--- Log opened Tue Jun 19 00:00:04 2018
01:27 < Goop> Does anyone own/maintain/develop a website that has decent amount of activity from users?
01:28 < TandyUK> Goop: i expect lots of people
01:29 < Goop> The reason I ask, is I want to start a web/mail hosting business and wanted to see if anyone is willing to let me host their website for them (for free/reduced price), so I can work out the "bugs" before selling to others.
01:30 < TandyUK> just use ab
01:30 < Goop> ab?
01:30 < TandyUK> i certainly wouldnt put anything near a test server lol
01:31 < light> apache benchmark
01:31 < TandyUK> google it, apache benchmark or something 'ab' is the program name
01:31 < Goop> There's a little more to it than I would think an Apache benchmark could accomplish
01:31 < light> the margins are slim on such businesses
01:36 <+catphish> Goop: i can't imagine anyone with substantial traffic is going to go for that offer :(
01:38 <+catphish> just make some test sites, and test them i guess
01:44 < Goop> Actually, I'm not looking for substantial traffic. I'm looking for about 20-1000 users per hour
01:49 < kwork> Goop: and exactly why ab would not work for that ?
01:54 < thecha> can I set up my ubuntu server the same way as i did with this lamp server on my raspberry pi?
01:57 < compdoc> dont know. Id be surprised if all the packages will install and run
01:57 < kwork> kind of depends on what he was running on pi as well
01:57 < thecha> can i set the whole remote thing up the same way too?
01:57 < thecha> kwork lamp server
01:58 < kwork> thecha: that says not much about the distro used on pi
01:58 < thecha> raspbian
01:58 < thecha> it is sort of a dumbed down debian
01:58 < thecha> i thought maybe since ubuntu is based on debian...
01:59 < kwork> but why use ubuntu on the server :P?
01:59 < kwork> if you could use debian what is more similar to raspbian ?
01:59 < thecha> yesterday... in this channel...
people insisted i use ubuntu or centos
02:00 < kwork> different people have different preferences
02:00 < thecha> well i also run trisquel as my main desktop pc and
02:00 < kwork> will you start drinking my favourite beer as well :P?
02:00 < thecha> yeah so it is the same either way right?
02:00 < kwork> are all the beers the same ?
02:00 < thecha> which is it?
02:00 < thecha> i am not big on alcohol...:)
02:01 < kwork> are all the juices the same :P?
02:01 < Goop> kwork, because I have a custom storage setup that I am concerned that it may or may not work. Pinging a server doesn't really challenge the database, mailing, etc..
02:01 < kwork> Goop: ab isnt actually pinging a server
02:03 < thecha> kwork they are not the same, but they are so similar that when you get an unknown juice nothing that you get will come as a surprise
02:03 < thecha> i mean they are all sweet, liquid and fruity
02:04 < kwork> thecha: as of you need to first taste them to know which one you like the same goes for distros
02:07 < thecha> fair enough
02:07 < kwork> thecha: i would say run debian but thats just my cup of tea
02:08 < kwork> everyone has their own
02:08 < kwork> most likely raspbian is most similar to pure debian :)
02:13 < thecha> what do you run on your own server?
02:14 < tds> debian on all the things :)
02:15 < thecha> sweet
02:15 < tds> but again, there are plenty of options, it's worth trying various and seeing what you like
02:15 < thecha> if you stay in the headless mode it looks the same anyways
02:17 < thecha> Ivmk3wew!
02:17 < thecha> whoops just typed my keyphrase in chat...
02:20 < TandyUK> and just told everyone
02:20 < TandyUK> happy changing :)
02:21 < tds> don't worry, it's not like there are 1271 people in here ;)
02:35 < xdroop> All I saw was *********
02:40 < kwork> thecha: i would vote for debian as well, but everyone has their own
02:48 < luxio> could someone else on the same network downloading a large file affect the internet speed on my device as much as if i was downloading it on my own device?
02:48 < Spice_Boy> of course
02:49 < Spice_Boy> if it goes through the same Internet pipe
02:49 < luxio> wifi
02:50 < S_SubZero> the internet pipe is the one that goes from your residence to the interwebz.
02:59 < nuun> greetings. So far all the documents I have read state captive portals only block access to internet. To engage LAN control it will require NAC and 802.1x authentication according to reads. Could captive portal do for entry to LAN what it does for internet access?
03:06 <+pppingme> nuun there's a big assumption with that statement
03:07 <+pppingme> in other words, while technically accurate, not really true
03:09 < Spice_Boy> nuun: it could yes, if done right
03:09 < Spice_Boy> internet is just a network too
03:33 < melissa666> thecha, re: your now-public keyphrase, when resetting you might want to consider this ;) --> https://xkcd.com/936/
03:35 < melissa666> nuun, what you are suggesting is possible and trivial to implement from a technical perspective, however the reason it's not generally done is that (a) the Internet is where most of the threat lies with repressive states, due to exchange of ideas from outside their censorship bubble and (b) it would be extremely expensive to implement on all LANs (you're talking 100s of thousands to millions of networks) whereas
03:35 < melissa666> implementing censorship in a handful of large ISPs is trivial
03:37 < melissa666> However, one method that would make it possible is to place the burden of implementation on network administrators, and have extremely stiff penalties
if individuals/organizations are caught not implementing state censorship/access-control protocols ... but it still wouldn't be as effective as working with cooperative ISPs
03:45 < pekster> Crypto passphrase security? Also relevant: https://www.xkcd.com/538/
04:21 < yates_home> for years i've had my home network configured where i've disabled the dhcp server on my router and instead run the isc dhcpd on my main linux machine on the internal network
04:21 < yates_home> and i've used the same dhcpd.conf file
04:21 < yates_home> but now this: https://paste.fedoraproject.org/paste/b9toPp8Xsr3k-g969jrqX
04:22 < yates_home> https://paste.fedoraproject.org/paste/b9toPp8Xsr3k-g969jrqXg
04:23 < yates_home> why the "Remove host declaration..." ?
04:23 < yates_home> i've got that ip address mapped uniquely by mac address
04:23 < yates_home> https://paste.fedoraproject.org/paste/FhZe12gvDsqdEaGtBPxvlQ
04:24 < yates_home> don't know if it's related, but i also got a new laptop today running win10 and have been connecting it to the network.
04:25 < yates_home> any thoughts?
04:25 < dnanib> 192.168.1.0/24 - this your entire subnet? A good practice is to keep DHCP pool separate and static assignments (even via DHCP) separate within the subnet
04:26 < yates_home> how is that done via the dhcpd.conf?
04:26 < dnanib> I do: 192.168.2.0/24 as entire subnet, 192.168.2.64/26 as DHCP pool and assign statics from 192.168.2.0-63.
04:27 < dnanib> Sorry, I do it with dnsmasq. Don't recall the exact incantation for ISC DHCP
04:27 < yates_home> ok, well thanks dnanib.
04:27 < yates_home> but this has been working for years... ?
04:28 < dnanib> That's what the log is saying. "Remove host declaration freeda-wireless or remove 192.168.1.121
04:28 < dnanib> from the dynamic address pool for 192.168.1.0/24"
04:28 < yates_home> i really don't see why separating them is necessary. if an address is leased, it's not available. why the problem?
04:28 < dnanib> Maybe you should post the full config file?
04:29 < yates_home> leased whether via a fixed ip or from a pool, that is
04:29 < yates_home> sure , hang on
04:29 < yates_home> https://paste.fedoraproject.org/paste/dw7LGuRKTCtivz1qmihQRw
04:29 < dnanib> Usually a software design decision. It needs complete autonomy in assigning any IP in the pool to any mac requesting one. This sort of thing interferes with that (often optimized) algorithm.
04:30 < yates_home> so just change the "range" in the "subnet" spec?
04:31 < dnanib> Your static assignments are all in 192.168.1.101-155. So change the range to start from 192.168.1.156 or something
04:31 < yates_home> 192.168.1. ...
04:31 < yates_home> right
04:31 < dnanib> range 192.168.1.156 192.168.1.255;
04:32 < yates_home> also, while i got you on the phone ( :) ), any idea why my windows 10 laptop would be getting hosed wifi connections?
04:32 < yates_home> it connects, but it can't dns lookup, it seems.
04:33 < yates_home> i know, could be 1000 things..
04:34 < yates_home> sometimes it can't lookup, sometimes it can.
04:34 < yates_home> dnanib: thanks, changing the range did the trick.
05:37 < myxenovia> hi
05:38 < myxenovia> im learning sound for voip
05:39 < myxenovia> i dont understand why does mono and stereo matter in a record
05:39 < myxenovia> i mean there will only be one source of sound
05:39 < myxenovia> the outside of the device
06:01 < nuun> melissa666: it is a college campus LAN. We are reducing network load by imposing restrictions on the number of devices and removing full automation of network joins.
06:03 < nuun> pppingme: the assumption being that the internet is generally represented by 0.0.0.0 in most routes and code 200 means unhindered access?
06:58 < melissa666> nuun, I'm curious what kind of load you're trying to reduce by imposing restrictions on # of devices? When you say "removing full automation of network joins" are you referring to DHCP?
Are you saying you'd like something akin to captive portal, where users have to authenticate to access the LAN?
07:05 < melissa666> nuun, If so, you might want to check out RADIUS --> https://freeradius.org
07:05 < melissa666> (apologies if I'm misunderstanding what you're trying to do)
07:15 < ShapeShifter499> hi
07:20 < melissa666> ShapeShifter499, greetings
07:21 < ShapeShifter499> I'm wondering if there is a bottleneck somewhere or if it's just my crappy router
07:21 < ShapeShifter499> I thought I had Gigabit speeds but I'm not seeing that
07:21 < ShapeShifter499> 30-ish or less Mb/s
07:21 <+pppingme> between devices on your lan, or to internet?
07:22 < ShapeShifter499> this is my router https://wiki.openwrt.org/toh/wd/
07:22 < ShapeShifter499> between my LAN devices
07:29 <+pppingme> ShapeShifter499 how are you testing the speed? how did you derive the 30'ish number?
07:30 < ShapeShifter499> pppingme: it's just a file transfer using scp
07:30 < ShapeShifter499> sometimes also with Nextcloud
07:30 <+pppingme> then your bottleneck probably isn't related to network
07:31 <+pppingme> you're either maxing out a cpu core, or you're at the limit of your hard drive
07:34 <+pppingme> run iperf between the two workstations
07:34 < ShapeShifter499> pppingme: I figured. So if I had better hardware on either end, do you think that the router I linked too would be any issue?
07:34 < ShapeShifter499> *to
07:42 < melissa666> ShapeShifter499, no, at least not an issue that would limit you to 30Mbps ... the problem is elsewhere
07:45 < melissa666> I notice that you linked to openwrt btw. are you running openwrt on the router, and if so are you running scp from the router itself? if so that's probably your issue. routers are usually rather CPU/RAM constrained
07:48 * dnanib feels left out :-(
07:54 < ShapeShifter499> melissa666: no I'm fairly certain the bottleneck is at the other end. I have a Raspberry Pi but I recently got a Rock64 with 4GB of ram.
I read some reports where people got high network throughput on the Rock64
07:57 < ShapeShifter499> melissa666: yes I run OpenWRT I just wanted to make sure my router wasn't the culprit
07:58 < liveuser33> shapeshifter499 why you run openwrt?
07:59 < liveuser33> how you speaking latin?
07:59 < liveuser33> quasi qam
07:59 < ShapeShifter499> liveuser33: security, up to date software. The router is a WD My Net n750 and Western Digital discontinued support
07:59 < ShapeShifter499> hmm
07:59 < ShapeShifter499> troll?
08:00 < ShapeShifter499> melissa666: pppingme thanks for the help
08:00 < liveuser33> yeah western digital is picky
08:01 < liveuser33> why running a wd router?
08:01 < ShapeShifter499> I got three WD routers on fire sale
08:01 < ShapeShifter499> seemed like a decent deal for a router that was dual band 2.4Ghz/5Ghz
08:02 < ShapeShifter499> I think it was less than $20, maybe $15?
08:02 < liveuser33> yeah the software is important though
08:02 < liveuser33> routing is tricky
08:03 < liveuser33> if they put junk software on it , then it is next to nothing, worthless
08:03 < liveuser33> wifi can be used for point to point jumps
08:03 < liveuser33> aside from that wifi is a mess
08:04 < liveuser33> looking for a 5ghz client chip
08:04 < liveuser33> they all have different firmware
08:05 < liveuser33> maybe not work even if hardware claims capable
08:05 < nojeffrey> Any companies make cat5/6 patch cables in like 10cm increments? say 40cm, 50cm, 60cm, etc?
08:09 < liveuser33> if both chips are the same it is reliable for ptp
08:09 < liveuser33> other than that maybe maybe not
08:11 < liveuser33> shapeshifter499 do you miss when I ran the internet?
08:12 < liveuser33> apparently somebody took it over
08:14 < liveuser33> shapeshifter499 explain simply one thing which changed for the worse
08:14 < liveuser33> something was going right, then some clown jumps in and screws it up
08:27 <+pppingme> nojeffrey they can probably be ordered..
why do you want such short cables?
08:47 < nojeffrey> +pppingme trying to clean up some server rooms
08:47 < yasoob__> Hi everyone! I am trying to create probe requests using scapy on Ubuntu 16.04
08:48 < fiet> nojeffrey: Isn't it easier to make those cables yourself?
08:48 < yasoob__> This is the code I am trying to use: https://paste.debian.net/1029848/
08:48 < nojeffrey> Thats a lot of cables
08:48 < yasoob__> The problem is that its not returning any response and no probe request is captured by the sniffer I have running on a different machine. Can someone kindly guide me a bit? I have been trying to get this working for far too long now with no apparent success
08:49 < liveuser33> hi Jeffrey
08:49 < nojeffrey> I watched this: https://www.youtube.com/watch?v=amdfzcqaTIQ&t=1s
08:49 < nojeffrey> half way through he says it's not worth his time to make his own cables and he does this for a living
08:50 < nojeffrey> liveuser33 hi
08:50 < fiet> Right. Indeed only useful when it's a handful.
08:50 < nojeffrey> I have about 5 patch panels in about 10U of rack, and thought if I could buy 20 x 40cm, 20 x 50cm, etc I could get decent cable management
08:51 < TandyUK> just make them up yourself
08:51 < TandyUK> thats what the cable management columns down the 2 sides of the rack are for ;)
08:51 < TandyUK> assuming you have proper racks and not baby racks
08:52 < TandyUK> "comms rack" vs "equipment rack" in Excel speak
08:52 < TandyUK> comms racks have a 100mm channel down each side for cable management
08:53 < nojeffrey> 3 server rooms, avg 80 cables, I'm not making 240 cables
08:53 < spaces> morning non sexy admins :P
08:54 < nojeffrey> I don't want perfect like /r/cableporn, just pretty good
08:54 < TandyUK> afaik most places you'll only get premade cables in .5m increments
08:54 < nojeffrey> closest I've found: https://www.fs.com/c/cat5e-patch-cables-593
08:54 < nojeffrey> 6", 12", 24".
etc
08:54 < TandyUK> nojeffrey: then just give up lol, if youre not aiming for cableporn standards, youre not doing it right imho
08:54 < yasoob__> Can anyone please help me with my wireless probe requests problem? :)
08:56 < fiet> I've never seen cables for sale in 10cm increments. Would be nice though, but I can imagine it would not be profitable enough to keep all those lengths in stock.
08:58 < fiet> yasoob__: Is this the actual config you use? I have no experience with scapy but I can imagine you have to use actual mac addresses
08:59 < yasoob__> fiet: addr1 and addr3 are broadcast addresses because I am broadcasting the probe request and not targeting it to a specific AP
08:59 < nojeffrey> TandyUK I cant even get to a switch I need in one room, its a giant mess, to do cableporn standards I need to replace the patch panels
09:00 < fiet> yasoob__: Like I said, I have no experience with scapy. Have you put your interface into monitoring mode? (For radiotap)
09:00 < nojeffrey> fiet I see, thanks
09:01 < yasoob__> fiet: I have tried it both ways. But I was unsure as to whether I need to put it in monitoring mode even for probe requests. I thought it is only required when you are sniffing. Are you sure its required to have the card in monitoring mode even for probe requests? Sorry my knowledge is rusty
09:03 < fiet> yasoob__: I'm not sure how scapy works and what the source address would be, but it would make sense that it will be the hwaddress of the box itself as source and destination broadcast. So anything responding will be responding to the source and monitoring would not be necessary.
09:04 < yasoob__> fiet: Yup I have the mac of the source box as the source mac in scapy
09:04 < yasoob__> I updated that in my code
09:04 < yasoob__> only the broadcast and the AP (addr3) are broadcast
09:04 < nojeffrey> yasoob__ scapy is also a command line tool
09:05 < nuun> melissa666, thanks. Was looking at a combination of which RADIUS would be a dependency.
Would be using 802.1x and NAC. But management said to research captive portal as an option before moving to unfamiliar territory of 802.1x and NAC.
09:05 < nojeffrey> try do what you need directly in scapy first, then branch out to python
09:05 < fiet> yasoob__: What you could do is run a tcpdump/wireshark session next to it in monitoring mode and see if there is any response and your box is missing it for some reason (iptables?), or that it is not responding at all.
09:06 < yasoob__> fiet: Thanks. I guess I should try that next
09:06 < yasoob__> nojeffrey: thanks but I already tried that and considering that my code is only 4-5 lines it should not make much of a difference
09:07 < yasoob__> fiet: I think there is no iptables issue because when I issue a probe request using the network manager on ubuntu, the probe request is logged by my sniffer running on a diff machine
09:09 < fiet> yasoob__: I've made the mistake to properly check iptables way too much. Best is to disable iptables during testing to make sure. Only when you're in an environment where hat is safe to do of course.
09:09 < fiet> *that
09:11 < yasoob__> fiet: Ok best. I will take a look into that. Thanks
09:16 < discipulus> I'm running archlinux with i3wm on a desktop computer with a wired connection and I have a few issues.
09:16 < discipulus> I'm fairly sure I myself am the architect of my problems, but nevertheless, I can't figure out how to solve them.
09:17 < discipulus> When I installed the system I enabled dhcpcd to get internet connection. So far everything worked just fine.
09:17 < discipulus> After this I set up openvpn and NetworkManager (because I thought I needed NetworkManager to get openvpn to work).
09:17 < discipulus> From this point, every time I boot the computer it takes a few seconds for me to get a connection. After I'm logged in to the desktop I have to wait 5-10 seconds and then reload i3 to get everything to work properly.
09:18 < discipulus> I know I should not run both dhcpcd and NetworkManager at the same time, but if I disable NetworkManager it takes even longer to get a connection. The same thing happens when I try to disable dhcpcd.
09:18 < discipulus> I don't know if it's NetworkManager, dhcpcd or openvpn that is causing this issue.
09:18 < discipulus> I haven't edited any config files for either NetworkManager or dhcpcd. I've just enabled them.
09:21 < discipulus> Oh, and it seems I'm connected both to ethernet AND wifi at the same time.
09:21 < discipulus> I don't know how that is possible, but I'm sending and receiving packets on both.
09:23 <+pppingme> nojeffrey minimum cable length is 1 meter.. anything shorter causes issues
09:36 < nojeffrey> +pppingme like bandwidth or connectivity issues?
09:36 < nojeffrey> that vid I linked above, he used 6" cables and he sounds like he does this for a living
09:44 < system16> Hi. my isp now provides VDSL services and i have ADSL2+ . should i change my plan to VDSL ?
09:48 < Roq> system16: VDSL usually offers higher throughput. If the price is the same and you get more speed then yeah
09:48 < Roq> Make sure your router supports vdsl
09:48 < system16> so more upload speeds ? what about download ?
09:49 < Roq> More download speed as well usually, at least in my country
09:49 < Roq> Just compare the plans on your provider's site?
09:50 < system16> i will. thanks
09:50 < liveuser33> system16 what dsl service have you?
09:50 < liveuser33> what provider?
09:51 < Roq> There is a vectored VDSL2 standard that can go up to 100/30
09:51 < liveuser33> juno sells and att sells
09:51 < Roq> ADSL2 is around 20/1?
09:51 < system16> liveuser33, what do you mean ?
09:51 < liveuser33> brand
09:51 < liveuser33> what brand
09:52 < system16> i have 16 Mbps download speed and 1 Mbps upload speed.
(700 GB per month)
09:52 < system16> TCT
09:52 < system16> ^^
09:52 < Atro> lol
09:52 < Roq> Well then VDSL will probably increase your speed :p
09:53 < system16> i dont wanna decrease my download speed tho.
09:53 < Roq> It won't. it will increase your download and upload
09:54 < liveuser33> now seems att has brand
09:54 < liveuser33> the human hosts are damaged
09:54 < system16> thanks. now i have a reason to change this pos modem router combo :)
09:54 < liveuser33> what happened
09:55 < Roq> system16: Your speed is now 16/1 (16mbit download, 1mbit upload). VDSL will have speeds like 50/5 or even 100/30
09:55 < liveuser33> what does this to humans
09:55 < liveuser33> mold
09:56 < system16> roq lol we dont have those speeds in here i think the maximum speed in this country is 40 MBps
09:56 < Atro> i can get 100Mbps with like 5 euros
09:56 < Atro> unlimited
09:57 < liveuser33> what making you with the dsl?
09:57 < system16> ?
09:58 < Roq> system16: Ah ok. It's country dependent what speeds you get, but as a general rule VDSL throughput speeds (download and upload) are higher than ADSL
09:58 < system16> i tried satellite services but they suck too . high pings...low speeds
09:58 < system16> liveuser33, ^^
09:58 < Roq> What country do you live in?
09:59 < liveuser33> if it is radio satellite expect high ping
09:59 < system16> un(fortunately) Iran
09:59 < liveuser33> how lonf does it take for traveling?
10:00 < Roq> Ah ok
10:00 < liveuser33> such is pingtime
10:00 < system16> lonf ? did you mean long ?
10:00 < liveuser33> yes
10:00 < system16> traveling to where liveuser33 ?
10:01 < liveuser33> interesting question
10:01 < Roq> I'm not up to date with the connectivity possibilities in Iran, but to answer your initial question VDSL is better than ADSL
10:02 < liveuser33> note the business have different angles on dishes
10:02 < momomo> I have a printer that I've successfully installed using WPS and without cables ...
however, the Scanner functionality seems to work, at least with my program on Ubuntu (Mint). Is there a program or an easy way to get the scanner functionality to work as well without cables ?
10:03 < system16> k thanks for helping me out. i have to go . take care
11:24 < djph> momomo: (x)sane is usually the goto for scanning. Personally though, I tend to use the "scan to sftp" for my stuff
11:27 < tya99> first world problems
11:27 < tya99> need to buy more stuff to get 11.1% discount
11:27 < momomo> djph: do you have an example of how such a command might look like /
11:27 < momomo> ?
11:27 < tya99> https://ubwh.com.au discount if you buy over $2k stuff
11:27 < tya99> EdgeSwitch8 - 150W (2x) $563.76 ($281.88ea)
11:27 < tya99> 1m Grounded, External CAT5e (5x) $117.50 ($20.88ea)
11:27 < tya99> G3 UniFi Video Camera IR - 5 Pack $957.57
11:27 < tya99> Subtotal: $1,638.83
11:27 < tya99> i need to buy more things!
11:28 < momomo> buy a 4k monitor
11:28 < tya99> if only i didn't buy my EdgeSwitch16 150W two years ago from somewhere else!
11:28 < momomo> keyboard?
11:28 < tya99> they don't sell anything but networking hardware
11:29 < momomo> ook
11:29 < tya99> and i had planned to buy the switches and security cameras already
11:29 < momomo> tya99: hosting something?
11:29 < tya99> nah
11:29 < tya99> just upgrading my security
11:29 < momomo> haha
11:29 < momomo> tya99: are you an expert?
11:29 < momomo> on networking?
11:29 < tya99> i want outside security cameras as i don't have any
11:30 < tya99> i wouldn't say so, but i am learning things
11:30 < zenix_2k2> one question, i have a UDP server running on port 8080 but i am not sure whether it has been started or run properly or not, is there anyhow i can check it ?
11:31 < djph> momomo: "command" for what?
11:31 < zenix_2k2> and btw, i am using python to make this server if that info helps
11:31 < tya99> zenix_2k2: check logs check the daemon's status use tcpdump
11:31 < momomo> djph: for scanning ...
i am guessing you meant scan to mail kind of thing ?
11:31 < tya99> check ps aux
11:31 < momomo> only to ftp instead?
11:31 < tya99> to see it is running
11:31 < djph> momomo: no, I literally meant what I said. Granted, the printers I buy support that functionality
11:32 < zenix_2k2> tya99: but this is UDP
11:32 <+catphish> why is it always claimed that RAID 10 is faster than RAID 6?
11:32 < djph> catphish: no idea
11:32 < tya99> zenix_2k2: ps aux will show if the process is running tcpdump will show if any packets are coming from it on 8080
11:32 <+catphish> wouldn't RAID 6 be able to write faster as it doesn't need to write 2 copies of everything
11:32 < tya99> zenix_2k2: on that interface
11:32 <+catphish> or maybe not, maybe every write actually required 3 writes
11:32 <+catphish> i'm not sure
11:33 < tya99> zenix_2k2: tcpdump can do udp traffic
11:33 < momomo> djph: so you push a button on the scanner and it ends up on a server someplace? i am guessing you don't initialize the scan from the computer?
11:33 < detha> catphish: "it depends". a raid10 using two controllers for example would be faster (as long as you don't hit PCIE limits)
11:33 <+catphish> oh, RAID 6 writes do require quite a lot of operations
11:33 < djph> momomo: yup
11:34 <+catphish> "Each write operation requires the disks to read the data, read the first parity, read the second parity, write the data, write the first parity and then finally write the second parity. This comes out to be a six times write penalty, which is pretty dramatic"
11:34 <+catphish> that explains it :)
11:34 < djph> on the other hand, the data's likely more stable than raid10
11:35 < tya99> zenix_2k2: tcpdump -i eth0 -n udp src portrange 8080
11:35 < tya99> like that
11:36 < tya99> zenix_2k2: make sure to check the service is actually running ie "ps aux |grep thing"
11:36 < tya99> zenix_2k2: no packets are going to come from something that isn't running ;)
11:37 < detha> djph: 'more stable' ? in what fashion?
11:37 < Reventlov> Can I get 802.11 radio information, such as Antenna Signal, signal strength, etc, for a device not in monitor mode, for each frame destined to the device? (for itself, not for every frame received)
11:37 <+catphish> djph: RAID 6 can sort of handle more failures, especially if you use the extra capacity it offers to add some hot spares :)
11:38 < djph> detha: in that you can lose more drives before the array is useless
11:39 < detha> djph: as far as I remember, R6 can lose two drives, R10 between 1 and half the array. So on average, R10 is safer...
11:40 < djph> detha: ah...
11:40 < TotallyNotKim> regardless of what two drives for raid6?
11:40 < zenix_2k2> tya99: ok thk
11:40 < TotallyNotKim> because in 10 you lose one and the next should be 50:50 lol
11:41 < shtrb> Anyone have experience with LTE/GSM modem that expose the entire interface over USB ? (getting /dev/ttyUSBx and not some android that give you ethernet device) I have three different ones and all are $!$@ androids
11:50 < meowschwitz> shtrb: er, what do you mean 'android'
11:51 < meowschwitz> i have a chinese modem dongle that acts like a flash drive and has to be modeswitched to modem so that it exposes the serial port
11:51 < grawity> shtrb: throw ModemManager at it
11:51 < meowschwitz> shtrb: http://www.draisberghof.de/usb_modeswitch/
11:51 < grawity> shtrb: or the low-level qmi / mbim tools
11:51 < shtrb> meowschwitz, it run internally an android firmware
11:52 < meowschwitz> shtrb: that's retarded
11:52 < shtrb> grawity, used modemmanager (which failed )
11:52 < grawity> shtrb: which failed for what reason exactly
11:52 < shtrb> neither qmi or mbim are loaded , but modem manager can see IMEI , do some AT commands (but not all )
11:53 < shtrb> grawity, modem is not initialized
11:53 < shtrb> meowschwitz, not going to argue, 100% agree
11:53 < shtrb> mmcli give some info
11:53 < grawity> do you know whether it *supports* either MBIM or QMI, or only AT?
11:55 < shtrb> no
11:55 < Kartagis> hello
11:56 < Kartagis> can ns and mx point to different locations?
11:56 < shtrb> I do not have ANY evidence it should (example the one I'm using now is Huawei E3131)
11:56 < grawity> Kartagis: of course
11:56 < shtrb> Kartagis, yes
11:57 < TotallyNotKim> Kartagis: did someone tell you yes already?
11:57 < Kartagis> TotallyNotKim: yes, they said yes
12:01 <+catphish> wow, megaraid is seriously confusing
12:06 < momomo> djph: i was able to do it with sane
12:06 < momomo> xsane
12:06 < winsoff> Everybody around me is paranoid, now. Are there any no-frills IP cams that can just send an e-mail when they detect movement, or some shit?
12:08 < melissa666> winsoff, yes, implementing motion-activated cameras is trivial. you can download software like zoneminder that will do this for you
12:08 < hexoroid> I am having issues on one of my ports its picking up 169.* here are my ipconfig and route tables
12:08 < shtrb> yes
12:09 < hexoroid> all other ports on network pick up 192.168.0.1-255 just fine do i need to add route -p ADD 192.168.0.0/24 MASK 255.255.255.0 192.168.0.3
12:09 < shtrb> winsoff, check motion project
12:09 < hexoroid> so it picks up DHCP the correct way so i dont type it in manually ?
12:10 < winsoff> shtrb, melissa666: So I could just buy whatever cheapest not-garbage camera I can find, and then go from there? Interesting.
12:11 < shtrb> It need to have usb interface / network , but you could use a ~$35 pi + ~$10 webcam
12:11 < melissa666> winsoff, yes, take a look at this --> https://zoneminder.com/features/
12:11 < shtrb> you might use even cheaper ones
12:12 < winsoff> The Pi is strong enough to do that? I guess it doesn't scale to 3/4 streams, right?
12:12 < melissa666> The pi is strong enough to handle low-res video, but definitely not high def.
12:13 < melissa666> if you wanted higher definition, you could use a more powerful board (like Rock64) or a laptop/desktop
12:13 < winsoff> Interesting.
Perhaps they have something sitting around that would work. I'll have to run some designs and give them some options.
12:14 < melissa666> winsoff, if they have a computer with a USB port, the only other thing they need is a cheap (<$50) camera
12:14 < shtrb> I talked about pi because it was the cheapest option I could think of (a pc would be much better) - a pi is like an old pentium 3
12:14 < melissa666> (and an internet connection if they want remote monitoring vs. just getting it from disk)
12:15 < melissa666> pi is actually way faster than old pentium 3 :) ... but yeah, it's slow as shit
12:15 < melissa666> the newest pi has quad core ARM processor
12:15 < melissa666> + 1 gig of ram
12:15 < shtrb> ok pentium 4
12:15 < shtrb> :P
12:15 < melissa666> lol true
12:16 < winsoff> Are wifi-enabled cameras terrible to the network because of the constant noise, or does that vary?
12:16 < shtrb> vary , and they are a security nightmare
12:17 < Kartagis> is there a problem with root servers?
12:17 < shtrb> are knocked off from the net very easily (and if the sdcard is full it is useless)
12:17 < melissa666> winsoff, you have to keep in mind that unless you are damn good at security, every IP camera you put around your home/office is potentially accessible to hackers
12:17 < winsoff> True. I guess as long as they're not UPnP happy
12:17 < winsoff> I've never understood that--how does upnp punch holes in firewalls? Is this a standards-related thing, or can you just block that at the gear level?
12:18 < shtrb> winsof, every IP camera you put around your home/office is accessible to hackers FTFY
12:18 <+catphish> shtrb: mine aren't
12:18 < melissa666> winsoff, however, if you have good physical security, and have the camera running on a box that isn't connected to the net (just storing footage to disk), then that's not an issue
12:18 < shtrb> catphish, are they running ?
12:18 <+catphish> they are
12:18 < shtrb> plugged in ?
and powerd 12:18 < winsoff> melissa666, makes enough sense. 12:19 < shtrb> they are accessible :P 12:19 <+catphish> shtrb: but they can't talk to the internet, so anyone would have a hard job getting at them 12:19 < shtrb> Even LAN ones can be tapped 12:19 <+catphish> shtrb: how? 12:19 < melissa666> ... but then again, if you're not sending the data to remote location, then if someone breaks in and destroys the computer storing the footage ... so yeah, it's a complicated decision, and involves a lot of thought into physically securing the system 12:20 < Kartagis> I have 127.0.0.1:53 in my netstat -antlp output. is is why I can't access from outside? 12:20 < shtrb> hard time != not accessible 12:20 <+catphish> shtrb: well sure, but by that logic everything is accessible 12:20 < shtrb> catphish, if talks over network you can tap on it (if you are able to correctly decode is a different thing) 12:21 <+catphish> well you'd have to physically access the network 12:21 <+catphish> but sure 12:21 < shtrb> catphish, you are 100% correct 12:21 < djph> Kartagis: if your DNS server is only listening to localhost, it won't respond to "not localhost" 12:21 <+catphish> they're not running TLS :) 12:21 <+catphish> so you could easily intercept them with physical LAN access 12:21 < shtrb> catphish, the #%@#%@ tapped the power grid ;-( 12:22 <+catphish> but if you're that close, you can see what the cameras can see anyway :) 12:22 < Kartagis> djph: the funny thing is, I just queried from inside the VPS, and no output. 
12:23 < melissa666> catphish, also even if they don't have direct physical access, and are nearby ;) --> https://www.cl.cam.ac.uk/~rja14/Papers/SE-15.pdf
12:23 < shtrb> catphish, https://cyber.bgu.ac.il/stealing-data-computers-using-heat/ and https://cyber.bgu.ac.il/clever-attack-uses-sound-computers-fan-steal-data/
12:23 < gebbione> hi folks, I am seeing a huge amount of traffic from a specific IP that I cannot identify as a search engine bot or anything legitimate
12:23 < gebbione> ie 10.42.50.60
12:23 < shtrb> but if you have an old AMD you should be safe
12:23 < gebbione> i tried some online tools to establish what the ip is but it looks like just a random ip
12:23 < shtrb> gebbione, local ip
12:24 < djph> gebbione: that's an RFC1918 address -- something on your (or your ISP's) network.
12:24 < gebbione> i see, it is not the real ip
12:24 < shtrb> it's real, just NATted
12:24 < djph> it may very well be a "real" IP
12:24 < shtrb> it can be on your ISP network or in your network
12:25 <+catphish> gebbione: is that an IP range you use?
12:25 < gebbione> it must be
12:25 < gebbione> i just set up the system ages ago
12:25 <+catphish> i'd suggest it must be, that IP wouldn't be routed over the internet very far
12:25 < gebbione> it must be the load balancer
12:26 <+catphish> seems plausible
12:27 < gebbione> i need to check how to get the real ips
12:28 < shtrb> catphish, https://arxiv.org/pdf/1804.04014 :-(
12:28 < Kartagis> djph: netstat -Wa includes localhost:953
12:32 < Kartagis> can you guys help? service bind9 status says running, but I can't resolve anything.
12:32 < turtle_> is it running? does it work?
12:32 < turtle_> there's your help I accept paypal
12:34 < shtrb> Kartagis, check the logs (maybe it failed to load the configured zones)
12:34 < djph> Kartagis: /etc/bind/named.conf* set correctly to respond to the local network? zonefiles all check out?
12:49 < Kartagis> does https://paste.ubuntu.com/p/bBBB8YVWsb/ indicate any issues?
12:57 < Reventlov> Can I get 802.11 radio information, such as Antenna Signal, signal strength, etc, for a device not in monitor mode, for each frame destined to the device? (for itself, not for every frame received)
13:00 < djph> no
13:00 < djph> least I've never seen "per frame" statistics
13:02 < Reventlov> I wonder if I could share antennas across two devices, one in monitor mode, the other one in infrastructure mode
13:02 < Reventlov> and kinda split signals so that both receivers receive the same information
13:03 < light> why? radio waves can be received by multiple devices
13:05 < Reventlov> light: yeah, but if you cannot ensure that they have the same environment (for example, with centimeters apart antennas), then you're done for the measurements
13:05 < Reventlov> and centimeters matter, for 802.11
13:06 < mawk> I'd write a stub driver getting the physical layer information from the first device and injecting it into the second device
13:06 < light> why are you doing this?
13:06 < Kryczek> Reventlov: two in monitor mode yes, however if one transmits then the other one might get fried from getting RF power straight in
13:06 < mawk> yes
13:06 < Reventlov> Kryczek: yeah, good point.
13:06 < mawk> that's the problem with linking the antennae
13:06 < mawk> so better do this in software
13:07 < Kryczek> Reventlov: what is your end goal? Maybe there is a different solution :)
13:07 < Reventlov> Kryczek: oh, I have no specific end goal.
13:08 < Reventlov> I'm doing a PhD on wireless networks and mobility, so I'm exploring tools I can use.
13:08 < mawk> else can't you place two antennae right next to the other Reventlov ?
13:08 < mawk> if centimeters matter
13:08 < mawk> the one in monitor mode will hopefully never emit
13:08 < mawk> just receive
13:09 < Kartagis> http://paste.ubuntu.com/p/TVvrXSzCwX/ what does this tell you about named?
13:09 < Kryczek> Reventlov: in the aircrack-ng suite there is a tool (airtun-ng iirc?) that lets you emulate an AP on top of monitoring & injection, but last I checked it does not support WPA, only open and WEP
13:10 < mawk> Kryczek: doing this in the kernel doesn't look too hard
13:10 < mawk> when you're either very low level or very high level it's usually easy
13:11 < Kryczek> mawk: I agree but I think there is also an issue of some (most?) WiFi NICs doing a lot in hardware when they're not in monitoring mode
13:11 < mawk> yeah
13:11 < mawk> I see
13:11 < mawk> so let's reverse this, write the stub for the monitor mode entity
13:12 < mawk> uhm no it doesn't work
13:12 < Kryczek> another approach would be to use an ESP8266, it's a programmable WiFi NIC
13:13 < djph> Reventlov: centimeters don't matter.
13:13 < Kryczek> I think there's even code examples that handle RSSI and forwarding the packet to the OS
13:13 < mawk> and you can make the OS think it's a wifi NIC Kryczek ?
13:14 < Reventlov> djph: for multipath, it does
13:14 < mawk> how do you wire up ? USB ?
13:14 < Kryczek> mawk: tun/tap
13:14 < mawk> the crystal is stable enough for this ?
13:14 < mawk> ah, right
13:15 < Kartagis> hello?
13:15 < mawk> hi Kartagis
13:15 < Kartagis> http://paste.ubuntu.com/p/TVvrXSzCwX/ what should this tell mi about named?
13:15 < Reventlov> Kartagis: Hi. I don't know anything about named, good luck :)
13:15 < Kartagis> me*
13:16 < Kryczek> Kartagis: re-run that command as root
13:16 < Kryczek> (to see the process names)
13:16 < Kartagis> Kryczek: http://paste.ubuntu.com/p/94mwPvzW95/
13:18 < Kryczek> Kartagis: what is your question?
13:18 < Kartagis> Kryczek: I can't resolve anything
13:18 < Kartagis> internally or externally
13:19 < Kryczek> Kartagis: you want to look at /etc/resolv.conf and your firewall rules (e.g. `iptables -nvL`)
13:22 < Kartagis> Kryczek: http://paste.ubuntu.com/p/hRk25fC5JN/
13:22 < Kartagis> iptables has no rules
13:23 < ne2k> anyone know the MacOS X equivalent of Linux netstat -ltpn (listening, tcp, process name, no dns lookup)
13:24 < Kryczek> Kartagis: is that from the same machine?
13:24 < Kartagis> yes
13:24 < Kartagis> Kryczek: ^^
13:24 < Kryczek> Kartagis: but your machine is 172.30.0.104, and you want to use 172.30.0.2 as the DNS server?
13:25 < Kryczek> or...?
13:25 < Kartagis> this is on amazon, might be useful to add
13:25 < Kartagis> aws
13:26 < Kryczek> Kartagis: what is 172.30.0.2 ?
13:26 < Kartagis> might be aws' server
13:27 < Atro> Whats the technical advantage of using BIRD over a general router?
13:27 < Kryczek> Kartagis: why did you install named?
13:27 < bhuddah> ne2k: lsof -i and then grepping...
13:27 < Atro> A router has ASICs, the server you put BIRD on does not
13:27 < ne2k> bhuddah, yep, thanks, found lsof
13:27 < Kartagis> I wanted to run my DNS
13:27 < ne2k> bhuddah, actually lsof -iTCP -sTCP:LISTEN
13:28 < bhuddah> ne2k: you get the idea ^^
13:29 < Kartagis> Kryczek: ^^
13:31 < Kryczek> Kartagis: what for?
13:31 < Kartagis> I'm also hosting
13:35 < Kryczek> Kartagis: I am not sure what to tell you... Check that 172.30.0.2 is the correct DNS IP for AWS, or finish configuring your named and use that?
13:35 < hexoroid> all other ports on network pick up 192.168.0.1-255 just fine do i need to add route -p ADD 192.168.0.0/24 MASK 255.255.255.0 192.168.0.3
13:36 < hexoroid> so it picks up DHCP the correct way so i dont type it in manually ?
14:02 < zenix_2k2> one question guys, i accidentally did "iptables -t nat -A OUTPUT -p tcp --dport 8080 -j REDIRECT --to-ports " without knowing what was the port i was redirecting to, is there anyhow to fix this ?
14:04 < JPT> iptables -t nat -L to list the rules
14:04 < JPT> iptables -t nat -D CHAIN POSITION to delete the bad rule
14:05 < JPT> Hint: If you're experimenting on a remote machine, it can be helpful to first set up a cronjob that removes all iptables rules every 10-15 minutes in case you lock yourself out.
14:05 < lpapp> hi, is anyone familiar with snmp here?
14:06 < zenix_2k2> JPT: and by bad rules, it will delete my accident ?
14:06 < JPT> -D takes a chain and the position of the rule in that chain (counting starts at 1 for some reason)
14:06 < TabsOpen> lpapp, a little bit. Nothing on v3 though
14:07 < JPT> zenix_2k2: If your accident made it into the ruleset then you can find and delete it
14:07 < JPT> Also helpful: iptables -S (similar to what iptables-save produces) can show you ALL the rules.
14:08 < zenix_2k2> ok iptables -t nat -L shows me this --> https://pastebin.com/WFjJWLv7
14:08 < zenix_2k2> but there are 2 ports
14:08 < zenix_2k2> which one ? i am not actually too familiar with iptables
14:08 < dnanib> Rules are processed top-down, stopping at first matching rule. So in your case the redirect to 37541 will take place
14:09 < JPT> zenix_2k2: Both rules say "dpt:http-alt", so they're for the same http port that i don't know right now (maybe 8080 or something). One redirects that port to 37541 and the other one to 39441
14:09 < JPT> You need to know which one you want to keep and which one to get rid of
14:09 < zenix_2k2> i tried both but it didn't work
14:10 < zenix_2k2> via some python scripts
14:11 < JPT> You could also remove both rules and do your iptables command again without a typo. :)
14:14 < screwsss> hey room
14:15 < screwsss> anyone here know all about shopping mall public wifi
14:15 < screwsss> and you know free wifi spots
14:15 < turtle> never heard of them
14:15 < zenix_2k2> ok ok ok, so let's just forget about all of these rules, is there any command that i can use to "refresh" everything ?
14:15 < zenix_2k2> cause i actually only added one rule and that result wasn't right
14:15 < screwsss> im wondering how they 'divide' the speeds they get amongst everyone connected :P
14:16 < dnanib> zenix_2k2, what do you want to achieve?
14:16 < shtrb> screwsss, what about them ?
14:17 < zenix_2k2> dnanib: i accidentally added a rule that i couldn't remember what port was it, so i am trying to refresh everything
14:18 < zenix_2k2> port 8080 in specific
14:18 < shtrb> There are many brands, some will limit per connection some will not give any restriction
14:22 < zenix_2k2> so is there anyhow ?
14:26 < Kartagis> would listen-on-v6 {any;} in options prevent listening on v4?
14:27 < light> no
14:27 < light> add listen-on port 53 { 127.0.0.1; }; for ipv4
14:28 < Kartagis> light: at the moment it's not listening on v4
14:28 < light> so add that directive
14:31 < Kartagis> it's still not resolving anything
14:31 < light> restart named
14:31 < Kartagis> what else can I look at?
14:31 < Kartagis> I did
14:31 < zenix_2k2> so hello ?
14:31 < light> are you using the right config file?
14:31 < dnanib> Kartagis, how are you testing whether it is resolving anything or not?
14:31 < light> e.g. /etc/named.conf for non-chroot and /var/named/chroot/etc/named.conf for chroot
14:32 < Kartagis> dnanib: intodns.com
14:32 < zenix_2k2> guys, is there anyhow i can check which port that port 8080 was redirected to ?
14:32 < light> ss -na | grep LISTEN
14:32 < dnanib> With this: listen-on port 53 { 127.0.0.1; }; - the reliable test is "dig @127.0.0.1 www.google.com. a"
14:34 < zenix_2k2> so anyone ?
14:34 < Kartagis> dnanib: none of my domain names are resolving, I can't get e-mail
14:34 < light> pastebin the output
14:35 < Kartagis> me? output of what
14:35 < Kartagis> oh, not me
14:35 < dnanib> Kartagis, you have done this? listen-on port 53 { 127.0.0.1; };
14:36 < dnanib> Then your dns resolver is listening only on your loopback address.
14:36 < light> sometimes I wonder if people only read every other line I type
14:36 < Kartagis> dnanib: I did any and dig gives output
14:38 < dnanib> Please pastebin full command and output. Is dig resolving fine?
14:40 < Kartagis> dnanib: while dig did the thing (https://paste.ubuntu.com/p/dkqGsN9gzY/), I also got https://paste.ubuntu.com/p/qwXxN4b4gr/ in syslog
14:40 < Kartagis> brb, coffee
14:41 < tds> that looks a lot like you have broken ipv6 connectivity, and bind will fall back to connecting to the nameservers over v4
14:41 < dnanib> Kartagis, those syslog errors look benign. Probably your resolver ships with ipv6 addresses for root servers but your server configuration disables ipv6
14:42 < grawity> the root hints have contained ipv6 addresses since 2008, so
14:44 < tcni> hi all, what is the correct way to implement persistent TCP connections in my server? I want clients to be able to send queries, then wait for a long time before the next one. But I get timeout if waiting too long.
14:44 < tcni> should the client send keepalives?
14:44 < grawity> "I get timeout" from where
14:44 < tcni> grawity: from socket library
14:45 < tcni> my server does a read, but if the client waits 60+ minutes, i timeout
14:45 < grawity> is the connection still alive – can you repeat the read when that happens?
14:45 < grawity> by default TCP connections live forever until either side specifically decides to kill them
14:45 < tcni> there is no read timeout? hm
14:45 < tcni> ok, guess I can retry
14:46 < grawity> read timeouts are an API thing – they're *not necessarily* an indication that the connection is dead
14:46 < dnanib> tcni, timeouts are implemented in application protocols built on top of tcp
14:46 < thecha> I want to use one emacs config across all my devices and want to have synced org files? can i do this through my homeserver?
14:46 < Kartagis> so, what do I do?
14:46 < grawity> OP has timed out :|
14:46 < dnanib> Kartagis, you seem to be set. Is something not working?
14:47 < Kartagis> dnanib: my domains aren't resolving
14:47 < Kartagis> ;; connection timed out; no servers could be reached
14:47 < light> pastebin your named.conf and zone configs
14:47 < light> eh?
14:47 < dnanib> But you just pastebin'ed that things are resolving... :-)
14:48 < light> lookup against your name server specifically
14:48 < light> what's in your resolv.conf?
14:48 < dnanib> Kartagis, pastebin resolv.conf too then
14:50 < Kartagis> dnshttp://paste.ubuntu.com/p/SWrM7xmcxc/
14:50 < Kartagis> dnanib: http://paste.ubuntu.com/p/SWrM7xmcxc/
14:51 < grawity> where do files start and where do files end in that
14:52 < thecha> Hi Friend, I would like to use one emacs config across all my devices and have them all sync with and update new changes to a central file on my homeserver, I would like to also do something similar to my org files, can you point me to a tutorial or resource on how to do this?
14:52 < light> thecha: rsync
14:52 < thecha> ty friend!
14:54 < light> the whois records for boradental.com.tr list ns01.webcinizim.com and ns02.webcinizim.com but neither of those seem to be online/working
14:55 < tds> both of those seem to have A records pointing to the same IP as well
14:55 < tds> (which doesn't respond to queries)
14:56 < tds> if this is meant to be a public nameserver, having it listen on only 127.0.0.1 isn't much use (unless you have something else sitting in front of it)
14:56 < thecha> tds out of curiosity what function do these queries serve?
14:56 < light> also the nameservers for webcinizim.com point to itself
14:56 < Kartagis> grawity: https://paste.ubuntu.com/p/yw387DZHDS/
14:56 < Kartagis> they point to ns01 and ns02
14:57 < Kartagis> ns01, sorry
14:57 < light> How do people resolve ns01.webcinizim.com?
14:57 < tds> glue records (which appear to be in place)
14:57 < light> Ah yes, I was just using them
14:58 < Kartagis> hmm, I don't know why it doesn't exist now
14:58 < tds> Kartagis: is there any reason you've configured it to only listen on 127.0.0.1?
14:58 < tds> unless you have something else sitting in front of that, it won't respond to queries from outside when configured like that
14:58 < light> it's safer for the internet
14:59 < Windy> am i correct in my understanding that traffic selector, proxy id, and encryption domain all refer to the same concept?
14:59 < xdroop> So if I want a CentOS 7 to bring an interface up at boot time with no IP address, how might I do that?
14:59 < light> Windy: wat
14:59 < Windy> there's the concept in IKE of a traffic selector, but it seems like vendors call it different things
14:59 < xdroop> Windy: in that they're all different parts of a phase 2
14:59 < tds> light: safer for the internet?
14:59 < light> xdroop: do your interfaces fail to come up if you omit the IPADDR line from your ifcfg-int file?
15:00 < tds> sure, you don't want to run an open resolver, your nameserver needs to be public though
15:00 < light> tds: than people that don't know how to run dns having servers that can be exploited
15:00 < Windy> in what way are they different?
15:00 < xdroop> light: I'll try that
15:00 < xdroop> Windy: ok reading more closely, yes they are pretty much the same thing
15:00 < xdroop> (assuming for encryption domain, I know the other two are the same)
15:01 < Windy> i think that's just the cisco term for it
15:01 < Windy> ike/ipsec is really convoluted between vendors
15:02 < xdroop> yes, yes it is
15:02 < xdroop> knowing the right vocabulary to feed into google is 75% of the battle
15:02 < xdroop> ...and with Cisco, finding docs for the right OS version is most of the rest.
15:04 < Windy> my experience is always bringing up tunnels with other organizations too, so it can be really hit or miss as to whether the person on the other end has a clue
15:05 < xdroop> ha
15:05 < xdroop> yes
15:05 < Kartagis> hmm. all the IP addresses in zone files are different than the one in console
15:05 < xdroop> light: that worked, thank you
15:06 < light> welcome
15:19 < Kartagis> no, still unresolvable
15:20 < dnanib> Kartagis, is the Bind installation supposed to be authoritative for those domains? Then your listening on 127.0.0.1 does not make sense.
15:20 < dnanib> Remove that. What was the reason you added that in the first place?
15:20 < ALowther> Does anybody know any good sources that compare/teach information about different VPN implementations and what they're actually doing to encrypt/secure the data?....For instance, I am curious about IKEv2/IPsec vs OpenVPN. I can find plenty of sources that have opinions or general ideas about one being better or easier to implement etc, but what is actually happening? How is each packet actually encapsulated? Is just the data-payload encrypted, is everything encrypted and then new addressed headers are added to the now encrypted data, etc?
15:21 < Kartagis> I was told here
15:21 < meowschwitz> ALowther: openvpn is TLS, IPSEC is AH/ESP
15:22 < Kartagis> dnanib: should I remove the line or replace with any?
15:22 < dnanib> Kartagis, I joined late to the party. What did you ask for which adding that was recommended?
15:22 < meowschwitz> ALowther: both are fully opaque, for both you can enable PFS and stronger ciphers/hashes if desired
15:23 < Kartagis> I don't remember
15:23 < Kartagis> oh, now I do
15:23 < Kartagis> I asked if listen-on-v6 will prevent listening on v4
15:24 < tds> make sure you're refusing queries to any zones other than yourself before you make it listen on a public interface though
15:24 < tds> since you don't want to be running an open resolver
15:24 < Kartagis> how do I do that?
15:24 < dnanib> Kartagis, do you want to listen on v6 interface, v4 interface or both?
15:25 < Kartagis> v4 I guess
15:25 < ALowther> meowschwitz: Yes, so what, TLS encryption => [mac[ip[port[TLS[APPLICATION]]]]]; IPSEC => [MAC[IP[PORT[SESSION[APPLICATION]]]]]...CAPS = Information included in encryption
15:25 < meowschwitz> https://openvpn.net/index.php/open-source/documentation/security-overview.html
15:25 < meowschwitz> https://en.wikipedia.org/wiki/IPsec#Encapsulating_Security_Payload
15:26 < mcdnl> ALowther: ipsec esp encapsulates the full packet in another ipv4 packet
15:26 < dnanib> Kartagis, your config: listen-on port 53 { 127.0.0.1; };
15:26 < dnanib> listen-on-v6 { any; }; - means it is listening on all v6 interfaces and only on the loopback v4 interface
15:26 < tds> if your provider offers v6, please configure it as well, it's not much extra work :)
15:27 < ALowther> meowschwitz: Nice. Thanks for links.
15:27 < mcdnl> ah just authenticates the content of the packet (ensures the content has not been modified)
15:27 < mcdnl> esp and ah are full ip protocols on their own, while tls is built over tcp
15:27 < ALowther> mcdnl: So there is more overhead I would assume since it's encrypting more information every packet
15:28 < mcdnl> i dont think you'd notice it that much
15:28 < dnanib> Kartagis, I think what you need is: listen-on port 53 { any; }; listen-on-v6 { none; };
15:28 < mcdnl> with esp/tls yes, packet size increases because of the encryption
15:29 < Kartagis> no, still not resolving
15:30 < tds> what's the output of netstat -nlp?
15:30 < tds> (you want to run that as root)
15:30 < mcdnl> ALowther: i'd say the "hardest" is esp ipsec with aes256gcm / ecp384+ / sha384|sha512 and using ciphers instead of preshared keys
15:30 < tds> that should show you if it's listening on the right addresses
15:30 < mcdnl> s/ciphers/certificates/
15:31 < Kartagis> tds: http://paste.ubuntu.com/p/3V4rZp5tpc/
15:33 < tds> is your provider doing nat?
15:33 <+catphish> someone needs to have a chat with LSI about how on earth their RAID config works!
15:34 <+catphish> if you want RAID 10, you choose RAID 1 :|
15:34 < zamba> i'm looking for a tool to simulate latency, packet loss and so on.. what can be used for this?
15:34 < ALowther> mcdnl: Thank you
15:34 <+catphish> if you choose RAID10 you get RAID100
15:34 < dnanib> Kartagis, are you working on the server with IP 52.89.235.163?
15:35 <+catphish> on the plus side, now my raid is configured properly: Timing buffered disk reads: 3342 MB in 3.00 seconds = 1113.28 MB/sec
15:36 < Kartagis> dnanib: a quick search showed that IP address changes for EC2 instances when rebooted.
15:36 < Kartagis> dnanib: now it's 54 something
15:36 < Aeso> zamba, there's a linux package called tc that is good for that kind of thing
15:37 < tds> Kartagis: I think your glue records are out of date in that case
15:37 < Peng_> Kartagis: Stop and start may change IPs, reboot shouldn't
15:37 < dnanib> Kartagis, are you administrator for zone webcinizim.com?
15:37 < dnanib> That is where your problem is I think
15:37 < Kartagis> tds: yeah, may not have propagated yet
15:38 < Kartagis> dnanib: yes I am
15:40 < dnanib> Kartagis, then see this: https://pastebin.com/5g5giXmy
15:40 < tds> yeah, I'm still getting that old glue record from all of the nameservers for .com
15:40 < dnanib> Your nameservers are in the zone webcinizim.com and there are no glue records. So that zone has to resolve properly for the other zones to work.
15:41 < Kartagis> sorry
15:41 < Kartagis> dnanib: you were saying?
15:41 < tds> have you already updated the records with your registrar?
15:41 < tds> there's not much else you can do if that's the case
15:41 < strixdio> interesting...
15:41 < nosmelc> What's a good way to go around to about a dozen new ethernet outlets and test them all to make sure they're reliable and all get 1Gbps speeds?
15:41 < dnanib> If you are the admin of webcinizim.com then make sure its DNS works fine first
15:42 < dnanib> Use this: https://www.zonemaster.net/nojs to check if everything is fine or not
15:42 < dnanib> nosmelc, laptop + iperf?
15:42 < strixdio> I am using ssh "-D 9090", and routing all my traffic over socks5 proxy from firefox.. when I go to youtube, it tells me that there are restricted videos (which means that somehow the filter is blocking my traffic). Am I missing something?
15:43 < nosmelc> dnanib, thanks. I've worked with iperf before
15:43 < nosmelc> dnanib, I guess that's the best way
15:48 < Kartagis> dnanib: https://www.zonemaster.net/test/42478951bc6603c4
15:49 < dnanib> Kartagis, sorry: Internal Server Error
15:49 < dnanib> :-)
15:50 < Kartagis> No NS records for tested zone from parent. NS tests skipped.
15:50 < Kartagis> idk how I get this
15:51 < tds> Kartagis: have you updated the glue records with your registrar?
15:52 < tds> since there's not much else you can do until that's sorted
15:52 < Kartagis> I never changed them
15:52 < tds> did you say that 52.89.235.163 wasn't the correct IP?
15:53 < Kartagis> yes
15:53 < tds> then you need to update the glue records
15:54 < Kartagis> but there's no page to enter IP
15:54 < Kartagis> only nameserver
15:54 < Kartagis> ns01.webcinizim.com
15:54 < tds> it'll be on the config for the webcinizim.com domain
15:55 < Kartagis> shit
15:55 < Kartagis> there is
15:56 < tds> the ttl on those glue records is pretty high, so it may take a while for the change to actually affect resolvers
15:56 < tds> but that should at least fix some of the issues
15:57 < dnanib> Kartagis, the Registrar URL for that domain is Registrar URL: http://www.ihs.com.tr as per Whois. If you have the credentials to login there please look around for the interface to add NS/Glue records.
15:57 < tds> the records have changed, sounds like Kartagis has already found it :)
15:58 < Kartagis> thanks dnanib and tds
15:59 < Kartagis> I can't believe it
16:01 < dnanib> Way to go, Kartagis :-)
16:01 < tds> looks good, you're refusing queries for google.com as well :)
16:02 < dnanib> Use that Zonemaster to make sure everything is setup just right
16:04 < tds> you have some NS records you've set in the parent zone but not in the child zone on your nameserver: http://dnsviz.net/d/boradental.com.tr/dnssec/
16:04 < tds> should be a pretty easy fix though
16:42 < jvwjgames_> when i make a virtual bridge to another adapter so that traffic gets sent out the eth0 does eth1 have to have a cable plugged in
16:43 < jvwjgames_> meaning traffic at eth1 which has no cable but is a bridge to eth0 which does have a cable does eth1 still need an ethernet cable
16:48 < djph> bridging two interfaces just turns them into a switch
16:48 < jvwjgames_> so i do still need a cable
16:49 < djph> does your switch need a cable in every port to work?
16:49 < jvwjgames_> ya
16:49 <+imMute> O.o
16:49 < djph> o_O
16:49 < jvwjgames_> is there a way to create a virtual port without me needing to go the DC
16:49 < djph> your switch probably needs replaced
16:50 < jvwjgames_> oh wait sorry i read your question wrong
16:50 < jvwjgames_> no
16:51 < djph> exactly ;)
16:51 < jvwjgames_> so traffic can still route from eth1(no cable) to eth0 (cable)
16:51 < jvwjgames_> cause i can't ping pfsense after setting it up
16:52 < felda> lmao
16:53 < djph> no
16:53 < felda> if you have eth0 set as WAN it will reject all pings
16:54 < felda> and that's not what bridging is designed to do either
16:54 < felda> at least not in pfsense's context
16:54 < felda> jvwjgames_ is pfsense physical machine or a VM?
16:54 < jvwjgames_> VM
16:56 < Roq> jvwjgames_: Can you connect to the pfsense shell via the vm console?
16:56 < felda> you're going to want to make the LAN the connected port for now
16:56 < felda> once you're in you can create rules to allow access to WAN
16:56 < felda> and switch it back to WAN as the connected port
16:56 < jvwjgames_> yes i can get to pfsense via VM console
16:57 < Roq> a dirty fix is connecting to the shell via console, disable packetfiltering (pfctl -d) and connect to the WAN address
16:57 < felda> ^
16:57 < Roq> Now you can access the gui via the WAN address, and setup your firewall rules
16:57 < felda> you want your test VM connected via WAN because pfsense is goofy and only lets you run updates and install packages if you have Internet on WAN
17:18 < CustosLimen> which should I buy for optimal range: should I buy Ubiquiti airCube-AC https://www.ubnt.com/accessories/aircube/ or Mikrotik hAP ac² https://mikrotik.com/product/hap_ac2 ?
17:21 < electricmilk> Will there be an outage if I switch all the ports on our switches using Vlan1 to a new vlan number?
17:21 < mawk> probably
17:21 < mawk> if you're asking this question maybe you shouldn't do that at office times
17:22 < electricmilk> haha k
17:22 < mawk> or wait for lunch
17:22 < mawk> I have some bad memories of a whole office mad at me for "breaking the internet"
17:23 < mawk> during my last internship as a sysadmin
17:23 < electricmilk> I will need to change the native VLan as well right?
17:23 < electricmilk> We are going to have a security audit and I know using VLAN 1 as native Vlan is a big no-no
17:23 < mawk> why
17:23 < mawk> ?
17:23 < mawk> your coworkers don't use ethernet ?
17:24 < electricmilk> Easier to do a vlan hopping attack
17:24 < electricmilk> Considered bad practice to use vlan 1
17:26 < mawk> well you've got a little more steps than just changing vlan number
17:26 < mawk> and if you're using only one vlan, i.e. no vlan at all, what are the benefits of changing the number ?
17:28 < electricmilk> mawk, Not getting dinged on the security audit but I think I see your point
17:28 < electricmilk> The whole point of VLan hopping is to access other Vlans...
17:28 < mawk> yes
17:28 < electricmilk> If there are no other vlans it shouldn't matter that I'm using vlan 1
17:28 < mawk> indeed
17:28 < electricmilk> But I actually do have a Vlan set on one switch
17:28 < electricmilk> But there are routes for that vlan...its just for wifi which has full access
17:29 < electricmilk> I also intend on adding a vlan I do want segmented. I just want it to have internet access and no routes internally.
17:30 < thecha> what are some secure ways to authenticate yourself to your server you ssh into
17:31 < electricmilk> thecha, well isn't ssh itself pretty secure?
17:31 < electricmilk> If you are using an up to date version?
17:31 < tds> ssh keys + totp 2fa if you're paranoid
17:31 < thecha> electric say somebody has compromised my computer wont they gain access to my server too if i use key pair authentication or a passphrase?
17:32 < tds> totp works nicely to solve that, or store your ssh key on a smartcard
17:33 <+catphish> thecha: you should always use a key encrypted with a passphrase
17:33 < thecha> totp? i see...
17:33 < tds> iirc google make a pam module for it?
17:34 < thecha> catphish! wont they be able to keylog the passphrase?
17:34 <+catphish> but OTP is even better since it means that even if someone got access to your computer with a keylogger, they couldn't use the key
17:34 <+catphish> thecha: yes
17:34 < Apachez> https://twitter.com/marcan42/status/1008981518159511553 HP iLO4 authentication bypass
17:34 <+catphish> thecha: ultimately if someone has full access to your pc you're screwed
17:34 <+catphish> so you need to make sure that doesn't happen
17:35 < thecha> is there a book that can teach me how to make that at least unlikely?
17:35 < electricmilk> software based keyloggers are still a thing nowadays? Wouldn't antivirus simply detect this?
17:35 <+catphish> they could just as easily replace your ssh binary with one that connects via their proxy and intercepts your connection, auth, etc
17:35 < thecha> electricmilk! are you on a gnu/linux?
17:36 <+catphish> don't run untrusted code
17:36 < electricmilk> sometimes. Right now I'm on Windows 10
17:36 < electricmilk> (At work)
17:36 <+catphish> that's the most important thing
17:36 < thecha> electricmilk! what antivirus do you use on your gnu?
17:36 < electricmilk> Good point
17:36 < thecha> catphish! i see
17:37 < electricmilk> I remember trying to compile keyloggers on Linux back in the day and it was no easy task.
17:37 < tds> doing disk encryption is also worthwhile if you're concerned about someone pulling the drive and swapping binaries for example
17:37 <+xand> or getting your data
17:37 < tds> ...but you're probably screwed at that point anyway
17:37 <+catphish> electricmilk: it's trivial if you have x11 afaik
17:37 < tds> yes, and that :)
17:37 < thecha> catphish! so no jscript no proprietary or non-free no software as a service and so forth
17:38 <+catphish> thecha: some combination of those depending on your level of paranoia
17:38 < thecha> i have an idea
17:38 < electricmilk> The threat of a keylogger seems unlikely to me on Linux. Why would someone place malicious code in a well known script that is open source?
17:38 < thecha> cant you have a software calculate md5 checksums of all your stuff after every tiny change?
17:38 <+catphish> you can trust nonfree software just like you trust a distro to compile free software
17:38 < thecha> and then approve all changes?
17:38 < thecha> and then constantly check for changes in md5 checksums?
17:39 < tds> sure, if you want to spend the rest of your life reading source code and checking it, and probably missing errors anyway
17:39 < electricmilk> lol
17:39 < thecha> but then again the attacker could just wait for you to change things and work their changes in with yours...
17:39 < electricmilk> I simply had to realize I'm not that important. People don't care about me. Just don't be the low hanging fruit.
17:40 < thecha> using a browser that allows jscript is also letting just uncontrolled code be run right?
17:40 < thecha> that means most websites wont work for you, not that i care, just saying
17:40 <+catphish> thecha: to a lesser extent, in a sandbox
17:41 <+catphish> it's all about relative risk
17:41 < thecha> do sandboxes really isolate things?
17:41 < thecha> i see
17:41 <+catphish> yes
17:41 < thecha> well thanks for putting things into perspective
17:41 < thecha> i did not know that you are relatively safe from these key logger worms and trojans on gnu
17:41 <+catphish> javascript can't access / modify random files on your computer
17:41 < thecha> i thought it was just too obscure for people to often do that
17:41 < tds> well, it shouldn't be able to at least :)
17:42 <+catphish> but, sometimes browsers have bugs, and javascript can exploit them
17:42 < thecha> catphish! and then if those people are good they can step by step take over the machine?
17:42 <+catphish> similarly, opening a document, it might have something in it that exploits a bug in your word processor, same thing
17:42 <+catphish> thecha: yep
17:42 < electricmilk> Just keep everything up to date to avoid most of that.
17:42 < thecha> so you should not browse the web, or open any files you didnt create yourself
17:43 <+catphish> so, again, it's all about relative risk
17:43 < electricmilk> lol stop being so paranoid
17:43 < thecha> well if you can just reduce the risk reasonably that is good enough
17:43 <+catphish> if you have nuclear launch codes, you're not gonna be running javascript, or even connecting to the internet
17:43 < thecha> ok i try being less paranoid electricmilk
17:43 <+catphish> if you just have some people's email addresses to protect, you're gonna be less paranoid
17:43 * tds bets those boxes are still on xp or earlier
17:43 <+catphish> depends who is trying to attack you too
17:44 < electricmilk> Do your updates, and have strong passwords. Encrypt the HD if you are worried about the HD getting stolen.
17:44 <+catphish> more valuable data = more determined attacker
17:44 < electricmilk> Hackers typically look for the low hanging fruit. Unless like catphish said you have very valuable data.
17:44 < thecha> catphish! i am just worried about people using any easy opportunities that i present to them by my ignorance
17:45 <+catphish> thecha: the worst vulnerabilities are unpatched software and weak passwords
17:45 < electricmilk> Also, disable remote management on your router, change the default password, and have a strong wifi key.
17:46 < thecha> i think i am gonna keep wifi off
17:46 < thecha> seems like wifi would be asking for it tbh
17:46 <+catphish> default passwords are the weakest of all :)
17:46 < thecha> lol
17:46 < thecha> catphish! case for strong default passwords
17:46 < electricmilk> Also disable WPS on the router.
17:47 < electricmilk> Strong default password is a bit of an oxymoron.
17:47 < electricmilk> Although I've noticed some routers now come with a unique management password...but I wouldn't really consider that a default password.
17:47 <+catphish> lol strong default passwords
17:48 < electricmilk> strong default password = password1
17:48 <+catphish> i wouldnt trust those unique default passwords
17:48 < electricmilk> me either
17:48 <+catphish> they're too often seeded using a MAC address
17:48 < electricmilk> Or the default wifi key.
17:48 < electricmilk> Many ISPs simply use phone numbers. It does not take long to get through EVERY possible 10 digit number with aircrack
17:49 <+catphish> default wifi keys really only exist in home kit, so meh
17:49 <+catphish> you arent using a home router as the primary defence for your important data, right :)
17:49 < electricmilk> At least its a lot better than defaulting to OPEN
17:49 <+catphish> is it?
17:49 < electricmilk> Sure
17:49 < electricmilk> The keys aren't super strong but it will stop 99% of attackers
17:49 <+catphish> i like open wifi, at least i did before ubiquitous LTE
17:50 < electricmilk> Its rare to find open wifi these days
17:50 < electricmilk> At least in my area
17:50 <+catphish> indeed, i was pretty upset about it when the trend started
17:51 <+catphish> because when wifi was invented i assumed in a few years every building in the world would have open wireless internet
17:51 < electricmilk> Plus open Wifi is susceptible to MITM attacks
17:51 < electricmilk> I remember in a lab setting up SSLstrip and it was quite frightening.
17:51 < electricmilk> Yea but also if you have open Wifi aren't you legally responsible for what happens on it?
17:52 < electricmilk> What if your neighbor Bob is using it for kiddie porn or something?
17:52 <+catphish> only in germany
17:52 <+catphish> rest of the world, no
17:52 < electricmilk> interesting
17:52 <+catphish> it would be pretty ridiculous if you were really
17:52 < electricmilk> I still wouldn't want the feds knocking on my door questioning me about kiddie porn regardless if I'm not legally liable.
17:53 <+catphish> well that's your choice
17:53 < electricmilk> Some cities have free open wifi but again I don't like the idea of MITM attacks
17:53 <+catphish> use TLS
17:54 < tds> your standard approach should be to not trust the network anyway imo
17:54 <+catphish> i don't think it'll be long before browsers disable non-ssl by default with a warning
17:54 < electricmilk> Have you checked out SSLstrip? I installed it like 10 years ago in a lab but it worked beautifully.
17:54 < tds> hsts is a thing
17:54 < electricmilk> No certificate errors
17:54 < tds> (and preloading)
17:54 < electricmilk> yet everything in plaintext
17:55 <+catphish> sslstrip only works if you access a site in plain text to begin with
17:55 <+catphish> it just prevents SSL redirects
17:55 <+catphish> it's 90% defeated by HSTS
17:55 < electricmilk> Would HTTPS everywhere prevent it as well?
17:55 <+catphish> and IMO browsers will very soon start warning about all non-tls connections
17:55 <+catphish> electricmilk: if browsers warned about non-https, yes
17:56 < electricmilk> Ugh that means SSL-DPI is going to become more and more standard no?
17:56 < electricmilk> I really don't want to set it up on our firewalls
17:56 <+catphish> sure
17:56 <+catphish> well don't then
17:56 < electricmilk> 90% of the techs I mention it to tell me not to
17:57 < electricmilk> what's your opinion on SSL-DPI catphish?
17:57 <+catphish> it's really no different from http DPI
17:57 <+catphish> you're just looking at a different part of the packets
17:57 < electricmilk> Except you have to install the certificate on every workstation
17:57 <+catphish> i would never do either
17:57 <+catphish> oh, that, no, NEVER do that
17:57 < electricmilk> hehe
17:57 < tds> if you want to mitm my traffic, I'll go and use another network :)
17:57 <+catphish> this will break the end to end trust that TLS relies on
17:58 < mcdnl> dpi ssl is ok but you have to be careful, there are some situations where you cant do it
17:58 <+catphish> anyone who installs your cert on their PC is essentially rendering TLS worthless because you won't secure the key properly
17:58 < mcdnl> catphish: on corporate networks thats not an issue
17:58 < electricmilk> yea screw that
17:58 <+catphish> if you want to know what websites people visit just sniff the TLS handshakes
17:58 < electricmilk> Meh I just view the content filter logs
17:59 < electricmilk> I only care about the violations
17:59 <+catphish> mcdnl: it might be ok, if you validate remote certs properly, but it's not a good idea
17:59 <+catphish> it breaks end to end trust and key pinning, and other things in nasty ways
17:59 < mcdnl> catphish: usually you inspect all the traffic except for banks, healthcare and specific services that rely on certificates to authenticate
17:59 < tds> I've heard of some bank applications doing their own certificate pinning validation as well
18:00 <+catphish> mcdnl: no, usually you inspect no traffic
18:00 < electricmilk> I need to setup our Children's center to have network access? I have strict content filtering through proxy...do you recommend I additionally setup a "parental restriction" DNS server on them as well?
18:00 < electricmilk> *access.
18:00 <+catphish> mcdnl: there are very few occasions where it's a good idea to break end to end SSL :)
18:01 < mcdnl> well, on corporate environments you have to check what users are downloading
18:01 <+catphish> mcdnl: no you don't
18:01 < mcdnl> more than "check", pass it through av/exploits/etc
18:02 < mcdnl> why not?
18:02 <+catphish> mcdnl: i'd probably use AV at the workstation for that
18:02 < detha> also, you have to check what users are uploading
18:02 <+catphish> but i suppose you could do it MITM
18:02 < mcdnl> ^^ dlp
18:02 < electricmilk> We just have really strict content filtering, IP GEO blocking, and then malware/spyware checking for unencrypted traffic. Also IPS/IDS and botnet filter.
18:02 < electricmilk> Now I need to focus on layer 2 security
18:03 <+catphish> if you trust users that little, just don't give them internet access, or a browser that allows such things
18:03 < tds> i've seen some av applications that do mitm on the local box and install their own root cert
18:03 < electricmilk> and layer 1 to be honest
18:03 < mcdnl> go for a snort
18:03 < mcdnl> and 802.1x
18:03 <+catphish> i think local AV is going to be more effective
18:03 <+catphish> but perhaps there's a case for both
18:03 < mcdnl> tell that to android users
18:03 < electricmilk> Yea not our crappy local AV. Look forward to switching soon.
18:04 <+catphish> and for identification of material that definitely shouldn't be uploaded of course
18:04 < electricmilk> Should be able to get us bitdefender for basically free
18:04 < electricmilk> (non-profit)
18:05 < tds> electricmilk: if you're going to rely on dns for filtering, make sure you block (or redirect if you want) dns traffic to other resolvers, and keep in mind that people can still do dns over tls/similar
18:05 <+catphish> if you find yourself blocking like that, you're doing it for the wrong reasons IMO
18:05 < electricmilk> tds, only as a backup. I have strict content filtering by proxy
18:05 < tds> indeed
18:06 < electricmilk> Our content filtering is pretty legit
18:06 <+catphish> if users want to get around your blocks, then you're wasting your time
18:06 < tds> and if you're blocking like that, please make your resolver dnssec-capable, since it's just annoying if not
18:06 < electricmilk> Still can be bypassed with Google Translate though which I'll just block in the hosts file for the children's center
18:07 < electricmilk> I doubt 9 year old children will get past the blocks
18:07 < electricmilk> If they are able to then awesome..they deserve it
18:07 <+catphish> if you're doing it to prevent people accidentally being harmed, that's fine
18:07 <+catphish> but when they don't want your blocks any more, that's a different matter
18:08 < tds> and keep in mind as soon as one student/whatever can bypass it, everyone will
18:10 <+catphish> i've just never understood the value in blocking someone's access to content that they *want* to access, even putting aside the futility of it, i don't see how you are benefiting that person
18:10 <+catphish> for younger children, makes perfect sense, you don't want them being accidentally exposed to things they weren't looking for
18:11 < electricmilk> How would they bypass it though? I give them standard user access so they can't install software. Have strong content filtering which includes filtering of freeware sites and portable apps. Disable setting to allow them to change proxy or VPN. DNS filtering as backup. Block Google Translate.
18:12 < electricmilk> catphish, Well for the adults its mainly to prevent malicious code from getting in the system
18:12 <+catphish> electricmilk: well that seems sane
18:12 <+catphish> i'd bypass it by using a friend's iphone :)
18:12 < electricmilk> Ransomware could bring a small non-profit like us down to our knees.
18:12 < electricmilk> lol
18:12 < tds> stopping users from running random binaries may be worthwhile, if this is windows iirc there's applocker or something
18:13 < rqh4> i used curl -X PUT http://couchbaseip:5984/db
18:13 <+catphish> electricmilk: really? if that's you you need to seriously rethink how you're storing your data
18:13 < rqh4> now what kind of request is being sent
18:13 < tds> for ransomware just store everything on a fileserver with snapshots, then you can easily rollback/restore from backups/whatever
18:13 < electricmilk> I mean we do have cloud backups and whatnot but still...
18:13 <+catphish> electricmilk: don't store data in one place where it can be erased, or even writable from a single location
18:13 < electricmilk> Having to get on 50 workstations and restore everything would equal a lot of downtime
18:13 < Wulf> Good Morning.
18:14 < ||cw> electricmilk: keep re-thinking. redirect docs and desktop to the network.
18:14 < tds> if your critical data is on those workstations, you're probably doing it wrong
18:14 < electricmilk> Its not SUPPOSED to be.
18:14 <+catphish> keep docs on a server, backed up offsite
18:14 < Wulf> In Linux, is there a possibility to "NAT" an ipv4/tcp connection to ipv6/tcp without using a user space proxy?
18:15 < electricmilk> Just yesterday I was in the middle of encrypting an HD with veracrypt when we had a power outage. It was a darn Seagate 7200.12 and crashed. Staff member was NOT saving files to fileshare as company policy..now she is convinced it was veracrypt that caused it.
18:15 < ||cw> Wulf: that's not NAT anymore
18:15 < electricmilk> Getting the click of death. Ugh
18:15 < Wulf> ||cw: guess one could call it NPT?
18:15 < tds> Wulf: if you don't want to do it in userspace, you can use jool to do it in a kernel module ;)
18:15 < Windy> any palo alto users here?
18:15 <+catphish> electricmilk: better training i guess :(
18:16 < electricmilk> Yea. I sent out a reminder email and on Friday we have a staff meeting where I'll go into detail
18:16 < electricmilk> I wish we had the server space for roaming profiles
18:16 < Windy> electricmilk: roaming profiles != folder redirection
18:16 < ||cw> roaming can be a pain, but redirecting my docs is easy
18:17 <+catphish> or just use google docs :)
18:17 < Wulf> tds: will have a look, thanks
18:17 < electricmilk> redirecting is built-in right?
18:17 < tds> Wulf: if you don't mind userspace, tayga works as well
18:17 < electricmilk> We actually get $5,000 a year in Azure for free
18:17 < Windy> yep, it's done via GPO
18:17 < tds> what are you actually trying to do here though?
18:17 < electricmilk> I should just setup something with azure...folder redirection to Azure server or something
18:18 < Windy> i've done folder redirection with onedrive. it worked most of the time, but if it ever got out of sync it was a pain, especially for large folders
18:19 < Windy> if you just spin up a fileserver in azure that could work though
18:21 < Wulf> tds: I'm considering building an overlay network for my docker cluster where the docker containers only speak ipv6. If a connection from the internet arrives with ipv4, it somehow needs to be translated to reach e.g. a webserver container.
18:22 < tds> ah, I do something similar, I'd just drop a reverse proxy in front of the entire thing if it's all http/ssl
18:23 < Wulf> tds: of course that would be the obvious solution. That's why I'm looking for alternatives :-)
18:23 < tds> nat64 works nicely for allowing outbound connections from a v6-only network to the v4 world, but if you want to do incoming connections you either need to map individual ports or have a 1:1 mapping between v4 and v6 addresses which is a bit rubbish
18:24 < tds> do really your only option is something that can look at the http host header or sni hostname and forward based on that, unless you want to eat lots of v4 space
18:24 < tds> s/do/so
18:26 < Wulf> tds: yep. I'm trying to work around this with ipv6, but most clients are still on v4.
18:26 < Wulf> tds: is there any userspace proxy aside from haproxy which can forward connections based on SNI?
18:27 < Wulf> tds: while maintaining end-to-end encryption, the proxy mustn't terminate tls.
18:27 < tds> I use sniproxy (mainly because the configs are far shorter and I'm lazy), I think nginx will do it as well
18:29 < tds> keep in mind you probably also want support for proxy protocol to preserve original source ips, otherwise you have to match up timestamps in logs to follow requests which is a pain
18:30 < Wulf> tds: uh... right. Completely forgot about that. But I'm not sure if I actually need those src IPs.
18:31 < tds> I still don't bother with it, I really should now that sniproxy and apache have native support though I think
18:31 < Wulf> tds: there's probably no way to accept() a tcp connection, recv the client hello and then ask the kernel to NAT it somewhere else?
18:32 < tds> hmm, I'd never considered that, it would be very neat if you could get it to work though
18:32 < tds> I guess you may also need to do some modification of sequence numbers?
18:34 < Wulf> tds: probably no way around that. Well, could invent a tcp option to force the target tcp server to start from a given sequence
18:40 < Wulf> tds: actually, there are syn cookies. If the proxy knows how to compute them, it could work.
18:43 < tds> Wulf: if there's a jool mailing list/similar, it may be worth asking there
18:43 < tds> since those will be the people who have experience with implementing half of this
18:49 < dnanib> Doesn't haproxy do something like that?
18:49 < dnanib> (accept() a tcp connection, recv the client hello and then ask the kernel to NAT it somewhere else)
18:50 < Wulf> dnanib: not that I know of.
18:52 < dnanib> There was some iptables magic involved. If this discussion is about the feature I'm thinking of.
18:52 < Wulf> There's "TPROXY", but not sure how it works
18:54 < Wulf> https://github.com/torvalds/linux/blob/master/Documentation/networking/tproxy.txt
18:56 < Razva> guys I'm going crazy here. I'm trying to run an iperf on two machines, with no firewall, and it just throws me "connect failed: No route to host". I've tried to specify the IP, another port, nothing.
18:57 < dnanib> Both nodes on same subnet? Could be iptabled.
18:57 < dnanib> iptables
18:57 < Razva> two different subnets
18:57 < dnanib> Then of course, look at the router between the two subnets :-)
18:58 < dnanib> Do a traceroute from one host to the other, to start with
18:58 < Razva> ping works, traceroute works
18:58 < dnanib> Hmm. Firewall most likely. Tried tcptraceroute?
18:58 < tds> Wulf: I guess it may also be worth asking in #Netfilter (and #haproxy if it exists?), people there may be more familiar
18:59 < Wulf> tds: I might when I decide that I actually want/need those features. Which is unlikely :)
19:00 < Razva> dnanib: tcptraceroute works as well
19:00 < tds> Wulf: fair enough, I can imagine you need to hit quite high traffic levels before handling it in userspace starts to become an issue
19:01 < dnanib> What was your tcptraceroute invocation?
19:03 < dnanib> It was: mark incoming traffic to the loadbalanced/proxied service via the mangle table; use policy routing to route the marked packets differently, some haproxy config stuff, mandatory routing of return traffic through the haproxy box. Sorry can't be clearer than that. I looked this up many years ago
19:05 < Wulf> tds: I'm hoping for lots of traffic. But there are tighter bottlenecks.
19:05 < Razva> dnanib: can you please check PM?
19:06 < tds> Wulf: adding more proxies would also likely be an easier solution (at least to start with)
19:10 < krzee> Razva: i agree with them that its either routing or firewall
19:10 < krzee> since you can ping, firewall
19:11 < Razva> yeah, tried on 6 different machines on different ISPs
19:11 < Razva> iperf -s on server, iperf -c server.ip -d
19:11 < Razva> doesn't work on any
19:11 < Razva> so either iperf is broken on Centos7 repo or the commands changed :\
19:11 < krzee> iptables-save -c
19:12 < tds> I'd also check if you're able to open udp connections between the same machines on the same port with netcat or something
19:12 < tds> in case you're doing policy routing of udp only or something crazy like that
19:13 < krzee> well policy routing of udp only would be in the firewall wouldnt it?
19:15 < tds> can't you do it based on ip protocol with ip rule iirc?
19:15 < krzee> ya but that would affect ping
19:16 < tds> yeah, option is ipproto, so you could make it policy route only udp and not icmp
19:16 < krzee> but udp only afaik you'd need to use the firewall
19:16 < tds> seems a bit unlikely though
19:16 < krzee> oh im missing that in ip rule add help, believe you tho i know theres a lot of options lol
19:17 < tds> yeah, it wasn't in the man page on my desktop for some reason, you can see it here though: http://man7.org/linux/man-pages/man8/ip-rule.8.html
19:17 < krzee> hey there it is!
19:17 < tds> :)
19:19 < krzee> protocol PROTO
19:19 < krzee> the routing protocol who installed the rule in
19:19 < krzee> question. As an example when zebra installs a rule it
19:19 < krzee> would get RTPROT_ZEBRA as the installing protocol.
19:19 < tds> ah, hadn't noticed it can do that before, neat
19:19 < tds> but the option I was thinking of is ipproto
19:20 < krzee> oh right
19:21 < krzee> hah he left the channel *shrug*
19:21 < krzee> thats what i get for lifting my /ignore on webchat hosts
19:22 < krzee> was going to tell him to include ip rule show, but my client wouldnt tag him lol
19:26 < shtrb> What are TXT records with TM_MDM_SERVER=IP ?
19:28 < dnanib> TM = Trend Micro. MDM = Mobile Device Manager or some such. Basically their suite of mobile security products.
19:30 < shtrb> thanks , now I'm even more clueless :)
19:32 < ntd> shtrb, mdm: mobile device management. your employer's way of tracking/"managing" your phone :)
19:33 < ntd> never accept a corp phone :)
19:34 < shtrb> It's a landline :D
19:34 < shtrb> actually SIP client
19:34 < shtrb> in a fancy box
19:34 < dnanib> But the TXT record is in some sort of DNS server, right?
19:37 < shtrb> dnanib, I thought TXT records are info only (not actual servers)
19:38 < dnanib> TXT records are just that; text. Different systems use those for different purposes.
19:38 < dnanib> Since it is free text you can put anything in there
19:38 < shtrb> so I don't understand your question
19:39 < dnanib> Hmm. I was asking where you encountered this TXT record that specified a TM_MDM_WHATEVER
19:40 < shtrb> ah , dig'ing a domain (which I have issues connecting to )
19:42 < shtrb> dig -t ANY +noall +answer service-provider-gateway.corp.com
19:44 < Apachez> ERROR: service-provider-gateway.corp.com not found
19:44 < dnanib> Yep. So that is what I said too. Your dig contacted a DNS server and the TXT record was configured there.
19:44 < shtrb> that was an example ... (not the actual domain)
21:00 < Wixy> Is anybody familiar with load balancers and/or with Cloudflare?
21:01 < fryguy> Wixy: just ask the question you really want to ask
21:03 < Wixy> The thing is I'm running some real time application on a server (one of the many around the world), that I know is in the same region as a 3rd party server I use. the problem is cloudflare is in between and I want to understand more how it works, with the intention of somehow getting rid of it (if possible) and connecting to the server directly
21:03 < Wixy> when I open a socket and establish a connection to 3rdparty.com, that domain actually points to cloudflare
21:03 < Wixy> so I connect to them, and I'm guessing all the traffic passes through them?
21:04 < Wixy> that's probably adding 5-15ms to my latency
21:04 < electricmilk> Darn HP switches. Running HP-2530-48-PoEP and the clock keeps setting back to the incorrect time. I set the time from CLI. Type show time and its correct..then a few minutes later it goes back to incorrect time but has the right date. Confirmed NTP is not enabled. Any ideas?
21:04 < electricmilk> Possibly I need to set the time zone??
21:05 < tpr> Wixy: it works as a reverse (maybe caching) proxy for web-sites
21:06 < Wixy> tpr, is it possible to get rid of it?
21:06 < Wixy> not sure I can somehow get the ip of the real server
21:07 < Wixy> this latency is killing my application, I need to find a way around it
21:08 < electricmilk> ah yea it looks like the timezone did it
21:08 < electricmilk> darn HP switches ugh
21:08 <+catphish> Wixy: the only solution is to contact the owner of the other site and ask for a direct connection, they will likely refuse though
21:09 <+catphish> Wixy: there is no way you can connect to the backend server without asking for its address
21:09 < fryguy> Wixy: i'm sure cloudflare is adding less latency than you think, and one of the main points behind cloudflare is to explicitly hide what the origin ip address is
21:09 < Wixy> they added cloudflare recently, I know the latency was way lower a few weeks ago
21:10 <+catphish> Wixy: 5-15ms is pretty negligible in most http applications
21:10 < Wixy> I know, but not for me
21:10 <+catphish> what are you doing?
21:10 < Wixy> the latency I'm seeing right now is 24ms on avg
21:11 < Wixy> so even 10ms is nearly half of that
21:11 <+catphish> in any case, all tou can do is contact whoever runs the service, tell them your latency has increased, and ask if you can have a more direct connection
21:11 <+catphish> *you
21:11 < Wixy> will do, I doubt they'll do anything as you mentioned
21:11 < Wixy> and btw, I think maybe there's a workaround
21:12 < tds> you may be able to try connecting from multiple locations, and work out where the backend server is hosted from the latency
21:12 <+catphish> there's no workaround unless you know the IP of the backend server
21:12 < tds> well, unless you can persuade it to tell you I guess
21:12 < fryguy> tds, assuming that anycast DNS doesn't affect that
21:13 <+catphish> they may tell you if you ask
21:13 < Wixy> I know in this region they have 100s of servers, all requests go through the same socket so once I establish the connection that's it. but what if I connect many times, checking what the latency is on each socket, and keep the one with the lowest?
21:13 <+catphish> some people use CF to hide their servers, many just use it as a CDN so they may not mind
21:13 < Wixy> that should work I believe, provided with enough trials I'll be connected to one server that is the closest to me
21:13 < Wixy> don't know, what do you think?
21:13 <+catphish> that seems insane
21:13 < Wixy> why?
21:14 < Wixy> I can try opening let's say 100 connections, and keep the one that is the closest
21:14 < Wixy> the fastest *
21:14 <+catphish> i can't think of any reason why that would work
21:15 <+catphish> but even if it did, thats crazy hacky, compared to just discussing the matter with the provider
21:15 < Wixy> why wouldn't that work? if I open one connection, CF would connect me to server A, I open another one, now it's server B
21:15 < Wixy> server B may be on the same datacenter my server is
21:15 <+catphish> sure, but i don't see why one backend server would be consistently faster than another
21:15 < Wixy> catphish, I will discuss the matter with this company, I just don't think they'll give me a special deal
21:15 <+catphish> it just doesn't seem likely someone would loadbalance between different data centres in that manner
21:16 <+catphish> especially in a scenario where dynamic data is involved
21:16 < tds> fryguy: I worded that badly, I just meant that cloudflare is anycast but may always be proxying to the same backend server, so you can compare the latency of requests between locations and work out where the backend servers are
21:16 <+catphish> its not impossible, just unlikely
21:16 < tds> that's assuming it's all through to a single backend server though, and it sounds like that's not the case
21:16 < Wixy> I want to understand why it wouldn't work.
21:16 <+catphish> and you'll likely always hit the closest cloudflare proxy anyway
21:16 < Wixy> can you explain further please?
21:16 < fryguy> i'm not even sure what we are trying to make work?
21:17 < fryguy> some mythical low-latency connection to some server that we know nothing about?
21:17 <+catphish> i dont understand why they'd be loadbalancing between backends in different data centres
21:17 < fryguy> i'm not sure we can possibly provide fewer details
21:17 <+catphish> but even if they were, you'd still have to go via cloudflare, which is what you said was the problem in the first place
21:17 < UncleDrax> now that's what I call a Sticky situation!
21:18 < Wixy> i dont understand why they'd be loadbalancing between backends in different data centres
21:18 < Wixy> I see your point, maybe they don't ^
21:18 <+catphish> what is the service anyway?
21:18 < Wixy> it's binance api
21:18 <+catphish> i'm intrigued to know what you need sub-10ms http for? crypto currency trading?
21:18 <+catphish> that's pretty much the only use case i see for this :)
21:18 < Wixy> :)
21:19 < tds> is api.binance.com meant to be a welcome to nginx page? ;)
21:19 <+catphish> i'm sure they are aware people want low latency
21:19 <+catphish> to contact them, complain it's increased, see if they can help
21:19 <+catphish> *so
21:19 < UncleDrax> ugh day trading. /unsubscribe
21:20 < Wixy> they added CL for a good reason, I really really doubt they're going to do anything about it
21:20 < Wixy> but you're right CL is probably balancing between many servers on the same datacenter
21:20 < Wixy> so in that case I understand any server would do just fine, right?
21:20 < Wixy> I mean, if I connect to a server that is low in load, then fine, I get a fast connection
21:21 <+catphish> Wixy: one thing *you* can do is test the response time from as many places as possible, get close to the CF proxy that's close to the backend!
21:21 < Wixy> but CL will start sending more clients there, and it'll... balance and average
21:21 < Wixy> catphish, you're a genius
21:21 < tds> nasty thought, you could probably try and work out where the backend(s) are with ripe atlas
21:21 <+catphish> Wixy: i am, but this is still a tedious process :)
21:22 < Wixy> actually if I cannot get rid of CL, it makes a lot of sense to get close to THEM not to the server itself
21:22 < fryguy> required watching: https://www.youtube.com/watch?v=kpvbOzHUakA
21:22 < adleff> asked before didn't get any hits
21:22 <+catphish> Wixy: exactly
21:22 < tds> you want to be closest to a cloudflare node which is closest to a/the backend
21:22 < adleff> does anyone know if Link Fault Signaling is mandatory on 10G interfaces?
21:22 < adleff> I'm wondering if UDLD or whatever vendor equivalent is really necessary on 10G optics
21:23 <+catphish> api.binance.com is slow as fuck from here
21:23 < tds> Wixy: also, just to confirm, how are you measuring latency?
21:23 < Wixy> it's 19ms-30ms with a confidence interval of 99.9% here
21:23 < tds> since pinging the cloudflare ip will only get you half the picture
21:23 <+catphish> 400ms from here!!
21:23 < DammitJim> for WiFi AC5300...
21:24 < DammitJim> what is the potential speed between a laptop and an access point?
21:24 < Wixy> tds, I'm actually sending requests and measuring round trip times
21:24 <+catphish> wherever that server is, it sucks :)
21:24 < tds> cool, just thought I'd make sure :)
21:25 < Wixy> I know they're in just one location in AWS
21:25 < Wixy> err, I mean region
21:25 < fryguy> api.binance.com is also cloudfront, not cloudflare...
21:25 < Wixy> but I'm guessing they have multiple datacenters there right?
21:25 <+catphish> oh yeah
21:26 < Wixy> you're right
21:26 <+catphish> well i'm 1ms from cloudfront, and a request to api.binance.com takes 350ms :)
21:26 <+catphish> so, i guess they're a LONG way from cloudfront's london proxies
21:26 < Wixy> yep, they're in Tokyo
21:26 < Wixy> you're right, it is cloudfront!
21:27 < Wixy> does it change anything we have been talking? 21:27 <+catphish> no 21:27 < fryguy> i'm in eastern US and getting pings of 12ms and making http requests in 70 21:27 <+catphish> same thing applies, get as close to the tokyo cloudfront as possible, or ask for direct access 21:27 < fryguy> so i'm pretty sure it's not actually in tokyo 21:27 <+catphish> i get ping of 1ms and https in 350 :| 21:28 < fryguy> oh, it's doing the tls redirection at the edge instead of at the origin, I see 21:28 < tds> hah, that would do it 21:28 <+catphish> https://paste.ubuntu.com/p/W8pFDh2FDN/ 21:28 <+catphish> fryguy: yep 21:28 < fryguy> also seems like their caching is off and they are sending the wrong headers, since static pages are always a miss on cloudfront 21:29 < fryguy> aka, some pretty basic mistakes going on here 21:29 <+catphish> its an API, there'd be no point caching 21:29 < fryguy> catphish: why not 21:29 <+catphish> it's an authenticated realtime data API 21:29 <+catphish> it's just not gonna get cached 21:30 < fryguy> hrmm, maybe 21:30 < Wixy> btw, may that happen that amazon has multiple datacenters in tokyo and my instance is running in the wrong one? 21:30 < Wixy> that would also explain why the latency has increased 21:30 <+catphish> Wixy: you can easily trace the route to the proxy 21:30 <+catphish> and then gete closer :) 21:31 < fryguy> there are multiple availability zones in tokyo 21:31 < Wixy> http://paste.debian.net/plain/1029948 21:32 < tds> surely you can do better than that :) 21:32 < Wixy> it's 30 hops away 21:32 <+catphish> that's a really poor route 21:33 <+catphish> that's 20, not 30 21:33 <+catphish> but that's poor 21:33 < Wixy> why does it say 30 at the top? 
21:33 < Wixy> well, that's not the point, it's a lot of hops anyway
21:33 < fryguy> max
21:33 <+catphish> mine is 9 hops away, and only 1ms
21:33 <+catphish> the time is more important than the hop count
21:33 <+catphish> "30 hops max" max means max
21:34 <+catphish> but it reaches it in 30
21:34 < Wixy> mine is 9 hops away, and only 1ms
21:34 < Wixy> from london? wtf?
21:34 < tds> that's just to the proxy though
21:34 <+catphish> that's just to cloudfront's london proxy
21:34 < tds> I'm seeing similar latency from london, http requests are super slow though
21:34 < Wixy> oh I see
21:34 <+catphish> it's another 350ms for an actual https request
21:35 < Wixy> so any idea about how to get it better?
21:35 <+catphish> i wonder why it takes so many hops (8) to get through amazon's network
21:35 < Wixy> (not just a better route to the CF proxy, that won't help unless the CF server is close to the real server)
21:35 <+catphish> i guess amazon use a LOT of routers, but they're fast
21:35 < qman__> You can't, the rest is up to them
21:36 <+catphish> you can't move CF closer to the destination
21:36 <+catphish> well actually you can
21:36 < tds> I see quite a few hops that don't reply with ttl expired inside amazon, which is interesting
21:36 < Wixy> but there are multiple CF, I need to find the closest to the destination, not move it
21:36 <+catphish> by finding a closer CF proxy
21:36 < Wixy> that's what I meant
21:36 <+catphish> yeah, you need to find the closest one, then get as close to that as possible
21:36 <+catphish> as i said earlier
21:37 < Wixy> I know, but that's an abstract plan, I need steps :P
21:37 < Wixy> ie, I don't know how to do that
21:37 < qman__> fire up instances in each region and test
21:37 <+catphish> mostly trial and error and guesswork
21:37 < Wixy> but I know the region, it's in northeast-1
21:38 < tds> being able to run vms inside the provider's network charged hourly is a pretty ideal situation for this kind of thing :)
21:38 < Wixy> there should be the closes CF and the actual server
21:38 < Wixy> closest*
21:38 < qman__> Cloudfront by its nature is not particularly low latency
21:38 < Wixy> I mean, it's impossible that they don't have a CF in tokyo, right?
21:39 <+catphish> you may be able to negotiate something better with binance though, plus their API is new, they may be keen to improve things
21:39 < fryguy> they do have CF in tokyo
21:40 < Wixy> then why it takes 20 hops to reach it? it's probably even running on the same datacenter my instance is running
21:40 <+catphish> it's probably not
21:41 < fryguy> because cloudfront is on the edge, so what's happening (among other things), is your traffic goes OUT of your data center, out to cloudfront, and then back into the datacenter
21:41 <+catphish> amazon have a lot of hops, but not 20 in the same DC
21:41 < fryguy> and it's probably only sometimes in the same datacenter, since there are multiple availability zones, and depending on what cloudfront is hooked up to, might be making connections to multiple different AZs per request
21:41 <+catphish> and again, hops is not key, latency is
21:42 <+catphish> wait, are you on EC2?
21:42 < Wixy> yes
21:42 <+catphish> if so, you really should be able to get close to CF, they're both run by amazon
21:42 < fryguy> catphish: he put an EC2 instance in tokyo trying to get a better connection to this
21:42 <+catphish> well all you can do right now is try different zones
21:42 < Wixy> let me see if I'm getting it right. we all (my instance, binance and CF) are running on the same region, but we may be in different availability zones
21:43 < Wixy> what I need to do is try different AZ until I get one with the least number of hops
21:43 < fryguy> yes, and it's extremely likely that binance has multiple servers spread across the availability zones
21:43 < Wixy> ie, closest to a CF proxy
21:43 <+catphish> not least hope, lowest latency
21:43 <+catphish> *hops
21:43 < Wixy> well, that
21:43 < Wixy> I agree
21:43 < tds> it's worth testing latency of http requests as well while you're at it
21:44 < tds> since that's what you actually care about
21:45 < Wixy> right, actually I was going to ask just that. I'm not sure what number of servers they have or what number of proxies CF have, but it may be the case that the closest CF proxy is not the closest to one of binance servers right?
21:45 < tds> sure, that's possible
21:45 < tds> just try various locations and see how it goes :)
21:45 < fryguy> it depends on the request, it's going to be load balanced across multiple backends
21:45 * catphish knits now
21:45 < Wixy> so I should definitely check the latency to binance in different availability zones, not the latency to CF in a traceroute
21:46 < fryguy> different availability zones isn't going to help you
21:46 < fryguy> (probably)
21:46 < Wixy> why not?
21:46 < fryguy> because binance is going to have servers in each availability zone, and cloudfront is going to load balance across all of them
21:46 < qman__> The connection is indirect anyway
21:46 < fryguy> again, (probably)
21:47 < Wixy> if that's the case I should be the closest to CF, regardless of it being the closest to one of binance servers
21:47 < fryguy> Wixy: cloudfront isn't just one server
21:47 < fryguy> there's going to be multiple cloudfront servers as well, spread across the availability zones
21:48 < Wixy> I know, I meant the closest to one of CF servers
21:48 < fryguy> DNS is going to have you be equally close to multiple CF servers, probably across AZs
21:49 < Wixy> ok, I'll do some tests and come back with actual numbers. thank you all!
21:49 < Wixy> quick last question, what number of hops would be "normal"? you said 20 was too many, catphish
21:50 < Wixy> out of curiosity, I know it's not that important
21:52 < fryguy> 10-20 hops is pretty normal for an internet service like this. if you can bypass cloudfront and get the equivalent of a "peering" agreement (HUGE emphasis on quotes around peering there), you'd be <5 hops
21:52 < matt|class> hi. couple questions.. the place im moving to requires uh.. fiber optic internet and it's been a while since i've done any setup.
21:52 < Wixy> got it
21:53 < matt|class> the ISP will provide me with what most likely.. modem/router combo? do i need a modem for fiber optic?
21:53 < fryguy> no modem for fiber optic
21:53 < matt|class> just a router
21:53 < tds> it seems that cloudfront have lots of hops inside their network anyway, as catphish mentioned earlier
21:53 < fryguy> probably, depends on how things are set up
21:53 < tds> ie from london I've got amazon's router on lonap as my second hop, but don't hit the actual cloudfront proxy until hop 11
21:54 < UncleDrax> or a Fiber->Copper media converter if you need it as a copper handoff
21:54 < tds> still nice and fast though, <1ms :)
21:54 < matt|class> mkay. well im doing the majority of the setup for security reasons.. now i want to separate myself from the people im sharing the network with -as much as possible- (my roommates). what is the easiest/cheapest method to do this? can i just buy something like a switch that has uh.. what's it called, different domains or vlans or whatever
21:54 < matt|class> and be done with it?
21:55 < UncleDrax> matt|class: what is the ISP physically handing you to connect with? and what is the service that comes out of it (Internet?)
21:55 < matt|class> i don't know yet, it hasn't been set up. all i have is the name of the ISP provider
21:56 < matt|class> let me check if they list anything
21:56 < bray90820> Not sure if this is the right channel for this but how would I create a loopback exemption for a windows 10 app
21:56 < fryguy> matt|class: what is the provider?
21:56 < fryguy> is it a residential thing like comcast gigabit or verizon fios, or frontier, or somebody else?
21:57 < matt|class> something called fision hotwire. shitty horrendous reviews, but it's required for the location
21:57 < matt|class> never heard of them down here honestly
21:57 < UncleDrax> ya is that *something else a Dorm-style campus housing thing
21:57 < matt|class> https://gethotwired.com/
21:57 < tds> "EXPERIENCE THE POWER OF FIBER OPTICS" lol
21:58 < matt|class> okay. im really hoping this data isn't capped because it's telling me 20 mbits a second and "up to 1 gigaBIT of data" <-- if that's true and the monthly allotment
21:58 < matt|class> im going to shove my roommates heads up their asses for making me do this
21:58 < UncleDrax> tds: ya.. marketing people are idiots
21:59 < matt|class> fryguy - their website tells me nothing.
21:59 < tds> I'm in a similar situation though, I just have the shared network on an isolated vlan, my routers have interfaces on that vlan and establish vpn connections over it, but all the actual traffic goes via my own routers over the vpn
22:00 < tds> also means that you can nicely move your own network around between different providers, stick it behind some nat mess, whatever, and everything will just keep working
22:00 < Apachez> Microsoft.WindowsAzure.Storage.Core.Executor.Executor.ExecuteSync(RESTCommand`1 cmd, IRetryPolicy policy, OperationContext operationContext) in c:\Program Files (x86)\Jenkins\workspace\release_dotnet_master\Lib\ClassLibraryCommon\Core\Executor\Executor.cs:677
22:01 < fryguy> matt|class: you are gonna be in for a bad time
22:01 < UncleDrax> matt|class: so ISP aside, you're basically going to move into a house, get a common uplink, and you want to basically create a house-wide network and isolate each user?
22:01 < UncleDrax> trying to make sure I understand the scope of the question
22:01 < matt|class> tds - well.. my primary concern is that this is for work, and i have no idea what kind of bullshit sites my roommates visit or what activity they have. i want their network to be as far away from mine as possible with the least likelihood of something like:
22:01 < matt|class> them being infected by a super advanced worm or something , as long as im not touched by it
22:02 < matt|class> im going into extremes here but
22:02 < matt|class> fryguy - why do you say that?
22:02 < UncleDrax> sure, but sounds like you want to basically run your own enterprise network inside the house right?
22:03 < fryguy> oh, if you just care about the internal stuff, then yah just do vlans. pretty straightforward, especially if things are wireless
22:03 < matt|class> something like that i guess. if i plug them into their own vlan separate from mine, they can't touch me right?
22:03 < UncleDrax> ya - and most switches have some sort of VLAN isolation / Private VLAN or something. but you will likely need to talk to the same Router.. so there'll be some muckery with side of it.
22:03 < tds> well at that point they'll be completely isolated at layer 2, you'll need a router with interfaces on multiple vlans if you actually want to reach the internet though
22:04 < fryguy> it becomes a firewall question at that point, they'd have to go through a router/firewall to touch you
22:04 < Phil-Work> matt|class, a lot of switches support port isolation
22:04 < Phil-Work> so ports in the same VLAN can only "talk" to a defined set of ports (usually the one connected to the router)
22:04 < Apachez> its named differently
22:04 < Apachez> most manageable switches support this
22:04 < Phil-Work> or you can do different VLANs, but that's a bit more of a faff
22:04 < matt|class> well im looking at the cheapest most practical method. if im being given a router by the ISP it's very likely it'll only have one port to plug a switch into
22:04 < Apachez> called port isolation, protected vlan etc
22:04 < Apachez> private vlan is a different thing
22:05 < adleff> cisco has a feature called protected port which is much easier to do than private vlans
22:05 < adleff> and would achieve isolation without multiple subnets
22:05 < matt|class> so just to make sure i understand it correctly..
22:05 < tds> for that situation I guess you have to make sure that the router won't reflect traffic back between devices on the same subnet as well
22:05 < Apachez> adleff: thats protected vlan
22:05 < Apachez> aka "switchport protected"
22:05 < matt|class> if i buy something like a cheapass old cisco switch or whatever that has vlans, i can just plug the output port into the router, and myself on one vlan and them in another vlan and that'll just work? or is it more complex than that
22:05 < Apachez> an interface which is "switchport protected" cannot speak to other "switchport protected" within the same vlan
22:06 < Apachez> on the same unit that is
22:06 < adleff> Apachez, is that not....what I said?
22:06 < UncleDrax> matt|class: it's more complicated
22:06 < Apachez> common rookie mistake is that you forget acl's
22:06 < matt|class> aight
22:06 < tds> matt|class: that'll get you all isolated, nobody will be able to reach the internet though ;)
22:06 < Apachez> so clients at sw1 cannot speak to another client at sw1
22:06 < matt|class> what cost am i looking at for a switch..
22:06 < Apachez> but they can speak to all clients at sw2
22:06 < Phil-Work> matt|class, more complex. The router needs to be in both VLANs which means you need two subnets on the router and (probably) 802.1q support on the router
22:06 < Apachez> and clients at sw2 cannot speak to another client at sw2
22:06 < Apachez> but they can speak to all clients at sw1
22:07 < Apachez> because protected vlan is only within a switch
22:07 < UncleDrax> matt|class: so actually depending on the number of ports, this might all be things you can do in a single $60 Mikrotik or something. how many room-mates?
22:07 < Phil-Work> matt|class, how fast is the proposed Internet connection?
22:07 < matt|class> 2 + me
22:07 < matt|class> according to the website 20 mbits download, dunno upload speed
22:07 < UncleDrax> ya.. we're in $60 MT land
22:08 < Phil-Work> so you can get away with a 100mbit switch - they're 10 a penny on eBay
22:08 < Phil-Work> you can get 48 port Ciscos for $30
22:08 < matt|class> mkay. that's not too terrible.
22:08 < Phil-Work> albeit they're maybe a bit louder/hotter than you'd be comfortable with
22:08 < matt|class> it's going in one of their closets, i don't care
22:09 < UncleDrax> at this point, I would contact the ISP and specifically ask what is provided HW/demarcation. call their hell desk and tell them you're a new user just waiting for service and you want to know what is compatible or provided.
22:09 < jge> hey all, got a quick question regarding 802.3ad the ieee presentation here: http://www.ieee802.org/3/hssg/public/apr07/frazier_01_0407.pdf (Slide 7) says it does not increase bandwidth for a single conversation, is this for a single TCP stream or source mac ?
22:09 < UncleDrax> if they only provide a media-converter and you have to have a Router anyway, then that changes what you need to buy
22:10 < Phil-Work> jge, depends how it's hashed on the devices
22:10 < matt|class> UncleDrax - yeah. the apartment has a wall panel where theoretically everything's supposed to be connected but it's screwed on.. i can only assume that's the demarc point for them. so it'll be a few days i guess
22:10 < Phil-Work> most these days will hash layer 4 so you may get different links for different TCP flows
22:10 < matt|class> since im moving on the 30th
22:10 < Phil-Work> then again, two flows may hash to the same thing and share a link
22:10 < UncleDrax> jge: in short, as the convo prob says, if you LACP 4x 1G links, no single conversation (again by hashing method) can be > 1 Gigabit in size.
22:11 < linux_probe> more like "link aggravation"
22:11 < UncleDrax> matt|class: ya.. seriously call their hell/help desk and just ask
22:11 < jge> Phil-Work: I wonder what it is on Juniper QFX switches
22:11 < UncleDrax> 'What is your standard demarcation device?' once you get a model/make, you can figure the rest out via spec-sheet
22:11 < matt|class> mkay
22:12 < Phil-Work> jge, it's configurable
22:12 < Phil-Work> sec
22:12 < jge> I remember reading is L2 by default
22:12 < matt|class> i haven't even set them up yet, i'll do it this week. thanks for the help guys
22:12 < jge> UncleDrax: got it, I'm just not sure what they mean by single conversation..
22:13 < matt|class> dnet: Failed to open device lo0 <-- unrelated.. trying to nmap my class's network.. im guessing this is probably related to privileges?
22:13 < Phil-Work> jge: https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/interfaces-lag-hashing-fields-configuring.html
22:14 < jge> I read that as single streams, I have a 20G MC-LAG (Juniper here) to a bonded 20G interface on a linux server but they're only seeing 10G (it only ever uses one leg of the MC-LAG)
22:15 < jge> it's a load balancer, and I noticed that all traffic is being generated by a single host behind this load balancer
22:16 < linux_probe> sounds like someone has learned the pitfalls of LAG
22:21 < Lope> is UTP and STP the only type of wired network that exists today?
22:21 < Lope> Many years ago I used to setup daisy chain networks, with BNC connectors, 10mbit using PCI network cards.
22:21 < jge> The set up looks like this: https://ibb.co/m0hDaJ
22:22 < Wixy> what? I still didn't change the AZ of my instance and now traceroute reports 14 hops to CF (instead of 20 as before). how is that possible?
22:22 < Lope> That involved running a lot less cable than star configuration required by UTP these days, and often 10mbit was plenty fast enough.
22:23 < jge> I see traffic hitting the load balancer only on a single leg, returning on another , never using both
22:23 < Lope> https://www.ebay.com/sch/i.html?_nkw=bnc+network+card
22:23 < jge> and 10Gs of traffic coming only from a single backend server, same source mac, that's why I was asking whether this is expected..
22:23 < Phil-Work> jge, those two switches are clustered?
22:24 < Phil-Work> also, what OS is the LB?
22:24 < jge> Phil-Work: you could say that yea, juniper calls it MC-LAG
22:24 < jge> HA-Proxy
22:25 < Phil-Work> jge, on Linux?
22:25 < jge> HA-Proxy admin went as far as changing his hash algo to layer2-3 but still the same
22:25 < jge> That's right Phil-Work
22:26 < Phil-Work> jge, Linux supports "bond_xmit_hash_policy layer3+4" with ifenslave
22:27 < Phil-Work> that'll hash per TCP flow, which sounds like what you want here
22:27 < jge> but I thought l3-4 algo is not 802.3ad compliant
22:28 < Phil-Work> it works fine here with EX series switches
22:28 < UncleDrax> jge: a conversation is just an exchange of data between two endpoints. for HTTP it'd be your browser to www.example.com TCP Port 80.
22:28 < UncleDrax> jge: but for LACP, it's more about how you do hashing
22:29 < Apachez> no hash, no heroin ;)
22:29 < Apachez> no coke... dumdumdidum... dr alban!
22:29 < UncleDrax> jge: if you're doing hashing by L2, Server-to-Server conversation will only ever use 1 link (in a simple example)
22:29 < Apachez> https://www.youtube.com/watch?v=4uPDfuC3Jck
22:31 < Phil-Work> jge, looks like on QFX the default hash mode is "l2-payload" which seemingly goes down to L4 source/dest port which is what you want here
22:31 < jge> UncleDrax: that may explain why I'm seeing it only ever traverse one leg, all that 10G traffic is coming from the same server
22:31 < Phil-Work> unless you explicitly disabled some stuff per https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/interfaces-lag-hashing-fields-configuring.html
22:31 < grimm665> Can anyone help with what seems to be an ARP problem? I am having an issue very similar to this one: https://superuser.com/questions/1294114/after-some-time-has-passed-no-arp-requests-from-any-device-get-an-answer-over-w
22:31 < UncleDrax> jge: yeap, very likely the case.
22:32 < grimm665> No ARP responses seen by Wireshark over wifi after about 30 minutes. Ethernet seems to be unaffected.
22:32 < jge> backend server that is, juniper has this explanation for how it does hashing by default: By default, the hashing algorithm uses the values in the destination MAC address, Ethertype, and source MAC address fields in the header to hash traffic on the LAG
22:32 < jge> Phil-Work: hmm, yeah nothing we changed or disabled
22:33 < Phil-Work> change the haproxy server to hash layer 3+4 and see if that makes a difference
22:33 < furi> Does anyone have any ideas what could cause TCP to lose data when sending large data (5 MiB - 100 MiB) over the loopback? Wireshark is showing the following anomalous packets: TCP retransmission, TCP spurious retransmission, TCP Dup Ack, TCP Acked unseen segment, TCP previous segment not captured and I'm not getting all the data I'm supposed to at the other end
22:34 < jge> Phil-Work: yeah, we'll give that a shot.. although that disclaimer of not being fully compliant scares me a bit ;)
22:35 < Phil-Work> it depends on your traffic profile
22:35 < Phil-Work> for TCP traffic, you'll be fine
22:35 < jge> these guys using the server push +10Gbps over my network
22:35 < jge> bastards
22:35 < jge> :)
22:35 < Phil-Work> you need to be careful with the hashing when you care about the order that the packets arrive in
22:36 < Phil-Work> TCP handles out of order packets so you'll be fine doing 3+4 with HTTP
22:39 < jge> cool, will try that Phil-Work thank you both for the help
22:47 <+catphish> well tonight i learned how to knit :)
22:47 <+catphish> good times
23:36 < bray90820> If I wanted to connect my windows 10 tablet to my home network without connecting it to the internet would I just change the DNS?
23:36 < adleff> are you herkin' the derky
23:36 < bray90820> ?
23:41 <+catphish> bray90820: you'd remove the default gateway
23:41 < bray90820> catphish: Thanks
23:41 <+catphish> this will stop it sending any data out to the internet, but lan will still work
23:41 < Apachez> not sure whats going on here but I dont get any good vibes :S https://i.imgur.com/nhvZQ7B.gifv
23:42 <+catphish> trash clearing :)
23:42 < adleff> catphish, that might not work, the tablet might just send ARP for any ip
23:42 < adleff> and if the router is doing proxy arp ...
23:42 < tds> if the network has ipv6, remember to disable whatever your OS uses for receiving RAs and setting routes from that
23:42 <+catphish> adleff: it won't
23:43 <+catphish> adleff: afaik no OS will send arp for things it has no route to on a random interface
23:43 < tds> I guess if you made it a /0 on-link it would, but that's just stupid
23:43 < adleff> are you sure about that catphish :)
23:43 <+catphish> yes
23:43 < adleff> not all ip stack implementations are exactly the same
23:43 <+catphish> maybe some weird homebrew stack
23:43 <+catphish> but not windows/linux/bsd
23:43 < grawity> and then there's http://www.networksorcery.com/enp/protocol/bootp/option027.htm
23:43 < adleff> it sounds wrong, but I have seen unexpected behavior with host routing and ARP before
23:44 < adleff> just be careful
23:44 <+catphish> it would be improbable that both these conditions would be true, but not impossible
23:46 < adleff> man I'm doing my first integrated is-is lab
23:46 < tds> huh, only just noticed that my desktop is doing ecmp when it receives two RAs from different routers, that's new
23:46 < adleff> is-is REALLY does not want L1 to have routes by default
23:46 < adleff> there's a lot of manual intervention to make L1 receive L2 and beyond. lol
23:47 < adleff> tds, that's what you'd expect though right
23:47 < tds> network-manager used to set two routes with different metrics
23:49 < grawity> fwiw, Linux didn't *support* showing IPv6 ECMP routes as such until very recently
23:49 < tds> ah, I guess it may just be that then
23:50 < tds> surely they'd have the same metric if it was displaying them incorrectly though?
23:50 < grawity> you could add them, but they'd show up as two separate routes (though with identical metrics, I'm sure)
23:50 < grawity> and maybe your RA client didn't bother using them because it was a pain
23:52 < grawity> actual multipath route support (like IPv4 already had) was added in 4.11
23:52 < tds> ah, this has changed while on 4.15 I think
23:54 < tds> yeah, just tried an out of date ubuntu 18.04 vm, that has two routes with different metrics
--- Log closed Wed Jun 20 00:00:05 2018