how is it useful?
02:30 < djph> Terminus: yeah, PON is nice
02:30 < djph> wallbroken: they should(tm) be in the same workgroup
02:31 < djph> but different workgroups won't prevent them from working
02:31 < wallbroken> please can you explain better with an example?
02:31 < Terminus> the progression of the majority of internet connections here went dialup -> ADSL -> GPON
02:31 < wallbroken> being in two different groups, each client can reach the other one
02:32 < kremator> Terminus: ADSL is great for countries that are not wastelands, once the country becomes a wasteland, the ADSL cables (twisted pair) are the first thing to get stolen
02:33 < genewitch> iptables -t nat -A PREROUTING ! -s 15.5.22.14 -i ens3 -p tcp --dport 22 -j DNAT --to 172.17.0.3:2222 <-- this worked i think
02:33 < Terminus> kremator: oh lol.
one of the big reasons the telco here is deploying fiber heavily is because they're sick and tired of copper being stolen to the point that poorer areas may get fiber first.
02:33 < djph> wallbroken: the workgroup is "supposed to(tm)" make some things easier / possible (e.g. autodiscovery), but being in different ones won't stop them from communicating
02:33 < genewitch> i mean, i get the correct sshd, and another machine gets the docker sshd
02:34 < djph> Terminus: oh, you're in Detroit? :)
02:35 < wallbroken> djph, what do you mean with autodiscovery?
02:35 < Terminus> djph: no. philippines actually. =P
02:35 < djph> like seeing things in "network"
02:35 < djph> Terminus: close enough.
02:36 < wallbroken> i'm talking about "workgroup", and not "homegroup"
02:36 < djph> Terminus: although 'poorer areas' ... it's all pretty bad over thataway, isn't it?
02:37 < Terminus> of course now it will take time for people to realize that the cables are fiber and they can't be sold like copper.
02:37 < djph> I'd kill someone if they tried stealing my fibre
02:37 < Terminus> djph: there are some isolated areas that are pretty much first-world environment with cost of living to match.
02:37 < wallbroken> djph, the host can discover the other also being on a different workgroup
02:38 < djph> Terminus: dunno about that. Know some people who work in ... errr ... makati city(?) and $10 was still like a stupid amount of money to them (but then again, maybe that's still a comparatively poor area, hell if I know)
02:38 < Terminus> djph: to be fair, the houses in my area cost 500k USD.
02:38 < kremator> Terminus: good to hear that man, at least the poor do have a faster connection to the biggest info. and education source
02:38 < kremator> Terminus: is that 500k for a house in US a fuckton or cheap?
02:39 < djph> 25 million pesos, eh?
02:39 < Terminus> djph: depends on where in makati. makati CBD is expensive. like 800 USD/mo gets you a 22 m^2 unit to live in.
02:40 < kremator> Terminus: here some of the thieves that tried to steal a backbone line realised those weren't internet cables too late.... after the shock of 5000 AC watts
02:40 < Terminus> restaurants average at 30 USD in makati as well.
02:40 < djph> Terminus: dunno where they live. work with them, and I'd *hope* they didn't live in shitholes
02:40 < kremator> Terminus: where do you live?
02:40 < Terminus> kremator: somewhere in manila.
02:41 < djph> Terminus: but yeah, they were like super crazy like "are you shitting me" when I paypal'd them like $10 or $20
02:41 < kremator> Terminus: oh nice, how are things there?
02:41 < Terminus> djph: it really depends on how you live. the thing is, we do have the option of anywhere from a $1 to $100 meal.
02:42 < Terminus> kremator: heavy traffic as always.
02:42 < Terminus> and now i gotta bring my gf to her office. i'm off.
02:43 < kremator> :/ why now? did her car get broken, or is it just that now you have a stable couple
02:43 < djph> probably more "they only have the one car"
02:43 < koala_man> haha, upgrading to fiber to prevent copper theft. That's awesome
02:43 < kremator> djph: yeah, i know that, but he says like he wasn't riding her to work before so...
02:44 < kremator> koala_man: we tried to do that, until cable guys and the whole ISP realised that they could sell the fiber optic in colombia so..
02:44 < djph> well, it's just shy of 9AM there
02:50 < lorfds> I have a situation where I have started working at a company where the network was treated like it was in someone's basement...1000ft ethernet cable runs between different spots in the warehouse, $3 switches pasting various things together...it's a mess
02:51 < djph> set it on fire and throw it out the window
02:51 < djph> also, 1k ft runs of copper wouldn't work.
02:51 < lorfds> i'd like to try to start logging what's happening on the network to try and unwind the hairball...any thoughts on the best way to start approaching this
02:52 < djph> honestly, if it's really that bad; don't even try. Just rip that shit out and start over.
02:52 < lorfds> unfortunately, i have to disassemble the airplane while it's flying
02:52 < lorfds> which means that I can't start from scratch
02:52 < lorfds> but i want to hone in on the key points of dysfunction
02:53 < djph> fix your MDF, fix the IDFs, fix the hosts
02:53 < lorfds> for example, i have one area that is covered by wireless, but where we are having constant dropouts...i don't know if it's because of the way the wireless network is setup, or if it's the switching/routing, or if it's channel collisions, etc
02:53 < djph> don't try to "unfuck" what's there - write it off. Run new (fiber) between the MDF and IDFs, to new switches, etc.
02:54 < lorfds> we're in the process of doing that...but let's just say i want to "unfuck" it...what's the best software to monitor how fucked it currently is
02:54 < djph> you don't have to tear it all down to nothing
02:55 < lorfds> well...with this we might...it's literally chaos
02:56 < djph> software isn't going to fix the physical problems. It probably won't even help you sort them out (especially with dumb switches)
02:56 < djph> hence the "write it off and just run new backbones"
02:57 < djph> Once your new backbones are in place; work in an IDF at a time, and swap the hosts from the "old network" to the new.
02:58 < djph> fix/map out each IDF as you go
02:58 < djph> last step, walk the building and rip out as much of the now-defunct hardware as you can find.
02:59 < lorfds> what's the price to do a fiber run in a warehouse typically?
03:00 < djph> dunno, but pre-terminated 4-strand is like $100 for 100 meters
03:00 < djph> *pre-terminated OUTDOOR 4-strand
03:00 < lorfds> is this something you can do yourself, or is that a terrible idea?
03:00 < djph> maybe $200
03:01 < cluelessperson> lorfds: yes, use excel
03:01 < cluelessperson> Start at the top, list all the ports, 1-48
03:01 < djph> sure you "can" do fiber yourself, but it's pretty fiddly -- unless you're going to be doing A LOT (like a college campus)
03:01 < cluelessperson> list where each port goes
03:01 < cluelessperson> map out the network
03:01 < cluelessperson> djph: doesn't fiber installation require certification in some places?
03:01 < djph> then it's not really worth the cost to get the kit (so pay the extra and get pre-term ... or hire in someone)
03:02 < djph> cluelessperson: sure, if the *business* wants the install certified ... but since it's "complete fucking nightmare" right now, I think "certified" is the last thing on their minds
03:02 < djph> cluelessperson: or do you mean like an electrician's license?
03:03 < cluelessperson> djph: Some places consider fibre runs to be dangerous
03:03 < djph> cluelessperson: never seen that. but then again, I don't live in California.
03:03 < cluelessperson> djph: a theater owner I contracted for got certified for like $4000, and ran his own lines underground
03:03 < cluelessperson> djph: I was in Texas also. :P
03:03 < cluelessperson> California hospitals are bullshit too
03:04 < djph> that doesn't sound like it was for the "fiber" itself
03:04 < cluelessperson> djph: probably for installing it underground, not sure
03:04 < djph> probably more the "run it underground"
03:04 < djph> obviously, one would need to look into their local laws.
03:04 < cluelessperson> djph: Yeah. He was a drive-in theater owner. The booths are little air-conditioned sheds 300 meters out
03:05 < djph> here, as long as I'm doing "low voltage", I don't need anything special.
03:06 < djph> beyond city permits for the most part (there are one or two places I don't do biz in, because I'm not taking out $10m in insurance when I barely do $2k worth of work over a year)
03:15 < Criggie> genewitch: Mine was a 64 kbyte Hercules mono 8 bit ISA with a parallel port too. It was so expensive, we borrowed it from dad's workmate along with a paper-white screen.
03:34 < Terminus> djph: heh, looks like we're in the same TZ. AU?
03:35 < lorfds> we are running our database in a vm that is also hosting our dns server
03:35 < lorfds> is that a bad idea?
03:35 < Terminus> oh, wait you said "there" meaning here. i thought you were saying it's almost 9AM in your TZ.
03:36 < Terminus> lorfds: yes. what's the point of VMs if you're putting your DB and DNS in a single VM?
03:36 < Terminus> i'd understand if they were related services but DB and DNS are pretty far from each other.
03:36 < Whiskey`> maybe they don't own the bare metal
03:37 < Whiskey`> lorfds: more info required.
03:37 < Terminus> Whiskey`: even if it's on IaaS, they can't spare the $5 for a dedicated DNS instance?
03:39 < Whiskey`> Terminus: well that's what the more info is about
03:39 < Whiskey`> namely, who set it up, so what made them decide to do it this way
03:40 < Whiskey`> but also the "another $5" adds up in a hurry
03:40 < koala_man> DNS is a distributed DB, so let's just put all the DB stuff in one vm
03:40 < Whiskey`> i've got something like 70 $5 instances
03:40 < Whiskey`> koala_man: ha! good man
03:41 < Whiskey`> I like that reasoning, sounds VERY much like a CEO
03:43 < Terminus> Whiskey`: i get that they add up but everything in moderation IMO. =)
03:44 < Whiskey`> For sure
03:45 < Terminus> also, if you're to the point where all the costs add up that you can just run your own infrastructure, i'd say just run your own infrastructure.
03:45 < Whiskey`> If only
03:45 < Whiskey`> I still get ddos's over a gb/s in size
03:45 < Whiskey`> so, nope
03:46 < xamithan> Can't get DDoS'd if the traffic never leaves your infra
03:46 < Whiskey`> all my crap is public facing. anything that doesn't need to be, isn't.
03:50 < Terminus> i wonder how many upstreams you can tell to blackhole the DDoS...
03:51 < Whiskey`> not enough to make it worth my time to deal with
03:51 < cluelessperson> koala_man: I'd like to download ALL dns possible
03:51 < cluelessperson> if that's possible
03:52 < Terminus> well your costs don't make it worthwhile to implement your own infrastructure yet then. =)
03:52 < cluelessperson> I want the ability to search through all example.coms and find what's available
03:52 < cluelessperson> rather than relying on other shithole companies
03:55 < Whiskey`> Terminus: it's got the other direction. my time is worth MORE than it takes to manage it
03:55 < Whiskey`> gone*
03:55 < Whiskey`> so it saves me time by just farming it out
03:56 < Terminus> cluelessperson: you could start with https://www.iana.org/domains/root/db but what you're trying to do sounds like a lot of work to me.
03:56 < Whiskey`> holy shit i need to stop being up for 30 hours
03:56 < Terminus> Whiskey`: it's all a balance anyway. either do it yourself or pay somebody to do it for you. up to you which one you go with.
03:57 < cluelessperson> Terminus: why would it be a lot of work?
03:57 < Whiskey`> Terminus: yea. i manage the VM's but i let linode handle all the metal
03:57 < Whiskey`> cluelessperson: because the . db is like 20? TB in size
03:57 < Whiskey`> and that's just root, it's not even any sub's
03:57 < Terminus> cluelessperson: lots of parsing. you also won't get the records under each domain, just the records for the domain itself.
03:58 < cluelessperson> Terminus: well, my goal is to offer a domain searching service.
:)
03:58 < cluelessperson> 20TB isn't a big deal
03:58 < Whiskey`> you want to do this but came here to ask?
03:58 < cluelessperson> Whiskey`: kinda want to, but haven't committed
03:58 < cluelessperson> too much money to commit yet
03:59 < Whiskey`> lol
03:59 < Whiskey`> it's going to be a lot for sure
03:59 < Terminus> Whiskey`: i go with digital ocean myself. got a lot of stuff there. still cheaper than leasing rackspace from a datacenter and buying all the hardware.
03:59 < Terminus> plus all the manpower costs of running it yourself.
03:59 < Whiskey`> Terminus: yea i can't remember why i didn't use them?
04:00 < Whiskey`> and for sure. wife's work moved from gapps to rackspace and shit's been a mess
04:00 < Terminus> Whiskey`: linode was simply on the market first?
04:00 < Whiskey`> i'm not allowed to do anything for them cause i am a family member
04:00 < Terminus> Whiskey`: i mean rack space as in an entire rack, not rackspace the company.
04:00 < Whiskey`> Terminus: might be, i've been with them for ever and a day
04:00 < lorfds> what's the best windows software for monitoring syslog events?
04:00 < Whiskey`> Terminus: yes i know you meant that, it just reminded me of what they did
04:01 < Terminus> Whiskey`: ah...
04:01 < lorfds> i want to run a syslog server on windows
04:01 < Whiskey`> lorfds: a vm running linux.... =)
04:01 < tds> hmm, to me 20TB sounds unreasonably large for a zone file, eg for .com
04:01 < Whiskey`> tds: there is a hell of a lot more than just .com
04:01 < Whiskey`> i said .
04:01 < Whiskey`> so .com, org, net, porn, xxx, what all
04:01 < Terminus> plus you need to keep it all updated.
04:02 < Whiskey`> ^
04:02 < tds> well, if you want the zone file for . it's pretty small
04:02 < Whiskey`> one would assume at least weekly but many times/day would be best
04:02 < Terminus> basically what cluelessperson wants to do is run his own whois server with all data cached on his servers.
04:02 < cluelessperson> Whiskey`: Dude, 10-20TB of NVME caching, 100GB of ram, and 50TB of HDD storage is no probabaly
04:02 < cluelessperson> no problem*
04:03 < cluelessperson> that's like $20,000, easy startup for a company
04:03 < Whiskey`> cluelessperson: no that's a pretty simple deal, 10k or so in hardware
04:03 < cluelessperson> Whiskey`: yeah, it can definitely be done
04:03 < Whiskey`> you're going to spend more for hosting and racking those boxes
04:03 < cluelessperson> Whiskey`: or I can buy them and host them myself
04:03 < Whiskey`> cause you are not going to get by with just a gige
04:03 < Whiskey`> got 10gig at home?
04:04 < cluelessperson> Whiskey`: 1G, but I think I can get 10G
04:04 < Terminus> lol 10GB at home. that shit needs rack space at equinix, etc.
04:04 < Whiskey`> or some place damn close
04:04 < cluelessperson> Terminus: 10G is delivered to my apartment
04:04 < cluelessperson> Terminus: might even be a 100G line
04:05 < Whiskey`> that doesn't mean it is available to you
04:05 < cluelessperson> sure
04:05 < Terminus> cluelessperson: and how many networks can you peer with?
04:05 < cluelessperson> Terminus: dunno
04:05 < Whiskey`> 0, maybe 1
04:05 < tds> sure, but if you want to run a reliable service have you got redundant diverse 10G feeds, multiple power feeds, cooling, etc?
04:05 < Whiskey`> and that isn't even talking site diversity
04:07 < Whiskey`> might as well spin up some aws buckets
04:07 < Whiskey`> and leave them unsecured
04:08 < Terminus> cluelessperson: if you really want to give it a go, go download the root zone from verisign using the URL i gave you earlier and start parsing.
04:09 < tds> that's not really any use, you'll need to get zone files from every tld you're interested in finding domains for
04:09 < Terminus> verisign handles .com so go there.
04:10 < Terminus> tds: the link i gave him has all TLDs. he needs to start somewhere.
04:10 < tds> yeah, there's a form somewhere
04:11 * dogbert2 got his synology DS218+ today from the amazon locker :P
04:11 < Terminus> nevermind. apparently http://www.internic.net/domain/root.zone is the entire thing.
04:13 < tds> for .com, this is the form you want: https://www.verisign.com/assets/zonefile_access_request_form.pdf
04:13 < Whiskey`> heh
04:14 < Criggie> dogbert2: you got me all excited - I thought it was an 8 drive SAN
04:14 < Criggie> it's a little 2 drive jobbo.
04:14 < dogbert2> yeah...but I don't need more than a RAID-1 unit for home use :P
04:15 < Whiskey`> ....
04:16 < Criggie> dogbert2: heh I like the synology stuff for its "just bloody works" features.
04:16 < Criggie> My parents have one that runs a h264 camera.
04:16 < Terminus> also it's bloody slow for anything other than file sharing. XD
04:16 < Criggie> yeah you wouldn't confuse one with a proper san
04:17 < dogbert2> yeah...that's why I bought it...don't want to fuss and mess with it...just need to pick up 2x6TB or 2x8TB HDD's a week from Friday at Fry's
04:17 < Terminus> mainly my frustration with how much time it takes to process my clicks on its admin panel.
04:17 < dogbert2> which one do you have Terminus
04:17 < Criggie> yeah the webgui is always lethargic
04:17 < Terminus> dogbert2: don't have one. i was configuring it for another guy. can't remember the model.
04:17 < Criggie> The parents' one spent ~4 months analysing their photos.
04:17 < dogbert2> that's something they can improve on :P
04:18 < Terminus> for home use, my desktop is already up all the time. i just need HDDs and i can just share files from it. should save me the cost of a separate NAS.
04:18 < Terminus> i just don't have $1k USD for HDDs right now. haha
04:19 < Criggie> yeah - the nas will use less power than a desktop
04:19 < Terminus> not if desktop is already running all the time.
04:19 < Terminus> also, modern desktops are really power efficient.
04:20 < Criggie> whatever power the desktop uses, the nas will be lower.
04:20 < Terminus> my point is, desktop only is cheaper than desktop + NAS in terms of power for me. =P
04:20 < dogbert2> with everything running, the draw against the UPS is 110 watts
04:20 < Criggie> true - I thought you were replacing.
04:21 < Terminus> besides, i wouldn't buy a damned synology.
04:21 < Criggie> I think the `rents one is 19W operating and about 4W not spinning.
04:22 < dogbert2> probably draw about 2.2-2.5 kWh a day
04:25 < dogbert2> to run the computer for a month plus all the other gear comes out to about 6-8 bucks a month
04:35 < lorfds> what does "ARP cache poisoning - conflicting SNOOP entry found" mean?
04:41 < Criggie> lorfds: not sure what kit you're using, but multiple different MAC addresses are claiming to own the same IP address. Could be innocent, like an apple device using one IP on its wired and wireless interfaces, or it could be malicious.
04:42 < CuriousMind> Hi I am back from school
04:52 < lorfds> https://paste.debian.net/1023781/
04:52 < lorfds> how would i debug this?
04:52 < lorfds> or do i have to?
05:00 < dogbert2> LOL...drug testing policies have gone to pot as companies battle for workers
05:01 < tds> lorfds: try and locate the devices using the mac addresses, if they're both set to use the same IP then fix it
05:03 < lorfds> ok thanks...what does this mean: %DATAPLANE-4-DOSATTACK: BAD_PACKET: Bcast/Mcast ICMP not allowed?
05:04 < purpleunicorn> Can someone help me set up znc bouncer from the source website
05:05 < tds> lorfds: I'm not familiar with whatever is generating that message, but it sounds like something is sending out broadcast traffic and being blocked
05:08 < lorfds> i can remote into the box....how would i figure out where the broadcast traffic is coming from?
05:09 < lorfds> i tried netstat -a
05:09 < lorfds> but not really sure what im looking fo
05:09 < lorfds> r
05:09 < tds> for linux you can just use tcpdump to capture traffic
05:10 < lorfds> one entry has listening on 127.127.127.127:3939
05:11 < lorfds> that seems bizarre
05:11 < moriarty> https://www.csoonline.com/article/3269871/security/bitcoin-network-3-to-10-times-more-evil-than-the-rest-of-the-internet.html
05:12 < tds> lorfds: could be some kind of rdp server (eg xrdp), netstat -p (you may need to run it as root) will tell you what process it is
05:13 < lorfds> tds: i am remoted into that machine...so that makes sense
05:15 < rewt> sounds like you need to stop using that "hack detection kit" or w/e because it's way too paranoid
05:37 < purpleunicorn> can anyone help me get the bouncer on my server
06:07 < whatsupdoc> Hi, can someone explain to me why selective repeat needs an extra bit?
06:12 < Criggie> whatsupdoc: sorry - I've never heard of it.
07:02 < cluelessperson> hm
08:08 < Project86__> I'm setting up a wan pentesting test lab. If I want to use VPN to route the traffic and payloads and whatnot through. Do i use server side, or client side to perform attacks?
08:08 < energizer> my home wifi is terrible, what hardware should i get?
08:10 < Project86__> energizer: a diff isp
08:10 < energizer> Project86__: not available
08:25 < energizer> alright my working theory is that my wifi goes down when im uploading a lot of data
08:26 < energizer> router's fault?
08:26 < detha> your fault - if you hadn't uploaded so much data the wifi would have kept working
08:27 < energizer> good point
08:27 < detha> define 'down'. Other devices are also disconnected?
08:27 < energizer> yeah
08:28 < detha> What make/model is the access point?
08:31 < energizer> detha: TP-Link AC1750 Archer C7
08:32 < energizer> this one https://www.amazon.com/TP-Link-Archer-AC1750-Smart-Router/dp/B00BUSDVBQ
08:33 < masber> good afternoon, my iptables rules are blocking traffic from my local computer 129.94.15.158 to 129.94.72.19:9995, could someone please help me to understand which rule is rejecting it? https://bpaste.net/show/0779f1fb3fb0
08:33 < detha> energizer: no particular experience with that, but 'generic multi-purpose device' by the looks of it. Do you see it rebooting or things like that?
08:34 < detha> masber: iptables -vvnL shows hit counters, see which one is increasing when something is being blocked
08:35 < energizer> detha: nope
08:36 < masber> detha, ok! thanks I found it
08:36 < detha> energizer: do you have anything connected on the ethernet side? try pinging the router (and things internet) from the ethernet side, then replicate the problem; see if that side also disappears
08:37 < energizer> detha: ok ill give that a shot
08:37 < detha> masber: one of those /26 rules?
08:38 < masber> detha, nop, there are some REJECT rules that didn't show in my previous command. This is the one causing the problem: 127 9503 REJECT tcp -- eth2 * 0.0.0.0/0 0.0.0.0/0 tcp dpts:1024:65535 reject-with icmp-port-unreachable
08:39 < energizer> detha: are there any routers you'd recommend for home? im not really in the know here
08:45 < detha> energizer: I generally stay away from recommending things, it depends a lot on what you need it for.
08:46 < energizer> detha: fair enough
08:47 < detha> In the 'plastic multi-purpose device', no preference. one step up is mikrotik or ubiquiti, after that come things where you 'have to speak to the VAR, and if you need to ask the price you cannot afford it'
08:48 < energizer> are "mesh systems" worth looking at?
08:49 < energizer> eg https://www.amazon.com/dp/B072ZN4PSB
08:50 < detha> 'it depends'. if you have a bunch of people all watching HD video and copying movies over wifi, probably yes. For a one- or two-person household probably no. But those are rule-of-thumb, there are exceptions
08:50 < energizer> ok
08:50 < energizer> thanks
09:14 < regdude> Hi! Can someone name protocols that rely on broadcast MAC address? I can think of DHCP and ARP, but there are a lot more
09:14 <+pppingme> regdude you get mostly out of the IP world'
09:17 <+pppingme> regdude is this ##homework ?
09:17 < regdude> ppingme: no
09:17 < regdude> LANtastic - that is an interesting name
09:29 < AlexeyX> Hi there! Who knows about pureftpd? ChrootEveryone is disabled, but user in chroot (
09:36 < AlexeyX> Is it possible to exclude from chrootEveryOne only one user?
09:53 < regdude> AlexeyX: dont do this, but try adding a soft link to the root in that directory
09:53 < regdude> a very bad fix
10:10 <+xand> AlexeyX: if you want security don't use ftp
10:38 < Atro> Anyone has any clue about palo alto and SFP's?
10:41 < at0m> Atro: "anyone" doesn't usually buy you any help. be more specific.
10:42 < Atro> at0m: nevermind, i had a struggle with Palo Alto's idea of "not supported", due to the vagueness of its output
10:42 < Atro> but it seems to be working now, so its not needed anymore
11:27 < cluelessperson> Hey guys, I need help against someone bad, and I'd like to use wireshark to try and capture a full HTTPs session including in browser shared keys
11:27 < cluelessperson> I hope to be able to record the stream in entirety as a legal proof
11:27 < shtrb> detha, https://www.theverge.com/circuitbreaker/2018/5/7/17327584/edge-computing-cloud-google-microsoft-apple-amazon you were saying something about FEPs few hours ago ?
11:28 < shtrb> cluelessperson, you need to also be able to decrypt it (your browser may support SSLKEY export)
11:29 < shtrb> cluelessperson, check SSLKEYLOGFILE for your system so you could decrypt the data
11:32 < djph> cluelessperson: this session - is it going to be made with keys that you own (i.e. the destination server is yours)
11:32 < cluelessperson> shtrb: where's SSLKEYLOGFILE ?
11:32 < cluelessperson> djph: sure
11:33 < djph> then install the keys in wireshark (they've got a howto in their wiki).
11:33 < shtrb> cluelessperson, it's an env variable you set up to be able to decrypt SSL/TLS traffic
11:33 < detha> shtrb: interesting, thx. The cycles of centralization/decentralization. This time with a difference, power usage and compute are decentralized, control stays centralized.
11:34 < grawity> how do you define 'compute' as a noun, though
11:34 < shtrb> We only need ISPs give us power on wire to run our equipment
11:34 < grawity> I mean I kinda get it, but it still tickles my parser in the wrong way
11:35 < shtrb> just imagine, if we could get 12V/90V over the phone lines that could power our modems/routers
11:35 < detha> grawity: the word means what management wants it to mean....
11:36 < shtrb> cluelessperson, like here https://jimshaver.net/2015/02/11/decrypting-tls-browser-traffic-with-wireshark-the-easy-way/
11:36 < detha> shtrb: remember the days of POTS? When the CO powered all phones?
11:36 < shtrb> cluelessperson, just remember to create the file and verify before you start
11:37 < Apachez> shtrb: https://www.youtube.com/watch?v=nm6DO_7px1I
11:37 < Kryczek> shtrb: aren't phone lines 50V?
11:37 < Apachez> 48V
11:37 < Apachez> but its shitty amount of current
11:38 < Apachez> and many phonelines are like kilometers in length
11:38 < Apachez> and are being removed currently
11:38 < Apachez> so nope
11:38 < Apachez> a dead end
11:38 < djph> IIRC, it's 12v standby, 48v for the ringer
11:38 < shtrb> now it's just IP and then a fancy sip client in a box
11:38 < Kryczek> Apachez: apparently 48V is US, others have 50V :P
11:38 < Apachez> I think its 48V around here too
11:38 < Apachez> which is why the stations are DC powered at 48V
11:39 < shtrb> Kryczek, the ring is 90V
11:39 < shtrb> *was
11:39 < djph> and technically, it's -48v; so the copper doesn't corrode
11:39 < grawity> TIL
11:39 < djph> or something like that
11:40 < Kryczek> Apachez: why are phone lines being removed? Don't they need them for DSL?
11:41 < grawity> Kryczek: I think Apachez meant specifically in areas where FTTH has been rolled out already
11:41 < djph> grawity: nah, AT&T is letting the copper rot on the poles if that's the case
11:41 < djph> grawity: I mean, new shiny fiber, but if you don't get the ftth service, the copper's still there
11:45 < shtrb> Shouldn't FTTN give us power ?
11:45 < shtrb> *what comes after the fiber
11:47 < Apachez> Kryczek: not around here
11:47 < Apachez> phonelines cost to maintain over time
11:47 < Apachez> and since the government phonecompany went private owned they dont care about long term stuff
11:48 < Apachez> telia tries to kill all phonelines where possible and replace with broken 3G/4G instead
11:48 < shtrb> 5G is going to change all of that
11:48 < Apachez> doing stuff over the air is shitty when you need latency and reliability
11:48 < Apachez> its a nice redundancy however IF the lines go poff
11:49 < Apachez> whats shitty with 3g/4g is that as soon as you have a powerfailure the cellnetwork dies within minutes
11:49 < Apachez> and you get connected to some 2G transmitter miles away
11:49 < shtrb> but wireless has its benefits , you really hate all the kids using their phones and playing games ? just use a jammer or pray for a thunderstorm
11:49 < Apachez> along with the other 100k users
11:49 < shtrb> 2G still exists ?
11:49 < Apachez> so visiting the powercompany status page is like below 1 kbps
11:49 < Apachez> yeah masterstations still use it
11:50 * shtrb wonders if people would start leeching on the power like they did when they lived near power lines in the past
11:50 < Apachez> you mean from the phonestation?
11:51 < Apachez> they had circuits to kill the wire if there was no ongoing call
11:52 < shtrb> Apachez, no , in the past (think 1960s ) if you lived near a power line sometimes they could use some electrical appliance without physically connecting to the tower
11:52 < Apachez> personally I would prefer smaller phonestations with ups power and diesel and then fiber to those
11:52 < Apachez> this way you can still use alarmsystem and eldersystems (whatever they are called in english)
11:52 < Apachez> along with having fiber at the same time to your home for the bulk traffic
11:53 < Apachez> shtrb: yeah utilizing magnetism they produce near ground
11:53 < Apachez> of course the power companies claimed this was perfectly safe
11:53 < shtrb> and I think I seen some "project" that utilized wifi to power some leds
11:53 < Apachez> but went nuts when people drained the lines this way :D
11:54 < shtrb> I wonder if people tried , if your radio is on my property I can use it
11:54 < Apachez> https://www.youtube.com/watch?v=ZyfXvFicp8M
11:54 < Apachez> some nutty ukrainians or wherever they come from
11:54 < Apachez> many good clips on power :)
11:55 < Kryczek> Apachez: ah sorry to hear :/
11:56 < shtrb> wtf ? a Nokia powered from thin air
11:56 < Apachez> https://www.youtube.com/watch?v=hvQ9H9K7XeM
11:56 < Apachez> shtrb: it's not thin air
11:56 < Apachez> you stand in an electrical magnetic field
11:57 < shtrb> I know , but it looks like that if you don't know about it
11:57 < Apachez> the same principle as how your electrical tooth brush charges
11:57 < shtrb> It looks like a cool project to show the school kids
11:57 < Apachez> also the power lines need to be in a bad configuration for this to happen
11:58 < Apachez> you can minimize the magnetic output by arranging the 3 phases in a triangle with a ground in the middle of it
11:58 < Apachez> or have a ground cable to run along with the powerline
11:58 < Apachez> the latter is done in cars to minimize magnetic fields
12:05 < Kryczek> Apachez: maybe it still happens in that configuration? I knew the fluorescent tube trick, I thought everyone knew so I guess it's quite common?
12:06 < Kryczek> e.g. https://www.youtube.com/watch?v=J5PKoNYRm9M
12:06 < Apachez> http://hillaryclintonillness.com/ :D as seen on john oliver...
12:16 < cluelessperson> Hey people
12:16 < cluelessperson> djph: https://jimshaver.net/2015/02/11/decrypting-tls-browser-traffic-with-wireshark-the-easy-way/
12:16 < cluelessperson> djph: that works :D
12:42 < mAniAk-_-> ofc it works
13:33 < djph> goddammit, openssh & openssl-crypto; I hate the both of you
13:35 < djph> ... oh, and rhel, and the qa team
13:35 < bezaban> damn you electrons!
13:38 < djph> nah, I like them
13:38 < bezaban> aaall of them?
13:39 < shtrb> djph, just switch prod and testing systems
13:39 < djph> bezaban: well, at least the ones whipping around to make this mess all work.
13:39 < djph> shtrb: the funny thing is, then test would work; and prod wouldn't
13:39 < bezaban> they are mostly well trained
13:41 < djph> the BEST part of that is, prod actually uses the crypto libs / GEX moduli we (well, *I*) want it to.
13:46 < djph> also, damn everyone with "engineer" in their title who I've had to hand-hold through "this shit is wrong - it needs to do this other thing"
13:48 < djph> okay, I feel bet... wait, where'd my coffee go?!
13:48 < mast> My coffee has a strange taste today.
13:49 < djph> maybe you need something stronger to get the taste of hooker spit out
13:49 < Apachez> too soon djph
13:49 < Apachez> too soon...
13:50 < shtrb> let them play the floor is lava
13:50 < shtrb> (hope we're not in Hawaii )
13:50 < djph> shtrb: only if we can fly to Hawaii first.
13:50 < mast> And the goddamn cream's gone bad
13:51 < Apachez> creams?
13:51 < Apachez> around here that shit isnt allowed to be called cream
13:51 < Apachez> so they named it "white"
13:52 < Apachez> "coffee with white"
13:52 < Apachez> thought first some black live matters looneytics was around
13:52 < mast> But couldn't that be powdered as well?
13:53 < Apachez> sure if its real cream
13:53 < Apachez> but this shit doesnt even come from a cow
13:53 < Apachez> only stuff coming from a cow is allowed to be called cream
13:55 < mast> I've started using 35% cream
13:56 < MrNaz> Does Cisco use their software licensing regime to force people to upgrade their networking equipment ?
13:56 < MrNaz> What happens to your network equipment when your software license expires?
13:56 < mast> It usually gets sold on eBay
13:56 < dogbert2> hey Apachez
13:57 < Apachez> hi diggybert
13:57 < Apachez> MrNaz: you do the math
13:57 < dogbert2> lot of used network gear out there (perfectly good gear, btw)
13:57 < Apachez> I prefer gear which doesnt need licenses just for updates
13:57 < dogbert2> got my Synology DS218+ NAS yesterday from the amazon locker :P
13:58 < mast> There was a deal on them recently yeah?
13:59 < shtrb> Apachez, do you also call coffee by its colour ? black /brown/mocha/pink etc
14:00 < shtrb> Apachez, and how do you feel about almond milk ?
14:01 < Apachez> shtrb: you mean shitty water you get out of smashing almonds in water?
14:01 < Apachez> well whatever floats your boat
14:01 < Apachez> its still not cream
14:01 < Apachez> and hence not allowed to be called cream
14:01 < mast> HAha
14:02 < zzero1> when did the juniper srx220 and srx320 first come out ?
14:02 < Apachez> arent they eol by now?
14:02 < Apachez> so ehm 2010 or so?
14:03 < shtrb> You can't use expired cisco equipment (post EOL) ?
14:03 < Apachez> sure
14:03 < Apachez> but you dont get updates
14:03 < Apachez> and its a bad thing to use gear filled with backdoors
14:03 < Apachez> that went public
14:03 < shtrb> You mean like intel cpu not being updated (five year old ones )
14:04 < Apachez> and whatelse
14:04 < shtrb> it was a nab on intel not fixing a bug in their older cpus
14:04 < shtrb> fuck they should replace the cpus with a fixed one
14:05 < Apachez> funny note, there is a speech about backdoors in early huawei products... these were based on "stolen" code from cisco... not many words out on that the very same backdoors also existed in cisco products...
14:05 < mast> Soon my obnoxious offer on this ibm server will be rejected
14:05 < dogbert2> LOL - listening to "Because I got High"
14:05 < mast> And then I can move forward with my life
14:06 < dogbert2> though there is a lot of decent network gear for labs and stuff on amazon and ebay
14:06 < mast> I bought an ibm x3650 m3 for $38 last month
14:07 < mast> Which will not happen a second time
14:07 < dogbert2> Joseph Stalin: I was gonna feed the people
14:07 < dogbert2> , but then I got high
14:07 < mast> I was going to let them out of the Gulag, but then I got high
14:08 < sliddis> Are there any cons to using 40Mhz wide channels on wifi if I can manage to get them non-overlapping in my environment?
14:08 < regdude> there is also a lot of decent networking gear for free... in GNS3
14:08 < djph> sliddis: less energy density than 20 MHz, so range may suffer
14:08 < djph> sliddis: also more open to interference
14:08 < regdude> not all devices support 40MHz properly
14:09 < djph> regdude: ehh, if they're 5 GHz, they'd better
14:09 < dogbert2> hey djph
14:09 < djph> 'sup dogbert2
14:09 < sliddis> Ok this is a macOS/iOS only site with "new macs"... 2015+ at least. And yes, both radios are set to 5GHz of course :)
14:10 < dogbert2> ohhh...not much...I don't want to get out of this chair, because I got high :)
14:10 < regdude> djph: 5GHz is quite good with 40MHz, but not so good with 2.4GHz
14:10 < sliddis> djph: its a high density setting, so i dont want too much range, since it can cause slow and sticky clients. (i turned up basic rates to fix that)
14:10 < djph> regdude: and he implied "can manage to get them non-overlapping" -- that rules out 2.4 at the gate ;)
14:11 < regdude> I was focusing that as he is installing it in the middle of nowhere
14:11 < djph> er s/implied/stated/
14:11 < sliddis> it is actually in the "middle of nowhere". but again, I am talking 5ghz yeah
14:11 < sliddis> since 99% of todays wifi card drivers will prefer 5ghz most of the time
14:12 < djph> sliddis: Note that it's not a "huge" loss in range (in ideal open air conditions, I think you tend to lose about 25-33% of the range that you'd get at 20MHz)
14:13 < Apachez> for a given tx power
14:13 < sliddis> djph: ok sure. Range won't be the problem here, I believe
14:13 < Apachez> think of the tx power as the area
14:13 < Apachez> if you get twice the width the length will shorten to maintain the same area (tx power)
14:13 < Apachez> or just try
14:13 < Apachez> make sure you limit amount of channel collisions
14:14 < zzero1> Apachez: I think so
14:15 < sliddis> I am more afraid the bandwidth will be a problem to be honest.
14:15 < zzero1> but I wanna know how many years these were sold and supported
14:15 < sliddis> 20Mhz vs 40Mhz
14:16 < zzero1> I wanna know their lifespan in terms of software updates
14:16 < djph> sliddis: huh? why would bandwidth be a problem?
14:17 < sliddis> I mean if I used 20MHz channels
14:17 < djph> sliddis: you'll have 8 (probably) non-overlapping channels
14:18 < djph> at (approx) 150 mbit (802.11n) / 180 mbit (802.11ac) throughput.
14:19 < djph> err s/throughput/PHY
14:19 < djph> or for 40 MHz, approx 300 (n) / 400 (ac) mbit PHY
14:19 < djph> assuming, of course, 2x2 MIMO
14:20 < sliddis> Yeah
14:21 < sliddis> 1Gbps line
14:21 < sliddis> The bottleneck will always be the wifi, but im not sure what the user experience will be going from 40 to 20 mhz channels
14:22 < djph> about double
14:22 < djph> :)
14:23 < sliddis> ;)
14:23 < sliddis> Double happy users sounds good
14:23 < djph> note that it depends on how many clients are on an AP -- I mean, an overloaded AP is still an overloaded AP
14:24 < sliddis> What actually determines the PHY mode? MCS index and channel width?
14:24 < djph> but as long as the AP isn't overloaded, then yeah, the clients will see APPROXIMATELY that things take about half as long to do.
14:24 < djph> sliddis: yep.
14:24 < sliddis> Some of my users are pushing 40GB data per DAY
14:24 < djph> er, maybe a wire then?
14:25 < sliddis> Theyre using only fucking office365. its amazing
14:26 < djph> not that 40G is "a lot" (I mean, you're talking roughly 1600 seconds of airtime (GB -> MB -> mb = 40 * 8 * 1000 = 32000 / 200 = 1600) ... or just shy of 30 minutes.
14:26 < mast> office365 and visits to websites that rhyme with ornhub?
14:28 < sliddis> djph: well, there are about 30 users on the most saturated AP, and each user ranging from 2 to 40GB data.. still both radios on ap running 5Ghz
14:30 < mawk> 32000/200 is 160
14:31 < mawk> but you meant 320000 I guess
14:31 < sliddis> Anyways, why are so many users having so low RX PHY rate? Could that be an indication that the AP TX output is too low?
14:39 <+catphish> i'd suggest there's too many reasons to count, but trying different power levels may be a good idea, no harm setting it high if you don't need to worry about overlapping APs, or roaming
14:40 <+catphish> also, one would want to do the usual steps to reduce interference
14:42 <+catphish> "lots of users" rarely equates to fast wifi, but lots of things worth trying
14:42 <+catphish> i'd also worry less about the PHY rates and more about the actual throughput
15:37 < zzero1> Apachez: I figured as much
15:40 < c|oner> is "some routers give ping lower priority" true, or is it just something cranky old network guys say
15:40 < c|oner> I see that repeated all over the internet like it's some empirical truth, which I guess means it's been baked into people's brains by some cert
15:41 < TotallyNotKim> > it's been baked into people's brains by some cert
15:41 < TotallyNotKim> lmao
15:41 < TotallyNotKim> this is gold
15:41 < mAniAk-_-> c|oner: sort of, there's a difference between traffic through and to a router (or traffic through a router that forces the router to create a response)
15:43 < mAniAk-_-> c|oner: traffic to a router, its control plane, is usually rate limited, not really lower priority but youll have drops, same for traffic through that was dropped that the router sends some icmp response for
15:43 < regdude> wat
15:45 < mAniAk-_-> c|oner: ping through a router can be equal to all other traffic if there's no QoS configured, or it can be rate limited or dropped before other traffic
15:45 < mAniAk-_-> wat wat
15:45 < c|oner> right, I would assume that in most cases for through traffic it wouldn't be given special preference one way or another
15:46 < mAniAk-_-> yep
15:51 < shibumi> anybody using gobgpd here?
15:51 < shibumi> How can I do auto route discovery for VXLAN evpn?
15:59 < drathir> mornin/evenin...
16:04 < cluelessperson> anyone know how to get chrome to stop redirecting http to https
16:04 < cluelessperson> stupid shit
16:04 < cluelessperson> that server isn't even listening on port 443
16:04 < mAniAk-_-> http://stuff
16:06 <+xand> cluelessperson: it wouldn't do that unless it got a 301 or HSTS header before
16:07 < tds> or if it's on the hsts preload list
16:48 <+catphish> cluelessperson: it will only do that if there's a permanent redirect cached, or HSTS
16:49 <+catphish> cluelessperson: clearing the cache will solve the first, but servers with HSTS MUST listen on HTTPS
16:53 < cluelessperson> catphish: thanks
16:53 < cluelessperson> Question about ipv6
16:53 <+catphish> Answer about ipv6
16:54 < cluelessperson> is it suggested to rotate ipv6 addresses in order to obfuscate hosts?
16:54 <+catphish> for an end user, yes, see privacy extensions
16:54 <+catphish> this is a standard feature of most operating systems now
16:54 < shtrb> after dealing with an ISP for the last few days , do not expect privacy to be implemented correctly
16:55 <+catphish> in this case it's nothing to do with ISPs
16:55 <+catphish> ipv6 clients choose their own address within the network
16:56 < cluelessperson> catphish: sure, but is that publicly available to ping/connect?
16:56 < cluelessperson> catphish: natting is sorta a nifty built in firewall
16:56 < cluelessperson> and I think that concerns people
16:56 <+catphish> cluelessperson: that would be entirely dependent on your firewall
16:57 < cluelessperson> which is nice that it completely separates their functions.
16:57 <+catphish> if you can implement nat, you can implement a stateful firewall
16:57 < cluelessperson> catphish: I don't like the idea of my servers permanently advertising their MAC address
16:57 < cluelessperson> catphish: I have a firewall. :)
16:58 < cluelessperson> just learning about ipv6
16:58 < cluelessperson> Texas was backwards ass and didn't have ipv6, I'm in Seattle now, with 1G and ipv6 and lots of fun
16:58 <+catphish> cluelessperson: there's no reason you have to use your MAC in your ipv6 address
16:58 < cluelessperson> it seems by default, debian may determine your ipv6 based on mac address
16:59 <+catphish> that's certainly how SLAAC addresses are determined, but i wouldn't normally use those addresses for a server
16:59 < cluelessperson> catphish: what would you use?
16:59 <+catphish> i'd use a static address
16:59 < cluelessperson> what makes a static ipv6 address?
16:59 < wallbroken> https://www.google.it/maps/@41.2599791,16.4329019,3a,15y,272.54h,134.66t/data=!3m6!1e1!3m4!1sa9oCheX9s-MXYS1nZEGOPQ!2e0!7i13312!8i6656
16:59 <+catphish> cluelessperson: it's the same as ipv4, you just choose it yourself
16:59 < wallbroken> why on this camera is there a laser beam warning symbol?
16:59 < cluelessperson> for the moment, I'm using SLAAC, it's not like my MACs are going to change by themselves.
17:00 <+catphish> so if your ip range is 2a00:1:2:3::/64 then you might choose 2a00:1:2:3::123 as your IP address
17:00 <+catphish> cluelessperson: slaac is fine though, and if you're worrying about your MAC address being known, you need to think about why that's a problem on a server
17:01 <+catphish> hint: it's almost certainly not
17:01 < cluelessperson> wallbroken: hard to tell for sure. Cameras use beams for focusing, range finding, might be a speed camera, who knows.
17:01 < shtrb> catphish, and then the ISP shares the prefix for all its clients or reads the customer real ip
17:01 < cluelessperson> catphish: I just don't want the public to know it
17:01 <+catphish> shtrb: pardon?
17:01 < wallbroken> cluelessperson, it's a monitoring camera for sure
17:01 <+catphish> cluelessperson: why not though?
17:01 < shtrb> catphish, sent with a huge delay
17:02 < wallbroken> maybe that's for ID car reading?
17:02 <+catphish> cluelessperson: i mean, you're welcome not to use your MAC in your IP, and most people don't for servers, but i can't think of any harm
17:02 < cluelessperson> wallbroken: no
17:02 < wallbroken> cluelessperson, why?
17:02 < cluelessperson> catphish: because the mac is a hardware identifier that doesn't change, but the prefix might
17:02 < cluelessperson> so they can track you/hardware unless you obfuscate it
17:03 < cluelessperson> catphish: or they use it to pinpoint exactly what machine might torrent something
17:03 <+catphish> cluelessperson: but it's a server, its identity is not a secret
17:03 < cluelessperson> catphish: No, but by obfuscating data and making it harder to track THAT PARTICULAR HARDWARE it offers protections.
17:03 < shtrb> There is also the EIR which should include any MAC sold in your area (state), so MACs are registered on selling date
17:03 <+catphish> cluelessperson: as an end user, you use privacy addresses if you don't want your personal identity to be trackable, but for a server where it has a dns name, it makes no sense to hide it
17:04 < shtrb> but EIR will become obsolete and closed post GDPR laws
17:04 < shtrb> s/EIR/Central Equipment Identity Register/g
17:05 < cluelessperson> wallbroken: It could be an IR laser.
17:05 <+catphish> i'm not aware of any such register, except maybe for cellphones
17:05 < cluelessperson> wallbroken: or maybe just a bright LED
17:05 < wallbroken> cluelessperson, it's a laser, there is the symbol of laser warning
17:05 < cluelessperson> wallbroken: Yeah! Bright LED packages often come with those warnings because they're high enough power to do eye damage.
17:05 < shtrb> catphish, It comes from the mobile phone but now even laptops with modems are registered with all their MACs
17:06 < cluelessperson> wallbroken: No no. It's infrared LEDs for night vision and lighting up license plates in the dark.
17:06 < shtrb> *from the mobile world
17:06 < regdude> wallbroken: isnt that simply nightvision?
17:06 <+catphish> shtrb: i've never seen such a database here
17:06 < drathir> wallbroken: laser focus ?
17:06 <+catphish> shtrb: seems like it would be a nightmare to maintain
17:06 < cluelessperson> wallbroken: Yes, they use the laser symbol as a general "eye damage" symbol
17:07 < shtrb> catphish, It's registered once (their form does not have a way to transfer ownership)
17:07 < wallbroken> cluelessperson, "class 1 laser product"
17:07 < wallbroken> means laser
17:08 < wallbroken> not bright light source
17:08 < cluelessperson> wallbroken: They probably use a laser that they can specifically widen to cover an area, but sticking your eye right up to it will do damage.
17:08 < cluelessperson> wallbroken: Infrared lasers are a thing, and act plenty fine as a light source.
17:08 < cluelessperson> Lasers are good to a camera for these things.
17:08 < wallbroken> cluelessperson, there are laser cameras used to track objects
17:08 <+catphish> shtrb: never seen anything like that here anyway, but seems plausible that it would exist in some countries
17:09 < cluelessperson> Aiming, focusing, lighting
17:09 < cluelessperson> wallbroken: Not really.
17:09 < regdude> even those cops use lasers to write you a ticket for speeding
17:09 < cluelessperson> regdude: and lidar. :D
17:10 < cluelessperson> wallbroken: Class 1 means <=5mw. that's weak, your basic pen laser.
17:10 < wallbroken> cluelessperson: https://www.tradeindia.com/fp1440068/SD-Infrared-Laser-Camera-RC0676.html
17:10 < cluelessperson> probably not enough for lighting then
17:10 <+catphish> shtrb: i wouldn't be allowed to share such information because of data protection laws for a start
17:10 < wallbroken> this is a laser camera used to track things
17:11 < cluelessperson> wallbroken: who knows
17:11 < shtrb> catphish, that is why I said with GDPR it will probably become obsolete
17:11 < cluelessperson> Governments are all sorts of evil
17:11 < wallbroken> cluelessperson, open the link, it's written
17:12 < djph> because *everything* on the internet is true
17:14 < wallbroken> cluelessperson, so, you guess that IR laser illuminator is just for that?
17:14 < wallbroken> not to tract objects?
17:14 < wallbroken> *track
17:14 < cluelessperson> wallbroken: that's not the same camera
17:14 < cluelessperson> you linked a rectangular body, the maps link shows a round/cylinder
17:15 < drathir> mostly camera should have it explained in spec/manual...
17:15 < cluelessperson> wallbroken: also, why would they waste money for a good lasermapping/tracking camera to point at a bridge?
17:15 < ash_work> why can't I ping anything from my vbox on a 'nat service network' ?
17:15 < cluelessperson> the bridge is like 100 feet away
17:16 < cluelessperson> 200 feet
17:16 <+catphish> wow nice camera
17:17 < wallbroken> cluelessperson, my smartphone detects IR light, so, I'll go there at night checking for the light source
17:17 < cluelessperson> wallbroken: :P that's a good idea.
17:17 < shtrb> any cam can detect IR light
17:18 < TandyUK> wow i thought the hikvision ptz's we have with 36x optical zoom were good - they can read inch high text off a fence ~800M away
17:18 < djph> unless you put an IR filter on it
17:18 < wallbroken> maybe at police station will tell, "oh, what does that dude is doing?!"
17:18 < shtrb> djph, and that is why we remove it:) but most cams can detect it
17:19 < shtrb> don't use a cam if you are in the UK
17:19 < wallbroken> TandyUK, what do you think about that camera? is it for tracking? or just for illuminating the road?
17:19 < TandyUK> our ptz?
17:19 < wallbroken> https://www.google.it/maps/@41.2599791,16.4329019,3a,15y,272.54h,134.66t/data=!3m6!1e1!3m4!1sa9oCheX9s-MXYS1nZEGOPQ!2e0!7i13312!8i6656
17:19 < wallbroken> that on the link
17:19 <+catphish> hikvision cameras seem pretty cool
17:19 < acos> What's a good window size for testing 10g on iperf?
17:19 < acos> Wow you people are 1288 strong
17:20 <+catphish> acos: try the defaults :)
17:20 < cluelessperson> --- Is there any reason not to setup IPv6 AND IPV4?
17:20 < acos> Default is 63KB
17:20 < drathir> TandyUK: hi, hi ^^
17:20 <+catphish> most people don't need to change window scale settings
17:20 < cluelessperson> I'm under the impression many people may not support one, so it's good to support both
17:21 < acos> Ah cool. Makes sense. Just trying to see how fast this point to point 10g setup will go
17:21 <+catphish> cluelessperson: the only reason is effort vs reward
17:21 < cluelessperson> catphish: what do you mean?
17:21 <+catphish> cluelessperson: it's always best to support both, but configuring both is twice as much work
17:21 <+catphish> you have to manage 2 sets of IP ranges, 2 sets of firewall rules, deal with twice as many routing issues
17:22 <+catphish> it's better, but it's doubtless more work
17:22 < cluelessperson> catphish: ah, yeah I've noticed.
17:22 < Dagger> doing v4 is the easiest way to support connectivity to legacy v4 hosts though, so... shrug
17:22 < cluelessperson> catphish: well, example, my friend only uses ipv6 on his servers.
17:22 < kurahaupo> cluelessperson: when you've run out of 10.0.0.0/8 in your data centre, you might as well give up on v4. Then v6 only makes sense
17:22 < cluelessperson> catphish: My old work only had access to ipv4
17:22 <+catphish> cluelessperson: it's extremely rare only to support ipv6
17:23 < Dagger> I'd argue it's not quite twice as much work, because you can mostly share the design between the two
17:23 < ewew> what about vxlan ?
17:23 < wallbroken> https://www.youtube.com/watch?v=218EEgPDDFM
17:23 < wallbroken> this is for tracking
17:23 < cluelessperson> what is a vxlan?
17:23 < kurahaupo> catphish: what counts as "extremely rare"?
17:23 <+catphish> kurahaupo: "nobody does this"
17:23 < cluelessperson> catphish: what kind of "tracking" ?
17:23 < ewew> https://en.wikipedia.org/wiki/Virtual_Extensible_LAN
17:23 < Dagger> e.g. doing a firewall for both v4 and v6 for me consists of wrapping the firewall rules in "domain (ip ip6) { ... }" which is a small part of the work
17:24 < kurahaupo> catphish: would you like a tour of my work?
17:24 <+catphish> Dagger: what you gain in sharing design, you lose again when you realise how many things don't work out of the box with ipv6 yet :)
17:24 < cluelessperson> catphish: that's neat
17:24 < kurahaupo> catphish: "nobody" is literally wrong
17:24 < Dagger> most stuff works fine :p or is just plain severely broken
17:25 < cluelessperson> ewew: my firewall doesn't support dns, you have to set the ranges yourself
17:25 < wallbroken> ok, somebody in comment clarified that "This is a Dahua SD6AL230F-HNI, and uses optical tracking which has nothing to do with lasers. The laser is for IR illumination and because it's so powerful, I do not recommend using that camera low down, because otherwise the images will end up washed out and overexposed."
17:25 < bezaban> kurahaupo: maybe he only meant it figuratively then
17:25 < cluelessperson> wallbroken: So, when you said tracking, I thought you might mean laser scanning like the xbox kinect
17:25 < cluelessperson> wallbroken: because that's obviously a static mounted camera, it doesn't move
17:26 <+catphish> kurahaupo: you are of course correct, for private services, ipv6 only makes the most sense
17:26 < kurahaupo> catphish: perhaps "nobody with fewer than ten million devices" might be closer to true
17:26 < cluelessperson> wallbroken: Also, people won't waste money on laser tech for motion/computer vision when companies like the one I worked for just write their own computer vision stuff :d
17:26 <+catphish> for public services, we're sadly still slaves to ipv4
17:26 < drathir> wallbroken: dahua have pretty affordably priced ones...
17:26 < wallbroken> cluelessperson, the one in the video is cool because it has a blade to wash it
17:27 < wallbroken> so that's vandalproof
17:27 < wallbroken> in the city, guys are used to painting cameras and putting them out of service
17:28 < kurahaupo> catphish: it's moving. There are ISPs who give out real v6 but only cgNAT v4
17:28 < kurahaupo> Especially mobile
17:28 < cluelessperson> wallbroken: good, fuck the government
17:28 <+catphish> sure, but they're nowhere near dropping that ipv4 :(
17:29 < acos> Thanks catphish, seem to be getting 4.24Gbits/sec. Think that is low for 10g?
17:29 <+catphish> well you'd want to aim for 10Gbps :(
17:30 <+catphish> i couldn't say what to tune first though
17:30 <+catphish> others here may have pointers
17:30 < drathir> https://www.youtube.com/watch?v=adCDQjND70Y
17:30 < acos> It bounces between 3.1 and 5.1 during the test with spikes.
18:16 < digi_> I have two dns A records, say site1.mydomain.com, site2.mydomain.com and a computer running two qemu virtual machine instances. both instances have port 80 and 22 open (so i have two local ip addresses for them). I would like to forward site1.mydomain.com to the first qemu instance, and site2 to the second qemu instance, does anybody know how to do this, or what manual i should read?
18:17 < digi_> ( all things run Debian 9 )
18:19 < drathir> digi_: 1:1 source - destination nat in iptables? but that's only a guess...
18:20 < subvhome> I have an HP switch that when im the only device connected to it ... i get perfect ping responses.. as soon as another device connects to it, lets say another switch (with all empty ports except the uplink) the switch begins to experience random lag spikes
18:21 < digi_> how would iptables know if site1.mydomain.com or site2.mydomain.com is the source?
18:21 < subvhome> hardware monitor on the switch doesn't show any CPU or Memory spikes.. the switch is new out of the box.
18:23 < digi_> since they both point to the same ip address.
18:24 < drathir> digi_: it should match the ip assigned to the domain...
18:25 < drathir> digi_: with the same ip, vhosts in apache are best...
18:26 < drathir> digi_: but that still needs one webserver...
18:27 < drathir> digi_: probably some kind of trick with different ports or some proxies is needed there if two web servers...
18:27 < digi_> like running apache on the host that serves the qemu's? and configure vhost forwarding from there?
18:28 < digi_> ( i could put all sites in one apache vhosts config ) but the thing would be a sandbox for different webservers.
18:29 < drathir> digi_: yep apache in qemu and all 80/443 traffic to it and the vhost will handle domain name requests in theory and serve the correct content even with one ip for both...
18:29 < digi_> i thought of using multiple ports, http 8080, 8081, 8082 for each server apart.
18:29 < digi_> aah. i see.
18:29 < digi_> i will figure it out, tnx.
18:30 < drathir> digi_: yep vhosts allow separate content to be served eg different websites based on domain...
18:31 < drathir> digi_: its np, You can also wait for better ideas there too...
18:33 < digi_> np?
18:33 < drathir> digi_: also take a look at haproxy, maybe it allows filtering and sending traffic matching the correct domain to different webservers...
18:33 < drathir> digi_: np=no problem ^^
18:33 < digi_> :)
18:34 < digi_> i will take a look at haproxy
18:36 < mawk> np = non polynomial
19:19 < nextloop> what are the pros and cons of blocking ICMP inbound for a normal home/office network?
19:20 < E1ephant> nextloop: http://shouldiblockicmp.com/
19:36 < mawk> E1ephant: if you allow ESTABLISHED and RELATED traffic with conntrack there isn't anything else to allow except echo-request no ?
19:36 < mawk> icmp errors go into RELATED traffic
19:36 < mawk> for a terminal host
19:37 < mawk> + the relevant NDP messages like router advertisement or neighbour solicitation
19:44 < E1ephant> so allow echo request?
19:44 < nextloop> E1ephant: thanks. so I take from that that "time exceeded" and "destination unreachable" messages should be allowed inbound
19:45 < E1ephant> mawk the point is don't block/break icmp
19:45 < E1ephant> I would, yes.
19:45 < E1ephant> maybe rate-limit
19:45 < mawk> it was a question E1ephant
19:45 < mawk> do icmp errors go into RELATED traffic ?
19:45 < mawk> sorry
19:46 < E1ephant> oh oh, tbh good question, I am not that familiar with conntrack
19:46 < E1ephant> if it's just going on tuple values, like protocol/port
19:46 < E1ephant> then I would think no in lots of cases
19:46 < E1ephant> since TCP traceroute, will still get (look for) ICMP ttl expired back
19:47 < E1ephant> the tuples won't match
19:53 < detha> conntrack attempts to classify ICMP errors for TCP/UDP as 'RELATED'. That said, I consider ICMP the only thing where 'default allow, deny specifics' applies. You don't want things like ICMP redirect from the outside, and I vaguely remember some evil about timestamps.
19:59 < mawk> detha ?
20:00 < mawk> there isn't an infinite number of ICMP types
20:00 < mawk> why not just classify them all ?
20:01 < E1ephant> mawk: https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml :)
20:01 < mawk> I see
20:01 < mawk> well still 19 types
20:02 < mawk> with enough motivation you classify them all
20:02 < E1ephant> I mean you could, but the important ones are echo reply and ttl expired
20:02 < mawk> yeah
20:03 < E1ephant> dest unreachable is debatable maybe, imho you'll get people to stop scanning quicker with unreachable
20:03 < E1ephant> as opposed to just drop
20:03 < E1ephant> but sure, target dependent
20:04 < mawk> yes that's my opinion too
20:05 < tds> iirc isn't there an rfc on filtering icmpv6 types?
20:05 < mawk> yes tds
20:05 < tds> ah, 4890
20:05 < mawk> https://tools.ietf.org/html/rfc4890
20:05 < Apachez> since icmp is lacking verification you should always throttle icmp if you choose to allow it
20:06 < mawk> that's the one I followed to filter icmpv6 tds
20:06 < mawk> but overall I ended up just allowing echo-request and stuffing the remainder in RELATED traffic
20:06 < mawk> and allowing everything from fe80::/64
20:07 < mawk> but I'll change it, it doesn't seem too great of an idea now that I know that a third of the datacenter is on the fe80::/64 link
20:07 < Apachez> normally you want icmp echo request, echo reply, ttl exceeded and source quench
20:07 < Apachez> the others can be dropped happily
20:07 < mawk> what about fragmentation needed ?
20:08 < mawk> source quench is deprecated according to iana
20:08 < mawk> https://tools.ietf.org/html/rfc6633
20:08 < Apachez> not really
20:16 < detha> mawk: I do. On strict machines, it looks something like this: http://paste.debian.net/1023887/
20:17 < mawk> I see
20:19 < zzero1> when was the juniper srx-220 first available for purchase? I wanna know how much time it was available for purchase as new
22:06 < ash_work> is it unwise to have only 1 user account for controlling production servers? (ie through a mgmt server)
22:11 < toxync19> [neuro_sys@tox] Sounds like single point of failure
22:13 < drathir> ash_work: not really, You can tighten security to only allow that server access, but it is wise not to keep unsecured keys etc. there... And You need to care about that server, and it's easier to maintain one with few apps on board than multiple ones...
22:15 < toxync19> [neuro_sys@tox] Ah, for a moment I thought having that user account owned by only a single person (who might die because of bus factor)
22:15 < drathir> ash_work: consider something like cjdns for management access also, or a separate vpn network...
22:15 < ash_work> toxync19: well, not with multiple mgmt servers and/or backup of the mgmt server (to the point where you could spin up another instance of the ansible container with the same keys and it can ssh in to any prod box)
22:15 < ash_work> drathir: I didn't understand your sentence too well
22:16 < drathir> ash_work: separate access, disallow entering from clearnet directly...
22:16 < ash_work> toxync19: but yeah, that is a concern
22:29 < ash_work> toxync19: I'm open to suggestions
22:37 <+catphish> morning
22:38 < ash_work> <3 catphish
22:38 * tds waves
22:39 * catphish just got back from a drinks party with his ISP, good times :)
22:39 < tds> is this the little local one you were trying to get upload plans sorted with?
22:39 <+catphish> yeah
22:39 < tds> nice :)
22:40 <+catphish> the gist of the upload speed issue is that they don't want to lose sales of traditional leased line products by overspeccing their home-priced products
22:41 <+catphish> which while annoying, makes perfect sense
22:41 < tds> ah yeah, I guess that makes sense
22:42 < tds> I guess at some point the differentiating factor might be all the residential lines behind cgnat, and only the business ones get proper public v4 :/
22:42 <+catphish> well the real factor is the SLA, business lines have a couple of hours SLA, home lines are like 3 days
22:43 <+catphish> but i can see why they want to discourage business users thinking they don't need to pay for the SLA, then whining when it's down
22:43 <+catphish> i'm just a weird middle ground of power user who wants all the spec but really doesn't need the SLA/support
22:44 < tds> yeah, I'm sure there are various other people in similar situations
22:44 <+catphish> but yeah, it's purely an attempt not to cannibalise business sales, which seems reasonable to me
22:45 < tds> I was wondering the other day if there are any ISPs that'll do v6 + bgp sessions on residential lines, but that seems unlikely
22:47 <+catphish> i imagine the same thing applies
22:48 <+catphish> small ISPs *can* but they probably want users with special requirements to pay leased line prices
22:53 < tds> yeah :/
--- Log closed Wed May 09 00:00:13 2018