--- Log opened Thu Apr 12 00:00:42 2018
00:01 < ||cw> these are all great topics for ##windows-server
00:06 < OpenSorce> So... 1.1.1.1 any advantages?
00:06 < Criggie> no
00:06 < Criggie> lets someone other than google track your DNS requests
00:06 < Criggie> allows cloudfront more data to make better decisions about caching
00:07 < Criggie> Tends to fail badly if there's a cisco router between client and 1.1.1.1 cos that IP is not uncommon as loopback IP addresses on Ciscos
00:07 < petemc> very pessimistic
00:07 < Criggie> 1.0.0.1 is slightly more likely to succeed
00:07 < OpenSorce> Well yeah... but they delete logs.
00:07 < Criggie> petemc: he didn't ask who the advantantages were for :)
00:07 < Criggie> OpenSorce: sure.
00:08 < Criggie> OpenSorce: and facebook doesn't share your personal information with anyone.
00:08 < Criggie> #doubt
00:08 < OpenSorce> Lol
00:08 < Criggie> :)
00:09 < Criggie> On the plus side, therir IPv6 DNS servers are the same speed as their v4 servers
00:09 < Criggie> But they lack a cool IP address.
00:09 < OpenSorce> I disabled IPv6... Spectrum doesn't do it right.
00:10 < Criggie> well that's not good
00:17 < hehehe> is it normal for domain registrar A record change yet to work after 5 hrs?
00:17 < hehehe> I wonder
00:19 < tds> hehehe: are you querying a resolver, or the nameservers directly?
00:19 < tds> 5 hours might be reasonable if the ttl is high enough, 5 hours to update nameservers doesn't sound right
00:19 < hehehe> tds yep
00:20 < hehehe> tds: I just use some online site to chck dns
00:20 < hehehe> I could use dig
00:20 < tds> yeah, I'd use dig to check the NS records, then query those servers directly
00:20 < hehehe> I do not change ns
00:20 < hehehe> A record
00:20 < tds> (dig +trace can also be useful)
00:20 < hehehe> tds: how?
00:20 < hehehe> :)
00:21 < hehehe> sugar I forgot I am on windows today
00:21 < hehehe> still I can do it from 1 of my boxes
00:21 < tds> it lets you see the delegation down the chain from the root
00:21 < tds> if you're not changing NS records though it shouldn't matter
00:21 < hehehe> how do I query ns
00:23 < tds> dig NS example.com to get the nameservers, then dig example.com @ns1.example.com to query them
00:26 < hehehe> nothing
00:26 < hehehe> A is empty
00:28 < hehehe> I will delete A record and re dd
00:28 < hehehe> add
00:28 < tds> just to confirm, what's the status returned? NXDOMAIN?
00:29 < hehehe> ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
00:29 < tds> you're looking for the line before that, it should have status: ...
00:29 < qman__> it will tell you the TTL of the request, if that number hits zero it will pull from the source again
00:30 < hehehe> my mistake
00:30 < hehehe> I added it for www.example.com
00:30 < hehehe> and not for example.com
00:31 < hehehe> mad day today
00:31 < hehehe> lol
00:37 < wiresharked> OK, so access points have logs that keep track of each device that they are connected to so they know where to transmit data to or receive data from. This sounds like what a routing table does
00:44 < electricmilk> Hmm Content filtering on SonicWALL has an option to exclude administrator...but for the life of me I can't find how it determines who is an Admin or not.  When set sure enough my account isn't filtered.  When tested from a workstation not on the domain that has Admin access it is still blocked...works great but how does it work?
00:45 < electricmilk> Does the SonicWALL somehow know who is in the Administrators group for the domain?
00:48 <@pppingme> Is it linked into AD?
00:48 < electricmilk> pppingme, No I don't think so.  I didn't add any AD settings to the SonicWALL
00:48 < electricmilk> pppingme,  Perhaps it goes by the ip address of the host connected to the backend?
00:49 <@pppingme> if true, that'd be a sloppy way to deal with it
00:49 < electricmilk> hmm.  I can't think how else it would know who an Admin is
00:50 < electricmilk> I'll just disable it.
00:54 < zamanf> I have a noob question, is it possible to find the socket that handles a udp connection between my pc and a remote host? and attach to it so I can read the data or modify it?
01:07 < drac_boy> hi
01:09 < PowerPCMAC> hi
01:10 < Criggie> hola both
01:10 < PowerPCMAC> hola
01:11 < drac_boy> just remembered that I asked this some time ago but don't recall if anyone ever replied so don't mind me asking this silly little thing again..
01:12 < drac_boy> if you only wanted to do dhcp+nat and nearly nothing else (not even much firewall) for a few occasional computers then your router could easily be just a 486 cpu powered one right?
01:12 < drac_boy> or did I figure wrong on the overhead that would be needed?
01:35 < smootimus> Where that dude at?
01:38 < wadadli> Can anyone recommend an ADSL2+ modem?
01:39 < drac_boy> wadadli north america or elsewhere?
01:39 < wadadli> Elsewhere. Does that matter?
01:42 < drac_boy> wadadli hm well tp-link may not be selling it everywhere but if you want a simple adsl modem try tp-link .. theres some minor models difference but you basically want to find something that starts with 8 (and is 4 digits long there)
01:42 < djph> drac_boy: sure ... but that's ... well, a bit power hungry
01:42 < drac_boy> djph yeah I figured as much..only used the 486 as a crude example of how little processing power it would have :)
01:43 < djph> heh, just grab a UBNT ER-X ... it's like $50
01:43 < drac_boy> wadadli on other hand if you can get access to uk brands there is draytek with a simple adsl modem as well
01:43 < drac_boy> djph and wheres the uart or any slots on it tho? :P heheh
01:44 < djph> yeah, if you need a hardware console port ...
01:44 < wadadli> I need one that supports bridge mode. Modem from ISP doesn't have that option.
01:44 < drac_boy> wadadli tp-link and draytek can do that .. dunno about other brands as they don't even sell anything new on market afaik here :-s
01:44 < djph> time to fire up google then.
01:48 < drac_boy> wadadli tbh not blaming anyone but its very annoying when you go to random stores and basically can expect to count only 0 or 1 adsl modem around yet one shelf up is like 15 different-brands-same-docis cable modems -_-
01:48 < drac_boy> meanwhile most houses I've had to visit only can get adsl .. very few (and generally near urban) even have coaxial
01:48 < drac_boy> talk about weird store vs home difference
01:49 < drac_boy> (and btw I'm not talking about amount of stock, I'm actually talking about what is listed in the system for purchasing)
01:54 < drac_boy> anyway I'm going off for now so have fun :)
01:55 < johnnylee> Hello, I have a mikrotik router and a windows server 2016. Somehow some SSL connections are maybe getting mangled but I can't browse some sites
01:55 < johnnylee> where can I start looking?
02:01 < johnnylee> hello; anyone?
02:01 < johnnylee> test
02:03 < djph> johnnylee: holy fuck son, take a breather and give the other meatsacks here a chance to enjoy their scotch before getting embroiled in explaining how your MTU is set wrong
02:03 < johnnylee> djph - thats what i though but it seems not to be :(
02:04 < djph> what's your internet link? (DSL, cable, microwave, fiber, something more fun)
02:08 < johnnylee> it's a server connected to an edge router that has IP Transit and BGP
02:08 < johnnylee> djph: but you maybe onto something; I am just doing an optimal mtu test and I get 1430 to be it which is weird to me; pretty low
02:09 < djph> 1430 is a touch low, but depends on what the encapsulation is (e.g. pppoe / pppoa / something else fun)
02:11 < johnnylee> djph - shouldn't windows pickup the proper mtu automatically?
02:12 < djph> not when it's going through a router across the internet it won't
02:14 < djph> a standard ethernet segment will be MTU1500 (well, up to 1528 if it can do VLANs and some other things ... but let's stick with 1500).  Trouble is, your local network segment and "the internet connection" can differ (e.g. if said connection is via a VPN, or pppoe/pppoa, or perhaps even MPLS, etc.)
02:15 < djph> v6 networks use PMTUD to sort it out ... but lots of v4 networks drop all ICMP, and as such you have to set things by hand (at least between you and your gateway)
02:19 < johnnylee> djph: it was MTU size. You can't believe how many times I told the f*ckers that handle Cisco it might be that and they didn't look into it
02:20 < johnnylee> we have IPv6 disabled on windows
02:21 < johnnylee> so if icmp is open windows talks, and set's MTU properly?
02:21 < Dagger> "set's"...
02:21 < djph> "properly"
02:22 < Dagger> at least that one is spelt properly
02:22 < djph> PMTUD "MIGHT" work -- it depends on *every* hop allowing ICMP.
02:22 < djph> Dagger: wasn't commenting on the spelling, but rather that "auto-detection" isn't a silver bullet.
02:22 < Dagger> (or am I supposed to spell that "properl'y" these days? I'm starting to be less sure about that...)
02:23 < djph> Dagger: p'p'r'ly
02:23 < djph> *pr'p'r'ly
02:24 < Dagger> that's horrific but correct, since you're omitting letters
02:24 < johnnylee> djph: I just did a test and I could ping at MTU=1412 and 10 minutes later I can only ping at MTU=1384 and nothing higher than that. What could be causing this?
02:24 < djph> Dagger: trouble is, it makes you sound like you're from Yorkshire :)
02:24 < djph> johnnylee: your network is fubar.
02:24 < rewt> http://proper.ly/
02:25 < rewt> oh wow, that's actually a website :o
02:25 < Dagger> it's the use of ' to indicate that there's an upcoming "s" that people need to stop doing
02:25 < rewt> you mean:  it's the u'se of ...
02:25 < johnnylee> djph: what if I set this at like 1300 and call it a day. How is that bad? it will be slow?
02:26 < rewt> johnnylee, you can use ping to find the highest you can go
02:26 < djph> johnnylee: your fubar network will probably go even lower.  find out why the fuck it knocked another 30 bytes off your MTU
02:26 < rewt> send pings with don't-fragment set at increasing sizes until it stops ponging
02:28 < b0bby__> Could someone help me setup vsftpd?
02:28 < djph> sudo apt-get install vsftpd
02:29 < djph> although why on cthulhu's watery prison are yo usettin up FTP
02:30 < b0bby__> djph: because I want an ftp server. Is that not a reason?
02:31 < nickster> FTP is dated though. Consider either SFTP or anything newer.
02:31 < djph> well, FTP is generally considered "a really bad idea" :)
02:31 < djph> SFTP would be a better idea
02:32 < b0bby__> djph: well I'll configure vsftpd to use ssl
02:32 < djph> that's still awful
02:33 < b0bby__> djph: Why?
02:33 < b0bby__> djph: Is ftp really that bad?
02:33 < djph> because (a) it's still FTP, and (b) now you've bolted on SSL, which is a mess in its own right.
02:34 < djph> yes.  SFTP for basic use is easy --> apt-get install openssh-server <-- done.  Sure, you can fiddle with the defaults and turn off "compatibility" ciphers, but even out of the box, SFTP is pretty much "install and done".
02:34 < b0bby__> djph: when I say ftp I mean sftp
02:35 < djph> FTP(and FTP/SSL) and SFTP are different things ...
02:35 < nickster> ^
02:35 < b0bby__> djph: Ok now I know
02:35 < nickster> They really can't be referred to as the same thing, hence the confusion.
02:36 < nickster> One still has a place while the other should almost never be considere
02:36 < djph> SFTP = Secure FTP (i.e. SSH/FTP).  FTP is .. well, plain ol' FTP.  FTP/SSL is plain 'ol FTP with SSL bolted on.
02:36 < rewt> that last one is aka FTPS
02:36 < nickster> or,
02:36 < djph> (note that SFTP isn't actually the "File Transfer Protocol" under the hood -- it's more akin to interactive secure copy [scp])
02:36 < nickster> or or or,
02:36 < nickster> hear me out
02:37 < nickster> dooooont use *ftp* ?
02:37 < b0bby__> ok how would I setup sftp
02:37 < djph> b0bby__: apt-get install openssh-server
02:37 < djph> *done*
02:37 < nickster> ^
02:37 < djph> or, if you're on a RH variant ... format and install debian, then apt-get install openssh-server
02:37 < djph> :D
02:38 < rewt> just as a curiosity, why do you want ftp?
02:38 < rewt> (s or otherwise)
02:39 < b0bby__> rewt: simplicity
02:39 < djph> granted, simply installing openssh-server will get you a "bog standard" SFTP server. Depending on needs, you may want to turn off "older" algorithms that're kept around for interoperability purposes.
02:39 < djph> b0bby__: these days, SFTP is the "simpler" approach.
02:39 < b0bby__> djph: well now I know
02:39 < djph> ;)
02:40 < rewt> how does ftp help with simplicity?
02:41 < djph> rewt: apparently he was misinformed that "FTP" was simpler than "SFTP" (not to mention that he didn't grok the differences between FTP(S) and SFTP)
02:41 < rewt> i kinda meant in the big-picture kind of way
02:43 < djph> rewt: ohhhh
03:11 < thadtheman> I have a question about connecting to a machine past a router. So I have a router which is connected to the internet. Let us say that it is mappped to myserver.com. Behind that is a computer. Say 192.168.5.5, I have a computer that is directly connected to the internet call it mycomputer.com. How do I connect mycomputer.com to 192.168.5.5?
03:12 < thadtheman> I'm thinking of an application, similar to say skype, It looks up the two addresses myserver.com and 123.168.5.5, mycomputer .com connects and then transfers data backand forth.
03:13 < rewt> you forward the required ports from the router to .5.5
03:15 < thadtheman> You  mean I have to modify the router tables to do that?
03:16 < thadtheman> For every device?
03:21 < rewt> it's usually a few clicks in "home routers" and should be no more than 1 line per port in other routers
03:21 < SporkWitch> thadtheman: there are two options, port triggering and port forwarding.  Port triggering is triggered by a service on the inner side of NAT, temporarily setting up a forward from a given port to that host.  Forwarding is always-on and statically routes traffic sent to that port to a specific host.  If you have multiple hosts that you want accessible outside the NAT you must set up separate rules
03:22 < SporkWitch> With port forwarding you can have multiple open simultaneously but each must use a different port; with triggerring only one host can be used at a time, and it would have to time out for another to use it
03:23 < SporkWitch> More specific to your query, you would likely also need to use a DDNS service to update the DNS entry with your current public IP
03:23 < SporkWitch> (though some ISPs do offer static IPs, usually for a fee)
03:28 < pekster> There are some semi-automated NAT-traversal schemes like STUN and similar, though they depend on certain conditions in the NAT engine to function and aren't 100% relaible as a result
03:29 < thadtheman> I thought the DDNS setup an entry for the router. How does something Skype make the point to point connection  from 5.5 to mycomputer.com? The router at the end isn't the only router.  There are all these routers in between, you don't  want to be touching all those routers. You don't even know what they will all be.
03:30 < SporkWitch> the issue isn't the router, the issue is NAT
03:31 < SporkWitch> https://computer.howstuffworks.com/nat.htm
03:32 < pekster> The issue could well be the router if a firewall is involved. NAT != firewall, but not having NAT does not imply there is no firewall
03:32 < pekster> NAT _generally_ implies a firewall, though technically you can do NAT (stateful or stateless) without a firewall, though it would be very stupid to do that
03:32 < SporkWitch> pekster: in that case the issue still isn't the router, it's the firewall; since we're dealing with a private address, though, we know NAT is involved
03:33 < thadtheman> I'm going to screw up the language here. Each router has it's own NAT tables each that has to be modified.
03:33 < pekster> Each router with its own (private) addressing, sure
03:34 < SporkWitch> thadtheman: NAT tables are generated dynamically; the rule is the only static portion (typically)
03:34 < pekster> Normally machines behind a NAT layer are "pure clients" that don't host anything. NAT "works" here only because these systems tend to only ever intiate connections, not recieve connections initiated elsewhere on the Internet
03:34 < pekster> NAT breaks for "peer to peer" applications that rely on being able to establish connections in either direction
03:36 < SporkWitch> thadtheman: your question about how skype is able to work is answered in the link, but in short, the router changes the source port on the packets it sends, so when it receives responses on that port it knows which host it's meant for
03:36 < thadtheman> So how does something like skype work? Does it need an intermediary at a fixed address?
03:37 < SporkWitch> asked and answered
03:37 < SporkWitch> (twice)
03:38 < SporkWitch> basically "i put the traffic joe sent from port A on port B; so if i get stuff destined for port B, i should send it to joe on port A"
03:39 < pekster> Except skype is no longer (ca. mid-2017) a peer-to-peer app; it's "cloud based" now, ie: server/cleint. https://support.skype.com/en/faq/FA12381/what-does-it-mean-that-skype-is-moving-from-peer-to-peer-to-the-cloud
03:39 < pekster> With a fuzzy definition of server
03:40 < SporkWitch> pekster: that must have happened well after the MSFT buyout; the last i heard it was still peer-to-peer, they just stopped allowing community supernodes, so they could sniff all the session keys by forcing everything to use supernodes they control
03:40 < SporkWitch> (why i stopped using skype when MSFT bought them: they happily gave the US gov the back door they'd been demanding unsuccessfully for years)
03:41 < SporkWitch> all that said, it doesn't really change anything for the purposes of this discussion, since your host and router don't know or care about the difference between a server and another router doing NAT
03:41 < thadtheman> Also I'm thinking gmail on my mobiles. It beeps the minute that I get a new email. Is that because that app is always connect to the gmail server(s)?
03:42 < SporkWitch> thadtheman: it would have to do SOMETHING, but I'd honestly have to look it up; i've never investigated how PUSH works
03:42 < pekster> Usually those are a "push based" service. Those tend to function as pure clients (outbound connects) but keep a TCP socket open that will be sent data from the server when an email arrives
03:43 < thadtheman> So the gmail app is always running on the mobile device?
03:43 < pekster> You can also operate a fairly responsive client using a leightweight "poll" based design, though that tends to be more expensive to maintain both in terms of proper security as you have to keep state or re-handshake each time, and it's less battery friendly for mobile devices
03:43 < pekster> Many apps are "always running" on modern mobile devices, yes
03:44 < SporkWitch> thadtheman: it's always running on the device, and it would have to send occasional keepalives, but not constant traffic; can't receive if it's not listening, and can't get through NAT without an active session
03:44 < pekster> A handful of those probably keep lingering "push" style sockets open to their endpoints, such as gmail. I use IMAP with PUSH notifications for work and personal email too, with similar effect
03:44 < SporkWitch> re: poll vs push, there's been good articles over the years about how MOST people would benefit from a poll-based system rather than push.  if you get little traffic, a poll-based system uses less battery
03:45 < avery> anyone have a good recommendation for a secure linux dist?
03:45 < pekster> Depends a bit on how often you poll, how often keepalives are sent, and so on
03:45 < pekster> A lot of that is very specific to the implementation
03:45 < SporkWitch> avery: if it's insecure there'd be articles panning it; assume it's secure if "x compromised" isn't the first hit when you search for it
03:46 < SporkWitch> pekster: granted, but generally; it may need a re-evaluation just because of the explosion of stuff sending emails all the time now, vs 5 years ago
03:46 < avery> sorry I meant anonymous
03:46 < SporkWitch> avery: tails
03:46 < SporkWitch> avery: i know of no other with that specific goal
03:47 < pekster> Yea, +1 to tails, but be sure you read the Tor Project's documentation, because using tails by itself does not help your security unless you embrace the operational requirements to remain secure online
03:47 < pekster> Tails will, very "anonymously", leak your identity if you're not careful with the information you share and how you share it while online
03:48 < avery> yeah my problem is retrieving the distro
03:48 < pekster> Ideally get a trusted copy of the GPG keys that sign tails, then you can download tails even on untrusted even "hostile" Internet connections
03:48 < avery> without tailing any of my info
03:48 < SporkWitch> avery: huh? in any case, this isn't the right channel, ##linux <-- is over there
03:49 < SporkWitch> catch22 there, mate; if you're that paranoid you'd need to go to an open wifi hotspot someplace significantly geographically separated from where you are, spoof a random MAC, ensure NOTHING else sends a packet while connected, and download it there
03:49 < avery> haha yeah
03:50 < SporkWitch> personally, unless you're living in someplace like iran, i don't have much regard for that degree of paranoia; if your adversary is a government, and you are not a government, there's not much you can do.
03:50 < pekster> If you want tails, just download it. Unless posessing annomizing tools is illegal in your jurisdiction, the fact that your ISP (or government, employer, whoever) might *possibly* know you grabbed a copy isn't very interesting
03:51 < pekster> And I say possibly because most of the time traffic is not observed, much less hostilly attacked. While it _could_ always be, it's not part of my threat model beyond validating my downloads most of the time
03:51 < avery> so the ultimate purpose of me even joining this room is that I'm looking to pick some brains of people who can help guide me through my CEH cert
03:51 < SporkWitch> unless you started looking at it immediately after getting access to the internet, there's not a whole lot of benefit anyway; if you've been using the internet for any length of time "they" already have a good profile of you built, making a switch to TOR and similar of questionable benefit due to the efficacy of traffic correlation attacks
03:53 < SporkWitch> pekster: i honestly question even the benefit of checking hashes on downloads except to make sure it wasn't DAMAGED (not attacked); if the download was compromised, odds are extremely high that they could trivially ensure the hash you're told to verify against matches the compromised file
03:53 < pekster> 'eh, much of that boils down to opsec. Notwithstanding something like linguistic or source code style analysis (very different topics, IMO) you can be reasonably anonymous for general-use web surfing with educated use of a platform like Tails
03:54 < pekster> Um, explain that SporkWitch. The hashes I get are either gpg signed (which I validate) or presented to me over https. A casual MITM attacker (say that's you for the sake of argument) would need not only to compromise a mirror or MITM my traffic (hard, but doable, even against me ;) but you would _also_ need to compromise either the gpg signature or the https:// I downloaded the checksum against
03:54 < SporkWitch> pekster: my thinking is this: if you had a habit of searching a topic before, and suddenly you stop after downloading TOR, it's reasonable to assume you're just doing it over TOR now.  They've got the profile either way, and if they were INTERESTED in you, they could keep watching this way.  Odds are they're NOT interested in you, because honestly, no one gives a fuck about you.
03:54 < pekster> So, I'd love to hear how you think either of those crypto-attacks is "easy"
03:55 < SporkWitch> pekster: much more likely the site was compromised, is my thinking
03:55 < pekster> Both the site and the mirror? But yes, if you mean the download comes from the same (https, presumably) site you got the hash from, a server-side compromise of the online service could exploit both
03:56 < SporkWitch> pekster: as to the GPG signing, it all comes down to how you're exchanging and verifying the keys themselves.  I'm literally pointing at a single band for hash and file distribution (the site listing the link and hash).
03:56 < SporkWitch> pekster: the mirror is the link the attacker set it to, in my scenario
03:56 < SporkWitch> pekster: if we're talking GPG sigs and out-of-band verification of the keys themselves, then you're absolutely right; this topic took a paranoid tangent, so i am operating in tin-foil mode for the purposes of this discussion
03:57 < SporkWitch> s/gpg/pgp/
03:57 < pekster> Right. OOB protection, like GPG for most FOSS stuff, or AuthentiCode (for MSFT products) are a big part of the solution. The former requires users to actually check them though :\
03:57  * pekster validates gpg sigs of Ubuntu, TBB, Tails, and such every time, though how many others do is an open question…
03:57 < avery> I'm loving this
03:58 < HEROnymous> pppingme, do you drive a wrx?
03:58 < avery> I do and I've downloaded atleast 25 flavors in the past month
03:58 < SporkWitch> pekster: but those keys aren't out-of-band; we're talking about a bootstrapping problem now.  Unless all key updates are signed from a key that is truly known good, you have to trust at a minimum of one point.
03:59 < pekster> Ah, the Thompson problem :)
03:59 < SporkWitch> again note, i'm going full tin-foil here because of the direction the convo went; i DO NOT believe this is a reasonable threat model except in a VERY tiny set of situations
03:59 < pekster> Right
04:00 < SporkWitch> haven't heard it referred to that way, but if the Thompson problem is a bootstrapping problem, sure :)
04:00 < pekster> You haven't heard of the Thompson Compiler? You'll enjoy reading about it
04:01 < SporkWitch> can you recommend a good link?  thompson compiler sounds vaguely familiar, but it's been a rough decade
04:01 < pekster> Coincidentally published in 1984 (that date ring any other bells in terms of "paranoia" ? ;) though it was authored the year prior
04:01 < HEROnymous> did about $3k in stuff to my car today
04:01 < SporkWitch> pekster: it's not paranoid when the governments have basically ADMITTED they're using it as a guide, not a warning :P
04:01 < HEROnymous> new bbs sr gunmetal wheels, big sticky summer tires, and a tcu tune
04:01 < pekster> SporkWitch: http://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf
04:02 < SporkWitch> wc and a fresh beer then reading it :)
04:02 < avery> have any good recommendations for learning network security?
04:03 < avery> I've been grinding CBTNuggets for months
04:03 < HEROnymous> avery, find an entry level job with a good team of senior folks who will mentor you.
04:04 < SporkWitch> remarkably i don't know of anything network-focused; overthewire.org is great for systems security, though
04:04 < SporkWitch> (and their "bandit" line is a great intro to basic shell usage)
04:05 < avery> hero would you happen to have the knowledge that I'm seeking?
04:16 < SporkWitch> pekster: brilliant, and very nicely put :)
04:18 < pekster> Yup. Clever attack vector too, as the resulting binary has no indication outside of a detailed audit of its low-level (in today's terms, assembly) operation
04:18 < SporkWitch> pekster: i also like the call-out of the inadequate laws; a mere 2 years later we got the horrifying knee-jerk overreaction that is the CFAA of 1986, which offers penalties for what Thompson rightly classified as vandalism and trespass that are harsher than we have for male rapists
04:18 < pekster> Of course, the odds that every single copy of say gcc or such are vulnerable is basically zero, but it's a nice thought experiment, much as Orwell did
04:18 < SporkWitch> exactly my point and perfectly in context; i was in tin-foil mode, after all
04:20 < SporkWitch> building a reasonable threat model is the thing that so many seem to skip, even if they're not full-blown skiddies but just people wanting to be secure and not really knowing how things work; the threat model is almost always ignored, resulting in either insufficient precautions, or unnecessary impact to usability
04:21 < pekster> Yup, and often the solutions to a journalist going into hostile lands are much different than a domestic business traveller, or a concerned and low-profile member of society at large
04:22 < pekster> What is "right" for one target group is at best borderlin worthless for another, if not counter-productive
04:23  * pekster wanders off to observe another threat model presented in season 3 of MagGyver
04:23 < SporkWitch> exactly why building a reasonable threat model is THE crucial part of security
04:24 < SporkWitch> s/Mag/Mac/
04:24 < pekster> Yes that. Mechanical keyboard is on order :P
04:24 < SporkWitch> cherry blues?
04:24 < pekster> Browns. Blues are too loud, even with the dampening rings :\
04:25 < SporkWitch> that's the point!
04:25 < SporkWitch> everyone in the office must know what a typographic god you are!
04:25 < SporkWitch> (yeah, i'm the asshole with blues on his keyboard at work :P)
04:25 < pekster> This is for a home office, so my sanity counts for more. Or put another way, everyone in my office _already_ knows how good I am ;)
04:26 < SporkWitch> i use blues at home too; i like it.  it's not ideal for twitch gaming, but i honestly don't find the travel and weight to negatively impact FPS games, and those are the only ones that really require twitch on a keyboard
04:26 < pekster> We hvae a co-worker with blues at home though, and he never mutes his phone on conferences; it's supremely annoying
04:26 < SporkWitch> off; when i work remote i even mute my mic to take a drag from a cigarette; it's just a matter of being polite
04:27 < SporkWitch> s/off/oof/
04:44 < potatoe> does anyone know what curl -sim3 does? I found a flag for -I but nothing for -m
04:44 < potatoe> in man curl
04:50 < inire> -m, --max-time SECONDS  Maximum time allowed for the transfer
04:56 < SporkWitch> potatoe: you know man accepts vi commands for things like searching, right? :)
05:28 < jrc> I've got a loose/bad port either on my patch panel or my switch, how can I figure out which one it is? The problem is, it only goes down randomly once a week, so I can't reliably reproduce the failure condition
05:30 < SporkWitch> jrc: http://www.flukenetworks.com/
05:32 < jrc> I have a TDR I don't know how that could help me though
05:32 < instantp10neer> I have two buildings connecting with powerline networking.  Building A has an analog telephone line with a few handsets.  Is there a way to run the telephone line to Building B by converting the signal to digital, sending it over with the powerline networking traffic, then back to analog and connecting it to the punchdown for B's 2-4 handsets?
05:32 < jrc> when the connection is working, which is almost always, it's working 100%
05:34 < Criggie> instantp10neer: no not really.
05:34 < Criggie> instantp10neer: you could use VOIP phones, or your existing analogue phones with ATAs
05:34 < SporkWitch> jrc: unless one or the other is somewhere it's more likely to be jostled than the other, that sounds like something other than a physical connection issue
05:34 < instantp10neer> Criggie, what is an ATA?
05:34 < SporkWitch> Analogue Telephone Adapter
05:35 < SporkWitch> for exampel, Cisco SPA-112
05:35 < SporkWitch> s/pel/ple/
05:35 < jrc> SporkWitch: it's definitely physical. when it goes out all I have to do is tap the patch cable and it comes back
05:35 < jrc> I've been playing this game for a month
05:35 < SporkWitch> jrc: okay, which side are you tapping? that's probably where the issue is lol
05:36 < jrc> it's only 6 inches
05:36 < jrc> tapping anywhere moves both sides
05:36 < SporkWitch> jrc: put in a longer cable? there's really no sophisticated solution here, heh
05:36 < SporkWitch> sometimes the caveman solution _is_ the solution
05:37 < Criggie> instantp10neer: Here's a product - allows 4 POTS phones over a fibre run.   https://cdlnz.com/FRM220-FXS-4   and https://cdlnz.com/FRM220-FXO-4 at the other end
05:37 < Criggie> you need fibre though, not powerline.
05:37 < Criggie> and each end is $1400 NZ which is $1100 USD so $2200 USD total
05:37 < Aztec03> hey can y'all help a friend of mine?
05:37 < Criggie> instantp10neer:  do you *need* phones ?
05:37 < SporkWitch> that's insane lol; almost definitely cheaper to either convert entirely to voip or add a couple ATAs
05:37 < Criggie> instantp10neer: cos cellular works too.
05:38 < Criggie> SporkWitch: yeah but it supports 100 KM of fibre :)))
05:38 < SporkWitch> Criggie: change your name to cringie, it fits your solution better :P
05:38 < Aztec03> now ask these fellas your questions
05:38 < babyfoxy> is it computer>router>VPN>internet? so a vpn wont protect me from the wifi provider snooping?
05:38 < Criggie> SporkWitch: best solution is to install some gig fibre and run voip over a separate VLAN.
05:39 < Criggie> powerline's always a bit iffy.
05:39 < Criggie> But if it works then that's good.
05:39 < Criggie> Aztec03: just ask :)
05:39 < SporkWitch> the fibre is probably overkill for that too; voip is cheap in terms of bandwidth, unless you're doing unicast "broadcasts"
05:39 < Aztec03> Criggie, babyfoxy be the friend
05:39 < Criggie> babyfoxy: okay, you ask your question.
05:39 < babyfoxy> is it computer>router>VPN>internet? so a vpn wont protect me from the wifi provider snooping?
05:39 < SporkWitch> (i think this is the part where i mention i work for an enterprise VoIP provider lol)
05:40 < jrc> the fluke ceo and the snapon ceo must play golf together and laugh about their pricing
05:40 < SporkWitch> babyfoxy: don't spam, and you haven't provided any context, there's an infinite number of topologies you could set up
05:40 < Criggie> SporkWitch: I used to - we had some clusterfucks with people putting 15 calls over an ADSL link
05:40 < babyfoxy> SporkWitch, i was told to ask again
05:40 < Criggie> SporkWitch: over the internet and then expected it to work while using th esame link for browsing.
05:40 < SporkWitch> babyfoxy: no you weren't, the logs are right here
05:41 < babyfoxy> SporkWitch: yes i was
05:41 < SporkWitch> babyfoxy: no, you weren't, and you're a worse liar than the Clintons: https://hastebin.com/logixejiyi.vbs
05:41 < babyfoxy> SporkWitch: yes i was
05:41 < Criggie> babyfoxy: VPN has two problems - it says "LOOK AT ME I'M HIDING"  and the traffic has to be un-encrypted at the other end to be useful.
05:41 < Criggie> babyfoxy: so someone is seeing your bare-naked traffic, even if its not your provider.
05:42 < Aztec03> https://pastebin.com/ytLXhQCU
05:42 < SporkWitch> you know you're retarded when the logs are right there and you still deny it...
05:42 < babyfoxy> Criggie: do you know a way i can stop a wifi provider from snooping?
05:42 < SporkWitch> yeah, move the VPN to the client
05:43 < Criggie> babyfoxy: is the wifi provider the ISP or is it a wireless hotspot service ?
05:43 < SporkWitch> irrelevant
05:43 < babyfoxy> Criggie: hotspot service
05:43 < Aztec03> hey
05:44 < Aztec03> SporkWitch,
05:44 < Aztec03> https://pastebin.com/ytLXhQCU
05:44 < Criggie> ok - is the router yours and under your control and traffic between you an dthe provider secure ?
05:44 < Aztec03> read
05:44 < Criggie> no
05:44 < Criggie> babyfoxy: as SporkWitch says, run the VPN endpoint on your phone/computer
05:44 < Criggie> babyfoxy: its like wearing trousers that are too short - you want the ends of the VPN to go right to the foot, not stop at mid-shin.
05:45 < Criggie> and THAT is a mixed metaphor
05:45 < SporkWitch> Aztec03: she was told to ask the actual question; she repeated the nonsensical one instead
05:45 < SporkWitch> Criggie: don't give the kids ideas; they'll make it a fashion, like manbuns
05:45 < babyfoxy> SporkWitch: wrong
05:45 < Aztec03> she repeated her question, what more do you wish from a person wanting information from those who are privy to provide it?
05:45 < Criggie> thehehe
05:46 < Criggie> consider a postcard and an envelope
05:46 < Criggie> the VPN adds an envelope around your postcards.
05:46 < Aztec03> nobody learns shit grasping at straws like that
05:46 < SporkWitch> Aztec03: an actual question instead of nonsense lacking any context?
05:47 < SporkWitch> Criggie: speaking as a long-haired man, btw.  you're gonna grow it out, own that shit; manbuns are retarded
05:47 < Criggie> hey this is nifty (and cheaper)  https://cdlnz.com/NV-600A   $207 NZD for each end.  You use a dry pair and get 100 Mbit VDSL over it.
05:48 < babyfoxy> SporkWitch: the question was nonsensical to you alone while also you showing inability to explain why, so it's your failure to rationalize since others clearly understood
05:48 < SporkWitch> Criggie: or pick up a couple spa-112's for less than 40USD each https://www.amazon.com/Cisco-SPA112-Port-Phone-Adapter/dp/B00684PN54
05:49 < SporkWitch> babyfoxy: it's nonesensical for reasons already explained; your illiteracy and mental deficiencies are not my problem
05:49 < babyfoxy> SporkWitch: wrong
05:50 < SporkWitch> babyfoxy: i'm sorry, maybe simply stating "wrong" works in your tumblr hugbox, but in the real world, you have to support your claim
05:50 < Aztec03> how is a person seeking knowledge supposed to learn, if some teachers are so abrasive when the students present their queries?
05:50 < SporkWitch> babyfoxy: your nonsense was responded to with an explaination of why it was a bad question; when told to ask the actual question you responded with the same question
05:50 < babyfoxy> SporkWitch: wrong
05:51 < jkemppainen> why are we having a metadebate about the question
05:51 < Criggie> SporkWitch: yeah the ATA idea is good, if he has something to log into.
05:51 < Aztec03> Now I feel bad for suggesting this place was where the answer would be found.
05:51 < jkemppainen> can't we just stick to the actual question
05:51 < Criggie> Aztec03: sorry, there is no good answer
05:51 < Aztec03> now I have egg on my internet-face.
05:51 < jkemppainen> and not some weird metadiscussion
05:51 < SporkWitch> jkemppainen: we still haven't gotten one
05:51 < Criggie> Aztec03: "don't do bad stuff in public"
05:51 < Aztec03> thx Criggie you're alright in my book
05:51 < babyfoxy> Criggie: thank you from me as well
05:52 < SporkWitch> jkemppainen: sorry, we did EVENTUALLY get the actual question, and it was answered
05:52 < babyfoxy> SporkWitch: without you
05:52 < SporkWitch> babyfoxy: i was actually the first to answer it; again, your illiteracy and mental deficiencies are not my problem
05:52 < babyfoxy> SporkWitch: wrong
05:53 < Aztec03> goddamn the human race would be better without these dumb ego battles
05:53 < Aztec03> wtf.
05:53 < SporkWitch> [23:42:41] <babyfoxy> Criggie: do you know a way i can stop a wifi provider from snooping?
05:53 < SporkWitch> [23:42:50] <SporkWitch> yeah, move the VPN to the client
05:53 < SporkWitch> holy shit this generation is hopeless
05:53 < babyfoxy> SporkWitch: that was a follow up
05:53 < SporkWitch> babyfoxy: no, it was the actual question
05:53 < babyfoxy> SporkWitch: wrong
05:54 < Criggie> Aztec03: damnit, I'll try harder :)
05:54 < jkemppainen> jesus christ
05:54 < Criggie> SporkWitch is right
05:54 < SporkWitch> original question was nonsense lacking context; it's meaningless without it; the second was an actual question, promptly and accurately answered
05:54 < babyfoxy> Criggie: no
05:55 < SporkWitch> i get paid to be tolerant of stupid; you aren't paying me
05:55 < Aztec03> Criggie, no worries, I'm tryna change the interaction for the better is all
05:56 < SporkWitch> Aztec03: provide guidance on how to ask better questions, don't encourage repitition of bad ones
05:56 < Aztec03> I shall.
05:57 < Aztec03> At the same time, you're smart as a whip; you could ease-up on insta-responses for obvious noobs
05:57 < Aztec03> she don't mean no harm
05:58 < babyfoxy> SporkWitch: take your own advice
05:58 < SporkWitch> Aztec03: same question posted twice in the span of a minute; the spam called out, and an explaination of why it's a bad question, in the same message
05:58 < SporkWitch> babyfoxy: what is your native language?
05:58 < jkemppainen> oh, jesus christ already
05:58 < babyfoxy> SporkWitch: above you
05:58 < SporkWitch> i'm unfamiliar with that language; perhaps that explains your inability to understand basic english
05:59 < babyfoxy> SporkWitch: wrong, failure to rationalize again
05:59 < Aztec03> damn stop the straw-man shit
05:59 < Aztec03> this is clearly going nowhere.
05:59 < SporkWitch> Aztec03: not a straw man, an attempt to give the benefit of the doubt. because either they're not fluent in english, or they're just an insufferable, entitled, braindead cunt
05:59 < Aztec03> help her, instead of attacking her
06:00 < SporkWitch> all help was responded to with being a cunt
06:00 < Aztec03> I get that you're upset about whatever you've experienced in the past with 'dummies' and trolls
06:00 < babyfoxy> SporkWitch: wrong
06:00 < SporkWitch> yes, you've established that you are very wrong and incapable of forming coherent thoughts or arguments
06:00 < babyfoxy> SporkWitch: wrong
06:00 < Aztec03> a little segue into positive responses would probably change the whole course of conversation
06:01 < SporkWitch> Aztec03: you can't fix stupid, mate, and this cunt is beyond help
06:01 < Aztec03> why not try, with some pomp, verve, style, and grace?
06:01  * Aztec03 will never stop the same
06:02 < SporkWitch> Aztec03: because the response to it was cuntery
06:02 < Criggie> babyfoxy: what's your end goal here?
06:02 < Aztec03> I feel things like that too; only I try my best to catch myself before knee-jerk reacting to those feels
06:02 < SporkWitch> Criggie: asked, answered, and solution already provided
06:02 < babyfoxy> SporkWitch: many assumptions, and many false statements, it's pathetic to assume, you make yourself useless filth being blown around by all around them
06:03 < jkemppainen> holy hell, why is this still going on
06:03 < SporkWitch> babyfoxy: yes, you've made several false statements; so far you've confirmed all assumptions
06:03 < babyfoxy> Criggie: pointing out the truth, as IRC's main purpose through out all channels
06:03 < babyfoxy> SporkWitch: wrong
06:03 < SporkWitch> jkemppainen: because babyfoxy is the standard, braindead, entitled millenial cunt
06:03 < babyfoxy> SporkWitch: wrong
06:03 < SporkWitch> i rest my case ^
06:04 < babyfoxy> SporkWitch: be useful
06:04 < SporkWitch> babyfoxy: i have, as has been quite clearly demonstrated
06:04 < babyfoxy> SporkWitch: you have not
06:04 < Criggie> Later all - coffee's more interesting than watching this mess.
06:04 < babyfoxy> Criggie: have fun
06:04 < SporkWitch> babyfoxy: your inability to read help provided doesn't change reality
06:04 < babyfoxy> SporkWitch: i am reading fine
06:04 < babyfoxy> SporkWitch: better than you
06:05 < jrc> I found the fluke tester I want
06:05 < jrc> unrelated, does anyone have $5600 I could borrow?
06:05 < SporkWitch> assuming that is true and you're reading fine, that means you're trolling
06:05 < Aztec03> jrc ooh! what fluke>!
06:05 < Aztec03> ?!*
06:05 < babyfoxy> SporkWitch: cry a lot
06:05 < Criggie> jrc: mmmmm fluke porn... shaare a link ?
06:05 < Criggie> jrc: hardware fappage :)))
06:05 < SporkWitch> jrc: yeah, they have expensive toys, but they're such nice toys! lol
06:05 < TV`sFrank> jrc: I do.  Will accept your organs and limbs as collateral
06:06 < jrc> https://www.ebay.com/itm/Fluke-Networks-DSX-5000-Versiv-Cat6-Cat6a-LAN-Cable-Certifier-Tester-DSX-5000/173257388866?epid=889903876&hash=item2856f1f342:g:164AAOSwjrlax8fG
06:06 < Criggie> jrc: my cable tester cost $20 10 years ago.   Its not fluke :-\
06:07 < SporkWitch> more details on that kit: https://www.amazon.com/Fluke-Networks-DSX-5000-120-Permanent/dp/B00DGHAOM8
06:09 < jrc> must be nice in data center situations where you have a blank check for stuff like that
06:09 < Aztec03> baus
06:10 < Aztec03> would be nice
06:10 < SporkWitch> jrc: going back to the voip discussion, i've had customers that basically did this with power injectors: https://i.imgur.com/JcspoU2.jpg
06:11 < jrc> lol
06:11 < SporkWitch> they'd connect the "data in" on the injector to the pc-pass-through on the phone
06:11 < Spice_Boy> I want to do something like   expr 5 - 3   but get those values from a file, not the command
06:11 < Spice_Boy> ie, a file contains 5, and another file contains 3
06:11 < SporkWitch> Spice_Boy: perhaps you might try giving, i don't know, CONTEXT
06:12 < SporkWitch> because as long as we're just throwing out random things without any context, i want multi-server support
06:12 < TV`sFrank> And ask in the proper channel
06:12 < Aztec03> ha!
06:12 < Spice_Boy> okay, that's 2 who don't know
06:12 < SporkWitch> Aztec03: still on the cunt's side? still think i'm too harsh?
06:12 < Spice_Boy> bash
06:12 < Aztec03> (to that imgur you linked SporkWitch)
06:12 < SporkWitch> how would we know? we had no context
06:13 < Aztec03> naw matey, I'm just a neutral kinda fella
06:13 < TV`sFrank> Spice_Boy Proper channel for bash is NOT ##networking
06:13 < Aztec03> I support you both
06:13 < Spice_Boy> TV`sFrank: honestly... the amount of non-networking shit that goes on in this channel.... give me a break!
06:13 < jrc> SporkWitch: is that image not the solution to the illusive "free energy" problem??
06:13 < TV`sFrank> Spice_Boy: I feel so sorry for you that you have absolutely no objectivity.  Have a great night/day.
06:14 < TV`sFrank> Entitled Generatio ™
06:14 < SporkWitch> jrc: no, that was solved ages ago by Uncyclopedia.  cat-with-toast device as the primary; storm troopers and redshirts in a box as a backup when the toast needs to be rebuttered
06:14 < TV`sFrank> n*
06:14 < Aztec03> Spiceboy... were you... a bee at one time... by any chance? :o
06:14 < Aztec03> nvm if not; it's a very specific thing
06:14 < SporkWitch> Aztec03: oh gods, are goontards invading freenode now?
06:14 < Aztec03> naw naw an old forum
06:14 < Aztec03> just wondering
06:15 < SporkWitch> Aztec03: i assumed the bee was a reference to SA's goonswarm
06:15 < Aztec03> naw, was way diff
06:15 < SporkWitch> (you might have played EVE Online if...)
06:15 < Aztec03> a fine forum for learning certain sciences
06:15 < babyfoxy> SporkWitch: felt alone? perhaps a blanky
06:15 < Aztec03> bad babyfoxy! leave it!
06:15 < SporkWitch> yeesh, where's catphish when needed
06:16 < TV`sFrank> Seems it's Winner Hour here
06:16 < SporkWitch> TV`sFrank: pretty much
06:16 < Aztec03> :/
06:16 < SporkWitch> TV`sFrank: welcome to eternal september, 30 years and counting
06:16 < TV`sFrank> heh
06:16 < SporkWitch> (well, almost 30 years)
06:16 < TV`sFrank> the new #defocus :P
06:17 < SporkWitch> do they even still have #defocus? freenode's management went on an SJW huboxy binger a couple years back
06:17 < SporkWitch> even ##linux tolerates blatant and obvious trolling now, as long as the character played is dumb
06:18 < TV`sFrank> No they canned it due to sustained excessive shaboogans
06:18 < SporkWitch> s/huboxy/hugboxy/
06:18 < SporkWitch> s/binger/bender/
06:19 < TV`sFrank> Also possibly because it "may have been" the reason for the Friday Night DDoS's
06:19 < SporkWitch> (i think my favourite was a 12 month ban in which the ##linux-ops chat included one of the ops calling me a genius while telling off the troll, then banning me anyway lol)
06:19 < TV`sFrank> heh, probably crocked on Sterno or something
06:19 < SporkWitch> TV`sFrank: and yet they removed the +b for all TOR endpoints...
06:21 < SporkWitch> (also, he wasn't being sarcastic in calling me a genius; i used to have a /regulars cloak there, i'm pretty sure i was being groomed for op at one point lol; you get drunk one time and post a bash fork bomb, with all caps "DO NOT ACTUALLY DO THIS" in the same single message...)
06:22 < SporkWitch> (is natural selection not a thing any more? lol)
06:23  * Aztec03 sighs the long sigh
06:23 < SporkWitch> (for the record, not saying i'm a genius, saying that it was clear he didn't say it sarcastically)
06:23 < Aztec03> I think she mighta fed me a line, too
06:23 < Aztec03> doesn't matter.
06:23 < Aztec03> she gone.
06:24 < SporkWitch> Aztec03: hmm? what's that? my refined spidey sense was RIGHT about the cunt obviously trolling being a cunt and a troll?
06:24 < Aztec03> Yes. You were probably right, SporkWitch
06:24 < SporkWitch> semi-sorry, a few beers in, so i'm not above an i-told-you-so
06:24 < Aztec03> I eat crow, now.
06:24 < lupine> hmm, I've never tried crow
06:25 < Aztec03> shit, cheers. I got some whiskey left
06:25  * Aztec03 cheerses SporkWitch 
06:25 < SporkWitch> if my goddamned roommate would actually pay his rent on time so i didn't have to hold an extra 650 aside for his share + late fee, i'd have whisky too >_<
06:25 < TV`sFrank> lupine: the Crow I know is one wacky robot :P
06:26 < Aztec03> I'm tryna switch to wine myself; Bukowski was right, whiskey be too quick.
06:26 < SporkWitch> but no, he's 10 years my senior but can't pay his goddamned bills on time and i get to pick up the slack until i can find replacements for the empty rooms >_<
06:26 < SporkWitch> Aztec03: your problem is drinking whiskey; you need some good single malt WHISKY
06:26 < Aztec03> hee! I made a sour-mash whiskey, once
06:27 < SporkWitch> http://www.electricscotland.com/poetry/banff/story4.htm
06:27 < Aztec03> hang, I'll link ya
06:27 < Aztec03> https://homedistiller.org/forum/viewtopic.php?f=32&t=48891
06:27 < Death916> switch to beer why wine smh
06:27 < Death916> whiskey to wine is a wierd swap
06:27 < Aztec03> oh I love beers
06:28 < Aztec03> beers are rather /too slow/
06:28 < SporkWitch> Death916: because WINE lets you run stuff without Windows :P
06:28  * SporkWitch plays a rimshot
06:28 < Death916> lol
06:28 < Aztec03> I dig anything by Three Floyds
06:28 < Aztec03> lolol
06:28 < Death916> they have beers with comparable abv to wine
06:28 < Aztec03> my faves are Zombie Dust, Alpha King, and Gumballhead
06:29 < Aztec03> also Yum Yum
06:29 < TV`sFrank> Death916 Yeah but they often taste like mud :P
06:29 < SporkWitch> honestly, i love red wine, but i can't do it; even when i was still in my 20's, one glass of red and i've got a hangover (and back then i could do a handle of jack to myself and be right as rain at 0800)
06:29 < lupine> there's some very good whiskey around
06:30 < lupine> even some irish stuff is good
06:30 < Death916> yall have expensive taste haha
06:31 < SporkWitch> Death916: ardbeg 18; US$40 (sometimes less) for 750ml, and DAMNED good; better than any of the "usuals" (e.g. glen fiddich and others that people will pay 200 for a bottle of blended shit)
06:32 < SporkWitch> and really, if you're drinking more than 2-4 fingers of single in a sitting, you may as well be drinking well
06:32 < Spice_Boy> (2:12:35 PM) TV`sFrank: Spice_Boy Proper channel for bash is NOT ##networking    <-- as I said... not always networking chat
06:32 < Death916> not too bad
06:32 < Aztec03> aw fuck I LOVE glenfiddich
06:33 < Aztec03> good-ass scotch
06:33 < Aztec03> 18 yr best!
06:33 < Aztec03> aw Spice_Boy were ye a bee or not in some past life?
06:34 < SporkWitch> Spice_Boy: that your question wasn't topical is secondary to the fact that it was a shit question with no context
06:35 < TV`sFrank> ^
06:35 < SporkWitch> Spice_Boy: and if you'd like to argue that fact, then answer my question about multi-server support
06:36 < SporkWitch> no? that's what i thought
07:30 < Aztec03> Are Cisco Catalyst 3750E's or X's any good as a refurb/used purchase for a small-ish enterprise with plans on expanding in time?
07:36 < Maarten> Aztec03, its quality hardware. Only issue might be that Cisco won't support them if they weren't procured through their channels.... not a big issue if you know your stuff and you have a lot of other avenues to pursue support from, but not so great for mission critical if you need like 2 hour support from cisco.
07:46 < Aztec03> noice.
07:47 < Aztec03> I don't mind actual Cisco support atm
07:47 < Aztec03> or, don't mind not having it*
07:47 < Aztec03> pretty straightforward for my setup
08:02 < quazimodo> GUUUUUUUYYYYSSS how do i override the nameserver address of mysite.com, to point to the cloudflare nameservers, so that I can test cloudflare on my machine
08:06 < TV`sFrank> vi /etc/resolv.conf
08:10 < quazimodo> TV`sFrank: I don't know how to make that only work for a particular domain?
08:10 < quazimodo> like, mysite.com  => jack.ns.cloudflare.com
08:17 <@pppingme> quazimodo put it in your hosts file, or setup a dns server on your network (this is what I do)
08:19 < TV`sFrank> hosts file can map hostname to another hostname?  I thought you could only map ip's and hostnames
08:19 <@pppingme> you just point your original hostname to the IP of the new one
08:20 < TV`sFrank> ah ok that makes more sense than what I was thinking heh
08:20 <@pppingme> the only "gotcha" is if cloudflare changes the ip of jack.ns.cloudflare.com
08:21 < TV`sFrank> nod, but even then you could probably get a list of ips for it and put them all in hosts file
08:21 < TV`sFrank> bit of a PITA but eh :)
08:21 <@pppingme> I assume this is only for temporary testing, right?
08:22 < Aztec03> also thanks for the tip earlier, Maarten
08:27 < quazimodo> I'm confused, i thought that our system goes to our appointed DNS and says 'where are the records for mysite.com', which goes to n servers that point along till the name registartion company says 'records are at jack.ns.cloudflare.com'
08:27 < quazimodo> atm the case is that it says 'the records are at something.aws.com'
08:28 < quazimodo> i want my machine to think all the records fro mysite.com are at jack.ns.cloudflare.com
08:29 < quazimodo> When i use  dig @jack.ns.cloudflare.com mysite.com  i get back the ip that it resolves to, but that's not jack.ns.cloudflare.com. I can put that ip it /etc/hosts but it kinda skips the whole cloudflare nameserver
08:35 < detha> quazimodo: you can run dnsmasq or bind and tell it to always forward requests for *.example.com to jack.ns.cloudflare.com. But normally anything would ask the .com servers where to look for example.com
08:36 < quazimodo> detha: right, so i need to run dnsmasq eh
08:36 < quazimodo> can i run bind locally
08:36 < detha> you can.
08:37 < quazimodo> cooly, i think my router has dnsmasq running, maybe i can override there?
08:37 < detha> but why do you want to override whatever the registrar has ?
08:38 <@pppingme> detha temporary testing of a new host not yet ready for the public
08:39 < quazimodo> yep
08:51 < quazimodo> So i guess it would be a forwarded zone, with the options forward only, forwarders: { ip of cloudflare ns }
08:51 < quazimodo> yeah?
08:56 <@pppingme> it could be
08:56 < detha> that would work yes
09:07 < quazimodo> thanks
10:18 < arahael> Why do many IT admins only allow port 80, and 443 traffic?
10:19 < arahael> (Bit of a mini-vent, that, I'm sure that question serves as a fair summary)
10:20 < detha> Because Security !1!!11!
10:21 < arahael> It's *so stupid* :(
10:22 < MikeSeth> to prevent end user initiatives
10:22 < detha> Actually it's not. Default deny, allow what is needed, both in- and out-bound
10:23 < MikeSeth> that is pretty much it
10:23 < arahael> So much networking now happens over port-443-https. :(
10:27 <+catphish> arahael: it's a matter of deny by default, and open other ports as needed, best practice in many situations
10:28 <+catphish> many security certifications rightly require this
10:29 <+catphish> there's nothing uniquely special about 80 and 443, they're just the first 2 ports that users will need to use, and hence will be opened pretty much immediately under such a policy
10:30 < detha> FSVO opened.... Proxied or with a DPI firewall in between user and wild west web
10:30 <+catphish> i've yet to experience anyone doing MITM on 443, but i believe it does happen
10:32 < arahael> catphish: I'm mainly talking about a *refusal* to open ports as required. Port 80 and 443 only.
10:32 < detha> couple of years ago we had a cloud-hosted app. once in a while a user would capture data, and the app 'lost' the data. Turned out that filling out http forms with lots of fields in quick succession set off the anti-exfiltration in the firewall
10:33 <+catphish> arahael: well then "why" would be a question you'd have to ask the specific admin
10:33 < detha> (and that was https, with all office machines booby-trapped with a cert that trusted the firewall)
10:33 <+catphish> arahael: sometimes it's just a matter of effort, they don't want to document and manage lots of one-off requests
10:34 <+catphish> but there's no good reason beyond that afaik
10:35 < arahael> catphish: I'm aware of all that, it's really pretty much a rant.  I've been "re-educated".  Port 80 and 443, good. Nothing else. Got it.
10:35 <+catphish> arahael: huh?
10:35 < arahael> catphish: Indeed.
10:35 <+catphish> that doesn't represent any of what was just said
10:36 < arahael> catphish: The long and short is they don't want to do it.
10:36 < arahael> catphish: Doesn't really matter how they explain or elaborate it.
10:36 <+xand> in what situation
10:36 <+catphish> arahael: laziness basically
10:36 < arahael> catphish: Indeed.
10:36 < arahael> Anyway.
10:36 <+xand> on what kind of network?
10:36 < arahael> xand: It's irrelevant, really.
10:36 <+catphish> i usually see it on things like edu guest networks
10:36 <+xand> no it's not
10:37 < arahael> xand: Then you've misunderstood the situation.
10:37 <+catphish> arahael: fuck off
10:37 <+xand> if there is a business need to open ports then management can require it to be done
10:37 < arahael> Woah, sure.
10:39 <+catphish> xand: i find that it's more a problem when there's no business, and hence no business reason compelling it, like in edu, just people just wanting to use their "personal" connections for things
10:39 <+xand> catphish: eduroam has a mandatory list of firewall holes
10:40 <+xand> and that's what most edu wifi is
10:40 <+catphish> at least one university i've visited had this default policy, no idea if they's make exceptions as i was just a visitor hence didn't ask
10:40 <+xand> it's a lot bigger than just 80/443
10:40 <+catphish> this was UWE, i was a guest, ssh didn't work
10:40 < SlowJimmy> Could the entire internet be made to work like the onion network?
10:40 <+catphish> SlowJimmy: no
10:40 < SlowJimmy> i mean like the tor network
10:40 <+catphish> SlowJimmy: it's another layer on top
10:40 < SlowJimmy> catphish: can you ELI5 why?
10:40 < SlowJimmy> ah
10:41 < SlowJimmy> so couldn't you put that layer on top of everything?
10:41 <+catphish> SlowJimmy: each hop in tor requires the adjacent hops to be known
10:41 <+catphish> therefore you still need a non-anonymous underlying network
10:41 < SlowJimmy> so the way the internet is designed prevents this
10:41 <+catphish> that's not what i said
10:41 <+xand> also you often want to know the client IP address etc.
10:42 < SlowJimmy> could something be designed in theory from the ground up that works anonymously that does everything the internet does?
10:43 < arahael> SlowJimmy: YOu'd always end up leaking some sort of metadata.
10:43 <+catphish> SlowJimmy: tor does this
10:43 <+catphish> the internet is made in layers, if you want encrypted layered routing, that is a layer on top
10:43 < SlowJimmy> arahael: I see!
10:43 < SlowJimmy> catphish i see
10:43 <+catphish> arahael: not really true, tor doesn't leak metadata, it's just that it requires a regular routable network underneath
10:44 <+catphish> each pair of adjacent nodes need a normal way to communicate
10:44 < arahael> SlowJimmy: For instance, Tor users are still vulnerable to browser fingerprinting, and ISP's can still figure out that you're using Tor.
10:44 <+catphish> you could simple use tor for all internet traffic if that's what you wanted
10:44 < arahael> (It's why Tor users are encouraged to use the Tor browser, if I recall)
10:45 < SlowJimmy> If everybody including joey's mum used tor would that not mean that basically all internet traffic would be somewhat secure from drag net surveillance?
10:45 <+catphish> oh yeah, if you use tor you have to be careful what you actually send down it
10:45 <+catphish> SlowJimmy: basically yes
10:45 <+catphish> SlowJimmy: but it's not worth the overhead
10:45 < SlowJimmy> arahael: this browser finger printing is analyzing your browsers plug ins and screen size and so forth?
10:46 < arahael> SlowJimmy: Essentially.
10:46 <+catphish> SlowJimmy: yes, exactly that
10:46 < SlowJimmy> catphish: I try to always use https just so drag net surveillance will be less feasable but tbh a lot of big websites still dont support real encryption
10:46 <+catphish> everything your browser sends can help uniquely identify it
10:46 < arahael> SlowJimmy: HTTPS still reveals the host, so you've leaked that bit, but it's still a big improvement.
10:47 <+xand> it doesn't necessarily reveal that
10:47 <+catphish> SlowJimmy: it all comes down to what you care about in terms of privacy
10:47 < arahael> xand: Well, the IP address, surely?
10:47 <+catphish> SlowJimmy: if you don't want your ISP knowing what websites you visit, it's much harder than if you just don't want hackers getting your bank password
10:48 < SlowJimmy> catphish: I do not want to live in a panopticum but want to have freedom from the inquiring eyes of others no matter who they are
10:48 < arahael> In practice, I'd say: VPN to a country that doesn't care.
10:48 < SlowJimmy> catphish: it's not that I have any tangable reason aside from privacy itself
10:48 <+catphish> SlowJimmy: so you fall into the "don't want your ISP knowing what websites you visit" category, then you need tor
10:49 <+catphish> SlowJimmy: that's really an unnecessary level of paranoia in my opinion, but if you really don't want that, there's no other way to avoid it afaik
10:49 < SlowJimmy> catphish: the ISP is one part but the websites I visit is not the end all be all, what about my emails? what about the private companies collecting data and selling it
10:49 < SlowJimmy> what about private persons hacking into your stuff and taking it over
10:50 <+catphish> SlowJimmy: that's much easier, you choose what you tell them, that's all down to you
10:50 <+xand> 1. don't use facebook
10:50 <+xand> :P
10:50 <+catphish> if you give a company your data, they have your data, if you don't, they don't
10:50 <+catphish> fortunately, gdpr will (at least in europe) make it a lot clearer
10:51 < SlowJimmy> what about search engines? i did not agree but they still are extracting data about me
10:51 <+catphish> SlowJimmy: as i just said, they only know what you tell them, simple as that
10:51 < SlowJimmy> and also facebook and instagram and twitter and other companies track you outside their own website
10:51 < SlowJimmy> even if you do not have an acccount
10:51 <+catphish> they aren't mind readers, they know only what you send them
10:52 < SlowJimmy> catphish: with facebook just think about on how many pictures you are on that are on the website that have been uploaded by people who know you yet you did not agree
10:52 <+xand> SlowJimmy: well you can have them prosecuted under GDPR perhaps ;)
10:52 < SlowJimmy> or they acquire the data from people using websites with these facebook buttons
10:52 <+catphish> SlowJimmy: well if someone else shares your personal data, there's nothing you can do about that
10:53 < SlowJimmy> xand I don't want to prosecute them lol
10:53 <+catphish> SlowJimmy: humans are not covered by gdpr, only businesses
10:53 < SlowJimmy> catphish what about all the data you create just by being online?
10:53 <+catphish> SlowJimmy: it's up to you what you send, simple as that
10:53 <+xand> catphish: true but it would apply to data they hold even if someone else supplied it.
10:54 <+catphish> if you ask your isp to connect you with a website, then they know, if you don't, they don't
10:54 <+catphish> xand: that's true, if it's personally identifiable
10:54 <+catphish> if someone tagged me in a photo on facebook, i could ask facebook to delete that information
10:54 < SlowJimmy> why are isp necessary?
10:54 < SlowJimmy> could people do what the isp does for them for themselves?
10:54 <+catphish> SlowJimmy: get rid of your ISP, and you'll see
10:54 < SlowJimmy> lol
10:55 < SlowJimmy> could in theory every person act as their own isp?
10:55 <+catphish> SlowJimmy: you're free to buils your own tier1 network
10:55 <+catphish> *build
10:55 < SlowJimmy> given the infrastructure was publicly owned or something
10:55 < linux_probe> they;re not, if you want to be amish/off-grid and I dont mean the darwin moronic youtubers claiming off grid then posting videos to make $$$$
10:55 <+catphish> what infrastructure?
10:55 <+xand> catphish: and the photo presumably.
10:55 <+xand> as it's PII
10:55 < linux_probe> only thing worse than them are the darwins following/watching :)))
10:55 <+xand> sounds messy
10:55 <+catphish> xand: i was just contemplating, is the photo PII?
10:56 <+xand> maybe it depends on the content of it
10:56 <+catphish> xand: if so, can i ask facebook to try to identify me in every photo they hold, and delete them?
10:56 <+catphish> madness
10:56 <+xand> dunno :)
10:56 <+catphish> me neither, it's a good question
10:56 <+catphish> it certainly *seems* personally identifiable
10:56 < SlowJimmy> catphish: i mean the cables and the computers that make up the isp's stuff
10:57 <+catphish> SlowJimmy: all the ISPs in the world? what about the networks in people's houses?
10:57 <+catphish> SlowJimmy: and how will you connect to them all?
10:58 < SlowJimmy> I meant if the cables and the servers and what have you that the ISP uses to provide their service would be provided for free by the tax payer then could everybody do whatever the ISP is now doing FOR them by themselves?
10:59 <+catphish> SlowJimmy: then the government would be the ISP, i don't think that's better
11:00 < SlowJimmy> what does the ISP actually do to connect you?
11:03 <+catphish> they just manage those routers and cables you mentioned
11:04 < SlowJimmy> tbh that seems like a lot of trust put into that entity no matter who it is
11:05 < SlowJimmy> Is there privacy in numbers?
11:06 < SlowJimmy> Since a lot of people use any given ISP then they cannot actually infringe only on the privacy of a small fraction of users
11:07 <+catphish> yes, you have to trust your isp with whatever data you send in the clear
11:07 < SlowJimmy> then sending data in the clear is a mistake
11:07 <+catphish> SlowJimmy: the best policy is to assume that everything you send in the clear is *public*
11:07 < detha> s/your ISP/any ISP between you and the destination/
11:07 <+catphish> detha: best just to assume everyone can ready it
11:07 <+catphish> *read
11:08 <+catphish> the point is, the internet is not a private medium, it's not supposed to be
11:08 < SlowJimmy> there are few private mediums
11:08 <+catphish> if you want to send data privately, you encrypt it, and even that doesn't protect you against people knowing who you're communicating with, that's why tor is a thing
11:09 < SlowJimmy> so tor can remove the metadata and the encryption can protect the content
11:09 <+catphish> SlowJimmy: as detha said, remember *your* isp is not the only one involved, your data travels through many networks before reaching the destination
11:09 <+catphish> SlowJimmy: actually tor does both
11:09 <+catphish> but yes
11:10 < SlowJimmy> isn't then using tor more important than using encryption since metadata is much more dangerous to society than the actual content of the communicatiosn?
11:10 <+catphish> most people don't consider the metadata to matter, so they just use https
11:10 <+catphish> no
11:10 <+catphish> people don't care
11:10 < SlowJimmy> ok they do not and i cannot blame them
11:10 <+catphish> just like i don't wear a scarf over my face when i walk to the shops, i don't care if the public see what shop i visit
11:10 < SlowJimmy> but technically the metadata is worse, right?
11:11 < SlowJimmy> well a scarf is one thing but what about the credit cards?
11:11 <+catphish> it's up to you what you consider private
11:11 < arahael> SlowJimmy: No, not worse, but considering the scale of the logging/snooping, the metadata is the useful bit!
11:11 <+catphish> credit cards are the data, that's what encryption protects
11:12 < SlowJimmy> arahael: i see!
11:12 < SlowJimmy> catphish: if you buy your stuff in the store with a credit card than your shopping behaviour might become available to advertisers
11:13 <+catphish> there's a lot of commercial value in knowing what websites you visit, what shops you visit, but online this data can be very easy to collect, in real life not so much
11:13 < arahael> SlowJimmy: That does, infact, happen
11:13 <+catphish> SlowJimmy: yes, you trust your credit card company with this, and this is the kind of thing GDPR is there to protect us against
11:13 < SlowJimmy> or even your bank might rethink that credit you asked for if they see a pattern of recklest spending
11:14 < detha> the irony of the situation is that things like https and tor protect against snooping on data in transit. With things like facebook and google, the only thing I want to be protected against is accumulation of data in the endpoint.
11:14 <+catphish> of course it's up to your bank if they want to lend you money, and how you spend it is very much their business if they're lending it to you :)
11:14 <+catphish> detha: luckily that's very much in the category of "you choose what you give them"
11:14 < arahael> In practice, credit unions just assume you've already spent up to your credit limit, these days.
11:15 < detha> catphish: not really. facebook like buttons etc.
11:15 < SlowJimmy> arahel lol
11:15 <+catphish> arahael: that's a big assumption, certainly here all lenders report the exact balance to credit reference agencies
11:15 < detha> there is a reason facebook forbids sites to use a copy of the like button, it has to come from facebook servers
11:16 < SlowJimmy> wait what do you mean it has to come from facebook servers?
11:16 < SlowJimmy> ther wiring behind those buttons?
11:16 <+catphish> detha: that's true, fortunately they will now need your permission to do this
11:16 < arahael> catphish: Possibly country specific.  In Australia, at least, credit agencies have just started being required to share more information - and to use the credit limit as part of the credit score, regardless of how much of the limit you've actually used.
11:16 <+catphish> SlowJimmy: yes
11:16 < detha> SlowJimmy: so they can track you from site to site. Referrer plus fbcdn cookie
11:17 <+catphish> arahael: well in the UK they use whatever they want, but the main piece of information they have is your balance
11:17 <+catphish> detha: this is already illegal in europe without permission i believe
11:17 <+catphish> but most people give that permission without even thinking :(
11:17 <+catphish> they're like "cookies, yeah sure whatever
11:18 <+catphish> "give me my free content now!"
11:18 < detha> most sites stop working without, so yeah.
11:19 < arahael> It's really different using the internet in EUrope: Every website asks you to store cookies, explicitly.
11:19 < arahael> (Google, included)
11:19 < SlowJimmy> most sites assume that you agree to the cookies by visting them, which is a foregone conclusion
11:19 <+catphish> originally browsers prompted for cookies, users got so fet up of it, they just changed it to accept all by default, now that's rather backfired, i almost wish they'd restore the old behaviour and allow the site to provide an explanation along with the cookie
11:19 <+catphish> SlowJimmy: technically they need consent
11:19 < detha> The whole cookie permission thing could have worked, had they passed that law 15 years ago
11:20 < SlowJimmy> catphish: But do I have any way to deny that consent?
11:20 <+catphish> SlowJimmy: your browser has a setting
11:20 <+catphish> detha: browsers used to ask, people didn't like it, so the default now is accept all, really it'd be nice if they went back to asking by default, with an explanation for each one :)
11:21 < arahael> SlowJimmy: In firefox, I set cookies to only last the browser session.  Ie, I close the browser: All cookies get deleted.  Still enough to track me, but the damage is less.
11:21 < arahael> catphish: It'd be wonderful, indeed.
11:21 <+catphish> arahael: that's pretty sane
11:22 < SlowJimmy> arahael: at least you made a decision and didnt just click next
11:23 < arahael> SlowJimmy: I often do.  On the iPhone, I use the duckduckgo browser most of the time...  And the browser in miniKeepass for where I actually like the cookie, though I do  wonder how sandboxed it is. I hope it's sandboxed.
11:24 < arahael> Still, it means that what I do in duckduckgo is unlikely to be tracked with facebook, as I never use facebook on that browser.
11:25 < SlowJimmy> if you still have the app you are screwed though
11:25 < SlowJimmy> and I assume a lot of people who use facebook on their phone have the app
11:25 < arahael> SlowJimmy: I don't.
11:25 < SlowJimmy> on a phone the apps can sometimes access the hdd as you know
11:25 < arahael> Installed it though, but quickly deleted it...  The facebook app is pretty awful.
11:26 < detha> easier. I never used facebook, and all of facebook and its cdn is blocked in the firewalls
11:26 < SlowJimmy> i mean they can access what other apps have stored
11:26 < arahael> SlowJimmy: Not on the iPhone.
11:28 < SlowJimmy> Shouldn't text based browsers be more secure?
11:28 < SlowJimmy> since there are no flash ads invovled
11:28 < arahael> They typically do less.
11:28 < arahael> No flash on iPhone either.
11:30 < SlowJimmy> detha how did you block all that in your firewall?
11:30 < SlowJimmy> you just banned the IP of fb?
11:31 < detha> all 80/443 is proxied through squid, hard blacklist in squid on domains
11:31 < arahael> That works.
11:32 < detha> Works mostly. For some other things I have a cron job doing DNS and AS lookups every hour, and populating a pf table with the resulting IPs/ranges
11:32 < SlowJimmy> how do you know what to put on the hard black list?
11:33 < detha> a fancy version of curl $site | grep http
11:34 < arahael> detha: I suppose you'd whitelist the amazon ip addr ranges?
11:34 < detha> aws yes
11:35 < detha> too many different things flipping in and out of there
11:35 < SlowJimmy> doesn't google provide similar services?
11:35 < detha> gce and friends?
11:35 < SlowJimmy> ye
11:36 < arahael> detha: dns blocking will help with those, at least.  I feel we're moving towards an age where blocking by IP is getting less effective.
11:36 < detha> same applies. but most of those are 'variable' IPs, so one can only catch it on domain lookup
11:37 < detha> and yes, by-IP is getting a lot less effective. Same for e-mail, RBLs don't really work effectively any more
11:38 < arahael> I use a VPN most of the time - except at work - and I notice that a lot of the networks that block email, work well with the VPN. Weird.
11:39 < arahael> (In particular: My local shopping center's public wifi)
11:39 < SlowJimmy> Why would they even block Mail?
11:40 < detha> one word: spam
11:40 < bezaban> blocking mail how?  A lot of providers filter 25 and rightly should :)
11:41 < djph> detha: spam, spam, spam, spam, spam, spam, spam, spam, users are dumb, spam, spam, and spam
11:41 < arahael> If nothing else, it means spam doesn't come from that IP.
11:41 < detha> my one ISP just redirects any outgoing tcp/25 to their mail server, and rate-limits the %#^ out of it
11:41 < arahael> detha: That's a *really* good way of doing that.
11:42 < bezaban> or just use imap
11:42 < arahael> bezaban: Most places block imap, smtp, and pop3.
11:42 < bezaban> arahael: never seen that, seen a lot of blocking 25 though
11:42 < detha> imap is a strange thing to block
11:42 < djph> my ISP did that, a quick call of "hey guys, this one thing I have is crap, and needs 25 ... yes, yes I understand if I start spamming you'll fine me to hell and back ... okay, thanks!"
11:43 < arahael> detha: It means that if you want email, you're more likely to suck it up and use the corporate email.
11:43 < arahael> detha: Rather than your own email system.
11:43 < detha> Or just use gmail/whatever through a https interface
11:44 < arahael> detha: Plenty of loopholes, sure, but it means you can't use your local email client.
11:44 < arahael> Still, in this age, that's becomming less and less effective as people move to putting the entire internet over http.
11:45 < djph> I think you mean "https"
11:45 < arahael> djph: I wish.
11:45 < SlowJimmy> djhp i doubt it
11:45 < detha> arms race. first firewalls just blocked ports. Now firewalls do DPI.
11:46 < djph> there's a push to move things to https ... http (no tls/ssl) is going away ...
11:46 < arahael> djph: Yeah, I like that.
11:46 < arahael> I do wonder why google is encouraging it, though.
11:46  * arahael doesn't trust google.
11:47 < djph> because they've got clout in the "industry"
11:47 < detha> I don't like it. It has pushed every office into 'you can't have internet unless you trust our firewall cert'
11:47 < arahael> detha: Mine's done that too.
11:47 < djph> true, it has downsides.
11:48 < arahael> detha: They don't appear to be mitm'ing, though.
11:48 < detha> arahael: why google does it? google wants your data for themselves, no one else can have it
11:48 < arahael> detha: But it really urks me that *nothing is stopping them*.
11:48 < arahael> detha: How does https help with that?
11:48 < SlowJimmy> detha: maybe google is doing well if the internet is doing well
11:49 < arahael> SlowJimmy: And yet, Google kept Flash alive.
11:49 < arahael> On linux, for instance, Google Chrome is the only supported flash implementation.
11:49 < detha> arahael: it stops, for example, your ISP from seeing your search history. Google still has it though
11:49 < arahael> detha: Ah, there's that, true.
11:50 < SlowJimmy> what about gnash?
11:50 < djph> although my office hasn't done that.  the bossman is level-headed enough to realize MITM'ing the connection means we're *potentially* opening ourselves up to an "oh hey, so we found that doing that was sending cc info to china"
11:50 < arahael> SlowJimmy: Who supports gnash!?
11:51 < arahael> djph: Yeah, once the office introduced certs like that, I stopped logging into any of my more private accounts. (Such as indeed, my CC account)
11:51 < SlowJimmy> arahael: Not sure who exactly, been a while since i used flash...
11:51 < djph> I mean, it's not like we're not reading your email (you sick fuck) ... but at least we're not sending your cc to china :)
11:52 < SlowJimmy> arahael: i think icecat? used to...
11:52 < djph> but then, bossman is a graduate of BOFH-U
11:52 < bezaban> I don't mind the certs for internal resources etc, but I do mind the mitm, but that doesn't seem to be happening here :)
11:52 < arahael> djph: Yeah, when Google was reading my mail, I switched providers.
11:53 < arahael> djph: It really stinks when BOFH happens.
11:54 < djph> arahael: I dunno, my BOFH is quite an agreeable sort.  I just have to remember that the file cabinet is really a bulkeraser, and to test the floor tiles before walking through the computer room
11:55 < arahael> djph: To be fair, I think a lot of the "BOFH" happens as a result of impatience: Not wanting to explain or discuss the request.
11:55 < djph> ... must've been when I rewrote rm to replace /home/mydirectory with rm -rf /home/bofh ; rm -rf /root
11:56 < arahael> djph: ... And indeed, the expectation that anyone below you in the organisation has no clue!  Why would they be running 'rm', anyway? They have a policy of not deleting files!
11:56 < arahael> (Certainly felt that way)
11:57 < turtle> ya'll hoard them or something?
11:58 < djph> turtle: "them"?
11:58 < turtle> files
11:58 < djph> yes
11:58 < djph> at least I do.
11:58 < djph> minimum two backups (plus the drive it's on)
11:58 < turtle> "these are my system libraries from 2004 i keep them around because i might use them some day" *hoarders theme music*
11:59 < turtle> "just one more night with the poop!"
11:59 < djph> nah, unless I forgot about a disc somewhere, I only keep backups for ~18 months.
12:00 < djph> well, except the tax returns (digital + paper) - those are 5 or 7 years ... whichever the IRS wants me to keep
12:08 < arahael> I tend to keep my files "forever", but I try to clean them out from time to time. Eventually. (Never really happens).
12:08 < arahael> I don't hoard music or videos though, which keeps the sizes down.
12:15 < djph> I mean, I'm not saying I don't still have the files somewhere (that old hdd I forgot about, or some old backupdir that I forgot to clean when I wrote better scripts ...)
12:16 < arahael> djph: Unencrypted ad-hoc backups... Those were the days. :)
12:18 < djph> arahael: to be fair, I'm pretty sure my scripts are still doing that
12:27 < arahael> djph: To be fair, the main reason I encrypt mine is because I now backup to the cloud. :)
12:27 < arahael> No way in hell I'll send those up in the clear!
12:28 < Sircle> I suspect php is making bruteforce ssh attempts on other remote machines (maybe an app or wordpresss got compromised). How can I check if it is really php?
12:28 < Sircle> I have restricted OUTBOUND ssh via iptables so I can investigate. THings are in control now.  how to know if it was php? how to know which process / user is attempting to make ssh connections?
12:28 < arahael> Sircle: That would depend on the server.
12:29 < Sircle> its ubuntu vps
12:29 < arahael> Sircle: netstat, perhaps.
12:29 < Sircle> arahael,  any specific command?
12:29 < arahael> Sircle: However, it might be sensible to simply block outgoing ssh entirely.
12:30 < arahael> Sircle: I don't do much sysadmin, to be honest.  I'm a programmer.
12:30 < arahael> Software Engineer.
12:30 < djph> arahael: oh, quite right.  my backups are too large (kids pics / holiday plays / etc) to make that worthwhile (at least due to filesize / bandwidth ... cost is annoying too)
12:31 < Sircle> arahael, I blocked port 22 for outgoing by IPtables. You have better ideas?
12:33 < arahael> djph: Yeah...  I don't have that many pics, or movies.  A couple of GB, perhaps.
12:34 < arahael> djph: I don't backup my VM's, either.
12:34 < arahael> Nor applications.
12:35 < djph> arahael: yeah, I didn't have that much data ... and then kids ... o_O
12:35 < MaxFrames> hi
12:36 < arahael> djph: :)
12:36 < arahael> djph: Once (if!) I have kids, I expect to have a more comprehensive home network.
12:36 < arahael> djph: Right now, it's just a gateway, and one's personal devices... And the wife's personal devices...
12:36 < MaxFrames> does anyone know if J4858C (HP part number) and 3CSFP91 (3Com part number) are the same GBIC?
12:38 < djph> your best source of info would be if HP has the supplier's model number noted somewhere (they likely don't)
12:38 < MaxFrames> there used to be a code converter page on HP's web site but it has been removed
12:39 < MaxFrames> I need a gbic for a temporary connection, I have a 3com available and I would not want to buy a new one if this one's ok
12:40 < djph> stick it in the slot, see what happens
12:40 < MaxFrames> can the switch be damaged (hp 2530) if the gbic's not compatible?
12:40 < djph> it just won't work
12:40 < djph> unless you 300-pound gorilla it into the slot or something
12:40 < MaxFrames> lol
12:45 < detha> arahael: if/when you have kids, be prepared for 'sh*t where's all my bandwidth gone?'
12:46 < cnf> kids be throttles, you
12:46 < cnf> yo*
12:46 < cnf> don't need moar than 512KB/s
12:46 < detha> s/throttles/throttled/ ;)
12:47 < arahael> detha: That already happens.
12:47 < arahael> detha: My wife is addicted to youtube and netflix.  And we have only mobile internet.
12:47 < MaxFrames> both gbics are multimode and 850nm
12:48 < arahael> detha: If I had kids, though, and I had that issue, I'd definitely be keen to look into traffic shaping. ;)
12:49 < arahael> And some seriously restrictive firewalls.  Then again, what's the point? Once they argue and win access to youtube, they'd have *everything*.
12:50 < detha> exactly. those devices get thrown in their own vlan, with speed limiter, and only minimal restrictions on where they can go
12:53 < arahael> I don't think I'd want my kids to have access to anything without supervision.
12:55 < arahael> We spend way, way too much time on the internet.
12:56 <+catphish> i never go on the internet
12:56 < detha> he said on the internet
12:56 <+catphish> i think he was stating the problem, not solving it :)
12:56 < cnf> arahael: yeah, keep them on a leash
12:57 < detha> arahael: technical restrictions on youngsters just leads to an arms war, hidemyass proxies, etc. etc.
12:57 < djph> least until they're old enough to know things like "their 'friend they met in a chatroom' doesn't need to know their street address"
12:57 <+catphish> maybe, or just kids who don't know anything about reality
12:58 < djph> catphish: given that near on all millennials don't know anything about reality, i don't think restrictive internet rules was a cause
12:58 <+catphish> it's funny, my generation learned all this ourselves, yet we feel the next generation will be incapable of doing so
12:59 <+catphish> anyway, my opinions on parenting are meaningless since i'm not going to have children
12:59 < arahael> catphish: There is a theory that each generation tries to make their kids avoid the same mistakes.
12:59 < djph> catphish: your generation was also probably told "it's nice outside, take your bike and get out.  you can come home for lunch"
12:59 <+catphish> djph: yes
12:59 < detha> catphish: small difference, in the olden days the internet still forgot. Today's internet doesn't forget. Ever.
12:59 <+catphish> djph: that's the kind of thing i believe in
13:00 <+catphish> detha: that's indeed a problem :(
13:00 < djph> detha: the internet forgot?
13:00 < arahael> Today's internet is *crazy*.
13:00 <+catphish> my 12 year old yahoo chats have been deleted thank god
13:01 <+catphish> the scary thing is recording *everything*, no opportunity to make mistakes and put them behind you
13:01 < arahael> The real issue, is the teenage politics: That stuff will keep with you _forever_.
13:01 <+catphish> yep :(
13:01 < arahael> So if you were a freethenipple fan as a kid... You probably got away with it.  Do that now, online...  Messed for life.
13:02 <+catphish> one of my best friends is still someone i met on yahoo chat on the other side of the world, i finally met them in person *16* years later
13:02 < djph> detha: http://archive.org
13:02 < detha> djph: there's no record there of, say, ancient BBSs or the earlier network chats
13:03 <+catphish> indeed, in fact basically nothing until fairly recently
13:04 < detha> and since google fscked up dejanews, much of the old usenet has also disappeared from public view
13:04 < arahael> It's one of the reasons I *always* use a VPN now, but even there, I only started that like, weeks ago. :(
13:04 <+catphish> i don't really care, i'm old enough not to share anything i regret these days
13:05 <+catphish> but as a teenager it could be devastating
13:05 < arahael> The real issue is HR.
13:05 < arahael> Ie, the workforce.
13:07 < arahael> Particularly if your drunken night at the uni was plastered everywhere.
13:07 < arahael> (No, that didn't happen to me!)
13:07 < detha> Also, an example from an interview 10 years ago, $youngster wants to rent a room. $landlord looks up $youngster on myspace/FB, and says 'No, not interested. Too much of a late-night party animal'
13:08 < arahael> I'd bet that happens today, absolutey.
13:08 < arahael> *absolutely.
13:10 < arahael> So if anything, the internet is even more scary. (I never use my name online, though I do use my name on my domain name...  It was required when I signed up.  Australia. *sigh*)
13:11 < ^7heo> it's not australia specifically
13:11 < ^7heo> valid IDs are required for more and more domains
13:11 < ^7heo> which is bs since you can basically just run a free "DNS resolver" and get as many of those as you want ;)
13:12 < ^7heo> because you know, *free* DNS resolver.
13:15 < arahael> I'm still trying to get rid of facebook. :(
13:15 < arahael> All my friends use it. :(
13:26 < djph> detha: fair enough
13:27 < MikeSeth> arahael: get new friends
13:27 < MikeSeth> /problem
13:27 < djph> family was horrified when I told them "oh hell no, no pics of my kid on FB"
13:28 < djph> then when I highlighed the important bits -> "All your stuff is ours, kthx. --facebook" <-- they at least stopped acting horrified in front of me that I was like "no"
13:28 < MikeSeth> famil was horrified, cps was horrified, facebook was horrified, cia was horrified
13:28 < djph> granted it hasn't stopped them from posting pics of their goblins
13:29 < MikeSeth> i will just reiterate my general support for abortion coupons as gift items
13:29 < djph> errr
13:30 < MikeSeth> no no
13:30 < MikeSeth> there's no "err"
13:31 < arahael> MikeSeth: CPS!?
13:31 < arahael> Oh, sarcasm.
13:31 < MikeSeth> Oh, sarcasm!
13:31 < arahael> MikeSeth: Imagine if CPS used facebook as part of their investigations, though!
13:31 < djph> arahael: they'd get even LESS done!
13:32 < antgo> my wan link starts to drop packets over 90% and gives me a 1k+ to 10k+ lag as soon as i connect to a remote icecast stream. lan is 192/24 but 2nd hop in mtr output is 10.0.0.1, started to notice drops a hour ago. could you see me through ways of where do I go from here?
13:32 < djph> tell your ISP to unfuck their network
13:33 < antgo> djph: is what I asked the link owner to do, awaiting updates. what i wasn't aware is that the isp side of the link can be on a 10/* network, is that pretty normal?
13:33 < arahael> What's a 10/* network?
13:34 < antgo> 10/8 or 10/24, a.k.a. 10/idk as in I don't know their subnet mask
13:35 < djph> sure, you can route over RFC1918 space.  It's kinda wrong if they're NATing you to 10.x though -- should be 100.64/10 (CGNAT / RFC6598) instead
13:35 < arahael> Ok, whilst I understand subnets, this is over my head. :)
13:36 < djph> but at least it's not HP's or AOL's space, like some shit ISPs in India do.
13:36 < antgo> djph: I see. thanks for the refs, I fetch them now
13:37 < detha> ISPs routing traffic through rfc1918 space is perfectly normal, they are just too cheap to use proper space.
13:37 < djph> too cheap, or too small, or ...
13:37 < detha> djph: add Africa to that :p
13:37  * arahael wonders when he'll finally have IPv6, and if it makes any difference.
13:38 < djph> detha: haven't seen anyone from Africa in here complaining about that yet.
13:38 < detha> djph: now you have
13:38 < djph> detha: stop being such a shit ISP then
13:38 < djph> :D
13:39 < detha> traceroute from here to 8.8.8.8 has 10/8 and 20/8 addresses in it....
13:40 < djph> 10/8 ... meh, 20/8 ... hmm, just shows for ARIN.  Too lazy to break it up though
13:40 < detha> 20/8 was some US defense contractor, if I remember correctly
13:41 <@pppingme> 20/8 is valid, broken down to several people
13:42 < djph> detha: no idea, stupid arin isn't showing a breakdown, and I really don't want to walk through the /16s
13:42 < djph> ... or, well, anything between /8 and /16
13:42 < djph> (or hell, smaller)
13:43 < detha> 20.0/11 is "Microsoft Routing, Peering, and DNS"
13:43 <@pppingme> 10/8 is probably your isp using rfc1918
13:43 < detha> pppingme: yeah.
13:43 < detha> but the 20/8 hops shouldn't be there.
13:45 <@pppingme> if it goes through any of ms's cloud stuff it might
13:45 <@pppingme> whats the specific 20. ip's?
13:45 <@pppingme> or it could be some isp still using it like rfc1918 space
13:45 <@pppingme> seemed like I remember a decade ago 20/8 was DOD
13:46 < detha> 20.0.0.x. Which is on equipment that MS would have nothing to do with (highsites, tik and ubnt gear)
13:47 < djph> well, MS owns 20.0/11, so ...
13:47 < djph> Azure perhaps?
13:47 < detha> The whole 20/8 used to be CSC corp, and rarely got used
13:47 < detha> MS probably uses it in Azure yes
13:47 < djph> hmm, they picked it up 2017-10-18
13:48 < djph> csc, wasn't that something like "corp service corp" or somrthing
13:48 <@pppingme> it appears ms has had pieces of 20 since 1998
14:00 < ^7heo> one does not need routing when using a SOCKS tunnel, does one?
14:08 < djph> ^7heo: at some point I'd expect one to need routing somewhere. Although I expect that the routing would be in whatever link is encapsulating the tunnel, rather than the tunnel itself
14:08 < ^7heo> I dunno, I'd expect the routing to happen as if it would be done on the remote SOCKS server.
14:09 < ^7heo> otherwise, what interface would I even set for the routing, locally?
14:09 < MikeSeth> routing is the selection of an interface and the gateway for the outbound packet
14:09 < djph> ^7heo: I mean, in order to set up the proxy, you need to talk to it.  Once you're directing traffic over the tunnel, then the routing should be handled by the endpoint
14:10 < ^7heo> I feel like sometimes in this channel, there's a random markov-google bot
14:10 < ^7heo> that selects random things as input, and outputs wikipedia.
14:11 < ^7heo> djph: I have an SSH socks tunnel that works properly when used over firefox; however over tsocks I can't do much with it.
14:11 < ^7heo> I mean, I can tsocks curl
14:11 < ^7heo> that works
14:11 < djph> ^7heo: hm ... never used tsocks
14:11 < ^7heo> yeah well
14:12 < ^7heo> what I don't get is that I can access any route that behind the router, but nothing local
14:12 < djph> ^7heo: blame systemd and/or openssl :)
14:12 < ^7heo> I'm not using systemd, ever.
14:12 < ^7heo> but yeah I could blame openssl, easily.
14:12 < ^7heo> what's NOT to blame with openssl anyway?
14:12 < djph> unfortunately, I think systemd
14:13 < djph> well, until it makes ssld
14:13 < ^7heo> dat gunna b fun.
14:13 < arahael> I don't mind systemd, unless I need to use docker.
14:13 < ^7heo> for me it's the other way around.
14:13 < djph> ^7heo: it's gonna make all your problems with openssl look like a walk in the park
14:13 < ^7heo> I mind systemd, unless I need to use docker.
14:13 < ^7heo> then whatever, shit's fucked anyway.
14:14 < ^7heo> djph: possibly yes.
14:14 < arahael> ^7heo: Ha...  Because I was going to say that systemd and docker are incompatible.
14:14 < djph> docker looks interesting from time to time ... but then I start reading, and am like 'why in the hell would anyone even *use* this"
14:14 < ^7heo> what a fucking surprise.
14:14 < ^7heo> djph: for mocking during tests.
14:15 < ^7heo> a-la travis.
14:15 < ^7heo> but even then there are better alternatives.
14:15 < ^7heo> so...
14:15 < arahael> djph: It's really elegant to be able to spin up stuff in a relatively controlled environment.
14:16 < djph> ^7heo: ah, so it's a convoluted way of performing unit tests
14:16 < ^7heo> djph: yeah more-o-less.
14:16 < ^7heo> arahael: elegant is such a poor choice of phrasing.
14:16 < arahael> Not unit tests.  System tests.
14:16 < ^7heo> arahael: convient, sure.
14:16 < ^7heo> elegant, fucking not.
14:16 < djph> I suppose that's a good idea ... but it seems that "spinning up a clean / controlled enviornment" will end up with "well it passed the tests ... and then deleted all of PROD"
14:17 < ^7heo> nah the real issue is that it's a fucking hack on top of hacks and if you actually try to do system tests like arahael suggests, you're gonna run out of isolation pretty fast.
14:17 < ^7heo> if I had to run system (as in OS) tests, I'd do it over proper virt.
14:17 < ^7heo> definitely not systemd or rkt or else
14:17 < ^7heo> s/systemd/docker/
14:18 < ^7heo> same shit, different names.
14:18 < arahael> Proper virt is relatively slow, though.
14:18 < arahael> But it's really not about virtualisation, as I learned the hard way.
14:18 < arahael> It's all about the docker file <-- That's really nice, you can version it, etcetera.
14:19 < ^7heo> docker, the answer to people who don't understand make.
14:20 < djph> ^7heo: I thought that was man make
14:20 < ^7heo> eventually, we're all gonna need rockets to go do groceries.
14:20 < ^7heo> djph: nah, man make, you need to read stuff in a terminal.
14:20 < ^7heo> djph: with docker, you can read "nice web javascript-enriched stuff"™
14:20 < ^7heo> you know, because you need to justify using a 100$ mouse at work.
14:21 < djph> ^7heo: well, at least you didn't say "you can watch 48 minutes of YT tutorials for something that reading would take 2 mins"
14:21 < ^7heo> well that alternative is available tho.
14:21 < djph> ^7heo: they tried that.  I showed the reigning BOFH that I was a contender.
14:22 < djph> He was impressed I could get that much voltage multiplication in that small of a mouse.
14:23 < arahael> ^7heo: Don't use make to manage your build tools.  Use make to manage the compilation, only.
14:24 < ^7heo> djph: found the problem. tsocks(1) has a 'reaches' config field.
14:25 < ^7heo> that means "don't use the next hop for this"
14:29 < djph> ^7heo: hooray manpage?
14:30 < ^7heo> djph: well that still does not explain why firefox won't work with it.
14:30 < ^7heo> djph: because it's fine that I can curl to my server, but I need a fucking browser...
14:31 < djph> ^7heo: wait, didn't you say before that ff worked?
14:33 < ^7heo> djph: for remote sites yeah
14:44 < dogbert_2> sheesh...college freshman switches majors when he finds out how much math is required for a comp sci degree :)
14:46 < javi404> dogbert_2: haha
14:46 < javi404> WTF they switch major too? comp sci can't be more math and computer engineering or EE
14:46 < dogbert_2> yeah...LOL
14:46 < javi404> I suck at math because I have ADD
14:47 < javi404> but I could feel the answers and guess them right
14:47 < javi404> haha
14:47 < javi404> best explanation I can give anyway.
14:47 < javi404> I haven't hung here in a while
14:47 < javi404> i need to more often
14:48 < dogbert_2> javi...a lot of students show up to college completely unprepared to handle coursework... though back when I started, you wanted a comp sci degree, it was calc I/II, linear algebra, applied stats, Diff Eqns, Abstract Algebra, and Numerical Analysis
14:54 < Spice_Boy> a degree you say?
15:03 < dogbert_2> yeah, that was the math requirement for a bachelor of science in Comp Sci back in 1981 when I attended college
15:03 < cleveland> Hi! I have 2 security critical small networks. Both networks must have internet access through the same router. I want to keep these 2 networks physically segregated, so no VLANs allowed. Which devices should I be using for this?
15:04 < Epic|> Wire cutters
15:04 <+xand> cleveland: you can't physically separate them if they share a router... the router can firewall between them
15:04 < Epic|> Just drop traffic between them
15:05 <+xand> yeah that
15:07 < cleveland> So if I have 172.16.0.0/24 and 192.168.0.0/24, both using the same router, the most security paranoid way to make things work would be dropping the traffic between them?
15:07 < jvwjgames> hello
15:08 < jvwjgames> hello
15:08 < MikeSeth> cleveland: the most security paranoid way would be having two disjoint internet gateways
15:08 < MikeSeth> and total absence of any physical connection
15:08 < cleveland> MikeSeth: sure. Beside that what would be the second best solution?
15:10 < MikeSeth> a separate management vlan for the router and switches with physical security of the ports on which it is enabled, and two physical networks for the targets,  plus the router firewall or access control rule to block traffic between these networks, as well as a policy document that enumerates these conditions and automated method of periodically testing them
15:10 < jvwjgames> i have a question someone posted a spam support ticket on my site and yes i have captcha active and there IP got logged what is best practice for reporting it
15:11 < MikeSeth> jvwjgames: the abuse dept of their ISP
15:11 < jvwjgames> how do i find that out
15:12 < MikeSeth> jvwjgames: look it up in whois
15:12 < jvwjgames> ok what if it is anoth contry
15:12 < MikeSeth> as long as it's a civilized country, it'd work
15:12 < jvwjgames> ok
15:15 < jvwjgames> ok thanks do i have to pay anything also it is in EU so i have the Abuse infon it is from RIPE
15:16 < quazimodo> i can't quite figure this out
15:17 < quazimodo> bind seems to be up, it's forwarding to 8.8.8.8 but when I switch NetworkManager to use 127.0.0.1 as the DNS, nothing works
15:17 < quazimodo> no domains resolve
15:19 < djph> read the log
15:23 < cleveland> MikeSeth: So the phisical structure would be the router connected to 2 switches (port security enabled), one for each LAN. Logically I would also have a router management VLAN and a firewall in the router dropping packets between the networks. Did I get it right?
15:24 < Sircle> one of our domain got suspended. Registrar says it was registered under someone elses name. Registrar is not giving registrants name (maybe a clercal mistake in our company). What are the changes we can recover it?
15:25 < tds> Sircle: if it's a uk domain you force a transfer via nominet if you have access to the contact email, otherwise you're probably stuck sorting it out with the registrar
15:26 < Sircle> its a .com registered with reg.ru
15:26 < Sircle> tds,  how to know the contact email?
15:26 < tds> if it's a com domain nominet won't help
15:26 < tds> but you may be able to find the details via whois
15:27 < Sircle> tds,  whois is empty for this domain
15:27 < Sircle> I messaged you
15:28 < tds> yeah, looks like it's using some kind of contact privacy service
15:35 < MikeSeth> cleveland: yes, the point of the former is to exclude [as far as possible] any possibility of the router being tampered with from network A to get into network B
15:35 < MikeSeth> of course it is not as strong a guarantee as physical separation, but in practical terms its very close
15:37 < Sircle> tds,  what are my changes now?
16:30 < Smallville> hello
16:31 < Smallville> i have a little issue with Sharp printers saying "selected servers are not found."
16:31 < Smallville> I can print to them but I can't scan to email
16:31 < djph> check DNS
16:31 < Smallville> Sharp MX4101N, MX-M753N, and MX-2600N
16:32 < Smallville> DNS is good
16:32 < djph> and it's correct on the printers? you haven't done something silly like typo the IP address, or block traffic originating from the printers to some other VLAN?
16:33 < Smallville> they were all working 20 minutes ago
16:34 < Smallville> i restarted the routers and they stopped scanning to emaik
16:34 < Smallville> *email
16:34 < freakynl> Maybe the SMTP server is no longer reachable
16:34 < djph> then check your router / firewall
16:35 < djph> and next time don't forget to make sure the running config is also the boot config
16:35 < cleveland> MikeSeth: dumb question now. Am I able to configure private LANs with different network ranges using these two switches and then connect the switches to the router? I mean, suppose I configure switch A and its LAN with IP 192.168.0.0/24. Switch B and its LAN with IP 172.16.0.0/24. When I connect both switches to the same router/gateway, will PCs in each LAN access the internet?
16:36 < Smallville> Hmm
16:36 < djph> cleveland: the switch IP addresses likely won't matter.  They will, of course, affect whether you can manage them or not
16:37 < Sircle> What makes a registrar a registrar and gain control over records of a domain?
16:37 < MikeSeth> cleveland: switches wont care about your layer 3 IP configurations, beside the management vlan and IP and ACL used to configure the switch
16:37 < djph> as long as you've got vlan tagging (or not) correct, a switch will happily forward ethernet frames to the correct destination
16:37 < MikeSeth> cleveland: they will relay the traffic to the router
16:40 < cleveland> Right so if IPs do not matter for switches, this means the only thing that prevents a device in layer A communicating with layer B is the firewall/ACL in the router. Is that correct?
16:41 < cleveland> *a device in NETWORK A ...
16:41 < MikeSeth> cleveland: no no no no. Since you don't have a physical connection between A and B beside the possibility of packet forwarding between interfaces on the router, the only thing that potentially *enables* a possibility of communication is the router
16:44 < cleveland> Oh, right, the router ports are independent. The firewall/ACL is an extra precaution after all?
16:44 < djph> no
16:45 < MikeSeth> depending on the router it may or may not be, if the router is a linux box that's configured to never route anything to anything by default that's one thing, if it's pfsense with permissive rules that's another thing
16:45 < MikeSeth> but it needs to be explicit in any case
16:45 < djph> if you have two networks, and a router (and y'know, working configs) ... the router will happily forward packets between both networks.
16:46 < djph> that's its job afterall.
16:46 < MikeSeth> djph: I'm assuming 'router' in this case is a firewall
16:46 < djph> yeah, it gets a little fuzzy when the router / firewall are the same box
16:47 < MikeSeth> because if this is the only setup, then an actual ROUTER would be the opposite of what you want here
16:47 < djph> generally when that happens (at least in my experience, and I've not experienced *every* permutation there is), the firewall defaults to permissive.
16:47 < MikeSeth> djph: e.g. pfsense would
16:47 < djph> or most generic nix boxes
16:48 < djph> dunno juniper / cisco so much (I *recall* that they were permissive by default, but it's been ages since I've touched one)
16:48 < cleveland> Ok, so what if the router is a soho one? By plugging my switches into the router ports, what would happen?
16:50 < djph> they'd most likely be on the same network, what with soho "routers(tm)" being multiple devices crammed into one box, generally one of which being "a switch".
16:50 < djph> also, a wireless AP and even sometimes a modem.
16:51 < djph> ... at least that's what the usual suspects (Netgear, Dlink, Linksys, tptrash, etc.) generally do.  There *may* be others that're slightly more business-oriented that behave better.
16:52 < cleveland> Hm ok, so if the 'router' I am talking about is a soho, how would I make two separate networks? Would I need to plug the 2 switches into a real router/L3switch and then this guy into the soho router?
16:52 < djph> depends.  what make / model are you talking about?
16:53 < cleveland> Linksys E1200
16:53 < cleveland> this is the soho I am referring to
16:54 < cleveland> Now for the 'real' router I do not know. What difference does the model make?
16:55 < djph> you would set it on fire, throw it out the window, and then install a proper router.  an inexpensive example being a Ubiquiti ER-X.  Alternately, I hear mikrotik makes some that aren't awful.  There are always the "small business" offerings by Cisco / Juniper / HP / etc.
16:55 < cleveland> lol
16:55 < cleveland> I will make that happens
16:56 < djph> Note that few (if any) of these will offer "features(tm)" like wifi or a switch (although the ER-X can be setup as such).
16:57 < Sircle> What makes a registrar a registrar and gain control over records of a domain?
16:57 < djph> they wanted to be one at some point, and probably paid the right people to get named one.
16:59 < cleveland> So if I plug my switches into a decent router and this router into the internet cable, that sould do it? And no communication between networks at first?
17:00 < djph> for the first part, yes.  For the second, "it depends".  Many routers are permissive-by-default (i.e. "allow all" ACLs)
17:00 < cleveland> The problem with poor linksys (beside it being crap as it seems) is there are no actual router ports available, but a weird switch embedded. Is that correct?
17:00 < djph> correct
17:01 < djph> it is a router + switch + wireless AP all crammed into one box
17:01 < djph> the two "routed" ports are the "WAN" port, and the "whatever is wired to the switch-chip on the motherboard"
17:02 < MikeSeth> if that is the case you probably would want to force vlan tags on both network connections to the router
17:04 < cleveland> Could I say that using a real router and 2 switches would be more secure than using this vlan solution?
17:05 < ||cw> not really
17:06 < ntd> ththat e1200 can do what you want it to with owrt/lede
17:08 < djph> .... VLANs or physical LANs going through two interfaces are, well, pretty much identical
17:10 < Sircle> What makes a registrar a registrar and gain control over records of a domain?
17:12 < ntd> sev factors
17:12 < ntd> ofc they have a deal with icann, regional tld registrars etc
17:16 < uxfi> oh
17:19 < djph> I'm fairly certain Sircle is at this point a chatbot
17:24 < Droog0x> Straight as a sircle.
17:26 < Sircle> :)
17:28 < DammitJim> pretty open ended question.... why does one put a server on the DMZ vs internal network?
17:29 < ||cw> when you want it on the internet and not on your LAN
17:30 < DammitJim> so, if the server is being accessed from the internet?
17:36 < Smallville> I changed smtp to Gmail. Now printer says ‘communication with server is lost ‘
17:36 < Smallville> When trying to send scan to email
17:37 < ||cw> Smallville: latest firmware? probably google changed something.  ask support
17:38 < Smallville> Support isn’t helpful
17:38 < Smallville> You guys are the experts
17:40 < ||cw> Smallville: your printer needs to support whatever google requires.  that's really all there is.  it's not like the printer is open source and we can tell you what code to change
17:41 < ||cw> you can enable smtp on a google account.
17:42 < Smallville> Ok I’ll try it
17:43 < detha> printer probably tries to submit through port 25. gmail wants 587
17:47 < Apachez> ?
17:47 < Apachez> gmail accepts on tcp25 last time I checked
17:48 < ||cw> how long ago was that?
17:48 < ||cw> for receiving they do, but for senting with auth it's 587
17:48 < Apachez> ahh yes
17:48 < Apachez> if you want to use them as a spamrelay you need to auth
17:50 < phre4k> Smallville: since we're the experts, I expertly recommend that you don't use google but host your own email
17:52 < Smallville> I used ports 587 (TLS)
17:52 < Smallville> And I tried 465 ssl
17:52 < Smallville> I do host my own email
17:53 < Smallville> But I used brighthouse smtp server
17:54 < Smallville> Scanner stopped scanning to email. So I’m trying to switch to gmail smtp server
17:58 < MikeSeth> 587 + starttls + auth it is, then
17:59 < Smallville> Ok
18:02 < cleveland> I have a VM with a virtual interface (VirtualBox) running over a Debian9 host. I want this VM to be my gateway for a physical LAN (PCs + switch). Can I do it just by setting the virtual interface in bridge mdoe?
18:02 < cleveland> *mode
18:04 < ||cw> cleveland: yes, if you have 2 nics in the host and/or use vlans properly
18:05 < cleveland> ||cw: 2 nics, one for the LAN and the other for external communication?
18:06 < ||cw> yes, and don't put an IP on the host on that external NIC
18:06 < ||cw> just have the guest bridged to it
18:06 < ||cw> and also have a 2nd vnic on the guest bridged to the LAN nic, which the host can have an IP on.
18:07 < ||cw> I recommend a static address on the host, then the router guest can host DHCP for everything else
18:34 < HEROnymous> hey guys
18:34 < HEROnymous> anybody in here know anyone associated with AS 6 ?
18:41 < Apachez> HEROnymous: AS6 Bull HN Information Systems Inc. ?
18:41 < Apachez> https://bgp.he.net/AS6#_whois
18:45 < HEROnymous> Apachez, right, both of those contacts are bogus - phones don't connect, emails bounce
18:45 < skyroveRR> Hi HEROnymous
18:45 < HEROnymous> howdy
18:53 < tds> HEROnymous: interesting, as6 seems to have the same issue as as3 on bgp.he.net where many prefixes are listed
18:53 < tds> I suspect someone is messing with as paths and feeding that data to route collectors
19:11 < electricmilk> Anyway to tell the history of a website going down? Staff opened ticket that they couldn't access homedepot.com.  Tested and sure enough it didn't resolve.  Tried from VPN and went right through.  Checked firewall logs and nothing is showing that it was blocked. Tested again and resolved. Checked from another workstation and resolved.
19:11 < electricmilk> Wondering if perhaps it was a DNS issue...or if the site just went down for a short period
19:14 < Peng_> Seems unlikely Home Depot would have a DNS outage, they use Akamai.
19:14 < electricmilk> hmm I just found a tool called currentlydown.com that states it has been up
19:14 < electricmilk> Peng_,  Perhaps an issue with our DNS server?
19:15 < mast> Not sure how it compares, but I've always used 'http://www.isitdownrightnow.com"
19:16 < electricmilk> I've noticed sometimes our content filter doesn't give the message which is odd.  When trying to access anonymous proxy sites it just gives a "This site can't be reached" error but the firewall still logs it
19:16 < electricmilk> With this case...no logs
19:16 < flying_sausages> Hey guys, I've got a question about starting an internet connection using mmcli and a PPP modem (Iridium Satellites). I've got calls and texts running with mmcli already, and I can also use the pppd to get to the internet, but I'm wondering if this is also implemented in mmcli and if so, how.
19:16 < electricmilk> Was also complaints of walmart.com not being available last week...but no logs
19:16 < flying_sausages> I also managed to get up and running using a 3g ublox modem but I'm puzzled how to get this running now, would this also be using --simple-connect? What are the bearer options?
19:19 < flying_sausages> this is what I get when I get the information about the Iridium modem, so this should have some useful info https://pastebin.com/jy7u2q0W
20:11 < debron> Hello.. Is possible to limit network bandwith to other computers in my LAN, from my computer by software? doesnt look possible
20:11 < electricmilk> debron,  No access to firewall / router?
20:12 < debron> router, yeah
20:12 < electricmilk> Which router?
20:12 < debron> a mitrastar
20:12 < debron> movistar ISP
20:13 < electricmilk> debron,  This is just a home or small office setup?
20:13 < debron> home, yeah
20:13 < electricmilk> It might be possible with messing with QOS settings...looks like a pain in the ass https://www.reddit.com/r/networking/comments/39oktj/limiting_kbps_of_a_specific_ipmac/
20:14 < electricmilk> There is software that limits use of other users using Wifi..but is considered an attack tool...if you are managing the network I suppose its alright though
20:15 < electricmilk> The router might have network throttling or some similar setting to limit bandwidth, but usually this is set for ALL devices
20:17 < Maarten> debron, you typically would control traffic from the router that handles your incoming/outgoing internet. Your router may have certain QoS settings to ensure no one gets all the speed. (Note that this screws up speed tests in most cases too, but it works) - You can't do it from your computer. There are programs however - such as NetLimiter for Windows - that you can install on the workstation you want to control and give them only a certain LAN
20:17 < Maarten> speed, but that would affect LAN communication as well as internet.
20:18 < debron> thanks electricmilk
20:20 < jeffspeff> i'm having an odd issue. one vlan on my network is having very slow internet access. running speed tests show the connection at 1-2Mbps down and about 8Mpbs up. I installed iperf on a machine in that vlan and a remote server and tested on ports 5021, 80 and 443. On all 3 tests it reports about 25Mbps which is more accurate. Any suggestions on how to diagnose this further to figure out what/where my speed is being throttled?
20:20 < debron> thanks both, Ill read from here
20:21 < debron> someone installed a PLC in my network and at some times in the day its almost impossible to use internet
20:21 < debron> :/
20:22 < Kremator> debron, PLC? Power Line Connection?
20:22 < debron> yeah
20:22 < Kremator> well that's an easy fix, kill the person who installed it
20:22 < debron> lol
20:22 < jeffspeff> lol
20:22 < Kremator> then remove the PLC device
20:22 < debron> i wish sometimes
20:24 < jeffspeff> I can't figure out what the issue could be with that vlan. It's an office that my company just acquired so I'm trying to figure out how things are setup and configured. My first thought was a proxy hiding somewhere but I would have expected the iperf port 80 and 443 tests to reflect slow bandwidth if that were the case.
20:25 < electricmilk> When I was in school the IT guy thought it would be a great idea to install around 9 wireless routers around the campus in random locations with DHCP enabled...
20:25 < electricmilk> And he did this RIGHT before leaving on a 7 day vacation
20:25 < krzee> LOL
20:25  * jeffspeff barfs
20:25 < electricmilk> Took down nearly the entire campus
20:25 < krzee> drop timebonb, leave for vacation
20:25 < krzee> sounds fun!
20:25 < krzee> did he disconnect his phone too?
20:26 < jeffspeff> one if he was a real pro!
20:26 < jeffspeff> lol
20:26 < jeffspeff> *only
20:26 < electricmilk> So after trying to crack the admin password...my teacher and I just walked around the school with his phone following the wifi signal
20:26 < electricmilk> and unplugged.
20:26 < electricmilk> Sometimes its the simplest solutions that work best
20:26 < nobody> hi everyone :)
20:26 < detha> jeffspeff: only one vlan?
20:26 < krzee> lol yep!
20:26 < electricmilk> hi nobody
20:26 < jeffspeff> detha, multiple vlans configured
20:27 < jeffspeff> only 1 is having the issue
20:27 < jeffspeff> i've inherited this mess, i mean network
20:27 < detha> mtu issues somehow? try with a client with lowered MTU, see if that makes a difference
20:28 < jeffspeff> i have done iperf tests to a remote server connected via ike tunnel and an iperf test to a public iperf server; all of which show about 25Mbps. wouldn't an MTU issue be reflected in iperf tests and not just browser traffic?
20:29 < detha> it should
20:30 < ||cw> tried a different browser?
20:30 < jeffspeff> IE and Chrome
20:30 < jeffspeff> also checked settings for any proxy configs
20:30 < jeffspeff> and checked dhcp options for proxy as well
20:30 < ||cw> wireshark it?
20:31 < jeffspeff> next step i guess
20:31 < detha> silly test, go to somthing like whatismyip.com and see if that is somehow routed out a different link
20:31 < krzee> banisterfiend: hey man... so you wanted to know how the routing table works...?
20:31 < krzee> banisterfiend: what OS are you on?
20:31 < banisterfiend> krzee i'm kind of interested specifically how openvpn works though :) so....(1) it sets up a tun device (2) but how does this tun device get an ip address, not via dhcp right? (3) the tun device sends all its data via the gateway (i.e 192.168.1.1) right?
20:32 < banisterfiend> krzee i'm actually on windows, but you can explain in terms of osx/linux if it's easier
20:34 < krzee> banisterfiend: openvpn server can assign the address static or dynamic, or it can be ptp with each side assigning its own ip, there are a few options related to that. the vpn client only sends all traffic to the vpn server IF you configure it that way (which is a matter of adding routes, as seen in the openvpn manual under --redirect-gateway)
20:34 < krzee> banisterfiend: but the questions you asked in #openvpn were really just related to the routing table
20:34 < krzee> so take a look at route print (windows command)
20:34 < krzee> that shows your routing table, the most specific entries count
20:35 < banisterfiend> krzee but route print doesnt' appear to show me which interface
20:35 < krzee> it shows you which ip address, which coresponds to an interface
20:35 < krzee> so same same kinda
20:35 < banisterfiend> how do i know which ip address corresponds to which interface?
20:36 < krzee> ipconfig/all
20:36 < electricmilk> Ugh our Exchange server is constantly trying to reach SMTP servers in China, Chile, Turkey, and Russia.  What gives?
20:37 < banisterfiend> krzee nice
20:37 < electricmilk> I understand it if its the other way around (which is also happening) and those countries are contacting our Exchange server...but why is their source traffic from exchange going to China every couple minutes?
20:37 < krzee> electricmilk: ...did your admin leave on vacation yesterday??
20:37 < krzee> lol
20:37 < electricmilk> haha
20:37 < electricmilk> I think we have something nasty going on here
20:38 < krzee> ya sounds viral
20:38 < electricmilk> Arg
20:38 < krzee> i wanna tell you to lsof, but windows =/
20:38 < banisterfiend> krzee could you explain how the routing table could be setup for openvpn?like if the tun device is set as the default route...then how could openvpn ever talk to the outside world? won't the traffic just go round in circles? ultimately a route has to go to the router right?
20:38 < electricmilk> Well at least I have firewall blocking
20:38 < ||cw> electricmilk: returning a rejection message?
20:39 < Phil-Work> banisterfiend, you usually have a single route to the router for the public IP of the OpenVPN server
20:39 < krzee> banisterfiend: after setting up routing you then need to go to the server and configure NAT so the openvpn client packets get NAT'ed out to the internet
20:39 < krzee> you kinda turn the vpn server into a router for the vpn clients, if that makes sense
20:39 < electricmilk> ||cw,  Where would I be looking for a rejection message?  All I'm seeing is the firewall blocking incoming and outgoing connections to problematic countries
20:39 < Carll> electricmilk: Check for compromised accounts?
20:40 < electricmilk> ooo
20:40 < electricmilk> I need to clean up exchange
20:40 < banisterfiend> interesting
20:40 < krzee> oh and yes, what Phil-Work said is also part of --redirect-gateway as youd see if you read openvpn manual --redirect-gateway as i suggested
20:40 < electricmilk> I have no idea how to see which account its coming from
20:40 < ||cw> the exchange logs and queues I guess.  I don't use exchange
20:40 < electricmilk> We are moving to Office365 soon..thank god
20:40 < ||cw> I know what I'd check on exim...
20:40 < krzee> ||cw: lol ya thats where im stuck with helping him too
20:41 < Carll> electricmilk: The logs will hold the answers.
20:41 < Phil-Work> some servers also push exclude routes for their own public IP
20:41 < electricmilk> Got it. Thank you.  I'll just search for the IP's in the logs
20:41 < banisterfiend> so if i tcpdump on the tun device it just looks like normal packets, but when i tcpdump on the eth device then every single desintation will just be going to the public of the openvpn server....and this public ip has its gateway set as the ip of the router? e.g 192.168.1.1 ?
20:41 < banisterfiend> cc krzee & Phil-Work ^
20:42 < Phil-Work> I've seen others push two /1s instead of 0.0.0.0/0 and also an exclude route for their own IP to try to override the local default route
20:42 < krzee> what do you mean "public ip has its gateway set as the ip of the router" ?  makes me think you dont understand routing
20:43 < krzee> Phil-Work: yep thats the def1 flag to --redirect-gateway
20:43 < krzee> which if he EVER reads --redirect-gateway in the manual he will learn
20:43 < krzee> banisterfiend: go read that now, before your next question.
20:44 < banisterfiend> krzee heh possibly true - but i mean set things up so that if the destination is the public ip of the openvpn server, then it goes out the gateway rather than back in through the vpn
20:45 < krzee> theres more than just default gateways
20:45 < krzee> most specific matching route wins
20:45 < krzee> netmask is how you can tell
20:45 < krzee> !google cidr cheatsheet
20:46 < krzee> damn, no bot
20:46 < krzee> https://oav.net/mirrors/cidr.html
20:46 < krzee> so look at netmasks, as you go higher its more specific
20:46 < electricmilk> Any opinions on forcing users to redirect to Google/BING,Yahoo Safe search?
20:46 < banisterfiend> krzee i tried to read what you asked me to, but it's a bit terse, i think i might need a little more guidance. Can you explain how packets that are destined for the public ip of the openvpnserver end up going out the router, whereas other packets go through the tun device?
20:46 < tds> banisterfiend: afaik openvpn adds in the route for the /32 via the original gateway by default
20:47 < krzee> banisterfiend: based on most specific route matching
20:47 < tds> (or the /128 if you're not using legacy ip ;)
20:47 < krzee> its nothing openvpn specific, you jjust need to understand routing
20:47 < banisterfiend> tds yeah exactly, i thought that's what i was saying by " public ip has its gateway set as the ip of the router? e.g 192" it's a /32 route for that public ip so it has to match the whole ip right?
20:47 < krzee> which is why we came here
20:47 < krzee> this is the best place to learn things like routing
20:48 < krzee> yes, it adds a /32 route which is the most specific possible
20:48 < tds> banisterfiend: since it's a /32 route it only covers that single IP (for v4), and since it's more specific it'll be preferred over any default routes
20:48 < krzee> exactly :)
20:48 < tds> ^ :)
20:48 < banisterfiend> ok cool
20:49 < banisterfiend> so if i look at: route print -4.   i should see a route with the public ip/32 with its gateway set as my router ip?
20:50 < krzee> banisterfiend: and cool, i have no problem explaining stuff in --redirect-gateway i just wanted to be sure you read the manpage on it first =]
20:50 < Carll> Is there any privacy service, for free to offer; DNS servers that block trackers with 24-hour logs, free temporary emails, etc? -- I think I may look into configuring something..
20:50 < tds> it's 2018, use ip -6 route these days ;)
20:50 < kenlumbo> I have a BGP question. I have 2 peers, one is primary, with 2nd as backup. 2nd is backup via local pref and advertising communties to make the backup peer change their local pref, also as path prepend. My question is I'm adding another peer, but I would like this peer to only be active if the first 2 are down. Anyone have a nice doc that would help? I'm not sure if this is possible or not...
20:50 < krzee> banisterfiend: it depends on your settings, but when using --redirect-gateway  the answer is yes
20:50 < kenlumbo> adding a 3rd peer*
20:50 < tds> kenlumbo: I'd just path prepend lots, and set an appropriate local pref
20:51 < kenlumbo> yeah...but that doesn't help their local pref
20:52 < kenlumbo> providers don't obey the as path if their local pref is set differently for their peers
20:52 < kenlumbo> which some do
20:52 < tds> if you path prepend enough (and they only compare based on paths), then they shouldn't ever prefer the route you're sending over the direct peering until the other routes disappear
20:52 < kenlumbo> some providers do
20:52 < kenlumbo> level3 being one
20:53 < kenlumbo> because of their local pref for their peers
20:53 < tds> ah, if you're saying that they're messing with preference inside their as, there isn't a great deal you can do other than communicating with them or setting communities
20:53 < kenlumbo> yeah, which I'm doing, but when doing this with 2 peers, then one will take over, and you can't control which....
20:55 < detha> kenlumbo: if your upstream supports it, send a 'do not advertise to l3' community when you don't want traffic over that link
20:56 < banisterfiend> krzee do you have any experience with WFP ?
20:56 < krzee> dont know what it is... maybe?
20:57 < krzee> world food program?
20:57 < kenlumbo> World Freedom Power
20:58 < krzee> oh windows filtering program
20:58 < krzee> nah i dont actually use windows
20:58 < krzee> i just know basic networking commands cause of helping people in #openvpn lol
20:59 < Sircle> Placing a virtual machine inside a VPS OS. Putting all the apps in the VM and making the outer VPS OS as firewall.  Is this sane and have any benefits?
21:01 < banisterfiend> krzee ah ok...i have one more retarded question. I have a VM that i'm running windows in....and my router gateway ip (192.168.1.1) is not there, it seems to have become: 10.5.11.5. how is this possible? is it because the 'gateway' is really just a tun device sitting on my laptop?
21:01 < banisterfiend> or so, could you explain how that crap works? confusing.heh
21:01 < ||cw> Sircle: can you even run a VM in a VPS?
21:02 < Sircle> yes
21:02 < krzee> the "gateway" is the other side of your VM software)
21:02 < Sircle> yes
21:02 < banisterfiend> krzee i guess so
21:02 < ||cw> Sircle: I'd assume it has the same benefits that any vitalization does
21:02 < tds> you'll be reliant on whatever hypervisor the VPS host uses exposing vt-x/amd-v inside the VMs
21:04 < Carll> Sircle: why not use 'containers'?
21:05 < Sircle> Carll,  whats that?
21:06 < krzee> banisterfiend: and dont worry, your questions are pretty normal... not everybody is a networking eexpert... and from your hostname it seems you're pretty skilled in other areas of computing lol
21:06 < ||cw> Sircle: docker, for one
21:06 < Carll> Sircle: https://www.docker.com
21:06 < tds> there are things like LXC as well
21:06 < banisterfiend> krzee heh i'm a programmer that suddenly has to learn about all this networking stuff i never bothered with before :/ it's quite confusing
21:07 < krzee> banisterfiend: just remember i was nice if you ever see me in the ruby channel, as i know NOTHING about it lol
21:07 < Carll> Sircle: "Containers make it possible to isolate multiple applications running on a single server as well as implement software across multiple servers or move it easily from one environment to the next."
21:08 < banisterfiend> krzee with openvpn there's so many ip addresses: (1) the local ip address of the tun device (2) the public ip address of the openvpn endpoint (3) the ip address you're 'given' by the vpn and which you appear to have from the outside world. Is that accurate?
21:08 < krzee> banisterfiend: vpn's can be used for more than redirecting gateway, but in your very specific usage, yes
21:09 < krzee> banisterfiend: a vpn is merely an encrypted virtual network cable connecting 2 machines... you can do many different things with it
21:09 < krzee> ONE of those things is redirecting your internet connection to change IPs
21:10 < tds> banisterfiend: one thing to keep in mind, I'd say the "ip you're given by the vpn" is the ip on the tun device, though that might then be nated out to appear to be another address to the rest of the world
21:11 < wadadli> What are points that are typically included in a networking project proposal specification?
21:23 < javi404> Is it Friday yet?
21:23 < krzee> YES!
21:23 < krzee> YES IT IS!
21:23 < Carll> Close.
21:27 < Sircle>  I wonder if I can have 2 or 3 fiber connections but still be able to use one ip
21:27 < ||cw> it's certianly friday somewhere
21:28 < ||cw> Sircle: if the device supports link aggregation, sure.  used to do it with T1 liens back in the day
21:29 < Sircle> Can ips be bought?
21:29 < ||cw> yes
21:29 < Sircle> e.g I use dsl but I get a static ip no matter what isp / dsl I use?
21:30 < ||cw> not that easily, no.
21:30 < ||cw> you can get portable blocks, but it takes time and effort to switch where they go
21:30 < Sircle> portable blocks?
21:32 < Sircle> ||cw, whats that
21:32 < krzee> smalllaptop ~ # date +%A
21:32 < krzee> Thursday
21:32 < krzee> :( :(
21:32 < krzee> no no its not :(
21:33 < ||cw> a block of IPs that are portable, as in you can have them rerouted via differnt providers
21:33 < ||cw> but what you want is probably just dynamic dns
21:33 < ||cw> or maybe a VPS you can bounce your services off of
21:35 < Sircle> ||cw,  like a proxy vps?
21:35 < ||cw> lets start with: what are you trying to accomplish
21:37 < Sircle> I have unstable ISP and want to host a web server
21:38 < ||cw> so get web hosting
21:38 < ||cw> don't even need a full vps
21:38 < qman__> if you want more flexibility, a vps is also good, you can get one for $5 a month or less
21:39  * Sircle is a fan of full blown systems
21:39 < Sircle> with more control
21:40 < Carll> Sircle: Consider using a VPS?
21:41 < ||cw> $5 is a whole lot cheaper than the last time I looked
21:41 < Carll> Sircle: I can give you a ref. code for discount (two months free) depends on your preference.
21:41 < krzee> but you can also use dynamic dns, ive run a website on a dynamic ip before
21:42 < krzee> i do agree to use a vps tho
21:42 < krzee> Carll: foor which vps provider?
21:42 < krzee> for*
21:42 < Carll> ||cw: I only pay $5 for 20GB D. & 1TB B. with 1GB ram.
21:42 < krzee> i know a guy who was in the market, he might still be
21:43 < Carll> krzee: DO & Linode.
21:43 < qman__> linode, digital ocean, ovh, etc
21:43 < krzee> oh nice, i think he was going linode, please pass the code!
21:43 < qman__> I use linode
21:43 < Carll> Linode is cool, DO offers more Disk.
21:44 < Evidlo> Sircle: the non-static ip problem can be fixed with a dynamic dns service
21:44 < Evidlo> self-hosting can be a learning experience though
21:44 < Carll> krzee: I'll PM you, okay?
21:44 < krzee> yes please
21:45 < ||cw> linode's plans are confusing, it's limited by bps, not total transfer?
21:46 < qman__> it's limited by total transfer
21:46 < qman__> the bps is the line rate
21:46 < qman__> more expensive plans can get faster lines
21:46 < Carll> ||cw: look at 'transfer'
21:46 < ||cw> there isn't one https://www.linode.com/pricing
21:47 < ||cw> oh, there. i'm blind
21:47 < Sircle> Evidlo,  dyndns will route my trace for free?
21:47 < Carll> ||cw: Pretty cool provider. Very reliable.
21:48 < qman__> dyndns has ads
21:48 < qman__> use afraid.org if you need dynamic DNS
21:48 < qman__> but if you get a VPS you won't need dynamic DNS
21:49 < qman__> linode's DNS is pretty good, unlimited zones, and has a REST API
21:49 < qman__> 15 minute update time
21:50 < Carll> qman__: exactly.
21:50 < Carll> qman__: where you based?
21:50 < bindi> cloudflare dns
21:51 < Carll> I use cloudflare free dns.
21:51 < HEROnymous> cloudflare free dns is actually great
21:51 < Evidlo> I didn't say dyndns.  I said dynamic dns
21:51 < HEROnymous> cloudflare in general runs a pretty tight ship.
21:53 < Sircle> so what cloud flare does is route your public requests to your vps and roundrobin itself if one is down? if so, why would cloudflare rougte all data through tiself for free?
21:53 < Maarten> too bad so many network devices (such as Cisco wireless controllers) abuse 1.1.1.1 for their own use when they aren't supposed to.
21:54 < Evidlo> For example, suppose I have example.com registered with namecheap.  I can configure my router (or any computer on my network) to automatically send a message to namecheap with what my current IP is every hour.
21:54 < Evidlo> then namecheap will update the example.com record to point to me
21:54 < Evidlo> you could also use cloudflare, but I think most registrars provide a dynamic dns service for free
21:54 < Evidlo> Sircle
21:56 < Sircle> ok. does name cheap and godady provide dyndsns free service? I gues if they do, i would have to install some application on my host machine taht will tell the service of its ip evry minut?
21:57 < qman__> no
21:58 < qman__> as I said, if you need dynamic DNS, use afraid.org
21:58 < xamithan> hosting on dynamicdns is just bad all a round
21:58 < qman__> they offer free service, no ads, and fast updates
21:58 < JyZyXEL> does dnsmasq already have support for the 1.1.1.1 DNS Over HTTPS thingy?
21:59 < Sircle> I have to install a client on the machien wehere fiels sit
22:06 < krzee> i second gman's suggestion to use afraid.org
22:07 < krzee> they're good!
22:09 < S_SubZero> better than your nick reading skill I hope!!
22:14 < scivola> Is anyone seeing any fallout from the rogue AS hijackings today?
22:14 < scivola> I don't see anything on twitter about it, so I assume not, but wanted to check anyways
22:14 < scivola> ref: https://bgp.he.net/report/peers#_prefixhistory
22:37 < tds> scivola: I suspect it's just someone messing with as paths and sending that data to route collectors, rather than actual hijacking
22:47 < scivola> tds: sounds about right
22:48 < tds> either way, it's a bit annoying that suddenly bgp.he.net claims that my isp is MIT ;)
22:49 < scivola> lol
23:04 < DF3D2> if i have a /24 block of public ip's and I run internet facing services off of them, only opening the ports necessary --- that isn't any less secure than having one public ip and using NAT and doing the same thing is it ?
23:04 < DF3D2> this is all on pfsense so everything not opened is DENY anyway
23:06 < Apachez> DF3D2: open port is open
23:06 < Apachez> the drawback of having everything on one ip is when you need redundancy
23:06 < ||cw> DF3D2: if the hosts are multihomed on the lan anyway, no.
23:06 < Apachez> or if you want to do anycasting and stuff like that
23:07 < ||cw> you can do multiple IPs on one firewall if you want
23:07 < DF3D2> we are doing multiple ip's on one f/w
23:07 < DF3D2> an entire /24 block in fact
23:07 < ||cw> but yeah, redundancy is an issue, but that can be solved
23:08 < DF3D2> a software vendor claimed I was "wrong" for not using one public ip and nat
23:08 < DF3D2> and I disagree, but im not a networking guru
23:08 < ||cw> if all your things are listing on different ports, you don't need more than one 1 ip
23:08 < DF3D2> they aren't many are listening on the same ports
23:09 < ||cw> I'm not sure there's necessarily a "wrong" either way
23:09 < DF3D2> but even that COULD be solved with nat anyway
23:09 < ||cw> not really.  http you could reverse proxy, but pretty much everything else needs a 1:1 on the ports
23:10 < ||cw> though if you can change the ports... but that's less typical
23:10 < DF3D2> yeah I think the /24 block with transparent firewall is better anyway
23:10 < DF3D2> seems to be easier to deal with
23:11 < ||cw> it is certainly a matter of managing it.  personally, I'd rather nat.  makes swapping out a server on the same public IP stupid simple
23:14 < guest09328> Let's say i have a TRUNK attached to a router interface, and the other interface of the same router should be an IPsec peer. Is it mandatory to make an object-group in the ASA, which will aggregate the VLANs as the other-side LANs, for the purpose of defining the VPN-TRAFFIC (for the extended ACL) or i can go with separate ACEs?
23:15 < Apachez> you mean TAGGED interface?
23:16 < DF3D2> ||cw, thats true, lots of ip's to manage then
23:16 < DF3D2> spreadsheet helps
23:16 < DF3D2> heh
23:18 < guest09328> Apachez: Yes
23:24 < ||cw> guest09328: IPsec is a routed tunnel, you need a bridge to be able to pass the L2 vlan frames
23:25 < ||cw> hope you have a fast link though, bridging broadcast domains over a wide area network seems like asking for trouble
23:28 < qman__> it is at scale, but if you just have a few client computers connecting it's not a huge deal
23:28 < qman__> if you're trying to bridge two actual networks, though, you'll probably have some issues
23:28 < Apachez> being able to push vlan tags remotely is often a nice feature
23:28 < qman__> if you do need L2 site to site, you probably want to filter some stuff out with ebtables
23:29 < qman__> or to get a really fat pipe
23:38 < qman__> a client of one of my previous employers needed to send L2 traffic over a 3-site VPN so that they could do paging on their VoIP phones
23:38 < qman__> it wasn't pretty
23:42 < wiresharked> So today I had to fix a VOIP phone in a bus garage that was getting too little voltage. The ethernet is fine, turns out that something in the chain between the device and the switch was there that it didn't like. The specs state that it should be between 48 to 50 volts, it was getting 34
23:42 < sawgood> qman__: you got multicast paging working to remote sites over a VPN?
23:43 < sawgood> very nice .. even SIP IP based paging to remote sites is impressive!
23:43 < wiresharked> But SIP is an old protocol
23:43 < pi-> Suppose I have a crowd of 10,000 people with mobile phones. One of them taps a button and all of them play a sound. How to go about doing something like this? How low can I get the latency?
23:44 < Criggie> wiresharked: damaged cable?, and possibly a long run making it more sensitive?
23:45 < ||cw> qman__: I think I'd have setup a multicast repeater instead
23:45 < wiresharked> Criggle: Yeah, because the guy I was working with connected the device directly to the switch, and it's working fine now
23:47 < Criggie> wiresharked: OK good work.  Time for either a new run of cable, or a local PSU ?
23:48 < Criggie> wiresharked: the linksys/cisco phones are happy with POE and a local PSU at the same time.
23:48 < qman__> yeah, I wasn't the one who set it up, but I know many, many solutions were attempted and that one was arrived at after they all failed
23:48 < Criggie> I like centralised UPS on a POE switch for all phones/cameras/APs
23:49 < Criggie> but its not always possible.
23:49 < ||cw> couple rpi and some socat magic should do
23:49 < sawgood> Criggie: which UPS do you use?  Does it have CAT-5e or just a USB for the PC?
23:50 < ||cw> sawgood: I have a couple USB with rpi and apcupsd and ssmpt, works well enough for basic alerts
23:50 < ||cw> ssmtp^
23:50 < sawgood> yeah me too ... .nice to hear!
23:51 < Criggie> sawgood: depends how good the budget was at purchase time :)   I have a couple of APCs at home with NICs but they're in need of new batteries.  Theres another serial APC and in th ehouse I have a USB APC on the firewall/switch.
23:51 < sawgood> I want a UPS with Ethernet, but they are too costly!
23:51 < ||cw> if I had more than a couple I'd probably get the net card
23:51 < wiresharked> Criggie: So is it the case that VOIP devices can act up if they have a non-local PSU hooked in?
23:51 < Criggie> sawgood: yes, yes they are.  Batteries are consumables and don't last more than 6/7 years.
23:51 < ||cw> in that case it would be the management software justifying it
23:52 < Criggie> wiresharked: I've never had a problem that has been related to ppower over POE
23:52 < sawgood> APC UPS with Ethernet and fresh new batteries are always costly
23:52 < qman__> used ones aren't
23:52 < qman__> that's what I run, old APC SmartUPS units with NMCs
23:52 < Criggie> sawgood: yeah I bought a set of new batteries for "cheap" but they weren't up to specs.
23:52 < Criggie> highly disappointed.
23:53 < ||cw> wiresharked: it depends on the phone and what you mean by non-local
23:53 < qman__> the only issue I have with them is that the NMCs are so old that the HTTPS can't be used with modern browsers
23:53 < wiresharked> qman__: Well that's silly
23:54 < qman__> it's annoying but still not a bad choice given the cost
23:54 < wiresharked> Criggie: It could have been a bad or failing power supply unit somewhere
23:54 < qman__> an old APC for $100-150, an NMC for $20, and a set of batteries for $100
23:54 < qman__> rock solid setup, lasts around 3 years before it needs new batteries
23:55 < Criggie> wiresharked: if your POE switch is naffed then you have other problems too.  And one UPS/switch is cheaper than a UPS per desk, and less inconvenient than a power supply per phone locally.
23:56 < qman__> I've got probably a dozen of them, and I've yet to have one fail beyond needing new batteries and a couple blown fuses
23:57 < wiresharked> Criggie: And they also said that the districts billing site was down because of an issue with NFS over vmware
23:58 < qman__> if you don't need the NMC you can get a BackUPS Pro for a bit less, otherwise the same guts
23:59 < qman__> serial port only on those, though
23:59 < Criggie> serial port works fine - I prefer them to USB ports.
23:59 < qman__> the trouble is that it's a custom pinout
23:59 < qman__> so you need an APC-specific cable
--- Log closed Fri Apr 13 00:00:07 2018