--- Log opened Sun Jun 10 00:00:52 2018
00:37 < cmj> wow
00:44 < spaces> wow what ?
00:44 < spaces> w0t
01:05 < jason85> What happens if some CA signs a tls certificate for e.g. paypal.com (that means there are now multiple valid certificates for paypal.com) and uses that to perform a MitM on a victim? Is this possible?
01:05 < lupine> very possible
01:05 < lupine> it happens from time to time
01:06 < Apachez> yes
01:06 < Apachez> bluecoat does this through symantec ca
01:06 < Apachez> which is why google and others throw out symantec ca
01:06 < Apachez> and blacklisted it
01:06 < lupine> yeah, it tends to be a time-limited attack
01:06 < lupine> so you find it saved for high-value targets
01:11 < CustosLim3n> hi
01:11 < CustosLim3n> is there something like socat that supports socks5?
01:19 < qman__> socat does support socks5
01:33 < spaces> Apachez blacklisting is racism, we should call it block it :P
01:46 < Apachez> spaces: you can go and buy yourself a nogger icecream
01:46 < compdoc> do they sell on ebay?
01:49 < MarkusDBX> if a network card has both infiniband and ethernet, what is fastest for tcp, ip-over-infiniband or ethernet?
02:01 < Apachez> depends
02:01 < Apachez> for tcp most likely the nic itself
02:01 < Apachez> because you get overhead doing tcp over infiniband
02:01 < Apachez> however to push data infiniband wins due to how its connected to the motherboard
02:23 < spaces> compdoc get out of your chair, icecreams are not delivered :P
02:23 < spaces> compdoc go outside, it might look scary but it's not jurassic park :D
02:23 < Apachez> the icecream company released a "nogger black" and all swedish snowflakes went mayhem =)
02:24 < Apachez> here is the original nogger :) http://www.gb.se/produkter/nogger-classic/
02:29 < spaces> Apachez we have that version without the inner chocolate, it's the best icecream actually
02:29 < spaces> simple and good
02:30 < Apachez> downside is that its cheap icecream
02:30 < Apachez> its made of skummjölk
02:30 < Apachez> dunno whats that in english
02:30 < Apachez> foammilk?
02:30 < spaces> milk made out of poweder
02:30 < spaces> powder
02:31 < Apachez> yeah
02:31 < Apachez> skimmed milk is the english word
02:31 < Apachez> also its filled with alot of air
02:31 < Apachez> compared to a real ice cream made out of cream and egg
02:31 < Apachez> which is far more dense
02:32 < spaces> I have now these cheap Cornetto's, 8 pieces for 1,75 euro :D
02:32 < spaces> and they are perfect!
02:33 < spaces> I hate expensive ice, why ? it's too temporary pleasure... the issue is if there is shit in it you feel bad after it
02:34 < Apachez> I love the stuff lidl sells
02:34 < Apachez> galleto or whatever their brand is
02:34 < Apachez> made out of real cream
02:34 < Apachez> and are dense and not fluffed with air
02:34 < Apachez> and good price :)
02:50 < dogbert_2> m00000000000000000000
02:51 < Apachez> dogbert_2 likes to m00000000000000000000 it m00000000000000000000 it
05:03 < SoniEx2> why do apple devices cause my wifi router to reboot forever?
05:03 < SoniEx2> why do apple devices cause my wifi router to enter a reboot loop?
05:05 < Kingrat> because apple ignores standards? or also possibly because your wireless router is bad or has firmware bugs?
05:10 < spaces> because Apples rot and they influence other fruits as well
05:36 * Some_Person has a TM-AC1900 that was flashed to stock RT-AC68U and not sure what to do now that ASUS is resetting these to stock on newer firmware versions...
05:55 < spaces> Some_Person huh ?
05:56 < Some_Person> The TM-AC1900 is basically an ASUS RT-AC68U router that was sold through T-Mobile at a discount. The stock firmware for it hasn't been updated in years, performs worse than the stock RT-AC68U firmware, and forces QoS settings for T-Mobile voice traffic that are not desirable.
05:56 < Some_Person> With the latest versions of the RT-AC68U firmware (as of the past few months), it automatically resets back to the T-Mobile firmware
05:59 < Some_Person> Just found this: https://docs.google.com/document/d/1NsZMONmJ70zMmoAKKQJXbTVKytaPJptWTpqih1TD5n8
06:32 < spaces> it does ?
06:32 < spaces> huh ? does it have 2 roms then ?
06:33 < spaces> Some_Person looks like someone did a nice job
07:28 < live1> hi
07:28 < live1> under pressure
07:28 < live1> how do you like the feel of the sodium pressure lights
08:45 < cluelesslol> question, why does 5Ghz wifi seem to suck every time I've tried it?
08:46 < cluelesslol> the lgtv 5ghz is unusable. my laptop's 5ghz is slow, etc. :/
08:47 < cluelesslol> like, what's the point of 5ghz if it's useless, or is it that it requires newer networking wifi to support?
08:51 < melissa666> cluelesslol, are you aware that it has shorter range and lower penetration? at close range with clear line of sight, it's significantly faster though
08:52 < melissa666> (sorry if you already know this - but it's a common reason why people think it "sucks", because they are trying to use it too far away or through too many walls)
09:27 < littl> is there a slack channel for networking?
10:54 < xqb> hello
10:55 < xqb> what does this image represent?
10:55 < xqb> http://www.i-programmer.info/images/stories/Core/Hardware/ADSL/channels.jpg
10:55 < xqb> the telephone line? or what..?
10:56 < detha> looks like DSL over copper yes
10:57 < xqb> I'm not sure from which perspective I'm looking at it
10:58 < detha> spectrum
10:58 < xqb> is that like as if the wire was cut and I'm looking at it front-view
10:58 <@xand> no
10:59 <@xand> it's not an actual picture of something
10:59 < detha> No. It says which frequencies in the signal are used for what
10:59 < xqb> ah ok
10:59 < xqb> thanks
11:00 < xqb> "It divides the frequency range available into 256 (the actual number can vary) separate 4KHz channels"
11:00 < xqb> ^ what does that mean in practice
11:00 < xqb> 4KHz part in particular
11:00 < xqb> I'm terrible at physics
11:02 < xqb> also is the same phone line used for 56Kbps modem and (A)DSL
11:02 < detha> 56K modem (to the telephone company) looks like voice, 300Hz to 3300Hz
11:03 <@xand> it is the same cable, that's the whole point of DSL
11:03 <@xand> to avoid replacing phone lines
11:03 < xqb> alright
11:03 < xqb> thanks
11:04 < dan01> So I like to play warcraft III on LAN with my friends, and I was wondering: Say we have two PCs, A and B, if A hosts the game, is it A that advertises packets on the network or does B look for possible servers? I think it's the first one, but how do you know? Thanks!
11:06 < ben8472> dan01 : pretty sure its the first one, you know about zerotier in case you wanna play over wan?
11:15 < dan01> ben8472: Nice! I have an exam on Tuesday, and I'm really stressed, How about this Friday?
11:16 < ben8472> oh i havent played it in years, i am busy on fridays but maybe on the weekend?
11:19 < dan01> ben8472: Sure
11:25 < jason85> How does iptables track UDP connections?
11:26 < xingu> jason85: it doesn't really, it just applies declarative logic designed to drop things it considers out of bounds
11:27 < xingu> jason85: logic like "is this outside packet coming from the same 4tuple as some recently-enough emitted inside packet"
11:28 < xingu> jason85: if I had the actual value of all packet scrubbers, and $5, I'd have $5.
11:28 < jason85> xingu: the 4 tuple being src/dst ip and port?
11:28 < xingu> jason85: yup.
11:30 < jason85> Yes that makes sense, thanks
12:02 < hey_> hey, any1 able to help with a noob query i have not sure related to networking
12:06 < ben8472> hey_ : just ask away, dont ask if you can ask
12:07 < hey_> huh
12:14 < sruli> i am having some trouble getting nic bonding 802.3ad to work in netplan, this is my 01-netcfg.yaml file https://paste.fedoraproject.org/paste/jslybH4dfkpSifXLACX2tQ
12:17 < sruli> ^ i cant get it to connect to the network
12:18 < sruli> the output of netplan --debug apply is https://paste.fedoraproject.org/paste/MTDppK8V~BOz6KOrAtDUyw which seems to suggest the config is ok
13:52 < Apachez> https://www.nbcnews.com/news/china/u-s-officials-prepare-thwart-chinese-spying-singapore-summit-n880896
13:52 < skyroveRR> lol
13:59 < Apachez> so if the chinese have hotel cards with builtin power and mic, guess what the muricans then have copied? :P
13:59 < Apachez> I'm a bit fed up with the single sided reporting
14:01 < dminuoso> It's not like the USA have this massive intelligence gathering tapping into fiber optics *world wide*..
14:02 < dminuoso> Spying on other countries officials, their mobile phones...
14:02 * dminuoso smiles
14:02 < skyroveRR> "Yeah, spying globally is ok, but how dare China spy on us!" /s
14:04 < shtrb> Apachez, can we have it in a more sensationalized form ?
14:05 < shtrb> How do you call the mobile phones with builtin facebook apps ?
15:22 < fefa2k> Hello guys
15:22 < fefa2k> I'm trying to wrap my head around TCP and path mtu discovery, maybe someone can help me out
15:23 < fefa2k> when a windows machine starts a new TCP connection to a server, does it do a path mtu discovery first?
15:24 < fefa2k> I tried capturing traffic but no icmp traffic showed up
15:25 < fefa2k> or does it assume it won't be smaller than 1500 bytes and that's it?
15:36 < aaro> iirc mtu discovery consists of setting the 'don't fragment' flag on packets and adjusting size if an icmp 'fragmentation needed' packet arrives in reply
15:50 < djph> PMTUD isn't normally necessary from a PC / server (I mean, it *can* do that ... )
16:27 < matthias__> hello, i have a server with two nics having ips on the same subnetwork and set the following options https://bpaste.net/show/f817511e9ded How can I route packets from 192.168.44.10 to 192.168.44.11 over the outbound network and not internally?
16:28 < matthias__> when i ping, arp requests are received but not answered by the other interface
16:31 < light> why have you done this?
16:32 < matthias__> light: this is a laboratory and the flow has to go out and back in because of external filtering
16:32 < matthias__> the network includes multiple servers with also two interfaces, same config
16:54 < varesa> I guess one way could be to put the NICs in separate namespaces
16:58 < tds> you might be able to modify that behaviour by modifying the local routing table, or the priority on the rule for it
16:59 < tds> namespaces sounds like a much nicer solution though
17:02 < matthias__> varesa: how can i do this?
17:04 < varesa> matthias__: I'm too busy right now to really help but try googling 'linux netns' for example
17:04 < matthias__> varesa: okay
17:34 < Apachez> djph: not really true
17:35 < Apachez> its the servers and clients who need that since its they who set up the session
17:40 < jvwjgames_> is it wise to go v6 only
17:41 < tds> depending on what you have on your network, I'd say it's certainly worth considering
17:42 < jvwjgames_> i do have some TV's that are v4 only i think but just wondering why is that to be considered just want to get an opinion if i may
17:43 < tds> my view is just that it makes everything simpler to manage, and you don't have to deal with nat everywhere (other than nat64 at the edge)
17:44 < jvwjgames_> ah ya the dreaded nat
17:44 < tds> it also makes sense if you run a very large network and have exhausted rfc1918 space internally
17:44 < jvwjgames_> i could disable v4 for all my NAT sensitive devices
17:46 < tds> disabling v4 on individual devices doesn't make a great deal of sense (unless you just fancy testing v6-only), since you still have to maintain all the v4 infrastructure
18:13 < Apachez> yeah think of the children?
18:13 < Apachez> is pornhub even reachable through v6?
18:19 < Peng_> No.
18:20 < Peng_> Is it actually easier to make sure 100% of your stuff has IPv6 than to run IPv4?
18:43 < Apachez> "natural juice is coming out of all its holes"... jamie oliver on tv :S
18:44 < mos6502> anyone here have experience with VyOS?
18:44 * danieli lurks
18:45 < danieli> mos6502: don't ask to ask, just ask
18:45 < danieli> Apachez: ... what
18:46 < mos6502> danieli: im trying it out, just looking for tips
18:48 < danieli> that's fairly vague
19:43 < tds> Apachez / Peng_: nat64 + dns64 is a nice solution to that
19:44 < tds> ie the computer I'm on right now doesn't have v4 connectivity, but ipv4.google.com resolves to 64:ff9b::acd9:146e and I can get to it via nat64 fine
19:53 < varesa> vyos is pretty great
20:01 < jpleau> hi. Not entirely sure if this is the right place to ask, but I thought it was network related: I want to use my desktop (Running linux) as a "router" so that my Roku box would get internet through it. I only have one network interface, will this work? The end goal is to eventually forward the traffic from Roku through a VPN (ie: forward traffic from roku to vpn, and forward traffic from vpn to roku (assuming
20:01 < jpleau> roku is the destination)
20:05 < fryguy> jpleau: well, how do you plan on connecting the roku to your desktop and your desktop to another network?
20:11 < jpleau> fryguy: I would set my machine's IP as the gateway in the roku. Creating a virtual interface on the desktop and setting up iptables rules to do the work. I'm just not sure if all of this can work together
20:11 < varesa> even with a single interface that could work, by adding two IPs to the desktop interface, if you trust that the Roku stays in the subnet you give to it
20:11 < fryguy> jpleau: i meant the physical connections
20:12 < jpleau> fryguy: roku -> physical router <- my desktop is what I have available to me
20:12 < varesa> but broadcast traffic would still bypass the desktop and the roku is just an IP change away from skipping past your firewall
20:12 < fryguy> jpleau: you said you have 2 network interface on your desktop right?
20:12 < fryguy> 1*
20:13 < jpleau> fryguy: I only have one, I would have to create a virtual interface most likely. I remember a long time ago (> 10yrs) I had my own machine as a router but with 2 network cards
20:14 < fryguy> jpleau: so your desktop physically connects upstream to your router using that 1 network interface
20:14 < jpleau> fryguy: yes
20:14 < fryguy> how are you also going to connect that 1 network interface to your roku?
20:14 < tds> hmm, I can't see why you'd even need a virtual interface or extra ip on that network for that
20:15 < tds> should just be able to point a default route on the roku at the desktop, desktop route to vpn server via the actual gateway, and a default route via the vpn, enable forwarding and configure nat if you need it
20:15 < jpleau> fryguy: The roku would be connected to the same router my machine is linked to. It wouldn't be connected to my machine. One part of me thinks it doesn't work but I have doubts
20:15 < fryguy> it would work, but it's gonna be dumb
20:16 < fryguy> what are you trying to accomplish?
20:16 < tds> if you want all of the traffic from your desktop to go over the vpn it's pretty easy, you'll have to do policy routing foo if not
20:16 < jpleau> fryguy: Use a VPN with my Roku without buying anything else (ie: an extra network card)
20:16 < fryguy> uh. ok.
20:18 < fryguy> that'll work i guess
20:18 < jpleau> tds: That's more or less the way I see it. Besides adding ACCEPT and DROP/REJECT basic iptables rules I'm lost in it. Looking for something that could help me achieve the whole forwarding story
20:19 < jpleau> fryguy: I'm aware it's not ideal, but to me it looks like fun learning material
20:19 < tds> to enable forwarding you just set the sysctl to 1, you may need to add rules for NAT depending on exactly what you want though
20:20 < varesa> tds: true, if all the traffic is between the desktop and the roku you don't even need another subnet
20:21 < varesa> so you don't have to think about return routes from other devices
20:22 < fryguy> you'll also want to blacklist the mac address of the roku on your router to stop it from inadvertently giving it an IP via DHCP during some fallback situations and bypass the VPN
20:22 < fryguy> tons of opportunities to leak out of the VPN
20:23 < tds> yeah, if you're concerned about leaks, the best option really is to isolate the roku at layer 2 from the rest of the network
20:23 < jpleau> DHCP is disabled on all my stuff, I manage ips manually but good idea about blacklisting, just in case
20:25 < jpleau> tds: when you say adding rules for NAT, what does that mean exactly? I'll look it up online but right now I'm not sure what to search for
20:25 < tds> do you control the vpn server?
20:26 < jpleau> No
20:26 < tds> in that case if you just forward traffic to it with some random rfc1918 source address (192.168.2.5 or whatever), it won't have a route for any replies back to that address, so it won't work
20:27 < tds> so you need to SNAT the traffic from the roku to the vpn server, so it appears to originate from the desktop's ip on the vpn interface
20:27 < tds> as a very lazy rule, something like -t nat -A POSTROUTING -o tun-vpn -j MASQUERADE would do what you want
20:28 < jpleau> tun-vpn is the interface that openvpn would have created ?
20:28 < tds> yes
20:33 < jpleau> okay, I'll try to make something work. Thanks everybody
20:47 < jpleau> Well, that seems to work perfectly, awesome. I suppose I can limit the FORWARD rules to a specific IP so as to not allow people from outside my network to use my desktop as a router
20:53 < jpleau> -A FORWARD -i enp3s0 -s 192.168.0.1/24 -j ACCEPT would this be acceptable? Only allow forwarding when source is from 192.168.0.x
21:00 < tds> that looks fine, you'll need to allow traffic back in the other direction though (or just allow any established connections)
21:03 < jpleau> Yeah I have the same rule for output (minus the -s). Good idea about established. --state ESTABLISHED -j ACCEPT -o , that will work even if input and outputs aren't the same interface?
21:43 < Goop> How do I get my Ubuntu desktop machine to auto-configure with my WiFi IPv6?
21:47 < lupine> look to your router
21:47 < lupine> SLAAC will be enabled and working by default
21:48 < Goop> My brother says that IPv6 is working on the network, but my Ubuntu machine doesn't seem to want to automagically give me IPv6.
21:52 < tds> I'd check that something is actually sending router advertisements, you can do that just by doing a packet capture of all icmpv6
21:52 < tds> ie tcpdump -vvni eth0 icmp6
21:55 < Goop> The command you gave me seems to be a listen thingy. What kind of stuff do I need to do to see if the router is sending IPv6 stuff?
21:56 < tds> that will let you see if the router is sending router advertisements - if you see that it is, then you need to diagnose why your device isn't seeing them and setting an IP + routes from that
21:56 < linux_probe> heh
21:58 < Goop> I'm honestly not sure what all that means.
21:58 < tds> are you able to upload the output anywhere?
21:58 < tds> you should see something like this: https://hastebin.com/copawewiro.go
21:58 < Goop> Wait, I'm starting to see stuff.
22:00 < linux_probe> how r tu ipv6
22:01 < Goop> https://paste.debian.net/1028693/
22:02 < tds> something (likely your device) is sending a message to all routers trying to find them (a router solicitation), it doesn't look like anything is replying though
22:05 < Goop> My brother has 4 Luma devices, 3 repeat and I think only one is actually the router.
22:21 < Perme8> what kind of position should i be looking for with a ccna and a Network Management degree
22:32 < Kingrat> help desk
22:53 < spaces> I vacuumed my bedroom, wow it's twice as big
22:57 < jpleau> all that work earlier and I can't change the IP / gateway settings in the Roku, sigh. At least I learned something.
23:14 < linux_probe> lmao @ Kingrat saying help desk
23:20 < spaces> linux_probe I thought you were the crack desk
23:21 < linux_probe> herp herp
23:21 < linux_probe> derp derp
23:21 * linux_probe just returned from the shart desk
23:21 < linux_probe> aka the throne
23:21 < c|oneman> I have a yoga ball chair
23:21 < spaces> linux_probe herpes ?
23:21 < Kingrat> i thought you said you worked the short desk
23:22 < linux_probe> naw, we all shit
23:23 < linux_probe> cept for the colostomy bag fells, in which it just blurts out
23:31 < petemc> whats the worst case scenario for a network with a mix of hosts that use /21 and /22 and vrrp ?
23:32 < xingu> finding out that one of those hosts is the vrrp standby
23:33 < petemc> can you elaborate xingu ?
23:37 < petemc> using brocade switches, im finding routes missing and null populated arp tables
23:46 < Fieldy> sounds like a brolapse
23:47 < petemc> brocade is indeed a pun friendly name
23:48 < lupine> brolapse :3
23:49 < linux_probe> o_O
23:50 < linux_probe> drynolube
23:55 < Apachez> too bad brocade got split up
--- Log closed Mon Jun 11 00:00:53 2018