--- Log opened Wed May 30 00:00:37 2018
00:00 < qman__> The port(s) that the internet is attached to should not have access to the management interface
00:01 < qman__> If that's possible in your setup, you've done it wrong
00:01 < djph> qman__: I know that, you know that. The guy asking the question probably doesn't
00:01 < qman__> Yep
00:02 < qman__> That's what I'm getting at
00:02 < Panda_Dub> hmm, thanks qman__
00:02 < djph> i'm getting at "i need more beer"
00:02 < qman__> I probably wouldn't use an l3 switch directly on the internet at all due to that possibility
00:03 < qman__> But if you trust your firmware and set it up right, it's not unreasonable
00:03 < Panda_Dub> actually I was wondering if any attack could access the network by frame manipulation
00:03 < qman__> I'd prefer a firewall in front
00:03 < Panda_Dub> Yeah, I did see this layout and was wondering if it was extremely vulnerable
00:04 < Panda_Dub> or something like that
00:04 < djph> if you set it up right, vulnerable -> maybe. "extremely" so, probably not
00:04 < djph> but that all relies on "you set it up right"
00:05 < Panda_Dub> thanks guys
00:08 < evilbug> is it such a faux pas to use stranded cable inside walls?
00:12 * spaces let Whiskey` be known as Whiskas
00:22 < djph> evilbug: yes
00:22 < evilbug> djph: why?
00:23 < djph> the keystone IDCs aren't designed for stranded
00:24 < evilbug> ah
00:24 < djph> same with patch panels
00:31 < evilbug> what about them?
00:31 < evilbug> djph:
00:32 < djph> the IDC (punchdown) isn't designed to make a connection with stranded - it'll cut the wire
00:32 < GenteelBen> spaces: 8 out of 10 IRCers prefer Whiskey`.
00:32 < evilbug> gotcha. thanks for the info. djph
00:34 < mmlj4> anyone going to SELF on the 9th in Charlotte NC?
00:37 < derpingit> i'm looking into buying a ubiquiti AP that supports MU-MIMO. are there any USB wireless adapters that support wave2?
00:41 < djph> maybe
00:44 < spaces> GenteelBen the kittens here like Whiskas more ;)
01:06 < jcarpenter2> Is it possible for a service to listen on a port only on a certain host? For example, to have one service listen on port 8545 for requests to 127.0.0.1 but a different service listen on that port for requests to [our external IP]?
01:06 < turtle> uh, yeah
01:08 < jcarpenter2> oh this is good, corroborated
01:24 < Frostyy> just a general question about it. I have 5 ISP provided static IPs. I have the first one used for my router. I would like to set up a route to have another one go straight to a server located behind my router which is a Synology DS718+, while retaining the ability to access it with a local IP. Is this possible?
01:26 < xamithan> Sure why not
01:28 < Dat> I have two servers, server a acts as a vpn server and server b connects to server a to be connected via vpn, I am doing port forwarding on server a to server b (vpn internal ip). The problem I am having is when clients connect they show up with the ip of the vpn gateway ip on server a. Is there a way around this? I'd like to see the clients' real ip address.
01:29 < tds> how did you set up the "port forwarding"? if I'm correctly understanding that, it sounds like the VPN server is doing DNAT as you'd expect, but also doing SNAT and changing the source address to its own address?
01:32 < Dat> I set up port forwarding via iptables, I am using dnat to the vpn ip and snat on vpn range
01:32 < Dat> ip range*
01:33 < Dat> the vpn ip would be on server b
01:34 < tds> can you upload the output of iptables-save?
01:34 < tds> it sounds like you might have an extra snat rule that you don't want
01:35 < Dat> sure, right now all clients show up with server a's vpn ip address instead of the real ip
01:40 < xamithan> Isn't that the point of the vpn?
01:40 < Dat> tds: http://dpaste.com/1N2936V
01:41 < Dat> xamithan: well i wanted to know if there was a way around it
01:41 < Dat> other than that it's working as expected
01:41 < xamithan> split tunneling
01:41 < Dat> hrmm
01:45 < Dat> not sure if that will work
01:46 < tds> hmm, I may be missing something, there don't appear to be any dnat rules in there?
01:46 < xamithan> I don't see any either, unless the syntax is different
01:46 < Dat> external client still needs to access the server that's behind the vpn (server b)
01:46 < Dat> tds: that's what my iptables-save looks like
01:47 < tds> just to check, which server did you run that on?
01:47 < Dat> server a (that runs the vpn server)
01:47 < tds> what rule(s) did you add to do the port forwarding?
01:49 < tds> just to confirm I'm correctly understanding this - server b is running some kind of web server/whatever, and requests are being forwarded from server a with the connection between them being over a VPN, and requests coming from the internet have a source address of server a's address rather than the original client?
01:51 < Dat> it would be something like dnat to 10.4.25.65:7100 (vpn ip on server b) proto tcp dport 7100 dst server_a_public_ip
01:51 < Dat> tds: yes
01:52 < Dat> server a's vpn ip address that is
01:52 < xamithan> Wouldn't that be a vpn software setting
01:53 < Dat> so when I am looking at the logs on server b for let's say web traffic it all shows the ip of server a vpn ip.
01:53 < Dat> xamithan: not that I am aware of.
01:53 < tds> did you add that dnat rule before you ran iptables-save?
01:53 < Dat> yes
01:54 < tds> oh, I'm making the assumption that you're doing dnat with an iptables rule, is that the case?
01:54 < Dat> yes I am doing dnat with iptables
01:54 < Dat> I think I see the problem
01:55 < Dat> there are no POSTROUTING statements in the last dpaste
01:55 < Dat> let me try again
02:00 < Dat> http://dpaste.com/2W3R9T0
02:01 < tds> ah, that looks better
02:01 < tds> you likely don't want the -o tap_soft -j MASQUERADE rule, since that'll SNAT any traffic leaving over the vpn interface as being from the vpn server
02:02 < tds> (assuming that tap_soft is your vpn interface)
02:03 < Dat> yes that's what's happening, everything is showing up as being from the vpn server
02:03 < Dat> tap_soft is the vpn interface
02:06 < pnus> What is the fastest way to scan /64?
02:06 < lupine> pnus: the only thing that you can really do is send a multicast request and see what you get back
02:06 < lupine> and you can only really do that if you're on the same broadcast domain
02:07 < lupine> ndp, etc
02:07 < tds> scanning through rdns records may work as well, depending how the network is set up
02:08 < lupine> IME v6 rdns is distressingly uncommon :/
02:08 < lupine> but worth a try
02:09 < tds> yeah, I've seen some networks that do automatic rdns with dhcpv6 though, so worth trying
02:10 < lupine> since it's hierarchical I guess you can just go hunting for NXDOMAIN?
02:11 < tds> yeah, exactly, there are various tools that'll scan through a /64 pretty quickly
02:12 * tds is sure I found a talk on this online a while ago, but can't find it now
02:13 < tds> ah, got it: https://media.ccc.de/v/33c3-8061-you_can_-j_reject_but_you_can_not_hide_global_scanning_of_the_ipv6_internet
02:21 < Dat> tds: if I don't masquerade I can't connect to server b from server a's ip
02:22 < tds> so do connections to server A's ip from outside still work, just not from server a itself, or does that break completely?
02:23 < tds> also, I'm assuming that server b has a default route pointing back at server a over the vpn tunnel, or is that not the case?
02:26 < Dat> tds: connections to server a still work, connections that are supposed to be forwarded from server a to server b do not work.
02:26 < Dat> server b does not have a default route pointing back to server a
02:27 < tds> ah, that'd do it then
02:27 < tds> if you want to preserve the original source address, you'll need a route to send traffic back to the source via server a
02:28 < tds> you probably want to look into policy routing (tl;dr connmark packets on the way in, restore mark on the way out, switch routing table based on mark), iirc openvpn have docs on it?
02:28 < Dat> so server b needs a route to server a
02:28 < tds> server b needs a route to all possible source addresses (ie the whole internet) via server a
02:29 < tds> since otherwise it won't be able to reply to incoming connections
02:29 < Dat> hrmm okay let me fix that then
02:30 < tds> but if you still want outgoing connections originating from server b to *not* go via server a, as mentioned above, you want policy routing
02:37 < `whoami`> tds: probably a really dumb question, but isn't it possible to -j DROP with ipv6? I haven't seen the video yet, will do ASAP.
02:37 < tds> yes, you can still drop with v6
02:39 < `whoami`> mh okay, the title is confusing me a little bit :)
02:42 < Dat> even with the route
02:42 < Dat> still doesn't connect unless i masquerade
02:45 < tds> odd, I suspect it might be worth doing packet captures during a connection just to confirm all the nat rules work
02:46 < tds> the snat rule for outgoing connections looks slightly suspicious, I wouldn't expect replies from server a to have ctstate new, so it's possible they're not being snated
02:50 < sammm> hey, not sure if #windows is a better place to ask this, but here I go: I've set my DNS server in windows (in the TCP/IP adapter settings) and added a route which allows me to access the network where the DNS server resides... I can use nslookup just fine and it resolves correctly. the issue is that things like ping, other applications don't seem to like using the default gateway to query for the DNS server rather than my route that i've added... any ideas
02:50 < sammm> seems to be an issue with WINSOCK vs TCP/IP stack?
02:51 < compdoc> ping doesn't return? routing
02:52 < sammm> ping doesn't resolve the ip
02:52 < sammm> but nslookup does
02:52 < compdoc> oh
02:52 < sammm> and i've set the DNS server to what nslookup is using
02:52 < compdoc> if dns is correct, try flushing cache
02:53 < compdoc> what dns server you using?
02:53 < sammm> dnsflush doesn't work
02:53 < sammm> unbound
02:53 < sammm> it's just for name resolution in AWS
02:53 < compdoc> doesn't work, or doesn't help
02:53 < sammm> doesn't help*
02:54 < compdoc> this dns server is on another subnet?
02:54 < sammm> it is
02:54 < Dat> tds: hrmm i will have to work on this more, for now I'll have to monitor tcpdump on server a to catch the clients' real ip
02:54 < compdoc> did you add a route in windows, or how does that happen?
02:55 < sammm> hahahah, wtf, if I add the TLD to my ping (e.g. ping test.com.) it works
02:55 < djph> having a proper name is kinda important
02:56 < Harlock> dns can't look up what isn't there
02:56 < sammm> djph: I understand that, but I'm trying to use the AWS powershell tools to push some things to s3, and it isn't resolving the bucket names because of this issue it seems
02:56 < Harlock> so it makes sense
02:57 < djph> there's no issue if you're not telling the system how to resolve a host
02:57 < Harlock> typically one sets domain suffixes in dhcp to get around that
02:57 < sammm> hmmm
02:57 < djph> e.g. ping host with no search domain won't work
02:58 < djph> but if you have "search yourdomain.com", ping host gets converted to "host.yourdomain.com", THEN the lookup is done
02:59 < sammm> Harlock: what I did was add DNS suffix '.' in the adapter properties of windows... now it's resolving
03:08 < redcheckers> what am i missing if i want to set up a reverse dns for a newly acquired vps, and someone said it should be in the dns settings for the ip holder?
03:11 < adip_> hi, I have a question. I know that connecting 2 NICs to the same lan is pointless (arp magic? idk). What if some NICs are connected to different vlans, and there is a router between vlans?
03:17 < Maarten> adip_, there are use cases for that with certain server configurations. It depends on what you are trying to do....
03:17 < Maarten> uh.... !ops
03:17 < Maarten> I don't think them shells are gonna be friendly ;)
03:18 < Maarten> StevenR, xand ^
03:19 < Maarten> or... am I wrong and some shell host got back on the internet after an outage? :D
03:24 < adip_> Maarten: I wanted to test some lacp/bonding configurations but I need one working connection for ssh.
03:24 < adip_> and I wanted a separate, faster vlan for storage.
03:25 < lupine> Maarten: matrix is some PoS modern web thingy for instant messaging and chatrooms
03:25 < lupine> it's pretty awful, as you can see
03:28 < Maarten> lupine, thanks ;)
03:29 < Maarten> adip_, storage vlans are common with SAN/NAS implementations....
03:37 < adip_> Maarten: it's for nfs between my home servers. I'm just asking if traffic won't go through interfaces connected to other vlans.
03:46 < djph> adip_: why would it?
03:51 < adip_> djph: I don't know, I hope it won't. There are no firewall rules between vlans
03:51 < evilbug> why the f do consumer routers pick up the trend to allow configuration solely through a mobile app? :|
03:51 < djph> VLANs won't cross other than by routing ...
03:51 < djph> because you're too fucking stupid to use a webui
03:52 < djph> or, the horrors ... a cli
03:52 < evilbug> it's so counterintuitive...
03:52 < evilbug> srs irl doe
03:52 < evilbug> at least implement the option of a web ui alongside the app...
03:53 < djph> but that's extra effort (less profit) and the stupids buying it will call for support (so, again, less profit)
03:53 < evilbug> that's one thing i always hated about apple routers.
03:53 < evilbug> for a long time you were shit out of luck if you wanted to configure it without an apple device.
03:54 < evilbug> Maarten: still around?
03:56 < djph> we don't care, we don't have to, we're apple
03:56 < evilbug> djph: my folks are looking at getting a house up in the mountains, 9600 sq. ft. property, and i'm looking at a networking solution for them.
03:56 < evilbug> irl i think i'll go enterprise style.
03:56 < djph> edgerouter plus edgeswitch plus UAPs
03:56 < djph> or USG plus US plus UAPs
03:56 < lupine> noooooooooooooooooooooooooooooooooooo
03:57 < djph> shutup mikrotik whore
03:57 < djph> :P
03:57 < evilbug> i was thinking pfsense router, 24 port poe managed switch, ubiquiti uap.
03:57 < djph> sure, whichever
03:58 < evilbug> i'd need 12-16 ports for everything including running wire to rooms.
03:59 < evilbug> fuck, actually a 48 port switch might be smart considering ip cameras in the mix.
03:59 < djph> maybe
04:00 < evilbug> all or almost all 24 ports would be used if all devices are taken into account.
04:01 < djph> yup, I like to upgrade to a bigger switch if I'm at 80% capacity
04:01 < evilbug> yeah, that makes sense.
04:02 < djph> err, during planning stages anyway. A switch that's already there is already there, and at the discretion of the customer
04:02 < evilbug> in this case there's nothing there :)
04:03 < djph> yeah, so if you're counting 80% or more utilization, I'd be saying get the next size up
04:12 < spaces> I can't get no sleep, and god seems to be a DJ
04:19 < inire> LoFi
04:40 < Android> internal network collapsed
04:40 < Android> internal network down
04:54 < Android_> internal network down
04:57 < Android_> has anyone heard from ghost exodus?
05:06 < Android> internal network down
05:11 < Android_> anyone heard from G.E.?
05:13 < Android_> internal network down
05:14 < Android_> are you claiming the rogue military we call police?
05:14 < Android_> the sheriff doesn't care if the leftover militants quit or not
05:15 < Android_> we be pretending somebody wants them patrolling the streets harassing people for turning on computers?
05:16 < alan1> Ubuntu. I'm having trouble with dns hostname resolution. I can resolve internet hosts (google) but not names on my local network. They're accessible via ip.address. dig myHost @my.router.i.p yields the right answer. What might be the problem?
05:16 < Android_> bob
05:16 < Android_> is that you helping?
05:16 < Android_> internal network down
05:17 < Android_> earth 20
05:17 < Android_> earth 20 do you read
05:17 < Android_> internal network down
05:20 < Android_> max hi
05:20 < Android_> this spot works
05:20 < Android_> three nets
05:20 < Android_> can you provide a list of pre cloaked irc nets?
05:21 < Android_> three nets
05:21 < Android_> max4858 talk
05:21 < Disconsented> Ask freenode staff for that
05:22 < Android_> for precloaked nets?
05:22 < Android_> the problem with my brcm driver
05:22 < Android_> I suspect it is rw in air
05:22 < Android_> not secure
05:23 < Android_> this spot can work if the software is right
05:23 < Android_> air power and water
05:23 < Android_> nawapa
05:23 < Android_> nawapa!
05:24 < Android_> disconnected ask fn staff for net list or G.E. whereabouts?
05:25 < Android_> disconsented
05:25 < Android_> net list or G.E. whereabouts
05:26 < Android_> from dax?
05:26 < Android_> dax was last staff right?
05:27 < Android_> what am I supposed to do with leftover military
05:28 < Android_> after krump cut the paychecks off
05:29 < Android_> what do they do move into cities
05:29 < Android_> the homosexuals
05:30 < Android_> more qbasic swarms which can kill from reflex
05:30 < Spice_Boy> spaces I got it
05:30 < Android_> disconsented any alternative to irc
05:31 < Android_> ssh is about it
05:31 < Android_> real hardware
05:31 < Android_> without public ip exposure
05:35 < Android_> did the servers get abandoned
05:42 < Android> no voltage
05:43 < Android> do you know where G.E. can be reached?
05:44 < Android> what is the status of the texas city state
05:49 < Maarten> evilbug: I am now.... sort of :)
05:50 < evilbug> Maarten: mind if i ask what city in socal you're in?
05:50 < evilbug> or are you in the mountains first?
05:51 < evilbug> was looking for isp recommendations if you happened to be in pine mountain.
06:01 < evilbug> hello. my name is evilbug and i have a network setup fetish problem.
06:01 < evilbug> i can't get into gpus, gaming, etc. but networks light my fire.
06:01 < evilbug> at least personal ones.
06:13 < blocky> i had a dream about routing tables the other night
06:15 < evilbug> you kinky bastard!
06:27 < zergut> Hello, how to ensure if apache is stopped?
06:32 < Maarten> evilbug, I am in Orange, CA
06:33 < Maarten> sorry I walked away again, setting up some flood sensors in my new kitchen (in case stupid things like the fridge water line breaking) - the automatic shutoff valve for the water isn't cooperating though :D
06:33 < evilbug> zergut: task manager/system monitor/top/cli stuff
06:33 < evilbug> Maarten: i don't need you then!!!
06:34 < Maarten> fine!!! ;)
06:34 < evilbug> Maarten: this place where my folks want to buy the house seems to be really shitty in terms of isps and isp uptime.
06:34 < evilbug> up in the mountains, remote.
06:35 < Maarten> anywhere "boonies" is shitty. You buy there for nature, peace and quiet, the view.... you don't buy there for internet.
06:35 < Maarten> compromises, etc
06:39 < evilbug> Maarten: right but again, only verizon cell service exists up there so wifi would be necessary for phone coverage.
06:39 < Maarten> evilbug, or a landline....
06:40 < evilbug> Maarten: excuse me, sir. please stop.
06:40 < Maarten> hey if you buy in the boonies you may have to deal with 1980s communication standards. ;)
06:40 < evilbug> sir.
06:40 < evilbug> please.
06:40 < evilbug> stop.
06:41 < evilbug> i mean the current options aren't horrible (based on the reviews from people there) but there are downtimes.
06:42 < Maarten> well, it depends.... are isp's up there reliable enough that you can always call 911 over wifi? I don't know how old your parents are, but that might be an issue.... a landline typically never goes down, unless they cut the wire on the pole leading up to your house.
06:43 < evilbug> my folks are in their 50s and i'm sure they'd get a landline but their cell is on them often and there's also the use of facetime, skype, etc.
06:43 < evilbug> so wifi coverage in the yard isn't unwelcome.
06:44 < Maarten> I hear ya. I whatsapp with my folks in europe all the time. Voice quality is great.
06:44 < evilbug> plus my grandpa is going to be up there and he's very limited in terms of tech, even a modern landline phone.
06:44 < Maarten> note you only need about 2 Mbps for skype/facetime, it actually isn't that hoggish of bandwidth.
06:45 < evilbug> i know.
06:45 < Maarten> oh for your grandpa you can get a rotary phone! they sell them that work with voip, and/or newer phone systems. Maybe get one of them classic 1920s ones you hang in the hall ;)
06:45 < evilbug> the network i'd set up for them would be solid but it's the shoddy service up there that i'm worried about.
06:46 < evilbug> Maarten: my grandpa has a laptop and an iphone but he's used to what he's used to and won't figure out new shit on his own.
06:46 < Maarten> You could get a gateway with 2 WAN ports and have 2 ISP's. One of them should be up most days, right? ;)
06:46 < evilbug> man, that's expensive.
06:47 < Maarten> evilbug, yes. It depends on what is more important. 24/7 internet, or your wallet :P
06:47 < evilbug> actually there's apparently a local isp up there that has 24/7 uptime but they cap at 50gb/mo.
06:47 < Maarten> you don't get to 50 GB just facetiming and skyping, so as long as they lay off the torrents and the netflixes, you should be fine... ;)
06:47 < evilbug> bro, balance. i'd like a nice isp at a nice price. if i had rapper #cashmunny then i'd get all the isps there.
06:48 < Maarten> rappers with cashmunny don't buy ISP's, they buy chicks, booze, and dope. Oh, and cars.
06:48 < evilbug> YEEEH
06:52 < Maarten> i'm lucky. My ISP has gone down twice since I got it in 2016, both times for pre-announced maintenance, and in the middle of the night.
06:53 < evilbug> well you're in the city.
06:53 < evilbug> i'm good in the city too :)
06:54 < Maarten> yep
07:01 < blocky> do routers generally get unhappy when packets enter and exit via the same interface?
07:06 < light> you might end up with a routing loop if you route the packets back where they came from
07:07 < blocky> i am trying to put a vpn endpoint behind the gateway without adding static routes to all the hosts inside the lan
07:07 < blocky> so i thought they could just send their replies to the gateway and then the gateway would bounce them back to the vpn host, which is on the same subnet
07:07 < blocky> not actually the same physical ethernet port i suppose
07:11 < spaces> I have a problem which I cannot find
07:11 < light> you probably want different subnets for your VPN clients and your LAN
07:12 < spaces> he sure wants, he actually needs to
07:13 < spaces> has anyone found my problem ?
07:13 < teaearlgraycold_> Cloudflare DNS down for you guys?
07:14 < Maarten> spaces it's under the fridge.
07:15 < Maarten> Pinging 1.1.1.1 with 32 bytes of data:
07:15 < Maarten> Reply from 1.1.1.1: bytes=32 time=3ms TTL=54
07:15 < Maarten> nope not down
07:15 < teaearlgraycold_> Request timed out for me
07:15 < teaearlgraycold_> Hmmm.
07:15 < evilbug> i'm using that and my internet works.
07:15 < Maarten> must be your isp
07:15 < evilbug> ^
07:15 < evilbug> #pwnd
07:16 < teaearlgraycold_> Yeah it goes dark 3 hops out :(
07:16 < teaearlgraycold_> 2 hops*
07:16 * teaearlgraycold_ shakes fist at Verizon
07:16 < evilbug> i like hops.
07:16 < ossifrage> teaearlgraycold_, are you having some sort of weird outage (with Verizon?)
07:17 < evilbug> hops are nice.
07:17 < evilbug> b/c verizon can suck it.
07:17 < evilbug> objectively speaking.
07:17 < teaearlgraycold_> ossifrage, it's back now
07:17 * teaearlgraycold_ shrugs
07:19 < spaces> Maarten no it's not, I just was there
07:20 < teaearlgraycold> Is there VPN software I can use that will let me whitelist/blacklist sites to route over the VPN?
07:20 < Maarten> spaces, problems have a nasty habit of hiding just as you approach them.....
07:21 < spaces> Maarten yes, looks the same as with women
07:22 < teaearlgraycold> Or perhaps by port
08:00 < ossifrage> whatever verizon weirdness happened earlier took out my socks tunnel, but not other connections
08:02 < ossifrage> That is really weird, a website that worked earlier now says: "Incompatible ipv6 address found! IP: ..."
08:06 <+pppingme> ossifrage the whole message might help
08:07 < ossifrage> pppingme, all that was left is my ipv6 address (from a vps provider)
08:07 <+pppingme> then they've blocked you
08:07 < ossifrage> pppingme, if so, it isn't from using the site, only from logging in, very strange
08:08 <+pppingme> or the fact you're using a vps and they've had too much abuse from paranoid and clueless users
08:09 < ossifrage> (I have another connection open to a different part of the site, but I haven't logged in there in a while)
08:23 < ossifrage> pppingme, I ended up having to turn off ipv6 on the vps sshd to get it to work again (just turning it off in firefox didn't help)
08:27 < ossifrage> I went back over my logs and none of my previous logins were via the ipv6 address (but the socks tunnel had been up for >20 days)
08:40 < hiya> Anyone here using Freebox with OpenVPN?
08:40 < hiya> I need help with configuration file
08:48 <+pppingme> hiya ask your question, it may be more generic than you realize..
08:49 < hiya> pppingme, the Freebox my friend has won't upload the .ovpn file and claims that there are configuration errors, but won't tell us what error etc
08:50 <+pppingme> post the ovpn file somewhere
08:50 < hiya> ok
08:52 < hiya> pppingme, https://bpaste.net/show/6b57510a0d0f
08:52 < hiya> I have commented out tun-ipv6 because it gave an error, but it still won't upload
08:57 <+pppingme> is openvpn being started interactively, or as a service?
08:57 < hiya> pppingme, I just upload it to the OpenVPN client option in Freebox
08:58 <+pppingme> ok, but does freebox start it in the background as a service, or interactively?
08:59 < hiya> I think it sets it up as a service or daemon only, because it works normally post reboot as well
09:00 <+pppingme> in that case, line 17 is invalid.. "auth-user-pass" by itself is only valid for an interactive setup, you either need to create a file with auth info, and name that file with auth-user-pass, or eliminate it
09:00 <+pppingme> obviously depending on what the "server" wants
09:01 < hiya> pppingme, but the client UI in Freebox has an option to give USERNAME / PASSWORD respectively
09:01 < hiya> So, it must be having it somewhere?
09:02 < dminuoso> Hi. I'm trying to troubleshoot some issues with a webserver. Does anyone know of a way to have Chrome _always_ trace network requests even when the devtools are closed?
09:02 < Hail_Spacecake> howdy
09:02 <+pppingme> so it's started interactively?? (I know nothing about freebox)
09:02 < Hail_Spacecake> I've got a linux box behind a comcast router at my new apartment
09:02 < dminuoso> The problem appears random, and I kind of need the trace enabled beforehand.
09:02 < phocking> dminuoso: it's called tcpdump/wireshark
09:02 < dminuoso> phocking: running wireshark all day long? =)
09:03 < hiya> pppingme, Well, I have a similar issue as you, I know about OpenVPN but nothing about freebox. I need to check syslog of router/device. Thanks!
09:03 < Hail_Spacecake> er, by "router" I mean the combined router/cable modem thing
09:03 < phocking> dminuoso: i don't know, if you really need to look at the flows and have a day's worth of that information
09:03 < Hail_Spacecake> at my old place, I could run `dhcpcd ` and get a v6 address (as well as a natted v4 address) and that v6 address was world-visible
09:03 < phocking> it shouldn't take a day to reproduce a problem
09:03 <+pppingme> hiya so it's complaining when you "upload" the config file to the box?
09:03 < dminuoso> phocking: it sometimes does.
09:03 < Hail_Spacecake> however, I'm doing that now on the new modem and I can't ping it from an unrelated computer
09:04 < dminuoso> phocking: It's a random thing that I simply don't know how to reproduce
09:04 < hiya> pppingme, Yes, it says it's bad, first it said --tun-ipv6 option is bad, and I commented it out. Now it won't even tell me what is bad
09:04 < Hail_Spacecake> ip addr show dev shows two separate /64s
09:04 < phocking> try running tcpdump with a filter
09:04 < Hail_Spacecake> which have "scope globl dynamic mngtmpaddr noprefixroute"
09:04 < Hail_Spacecake> and I don't actually know that much about v6 networking, so I'm not sure what those words mean
09:04 <+pppingme> hiya for fun, comment out the auth-user-pass and see if it complains
09:04 < phocking> so you only get the host you are attempting to reproduce from
09:05 < hiya> pppingme, Yes, I am thinking about it as well.
09:05 < hiya> Will let you know
09:05 < Hail_Spacecake> but "global" means it should be able to be pinged from the outside world, right?
09:05 <+pppingme> Hail_Spacecake obviously pending any firewall rules on the host or gateway..
09:06 < Hail_Spacecake> right, I had some firewall rules configured on the gateway but haven't changed them since last this worked
09:06 < Hail_Spacecake> er, on the host I'm trying to talk to, not the gateway
09:06 < Hail_Spacecake> which I guess in this case would be the router
09:07 < Hail_Spacecake> am I missing anything to try debugging?
09:38 < Android> low function on internal network
09:49 < plitter> I've been playing around with tcpdump and have a pretty big log and when I look at it I see this .hj.........U.[............................ !"#$%&'()*+,-./01234567nternalID> i have never seen that in a tcpdump before
09:51 < microwaved_> looks like someone slammed the keyboard sending over a bunch of gibberish info
09:51 < plitter> could it be that the terminal can't handle some of the data and is adding things from other parts of the dump?
09:52 < microwaved_> hmm not sure..
09:52 < microwaved_> hold on
09:52 < Android> internal network sleeping
09:52 < Android> possibly damaged
09:52 < microwaved_> yeah looks like a message not understood turning into some message that doesn't make sense
09:53 < plitter> ???
09:53 < plitter> have to admit, that doesn't make sense to me...
09:55 < plitter> as in what does that mean?
09:55 < Android> relocate
09:55 < Android> geo ip move
09:55 < Android> put command
09:55 < dminuoso> Different question.. when you folks maintain your firewalls. How do you name objects? Do you name them by the IP address of the thing you are handling? Or would you give them semantic names?
09:56 < microwaved_> i give them the names of our vrf's and for that we use greek names
09:56 < tehjanosch> we do dns names
09:57 < microwaved_> and we have a couple dns as well
09:57 < dminuoso> Is there a valid reason to _only_ use IP addresses? I mean that sounds like intentionally avoiding abstractions.
09:59 < plitter> I found where the 01234567 comes from. tcpdump -ttttvvvAi enp63s0 icmp and then ping something then !"#$%&'()*+,-./01234567 should be at the end
09:59 < plitter> change interface accordingly
10:00 < plitter> but then I don't understand where -> nternalID> so I am having problems with a weak wifi signal upstairs. Obviously other than moving the router what solutions are out there that actually work? It would be handy to get something out of the box that just solves the problem.
10:03 < tehjanosch> throw a cable
10:04 < Kingsy> tehjanosch: it has to be wireless, the devices that need to connect do not have ethernet
10:04 <+xand> a decent access point
10:04 < tehjanosch> in my opinion there is no other proper solution than to either add an access point or move your access point
10:04 <+xand> but depends on your house layout... may simply need two
10:05 <+xand> and yes the location is important...
10:05 < Kingsy> xand: when you say add an access point, what kinda hardware?
10:06 <+xand> access point = wireless router without the router part. personally I use unifi ones
10:07 < Kingsy> xand: could you link me to something that would do the job?
10:10 < Kingsy> xand: something like --> https://www.4gon.co.uk/ubiquiti-unifi-uap-single-unit-p-4743.html?osCsid=c5936e0b65dc0978f033bcb028a5eb89 ?
10:22 < contrapunctus> o/
10:29 < contrapunctus> I have a TP-Link Archer C7 AC1750 for my house, bought a couple months ago. Of late, it seems as though the 5GHz network has less coverage compared to when I first started out with it. The position of the router hasn't particularly changed. One of my suspects is a firmware update - as far as I can remember, this issue seems to roughly coincide with that. Any ideas on what might be causing this?
10:37 < plitter> is it possible to use tcpdump to print a range of packets? f.ex. packet number from 3-7?
10:39 < microwaved_> contrapunctus: use a heatmapper
10:41 < microwaved_> contrapunctus: and yes could be, but make sure you check the patchnotes or the forum whether others are complaining as well, and heatmapper to be sure, but there are also other devices that can interfere with the signal or distort it
10:44 < Android> if you move me out nuemann
10:45 < Android> the pistachios have a heart for a logo
10:45 < Android> move me out
10:58 < multifractal> My broadband is slow, sometimes painfully slow. But no company offers a fibre-optic or even coaxial line in my area (despite it being in a central urban location). Am I all out of options?
10:59 < Disconsented> Maybe wireless of some kind, otherwise yeah
11:00 <+catphish> multifractal: either wifi, or look at installing your own fibre
11:00 <+catphish> the former is more likely to be practical
11:00 <+catphish> you'll need somewhere to connect the wifi to though
11:00 <+catphish> unfortunately, there's often just nothing you can do :(
11:01 < multifractal> catphish: How does that work? A receiver with an aerial? Are there any common drawbacks? Do you know of any UK providers?
11:01 <+catphish> multifractal: where are you?
11:02 < multifractal> London
11:02 <+catphish> you can't get a decent connection in london?
11:03 < multifractal> ...
11:03 <+catphish> have you had your line tested for faults? seems incomprehensible that anywhere in london wouldn't be within a few hundred metres of a VDSL cabinet
11:03 < ahyu84> anyone know what is Kanso?
11:04 < multifractal> Well I put my postcode into all major providers' websites and all are saying that their fast services are not available in my area. Why else do you think I would be asking here? Just because I want to make my life difficult?
11:04 <+catphish> multifractal: and yes, a receiver with a directional antenna, pointed at an ISP or a friend who has a better connection
11:04 <+catphish> multifractal: i'm sorry for trying to help
11:05 < multifractal> catphish: my apologies, don't want to appear ungrateful
11:11 <+catphish> multifractal: this might help https://labs.thinkbroadband.com/local/broadband-map#6/51.414/-0.641/
11:14 <+catphish> you must be very unlucky to be inside the m25 and not get a decent VDSL connection :(
11:18 < djph> or cheap
11:19 <+catphish> djph: money isn't really an issue, everyone has a phone line, speed is based on luck, not money :)
11:19 <+catphish> djph: unless you have money to install your own fiber :)
11:19 < djph> catphish: or you chose to be cheap and got the crapass connection (or is there no "tiered" access in the UK?)
11:20 <+catphish> djph: not really, the cheapest providers still give you unmetered line rate
11:20 <+catphish> djph: your speed is just luck based on your line rate, generally if you pay more for an ISP it's for reliability and support, not speed
11:22 <+catphish> djph: actually that's not entirely true, there's still 2 options (long distance copper, or short copper to a roadside fibre), but both are cheap
11:23 < djph> must work different over there, since over here we have stuff like "$9.99 - super basic -> 5mbps / 1mbps" or "19.99 marketing wank -> 15 mbps / 1mbps" or "29.99 turbo marketing wank -> 25 mbps / 2 mbps" (etc.)
11:23 <+catphish> djph: yeah, that's not really a thing here, everyone lets you max out your line speed
11:23 <+catphish> (because the lines are so shit)
11:23 < phre4k> when I'm blocking ports 135,139,445,5933 (Conficker), should I set the action to DROP or REJECT?
11:24 <+catphish> phre4k: doesn't matter at all, both will block it
11:24 < skyroveRR> But REJECT will be more sensible.
11:24 <+catphish> the only time you get tiered service is on cable / FTTH, where your line speed exceeds what the ISP would want you to have for cheap
11:24 < phre4k> catphish: yes, but what's best practice here? REJECT would mean the system doesn't try anymore, right? So fewer log entries?
11:24 < skyroveRR> phre4k: REJECT.
11:24 < skyroveRR> Yeah.
11:24 < phre4k> skyroveRR: thanks, what I thought
11:24 <+catphish> phre4k: REJECT sends a response, DROP sends no response
11:25 < skyroveRR> phre4k: let the other guy know what has happened instead of being silent.
11:25 <+catphish> you're less likely to see retries with REJECT 11:25 <+catphish> since you explicitly told them nothing is there 11:25 < phre4k> yeah, which would also lower traffic 11:25 <+catphish> but many people believe you should totally ignore all traffic you aren't interested in 11:25 < phre4k> I mean, one entry is enough, right 11:26 <+catphish> so it's up to you, i prefer REJECT 11:26 < phre4k> this is outbound traffic. Someone apparently hooked up a Windows XP machine to an internet-facing network and I'm trying to catch it in the logs as I can't pcap all the traffic for the whole day 11:27 < phre4k> catphish: nice, three opinions and all would use reject. Case closed. 11:27 < phre4k> thank you guys. 11:27 < phre4k> is there a possibility for DoS with provoking reject messages? 11:28 < skyroveRR> A DoS doesn't care about reject messages in the first place. 11:28 < skyroveRR> It just keeps sending. 11:28 < phre4k> hm, yeah. 11:28 < skyroveRR> The only aim is to overwhelm the bandwidth pipe. 11:29 < phre4k> is there a method to automatically block internet access to computers hitting a certain firewall rule in EdgeOS? 11:29 < skyroveRR> If you host a web server on a 30/30, and I have a 60/60 connection, and you put in a file of about 100M, I'm already choking your pipe to its full. Simple DoS. 11:30 < skyroveRR> Why do you want to "automate", phre4k ? 11:30 <+catphish> i don't believe edgerouter can do any kind of dynamic rules / IDS 11:31 < djph> it can't 11:31 < djph> although, given the firewall rule, it could be "reject" and there would be your "automatic no more internet" 11:31 < Gollee> phre4k: I use Drop for everything coming from the internet, Reject on anything not allowed coming from the LAN. Also, drop takes less resources in the firewall while reject requires more processing as a response has to be crafted and sent. So if there's a DDoS just dropping will save more resources. 11:32 < skyroveRR> Gollee: hmm that's good to know. 
11:35 < phre4k> catphish: I might script Snort to configure the edgerouter then? 11:36 <+catphish> phre4k: that might work 11:36 < phre4k> this company is a nightmare, age old computers, management refuses to upgrade, I told them they have viruses in their network, they don't care, I told them the PCs are so old they might not be able to find repair parts… 11:37 < phre4k> and on top of all that, the employees think they can just install whatever shadow IT they like to 11:37 < phre4k> I don't blame them really 11:37 <+catphish> none of those things are automatically a problem (apart from the viruses) 11:37 < djph> get out? 11:38 < djph> sounds like a non-profit. is it a non-profit? 11:38 <+catphish> i mean, i see no problem using old hardware til it dies, as long as it's serving its purpose 11:39 <+catphish> oops 11:41 < skyroveRR> :) 11:42 < djph> catphish: agreed, but it also depends on "what" that old hardware is. I mean xp/vista, with said OS sill on them? probably more sane to just get a couple $599.99 PCs from Dell and call it a day 11:42 <+catphish> djph: well that depends what they're being used for 11:43 <+catphish> djph: i see no harm still using DOS if it works, i guess the problem mostly comes when you run untrusted code on them 11:44 < djph> well, given it's users installing whatever, I figured it was "office work". industrial applications (e.g. a CNC machine), yeah, sure, run XP till it dies 11:44 <+catphish> my thought too, but yeah, if people are installing random crap and browsing the web, more care needed 11:45 < djph> yup. 
And realistically, "office work" is somewhat improved by having newer PCs / versions of everything 11:46 <+catphish> on the other hand, if you just have offline machines doing word processing, and your staff know how to use office 97, why not stick with it 11:47 <+catphish> there's a reason why intel's CPUs have infinite backward compatibility :) 11:48 < test1337> oi 11:48 <+catphish> wonder what the oldest OS you could run on an intel i7 is 11:48 <+catphish> i'd guess IBM DOS, but not sure if there's anything older 11:49 < djph> catphish: definitely, I mean I've got a couple PCs in the local library like that - they ONLY run the copy machine 11:49 <+catphish> maybe CP/M 11:50 < djph> (although, no user access either -- they're just there to run the library card scanner .... those firewall rules must be a bear 11:50 <+catphish> lol 11:50 < djph> I miss the old terminal-style library catalog search. The new (from late 90s / early 2000s) webUI is 10 billion times more awful 11:51 < djph> and no, it's not the website design (that's always been pretty good) ... it's just not as easy 11:54 <+catphish> i'm trying to figure out what the 8086 ran when it was launched in 1978, MSDOS wasn't launched until 3 years later 11:55 <+catphish> maybe only proprietary stuff until IBM designed the PC 11:56 < linux_probe> https://en.wikipedia.org/wiki/Category:8086-based_home_computers 11:56 < linux_probe> likely CP/M 11:57 <+catphish> wonder if CP/M would run on an i7 :) 11:57 < bezaban> https://en.wikipedia.org/wiki/86-DOS ? 
11:57 < linux_probe> pc-dos also 11:57 < linux_probe> was ibm's 11:57 <+catphish> PC-DOS is MS-DOS 11:58 <+catphish> launched 1981 11:58 < linux_probe> im sure there was other junk 11:58 <+catphish> i didn't know MS bought DOS from someone else 12:00 < djph> "bought" 12:01 < linux_probe> well, to be fair not many folks would have been "computing" prior to that 12:01 <+catphish> djph: "In July 1981, a month before the PC's release, Microsoft purchased all rights to 86-DOS from SCP for $50,000" sounds like they bought it 12:02 < djph> I know 12:02 < djph> :) having a jab at them 12:02 <+catphish> i enjoy they they hid the fact they'd already sold it to IBM 12:02 < djph> also, I thought it was only licensing agreements 12:03 <+catphish> originally they licenced it, then they agreed to licence it to IBM, at which point they bought it 12:03 < djph> ah 12:04 <+catphish> they didn't tell the original owners about the IBM deal, so they got a great deal 12:07 < linux_probe> ah-hah 12:07 < linux_probe> https://en.wikipedia.org/wiki/Operating_system#History 12:07 < linux_probe> if it;s right 12:07 < linux_probe> got only knows, none the old farts form back then are still alive im betting lol 12:07 < compdoc> was a good deal 12:09 < phre4k> is there a list of suspicious outgoing ports, protocols and so on which I could use for NIDS? 12:25 < djph> all of them 12:27 < djph> realistically, no. You can find the (default) ephemeral port range of the OS you're using though, and look for stuff outside that (note - some protocols, such as NTP use defined ports from teh client side as well. These are always outside the ephemeral port range) 12:28 < djph> Trouble is, unless someone's trojan was stupid and used a set port, you're not going to really be catching anything 12:28 < djph> *Trouble with that approach is [...] 12:29 < easy_ref123> is there a way to use graphical applications (eg. sublime_text, meld) on a remote box without installing X on it? 
12:31 < rudi_s> easy_ref123: No, you can sshfs the remote filesystem though. 12:31 <+catphish> well there are some really obvious protocols, SMB for example has no business making WAN connections 12:31 < djph> catphish: of course :) 12:31 <+catphish> SMTP maybe, if you know what SMTP users *should* be using 12:32 <+catphish> but i would imagine windows filesharing ports would be the main one, and the main thing an infected windows PC is going to be scanning for 12:33 < djph> probably 12:33 < phre4k> catphish: Microsoft themselves provide a WAN SMB share: https://docs.microsoft.com/en-us/sysinternals/#sysinternals-live 12:34 < easy_ref123> rudi_s, thanks. 12:34 <+catphish> phre4k: lol, whitelist it i guess :) 12:34 <+catphish> or don't 12:34 < easy_ref123> rudi_s, I could do it with VNC but requires an X server? 12:36 < rudi_s> easy_ref123: Yes (and a VNC server). 12:36 < rudi_s> If you just want to edit (small) files, sshfs should be the simplesy way. 12:36 < rudi_s> *simplest 12:38 < easy_ref123> sshfs is a recursive transfer utility? 12:40 < rudi_s> easy_ref123: No. 12:40 < rudi_s> It mounts a remote directory per ssh on the local system. 12:40 < rudi_s> So any editor can just edit a "local" file (which gets transparently synced to the server on changes). 12:40 < usr123> Http guide states that 504 gateway timeout - the response is coming from a gateway or proxy that has timed out waiting for a response to its request from another server. What is another server here? and isn't my gateway inside the application server? 12:40 < rudi_s> Quite useful for many things. 12:42 < phre4k> do we have a pentesting channel on freenode? 12:42 < easy_ref123> rudi_s, ah, nice. Only small files? When does a job become too big for sshfs? Is it suitable for most web tasks? 12:45 < rudi_s> easy_ref123: Depends on your network connection. It must transfer the file. 
12:45 < rudi_s> (It supports range edits so it will work for big files if you have a fast internet and an editor which doesn't open the whole file.) 12:46 < rudi_s> (I used for disk images with a few TiB - but of course those are never read as a whole, only parts of it.) 12:46 < djph> well, "on changes" means that you'd have to save the file 12:46 < rudi_s> Yeah, but have to read it first. 12:46 < djph> exactly 12:47 < djph> doesn't really matter if the editor reads in the whole file or not (just affects how long it'll take to open) 12:47 < djph> ... err open, and save when you're done. 12:48 < usr123> rudi_s: Hello, I get an HTTP 504 gateway time out 12:49 < djph> usr123: a gateway between your "application server" and "whatever is trying to access it" 12:50 < regdude> if I want to test IPv6 only in a local network, what addresses should I use in order not to break anything? I want to test if DHCP6 Server is working properly without IPv6 from WAN 12:50 < djph> e.g. if you're using azure or something, it's probably be a loadbalancer at MS 12:51 < djph> regdude: not sure there are any "reserved for testing" address spaces in v6 12:51 < usr123> djph: So is it not in my control? And I'm sending an http request, my server also takes in http requests, why do I need a gateway 12:54 < regdude> djph: well, this does something, not sure why: https://simpledns.com/private-ipv6 12:56 < djph> usr123: because "a gateway" is another name for "a router" (or, like the error says, "a proxy") 12:58 < djph> usr123: unless both the server and PC you're testing from are on the same physical subnet (e.g. 192.168.0.0/24), there will be at least one gateway in between. 13:01 < usr123> djph: No, my server is on AWS. And my client is a different device sitting somewhere else. Anything I can do to prevent this. Also, if the router or proxy doesn't hear back from my server, isn't it the server's fault somehow? 13:06 < djph> usr123: yeah, get the gateway(s) in between fixed. 
13:07 < djph> 500-series answers are "I tried doing exactly what you asked, but I was incapable of doing it for some reason" 13:08 < djph> 503 is specifically "I, the gateway (proxy), sent the server that was gonna actually handle the request the information; and it came back with nonsense" 13:09 < djph> err whoops, that's 502, sorry 13:10 < djph> 503 is "I, the server, am not here right now, please try again later." 13:11 < djph> and your error (504) is "I, the gateway, didn't hear back from the server that was supposed to process this within $timeout " 13:12 < djph> Trouble with 504 is that it could be a precursor to 503-style errors, or just general network overload, or a stupidly configured $timeout time, or ... 13:14 < lupine> it is not "please try again later", exactly. In particular, you don't know if your request succeeded or not, so you shouldn't automatically retry non-idempotent requests 13:15 * lupine glares are lighthttpd 13:17 < djph> lupine: for 503? 13:18 < djph> 503 is "Service Unavailable", and considered to be a temporary state. 13:20 < lupine> for all 5xx errors 13:20 <+catphish> afaik all 5xx errors are considered a temporary state, basically "something went wrong, or timed out, we don't know what state your request ended up in, feel free to try again later" 13:20 < djph> I didn't say "for all 5xx errors, try again later". 13:20 < lupine> the problem is in "feel free to try again later" 13:20 < lupine> for non-idempotent requests, unconditionally retrying again later will sometimes lead to duplicates 13:20 <+catphish> you can always try again later, just be wary that your request may have made changes already 13:21 <+catphish> what lupine said 13:21 < lupine> one way to avoid this is to examine state before retrying the request. Another is to include a unique id of some kind in the request and all retries, and configure the server so it will reject follow-up requests 13:22 < lupine> computers are hard. 
let's go shopping :/ 13:23 < djph> Although, by their nature, 5xx errors are supposed to imply "I can't do what you want right now", not "I got halfway through doing what you wanted" 13:27 <+pppingme> it could potentially also mean "I can't do what you want, and what you ask will never be possible" in the case of a malformed request 13:28 < djph> true 13:28 < djph> although aren't malformed requests '400' ? 13:29 <+pppingme> if the server knows its malformed 13:29 < djph> ah, fair enough 13:32 < usr123> djph: Hey, all that info was really helpful. Thanks. So, is there a known reason why a router might not hear back from the server? 13:33 < djph> network issue. server issue. idiot windows admin put a stupid timeout on the gateway. 13:33 < djph> other things that I'm not awake enough to consider 13:33 <+pppingme> or really good timing of a lighting strike 13:41 < LWong> Can someone point me towards some efficient distance computation algorithms? 13:41 <+catphish> pppingme: IMO a server that is working properly should *never* reply with a 5xx, no matter how bad the request 13:42 <+catphish> of course, in reality, bad requests cause internal errors all the time 13:42 <+catphish> LWong: in what context? 13:43 <+catphish> routing protocols all have their own algorithms, might want to read up on how ospf / bgp camculate distance for example 13:43 <+catphish> there are likely standard algorithms, but would depend exactly on the problem you want to solve 13:43 < LWong> catphish: Between mobile stations in a GSM network 13:47 <+catphish> i don't know much about GSM 13:47 <+pppingme> LWong what information or tools do you have? 13:47 < mmlj4> I wouldn't know the first thing about GSM 13:49 < LWong> pppingme: Every system can get its GPS location. 13:49 <+pppingme> distance between two gps points is easy, formulas are all over the internet.. 
13:50 <+catphish> distance between GSM base stations is actually quite important because of time division multiplexing 13:53 < LWong> What about mobile stations instead of base stations? 13:53 <+catphish> LWong: the simplest approach is simply to have the devices stream their gps locations to each other, then they can calculate the distance simples 13:55 < LWong> catphish: Too costly. Are there algorithms that do better? 13:55 <+catphish> i don't really see how you could do it any other way 13:56 < compdoc> when I run the host command, it shows ip addresses that no longer exist on a server. how can I clear that out? 13:57 <+catphish> compdoc: assuming the records have been deleted from DNS, wait for their cache to expire 14:43 < Spice_Boy> has anyone come across a .enc file? I'm under the impression it's an encrypted file, but not sure where they are common 14:44 < djph> they're not "standardized" if that's what you mean 14:44 < Spice_Boy> I'd never heard of them until recently 14:44 < Spice_Boy> where are they used at all? 14:44 < dminuoso> file extensions in general are not standardized. 14:45 <+sep> Spice_Boy, try the file command on it. 14:46 < djph> quick check through fileinfo.com shows it's an "encoded file", "cabal online data file", "electronic navigation chart", "copysafe protected pdf", or "encore musical notation" 14:46 < Spice_Boy> I also found a lotus 1-2-3 reference, which is ancient 14:47 < dminuoso> Spice_Boy: I'd look at the first few hunred bytes with a hexviewer. 14:47 < Spice_Boy> ah you saw that page too 14:47 < Spice_Boy> I have a funny feeling it's an encrypted file 14:48 < dminuoso> Spice_Boy: also use `strings` 14:48 < Spice_Boy> .ssq.enc 14:48 < Spice_Boy> dminuoso: tried strings... nothing 14:48 < dminuoso> Spice_Boy: If its encrypted with deniable encryption, then you wont know whether its encrypted.. 
14:48 < tbcsj> hi all 14:49 < dminuoso> If its some binary file format you'd usually be able to find some kind of pattern in the header 14:49 < djph> where'd you get it from? 14:49 < Spice_Boy> it's the Tesla powerwall firmware file 14:49 < Spice_Boy> ends with .ssq.enc 14:49 < tbcsj> Does anyone know how I can configure a GRE tunnel on junos ACX routers, to run an IGP over the top? 14:49 < Spice_Boy> .ssq is probably the real extension of whatever it actually is 14:50 < tbcsj> Junos docs says GRE doesn't support routing protocols over GRE 14:51 < djph> although .ssq just pops up with ODBC script 14:53 < Spice_Boy> djph: does that sound right for a 90MB firmware file? 14:55 < Spice_Boy> I'm thinking not 14:55 < Spice_Boy> nevermind 14:58 < dminuoso> Spice_Boy: what is your actual problem/question? 14:58 < Spice_Boy> don't worry 14:59 < dogbert_2> some ph33r = 05:58:32 up 9 days, 11:35, 2 users, load average: 0.07, 0.02, 0.00 15:09 * dminuoso .oO( if your server has an uptime in excess of 6 months, you are either blessed with really skilled admins or really bad admins. ) 15:11 < kottt> think we had a wireless controller here running for 735 days once 15:11 < djph> or it doesn't need reboots all that often (although, I suppose all those spectre kernel patches kind of win out) 15:12 < dminuoso> djph: That was kind of my point. ;-) 15:12 < dminuoso> If your server uptime is beyond 6 months it means you either have skilled admins that know how to use kexec, or they suck dearly because they havent patched the kernels yet 15:13 < djph> I've got one here that's been up for a year, it HAS the patches, just ... ugh, rebooting. (although it's also nothing important... oooh, you know it has a shitton of porn on it) 15:16 < dminuoso> djph: My perspective is this: If it s a private server, then security ensures some idiot doesnt put child pornography on your server and cause problems for you. 15:16 < dminuoso> If its a company server, keep your servers patched mkay? 
15:17 < djph> dminuoso: if "some idiot" can access a server that's only connected to my "lab(tm)" (literally zero connectivity to internet), I think I have more pressing concerns. 15:17 < djph> ... like "what're you doing in my house!?" 15:17 < dminuoso> djph: Id just kick back "Go ahead - its all encrypted anyway!" 15:18 < djph> but yeah, all the servers here are like ... uh ... 3 month uptimes? 15:19 < dogbert_2> LOL...I've had servers and networking gear at 200+ days 15:19 < djph> well, except that one. I really oughta, but ... I have better things to do than wait for a P4-dualcore with 1G of RAM to reboot 15:19 < djph> dogbert_2: oh yeah, they rebooted because spectre / meltdown. 15:20 < dogbert_2> though I had lunch with a couple of women CTO's this weekend...interesting topic, trying to get more women into IT (I told them, you ladies have brains, you went into to mgmt/executive positions, they just LOL'd) 15:20 < dogbert_2> they can't do what I know how to do, and I certainly can't do their jobs... 15:20 < dogbert_2> yeah, djph 15:21 < dminuoso> Well if you do it right, you'd live patch anyway. 15:21 < dogbert_2> I finished firmware upgrades to the last of 60 switches last friday...no fun at all, given all the Change Management stuff I have to write and get approved 15:22 < dogbert_2> though one of the things that these women told me is the # of candidates who don't make it more than 15 mins in an interview...that's just bad 15:31 < djph> meh, they're not critical systems. I don't care if they're down for 10 minutes 15:35 < dogbert_2> hehehe :) 15:36 < kottt> what do you mean by making it more than 15 minutes in an interview? 15:36 < kottt> <_< 15:41 < dogbert_2> kottt, you'd be surprised the # of applicants who don't show up to an interview properly dressed 15:41 < kottt> >_> 15:42 < turtle> so I'm not supposed to have my dick out? 
15:44 < dogbert_2> I've seen more good candidates bounced in the 1st round due to poor appearance and dress than you could possibly imagine 15:46 < UncleDrax> turtle: in some jobs, i'm sure that's a requirement 15:46 < kottt> agh... have an interview this afternoon, went with blue-jeans and a button-down because i got too damn fat to wear my good dress-pants <_>; 15:47 < dogbert_2> kottt...I've never gone to an interview unless I'm wearing dress shirt (pressed), tie, dress slacks (pressed), dark socks/hosiery, and shined shoes... 15:47 < dogbert_2> and I've been working in IT for almost 36 years 15:48 < jaelae> my current job . i wasnt even looking for a gig and they offered me a 50k increase in pay so i went and bought a sweet suit showed up to manhattan for the interview 15:48 < jaelae> and everyone was in tshirts 15:48 < jaelae> looking at me like im a jerk 15:49 < jaelae> i still got the job so i guess you cant really underdress. dressing right can only help 15:49 < dogbert_2> yeah...well, I know quite a few corporate execs...the women are always well dressed... 15:50 < dminuoso> dogbert_2: "properly dressed" really depends on the job, the type of company and the country. 15:50 < UncleDrax> one should dress up for an interview.. if you care about trying to get the job at all 15:50 < dogbert_2> exactly, UncleDrax 15:50 < dminuoso> dogbert_2: Some interviewers even explicitly ask for casual dress code 15:50 < UncleDrax> well for any formal 'sit down' interview 15:50 < dminuoso> Its not the norm, but it exists. 15:51 < dminuoso> Also there's such a thing as overdressing. 15:51 < UncleDrax> if it's a practical interview, ya, dress appropriately. 15:51 < dogbert_2> dminuoso...had that at my last interview...I still went to it in dress shirt/slacks, tie, shined shoes...had a job offer 4 days later 15:51 < djph> oops, byebye fileserver :| 15:51 < dminuoso> dogbert_2: correlation does not imply causality. 15:51 < UncleDrax> true. 
wearing white-tie to a job interview, unless you're applying for the part of James Bond in a Spy Movie, is over dressed 15:51 < djph> stupid kernel patches 15:52 < dogbert_2> UncleDrax...Business Formal is usually reserved for mgt or better... 15:52 < dminuoso> dogbert_2: if the HR folks in front of you are all sitting there with jeans and a shirt 15:52 < dminuoso> and you come overdressed like that despite being asked for casual 15:52 < dminuoso> then that can backfire just as badly. 15:53 < UncleDrax> true. it's been a longt ime since I've interviewed, but I also never explicitly had anyone specify a dress code 15:53 < dminuoso> there's basically only one rule for job applications, whether its for the CV, interviews or anything else 15:53 < UncleDrax> but ya, if they do that, then follow instructions 15:53 < dogbert_2> dminuoso...I've bounced more candidates who came in dressed like you've described... 15:53 < dminuoso> "If it helps, do it. If it doesn't, don't" 15:53 < dminuoso> That's the one and only rule in job applications. 15:53 < dminuoso> Whether it helps really depends on the situation. 15:54 < UncleDrax> still if 'casual' was specified, that means 'business casual' to me. 15:54 < dogbert_2> a well dressed person in an interview shows me three things without having to say a word, attention to detail, focus, and potential for advancement 15:55 < dogbert_2> A rule I always remember, don't dress for the position you want, dress for the position above the one you want 15:55 < dminuoso> dogbert_2: that's just esoteric crap. 15:55 < dminuoso> whether or not I polish my shoes has absolutely nothing to do with how much I care about detail and correctness of software. 15:56 < dminuoso> I know plenty of HR folks might go that way 15:56 < dminuoso> but its still nonsense 15:56 < dminuoso> dogbert_2: Someone who knows how to dress but is shit at his job has managed to make a good first impression. 
15:56 < dogbert_2> yeah...well, in my career, I've interviewed at least 400+ people for technical positions...in addition to being interviewed 15:56 < dminuoso> Now you're already biased for him. 15:56 < dminuoso> Which is how tons of shit people get good jobs. 15:57 < dogbert_2> dminuoso...bias doesn't imply incompentence...if they don't have the skills, it's going to come out in the technical interview, and I've seen plenty who get bounced after 15 mins despite being well dressed 15:58 < dminuoso> And if Im badly dressed but technically excellent? 15:58 < UncleDrax> comes down to how the interviewer feels about that 15:58 < UncleDrax> an interview is usually about impressing meatsacks. 15:58 < dogbert_2> you're going to lose pretty much every time vs a well dressed person 15:58 < UncleDrax> so it's by nature, subjective 15:59 < Spice_Boy> dogbert_2: agree 15:59 < dogbert_2> and that's just reality...welp, time to get my ass in the shower and ready for work... 16:22 < RazorSharpFang> Is it true that *nix machines trace routes with UDP as opposed to windows' ICMP traceroute? 16:23 < Roq> Yeah 16:23 <+xand> RazorSharpFang: UDP is the standard for traceroute yes 16:23 < RazorSharpFang> Strangely enough, a foreign server is responding to ICMP traceroutes but not UDP traceroutes. 16:24 <+xand> plenty of firewalls will just drop the udp traceroute ports 16:24 < RazorSharpFang> Even more strange, it's responding with a private IP address, yet it's beyond my router. 16:24 <+xand> that is feasible 16:24 <+xand> it means there's a bit of private address space in use en route somewhere 16:24 < RazorSharpFang> It also responds with "unreachable" if you ping it with its address. 16:25 < RazorSharpFang> Suggesting that it can't reach itself. 16:25 <+xand> nah just that it doesn't respond to ping 16:25 <+xand> could be many reasons for that 16:26 < RazorSharpFang> Pinging 10.22.25.87 with 32 bytes of data: Reply from 10.20.25.87: Destination net unreachable. 
- I still find that hilarious though. 16:29 < strixdio> anyone have a recommendation for a managed gigabit switch that won't break the bank? 16:29 < UncleDrax> define ($banksize) 16:29 <+xand> RazorSharpFang: 10.22.25.87 != 10.20.25.87 16:29 < UncleDrax> $100? $1000? 16:29 < strixdio> banksize=200 16:30 < UncleDrax> port count? features? 16:30 < strixdio> 24 would be good. Features: Layer2 16:30 < strixdio> preferably something I can use to learn for CCENT 16:31 < strixdio> I know I'm asking for the world, but something that's not years EoL in terms of iOS updates. 16:31 < UncleDrax> get a greymarket/refurb 3560 then 16:31 < UncleDrax> oh 16:31 < UncleDrax> man your feature list is getting big 16:31 < strixdio> yeah, LOL 16:31 < strixdio> Not sure something from my wishlist exists, maybe I'll have to settle for "best of" 16:32 < UncleDrax> So you want a 12+ port Cisco IOS switch that's still capable of support. 16:32 < UncleDrax> *GigE 16:32 < strixdio> ;) 16:32 < strixdio> I know that the support request is a stretch 16:33 < RazorSharpFang> xand, Oh shoot. That was a miss-type - it responds the same for when they ARE equal. It probably just says "Private address, not reachable" 16:33 < UncleDrax> my Cisco catalog is out of date, but I'd be skeptical a device exists. but someone might have something 16:33 < strixdio> I just worry about it being out of date from a security perspective 16:34 < flying_sausages> hey guys I've got a bit of a more abstract question. I've got a small embedded device that has Wi-Fi AP capabilities (local only) and I'd like to test the general performance for it in such a way that I could run similar enough tests on an average tp wireless router. I've got a couple identical HP ZBooks and iPhone 8s around. I'm specifically interested in performance when multple clients are using the APs at 16:34 < flying_sausages> the same time, and how does that affect bandwidth and CPU. What would you do in my shoes? 
16:34 < flying_sausages> I'm thinking about iperf3 but I'm not sure if that's a good enough piece of software to measure CPU 16:35 < flying_sausages> as well as the fact I need to run separate servers for each client, so that also changes things 16:35 < strixdio> UncleDrax: https://www.ebay.com/itm/Cisco-Catalyst-WS-C3560G-48PS-S-48-Port-Gigabit-PoE-Switch-15-0-4X-GLC-SX-MM/291644797979 thoughts? 16:35 < UncleDrax> strixdio: fair enough. you can also try #cisco. you can pickup greymarket/used/refrub HW that's EoL/EoS but still solid, and usually cheap. usually requires find a sellet you can trust though 16:35 < strixdio> I'd rather just stick with ebay or something of that sort. 16:35 < Aleksandar86> hi :) 16:36 < UncleDrax> strixdio: the 3560 series would (imo) be great for learning.. since they can do some L3/routing stuff as well. they were proven workhorses. 16:36 * strixdio nods 16:37 < strixdio> oh wait... 16:37 < strixdio> are the fiber ports the only ones that are gbit? 16:37 < UncleDrax> that's vary based on specific model. consult Cisco's docco on that 16:38 < UncleDrax> https://www.cisco.com/c/en/us/products/collateral/switches/catalyst-3560-series-switches/product_data_sheet09186a00801f3d7d.html 16:38 < strixdio> 48 Ethernet 10/100/1000 ports and 4 SFP-based Gigabit Ethernet ports 16:38 < UncleDrax> the 3560G-48PS is 48x 10/100/1000 with 4x SFP 16:38 < strixdio> :) 16:38 < strixdio> This is *not* bad at all. 16:38 < strixdio> though, they can be a little loud eh? 16:39 * strixdio chuckles to himself 16:39 < efb> hey with SSL certs, if you import an external certificate - should the private key stay password protected if your application doesn't ask you to supply the private key password 16:39 < UncleDrax> I can't speak to a 3560, but I've disabled the fans on a 3550, wedged it beteweena filing cabinet and a wall, and it was fine that way for 3 years. 16:39 < strixdio> o0 16:39 < strixdio> I didn't realize you could disable the fans. 
16:39 < UncleDrax> unplug them 16:40 < strixdio> LOL 16:40 < UncleDrax> not that they were _that_ loud to begin with.. not like an ASR1001X 16:40 < strixdio> I have a few "loud enough" computers in my rack already. 16:40 * strixdio shrugs 16:40 < UncleDrax> those things are jet engines 16:40 < strixdio> I've heard switches booting and yeah, you're right. 16:40 < strixdio> but once they're on they shouldn't be too bad. 16:43 < strixdio> hmm, the PoE on a switch like this doesn't work for ubiquiti APs does it? 16:43 < UncleDrax> (and for the record, at the end of those 3 years, we moved offices.. not like the switch died) 16:44 < strixdio> oo 16:44 < strixdio> lol that's good to know 16:44 < kottt> is there a term or phrase in IT for when a user's problem disappears under observation by a professional 16:44 < strixdio> "magic" 16:44 < avu> kottt: heisenbug 16:44 < illkitten> "phantom" 16:44 < strixdio> "you have the magic touch" "your presence is all it needed" 16:45 < UncleDrax> I call it 'curse of user support', but yes, It's common enough and I think there's a term for it 16:45 < strixdio> hahahaha "heisenbug" avu thanks that's awesome! 16:45 < kottt> heisenbug... i knew there had to be something like that... 16:45 < kottt> perfect, thank you 16:45 < avu> also applicable to bugs that go away as soon as you attach a debugger 16:46 < kottt> there is a wiki article for heisenbug, which lists several additional related terms 16:46 < kottt> mandelbug: a bug that exhibits fractal behavior 16:46 < UncleDrax> schrödinbug :] 16:46 < kottt> hindenbug: catastrophic behavior 16:46 < UncleDrax> heisenbug is easier to say though imo 16:47 < strixdio> lol 16:49 < strixdio> anyone that's taken the net+ and ccent: is the ccent "easy" enough coming from a net+ perspective? 16:50 < strixdio> Perhaps I should ask, is the ccent "similar" enough to net+? 16:53 < vpnRoute_> Hello. I have a problem connecting to a host over a site to site vpn. 
All original hosts are accessible, but new hosts are not. Traffic to the new hosts routes through the vpn but never makes the final hop to the host. I've opened up the firewall on the host in question. I've scoured the internet for resources but I'm either using the wrong terms or something else. 16:54 < vpnRoute_> Any suggestions? 16:54 < strixdio> vpnRoute_: are you trying to access this host via DNS or via IP? 16:54 < vpnRoute_> Tried both and neither work. 16:54 < strixdio> not on a different subnet either? 16:55 < vpnRoute_> It's on the same subnet as the other remote machines yes. 16:56 < vpnRoute_> that is to say, the other remote machines that are accessible. 16:57 < strixdio> unable to ping them? 16:57 < vpnRoute_> correct. 16:57 < strixdio> the gateway is set correctly? 16:58 < strixdio> I have a thought, something to do with ARP, but I'm not a networking expert and don't know the terms well enough, sorry. 16:59 < vpnRoute_> I believe it's correct. a tracert shows traffic reaching the Entry node and the remote exit node. 17:00 < strixdio> specifically on the remote exit node. I'd imagine it needs to be directing the traffic to a device with an arp table 17:01 < vpnRoute_> Thanks for the tip. I'll look into that. 17:01 < strixdio> np, I hope it helps. Hopefully someone else can chime in. 17:21 < easy_ref123> I'm doing an sshfs mount with options, "uid=1000,gid=1000" - the mount is successful, but "mount" output for this particular mount is 17:21 < easy_ref123> http://termbin.com/zqh9 17:22 < easy_ref123> "ls -l" on the mountpoint shows my user (uid=1000), but I get a permission denied when I try to write anything to the remote filesystem 17:23 < shtrb|work> Is the file system rw and are users allowed to write in that folder ? 
17:57 < MrUnkn4> assalamuallaikum 18:22 <+catphish> easy_ref123: looking at that output, it would seem to me that you probably should be setting user_id=1000,group_id=1000, not certain though 18:23 < s7rawman> Hello I was in here earlier with the site to site vpn problem. Traffic Routes through the VPN correctly, ARP Tables on exit node are correct, Firewall on host is wide open, Host is on same subnet. I can access the other remote machines, through the tunnel, but not the new one I added. 18:25 <+catphish> s7rawman: usual problem is no route back to the VPN client subnet 18:29 < s7rawman> roger, can you point me in the right direction there. I'm still relatively new to this 18:30 < s7rawman> as in how to establish that route 18:30 <+catphish> s7rawman: i would always recommend doing a packet capture if possible, to see if packets are arriving, and simply checking the routing table at each device to make sure it has a route to both the source and destination hosts 18:31 <+catphish> i don't have time to talk you through routing right now, perhaps someone else can, but basically, each device needs to have a route pointing to the vpn client, and one pointing to the host at the other end 18:36 < electricmilk> s7rawman, What devices are you using for the site to site VPN? 18:36 < s7rawman> Pfsense for my firewall, and an openvpn client on a server 2008 box. (i wasn't the one who set it up.) 18:37 < electricmilk> Well you have to setup routes on both ends 18:37 < s7rawman> Right. I have routing set up on the pfsense box. 18:38 < s7rawman> I'm under the impression that the openvpn client will just use the route settings provided by the OpenVPN server (pfsense box) 18:40 < E1ephant> if there are "push" config lines 18:40 < E1ephant> it will be on the server config 18:44 < s7rawman> Yes. I've got push and route overrides in my configs. 
18:46 < Sircle> What ways are used when a company sends emails, the client responds and the company knows via the threads (some kind of system that is not the regular inbox)? This is used in ticketing systems too I guess. I want to manage my customer base and know which email was sent to whom + its response. Handle each customer with custom tags/groups. 18:54 < Apachez> things you dont see reported in mainstream media: https://electrek.co/2018/05/30/tesla-model-3-performed-miraculously-crash/ 18:54 < Sircle> should I just use a ticketing app or a crm? 18:55 < aditya6502> Apachez: pravduh time 18:55 < failspy> window 3 18:55 < failspy> woops. :P 18:56 < E1ephant> I am the eggman 18:58 < Sircle> I am looking at how to bundle all email threads for one customer. And put tags on that customer (prospect, lead, matured, buying, satisfied etc) 18:59 < djph> Sircle: will likely depend on your chosen MUA 19:06 < Sircle> djph should I go for a crm or ticketing system? any suggestions? 19:07 < djph> crm / ticketing might be a good option 19:07 < djph> up to you 19:11 < Sircle> something tells me I would not be able to use 2 mail services at a time. Either I would be able to use mailgun for sending and receiving mails or gmail. As I can only add one MX record in dns? 19:11 < Sircle> djph, ^ 19:12 < djph> insofar as I understand it, yup 19:14 < tds> you can send from as many different services/addresses as you like as long as you can put them all in your SPF record, for delivery to your domain you can add multiple MX records with priorities, but using that with two different services likely won't work well 19:18 < Sircle> tds, so sending emails from multiple services is fine but receiving can have problems? 19:18 < djph> yup 19:19 < Sircle> djph, and there is no solution for that 19:19 < Sircle> ? 
19:19 < djph> "not using multiple services" 19:19 < Sircle> k 19:19 < Sircle> thx 19:19 < tds> having your mail server relay email to a specific address out to another server (eg support@example.com gets relayed to ticketingservice.example.com) would work 19:19 < djph> I mean, there are ways around it where the "other services" are backups to the "main service" and all ... 19:20 < Sircle> k 19:20 < Sircle> I am looking at how to bundle all email threads for one customer. And put tags on that customer (prospect, lead, matured, buying, satisfied etc) are there ready made services for that I can use right away? 19:21 < tds> I'm sure there are lots of both open and closed source systems for that, most I've seen have some kind of ticket identifier in the subject (eg EXAMPLE1234) 19:23 < Sircle> tds, any names that can do what i want? 19:24 < tds> just google "ticketing system" or something similar, I'm sure you'll find lots of stuff 19:24 < tds> if you specifically want something open source, there are various listed on the awesome-selfhosted list: https://github.com/Kickball/awesome-selfhosted#ticketing 19:27 < Atro> Sircle: we have http://www.osticket.com/ 19:27 < Atro> it's alright, but we use it minimally 19:49 < `whoami`> hello, not sure if I should ask this in here, or in ##security, but what's your opinion on "tinc", the distributed vpn thingy ? Is it "mature" enough to use it in production ? 19:52 < Atro> the fuck's tinc 19:54 < tds> it's a mesh vpn with some nat traversal tricks iirc 19:54 < tds> I know a few people who used it with a few nodes, never tried it myself though 19:58 < Sircle> tds, Atro thx 20:04 < fattredd> How can I use openVPN to access my home computers without tunneling all my internet traffic through it? I've already got it up and running using dev tun. 20:05 < E1ephant> `whoami`: it's quite an old project, I would say quite mature. 
20:05 < E1ephant> fattredd: use "push" config lines to just push specific subnets 20:05 < E1ephant> instead of a default-gw 20:06 < fattredd> Sweet. Thank you 20:09 < `whoami`> nice, as long as nobody in here says "it's a total piece of garbage", I might consider using it, thanks ! :) 20:11 < E1ephant> the main draw/feature I have seen, is that it's much like dmvpn, but it existed first 20:12 < E1ephant> if you have a TINC mesh, nodes will try and send traffic directly to each other 20:12 < E1ephant> rather than any routing 20:12 < E1ephant> so "auto-mesh" of ptp 20:52 < electricmilk> How do I get 2 phones to ring on the same line in separate rooms? Currently only one phone jack is setup. (Old school POTS line) 20:53 < brianx> that tinc vpn looks lovely. all the disadvantages of openvpn's undiagnosable automagic routing without the advantage of support on as many devices. 20:54 < Harlock> electricmilk cordless phone system if you are not going to run another wire 20:55 < electricmilk> Ah yea that's not a bad idea actually 20:55 < E1ephant> brianx: lol what are you on about? 20:55 < E1ephant> brianx: how is openvpn routing "undiagnosable and automagic?" 20:56 < tds> brianx: if you have an openvpn server with multiple clients connected, even though ovpn maintains its own internal routing table iirc, doesn't the traffic still have to go via the server between any two clients? 20:56 < brianx> run ip route on a network running openvpn. what do you get? 20:56 < Harlock> electricmilk you don't need to run a wire all the way from the demarc, you can run from the other jack or tap in somewhere in between 20:56 < E1ephant> and its source is available no? you can compile it wherever you want 20:56 < E1ephant> brianx: routes? 20:57 < brianx> nothing about all the routes in the openvpn system though. 20:57 < E1ephant> err I am using bird or quagga to push routes around 20:57 < E1ephant> I have used /31s and discontiguous /32s though without issue? 
20:58 < tds> yeah, openvpn keeps its own internal routing table with iroutes defined on the clients or something like that, iirc? 20:58 < brianx> yeah, something like that. 20:58 < tds> oh wait, maybe iroutes were defined in the ccd client configs 20:58 < brianx> and there is no tool to dump them. 20:58 < E1ephant> iroute is something you push from the client 20:58 < E1ephant> to the server 20:58 < E1ephant> lol don't use openvpn as a routing protocol then? 20:58 < detha> brianx: I seem to remember ovpn has an option to route everything through the host instead, so you can add your own firewall rules etc 20:59 < tds> but yeah, I just do point to point with openvpn, then bgp between nodes with bird (similar to E1ephant I suspect) :) 20:59 < brianx> detha: that seems to work between 2 linux boxes. doesn't seem to work with linux based firewalls, windows, and android. 21:00 < E1ephant> I use tun/tap on client facing vpns too 21:00 < brianx> tds: yeah, openvpn for two nodes is fine. no biggie there. 21:00 < E1ephant> haven't used android in a long time, but windows is fine too 21:00 < E1ephant> I use static hold downs on "VPN concentrators" though 21:00 < detha> brianx: uhm, yeah, probably. I have never considered windows or android things as anything but 'clients, with one vpn link to somewhere' 21:01 < brianx> detha: same here. but they need to talk to the whole network and not just one hop. 21:02 < detha> that's where 'push route' comes in. Then the bird/quagga stuff between various concentrators can sort out the rest 21:02 < tds> anyway, the trick with tinc is that it includes some nat traversal magic, rather than like how openvpn has to reflect all traffic between clients via the server iirc 21:02 < detha> (and yes, my setup is also PtP tunnels and bird/quagga) 21:02 < brianx> sometimes it does "just work", but there is no way to display the routes or diagnose when you have more than point to point or a server and a couple client only connections. 
21:03 < tds> detha: heh, seems like everyone's running the same thing 21:03 < detha> tinc tries to create a full mesh on its own where needed as far as I understand (only had a brief look at it a while ago) 21:03 < brianx> detha: yeah, that's what i read too. 21:04 < E1ephant> brianx: it's in the logs, you see everything that gets pushed to the client on establishment 21:05 < brianx> openvpn routing seems to be somewhat random. sometimes the router the server service runs on can be a client connecting to any device anywhere. sometimes it can't talk to anything but clients connected through the router work just fine. no config changes, no reboots, no adjustments except time (maybe some reconnects, not seeing them but could be happening) 21:06 < E1ephant> it is not random at all 21:07 < brianx> E1ephant: logging can't be left on indefinitely, there isn't room. turn it on and you can't get the existing routes out of it. restart the connections to get log entries and the situation changes, what worked might not and what wasn't working might. 21:08 < E1ephant> brianx: if your push options are changing between reconnections, you must be touching the server config, in which case your version tracking plus connect date would be enough to determine what should have been 'pushed' 21:09 < E1ephant> but to your point, even if you don't see routes expected, you just reconnect, and observe what is pushed then? 21:09 < brianx> nope. the configs are stored on disk and the update times don't change. 21:09 < E1ephant> so you are not changing push options then 21:09 < E1ephant> or you are hacked 21:09 < brianx> if i reconnect, sometimes it works. sometimes it doesn't. 21:10 < E1ephant> and you don't know it 21:10 < E1ephant> you need a stronger handle on your environment if you're "not sure" if reconnections are even happening 21:10 < brianx> right, and all they do is tweak my openvpn push settings. they don't add connections or edit configs, nothing. 
21:11 < E1ephant> >tweak my openvpn push settings 21:11 < brianx> again, there isn't space to leave logging on indefinitely. sometimes it takes weeks for things to suddenly change. 21:11 < E1ephant> that is editing configs 21:11 < E1ephant> you can't keep years of openvpn logs on disk? 21:11 < brianx> nope, there isn't space. 21:11 < E1ephant> it just isn't that much data 21:11 < E1ephant> you don't have hundreds of megabytes? 21:11 < brianx> nope. 21:12 < detha> openvpn with --verbose 6 can be quite chatty 21:12 < E1ephant> I suppose that is more than fair, is v6 needed for most production though? 21:12 < detha> v1 or v2 for production 21:12 < E1ephant> if you don't have a spare hundred megabytes, I would work on a mooch-based storage system asap 21:12 < brianx> i believe you need 3 to see the pushes. 21:13 < E1ephant> https://medium.com/@viralpickaxe/how-we-hacked-the-braintree-api-to-store-an-unlimited-number-of-files-302860736c25 21:14 < detha> still, I prefer openvpn routing 100 times over linux's ipsec implementation. Routing tables say 'to X'. Oh, but there's some xfrm that sneakily grabs the packet and pushes it into a tunnel 21:15 < E1ephant> policy-based in general is evil :P 21:15 < E1ephant> maybe okay for client vpn 21:15 < brianx> is there a version of that that runs on mips too? arm softfloat, arm hardfloat, x86, and x64? 21:15 < E1ephant> but yeah icky, I think 21:16 < E1ephant> probably not x86_64 21:16 <+catphish> can confirm: policy based VPN sucks mightily 21:16 < E1ephant> not a widely used platform 21:16 < E1ephant> :P 21:16 <+catphish> i use normal routing tables to push packets in ipsec encrypted gre tunnels 21:17 < E1ephant> brianx is proposing that ovpn push options change on their own? 21:17 < brianx> python isn't gonna fit on a box that doesn't have room to store a few weeks of level 3 openvpn logging. 21:17 < E1ephant> am I understanding this correctly? 
21:17 < brianx> E1ephant: i'm proposing that they don't have any way to be diagnosed to identify the current state of the routing table. 21:18 < E1ephant> brianx: what does python have to do with anything mentioned here? 21:18 < detha> problem with gre tunnels: doesn't work with road warriors that are often behind nat 21:18 < brianx> is it a failure to push after a reconnect? i don't know. 21:18 < brianx> electricmilk: you said i should use python to mooch storage and linked an article talking about it. 21:19 < E1ephant> I guess I just haven't experienced this, I see routes from route on windows and nix 21:19 < brianx> i see the route to the tun. 21:19 < electricmilk> electricmilk, I think you meant someone else 21:19 < electricmilk> lol 21:19 < brianx> not what is going to happen once it gets to the tun. 21:19 < electricmilk> oops 21:19 < electricmilk> brianx, I think you meant someone else 21:19 < E1ephant> brianx: I didn't mention python, but would be doable no? 21:19 < brianx> electricmilk: yeah, that was to E1ephant 21:20 < brianx> correction... E1ephant: you said i should use python to mooch storage and linked an article talking about it. 21:20 < E1ephant> brianx: how would the client tell you what happens after the tun? 21:20 < E1ephant> brianx: no I didn't... 21:20 < detha> brianx: yeah, ovpn does its own thing with multiple clients. You can get a bit of an idea if you let it save its dhcp-allocated addresses for the clients 21:20 < brianx> E1ephant: 14:12:50 if you don't have a space hundred megabytes, I would work on a mooch-based storage system asap 14:13:29 https://medium.com/@viralpickaxe/how-we-hacked-the-braintree-api-to-store-an-unlimited-number-of-files-302860736c25 21:21 < E1ephant> brianx: you mean the article authors used python? 21:21 < brianx> the article says that they did. 21:21 < E1ephant> and it's just what they chose to code in, what prohibits you from using language of choice? 
21:21 < brianx> i didn't see source, but i assume it's there somewhere 21:21 < E1ephant> is your language of choice incapable of interacting with HTTP or an API? 21:21 < E1ephant> lol 21:22 < brianx> so i need to write a ufs to store the logs on. this is sounding like a project bigger than implementing the openvpn itself was. 21:23 < E1ephant> I mean you're the one with the "less than 100mb of disk space" problem 21:23 < E1ephant> most people just have $.000002 lying around for such requirements 21:24 < brianx> zero disk space. less than 32mb of free ram including buffers. about 2k of nvram. 21:24 < E1ephant> if you're rich in hours but poor in monetary budget, seems the most feasible eh? 21:24 < detha> rsyslog..... 21:25 < E1ephant> yeah what on earth 21:25 < brianx> so i have to replace a bunch of people's home routers to use openvpn. rsyslog would be great. i'm already using that. but openvpn doesn't use syslog. 21:26 < brianx> oh, except the rsyslog logs over the vpn and one of the most common problems is that the router itself suddenly can't talk to anything even though clients connected through the router can talk just fine. 21:26 < E1ephant> can't SYSLOG=true? 21:26 < brianx> um 21:27 < brianx> wasn't aware of that option. 21:27 < E1ephant> I see it in reference to ovpn-as 21:27 < E1ephant> may be -as only, but hopefully not 21:27 < brianx> still doesn't let me see what happened when the router itself suddenly can't talk to anything even though the clients connected through the router can. 21:27 < E1ephant> I mean if you have no local storage, and no out of band 21:27 < E1ephant> and no remote access 21:28 < E1ephant> you can't just create something out of nothing 21:28 < brianx> OpenVPN 2.3.11 is the only version that will run on most of the devices. 21:28 < brianx> i have remote access. 21:28 < brianx> i have out of band. 21:28 < E1ephant> how is this openvpn's problem though, IPsec would have the same issue no? 
21:28 < detha> there's always the option of running a separate instance with fixed addresses, on another port, for rsyslog 21:29 < E1ephant> can logs oob? 21:29 < brianx> i've not tried ipsec yet. as was pointed out, it's a bitch to use too. 21:29 < detha> you don't say 21:29 < E1ephant> yeah I think more difficult 21:29 < brianx> E1ephant: it might be possible to log oob. 21:29 < E1ephant> but still very verbose, well documented, and supported. 21:29 < E1ephant> >relatively 21:30 < brianx> the primary issue i have with openvpn is that you can't dump the routing table. period. 21:30 < brianx> recreating it from logs collected oob might be possible. 21:30 < E1ephant> love the fresh perspective by the way, sounds like a very unique problemset :0 21:30 < E1ephant> :) 21:30 < E1ephant> very cool to hear 21:31 < brianx> the ability to rsyslog is something that would be crucial to diagnosing this and i didn't know it was there. 21:31 < fishar[NYY]> lmao i have a good one 21:32 < fishar[NYY]> i accidentally named a file "?" on cisco IOS 21:32 < fishar[NYY]> took me forever to figure out how to delete it 21:32 < brianx> fishar[NYY]: iirc there is an iterate function. 21:32 < fishar[NYY]> yeah i didnt know that 21:32 < fishar[NYY]> CTRL+V 21:33 < brianx> been awhile since i used ios. left enterprise a decade ago. 21:41 < brianx> SYSLOG true is not a valid option. 21:42 < E1ephant> gah :< 21:42 < E1ephant> and openvpn-as is huge, not viable for embedded at all 21:43 < E1ephant> seems you can use the "log-append" option though, and point at the syslog file 21:43 < brianx> rebuilding the images for these devices is just too much of a headache. magic routing without the ability to **dump the route table** is just absurd. 21:43 < E1ephant> seems like append to syslog is default for lots of images? 21:44 < E1ephant> ideally you don't want to have changing ovpn routes though, either send a supernet for coverage of everything on-net, or a default? 
21:44 < brianx> seems that way to me too, but it isn't for the version in these routers. might be practical for my other platforms. i have intel 64 bit that probably could run something newer. 21:45 < E1ephant> I guess does your scenario have lots of oscillating client routes? 21:45 < brianx> got me. i can't dump the route table. 21:45 < brianx> i see somewhat random results. rebooting often solves the problem temporarily, or sometimes it just suddenly starts working on its own. 21:46 < brianx> fortunately, it is most often that the router itself can't talk to anyone else but the clients connected through the router are fine. 21:47 < brianx> my most fun is when androids break. usually when one breaks, they all do. 21:47 < detha> That sounds...odd. Almost like some client connects and somehow the router sends everything to that client, and the client doesn't know what to do with it 21:48 < brianx> sorry, was unclear. the androids rarely connect. so there usually aren't any existing connections. 21:48 < brianx> but when one can't connect, usually none of the others can either. 21:49 < brianx> the androids only use a couple services over the openvpn client so only rarely start it and it chews battery pretty fast while connected so the users remember to disconnect. 21:50 < xingu> brianx: if you have some spare cycles, might be worth a PoC with softether vpn just as a side tangent 21:51 < brianx> softether... i think i remember that. will look again. thanks xingu. 21:53 < brianx> looks a lot like the aventail product i used back in the enterprise. pretty nice. 21:54 < brianx> "A good knowledge of TCP/IP and VPNs is required to configure Virtual Layer 3 Switching and design/build a LAN-to-LAN VPN that utilizes IP routing." Yay!! that sure sounds like routing in linux without magic routing. 21:55 < E1ephant> hehee 21:55 < E1ephant> >linux networking 21:55 < E1ephant> that is where the joke lies :) 21:56 < brianx> routing in linux just works. always has for me at least. 
sometimes the options take a bit of work to find or figure out but once you set it up it's rock solid. 21:57 < E1ephant> eh 21:58 < brianx> it'd be nice to have the androids and windows do bridging and the linux and linux routers do layer 3 routing. it looks like it might be possible in softether too. 21:58 < detha> basic routing in linux just works. advanced trickery is possible, but may have unexpected results 21:58 < E1ephant> it's like gum and duct tape relative to real network vendors 21:58 < astor> Quick question, if a web page is visited via ip and the response is cached. Will the cached page be rendered if site is visited via hostname? 21:58 * xingu hands brianx an nforce mcp 21:58 < E1ephant> and yeah, they call everything some non-standard name as well 21:58 < E1ephant> so half the wild goose chase is finding how linux devs think of words 21:59 < detha> brianx: by the way, #openvpn on freenode has some people that know it pretty well 21:59 < E1ephant> how much label switching are you doing in linux today? how much vrf/multiple table stuffs? 21:59 < E1ephant> you can kinda do the latter, but it's ass-pain imho. 22:00 < xingu> software based switching? whee. 22:00 < E1ephant> yeah to not even mention L2 22:00 < brianx> detha: yeah, and i've bugged them. pretty much the same results, full time logging, rebuild the route table manually from the log history... etc. nice people who tried but no results. 22:00 < E1ephant> :P 22:01 < xingu> what's really sad about linux networking is how few people have a clear mental model of how it actually works under the bonnet 22:02 < xingu> which makes me cry a little postulating at the number of man-years burnt at the stake of poorly reasoned, highly suspect conclusions 22:02 < brianx> thanks for the nforce mcp xingu. now when i have the money for a dozen machines with these in them and the willingness of the users to pay the electric bill to run them... i'll have the same speed because the internet is still the bottleneck. 
22:02 < detha> 'clear model' and 'linux networking' in one sentence? 22:03 < xingu> as in "application A on end station A sends a message to application B on end station B; describe what happens and when" 22:03 < xingu> I think in ... over a decade? only one person actually impressed me with their answer. 22:04 < xingu> mostly you just get a lot of word salad. 22:04 < detha> I know what happens. I have no idea which parts of the kernel handle what :p 22:05 < agent_white> Don't worry, Windows admins get to be more oblivious. They're lucky ;) 22:06 < brianx> for the most part, most of us don't really have that much use for knowing what happens in which parts of the kernel. for connections over consumer internet, performance is plenty good enough. 22:08 < xingu> brianx: forcedeth has been a constant source of amusement 22:10 < brianx> i'm not a gamer so haven't had reason to go with nvidia video cards and my last experience with their motherboards lasted about 2 years before it hit the circular file. this current motherboard is 5 years old now and not getting replaced anytime soon. nvidia anything isn't really interesting to me. 22:13 < xingu> then there was lance, and to a certain extent tulip, and 8139c, and via-rhine, and... :) 22:13 < lupine> I find linux's routing to be much easier to understand than openbsd's 22:14 < brianx> i ran an asus motherboard (in varying roles) for 12 years and finally shut it down because of the electricity it was using. still worked fine at shutdown. 22:19 < xingu> my biggest problem with linux these days is the lack of determinism; as in, will it take one tick or ten thousand to forward 22:20 < xingu> it's great as an end station, listening to a fabric port wrapped up as a pcie endpoint (or virtual function) 22:21 < xingu> in the dataplane though? less of a hell yeah, more of a fuck no. 22:21 < brianx> even on a relatively slow consumer router, 10k cpu cycles ticks is still only a fraction of a ms. 
22:21 < xingu> right, I wouldn't mind if it was always 10k ticks. 22:21 < xingu> but it isn't, it's as wobbly as hell 22:22 < brianx> it's not made for high volume data. it's fine for a desktop or a small router handling a couple users. 22:22 < brianx> the hardware under it isn't made for high volume. 22:22 < xingu> as a thing that runs a cli to make sure the broadcom blob gets pushed into the soc that does all the real work, it's fantastic. :) 22:23 < xingu> that's a pretty damning state of affairs though 22:23 < detha> linux routing is a swiss army knife. It can do almost anything (yeah, I know, mpls), but there are better versions of most of it 22:24 < brianx> that a desktop pc isn't good enough to use as a router for more than a few users? not damning at all to me. it's a pc, not an enterprise router. 22:25 < xingu> I'm talking about $5 things you buy at fry's :) 22:26 < xingu> that come with wall warts and can forward at Nx gigabit... deterministically. 22:26 < brianx> need to hook a 5 man office (that isn't doing data intensive shit) to corporate... great. need to run on a 10w appliance and connect a home user or family to the internet, great. need to run a remote video studio on it, get something real. 22:28 < brianx> that $5 fry's router is pretty impressive when you think about it. using linux as a loader and a user interface and an exception handler with all the real work done with proprietary hardware and software for five bucks... impressive. but it's not really linux, linux is not doing the fancy part. 22:29 < brianx> and by "five bucks", i mean $40 in today's money. 22:29 < xingu> right 22:31 < xingu> the basic pipeline stuff - address decode, ingress acl, trap to cpu for state table etc, police, shape... is a very robustly solved problem these days 22:32 < brianx> the police part can be ... slow. 22:32 < brianx> certainly not something the blob can handle on its own. 
22:33 < brianx> though i think it seems to know enough to figure out if a packet is interesting enough to send out to linux or not. 22:39 < brianx> who was it that decided japanese city names like Tokyo and Osaka should be used in routing examples? it's funny how common it is, it's even in the examples for softether. 23:09 < Harlock> brianx someone should tell them tokyo is not a city 23:09 < brianx> what is it then Harlock? 23:10 < Harlock> it's on the same functional level as a prefecture/state/province 23:10 < Harlock> ie one down from federal/national 23:10 < Harlock> it has cities, towns, villages and districts within it 23:11 < brianx> hmm, in many countries a city is the next step down from the federal/national level. not everyone has so many layers like the us and gb. 23:11 < Harlock> japan does 23:12 < E1ephant> like district of columbia 23:12 < E1ephant> or mexico city 23:12 < brianx> district of columbia is not quite either. not a state, but not in maryland. 23:13 < Harlock> in japan that 2nd level is usually called a prefecture in english 23:13 < E1ephant> they have congressional recognition now 23:13 < E1ephant> it's not far from a state 23:14 < brianx> not really. their representative has "limited voting privileges" 23:14 < brianx> and no senators at all. 23:16 < E1ephant> it's also 68 sqmi tho so seems appropriate for a "federal district" 23:16 < E1ephant> it's sovereign from any state power 23:17 < brianx> it is sovereign, always has been that. 23:51 < brianx> to be fair to the examples, they don't say it's a city. they just use the word. --- Log closed Thu May 31 00:00:38 2018