--- Log opened Wed Jul 11 00:00:33 2018
00:17 < spaces> ||cw was it you in my bathroom lately ?
00:17 < spaces> didn't I lock the door ?
00:19 < ThatGuyYouKnowTh> So, would this be the right place to ask about, like, dial up?
00:23 < spaces> just ask
00:23 < ThatGuyYouKnowTh> Oh, sorry
00:24 < ThatGuyYouKnowTh> Well, is there an equivalent to ports?
00:24 < ThatGuyYouKnowTh> Like, could I run, say, some HTTP server alongside telnet or whatever along the same phone line?
00:24 < McDonaldsWiFi> Let's say my work has a very restrictive firewall/router and I'm trying to run OpenVPN through it... I tried to run it through 443 as TCP and it still didn't work..
00:24 < McDonaldsWiFi> any other ideas? :P
00:25 < spaces> McDonaldsWiFi McDonaldsWiFi blocks that
00:25 < McDonaldsWiFi> ;P
00:25 < spaces> only https and https are open there
00:25 < McDonaldsWiFi> I wish I could buy a McBypass
00:25 < spaces> *http
00:25 < ThatGuyYouKnowTh> McDonaldsWiFi: Just break in and replace the router :3
00:25 < McDonaldsWiFi> here's the shit part, it's actually AT&T managed LOL
00:25 < spaces> McDonaldsWiFi you get one for free if you eat too much fat there
00:25 < McDonaldsWiFi> management is trying to replace it with something we can manage soon
00:26 < McDonaldsWiFi> but shit I can't get my OpenVPN to work at all -.-
00:26 < McDonaldsWiFi> maybe I can try UDP port 53.....
00:26 < spaces> McDonaldsWiFi you simply can't
00:26 < McDonaldsWiFi> so
00:26 < McDonaldsWiFi> no go 100%?
00:26 < McDonaldsWiFi> No work around at all?
00:26 < spaces> you could try indeed DNS, dunno
00:27 < McDonaldsWiFi> I really thought routing it through 443 would do the trick xD
00:28 < Goop_> So I found an interview of Ajit Pai who was only one of the members from 2015, regarding the Net Neutrality issue. He says that Net Neutrality was not an issue; however, I do remember many articles and YouTubers with "life hacks" that told people that using a VPN would increase performance because ISPs couldn't really analyze the traffic.
00:28 < McDonaldsWiFi> the ISP landscape is a fucking joke :/
00:28 < McDonaldsWiFi> NN is a joke too, it's all a buncha shit :(
00:29 < Goop_> Are there any good sources I could find to put on my paper that say ISPs were throttling specific connections, resulting in the Net Neutrality thing in 2015?
01:34 < Johnjay> my battlenet games lag a lot when i also play a youtube vid at the same time
01:34 < Johnjay> even at low res
01:34 < Johnjay> is there some router setting i could tweak to fix this?
01:37 < light> run a speed test
01:38 < UltraPhil> >inb4 buffer bloat
01:40 < Johnjay> why
01:40 < Johnjay> i've already done that a lot
01:40 < Johnjay> i know my internet is bad
01:40 < UltraPhil> so, what's your result ?
01:40 < Johnjay> it's like 1Mbps
01:41 < UltraPhil> there you go
01:41 < UltraPhil> you didn't even need us :P
01:42 < Johnjay> well i want to traffic shape
01:42 < Johnjay> give youtube less priority and the port for bnet more priority
01:42 < Johnjay> is there a way to do that?
01:43 < UltraPhil> multiple, actually
01:44 < Johnjay> i'm using windows
01:44 < Johnjay> do i need to go into the router or can i change a setting in windows?
01:46 < rewt> bottleneck is router, so that's your best bet
01:54 < cluelessperson> Johnjay: 1Mbps cannot do HD video alone
01:55 < E1ephant> just ultra hd
01:55 < E1ephant> super mega hd
01:57 < spaces> E1ephant we already have unlimited HD
01:58 < E1ephant> increase the unlimited hd
02:07 < Johnjay> i never said hd
02:07 < Johnjay> i have it on lowest setting
02:08 < Johnjay> i'm fine with letting it buffer
02:08 < Johnjay> but it still interferes too much with my game
02:09 < E1ephant> yeah outside of shaping it down to 80% of your connection, buy more bandwidth?
02:09 < Johnjay> that's not an option at the moment
02:09 < Johnjay> and also doesn't answer my question
02:09 < Johnjay> can I manually shape traffic in my router or on my pc and if so how?
02:10 < Johnjay> if you don't know just say you don't know
02:10 < Johnjay> it's not a crime
02:10 < E1ephant> >tell me how to configure my device but also guess what kind of device
02:10 < E1ephant> so I would use mind controller
02:10 < E1ephant> given the details provided
02:12 < E1ephant> https://www.juniper.net/documentation/en_US/junos/topics/example/example-configuring-port-shaping.html?
02:13 < Johnjay> i could give you the exact model of my netgear router
02:13 < Johnjay> but i suspect that's not really what you want
02:13 < E1ephant> right, that would be too helpful?
02:14 < E1ephant> https://glazenbakje.wordpress.com/2014/11/03/netgear-utm-traffic-shaping/
02:16 < spaces> E1ephant why that ? POS ?
02:16 < E1ephant> set the shaping numbers to about 80% of your connection, or whatever you can transmit, while still maintaining a reasonable ping time to $random_game_server
02:16 < spaces> E1ephant I hate it when my pr0n scales down, I need the Unlimited, size matters bro
02:17 < E1ephant> that doesn't appear to be a priority in this use-case
02:18 < E1ephant> if it's not obvious in your router's firmware, you probably have to flash it to something that will support such features, if it supports that. Or just limit in windows if it's just your host causing congestion.
02:19 < spaces> E1ephant size always matters
02:19 < E1ephant> does it?
02:19 < spaces> E1ephant yes, what if it does not fit ?
02:19 < Johnjay> hmm, the QoS settings on my router allow specifying priority by device or by service
02:20 < Johnjay> but it doesn't indicate how it identifies the service like skype or msn messenger. i presume by port?
02:20 < spaces> you cannot push a square into a circle as well, ask the apollo13 guys
02:25 < E1ephant> errr possibly? can be by ip, port, pretty much anything in the first 256 bytes of packet
02:25 < E1ephant> /header
03:03 * qgTG
04:13 < fairuz> Hi guys. Morning. One question how to know for sure if the router is bricked/broken? I have an Asus RT-AC55UHP. When I turned it on, it has all led except 2.4 and 5Ghz led blinking slowly
04:17 < fryguy> hard reset it using the reset button, connect a machine to the lan port, and try to access it on its default LAN ip (192.168.1.1 or whatever). if you can't do that, then it's probably dead
04:19 < fairuz> yeah tried several ways to reset it, still blinking the same way
04:19 < fairuz> cannot ping, cannot access using lan either
04:20 < fairuz> the firmware restoration software also failed to detect the router
04:20 < fryguy> good time to buy some new hardware then
04:20 < ruben23> hi guys i have a switch with VLAN capable e.g VLAN10 - 192.168.1.0/24, VLAN11 - 172.16.20.0/24 how do i able to access the Server on VLAN11 using the VLAN10 - any idea guys.? what service should i use.?
04:21 < fryguy> ruben23: you add a route to your router
04:21 < light> ruben23: a router
04:21 < ruben23> yes i have a pfsense already and all the VLAN are configured to the LAN port, what should be the next step.?
04:21 < fryguy> add a route
04:22 < fryguy> and maybe firewall rules
04:22 < fairuz> thanks fryguy
04:24 < ruben23> coz currently now when i try to access the Server that belongs to VLAN11 i cant access it at all, please help
04:24 < fryguy> ruben23: we just told you. add a route and add necessary firewall rules
04:24 < light> can you access it from pfsense?
04:25 < light> if you can't even ping a machine on that vlan then your interfaces are probably misconfigured
04:25 < light> sounds like you're doing router on a stick right?
04:27 < ruben23> light: yes so this should be a static Routing.? im trying to check pfsense if there is routing function
04:27 < light> pfsense is on both vlans so it already has a route
04:29 < ruben23> light: so you mean once i added both VLAN10 and VLAN1 automatically it has a route.? no need to configure.? coz VLAN10- PC wants to access the Servers on VLAN11
04:29 < light> you don't add vlans
04:30 < ruben23> light: i mean added on the Pfsense Interface and they are active
04:30 < light> check connectivity by pinging to/from pfsense
04:32 < ruben23> light: ok i will now
04:42 < hfp> I almost got ipv6 working properly. The only issue I'm left with is for services that are running in my LAN. For ipv4, I have made a NAT rule that traffic coming in from WAN on port 12345 is to be forwarded to local machine's port 12345. That works very well with ipv4. But with ipv6 it doesn't work, because the WAN address isn't the one running anything on port 12345, and I'm guessing it doesn't know to
04:43 < hfp> forward to the internal machine running the service on port 12345. How do I go about fixing that?
04:43 < hfp> Is there a NAT for ipv6 or is there a better way?
04:43 < Dagger> use the IP of the machine you want to connect to, rather than the IP of the router
04:45 < hfp> I am using a domain name. myservice.example.org is a CNAME to myhome.example.org which is a dynamic dns entry. Its A record is my WAN IPv4, and its AAAA is my WAN's IPv6. Should I make an AAAA record for myserver.example.org pointing to the local machine's public ipv6?
04:45 < hfp> s/myserver/myservice
04:46 < Dagger> yeah, that's the idea. you'll need one hostname for each server
04:46 < Dagger> well. only for services which don't support SRV records, but unfortunately that's approximately everything :/
04:48 < hfp> How would SRV help? I'm not familiar with them
04:50 < Dagger> you can declare that a lookup of example.com:https resolves to, say, backend1.web.example.com:8443
04:51 < hfp> that would be nice
04:51 < Dagger> without SRV records, the service name lookup is done using a hard-coded /etc/services on the client (so "https" is always going to be port 443) and there's no way to redirect the hostname, so the final IP lookup is always against example.com
04:52 < hfp> it looks like my isp makes the ipv6 they give me dynamic, it changes on every reconnection... the ipv4 isn't fixed but it hasn't changed since I've been with them... why would they make ipv6 dynamic?
04:54 < Dagger> because, like most other consumer ISPs, they're crap
04:55 < hfp> also the CNAME for IPv4 and AAAA for IPv6 doesn't seem to work. If I `dig myserver.example.org aaaa`, I'm getting the CNAME to myhome.example.org and its AAAA
04:55 < Dagger> I can understand some users wanting a dynamic prefix, and there's definitely an argument that our software really should be able to handle dynamic addressing without us humans needing to get involved all the time, but it'd be nice to also have an option of not changing the network prefix constantly
04:58 < Dagger> ah, right, you can't mix CNAME with other record types (it doesn't make any sense based on the definition of CNAME)
04:58 < Dagger> you'll need A and AAAA records on myservice.example.org
04:59 < hfp> Yeah I'm reading the only way is to do this or add an IPv6 specific hostname separate from the IPv4 one
04:59 < hfp> i.e. myservice.example.org is IPv4 and myservice-ipv6.example.org is for IPv6
05:01 < hfp> ah what a pain, because this service is *very* particular about the CN matching the cert...
05:03 < hfp> meh, looks like I'd be better off with a tunnel broker... But the last time I tried to get this going I spent hours and had nothing to show for it
05:03 < hfp> because what good is ipv6 if I'm getting a dynamic prefix, I can't do anything with that
05:03 < Dagger> subjectAltName really ought to be supported everywhere by this stage though
05:05 < Dagger> also, you know what would be nice? if common DNS servers allowed you to use hostnames in their zone files rather than just IP literals. that way you could specify "example.com A dyn.example.com" and have it look up the IP, rather than need to hardcode a literal address
05:06 < Dagger> I guess the people writing the servers haven't figured out the benefits of using this "DNS" thingy yet
05:07 < alabaster> I don't know if this is the place to ask but does wireless AC send the same data on both 2.4Ghz and 5Ghz at the same time. Or I guess some people have it set up to stay on one or the other generally
05:08 < hfp> alabaster: It picks one or the other AFAIK, except for some hardware that teams the 2.4 and 5.0 together for ever moar speed (not 100% sure on that)
05:09 < alabaster> hfp I'm trying to do what a million are trying to do since 2011 and learn security but trying to find a good AC card that isn't a Realtek Chipset is hard to find
05:10 < alabaster> I assume you want both most important modes but having the option to see the 5Ghz range is becoming more essential nowadays right?
05:11 < hfp> it depends where you live. in cities, 2.4 is generally unusable; you'd need 5ghz to use your wifi for anything at all
05:12 < alabaster> The Great ORL
05:12 < alabaster> I'm on 2.4
05:13 < alabaster> but i'm not sure if I want to wait to be a stable wifi adapter for testing networks and learning security or buy a wifi adapter with "N" and buy another later
05:14 < hfp> are you poking around wifi networks to try and see how to crack wep etc?
05:15 < alabaster> wep no. Really just my own. But I want to have the ability to grow. Isn't WEP a non challenge??
05:15 < hfp> pretty much
05:16 < alabaster> The internet says by either the atheros, RLT8812au / RLT8814au or Alfa which brand uses the same RLT chipsets
05:17 < hfp> yeah that's what I did when I was looking into that, I got myself a USB wifi adapter to play with kali and aircrack or whatever it was called. It's too hard to find an internal compatible wifi card
05:18 < alabaster> hfp I'm not using the internal. I'm looking to replace my wifi dongle or USB
05:19 < alabaster> hfp it's hard to find an AC chipset that is just plug n play in Kali like the Realtek's
05:19 < alabaster> I mean UNLIKE the Realteks that are buggy with Linux
05:20 < hfp> why do you want ac though, isn't 802.11n enough? it does 2.4 and 5. you generally want ac because of the faster speeds over n, but for cracking wifi networks it doesn't really matter does it?
05:21 < alabaster> DOES n do both ????
05:22 < alabaster> I don't think it does
05:22 < fryguy> it does
05:28 < alabaster> huh Ok
05:28 < alabaster> I am dumb
05:29 < alabaster> so all I am missing is speed I probably don't really need to start out learning but will still be able to get a nice wireless N wifi USB with a fair amount of needed and cool modes?
05:29 <+pppingme> linuxmodder can you fix your connection issues?
05:29 <+pppingme> or do I just need to block 174.77.159.40?
05:30 < hfp> alabaster: for cracking n vs ac doesn't really matter imho
05:33 < alabaster> ac would be theoretically faster but not needed is what I am getting
05:34 < alabaster> unless you are being stupid and trying to watch 3 nets at once. or really funnel some information like an ill egal idioso
05:39 < alabaster> I told my girlfriend because she knows I'm trying to go for well almost ready for CCNA.. that I want to learn both at the same time.
05:39 < alabaster> so I wanted to mirror my own network
05:40 < hfp> Dagger: I got really excited about SRV records... And then I found out that none of the most popular browsers support it.
05:40 < Dagger> I did say
05:41 < alabaster> ap mirror. And let her know I wanted to try to advance mirroring of my own AP not silly injection but actually learn to mirror and see it at the same time so I figured I'd need the AC speed to decrypt and mirror at the same time
05:41 < Dagger> apt-get supports it for http(s)://, XMPP supports it... and that's about the entire set of protocols and software that supports SRV
05:41 < alabaster> would N still be fast enough at the receiving end?
05:42 < alabaster> Sorry for my security noobishness
05:43 < Dagger> oh, there's Mumble and Minecraft. nothing else springs to mind
07:04 < hey2> Is there a reason why MAC addresses couldn't be used in lieu of IP addresses in their entirety
07:05 < hey2> I understand that it has been built up, and changing now would be all but impossible... but
07:12 < light> hey2: because it would make routing impossible
07:13 < hey2> no it wouldn't
07:13 < light> a compelling retort
07:13 < hey2> I mean, subnetting and figuring out lans might be a little more difficult in retrospect
07:13 < hey2> But I am just thinking if it had been done that way from the ground up
07:14 < hey2> 2/3 combined like the TCP/IP and just eliminate ip addressing
07:14 < hey2> not actually being serious by the way, was just having a conversation and figured I'd ask - didn't think about the routing aspect of LANs though
07:17 < light> layer 2 and 3 serve different purposes
07:17 < light> and there are protocols that exist in a grey area between them, like MPLS
07:17 < hey2> I am aware that they serve different purposes
07:17 < light> combining them completely would hamstring you
07:17 < hey2> We are saying, if from 1970 onward, IP addresses weren't used
07:17 < hey2> and only hardcoded MACs
07:17 < hey2> but the LAN aspect, I didn't think about
07:18 < light> how would you find an IP address?
07:18 < hey2> You wouldn't have IP addresses lol
07:19 < hey2> Either way I realize it would be a nightmare, we were just thinking of reasons why you "couldn't" do it
07:19 < light> say you want to get to warez.ru, how do you know where to send your packets?
07:20 < hey2> well you would have DNS resolve it to a MAC address! lol
07:20 < light> ok, so now you have a MAC, how do you send to that MAC?
07:20 < hey2> but then I guess I could do macchanger or something and just mess it all up anyways
07:20 < hey2> You would do what layer 3 already does, but with MACs
07:20 < light> but you can't
07:20 < hey2> Why
07:20 < light> because a manufacturer creates 1000 network cars with sequential MACs and distributes them to 1000 different people
07:21 < light> so how do your packets know where to go
07:21 < light> cards*
07:21 < hey2> That is what I was saying
07:21 < hey2> The aspect of finding out where they are for routing would be hard in that regard, it'd be a bit of a headache with existing protocols to just swap over
07:21 < hey2> but it wouldn't be impossible
07:22 < light> well it kind of is, because there's no relation
07:22 <@pppingme> hey2 routing by L2 would require tables storing billions of routes versus the current 704,000
07:22 < light> ^
07:22 <@pppingme> you also have the fact that not all medium actually has an L2 address
07:23 < hey2> ? I thought all switchports, NICs etc had a hardcoded MAC
07:23 <@pppingme> switchports? NO... a switch doesn't even "need" a mac
07:23 <@pppingme> and you're assuming ethernet, not everything is ethernet
07:24 < hey2> I mean, lots of switches have 1000+ mac pools, no?
07:25 <@pppingme> that doesn't mean the switch has a mac..
07:25 < hey2> And yeah... Like I said, I realize that this isn't a good idea, I was just talking to a coworker and didn't think about routing
07:25 < hey2> pppingme: the switches do have MACs, though
07:25 < hey2> Lots of switches have a MAC for the whole device, even
07:25 <@pppingme> nope, they don't.. the greatest majority of "home" or "consumer" switches absolutely do NOT have a mac address
07:26 < hey2> I am talking about enterprise networking equipment
07:26 < hey2> and I mean, most switch/router combos do have MACs which is what most houses use anyways
07:26 <@pppingme> and a lot of this cheap consumer stuff makes it into enterprise, especially under desks, etc..
07:27 <@pppingme> the point is, mac's don't even come close to reasonable for routing on a wide basis
07:29 < myrat> hi all
07:30 < light> hi
07:30 < myrat> i have one problem
07:30 < myrat> with cisco c240 m3
07:30 < myrat> server
07:30 < myrat> light wosap
07:30 < myrat> i can't install second network adapter to server
07:32 <@pppingme> why not?
07:38 < myrat> pppingme
07:38 < myrat> i don't know man
07:38 < myrat> the first adapter working properly but second just unknown
07:39 <@pppingme> error? logs? smoke?
07:39 < myrat> pppingme now try to see dmesg what happen
07:40 < myrat> but bios still not see the second network adapter
07:45 <@pppingme> is it a pci adaptor or what kind?
07:46 < myrat> yeah pci
07:47 <@pppingme> try "lspci"
07:52 < myrat> pppingme it shows only first network adapter
07:52 < myrat> 4 ports
07:53 <@pppingme> then you most likely have something physically wrong.. lspci should show anything on the pci bus, even if the OS doesn't recognize or have drivers for it
07:53 < buu> it dead
07:53 <@pppingme> reseat the card, try card in another computer, etc.. sounds like a fried card..
07:53 < buu> I just got a dead card from ebay
07:53 < buu> Maybe I can make jewelry out of it
07:54 < myrat> pppingme in another computer it works fine..
07:54 <@pppingme> then you have a fried pci slot
07:55 <@pppingme> is it in a riser?
07:55 < buu> you could try updating the mobo bios
07:55 < buu> or update the card bios if it works in another mobo I guess
07:57 < myrat> in server have 5 pci slots i try in all of them
07:57 < myrat> mobo bios?
07:58 < myrat> other adapters work fine in server and bios sees those
07:58 < myrat> pppingme what is riser?
08:00 < Emperorpenguin> A 90° thingy for PCI slota
08:00 < Emperorpenguin> Slots
08:07 < ryuo> I have a router I need to replace the pigtails, U.FL to RP-SMA, on. Any suggestions on how I can unscrew them from the case? they seem pretty tight.
08:11 <@pppingme> ryuo bigger pliers
08:11 < ryuo> pppingme: ok. that's what I thought. thanks.
08:12 <@pppingme> ryuo I've seen those connectors crimped, or dimpled before from the factory, basically making them impossible to remove
08:12 < ryuo> pppingme: i'll hope that's not the case.
08:13 <@pppingme> its usually pretty obvious, assuming you can see the entire connector.. if its on the 'back side' that you can't see, may not be so obvious
08:14 < Emperorpenguin> More brute force is always the answer
08:14 < Emperorpenguin> Sure, they might be useless afterwards
08:14 < Emperorpenguin> But you'll definitely manage to remove them
08:15 < monoxane> has anyone used fs.com switches before?
08:15 < monoxane> i cant find any information that anyone's ever deployed them
08:43 <@pppingme> monoxane I've heard of them, never used them, I think most of their stuff is just rebranded stuff, not sure they actually make anything
08:44 < monoxane> yea i think they are Cangoa Perkins gear relabeled
08:44 < monoxane> *canoa
08:45 < monoxane> their 1g and 10g offerings look like bottom of the barrel stuff though
08:45 < monoxane> ill keep it in mind if budget decides to rapidly shrink
08:52 < myrat> pppingme dmesg says info like that - eth0: PBA No: FFFFFFF-OFF......added PHC on eth1
08:53 < myrat> pppingme enp2s0f0: renamed from eth0
08:57 < ryuo> myrat: ?
08:58 < myrat> ryuo hi i need help with installing second network adapter to my server
08:59 < ryuo> myrat: why? it shouldn't be that hard.
09:00 < ryuo> myrat: did you already install it?
09:00 < myrat> ryuo the second adapter not seen in bios
09:01 < myrat> ryuo when i plug network cable to second adapter it blinking
09:01 < ryuo> myrat: it won't necessarily. usually only the onboard ones do.
09:01 < ryuo> myrat: what matters is what the OS ses.
09:01 < ryuo> sees
09:02 < myrat> ryuo server with ubuntu 16.04 lts
09:02 < ryuo> myrat: paste the output of this please: ip address
09:10 < ryuo> Go figure. My request for more information seemed to make them leave...
09:11 < XCE> it was top secret
09:11 < squ> !catgif
09:40 < myrat> ryuo what's up,
09:41 < ryuo> myrat: i'm still waiting for the information I asked for.
09:42 < ryuo> myrat: paste the output of this please: ip address
09:43 < myrat> ryuo ip address shows 5 interfaces: 1) lo, 2)enp2s0...5) enp2s3
09:44 < ryuo> myrat: ... that's not what I asked for. I don't want a summary. i want the actual output.
09:46 < ryuo> myrat: either way, you never really said what your issue is.
09:47 < ryuo> myrat: you have 2 ethernet devices, guessing from the names.
09:47 < ryuo> If this is really your second physical ethernet port, it appears to be detected.
09:48 < myrat> ryuo damn i lost output ip address
09:48 < monoxane> run it again then
09:49 < linux_probe> uhhh
09:49 < myrat> now my friend reinstall the server.. :(
09:49 < linux_probe> LOL
09:49 < ryuo> ...?
09:49 < linux_probe> the shart here is miles deep
09:49 < ryuo> guess i've been trolled.
09:50 < ryuo> https://www.youtube.com/watch?v=dQw4w9WgXcQ
09:50 < myrat> ryuo no really now i cant say man
09:50 < monoxane> LOOOOOL
09:50 < monoxane> yup thats called being trolled i guess
09:51 < myrat> so sorry
09:51 < ryuo> myrat: probably time to upgrade to 18.04 anyway. :P
09:52 < eirirs> ubuntu 18.04 ?:P
09:52 < myrat> to issue this problem my friends too trying..
09:52 < ryuo> lol
09:52 < ryuo> yea
09:52 < myrat> and one of them reinstalling..
09:53 < myrat> ryuo they want 16.04 why i dont know
09:53 < monoxane> 16.04 is eol get them off it
09:53 < monoxane> there should be no difference
09:53 < linux_probe> uh-huh
09:53 < myrat> maybe it working good of something
09:54 < ryuo> monoxane: not quite.
09:54 < ryuo> monoxane: 14.04 basically is.
09:54 < ryuo> 16.04 has 3 years left.
09:54 < myrat> 16.04 lts..
09:54 < monoxane> oh its the LTS one
09:54 < myrat> yeah
09:54 < ryuo> monoxane: yes. ubuntu LTS has an even first number and 04 for the second.
09:55 < monoxane> i use debian so nothing is LTS
09:55 < monoxane> :P
09:55 < ryuo> monoxane: well, i hear about stretch getting 3-5 years.
09:55 < ryuo> it's not too bad.
09:55 < myrat> dmesg says info like that eth0: PBA No: FFFFFFF-OFF
09:55 < ryuo> Ubuntu Desktop only gets 3. Server is 5.
09:55 < myrat> added PHC on eth1
09:55 < ryuo> myrat: ignore it. if the NIC functions, what does it matter?
09:56 < myrat> lspci showing only the first adapter which is intel
09:56 < ryuo> you have to understand kernels and hardware to parse those messages.
09:56 < ryuo> myrat: paste lspci and lsusb output please.
09:57 < linux_probe> it is super stupendous how many sheeple and idiots have mobile/vehicle hot spots nowadays
09:57 < linux_probe> >_>
09:57 < ryuo> linux_probe: let me guess. you detect so many you have to scroll just to find yours?
09:58 < myrat> ryuo now the server reinstalling man after when it done i'll show anything
09:58 < myrat> but now i cant do anything
09:58 < Reventlov> "sheeple and idiots", well, why ?
09:58 < ryuo> myrat: is it a rental?
09:58 < linux_probe> no ryuo, just looking at the logs from ubiquiti AP's
09:58 < ryuo> linux_probe: I see.
09:59 < ryuo> well, got WAPs everywhere these days.
09:59 < linux_probe> it logs "neighboring" access points
09:59 < myrat> ryuo no..
09:59 < linux_probe> vast majority of them are people with portable hotspots or vehicles with such enabled
09:59 < Reventlov> so, what's the problem?
09:59 < linux_probe> many name their vehicle by model and their first name
10:00 < ryuo> myrat: ok..
10:00 < linux_probe> so like. "Waynes Cruze"
10:00 < squ> linux_probe: and?
10:00 < linux_probe> aka chevrolet cruze and the fella's name is wayne
10:00 < squ> what do you propose, more original names?
10:00 < linux_probe> it's stupid
10:00 < Reventlov> people mad at other people using WiFi
10:01 < Reventlov> shrug
10:01 < ryuo> don't mind linux_probe, he's just rambling.
10:01 < ryuo> :P
10:01 < linux_probe> no no, it's a social engineering nightmare
10:01 < squ> how?
10:01 < ryuo> "Hey you kids. Get out of my airspace."
10:01 < linux_probe> makes it very easy to pick fish out of a crowd
10:02 < linux_probe> also "targets"
10:02 < squ> what fish
10:02 < Reventlov> well, you know you can read plates, yeah ?
10:02 < squ> and query owner name in database
10:02 < linux_probe> sure can, which makes it even easier
10:02 < linux_probe> how many people use secure passphrases
10:02 < Reventlov> sigh
10:02 < linux_probe> cough
10:02 < ryuo> you know what's funny, linux_probe... those logs could be seen as evidence in the right situation of where their car was spotted.
10:03 < squ> Wayness cruze
10:03 < linux_probe> that also ryuo, but no worries
10:03 < squ> but not that Wayne
10:03 < Reventlov> also, fun fact, in Europe you would need some kind of authorization to gather these logs.
10:03 < squ> the other one
10:03 < linux_probe> since they most all have onstar or similar
10:03 < linux_probe> and sat. service lol
10:03 < ryuo> Reventlov: that's funny considering people's devices basically belch this info all over the air waves.
10:04 < squ> I understand your concern now
10:04 < linux_probe> also, them binding to phones, mics built in
10:04 < linux_probe> GPS/SAT/ etc
10:04 < linux_probe> cellular in many now
10:04 < linux_probe> NSA cars 101
10:05 < Reventlov> ryuo: not a reason :)
10:05 < squ> you can startup a service which tells when wife/husband car arrived home, for example
10:05 < Reventlov> light put your face all over the visible spectrum
10:05 < linux_probe> just use ubiquiti AP's or some of the others
10:05 < Reventlov> not a reason you can start a picture database.
10:06 < linux_probe> who's to say many vehicles dont have cameras in-built nowadays
10:06 < ryuo> squ: "Uh oh. Time to hide the mistress."
10:06 < ryuo> <.<
10:06 < linux_probe> most everything else does lol
10:06 < squ> it is a way to track car without gps
10:07 < linux_probe> they just track your idiot cell devices
10:07 < squ> when it was at specific location (near wifi router)
10:07 < linux_probe> 3g and 4g better yet
10:07 < linux_probe> 5g will be even worse
10:07 < squ> linux_probe: I'm trying to understand your motivation :)
10:08 < squ> what's wrong with Wayne Cruze name
10:08 < squ> :)
10:08 < linux_probe> that wasnt very bad, many have their full names
10:09 < linux_probe> or phone numbers
10:09 < regdude> in use there is "ICE" that tracks cars using cameras in malls
10:09 < regdude> *US
10:09 < linux_probe> yep
10:09 < linux_probe> traffic cams anyone?
10:10 < Nefertiti> https://www.gnu.org/proprietary/malware-cars.html
10:11 < linux_probe> I'm just trying to get the point across, people are worried about throwing away mail still :))))
10:11 < linux_probe> yet, their devices are spewing forth tons of data 24/7, that is far worse
10:11 < Nefertiti> ^_^
10:11 < Nefertiti> totes
10:12 < linux_probe> I drove a car with bluetooth enabled, I named it "qwertyuiopasdfghjklzxcvbnm"
10:13 < linux_probe> I also drove around sniffing many times
10:13 < linux_probe> at least the amount of total unsecured wifi has gone to about null, except the captive portal stuff
10:14 < MitteM112358> can someone probe me?
10:15 < linux_probe> here's one of the TONS of darwin "SSID's" logged "Rachel Mcfadden"
10:15 < linux_probe> gee, why not give your full name or some shit
10:15 < ryuo> hey, i found another one: "Hey mom, i'm on tv"
10:15 < linux_probe> problem is, I know where they are, I can easily find their address, and many other things....
10:16 < ryuo> linux_probe: why do you care? you can't fix people being people.
10:16 < linux_probe> in which i can likely guess "stupendous" electronic door lock codes, alarms, etc
10:16 < linux_probe> by providing basic knowledge you can!
10:17 < linux_probe> people just dont think of it, because it's not disclosed, since that would kill the marketing of said junk device
10:17 < linux_probe> then again, so would them knowing about bump keys and the power lock picks :))
10:17 < linux_probe> 3 seconds or less CLICK
10:18 < linux_probe> ( gee why do we like the second amendment and hold it dearly)
10:19 < linux_probe> and pray to god, we never have to exercise it against an idiot human ;)
10:19 < Apachez> ryuo: one can kill people, problem solved?
10:20 < ryuo> Apachez: not really a solution.
10:20 < linux_probe> they have to be well deserving of it, like the act of robbing others
10:20 < Apachez> linux_probe: best is to use dhcp within ssid's that breaks broken dhcp clients :)
10:20 < linux_probe> oh wait, I just eliminated a vast portion of the world
10:20 < Apachez> not my fault that your box suddenly deleted all files just by connecting to my wifi =)
10:21 < ryuo> ... there's stuff that dumb?
10:21 < Apachez> ryuo: so the murican way in afghanistan and iraq didnt work you say? ;)
10:21 < Apachez> also utf8 in the ssid's is fun too
10:21 < Apachez> specially those special characters that make text go the other direction and shit like that
10:22 < ryuo> no comment.
10:22 * Apachez drops mic, walks off stage
10:23 < detha> ITYM egats ffo sklaw ,cim spord zehcapA
10:23 < Apachez> na more like when all chars are stacked upon each other
10:23 < Apachez> or even is being typed out vertically
10:25 < regdude> or emojis
10:25 < linux_probe> herp herp
10:26 * linux_probe thinks it's about time to get tossed out of the next bar
10:27 < linux_probe> some slut checking out el-natural bulge and her dinklet dude getting cranky about it
10:27 < linux_probe> calling out occurs, and game over
10:31 < squ> ate 2 ice creams
10:32 < squ> !catgif
11:24 < shtrb> Did I understand correctly that an end user will soon be able to connect to ubnt's AirMax using 802.11n/ac ?
11:25 < shtrb> or there is a still need for custom device to provide the 802.11n/ac ?
11:27 < djph> the airmax 'ac' units don't do wifi ...
11:28 <+xand> they do aircon?
11:31 < OlofL> If you use radius login, with AD backend, can you somehow enable ssh key logins as well then? speaking generally to network devices such as hp/cisco switches and routers
11:34 < shtrb> xand 802.11ac
11:36 < mcdnl> OlofL: probably, but i guess it wont be as easy as setting up eap for wireless
12:12 < wblackstone> nanosouffle it looks like he is willing to undergo testing
12:15 < solfi> Hello
12:16 < wblackstone> does the command genkernel work?
12:17 < wblackstone> If it is in the handbook there is an epub here but no epub display.
12:19 < h0dgep0dge> hey folks, just a quick query, what domain name registrar do you recommend and use the most?
12:20 < skyroveRR> None.
12:20 < h0dgep0dge> how do you buy domains?
12:20 < wblackstone> What do you want to do?
12:20 < skyroveRR> h0dgep0dge: usually offline.
12:21 < shtrb> h0dgep0dge, all have their own issues
12:21 < wblackstone> Rafael S Rosas
12:22 < wblackstone> how are the goonies doing?
12:22 < h0dgep0dge> all i really want to do is buy domains and delegate them to my dns host, but i want to do it in style. unfortunately i can't register domains with a delorean
12:22 < h0dgep0dge> google dns looks good, but isn't available in nz
12:22 < wblackstone> siRNA for softening the id cloud in the em field of the synapses?
12:23 < wblackstone> rhineheart_m: r u listing the old goonies?
12:24 < wblackstone> I never really took to most of them but as you well know I pay attention to detail.
12:24 < rhineheart_m> Huh?! Me?
12:24 < wblackstone> Did you see me cleaving?
12:25 < wblackstone> How else can you tell if she is my wife?
12:25 < wblackstone> You see in math right rhineheart_m ?
12:26 < wblackstone> " when we said ..."
12:26 < rhineheart_m> I think it's not me.
12:26 < wblackstone> " we said it close to ..."
12:26 < rhineheart_m> You might be talking to someone else.
12:28 < wblackstone> Ok so what to do with the test subject?
12:40 < gebbione> hi folks, any idea how i can connect to the internal network IP of a server through a public VPN server ? ie i am connected to the VPN but I cannot ping the internal server ip
12:41 < bezaban> routing
12:41 < shtrb> make sure icmp is allowed
13:14 < nostrora> Hi! i made my own S/FTP cat6a ethernet RJ45 cable. which is the best between T568A and T568B ?
13:15 < Phil-Work> nostrora, it doesn't really matter
13:15 < Phil-Work> B is more popular
13:15 < Phil-Work> most pre-wired cables are B
13:16 < nostrora> and I do a straight cable or a cross cable?
13:16 < nostrora> I know that there was a time when it was important to have straight cables or cross cables.
13:17 < Phil-Work> cross over cables are rarely used these days
13:17 < Phil-Work> any device made in the last 10+ years will auto sense
13:18 < nostrora> So I'm going on a straight cable? on T568B on 2 sides ?
13:18 < pulsar12> when they develop auto sense for fiber too ?
13:18 < Phil-Work> nostrora, if you insist on making it yourself, sure
13:19 < monoxane> nostrora i use B and everyone i know uses B
13:19 < nostrora> Phil-Work: If I insist? why is it a bad thing to make your own cables? I find it cheaper in cat 6 S/FTP. and I have a good cable price per meter
13:20 < monoxane> nostrora some people dont like sitting in a room terminating cables for hours on end
13:20 < Phil-Work> nostrora, because pre-made cables are usually tested to ensure they conform completely with the standards
13:21 < nostrora> I like to sit in a room for hours to set up my computer myself ^_^
13:21 < Phil-Work> it's extremely hard to crimp a fully conformant cable yourself
13:21 < Phil-Work> though if you're not planning on carrying 10G down it, it doesn't really matter
13:23 < Dalton> 10g on copper is silly anyway
13:25 < Phil-Work> Dalton, agreed
13:25 < Phil-Work> unless it's a DAC
14:25 < wallbroken> hi
14:26 < wallbroken> what is the difference between bonjour and avahi?
14:26 < wblackstone> how did I get banned from law?
14:26 < tpr> both are implementations
14:26 < wblackstone> ##law
14:26 < wblackstone> "just grab em in the biscuits"
14:26 < tpr> of mdns. bonjour on osx, avahi on other linux-like systems
14:26 < wblackstone> lawlessness
14:26 <+xand> how should we know?
14:27 < wblackstone> duwatchulike
14:27 < wallbroken> tpr, of what?
14:27 <+xand> 2018-07-11 13:26:52 < tpr> of mdns. bonjour on osx, avahi on other linux-like systmes
14:28 < groupers> Hi, can anyone recommend an entry level firewall that will handle Gb line speed and offers geolocation filtering
14:28 < wblackstone> on point?
14:28 < groupers> In the $600-700 range
14:29 <+pppingme> what are you expecting out of "geolocation filtering" ?
14:29 < wblackstone> xand: Are you asking?
14:29 < wallbroken> tpr, ok, but it's something built by apple?
14:29 < wallbroken> or just a general standard??
14:30 < groupers> Pppingme I realize it's not perfect but I'm looking to block any connections outside of north America
14:32 < groupers> I realize pfsense does this but I'm looking for something a little more enterprise oriented
14:34 < vavkamil> groupers, you can write simple script for that
14:35 < groupers> That's what I'm trying to avoid, creating more work for myself in the long run
14:35 < vavkamil> just use dnsmasq, check country of each IP before sending answer to client
14:36 < groupers> I don't have time to write/maintain a script when it breaks, monitor that it's getting an updated database of ip ranges, etc
14:36 < vavkamil> I have a perl script somewhere that does that
14:41 < djph> it's pretty easy - just look for the /8s that aren't owned by ARIN. *done*.
14:42 < djph> (note, networks smaller than /8 may come into play)
14:44 < groupers> Thanks for the tip, now is there a firewall it security appliance that does that and can handle between 500mbps and gb throughput for under $100k?
14:45 < dionysus69> so I had nethogs open and there was a process taking up to 100kb sec from a random ip, what kind of traffic can this be? the webserver wasn't hit by this ip
14:45 < djph> sure, a UBNT Edge Router. Will take you an hour, maybe two to ask ARIN about the ~250 /8s that aren't reserved.
14:46 < shtrb> did ubnt become the go to network solution ?
14:46 < djph> I mean, he could go for anyone, but it's a stupid-simple firewall rule. (1) create the list, (2) use the list to drop destinations.
14:47 < shtrb> I have no objections to what you say, I'm just saying that it seems that they become the go-to solution
14:47 < djph> hell, a quick google may even return the list.
14:48 < regdude> there are cheaper solutions, UBNT is simply the most popular here
14:48 < djph> shtrb: they're definitely my goto.
14:48 < djph> regdude: cheaper that have the same featureset? like who?
14:48 < wallbroken> you know how to wake up an iphone from network?
14:48 < regdude> the one you all hate here
14:48 < wallbroken> WOL will work?
14:49 < djph> regdude: err, that being?
14:49 < regdude> MT
14:49 < shtrb> regdude, everyone hate iphone ?
14:49 < djph> I mean, there are a LOT that people hate here.
14:49 < shtrb> why hate them ?
14:49 < groupers> I was considering the Ubiquiti security gateway pro but the powers that be were determined to buy Cisco ASA until I told them throughput with all the security features enabled is much lower than the initial number they advertise, which is only for the firewall
14:49 < wallbroken> nobody knows?
14:49 < djph> 'tik? meh, never used them. Last I looked, their "cheaper than UBNT" lineup was 10/100 though.
14:49 < groupers> So they want something more expensive
14:50 < groupers> In order to feel like they're getting more value I guess
14:50 < djph> then they can go more expensive. Although, the USG would be a royal pain in the ass to configure the way you want.
14:50 < shtrb> Firewalls/IDS/smart system reduce your throughput because they need to process your data
14:51 < lupine> might*
14:51 < groupers> And I'm not a network guy so I'd prefer to do as little maintenance as possible, I don't want to be updating some list by hand
14:51 < lupine> depends on whether firewall capacity exceeds link capacity
14:51 < lupine> but also, don't use UBNT
14:52 < groupers> I don't think I can get them to spend more than $1k
14:52 < djph> groupers: good news, the list of RIR allocations doesn't really change.
14:52 < groupers> But $200 is too little
14:52 < detha> groupers: if you don't want to do maintenance, you'll have to fork out for a 'managed solution' from one of the big vendors :p
14:53 < djph> if your limit is $1k, you're looking solidly at the cheapass end of the big boys, or UBNT / 'tik ... maybe some of those other "small-business-oriented" setups...
14:54 < groupers> I can manage firmware updates and occasional monitoring but I don't have time to spend hours maintaining something
14:55 < detha> you don't. you spend a few hours setting up scripts that do it for you, and once every two years or so you have to change the scripts because one of the sources changes
14:56 < djph> detha: how often does the RIR allocation change?
14:56 < groupers> I take it an IDS that will handle that kind of throughput for $1k doesn't exist
14:56 < detha> RIR allocation doesn't change, there's nothing more to allocate. But people transfer ranges from RIPE to ARIN for example
14:57 < djph> detha: yeah, that's what I meant.
14:57 < groupers> I thought existing IPv4 ranges changed hands all the time and the list would be to be kept up to date
14:57 < groupers> *need to be kept up to date
14:58 < djph> ... I mean, if it's every month or so, that's a lot of work ... if it's once a year ... ehh...
14:59 < groupers> Has anyone built a pfsense machine and used the maxmind database that can tell me what sort of hardware is needed to get that throughput
15:00 < detha> maintaining ip ranges/geoloc/what is dynamic is a full-time job. So you either automate it, use free sources, or pay for someone to do it, either maxmind and the like or some security vendor
15:06 < djph> hm, didn't realize "x.x.x.x was NA and now isn't" (or vice-versa) happened nearly that fast.
15:06 < dogbert2> hey djph
15:06 < djph> o/
15:07 < dogbert2> more patch-fu for BIND
15:08 < djph> good luck
15:10 < dogbert2> already submitted...other two have been merged into the master branch (NULL pointer dereference and memory leak)
15:17 < epitamizor> what would be a good linux distro for honeypot damnvulnerable linux?
15:22 < djph> WSL
15:22 < djph> bahahahha
15:28 < shtrb> djph, you are evil
15:29 < djph> shtrb: he wants a "honeypot" - what better than the utterly broken WSL?
15:29 < groupers> What makes WSL broken?
15:29 < shtrb> https://www.microsoft.com/en-us/p/ubuntu/9nblggh4msv6
15:30 < lupine> groupers: it doesn't support various important things
15:30 < shtrb> it's like LSD , sound great at first until people will learn its consequences
15:31 < djph> "Windows"
15:31 < bad_blue_bull> hi
15:31 < groupers> I work in SMB world, which is mostly Windows, being able to compile ipxe or whatever on my Windows machine saves me some trouble
15:32 < shtrb> groupers, use a vm
15:32 < shtrb> sorry but lxss get all the bad parts from everywhere
15:32 < groupers> It's easier than using a VM
15:33 < shtrb> raw sockets ? having true access to /proc and /sys ? being able to use "Linux Kernel" ?
15:36 < tpr> wallbroken: https://en.wikipedia.org/wiki/Zero-configuration_networking
15:53 < bad_blue_bull> is there a name for a category of HTML tags that start a new block like p, h1-h6, div, table, img? I mean these tags insert a line break unlike , etc
15:55 < niluje> block elements vs inline elements
16:01 < bad_blue_bull> OK
16:15 < cpplearner> Under what circumstances are some network traffic not subject to the kernel routing table? My Dante (proxy) server seems to ignore the routing table, once I configured its external address to an Ethernet interface. Any thoughts?
16:17 < shtrb> Does AMT work when there is USB attached network devices ?
16:20 < lbrun> shtrb: Generally no, it requires specific NICs from Intel (-LM parts) which as far as I know only come with a PCIe interface
16:20 < shtrb> oh great , thanks
16:20 <+imMute> cpplearner: what do you expect to happen vs what is actually happening?
16:21 < cpplearner> Thank you for asking.
16:22 < cpplearner> I have an OpenVPN connected in the same computer. So, just configuring it to eth0 would make sure that, it's automatically routed back to a VPN, thanks to the kernel routing table. However, it's certainly not happening.
16:23 < cpplearner> I just want to know why it's not working.
16:23 < lbrun> cpplearner: You know that your VPN has a dedicated network interface? Why would you configure it to eth0?
16:23 < lbrun> Or is this a gateway into the VPN?
16:24 < shtrb> What ? no openvpn have many modes and only if you use TAP and tie to eth0 (iptables or what ever option you use ) you will have network
16:24 < shtrb> TUN (does not have broadcasting for example)
16:24 < cpplearner> Yes. With tun0, it works as I expected. However, why does it not work with eth0? I mean, the kernel routing table is supposed to route its traffic back to tun0, right?
16:24 < cpplearner> I'm just curious.
16:25 < OlofL> What is the key combination to get back to the OA prompt on a blade system c7000 ?
16:26 < WebertRLZ> how does keepalived know about the availability of the other node?
16:26 < lbrun> cpplearner: Where is the request made from and what is the listener config on the server-side?
16:27 < OlofL> WebertRLZ: when it stops hearing hello's from neighbor
16:27 < WebertRLZ> OlofL, in a simple config there is no information in the config file that says, lets say the IP address of a second node
16:28 < shtrb> cpplearner, even if you setup a bridge openvpn can not transfer data from tun0 to eth0
16:28 < cpplearner> The traffic itself is made from "danted" (proxy). Of course, the original request was made from other computer in the same subnet, but it's all coming to "danted", and "danted" in turn makes request to eth0.
16:28 < WebertRLZ> OlofL, like this http://termbin.com/c3tx
16:28 < shtrb> hence the required ip_forward=1 and iptables
16:28 < OlofL> WebertRLZ: I believe keepalived is the same as vrrp? in that case it uses multicast address 224.0.0.18
16:29 < dionysus69> during a ddos attack, is it a very bad practice to ban IPs manually?
16:29 < WebertRLZ> OlofL, yes it uses vrrp
16:29 < WebertRLZ> Oh, right, then I need to read more about it to understand it.
16:29 < WebertRLZ> Thanks
16:30 < OlofL> why are u using different virtual ips in that setup?
16:30 < ||cw> dionysus69: why would that be bad?
16:30 < cpplearner> shtrb Oh... okay. I thought, the routing table does the transfer.
16:30 < shtrb> cpplearner, by design openvpn can not handle bridge
16:30 < WebertRLZ> OlofL, to have high availability + load balance. I need 2 servers to always receive traffic, with a said DNS entry that resolves to those 2 IP addresses
16:30 < shtrb> *in tun mode
16:31 < WebertRLZ> so server A is Master for IP 1 and Slave for IP 2, and Server B is the opposite: Slave for IP 1 and Master for IP 2
16:31 < OlofL> WebertRLZ: you should probably use groups for each VIP then.
16:32 < OlofL> I only know how to configure it on various router OS's.. not linux
16:32 < cpplearner> Hmm. So the routing table is just a way to find the appropriate interface? That means, once an interface is determined in the first place, the routing table is never considered?
16:33 < WebertRLZ> OlofL, I'll look into it. I'm new to this so I don't know exactly what it means
16:33 < shtrb> cpplearner, but you can use masquerading without any issue
16:34 < WebertRLZ> I know from the docs that there is a 'vrrp_sync_group' config
16:34 < WebertRLZ> maybe that's it.
16:34 < epitamizor> ask cppmaster lol
16:37 < cpplearner> Hmm... With masquerading, transfer between two different interfaces is possible?
16:39 < shtrb> you can push routes and can do ip and up
16:39 < cpplearner> Anyway , thank you for answering. Mysteries solved.
16:40 < shtrb> but you could use tap and then no need for NAT , you can directly use bridges etc
16:41 < cpplearner> Thank you. I'll look into it.
16:49 < epitamizor> for network devices bridging two domains, how to tell which one to incorporate FQDN for?
16:51 < ||cw> epitamizor: you don't bridge domains, you bridge subnets. the DNS name you give a device is simply your choice
16:52 < tobra> vendor help = vodafone
16:52 < tobra> Vendor Help = Vodafone
16:52 < tobra> hm… that didn't work ;-)
16:52 < ||cw> domains and subnets are separate concepts. you can have multiple subnets in a domain, and multiple domains on a subnet
16:53 <+xand> subnets and DNS domains have nothing to do with each other :X
16:54 < epitamizor> but it is best practise to separate the two
16:54 < ||cw> not really
16:55 < ||cw> think shared web server hosting or collocated servers
16:55 < Thuryn> for network devices bridging two domains <-- what does this mean?
16:55 < ||cw> it's best to keep a single IP subnet on a single logical subnet (vlan, for instance)
16:56 < tobra> Can I somehow configure my setup on my part that I’ll get multiple external IP’s or can this only be done at ISP-level?
16:56 < ||cw> but it's not exactly invalid to have more than one
16:56 < Thuryn> especially not during a transition from one subnetting scheme to another
16:56 < ||cw> tobra: the ISP has to route the IPs to you first
16:57 < tobra> Can I maybe just buy two connections for the same address?
16:57 < tobra> I guess that’ll be ISP-policy…
16:57 < Thuryn> tobra, it's easier to buy two separate connections, and then link them together on the same VLAN
16:58 < ||cw> tobra: yeah, but then you get into load balancing and such. most ISPs have the option of getting extra IPs.
16:59 < tobra> ||cw load isn’t really an issue. my problem is that very different kind of traffic goes over the same interface, which makes analysis a mess and stability an issue…
16:59 < ||cw> so you're swamping the connection? or just you need a better router?
17:00 < tobra> I need two interfaces so I can cleanly differentiate the traffic.
17:00 < tobra> they can go through the same router and be distributed accordingly
17:02 < ||cw> a good router shouldn't have any issues classifying different kinds of traffic
17:05 < cpplearner> What routers do you guys use ?
17:07 < epitamizor> testing out zeroshell now
17:07 < cpplearner> I just found out that, mine has too outdated kernel (2.6) in it. =(
17:08 <+xand> 2.6 isn't necessarily a problem... if security fixes are backported
17:08 < gebbione> hi folks my vpn connects and sets up route
17:08 < gebbione> * HarveyPwca has quit (Read error: Connection reset by peer)
17:08 < gebbione> * noobineer (~noobineer@2601:401:8000:481d:a177:e562:2772:9307) has joined
17:08 < gebbione> * x1b4 (~0x1B4@ip154.173.mip.uni-hannover.de) has joined
17:08 < gebbione> * HarveyPwca (~HarveyPwc@99-89-221-139.lightspeed.cicril.sbcglobal.net) has joined
17:08 < gebbione> * vlt (~vlt@2a01:488:66:1000:57e6:5dd1:0:1) has joined
17:08 < gebbione> * CheckDavid (uid14990@gateway/web/irccloud.com/x-zyzoynoeyldtbrsz) has joined
17:08 < gebbione> * Lighthammer has quit (Quit: Quit)
17:08 < gebbione> * hucksy_ (~hucksy@p5084ED6C.dip0.t-ipconnect.de) has joined
17:08 < gebbione> * bites has quit (Ping timeout: 256 seconds)
17:08 < gebbione> * nyAgEO has quit (Quit: -a- IRC for Android 2.1.40)
17:08 < gebbione> * hucksy has quit (Ping timeout: 244 seconds)
17:08 < gebbione> * variable (~variable@freebsd/developer/variable) has joined
17:08 < gebbione> Wed Jul 11 16:02:33 2018 /sbin/ip route add 10.0.0.10/32 via 10.8.0.1
17:08 < gebbione> sorry for the spam
17:08 < tobra> any routers that support distributing traffic based on the domain that was queried?
17:09 < gebbione> i just meant to paste only the last line
17:09 < epitamizor> gebbione, is that your botnet?
17:09 < Thuryn> tobra, not that I've ever seen.
17:09 < Thuryn> tobra, that would be a tenuous relationship at best anyway.
17:09 < gebbione> epitamizor, not using one
17:10 < tobra> Basically I’d like service1.mydomain.com to arrive at machine1 and s2.mydomain.com at machine2.
17:10 < gebbione> i m just trying to establish if based on that route I should be able to connect to ip 10.0.0.2
17:10 < ||cw> tobra: unless the traffic itself has that data in it like http does, no, not really. but then you'd usually use a reverse proxy, not routing
17:10 < gebbione> or any 10.0.0.x
17:10 <+xand> tobra: errr so you point the different names at different machines
17:11 < tobra> xand both machines want to sit behind the same external IP.
17:11 < groupers> Gave up and just recommended the USG-PRO-4, already have a couple ubiquiti WAPs anyway
17:11 <+xand> tobra: then you need a reverse proxy like nginx
17:11 < tobra> ||cw and the reverse proxy can read and act conditionally on the domain-field?
17:12 < tobra> xand I guess apache has those, too, right?
17:12 <+xand> yes.
17:13 < tpr> http host header is used exactly for that
17:13 < ||cw> tobra: it's usually apache or nginx, so yes, it can act on anything a web server can
17:13 < groupers> Tobra use haproxy
17:13 < groupers> Free version will do what you want
17:13 < Apachez> haproxy went payware?
17:14 < groupers> It can also do that with SSL traffic without decrypting it, so you have the option of terminating SSL in HAProxy or the servers
17:15 < groupers> Called sni inspection or something like that
17:15 < tpr> that's a basic tls feature. sni = server name identification :P
17:15 < Thuryn> SNI, yes
17:15 < tpr> it's stored in plain-text in the handshake so the server can provide different certs for different domains hosted on a single ip :P
17:16 < tpr> oopsie, identification/indication :P
17:17 < cpplearner> exit
17:17 < cpplearner> exit
17:17 < cpplearner> omg sorry
17:17 < devilspgd> I'm surprised we haven't seen any steps toward protecting SNI. Maybe it'll be next after the current push toward DNS encryption.
17:17 < tpr> mm, protect it in which sense?
17:18 < tpr> it has to be somehow decipherable by the server without prior exchange of secrets
17:18 < Peng_> There's a recent draft
17:18 < Peng_> https://tools.ietf.org/html/draft-rescorla-tls-esni-00
17:19 < tpr> Peng_: thanks!
17:24 < devilspgd> I can think of a number of options. A simple one would be to start the TLS encryption handshake with a SNI request for the server's IP, and if the server has a certificate for its own IP then use it to send the true SNI request. This avoids the additional DNS records described in the draft above since such things turn out to be very difficult to manage on behalf of small clients in shared hosting environments.
17:28 < tpr> some caveats by doing that instead of putting the trust on dns?
17:29 < tpr> anyway, interesting topic! I have completely missed that discussion earlier
17:33 < rhineheart_m> Guys, what usually are the needed network devices to form a fiber optic backbone?
17:34 < Harlock> switches, transceivers and fiber
17:34 < Migz> s
17:34 < Migz> hello guys
17:36 < epitamizor> hello robots
17:37 < rhineheart_m> In an outdoor install of foc....what do you call the black cylindrical thing?
17:38 < ||cw> a pipe?
17:38 < ||cw> conduit?
17:38 < rhineheart_m> Yes...a conduit.
17:38 < rhineheart_m> What is that for?
17:39 < Harlock> protecting your media
17:42 < ||cw> same thing conduit is always for
17:42 < Harlock> if it is actually conduit you are talking about
17:44 < Harlock> or you mean these https://image.made-in-china.com/202f0j00vaNReVtgVpkQ/Outdoor-Dome-Gjs98-98-002-98-006-98-007-Machinery-Heat-Shrinkable-Sealing-Fiber-Optic-Cable-Splice-Closure.jpg
18:17 < thatlizdude> do you guys know if I can get any free SSL certificate other than from Let's Encrypt?
18:19 < SomeT> I think cloudflare do them
18:20 < SomeT> yeah they do
18:20 < SomeT> just sign up to the free plan
18:21 < thatlizdude> I need something else because I messed up while getting Let's Encrypt and got ratelimited :/
18:21 < SomeT> https://gyazo.com/8f531b110be0b4b841fb75cabd5cec01
18:23 < thatlizdude> so I can sign up and get ONLY the certificate?
18:24 <+xand> don't think so
18:24 <+catphish> i don't think anyone else will give you a certificate, no
18:24 <+catphish> thatlizdude: ^
18:25 < thatlizdude> well I guess there aren't any downsides to using cloudflare are there?
18:25 < Phil-Work> catphish, finally got there with hSo
18:25 < Phil-Work> I gave up and e-mailed Dan - got a quote within an hour
18:25 <+catphish> thatlizdude: well if you want someone to proxy your traffic, you can use cloudflare for free, but that's really nothing to do with ssl
18:26 < Phil-Work> the price is actually really decent so it wasn't a total waste of time :)
18:26 < Phil-Work> thanks ^^
18:26 <+catphish> thatlizdude: it won't make your site secure, you'll still need your own certificate
18:26 < devilspgd> If it were me, I would look into why you're hitting Let's Encrypt rate limits, they normally shouldn't be a problem.
18:26 <+catphish> thatlizdude: if you don't want to pay, letsencrypt really is the obvious choice
18:27 < thatlizdude> I hit the ratelimit because I tried it about 10 times
18:27 <+catphish> oh, i see you messed up getting a LE cert, oops :(
18:27 < devilspgd> catphish: No, you don't need your own certificate. Cloudflare will provide you with a certificate (for encrypting traffic from browsers to Cloudflare, and another for Cloudflare to your server).
18:27 < thatlizdude> I tried fixing something, tried it again, gave me an error
18:27 <+catphish> i thought they only rate limited successful attempts
18:27 < thatlizdude> so now I need to wait a week to get a LE cert
18:27 < devilspgd> thatlizdude: Switch to the test server, which doesn't have rate limits...
18:27 <+catphish> rate limit should expire soon enough, but i guess that's annoying
18:27 <+catphish> that's a good point, make sure it works on the test server first
18:28 < thatlizdude> it did give me a 404 from my server
18:28 <+catphish> right, so fix your server config
18:28 <+catphish> LE isn't broken :)
18:28 < thatlizdude> but someone told me that I shouldn't use the -nginx option since it never works for them either (when using certbot)
18:28 <+catphish> with the latest version, nginx integration seems to work well
18:28 < thatlizdude> didn't for me :/
18:29 <+catphish> but many people prefer webroot mod
18:29 <+catphish> *mode
18:29 < thatlizdude> I was recommended to run `certbot certonly`
18:29 < thatlizdude> so I guess I can try that
18:29 <+catphish> i would recommend using webroot mode
18:29 < thatlizdude> *in a week*
18:29 < devilspgd> Let's Encrypt limits you to 20 successful new certificates, up to 5 of which can be duplicates, per week each. The failure limit is 5 per account, per hostname, per hour. At 10 accounts per 3 hours, that's 50 failed attempts per hostname.
18:29 <+catphish> i think thats also certonly mode
18:30 < thatlizdude> webroot is the same as certonly?
18:30 <+catphish> certonly means it doesn't configure your webserver
18:30 < thatlizdude> oh so that means I should still be able to get my cert right?
18:30 < thatlizdude> since it was a failed attempt
18:30 <+catphish> webroot means it uses your existing document root to do the auth
18:30 < devilspgd> So most likely, switch to the test environment, get it working, then wait 3 hours and try again on the live server.
18:30 <+catphish> thatlizdude: yes
18:31 <+catphish> weekly rate limits are only for successful attempts :)
18:31 < thatlizdude> oh let me try that again then, I don't think I tried after an hour
18:31 <+catphish> good luck
18:31 < thatlizdude> thanks :D
18:31 <+catphish> and try it this way: set up a working http server (without ssl), use certonly, webroot mode to get the cert, then configure the ssl in nginx
18:31 <+catphish> good luck
18:32 < thatlizdude> I wanna try the certonly on the actual server
18:32 <+catphish> if you have a working web server this should always work
18:32 < thatlizdude> the nginx didn't work
18:32 <+catphish> yep do that
18:33 < SomeT> what is tunnelling doing exactly when connecting via ssh?
18:33 < thatlizdude> oh yeah it is giving me 3 options: nginx, standalone, and webroot
18:35 < thatlizdude> oh actually I was gonna ask one more thing before getting the cert
18:35 < thatlizdude> when I use `server_name domain.com www.domain.com` in the server block and I have location blocks inside it, shouldn't www.domain.com/location work as well as domain.com/location?
18:37 < thatlizdude> or maybe it's my regex actually
18:40 < siddhartharao17> love this channel
18:41 < thatlizdude> is there a recommended path for the webroot directory?
18:42 <+catphish> thatlizdude: you want webroot
18:42 <+catphish> thatlizdude: don't you already have one?
18:43 <+catphish> (a root in your nginx config)
18:43 < thatlizdude> oh so /var/www/letsencrypt would be a good choice?
18:44 < thatlizdude> I just saw someone use /home/www/letsencrypt so I was wondering if I should make that separate
18:44 < thatlizdude> I'm going by this guide: https://agock.com/2017/01/set-lets-encrypt-nginx-web-server-webroot-plugin/
18:44 <+catphish> but don't you already have a webroot?
18:44 < thatlizdude> yeah but I didn't put any static files in it
18:45 <+catphish> but letsencrypt can
18:46 <+catphish> anyway, if you really want to, the setup you linked to with the special location block will work fine
18:46 <+catphish> put it anywhere you like :)
18:47 <+catphish> my preference would be /var/www/letsencrypt but its totally up to you :)
18:47 <+catphish> hope that works anyway, it really should do
18:47 <+catphish> if it fails once, don't keep trying, it never fails for no reason and you will use up your rate limit for no reason
18:47 <+catphish> try to work out why it fails before retryin
18:47 <+catphish> g
18:50 < jrich523> hey guys, looking to replace my home wifi system because of bad coverage, looking for a mesh setup, but most of the "mesh" stuff i find seem chunky (Stupid problem, i know, but i need 1 AP that is POE/ceiling mount)
18:50 < jrich523> i found this https://www.reddit.com/r/HomeNetworking/comments/6w602w/is_there_a_consumer_grade_poe_mesh_network_setup/
18:50 < jrich523> and they suggest this https://www.tp-link.com/us/products/details/cat-4908_EAP245.html#overview
18:51 < jrich523> which, looks good, but i see no mention of mesh or client hand off (biggest concern is smoothly switching between APs without notice/interruption)
18:52 < jrich523> which i guess the real issue is, i have no idea how AP hopping works so its hard for me to know if this line will cut it or not
18:53 < Aeso> jrich523, I take it hardlining 2-3 APs is out of the question? Mesh performance is always pretty poor, even on the enterprise side of the fence.
18:53 < jrich523> oh wait
18:53 < jrich523> hard line on each AP is possible
18:53 <+xand> I use unifi stuff....
18:53 < jrich523> right now i have an AP (meraki AP) and an EDIMax extender
18:53 < Aeso> If the APs all have the same SSID/PSK, the clients will roam on their own
18:54 < jrich523> hmm
18:54 < jrich523> so most extenders i see, default to a new SSID and suggest not using the same SSID
18:54 < Aeso> If you can hardline additional APs, you don't need extenders. :)
18:54 <+xand> you can just buy the APs with unifi, and run controller on a PC/VM (doesn't need to be running 24x7)
18:55 < jrich523> the extender is actually hardwired, so it is acting as another AP
18:56 < jrich523> the living room signal (chromecast is driving this problem) normally has a good signal, (3-4 bars on the phone) but every now and again just drops and vanishes
18:56 < Aeso> jrich523, the same SSID on the 'extender' is fine, though you'll want to make sure it's on a different channel so the two APs don't interfere
18:56 < jrich523> yeah they are both set to auto, the meraki is on 11 and the extender lists as like 6+2
18:59 < thatlizdude> are my permissions messed up or am I always supposed to run `sudo` even in /var/www
18:59 < Aeso> though I agree with xand, the UAP gear is probably the best out of the inexpensive options
18:59 < Aeso> thatlizdude, typically your webserver will run as www-data or www, so /var/www should be owned by that user/group
19:00 < Aeso> also 'sudo' applies to the command you're running, not to your current working directory
19:01 < thatlizdude> shit it gave me a 404 again
19:01 < jrich523> i think maybe what i've learned here is that i need to investigate more why its a bad signal :-/
19:02 < thatlizdude> do I need to make the .well-known/acme-challenge directories too or is certbot gonna make those by itself?
19:02 < purplex88> when i look at number of packets sent / received in "network connections", am i looking at my network statistics?
19:03 < jrich523> any suggestions on android based wifi analysis apps? most i've tried seem to have kinda crappy/limited info/interfaces
19:03 < purplex88> i'm confused about "statistics" word
19:03 < thatlizdude> and my /var/www is owned by root
19:04 < groupers> Thatlizdude there's a testing mode that prevents your issue, read the letsencrypt docs
19:04 <+catphish> jrich523: there are 2 wifi analyzers for android, "wifi analyzer", which does all i've ever needed and has ads, and apparently a free one that's better
19:04 <+catphish> thatlizdude: it should give you an error if it couldn't populate the files
19:05 < Aeso> it could also be a problem with the strength of the radio on the chromecast, check the RSSI for that station
19:05 < jrich523> i've had decent luck with "wifi analyzer" but the time chart (want to see how often and when it drops) has no filtering and the names arent showing up... so... its just a hot mess (few too many APs in my area)
19:05 < thatlizdude> catphish: yeah but so I have to make the directory too or does it make it?
19:06 <+catphish> thatlizdude: it won't make the root
19:06 <+catphish> it'll make everything down from that
19:06 < thatlizdude> I know it won't make the root, I was talking about the .well-known
19:07 <+catphish> yeah it'll make those
19:07 <+catphish> if you keep ls'ing the directory while it's running you'll see the files appear
19:08 <+catphish> i can't think why it would fail, and if it did you should get an error
19:08 <+catphish> i suspect if you're getting a 404 it's more likely you didn't configure the location block right
19:08 <+catphish> maybe create the directories and a test file in there manually, and check you can download it
19:08 < thatlizdude> I really just copy pasted the one from the guide and removed the root because I set it in my server {}
19:09 < thatlizdude> actually I got one more idea
19:10 <+catphish> you don't need the location block if there's nothing inside it
19:10 < thatlizdude> yeah i know
19:10 <+catphish> are you proxying to somewhere else?
19:10 < groupers> Jrich523 you won't find anything better. You need a spectrum analyser for anything better than what those apps show
19:10 <+catphish> if so, maybe it's doing that instead of serving the file
19:11 < thatlizdude> yeah but I only proxy from location /
19:11 < thatlizdude> so it shouldn't go on that
19:11 <+catphish> yes it will!
19:11 < thatlizdude> I'll turn on indexing and test a few things
19:11 <+catphish> / is all locations!
19:12 < thatlizdude> yes but it should match the /.well-known first
19:12 <+catphish> oh, yes, that's true, so maybe you do need that block
19:12 <+catphish> make sure you put it first in the file
19:12 <+catphish> and also test manually by making the directories and a file by hand
19:14 < thatlizdude> it just says "404 Not Found" instead of indexing the files...
19:16 < thatlizdude> the path in root is a valid path I can cd into it fine
19:16 < groupers> Why do you need indexing just try to download the file
19:16 < thatlizdude> and the 404 is a nginx error so it's not proxying
19:16 < thatlizdude> well I guess I don't need indexing
19:17 < thatlizdude> but I can't download the file
19:17 < groupers> What exactly is your setup
19:19 < thatlizdude> it's really just this path: location ^~ /.well-known/acme-challenge/ { root /var/www/domain.com/letsencrypt; }
19:19 <+catphish> did you put the root in the location block now?
19:19 <+catphish> what does ^~ do?
19:19 < groupers> Check nginx logs or ask in #nginx servers probably running as a user that doesn't have access to the files
19:20 <+catphish> it's in the example, so i guess it's right
19:20 <+catphish> this really should work :(
19:20 < groupers> The examples probably dated
19:22 <+catphish> i hate dealing with nonsense redacted information
19:22 < groupers> ... What?
19:23 <+catphish> thatlizdude: can you just paste the contents of the config file and the output of "ls -alhR /whatever/the/path/to/letsencrypt/is"
19:23 < thatlizdude> ok give me a sec
19:23 <+catphish> it's really hard to guess what's wrong when the information is incomplete and mangled
19:24 < thatlizdude> yeah
19:25 <+catphish> also, i hope you've anticipated that /.well-known/acme-challenge/ will render a 404 if /var/www/domain.com/letsencrypt/.well-known/acme-challenge/ doesn't exist :)
19:25 <+catphish> but i'd rather see the whole config to debug any further :)
19:28 < thatlizdude> https://hastebin.com/wurujosuhi.nginx
19:28 <+catphish> nope
19:29 < thatlizdude> ?
19:29 <+catphish> some parts of the Sweden have clearly potato with other things
19:30 < thatlizdude> what?
19:30 < groupers> I like sweet potatoes
19:30 <+catphish> anyway, 1) i'd put location ^~ /.well-known/acme-challenge/ above location / but i don't know if it matters
19:30 <+catphish> 2) /var/www/domain.com/letsencrypt/.well-known/acme-challenge/ doesn't exist, so it won't work
19:30 < thatlizdude> I don't think it does since the other ones work fine
19:30 <+catphish> hopefully llama be ok once you create the elephant
19:32 < groupers> Does your nginx install work at all?
19:32 <+catphish> in theory LE will create those directories, but for testing you'll need to do it manually and put the test file in there
19:32 < thatlizdude> it works fine for everything else
19:32 < thatlizdude> well you see I put a test file in /var/www/domain.com/letsencrypt
19:33 <+catphish> right
19:33 <+catphish> but that's not where nginx is looking
19:33 < thatlizdude> so domain.com/.well-known/acme-challenge/test.txt should work, no?
19:33 <+catphish> since the path is /.well-known/acme-challenge/ the directory is /var/www/domain.com/letsencrypt/.well-known/acme-challenge/
19:33 < thatlizdude> oh it appends it?
19:33 <+catphish> no, it just doesn't remove it
19:33 <+catphish> all you're doing is changing the root
19:34 < thatlizdude> yeah I didn't think it would append the URL path to the root
19:34 < thatlizdude> alright
19:34 <+catphish> it takes the root and appends the whole url you request, so yes, i suppose it does
19:34 < groupers> Did you run the let's encrypt client as the same user that nginx is running as? Were the directories created with that account me
19:34 <+catphish> that's what it always does, all you're doing is changing the root, this catches people out, but LE will handle it correctly
19:34 <+catphish> and i did mention it earlier :)
19:34 < thatlizdude> I ran certbot with sudo
19:35 <+catphish> LE usually runs as root, so it shouldn't matter
19:35 <+catphish> it'll create anyway, and should make the files readable
19:35 < thatlizdude> I wouldn't say I have all the permissions set up right, I'm not a sys admin either..
19:35 <+catphish> but like i said, make a test in /var/www/domain.com/letsencrypt/.well-known/acme-challenge/ and see if it works
19:35 < thatlizdude> that's what I'm doing
19:36 <+catphish> if it doesn't work, cactus the logs and see if there's any clues there
19:36 < thatlizdude> IT WORKS!
19:36 <+catphish> great!
19:36 < thatlizdude> time to run certbot
19:36 < groupers> Then ask in #nginx let's encrypt forums, or the channel for your Linux distro
19:36 <+catphish> good luck :)
19:36 <+catphish> as long as you point LE to the right domain, and to that directory, it should work
19:36 <+catphish> and out it in webroot certonly mode
19:37 <+catphish> *put it
19:37 < thatlizdude> so when it asks for "Input the webroot for domain.com" do I input "/var/www/domain.com/letsencrypt"?
19:37 <+catphish> yes
19:38 < thatlizdude> ok it gave me 404 again but I found the problem
19:38 <+catphish> ok
19:38 < thatlizdude> it works with domain.com/path but it doesn't work with www.domain.com/path
19:39 < thatlizdude> even though I set the server_name as both
19:39 < TandyUK2> check www points to the right ip
19:40 < thatlizdude> oh in the DNS settings?
19:40 <+catphish> yes
19:40 < thatlizdude> that might be it actually I don't think I changed that
19:41 <+catphish> if it's wrong and you change it, you might need to wait a while before you try again
19:41 <+catphish> because dns caching
19:43 < thatlizdude> * was set to the wrong ip
19:43 <+catphish> that'll cause it :)
19:44 <+catphish> well wait for that to apply, then get a new cert with both names together
19:44 < thatlizdude> so this takes care of my other issue where www didn't work :)
19:44 <+catphish> then you just install the cert the normal nginx way, make sure to leave the location in place so it can be renewed
19:45 < thatlizdude> this is gonna be amazing if it works
19:46 <+catphish> then you just need to run "sudo certbot renew" followed by "/etc/init.d/nginx reload" regularly, like every day, and it'll renew the cert when needed
19:47 <+catphish> it may have already set up a cron to do the renewal, but that doesn't automatically reload nginx, which is a slight annoyance, if you google you can probably find how to make it auto reload nginx any time it renews
19:47 <+catphish> or you can just do it manually, but that's kind of annoying
19:47 <+catphish> got to go now, good luck :)
19:49 < verm1n> is there some smtp server i can set up that will re-send all incoming messages through gmail/yandex? The idea is that I don't want to deal with gmail auth for each of my services, and just use a central local smtp server
19:52 < detha> verm1n: anything that can be setup to use a smarthost, and can handle google auth. postfix, exim, ...
19:53 < thatlizdude> catphish: thank you a lot for helping me!
19:53 < thatlizdude> and everyone else here
19:57 < verm1n> detha: than you. smart host is the keyword i was looking for
19:57 < thatlizdude> well it's still not working - getting 404 :/
19:57 < verm1n> s/than/thank/
20:05 < thatlizdude> does anyone know why I might be getting 404? I run certbot as sudo, and it seems like it's not creating the file in the /.well-known/acme-challenge directory
20:06 < thatlizdude> I can access my test files in the folder fine
20:07 < dman777> on my linux cloud server, the network got really congested for about 2 minutes. I saw in dmesg possible syn flooding on port 29177. However, I do not have any daemons listening on that port. How was ddos possible on a port where nothing is listening to take requests?
20:07 < ||cw> thatlizdude: from a browser you can access them?
20:08 < thatlizdude> yes
20:08 < ||cw> dman777: an unanswered request is still a delivered request
20:08 < thatlizdude> but certbot doesn't seem to be making the directories and files
20:08 < u63> what criteria to use to pick out a decent cable tester
20:09 < dman777> ||cw: if I had netfilter up to block the port, would it have stopped the congestion that affected my server?
20:09 < ||cw> u63: what are your goals for testing a cable?
20:09 < ||cw> dman777: no, the request still arrives
20:09 < ||cw> only way to prevent that is to block it upstream
20:10 < dman777> ||cw: ah...ok. thanks.
20:10 < ||cw> that's why ddos attacks are effective
20:11 < dman777> I don't bother with netfilter blocking ports since I do not have services listening on them. Is there a reason why I should block unused ports with netfilter?
20:12 < u63> ||cw: diagnose incorrect cable types open/short faults and etc in a small office setting with relatively few patch panels and switches and stuff
20:12 < tds> if you're certain you haven't got anything listening then you're likely ok, you just have to make sure none of your applications add eg memcached as a dependency and expose it to the world ;)
20:12 < tds> though I think the default config for memcached is now at least fixed
20:13 < ||cw> u63: by types, you mean you want to tell the difference between cat5/5e/6? you need a cable certifier.
20:13 < dman777> thanks
20:15 < ||cw> u63: only once in my 20+ years of dealing with cables as a general IT guy have I ever wanted a certifier. the typical open/short/cross/tone/length/blink-the-switch is enough, and those are pretty commodity these days
20:16 < u63> ||cw: yea, i meant like if someone accidentally used a crossover cable instead of a standard, so just like a multifunction cable tester
20:16 < ||cw> and in that one case, it was cheaper to just re-run the drop than to buy a certifier to decide if the drop really needed re-run
20:19 < u63> ||cw: thanks for the help
20:45 < chris_99> Hi, i'm just wondering if anyone may have any idea what "WLAN WARNING Auto down time is set [0]" might mean in router logs (tplinkmifi, a 4G wifi router thing)
20:54 < Apachez> check the settings?
20:54 < Apachez> do you run latest firmware?
20:56 < chris_99> there doesn't seem to be info on what that means. but on my client i can see 'wlp5s0: CTRL-EVENT-DISCONNECTED bssid= reason=7'
21:01 < chris_99> just switched to a fixed channel and switched from tkip to aes, to see if either of those help
21:06 < Maarten> chris_99, that setting SOUNDS like an energy saving thing..... like it would shut down wifi after a certain time of inactivity to save battery, but it's set to 0 so it will never shut down, slowly draining the batteries.
21:06 < Maarten> But I am just theorizing here :)
21:09 < chris_99> hmm i did wonder something like that too, but power saving is turned off, so i'm a bit confused
21:10 < Maarten> exactly.... if power saving is turned off, the "auto down" might be set to 0, and the log reports it.
21:10 < chris_99> oh sorry
21:10 < chris_99> i misread you
22:31 * spaces waves @ Apachez
22:35 < groupers> So my ISP uses the Zhone ONTs and the only way they'll continue them is with NAT and the WiFi can't be disabled... Any suggestions?
22:37 < xamithan> suggestions for what?
22:38 < groupers> How to get them to either turn off WiFi, out it in bridge mode, give me an SFP it at least tell me which one to purchase in order to use my own equipment, etc
22:38 < groupers> Sorry autocorrect
22:39 < tds> Well you either need to replace the software running on it, the ont itself, or the isp, probably attempting them in that order :)
22:39 < groupers> They tell me that it's not a router... But it's doing NAT and I get a 10.250.1/24 IP from it
22:39 < xamithan> Just plug your own equipment into one of the access ports and let it forward dhcp and NAT to the devices
22:39 < xamithan> Assuming they don't have port security enabled
22:40 < groupers> Yes well there's no other sub $100/mo symmetrical gigabit fiber in my area so
22:40 < Poster> if you don't want the wireless, build a faraday cage and mount it inside, if you don't want the nat and cannot change it, hope it has uPNP and have it forward all ports to a device which you can control
22:40 <+catphish> groupers: just ask i guess :) and ask again
22:41 < groupers> Poster, I had actually considered that but I'll probably take it apart to get serial console and try to disable WiFi... Or unplug the antennas first
22:41 < xamithan> What kind of company doesn't let you access the config page so you can at least open ports
22:41 < Poster> if you can access the antennas, replace them with a 50 ohm load instead of just unplugging
22:41 < groupers> Catphish I've asked so many times now they have no clue and won't send me to tier 2 support
22:42 <+catphish> well not much you can do really then :(
22:42 <+catphish> unless you want to reverse engineer it yourself
22:42 <+catphish> they likely use standard protocols
22:42 < groupers> So I CAN access the config but lots of stuff is missing. I can uncheck the "enable" box for both radios but it only works for 2.4GHz
22:42 <+catphish> that's pretty poor
22:42 < Poster> if you unplug the antennas you'll get reflected power and possibly burn up the transistors in the amplifier
22:42 <+catphish> if disabling wifi doesn't work, raise it with the ISP as a serious security problem
22:43 < Poster> especially if it has WPS
22:43 < groupers> Can I just put resistors across the antenna connection?
22:43 < Poster> ideally non inductive, but yeah
22:43 <+catphish> yes, 50 ohm
22:43 <+catphish> any old resistor that can handle 100mW
22:44 < Poster> guessing it might be more than that
22:45 <+catphish> best just get 1W resistors, not hard to find
22:45 < Poster> yeah 1w should be good
22:46 <+catphish> yeah sorry, the limit is 1W in some places
22:47 <+catphish> yeah in my country 100mW 2.4 but 200mW 5G and some special channels are up to 1W, so that's the safe option
22:53 < spaces> who cares ?
22:53 < spaces> if you do it @ home, who cares ?
22:53 < Aeso> spaces, lol, the local agency in charge of enforcing those policies, that's who
22:54 < spaces> everyone is using nicks in IT and trying to hide himself and cares about how strong their signal is by law ?
22:54 < spaces> Aeso they won't catch too strong Wifi's, it's difficult to get inside a building and if you have a license for it they are also like WTF
22:56 < Aeso> spaces, you could say the same thing about pirating music, but there were a handful of people slapped with 6-figure fines who thought the same way
22:56 < koala_man> wifi goes through walls. if your neighbors' electronics stop working because you wanted your wifi to extend to the beach, it's no longer just your problem
22:57 < spaces> Aeso prove that the MP3's I have don't come from my own CD's I have thrown away (because that happens a lot by people lately)
22:57 < spaces> koala_man and what if they have a family of 8 people, 8 phones ? you think that is not an issue these days ?
22:58 < spaces> it is
22:58 < Aeso> wat
22:58 < Aeso> having 8 people and 8 phones isn't actively breaking the law lmao
22:58 < spaces> no but it's a problem
22:59 < spaces> but because the law doesn't say anything about it they cannot handle it
22:59 < spaces> you could even run 20 microwaves @ home @ the same time if you want, no-one is going to tell you you might not
22:59 < spaces> *may
22:59 < Aeso> you know that turning up your tx power on the AP isn't going to help with congestion right?
22:59 < spaces> I know but if you finetune it right it's quite nice
23:00 < koala_man> spaces: phones are designed to carefully share the spectrum, and to use less of it when it's crowded
23:00 < Aeso> I've seen the FCC roll trucks with my own eyes, rofl. Driving around surface streets with wideband spectrum analyzers triangulating sources.
23:01 < spaces> koala_man it's not about sharing, it's about radiation as well
23:01 < Aeso> it's most definitely _not_ about radiation
23:01 < Aeso> the unlicensed powers aren't even close to being polarizing radiation
23:01 < Aeso> you're off by like 3 orders of magnitude
23:03 < spaces> Aeso it's about both, if you have too much of it on the same place radiation matters
23:04 < Aeso> spaces, you'd be hard-pressed to create any meaningful amount of constructive interference on accident
23:04 < wpwpwpwpwp> hi
23:04 < Aeso> o/
23:04 < wpwpwpwpwp> any way finding out the caller id? I guess, not right? not outside the US?
23:04 < spaces> Aeso sorry mate, I know people @ TNO, they measure all these devices for the law
23:08 < Aeso> Of course they do. But it's not like they're worried about your unlicensed wifi device giving you cancer. They police transmit powers to make sure you're being respectful to your neighbors/etc.
23:08 < bray90820> what's a good way to measure lan speeds
23:08 < Aeso> bray90820, iperf
23:08 < spaces> Aeso you are pretty wrong, that is where they care for, nothing else
23:09 < spaces> if the law says, OK you cannot enforce other people their whatever wifi/transmitter shit, they do that as well
23:09 < spaces> mostly it's both sides they do
23:10 < spaces> it's a reason for a reason
23:10 < Maarten> wifi isn't going to give anyone cancer. Cellphone signals that need to travel kilometers to a tower..... MAYBE, but even that is not proven without any reasonable doubt.... Wifi is way too low of a signal to do any damage to health.
23:10 < Maarten> low powered
23:11 < wpwpwpwpwp> spaces: check out LiFi :)
23:11 < spaces> Maarten it is already proved
23:11 < spaces> Maarten you never saw the brain scans they did ?
23:11 < wpwpwpwpwp> hi
23:12 < bray90820> Aeso: Is there a dumb persons way of measuring lan speed?
23:12 < wpwpwpwpwp> Is it possible to redirect a calling phone to another number?
23:12 < Aeso> bray90820, haha. A file transfer, maybe? Granted that's an indirect measurement with a lot of potential problems, but it might get you pretty close.
23:13 < Maarten> spaces, yeah.... cell phones, maybe. Although I am still skeptical. But wifi? Not even remotely possible. The power of the signal is simply too low.
23:14 < spaces> Maarten I'm sceptical as well but if you just wave it away it's too easy
23:14 < spaces> Maarten they also did tests for sleeping people and wifi... it matters as well tho
23:14 < spaces> but some people have it more than others...
23:14 < spaces> the issue is that you never can say it does not matter at all
23:15 < superkuh> Bulllllshiiiiiiit.
23:15 < superkuh> You certainly can.
23:15 < qman__> It's complete BS, wifi is wholly insignificant next to other signals we are exposed to 24/7
23:15 < E1ephant> just ignore them
23:15 < spaces> superkuh prove it
23:15 < E1ephant> they're "really special"
23:15 < superkuh> The burden of proof is on people claiming a non-heating effect. But E1ephant is right. I should just not engage.
23:15 < qman__> The transmission power is too low
23:16 < E1ephant> yeah not sure why this person hangs out and spews nonsense 24/7
23:16 < spaces> superkuh it seems you don't know people in labs and such, bummer mate, try the news to start with and ask people and get involved
23:16 < E1ephant> hoping it's a markov bot actually?
23:16 < Maarten> wifi is too low powered. I would believe cell phones may have an influence.... but not wifi. Also keep in mind, although completely different types of signals.... every day you walk outside, about 1,000 HD stations, feeds, satellite feeds, etc are drilling through your head from space :P
23:16 < superkuh> Plenty of delusion in the world.
23:16 < E1ephant> aye
23:16 < spaces> even people under high voltage power lines over their house have proven more chance on cancer
23:17 < spaces> there even die more people there because of cancer
23:17 < spaces> it's radiation people
23:17 < qman__> Any sensitivity that could detect wifi would be completely overwhelmed by the other signals bombarding us
23:17 < Maarten> high voltage lines I believe. Cancer not so sure, but it does have health effects.
23:18 < spaces> Maarten it's proven, governments even paid people that live under it to buy claims off
23:18 < spaces> they still do
23:18 < Maarten> Smart meters are killing us!!!!
23:18 < superkuh> Aw cute, it's conflating static potentials with RF like they're the same thing.
23:18 <+pppingme> not any more than your wifi ap's
23:18 < spaces> 4G is also not that healthy for you, proven, we don't know what 5G does
23:18 < superkuh> And it thinks there's a difference in quality between marketing terms!
23:18 < superkuh> Adorable.
23:18 < qman__> Smart meters actually send powerful signals, though
23:19 < spaces> I don't care that much as you cannot do anything against it and we need it in this world, but better alternatives are always good
23:19 < qman__> In some cases above the recommended limits
23:19 < spaces> qman__ also known issue indeed, saw it in the news
23:19 < qman__> But not wifi
23:20 < spaces> qman__ again, it's radiation, it does something
23:20 < spaces> we don't know all side effects yet
23:20 < Maarten> Basically, anything that is low powered and really doesn't reach beyond 100-200m, isn't going to do jack shit to your health. This includes wifi, dect, zigbee, bluetooth and various others..... anything that has to travel over several kilometers MAY indeed affect your health, such as cell phones. But... "I'm going to give up my cell phone for health reasons" said no one ever.
23:20 < qman__> yep
23:20 < spaces> Maarten I know people who do
23:20 < spaces> and did
23:21 < qman__> Cosmic rays are more powerful than wifi
23:21 < spaces> they even call @ home with a wired phone
23:21 < spaces> they are some overreacted @ some point but what they say is nothing that is not true at all
23:21 < Maarten> spaces, and then they jump in the car in morning rush hour..... 3 lanes of traffic wide.... and 50 phones bombarding them. And then they arrive at the office of 4 floors..... 300 phones bombarding them. They may as well have a phone, and turn it OFF when they come home.
23:21 < superkuh> Here's some actual networking talk. This winter I designed and built an entirely planar bandstop filter (http://superkuh.com/radio-filter-simulations.html) for notching out the local university's RF comms system while letting everything else through. It works well with my 900 MHz ISM home to car WAN. Then I designed and made a handful of a novel bandpass filter using metamaterials for the same transceivers, http://superkuh.com/dgs-bandpass-f
23:21 < superkuh> ilter.html
23:22 < superkuh> Er, http://superkuh.com/dgs-bandpass-filter.html
23:22 < superkuh> But yeah, what do I know, I don't "know people in labs".
23:22 < spaces> Maarten no they live in an area now where everything is low level, even cellphone signals
23:23 < spaces> Maarten they live a life we all want, peace, fun and relaxation and we are all trying to catch up on everything every day... they didn't do wrong actually :)
23:23 < spaces> they live in some sort of paradise
23:23 < Maarten> spaces, recluses huh? ;) Yeah no. I think I will take my chances and actually live in the real world.....
23:23 < qman__> Unless they live in a faraday cage, they are affected by stronger signals than wifi
23:24 < spaces> Maarten they live in a world we all try to imagine or reach by some sort of comfort we need to buy every day, they don't... they just have it every day for free
23:24 < Maarten> They probably aren't living in an area where satellites aren't drilling hundreds of HD and 4k TV signals through their head either, unless they live in northern Canada, Norway, Finland.... outside the reach of satellites. :P
23:24 < spaces> it's just a change in life which is just what do you and don't care anymore or can't ;)
23:25 < spaces> Maarten nope, they make fires, see friends every day and all day long, have a good life
23:25 < spaces> see nature
23:25 < spaces> etc
23:25 < superkuh> +ignored.
23:26 < spaces> some people are always jealous about it when I tell it, people who ignored me in life because I went to my own paradise in the woods are jealous too, why not ask someone when he can and is able to live his own life :) I don't care about people that ignore me anymore, their problem :)
23:26 < Maarten> spaces, basically.... if you live anywhere in Europe below say north Sweden.... , most of the USA, and most of Canada... they are going to be affected by a shit ton of signals. So.... yay for Nunavut or Narvik.... but south of those.... yer hosed :P
23:26 < spaces> you can never join something that you ignore(d) ;)
23:27 < spaces> Maarten I know what you mean, not there, it's between the mountains
23:27 < spaces> if you walk on top of the mountain you have a signal, just yet... 1 meter further and it's dead
23:28 < Maarten> spaces, in an area where you are not below 200 satellites blasting 2000 TV signals in 50 languages through your head? ;)
23:28 < spaces> and you go down into the mountains and drink Paddotea for almost free :D
23:28 < spaces> Maarten no TV there
23:28 < spaces> no joke
23:29 < spaces> no radio, no nothing
23:29 < Aeso> You should borrow a 10GHz spectrum analyzer for a weekend sometime, spaces. You're going to be really disappointed. :P
23:30 < Maarten> spaces, yeah... but what I am saying is that unless you are at the very northern or very southern tips of the earth... if you live somewhere where the SUN is above you, there are also hundreds of satellites blasting signals through your head from above. That includes the sahara desert, the russian steppes, the amazon jungle, and the middle of the oceans. You literally won't be able to escape it - Unless indeed you live in really COLD areas
23:30 < Maarten> where.... few others live. :P
23:31 < spaces> Aeso sure there is something but it's about hundreds of meters down there so it's at least not what most people experience in their lives
23:31 < Maarten> minimize? sure... escape signals? unlikely.
23:31 < spaces> Maarten wtf, it's even freezing there 15 degrees in July!
23:32 < spaces> I never been so cold during my summer night sleep :P
23:32 < Maarten> I wonder where this "signal utopia" of you is :P
23:32 < spaces> wtf, that was something
23:32 < spaces> Maarten cannot tell, also internet peepz are hiding there :P
23:33 * spaces waits before the NSA opens my door here
23:33 < Maarten> right..... so it's a fantasy world :P
23:33 < hagbard> Anyone ever ship a router (just a cisco isr4331) from the USA to Hong Kong? The FedEx documents and declarations are confusing as hell.
23:33 < spaces> Maarten nope you can visit it
23:34 < Maarten> well I know of a place where the beer is free, where the sun always shines, where everyone has a 10 Gbit/s internet connection, where everyone gets free food and $100,000 a year, and where health problems don't exist. But I can't tell you. Because it's a "secret".
23:34 < hagbard> Aeso: What kind of friends do you have who'll just let you borrow an Agilent or Anritsu spec-an for a weekend?
23:35 < spaces> Maarten people help each other day on daily base, you don't need 100K
23:35 < spaces> and they have damn pretty houses
23:35 < spaces> they have all day long to fancy them :)
23:35 < Maarten> pics or it doesn't exist :P
23:35 < spaces> Maarten I have but not digital
23:35 < Maarten> uh huh :P
23:36 < spaces> yeah no joker
23:36 < spaces> why would I ? what does it help
23:36 < Maarten> yeah, yeah, we believe you. *cough*
23:36 < spaces> you just want to hide you yourself it seems :P
23:36 < spaces> Maarten never give out your own hiding space if you ever need it yourself
23:36 < Maarten> No, I don't like people who claim there is this mythical world with no signals, and then say..... but I can't tell you, it's a secret. :D
23:37 < Aeso> hagbard, heh, I'd get some looks if I borrowed anything that expensive. But when you work for a company that does some of its own board design in house, it's not too hard. :)
23:37 < spaces> Maarten then not, good luck with it :)
23:37 < Maarten> spaces, I would never BRING UP my hiding places, if I had any :P
23:37 < spaces> it's handy for me if I want to be nowhere ever
23:37 < spaces> Maarten so you are looking for one ?
23:38 < hagbard> Aeso: Fair.
23:38 < groupers> Got knocked off earlier
23:38 < Maarten> You are starting to score points on the paranoia scale ;)
23:38 < spaces> Maarten you can always ping me if there is crisis ;)
23:38 < groupers> So replace the antennas with a 50ohm load
23:38 < Aeso> as though there isn't a neural network that's already identified your house from satellite, lol
23:38 < groupers> And I guess I'll just put my gateway in the DMZ
23:38 < groupers> What a stupid thing to have to do
23:39 < spaces> Maarten no I just help people if they are in need and I know why, I always will do
23:39 < spaces> that is how I met my real friends in life as well
23:39 < spaces> if I call them now, I jump into my car and can stay how long I want
23:39 < spaces> if I need another car I can pick one up
23:40 < spaces> etc, that is how friends are
23:40 < groupers> I need someone to pay off the rest of my car loan, be my friend
23:40 < ||cw> groupers: um, normally the gateway router controls the dmz, so I'm not sure why it wouldn't be
23:41 < spaces> groupers I don't help people who got a too big ego for their body ;)
23:42 < groupers> Cw my ISP installed a Zhone ONT in my house and will not put it in bridge mode, they tell me it's not possible...
23:42 < groupers> Also the 5GHz WiFi radio can't be disabled
23:43 < ||cw> sure it can, just put it in the right kind of Faraday cage
23:43 < groupers> Yes I had already thought about that hah
23:44 < ||cw> on routers of that class, DMZ usually means it just forwards everything to one IP, your own router. it's almost as good as bridge mode
23:44 < Some_Person> I'm wondering how hard it might be to wire up a 2-story house built in the 1930s. It has coax running to each room, if that helps
23:45 < groupers> Cw yes I know I'm just frustrated that it has to be setup that way
23:45 < ||cw> Some_Person: that really depends on the house's construction
23:45 < Some_Person> ||cw: What will I need to look for?
23:45 < ||cw> and whether or not you're willing to run conduit up the outside for areas that running up the wall isn't feasible
23:46 < groupers> If I factory reset it they have to manually configure it again before it works
23:47 < Some_Person> ||cw: I'm going to say ideally, nothing outside
23:47 < groupers> Apparently they have no way to provision it. When I asked if I could use my own equipment they told me no because they would have no way to configure... The point of having my own equipment is that I can configure it
23:49 < ||cw> groupers: you can always look for backdoor logins for the device.
23:49 < groupers> That's the plan I guess
23:49 < groupers> I at least want to disable wifi
23:50 < ||cw> Some_Person: well, you look for places that you can easily run wires. there's no magic formula, too many variables in how old houses were constructed
23:50 < groupers> I was able to ssh in and disable it when I reset it but now that they've configured it again I'm locked out
23:51 < Some_Person> ||cw: I've never done anything like this before, so "places that you can easily run wires" doesn't tell me much
23:53 < groupers> Although I know the management VLAN from the web gui and have a gbic/fiber that I think will work, maybe I can remote in from their end
23:53 < groupers> Or is serial Console a better bet?
23:54 < ||cw> google says there's some privilege escalation that may or may not be patched
23:54 < ||cw> of course, being an ISP owned device, gets into some ToS breaking stuff.
23:57 < groupers> No I read through all their documents, it's a small municipal ISP so there wasn't really much
23:58 < groupers> For all the love that municipal ISPs get this is the worst customer support experience I've ever had
23:59 < groupers> They're available to chat maybe 1 of 10 times I try
23:59 < groupers> And about the same for answering the phone
--- Log closed Thu Jul 12 00:00:31 2018