--- Log opened Sat Apr 14 00:00:10 2018
--- Day changed Sat Apr 14 2018
00:00 < qman__> yeah, I won't disagree with high school being a waste of time
00:00 < qman__> but generally you don't want to be expelled
00:00 < wiresharked> qman__: You are certainly correct about being banned from using school wifi. I'm a very trustworthy person
00:02 < d3r3k> wiresharked: use a VPN that's hosted on Google Compute Engine and uses SSL on 443/TCP.
00:02 < wiresharked> They can still trace traffic going through the VPN though..
00:02 < qman__> https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act
00:04 < qman__> the law lays out some specific government/financial wording but has a bunch of "or for X Y Z" type statements that effectively mean all computers and networks
00:04 < qman__> and qualifies any data
00:04 < navy_seal9614> qman__: thanks. So what exactly happens when I make http request from my local machine (while on vpn) to my vps (both nginx server and vpn server)? Cause I'm confused, as to why dnsleaktest shows the correct ip, while when i make request to vps nginx it leaks.
00:04 < d3r3k> qman__: not a lawyer, but I don't see how wiresharked would be accessing any unauthorized data.
00:05 < wiresharked> Although, it's weird, because on every school owned computer, when I'm on my google account, hotspot shield is there, and I know I did not install it
00:06 < d3r3k> wiresharked: Chrome syncs plugins.
00:06 < d3r3k> *can sync plugins
00:06 < qman__> navy_seal9614: assuming that you are accessing the site in a way which sends your traffic over the VPN (this is not necessarily the case), you send traffic originating from the IP that openvpn assigned you, over the tunnel, to the vps, where nginx answers the query
00:06 < d3r3k> you can disable it.
00:06 < wiresharked> But I don't think that I installed hotspot shield
00:06 < qman__> navy_seal9614: nginx will see the IP that openvpn assigned to your computer in its logs
00:06 < d3r3k> maybe you left yourself logged in and somebody else did once.
00:07 < wiresharked> I had to leave myself logged in to do windows updates
00:07 < wiresharked> I prefer to use a VPN for good, not to get in trouble with police
00:10 < navy_seal9614> qman__: but is it safe to assume I am sending traffic over the vpn if when I use my browser to send requests (for example to dnsleaktest.com google.com) it shows VPS IP?
00:10 < qman__> no
00:10 < qman__> navy_seal9614: the traffic is only going over the VPN if the route to the site is sent over the VPN
00:11 < qman__> if your vpn config sends all traffic over the vpn, then it will be over the vpn
00:11 < qman__> if it doesn't, you will only send traffic for routes that were pushed in the config over the vpn
00:12 < qman__> d3r3k: this is the tricky part - (a) Whoever— (2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains— (C) information from any protected computer;
00:12 < qman__> probably doesn't apply in this case but there are other laws to look out for too
00:13 < wiresharked> That is why I don't try to hack into teacher computers
00:13 < qman__> that's what I'm getting at though, there's all kinds of much more specific stuff in the law, but those clauses basically supercede all of that and make accessing any "protected" information on any computer illegal
00:14 < Carll> make sure your vpn isn't DNS only; you should be good.
00:14 < wiresharked> So hotspot shield is good then?
00:14 < Carll> Or alternatively instead of VPN, use a socks tunnel?
00:15 < wiresharked> Carll: Which is not supported on android
00:15 < hukata> hi
00:15 < Carll> wiresharked: I didnt see you where on Android, sorry.
00:16 < Carll> hello hukata.
00:16 < wiresharked> They're using the VPN to get around the fact that Snapchat and instagram are blocked on the school's wifi
00:16 < hukata> more like filtering packet that goes throught the routeur
00:17 < hukata> disabling ports
00:18 < navy_seal9614> qman__: I just checked my config. And i do redirect all traffic over tunnel (push "redirect-gateway def1 bypass-dhcp" is uncommented )
00:19 < qman__> navy_seal9614:  ok, then all traffic should be routing over the VPN - you can see the evidence of this in the nginx log, you should see the traffic originating from your openvpn IP
00:19 < qman__> when you connect to openvpn, it will assign you an IP
00:19 < qman__> I think the default is 10.8.0.0/24
00:20 < qman__> but it should be in the config
00:20 < qman__> the exception is if you're doing a bridged configuration
00:20 < qman__> then you get assigned some other way
00:20 < hukata> why do u need openvpn ? are u going to install it for a intranet ?
00:24 < Carll> navy_seal9614: does DNS leak test show your routers DNS *and* your servers?
00:26 < navy_seal9614> Carll: nope
00:27 < Carll> navy_seal9614: OK, brill. I typed this up anyway; https://pastebin.com/RKBYkw9z
00:29 < navy_seal9614> qman__: i used tcp dump (on vps) to check incoming traffic on port 80 and it leaked my actual ip.
00:33 < navy_seal9614> qman__: also i have an iptable rule that should drop all incoming traffic on 80 except if it is the vps public ip. Does that even make sense? The big picture is something likee that: i have a bunch of docker containers. One of them is nginx and have http ports open. I am using that for dev purposes and want to block all ip except who the one who have access to my vpn
00:37 < mawk> if they're containers they probably don't have their own public IP navy_seal9614
00:37 < mawk> so you just have not to do NAT to it from your public ip
00:42 < sudormrf> any of you lot ever run squid in AWS as a global proxy for an enterprise?
00:42 < mawk> isn't it wiser to run it inside the company itself ?
00:42 < UltraPhil> what the hell am I reading
00:42 < mawk> you want the lowest latency
00:43 < sudormrf> mawk, doesn't work well if workforce is global and dispursed and they don't VPN back home
00:44 < sudormrf> latency to AWS is typically low
00:44 < sudormrf> dependant on user machine
00:44 < sudormrf> not looking to use it for caching
00:44 < mawk> yes
00:44 < UltraPhil> why are you looking to do this, at all, then?
00:44 < mawk> filtering
00:44 < sudormrf> ^
00:44 < mawk> I guess
00:44 < sudormrf> and logging
00:44 < mawk> but you really want to filter the users...at home ?
00:44 < sudormrf> yes
00:45 < sudormrf> there are people that WFH
00:45 < sudormrf> they are remote employees
00:45 < mawk> is it legal ?
00:45 < mawk> oh ok
00:45 < sudormrf> yes
00:45 < mawk> off work time it wouldn't be legal in my country
00:45 < sudormrf> anything they do on a company asset needs to be monitored
00:45 < sudormrf> they shouldn't be doing private shit on a company asset, but that will never change
00:45 < mawk> why not forcing a VPN then ?
00:45 < mawk> yeah
00:45 < sudormrf> not feasible ATM
00:45 < sudormrf> that could come later
00:45 < sudormrf> but even then we need attribution
00:46 < sudormrf> and some of the additional protections afforded by a proxy
00:46 < mawk> you could do both
00:46 < mawk> use the vpn for the safety and centralization then just transparently pass traffic through squid on the VPN router
00:46 < mawk> I already made a setup like that to try out
00:46 < sudormrf> aye that will come once we replace the vpn
00:47 < mawk> how do you expect to force the computers to pass through squid ?
00:47 < mawk> at home
00:47 < mawk> by windows administrator magic I guess
00:47 < mawk> nevermind
00:48 < Irritiable|LT> Networking technology != operating system
00:48 < navy_seal9614> mawk: every container is properly NATed by the docker itself and it works. I can reach it from the outside. My question is why when I am under a VPN and make a request to that nginx instance, tcpdmp on port 80 tool shows my local box public ip? (again dnsleaktest.com shows vps ip)
00:48 < Irritiable|LT> Running *NIX system right now.
00:48 < mawk> for a corporate environment I expect the computers to be windows, Irritiable|LT
00:48 < Irritiable|LT> mawk: Why would you even assume such a thing?
00:48 < Irritiable|LT> Dear Jepeordy: What is: RedHat?
00:49 < mawk> because it's common
00:49 < Irritiable|LT> It's common to use RedHat. I agree.
00:49 < mawk> maybe redhat is common in your country
00:49 < mawk> not in mine
00:49 < Irritiable|LT> "Your country."
00:49 < mawk> here it's windows everywhere
00:49 < Irritiable|LT> I was unaware that Microsoft Windows or Linux RedHat was priced differently in different countries.
00:49 < mawk> not a price, but culture
00:49 < Irritiable|LT> Culture defines economics?
00:49 < UltraPhil> sudormrf, are you providing remote desktops to your workers, i.e. with vmware View, Citrix, or something like that? What's the workflow ?
00:49 < Irritiable|LT> That's a new one on me.
00:50 < sudormrf> they get laptops
00:50 < mawk> you said price
00:50 < Irritiable|LT> Hopefully cheap hardware laptops running either Windows XP or a Linux distro! Something good
00:50 < sudormrf> nope
00:50 < sudormrf> macos
00:50 < Irritiable|LT> Macintosh? Yuck.
00:50 < UltraPhil> sudormrf, you want to monitor all network traffic going through the laptops? Or traffic going to your company assets?
00:50 < Irritiable|LT> At least it's a *NIX based OS.
00:51 < mawk> it is a question navy_seal9614 ?
00:51 < sudormrf> all through laptops, laptops are company assets
00:51 < mawk> you should see the ip from the vpn range
00:51 < mawk> unless you're doing NAT from some kind of container holding your vpn, then you'll see the ip of that container
00:51 < mawk> but not some local public ip
00:53 < mawk> if price was the sole critera when buying stuff we would know that
00:53 < mawk> lol
00:54 < dna6a> If I want to link 2 asus routers via wired connection and mainain LAG on each router
00:54 < dna6a> do I just have 192.168.1.1 and 192.168.1.2? and link them LAN TO LAN?
00:54 < dna6a> or LAN TO WAN?
00:54 < mawk> you've got your solution ready to force the proxy on the system sudormrf ? I'm curious about it
00:55 < mawk> forcing a vpn should be easier
00:55 < UltraPhil> mawk, sudormrf Was just thinking about that; can you really force it on macos ?
00:55 < mawk> I guess using firewall rules you can forbid not using it
00:55 < sudormrf> the VPN here is trash
00:55 < mawk> which sums up to forcing it
00:55 < sudormrf> yes you can
00:56 < sudormrf> you can force it with Casper
00:56 < UltraPhil> ah ok
00:57 < UltraPhil> net traffic on AWS isn't free so I kinda doubt it's a better option from an on-prem VPN using company net?
00:58 < sudormrf> we are AWS native
00:59 < UltraPhil> I just doubt that, cost-wise, it's better to use AWS than company net
00:59 < sudormrf> possibly, but our VPN is trash
00:59 < UltraPhil> but depends on your company net
00:59 < sudormrf> yeah
00:59 < UltraPhil> have you considered hosting an openvpn on prem ?
00:59 < mawk> why is it trash ?
01:00 < mawk> openvpn isn't exactly the fastest thing on earth
01:00 < sudormrf> we are using openvpn
01:00 < sudormrf> and it doesn't scale
01:00 < mawk> indeed
01:00 < sudormrf> we are going to replace it
01:00 < UltraPhil> your users are geographically sparse?
01:01 < mawk> IPSec have much better performance
01:01 < mawk> and some new linux-android-only (for now) things like Wireguard pretty much beat them all
01:01 < sudormrf> openvpn isn't designed for large enterprises. openvpn Access Server is closer, but it doesn't do posturing
01:01 < sudormrf> it's good for home
01:01 < sudormrf> but
01:01 < sudormrf> yeah
01:01 < mawk> in terms of security, speed, ease
01:04 < sudormrf> openvpn has all of those, but doesn't scale for a large enterprise
01:04 < mawk> for security and ease yeah
01:04 < mawk> speed, maybe not
01:04 < mawk> https://www.wireguard.com/performance/
01:05 < sudormrf> debateable
01:05 < mawk> I'd call 260 Mbps over 1 Gbps fast enough, but doesn't beat other competitors at all
01:05 < sudormrf> lots of configuration options
01:05 < mawk> yeah
01:07 < Carll> I may look into this soon actually and compare to openvpn, although my top speed is 35mbps
01:08 < mawk> using wireguard I achieve around 850 Mbps
01:08 < mawk> on my fiber connection
01:08 < Carll> mawk: have you compared against openvpn, I'm more concerned regards to pings.
01:09 < mawk> not yet but I have to set one up
01:09 < mawk> wireguard doesn't pass through crappy open wifis in macdonalds
01:09 < mawk> openvpn is good for that
01:09 < mawk> for ping time you've got a chart on my link
01:11 < lem0n> just found a really interesting issue with PXE/DHCP.. we run automated VM deployment to tons of VLANs using PXE boot.. the DHCP servers and servers replying with PXE information are separate, and there are separate sets too depending on the subnet. it usually works very reliably but have had consistent issues with one subnet.. we set a delay on the dhcp scope and it totally worked
01:11 < lem0n> im trying to figure out if theres an order for with the response from the dhcp server has to be received compared to the position of the option 60 response
01:12 < lem0n> have consistently reproduced the issue until the 100ms dhcp delay was introduced
01:13 < Carll> mawk: I just installed the TAP adapter on my windows, gonna look into it tomorrow, thanks.
01:28 < Kythlo> Hey guys inm having a issue with sending emails to one client, they keep bouncing back and i have no idea why been emailing for over 10 years but theyre bouncing back  i get this error message
01:28 < Kythlo> Final-Recipient: rfc822; sgarland@arbutusclub.com Action: failed Status: 5.0.0 Remote-MTA: dns; webmail.arbutusclub.com. (96.53.49.118, the server for the  domain arbutusclub.com.) Diagnostic-Code: smtp; 550 209.85.217.182 is not allowed to send mail from ashadebetter.ca Last-Attempt-Date: Fri, 13 Apr 2018 16:16:47 -0700 (PDT)
01:28 < Kythlo> I dont think id be on the spam list since we do business together
01:29 < Irritiable|LT> Diagnostic-Code: smtp; 550 209.85.217.182 is not allowed to send mail from ashadebetter.ca
01:30 < tds> ^ your spf record has include:spf.protection.outlook.com, but the IP looks like it's a google mail IP or something
01:30 < tds> so they're validating spf and rejecting the message, as they should, since you have -all
01:31 < sudormrf> openvpn is entirely based on your setup
01:31 < Kythlo> it is a google mail ip, google account but we use outlook software
01:31 < sudormrf> and the end to end things
01:33 < Kythlo> can you elaborate @tds? Im confused i dont know much about spf
01:33 < tds> Kythlo: it looks like your email is being delivered to google, so if it's a plain google apps setup, you just need to update the record
01:34 < tds> a spf record lists the mail servers which are permitted to send mail on behalf of a specific domain, and the gmail servers aren't included in the record for your domain
01:34 < tds> and that record also includes "-all", which means that any emails failing the checks should be rejected
01:34 < Kythlo> v=spf1 include:spf.protection.outlook.com -all
01:35 < Kythlo> It is plain google app setup, what do you mean by update the record?
01:39 < Kythlo> @tds any idea where i would make the change  in google settings? Do i need to add my domain some where ?
01:39 < tds> Kythlo: indeed, that's the record - you will need to update the record with your dns provider (probably the registrar)
01:40 < tds> google should have docs for that
01:40 < tds> https://support.google.com/a/answer/33786?hl=en
01:42 < Kythlo> Yeah i have that up, is there a reason why it all of sudden stopped working?
01:42 < a1fa> hello.. i have a cisco asa ipsec question -- cisco router connecting via ipsec to two separate routers that do dynamic routing. one router is primary for "A/24", and other router is primary for "B/24" both are able to carry A,B traffic. Is it possible to setup two tunnels on Cisco to carry A(primary),B(failover) and B(primary),A(failover) respectively?
01:42 < a1fa> s/cisco router/asa/
01:43 < a1fa> err/ turns out is a 3750
01:44 < tds> Kythlo: assuming you haven't changed the record recently, it's likely they just modified their mail system to check spf
01:49 < dna6a> Hi all
01:49 < dna6a> I want to connect 2 routers via wires connection
01:50 < dna6a> https://www.snbforums.com/threads/gt-ac5300-any-news-or-updates-on-support.45906/#post-397106
01:50 < dna6a> oops sorry
01:51 < dna6a> do i leave primary as 192.168.1.1 and new router as 192.168.1.2 and connect LAN to LAN or LAN to WAN?
01:52 < dna6a> Each of the routers have LAG to a NAS on each
02:54 < mast> Anyone work with Intel SR2600s?
03:19 < ironpillow> hi all can't figure out if this is a managed or unmanaged switch: https://www.tp-link.com/us/products/details/cat-41_TL-SG1016PE.html. It has vlan, qos and igmp snooping
03:19 < ironpillow> but they say it's smart switch
03:19 < ironpillow> TP link never mentions managed
03:20 < mast> "Web-based user interface and management utility simplify configuration "
03:21 < mast> Thought you probably already saw that
03:21 < mast> I have this burning need for POE
03:21 < mast> All of my switches are only POE capable when hooked into a secondary PSU
03:27 < Harlock> ironpillow smart switches are minimally managed switches yes
03:28 < ironpillow> Harlock: oh ok. thanks
03:29 < ironpillow> mast: yep saw that
03:29 < mast> :)
03:43 < SynfulAck> anyone familiar with nx-os? Got a weird problem where i can ssh into the mgmt interface but the switch can ping anything.
03:44 < SynfulAck> cant ping anything*
04:30 < DrunkRhino> Ok, this is probably something stupidly simple that I'm forgetting, but why might a machine running dnsmasq + dhcp resolve the names properly for clients querying it, but not on the machine itself? (i.e. "ping eee" works fine from my tower, which is querying my pi, but not on the pi itself)
04:33 < Kingrat> does the pi have its nameserver set as itself, or another address?
04:36 < DrunkRhino> resolv.conf points to 127.0.0.1
04:50 < fryguy> what's nsswitch.conf entry for `hosts`
04:51 < DrunkRhino> files mymachines myhostname resolve [!UNAVAIL=return] dns
04:52 < fryguy> is systemd-resolved running?
04:52 < DrunkRhino> Yep
04:52 < fryguy> what's /var/run/systemd/resolve look like?
04:53 < DrunkRhino> the resolv.conf there also 127.
04:54 < fryguy> interesting
04:54 < DrunkRhino> I mean, it's the machine handing out the leases so I'm positive it's probably just something stupidly simple that I forgot to configure.
04:55 < fryguy> if you `dig @127.0.0.1` locally does that work?
04:56 < DrunkRhino> drill eee @127.0.0.1 returns the .0.5 it's supposed to
04:56 < fryguy> and drill w/o @127.0.0.1
04:56 < fryguy> ?
04:57 < DrunkRhino> Same thing, weirdly. Ping eee returns "name or service not known" though
04:57 < fryguy> so systemd-resolved is doing something then
04:58 < fryguy> switch nsswitch so that dns is before resolve
04:58 < DrunkRhino> Bingo!
04:58 < fryguy> mine looks like `hosts: files mymachines dns myhostname
04:58 < fryguy> `
04:58 < fryguy> and i'm pretty sure we are on the same OS
04:58 < fryguy> because my commented out one from me messing with this previously is the same as yours
04:59 < DrunkRhino> I remember that I'd futzed with nsswitch.conf before I had to re-image the SD card for the pi, but I couldn't remember what I'd done to it, and what specifically I'd fixed with that.
05:00 < DrunkRhino> Thanks for the help!
05:07 < sakjdhfsadf> what specs do i look at to know if i'm buying a long range wifi adapter?
05:42 < tpanarch1st> will these permissions make my server vulnerable please? https://docs.suitecrm.com/admin/installation-guide/downloading--installing/
05:51 < Kalecgos> Hi, relatively new to networking, struggling with class A and B classful subnetting issues. https://i.imgur.com/BS0G3iC.png This problem, for example. I can manually write out each subnet, but when the problem is asking for Subnet ID 40's last host address, it's kind of hard to write out 41 subnets lol. Is there a formula to quickly calculate that kind of stuff? I remember my proff mentioning something about it but I can't seem 
05:52 < Kalecgos> For a direct reference for the linked problem, how would I get the subnet number (network address) of the 13th subnet without manually writing out the entire 0-13 path.
05:55 < meingtsla> You may be able to start noticing patterns after writing out the first few subnets, so there's that
05:55 < Kalecgos> Yeah I did that on the quiz today, 64 host addresses per subnet, so every 4 subnets the pattern resets
05:57 < Kalecgos> So like would the first host address of that example problem's 40th subnet be 190.35.20.1?
05:58 < meingtsla> Step back a few and tell me how you arrived at that
06:01 < Kalecgos> 64 addresses/subnet, so every subnet's HA range is .1-.62, .65-.126, .129-.190, 193-254
06:02 < Kalecgos> every 4 subnets adds one to the 2nd octect, so subnet 0 = 0.xx, subnet 4 = 1.xx
06:02 < Kalecgos> 40/4 = 10
06:02 < Kalecgos> 10.1
06:02 < Kalecgos> Since it's the first host address
06:02 < meingtsla> OK that's better. You said 190.35.20.1 earlier
06:02 < Kalecgos> oops sorry
06:03 < Kalecgos> My pattern/logic looks correct though, right?
06:04 < meingtsla> Also I see you're treating 0.0/26 as the zeroth subnet. Following that convention makes the counting one step simpler :D
06:05 < Kalecgos> Yeah for this class, you have to include it in answers
06:06 < Kalecgos> Now, that's an easy pattern, just +64 or 1/4th of an octect per subnet
06:06 < meingtsla> ...as opposed to calling 0.0/26 the first subnet
06:07 < Kalecgos> in my head I know it's the first, but if I were talking to a router it's the 0th
06:07 < Kalecgos> just makes more sense on paper when I'm writing it
06:07 < Kalecgos> to me, at least
06:07 < meingtsla> Yeah
06:09 < Kalecgos> What about something like https://i.imgur.com/eM1mwhe.png
06:10 < Kalecgos> For the BA of the 1023rd subnet/subnet ID 1022
06:10 < Kalecgos> I could do that by going backwards from 162.255.255 obviously
06:11 < Kalecgos> here, let's use the same problem, but subnet ID 632
06:11 < Kalecgos> I can't mental math my way through that, and don't see a pattern to skip anything really
06:12 < rewt> you should tell your prof that classes were deprecated about 25 years ago...
06:12 < Kalecgos> We're switching to classless
06:12 < rewt> the only time you should be using them, unfortunately, is when studying for ccna, but should promptly forget about them right after
06:12 < Kalecgos> Yeah this is part of the ccna prep course
06:12 < Kalecgos> er, the precursor to it
06:13 < Kalecgos> Today was the first day of classless
06:13 < Kalecgos> which makes a lot sense to me so far
06:13 < rewt> if cisco gives you a survey about it, make sure you tell them it's been deprecated for two and a half decades
06:14 < meingtsla> Kalecgos: Wait, I thought you were counting subnets starting with 0 and not 1. Why is the 1023rd subnet not the last one?
06:14 < Kalecgos> This question is worded differently
06:14 < Kalecgos> this course is a nightmare
06:14 < Kalecgos> in the workbook, the 1023rd is the 1023rd
06:14 < Kalecgos> in tests/quizes, 1023rd is the subnet ID 1022
06:15 < rewt> omg, "borrowed bits"???
06:15 < rewt> cisco really has to update their material
06:15 < meingtsla> The bits are not being returned
06:15 < meingtsla> Surrendered bits?  Stolen bits?
06:15 < Kalecgos> all your bits are belong to us
06:16 < rewt> cisco isn't french, so stolen
06:16 < meingtsla> Ha, I wasn't even thinking of that
06:17 < Kalecgos> http://docdro.id/ZzIZAQW
06:17 < Kalecgos> here's the student version of the workbook
06:17 < Kalecgos> (the instructor version is publically searchable on my school's website from google btw)
06:18 < DoYouKnow> 23:10 < Tylak> https://twitter.com/shearm/status/984954963393744901
06:18 < Kalecgos> ,/faculty/chento/secure/lectures/
06:18 < Kalecgos> "secure:
06:21 < Kalecgos> I really like this class because of how often the proff changes question wording
06:22 < Kalecgos> Because now on my midterm we have questions like "What is the first host address on the subnetwork that the IP address 172.20.114.25/23 belongs to?", which I think I know how to do, but has never been in this format in our quizes or workbook.
06:22 < rewt> page 9 has an error
06:24 < Kalecgos> I feel like I should have skipped this class and gone straight to intro to networking
06:24 < Kalecgos> 'cuz this class is a subnetting and binary class
06:24 < Kalecgos> and y'all aren't the first to say classes are outdated
06:25 < rewt> i'm sorry you have to go through this :(
06:26 < rewt> lol @ page 74 ... someone's not so good with making diagrams
06:28 < rewt> page 78; i wonder what answer they expect for 127.100.100.10/8
06:29 < Kalecgos> what page is it on?
06:29 < Kalecgos> I have the instructor copy, I'll check
06:30 < Kalecgos> https://i.imgur.com/J5H1Rrq.png
06:30 < Kalecgos> this?
06:31 < rewt> yea heh
06:31 < Kalecgos> "reference: inside front cover"
06:31 < Kalecgos> What front cover? there isn't a book for this class...
06:31 < rewt> but that doesn't answer the question as stated
06:31 < Kalecgos> I hate this shit dude
06:33 < rewt> inside front cover is 2nd page of pdf
06:34 < kang00> Hi any one from usa?
06:34 < Kalecgos> Ah, okay, I was going to be kinda tilted.
06:35 < Kalecgos> Well, thanks for the info guys. I'll pop in here for sure if I need to be pointed in a certain direction about stuff.
06:35 < rewt> anyways, back to your question, to calculate the start of the n-th subnet, just multiply the step between subnets by n, and if you treate the first as n=0, you should get the right answer
06:36 < Kalecgos> What do you mean step?
06:36 < Kalecgos> address range?
06:36 < rewt> the host ip
06:36 < rewt> yeah
06:36 < rewt> and that step will always be a power of 2
06:38 < Kalecgos> Would I divide the answer by 256?
06:39 < Kalecgos> the (address range x subnet )/ 256, that is
06:39 < Kalecgos> i.e 64 addresses per subnet, I want to find subnet 623's first host
06:40 < rewt> divide by 256 as req'd to get the octet values
06:40 < Kalecgos> 64 x 623 = 39872/256 = 155.75 so 165.200.155.193?
06:40 < Kalecgos> https://imgur.com/eM1mwhe
06:40 < Kalecgos> for this question
06:41 < linux_probe> lol
06:41 < rewt> yes, looks about right
06:42 < Kalecgos> Okay, fan-fuckin'-tastic
06:42 < Kalecgos> I knew I was missing something simple
06:42 < Kalecgos> I think I was doing that on my quiz today partially but we weren't allowed to use calculators
06:42 < Kalecgos> and I can't do mental math for the life of me
06:42 < rewt> just make sure you're not off by one
06:42 < rewt> easy to make that mistake
06:43 < Kalecgos> yeah NA would be .192, first HA would be .193
06:43 < Kalecgos> BA would be .255, last HA would be .254
06:43 < Kalecgos> subnet 623 address range = 165.200.155.192-155.256
06:43 < Kalecgos> 255*
06:44 < rewt> also for the multiplication part... is that 623 or 624
06:44 < Kalecgos> 623rd subnet including 0th
06:44 < Kalecgos> oh so that would be 624
06:44 < Kalecgos> sheeit
06:44 < rewt> isn't that 622 then?
06:45 < rewt> n=0 for 1st, n=1 for 2nd, n=622 for 623rd
06:45 < Kalecgos> ah yeah
06:45 < Kalecgos> that's what I meant
06:45 < Kalecgos> so subtract everything by 64
06:46 < Kalecgos> gonna save this log incase I forget
06:47 < rewt> btw, classless is much of the same, but there is no "default mask" and you're not limited to /8, /16, /32; it can be anything between /1 and /32
06:47 < rewt> well, /0 and /32
06:47 < rewt> and there's not "borrowed bits"
06:47 < rewt> -t
06:47 < Kalecgos> ye anything that's a network bit is locked away
06:47 < Kalecgos> no touchy
06:48 < Kalecgos> R E C L A I M the bits
06:48  * linux_probe couldnt pass that test
06:48 < linux_probe> where's my subnet calc lol
06:49 < Kalecgos> this is basically a math class
06:49 < rewt> pretty much
06:49 < linux_probe> >_> that what happens when you never touch anything but /24's
06:49 < rewt> heh
06:49 < linux_probe> it all goes away to the bit bucket
06:49 < Kalecgos> I just need more hands on practice, but the work book's questions are shitty and don't correlate to the quiz/tests
06:50 < Kalecgos> not kidding, there's 3 different versions of questions now that the midterm is worded entirely differently
06:50 < mast> what book is htis
06:50 < rewt> so like word problems in math class
06:51 < rewt> just have to identify the real math question and answer it
06:51 < Kalecgos> Well they're versions we haven't seen
06:51 < Kalecgos> I can extrapolate how to answer them but it's completely different
06:51 < rewt> they contain enough info to get at the answer, but there may be 2 or 3 steps
06:51 < Kalecgos> https://www.docdroid.net/ZzIZAQW/ipv4-classful-subnetting-workbook.pdf this @mast
06:52 < mast> Ah
06:52 < Kalecgos> it's not a 'real' book afaik
06:52 < mast> You know the CCENT books have decent coverage of this stuff
06:52 < Kalecgos> I just want to get this class done and move on to the next one
06:52 < mast> Wendell Odom and Todd Lammle
06:53 < whatsupdoc> Hi, does anyone know how to identify ISPs in a list of router ips?
06:53 < rewt> whatsupdoc: whois
06:53 < mast> You can even get these books for free from sites that end in iratebay
06:53 < DoYouKnow> whatsupdoc: AS #
06:53 < Kalecgos> https://www.amazon.com/CCENT-ICND1-100-105-Official-Guide/dp/1587205807 this book?
06:54 < mast> Yes that's one. People love this guy's book
06:54 < batch> hey can someone highlight me plz, tryin out something
06:54 < mast> Its dry though
06:54 < mast> Todd's book is written in more easy going language. And some people like that
06:55 < Kalecgos> I need to figure out what path I even want to go on in networking
06:55 < whatsupdoc> What do I look for in AS?
06:55 < whatsupdoc> whois
06:55 < rewt> look for the org name
06:55 < DoYouKnow> cononical organization name
06:55 < whatsupdoc> it's my university?
06:56 < rewt> which ip?
06:56 < whatsupdoc> http://dpaste.com/2FX8H57.txt
06:58 < rewt> yes, that starts out at UC Davis, and goes into google
06:58 < whatsupdoc> But where's the ISP?
06:59 < Kalecgos> If I wanted to start working on some general certs, what would the generic path be? A+>CCNET>CCNA=N+?
06:59 < Kalecgos> Or is N+ easier than I'm imagining
06:59 < rewt> whatsupdoc, looks like it's cenic
07:00 < whatsupdoc> ok that's what i was thinking also
07:00 < mast> Depending on your background you could start with CCENT
07:00 < Kalecgos> I have a lot of general IT knowledge, just starting to learn networking
07:00 < Kalecgos> hardware is my memes excluding enterprise stuff
07:01 < mast> For sure
07:01 < mast> I didn't bother getting my A+ before starting CCENT
07:01 < Kalecgos> I've heard a+ is kinda useless
07:01 < mast> I'm sure its slowed me down in a few places here and there, but to me it wasn't that big a deal
07:01 < linux_probe> Chicken Chokin Nut Adjuster
07:01 < mast> Definately not enough to make me think I should have taken the A+
07:02 < mast> The best way to find out though is to start reading and studying the first few chapters of the Wendell or Lammle books and see if it clicks
07:02 < mast> There's also CTBNuggets courses, older ones are on you tubes, and the paid up to date ones can be great tools as well
07:03 < mast> Just start dicking around in there and see how you feel after of learning
07:03 < whatsupdoc> how do you use whois to look up AS #?
07:04 < whatsupdoc> I need to find organization whose AS number is 3, 9, 32, 1239, and 12000
07:04 < mast> Its all fun shit. And if you like have this massive fear of surveillance, government or otherwise, that helps too
07:04 < whatsupdoc> I can use online tools to get the answers, but just wondering how to do it using whois
07:05 < Kalecgos> I'm the opposite
07:05 < Kalecgos> all about data collection
07:05 < Kalecgos> maybe I should follow a google/amazon pipeline
07:05 < Kalecgos> hmmm
07:06 < whatsupdoc> networks are pretty cool. i can't believe everything is actually wired
07:06 < mast> I love it
07:06 < Kalecgos> yeah I just need to get some books
07:06 < mast> I am picking up a fun haul of stuff on Monday
07:07 < Kalecgos> sadly The Bay isn't a great pick for me, can't retain info I read on a screen for whatever reason
07:07 < Kalecgos> and fuck printing a 4082 page book
07:07 < mast> x3650 M3, C160 ironport, Trendnet 802R, two console servers just for the lols and a few upgrades here and there
07:08 < mast> Haha I hear you Kalecgos
07:08 < mast> I printed the Lammle book, but then I have a laser printer that's great on ink
07:08 < Kalecgos> hmm, maybe I should get a printer
07:08 < mast> Try the CTBNuggets videos. They are awesome.
07:09 < mast> I think its best to flesh what they talk about with some book learning, but they are super engaging
07:12 < whatsupdoc> How do you search AS numbers?
07:12 < Kalecgos> mast , if you know off hand, would it be a bad choice to print these ccnet books in B&W or is there not much color/graphics?
07:13 < mast> Black and White is fine for Lammle
07:13 < mast> haven't had a change to get through the Wendell book yet
07:18 < jvwjgames> Hello all how can i do two subnet i have one subnet block as 162.220.209.34/29 adn the other block as 162.220.209.49/28 and confused on the gateway
07:26 < whatsupdoc> Does anyone know a famous server that is located outside the us?
07:27 < whatsupdoc> I have a hard time finding one because whenever I try one they are hosted in US
07:32 < mast> www.thepiratebay.org
07:39 < whatsupdoc> I'm getting some strange results
07:40 < whatsupdoc> What's with the never ending stars?
07:40 < whatsupdoc> http://dpaste.com/2ATBJGX.txt
07:42 < dirac1> wow Paris-Sanclay university.
07:43 < dirac1> Saclay.
07:47 < whatsupdoc> ?
07:48 < whatsupdoc> It just gets dropped all the time
07:49 < whatsupdoc> dange finally found one
08:11 < raykom> Hey guy
08:11 < raykom> Guys
08:12 < raykom> I'm scared shitless, moments ago I was browsing a few adult sites and when I clicked a link on one of them it look like it had illegal content.. I immedietly exited everything
08:12 < raykom> what are the odds of the feds banging on my door
08:12 < Maarten> they are already on their way.
08:13 < raykom> ..
08:13 < Maarten> knock, knock neo.....
08:14 < raykom> I used 2 vpn's and tor but not sure if that does anything... screw these scumbags that upload this crap
08:15 < Maarten> i wouldn't worry about it.
08:15 < Maarten> though.... you could report the site to the police.
08:15 < Harlock> it's probably set up by the police
08:15 < raykom> Well i exited in less than 10 seconds and I never noted the url or anything
08:16 < raykom> I dont think tor stores the url do they?
08:16 < raykom> I could report it without accessing the site but I closed tor
08:16 < Harlock> it probably installed tracking software so they can find you later
08:16 < Maarten> tor is where most child porn gets trafficked through these days....
08:17 < raykom> yeah I assumed that
08:18 < raykom> But the site that had the link to it was legal
08:18 < raykom> At least it looked legal
08:18 < raykom> i am sooo worried right now :(
08:19 < Maarten> 2 vpns and tor and you are worried?
08:20 < raykom> yeah
08:20 < raykom> tor is probably bait so I wold not consider that as a protection level
08:20 < Maarten> disconnect your internet. Only way to ensure the feds aren't coming. Unplug everything physically from the wall, and wait at least 4 weeks.
08:20 < dedmen> hello
08:22 < dedmen> helloooo
08:22 < dedmen> anyone online ?
08:23 < korean-walmart> no
08:26 < dedmen> this so lame
08:37 < Aztec03> dedmen tell no tales
08:38 < dedmen> what ?
08:39 < Aztec03> aw shit its just a piratey disney thing from one a those moviefilm things
08:40 < Aztec03> what's yer question though?
08:41 < dedmen> nah i just wanna learn hacking
08:41 < Aztec03> you're cool now
08:41 < Aztec03> now we are both cool guys.
08:56 < raykom> so you suppose with 2 vpn's and tor, they may consider it a mistake on my part(which is was)?
11:14 < pabed___> Hi guys ,  I  trunked an interface on cisco 2960 , when I connect aricap 2700 to trunked port , I see its show status  notconnected and it is on vlan 1 yet , why it does not change to trunk  status ?
11:16 < pabed___> But when I connected the port to other 2960 switch the port's state changed to trunk , I don't know the problem comes from aircap or switch ?
11:34 < Screwsss> My emails are being sent to the wrong address
11:34 < Screwsss> Well some of them
11:35 < Screwsss> Its really random
11:39 < Screwsss> Hey
12:08 < Apachez> did raykom burn his computer yet?
12:23 < batch> hi can anyone tell me what the requierments are in iptables to forward a protocol ?
12:29 < detha> knowing how to -I FORWARD -p <protocol-nr> -j ACCEPT
12:43 < batch> detha is that all?
12:44 < batch> because, i do have a script that i found online, but i think it does a little bit too much
12:44 < batch> let me find it
12:45 < detha> batch: that is what I would define as 'forwarding a protocol'. -p tcp, -p50, ...
12:47 < batch> detha ok sweet thx for explaining, this is the script that i thought that worked because i did it some time ago but then fuzzing too much with configs and fucked up again: http://ix.io/17JZ
12:47 < batch> should work but maybe there's too much
12:48 < batch> i really need to learn iptables i think
12:54 < detha> that looks like a very simple 'anything is allowed to make outgoing connections, nothing is allowed to come in from the internet, NAT to internet' setup
12:58 < batch> ok thankyou detha !
13:23 < zamanf> I am using an application to send udp packets from one pc to another. The packet goes through the router and the mac address changes on the way. Is there any option in routers to overcome this one and send my original mac address to the destination pc?
13:23 < Spice_Boy1> zamanf: no, that doesn't make sense
13:24 < Spice_Boy1> if it has to route, then it will go through a router, and the other interface on the router will be the new source mac
13:25 < Irritiable|LT> zamanf: You could send your MAC address via the UDP packet.
13:38 < zamanf> I see
13:38 < Irritiable|LT> My suggestion is just a band-aid solution (probably the only one).
13:39 < Irritiable|LT> That or remove the router from the equation?
13:39 < zamanf> I Will explain another situation
13:39 < Irritiable|LT> zamanf: Pure curiosity. Why do you want the receiptient to see the MAC address of the sender?
13:40 < Irritiable|LT> receipient *
13:42 < zamanf> I am using ubuntu to run a vmware windows machine. In the windows machine I run an application that interacts using udp packets with other remote machines. So, when I use wireshark or my custom made udp packet tracker, I can find the remote IP addresses that connect to the windows machine, but when I print the MAC address, it shows mine as their
13:43 < zamanf> it shows the routers mac address
13:43 < zamanf> my router
13:43 < petemc> thats how ethernet works
13:44 < zamanf> so what is the solution here? create a udp packet tracker and launch in the windows installation?
13:45 < Irritiable|LT> zamanf: Okay. You could definitely solve that by sending the MAC address through the UDP packet.
13:45 < Irritiable|LT> [06:25:43] <Irritiable|LT> zamanf: You could send your MAC address via the UDP packet.
13:45 < zamanf> this isn't possible Irritiable|LT
13:45 < zamanf> I mean, I can't add extra data to the packet
13:45 < Irritiable|LT> The Win32 API should be able to pull the operating system's MAC address pretty fast.
13:45 < Irritiable|LT> Ah.
13:45 < Irritiable|LT> A limitation in the utility used.
13:52 < detha> zamanf: where are you capturing that traffic? with bridged networking you should be able to see that mac address on the bridge, or on the router side
13:59 < zamanf> I am capturing the traffic from the Ubuntu
14:00 < zamanf> not sure if I can overcome this obstacle by changing the network settings in vmware
14:02 < detha> which mac address are you after? the VM's or the connecting machine's ?
14:07 < Irritiable|LT> detha: zamanf said he wants: Sending machine's MAC address to arrive at receiving machine.
14:07 < Irritiable|LT> detha: The transmit method is a UDP packet from some unknown utility. He cannot control the UDP packet data being sent.
14:07 < detha> Irritiable|LT: ah. that's a case of 'That is not how ethernet works' indeed then
14:17 < _BIGSHOT_> anybody using plex?
14:17 < _BIGSHOT_> echo dot
14:21 < LFSveteran> got an openvpn server running, client connection is established and it's able to ping the server ip 192.168.10.1
14:21 < LFSveteran> on the same machine as the openvpn server, there are also other services like samba
14:21 < LFSveteran> these are not accessable by VPN/tun0 yet, how to connect these together?
14:23 < plasma> LFSveteran: you could make them listen on the ip of the VPN/tun0, for example
14:35 < LFSveteran> a simple "bind 192.168.10.1" in the telnet config of xinetd won't work
14:35 < _BIGSHOT_> anybody using plex with echo dot?
14:37 < detha> telnet? 1990 called, they want their protocol back.
14:38 < LFSveteran2> I know , just for test
14:38 < LFSveteran2> telnet on a VPN is pretty useless
14:38 < detha> xinetd will have to be restarted /after/ the ovpn server comes up
14:38 < LFSveteran2> I did
14:39 < detha> firewall? /etc/hosts.{allow,deny} ?
14:39 < LFSveteran2> some iptables settings?
14:39 < zamanf> I used wireshark from the windows installation, I still get the router's mac address. I am not sure what can I do, to get the remote mac
14:39 < lupine> socket initiation is exactly inetd
14:39 < lupine> the more things change, the more they stay the same
14:39 < detha> zamanf: you can't.
14:39 < zamanf> detha, maybe the remote mac?
14:39 < zamanf> of the router
14:40 < lupine> if you share an ethernet segment, you can get it. if you don't, you probably can't
14:40 < batch> LFSveteran2 maybe forward per interfaces
14:40 < zamanf> the reason I need this, is because the remote IP addresses are dynamic - so I need to find a way to spot them even when they change
14:40 < LFSveteran2> https://pastebin.com/1at5ahtS
14:40 < lupine> although if you're on ipv6 you might be able to intuit it from SLAAC if privacy extensions aren't on
14:41 < lupine> zamanf: go up a few layers
14:41 < detha> zamanf: so listen for traffic on the VM's address
14:41 < lupine> give them persisten application-level credentials and stop worrying about it
14:41 < lupine> MACs are trivial to spoof anyway
14:42 < zamanf> I can't lupine
14:42 < Apachez> PCs are harder
14:43 < detha> Mainframes, even harder than that
14:44 < lupine> zamanf: yes you can
14:44 < lupine> don't be silly
14:45 < zamanf> I can't change the code of the programs that send the packets
14:45 < _BIGSHOT_> anybody using plex with echo dot?
14:54 < Apachez> only with sierra foxtrot alpha
14:57 < Irritiable|LT> [07:37:46] <detha> telnet? 1990 called, they want their protocol back.
14:57 < Irritiable|LT> Telnet was great for AT&T's Battle.net servers (used for Blizzard games) until they finally shut it off in the early 2000s.
14:58 < Irritiable|LT> Telnet bots were the most simple and the whole reason for vL Clan's private servers and their voodoo magic that StealthBot was built around (VBS).
14:58 < Irritiable|LT> VB / VBS *
15:04 < jorja> Hello
15:06 < jorja> I had a power outage and now the router I use is flashing even when there are no ether cords plugged into it and not connecting to the internet. Is it toast or is there a way to get it to work again? I have already tried unplugging it and replugging it in
15:08 < wiresharked> So I think that "gigabit lite" for ethernet adapters is something to improve latency?
15:09 < Irritiable|LT> jorja: Have you opened up the router to inspect it internally to see if any of the hardware is visually damaged? You can also smell burned components if nothing's visually there.
15:09 < Irritiable|LT> (Do not laugh at the wording on that; it has a secondary and hilarious meaning if you read it wrong.)
15:09 < jorja> I do not know how to open one or even what to look for
15:10 < Irritiable|LT> jorja: I am assuming modern routers have tiny screw holes (I doubt they're using torx screws on them). If you see any sort of melted or burned components: You have an issue.
15:10 < jorja> I am not taking iot about
15:10 < Irritiable|LT> A circuit board is typically green. If it's burned or damaged: It'll look just like anything that's burned is: Dark brown or liquified metal.
15:10 < Irritiable|LT> Also known as: Slag metal.
15:12 < wiresharked> jorja: Well, that's what happens when you overclock your computer..
15:13 < Irritiable|LT> wiresharked: He mentioned a 'power outage.' There was a tornado near-by Texas earlier. We also had power-outages here in Texas.
15:14 < Irritiable|LT> Probably just a lightning strike. This is why if you have expensive toys plugged in walls during lightning storms and refuse to unplug them: You should at least invest in a cheap surge protector.
15:14 < Irritiable|LT> Better to lose a $100 surge protector as opposed to a $250 router / $400 TV / etc.
15:15 < LFSveteran> https://pastebin.com/h90JpeJf
15:15 < LFSveteran> added INPUT and FORWARD of TUN0
15:15 < LFSveteran> still nothing
15:17 < wiresharked> You are certainly correct about the surge protector. And I think I heard about that tornado near texas. Out here in the midwest, we're supposed to get an ice storm
15:17 < detha> LFSveteran: iptables takes first matching rule. you have a REJECT all to all before your rules
15:20 < jorja> No lighting stikes so it was not caused by lighting
15:21 < wiresharked> Probably a shorted fuse somewhere
15:22 < detha> or maybe the isp is still suffering from 'No Power'......
15:23 < wiresharked> That would not cause a router to be burned up though
15:23 < detha> No. But it would stop it from connecting internet. And if it's TR069, also from getting a sane config.
15:24 < LFSveteran> ok, can acces telnet server now
15:24 < jorja> I am on the isp
15:24 < mervin> hello everyone
15:24 < LFSveteran> moved the rules a row higher before the reject
15:24 < jorja> I am on the internet right now
15:25 < wiresharked> detha: The configuration of the settings has nothing to do with the voltages of anything
15:25 < LFSveteran> however still no samba
15:26 < wiresharked> Is port 445 blocked?
15:26 < detha> LFSveteran: port 445/tcp, older versions samba needed 143 or something like that
15:26 < detha> 137/138, actually
15:26 < LFSveteran> I recall 445, 136 .. 139
15:27 < wiresharked> So if that's the case, then check to make sure that ports 445, 136, and 139 are all allowed
15:27 < LFSveteran> 445 open
15:27 < LFSveteran> 136 tcp closed
15:27 < detha> also, isn't some samba stuff udp?
15:27 < LFSveteran> 137/tcp cloded
15:28 < LFSveteran> 138/tcp closed
15:28 < detha> easiest way to see: tcpdump on the tunnel interface, see what the client tries
15:29 < LFSveteran> I thought I justed opened everything with the iptable rules...
15:29 < aaro> 137-138 UDP, 139 TCP
15:35 < LFSveteran> https://pastebin.com/zLjdNnSA
15:37 < detha> that appears to be talking
15:38 < LFSveteran> y
15:43 < jorja> I had a power outage and now the router I use is flashing even when there are no ether cords plugged into it and not connecting to the internet. Is it toast or is there a way to get it to work again? I have already tried unplugging it and replugging it in
15:46 < LFSveteran> not flawlessly yet
15:46 < LFSveteran> switched back to the telnet solution once more
15:47 < LFSveteran> can login, can cd but ls freezes
15:47 < detha> LFSveteran: sounds like MTU issues
15:48 < detha> set the MTU on the tunnel interface 20 or 40 lower
16:03 < adrian_1908> those of you who use iptables, do you prefer a frontend like e.g. "ferm", or do you stick to just the iptables command?
16:07 < LFSveteran> just typing iptables
16:07 < jorja> I had a power outage and now the router I use is flashing even when there are no ether cords plugged into it and not connecting to the internet. Is it toast or is there a way to get it to work again? I have already tried unplugging it and replugging it in
16:08 < detha> adrian_1908: no frontends, plain iptables, generated from templates if need be.
16:09 < adrian_1908> ok, thanks.
16:21 < Kingrat> jorja, usually the cheaper home router hardware just dies and does stuff like that, could be a bad capacitor that needs to be replaced, could also be a bad power supply you can try another one, but thats about as far as its worth going
16:22 < jorja> do not have another one
16:24 < Kingrat> is it a wierd power supply? most use a 12v/1a brick with a standard sized plug which is used on many other things, but i have seen non-standard as well
16:25 < jorja> I do not have a spare plug
16:25 < Apachez> no spare buttplug?
16:26 < Apachez> your redundancy is ashamed...
16:26 < hendrikz> o.O
16:28 < compdoc> now Im ashamed
16:59 < batch> hey, the uplink, is it more like the connection to WAN, or is uplink more like the NIC for a bridge?
17:00 < batch> NIC for a bridge into a lan
17:00 < batch> ?
17:01 < detha> uplink goes up in the drawing. it links to one thing that serves a bunch of 'what your level is' things.
17:01 < batch> hmm
17:02 < batch> so let's say the uplink in a systemd-networkd bridge
17:03 < batch> what should i imagine it like?
17:03 < batch> like, the nice that's forwarding to a bridge adapter?
17:04 < batch> s/nice/NIC
17:04 < detha> spaghetti. it's systemd
17:04 < batch> fml
17:07 < detha> bridges don't have uplinks other that what you define as 'the uplink'
17:09 < Apachez> bridges just have walk or driveways
17:15 < tpanarch1st> hey, this isn't a pure networking question but I was hoping for some non-shootdown ideas please :)
17:16 < tpanarch1st> I have an old website, no updates available (I don't really know what you call a website system) and I'm looking to explore ways of securing it as it is around 10 years old
17:16 < tpanarch1st> i'm not sure, to start, how to identify vulnerabilities with it
17:19 < Kingrat> how are you hosting it
17:23 < detha> tpanarch1st: what is your budget?
17:24 < tpanarch1st> Kingrat: currently, i'm running it on an outside host but I want to migrate it onto ispConfig eventually
17:25 < tpanarch1st> sadly, and it is a gorgeous system froma  usability standpoint but they stopped updating it
17:25 < batch> me trying to make a bridge in raspberry zero with systemd: https://www.youtube.com/watch?v=hUTY5aFdN-4
17:25 < tpanarch1st> I was ever so proud of the achievements of suiteCRM to - what a well developed system!
17:26 < tpanarch1st> nice when you don't have to complain!
17:39 < we3gerg> Hello, I have a layer two switch with four VLANs. I have a server VLAN, call it 'S', and the the other three VLANs 'A', 'B' and 'C'. I want A and B to talk to S, and S to talk back to A and B. Also, A, B and C to remain uncommunicated with each other. How can I do this
17:40 < nickermire> we3gerg: sounds like you need a router and some ACLs
17:40 < we3gerg> That's what I heard, use edge router and use ACLs
17:41 < larry> what pack for wpa2
17:41 < we3gerg> but I heard of this "trunking" thing too, is that necessary?
17:41 < nickermire> depending upon the l2 switch you have, sometimes the switch will do interVLAN routing so you could then skip on using a router.
17:41 < we3gerg> I want to use the router though
17:41 < nickermire> gotcha
17:42 < nickermire> you might also be able to get away with using a opnsense/pfsense firewall as your router/fw and then just create firewlal rules instead of mucking with ACLs on the switch.
17:43 < nickermire> hope that helps.
17:43 < we3gerg> I thought ACLs were done on the router?
17:43 < larry> going through the source code explains things
17:43 < hendrikz> router on a stick
17:44 < hendrikz> ;)
17:44 < we3gerg> router on a stick, heard of this too
17:44 < larry> what pack for wpa2
17:44 < nickermire> we3gerg: the smarter l2 switches have ACL capability
17:44 < we3gerg> this is when you split one interface into sub-interfaces?
17:45 < nickermire> we3gerg: yes
17:45 < larry> that wink is somebody who plays devil is it?
17:45 < larry> using lib linear it is a pinhead attack
17:45 < we3gerg> won't that compromise routing to the outside?
17:45 < larry> if the wink is in the code nost likely it is all compromised
17:46 < larry> going through the source code explains things
17:46 < we3gerg> say, if I do router on a stick for my switch and vlans, and then I want to access the internet from one of the hosts in the vlan, that won't be compromised due to the router on a stick setup?
17:47 < Apachez> router on a stick is a bad setup securitywise
17:47 < Apachez> since you are mixing internal and external traffic in the same device twice
17:47 < we3gerg> what do you recommend?
17:47 < larry> what pack for wpa2
17:47 < nickermire> we3gerg:  Right as your router would have the default gateway and be able to forward on traffic inteneded for the internet.
17:48 < larry> so pinhead can shape actions
17:48 < we3gerg> okay that's good
17:48 < larry> good is a good thing, yes?
17:48 < we3gerg> I guess I'll go with the ACLs on the router, make it happen with the firewall
17:49 < nickermire> we3gerg: if you have enough interfaces on your router, you could put a physical interface in each vlan if you're having bandwidth issues. Then, have a final interface for your uplink out to the internet.
17:50 < nickermire> Lots of ways to do these things. Usually money is the limiting factor.
17:51 < we3gerg> optimizing for simplicity, lowest cost and highest security
17:51 < detha> pick any two
17:52 < we3gerg> security and simplicity of design?
17:54 < detha> L2 switch, firewall/router with one interface per vlan, and one interface out to the interwebz.
17:55 < we3gerg> seems good except for the 1:1 int:vlan
17:55 < we3gerg> why is that necessary?
17:55 < detha> router-on-a-stick with running switch->router over one trunk is less cables, and less throughput between vlans
17:56 < we3gerg> that's okay, very little traffic anyway
17:56 < we3gerg> someone mentioned router on a stick is less secure
17:57 < we3gerg> and I'm not sure how I can prevent certain vlans from communicating
17:57 < detha> 'can be less secure', depending on how it is implemented
17:57 < we3gerg> okay: can I hook up my switch to the edge router with just one cable and manage traffic between VLANs with ACLs and route internet traffic outside? is this possible?
17:58 < detha> yup
17:58 < we3gerg> I reckon the only issue is throughput right?
17:59 < detha> unless you are running things at >90%, not really worth worrying about
17:59 < nickermire> yep
17:59 < nickermire> not sure about the security concern.
17:59 < nickermire> but I'm willing to learn something new too.
18:00 < we3gerg> okay last question, since this is the router, stuff won't be VLAN tagged, so that means I'm working with the addresses of each VLAN. How will I have one interface and multiple addresses from the different VLANs?
18:00 < detha> on your trunk cable it will be vlan tagged
18:01 < we3gerg> so I setup trunking in the router and it'll know? oof
18:01 < detha> in the router, you have vlan1, vlan2, ... interfaces and you can set rules saying 'nothing coming in on vlan2 can go out to vlan3'.
18:02 < we3gerg> really? I did not know this, been playing around in packet tracer and I did not see this
18:20 < jimm> Hi... gotta fix a program that looks at interface settings and "calculates" a masqing firewall
18:21 < larry> jimm what pack for wpa2
18:21 < jimm> given this will take some time, someone interested in helping me diagnose and fix?
18:23 < jimm> \larry, I'm not really sure :) I'm a little occupied at the moment too, otherwise I'd try to help... let people know what dist you're running... maybe you want a package that has wpa-supplicant
18:50 < larry> what pack has wpa2
19:05 < ska> Anyone used these units  as firewalls (pfsense)? https://www.amazon.com/Linksys-LGS124-Rackmount-Unmanaged-Enclosure/dp/B00H1OQBLA/qid=1523568145 ?
19:08 < fryguy> i'm real skeptical you can install pfsense on that
19:09 < detha> That.
19:14 < larry> jimm: fix it?
19:25 < ska> fryguy: its comes pre-installed with it, so I think you can. I have a unit with it already on it.
19:25 < qman__> ska: that's an unmanaged switch, you can't install anything on it
19:26 < ska> sorry wrong link.
19:26 < ska> https://www.amazon.com/Hardware-Firewall-Mikrotik-Security-Barebone/dp/B0777GHHW1/qid=1512756180
19:30 < larry> where having router on usbstick
19:30 < larry> most netfilter broke
19:31 < larry> possibly first wink
19:31 < larry> what was then and what do now
19:31 < larry> David cried
19:31 < larry> about son
19:32 < larry> once they thrashed humankind
19:32 < larry> what now
19:32 < larry> for intelligence is strong sometimes in enemies
19:32 < larry> what now
19:33 < larry> look at what was then
19:33 < larry> first strike was against the firewall
19:33 < larry> what more
19:33 < larry> continue to let them think it is active
19:34 < larry> but it doesnt work
19:34 < larry> when is Mr Jones going to have fairytales
19:34 < larry> all tails from the cryptkeeper
19:34 < larry> murders
19:34 < larry> what fairytails
19:34 < larry> this is tales from the crypt
19:35 < larry> Mitnick tells tails from the crypt
19:35 < larry> jimm: so you masq something
19:35 < larry> if they access the raid
19:36 < larry> why dont you watch legion
19:36 < larry> dont you get the matrix
19:36 < larry> it is a binary world
19:36 < mateothegreat> jesus
19:37 < larry> when you have a complete double image of yopu from GCC
19:37 < larry> what you had was the Guardian Angel
19:37 < larry> in the ether
19:38 < larry> jimm: do you want a fix
19:39 < larry> or do you want to keep thinking the app layer is working
19:39 < larry> when the foundation was cracked
19:39 < larry> first strike at the firewall
19:39 < larry> how many xservers
19:39 < larry> say you have a fighterpilot
19:39 < larry> with weapons of mass destruction
19:40 < larry> tales from the crypt
19:40 < larry> and the visual cortex is fooled by an x server
19:40 < larry> presses the wrong button
19:40 < larry> boom!
19:40 < larry> bombs away
19:41 < larry> these are the scenarios that propogate wild
19:42 < larry> exponential wickedness
19:42 < larry> as it increases you enter the last days where love of men grows cold
19:42 < larry> what masq are you calculating
19:43 < larry> mental omega
19:43 < larry> jimm:
19:43 < larry> stay wide awake
19:43 < larry> this is the object of the game mental omega
19:44 < larry> reduce fractals
19:44  * larry reaches out hand
19:46 < larry> how much binary does it take to maintain h20
19:47  * larry reaches out hand too jimm
19:48 < larry> whatever richard dawkins was talking about
19:48 < larry> holding together the dna structures
19:49 < larry> what was then and now
19:49 < larry> I'm not dwelling on the past
19:49 < larry> the raiders are going
19:49 < larry> how much torture can a mind take before it goes kaput
19:50 < larry> a mirrorless network
19:50 < larry> hostme
19:51 < larry> the masq isn't really needed
19:51 < larry> your talking about shoddy nat right jimm
19:52 < jimm> sshoddy bats?!
19:52 < larry> why not use a real server
19:52 < jimm> or even a reel to reel server?
19:54 < jimm> I']m looking to put a net back together the way it was, and I might also translate the rules to nftables
19:56 < jimm> I do want to use nat (because that's how it was originally done)
19:57 < jimm> I need to figure out what's going on with the program that generates the rules
19:58 < larry> what needs to be fixed?
20:02 < jimm> well first I need to figure out the problem... the iptables rules are initially empty, then I tell it to generate the rules, and instead of making the masq nets the way it's supposed to, it blocks packets from getting to the appropriate subnet (and therefore wire)
20:03 < jimm> I dunno what the problem is yet
20:03 < jimm> and I need a way to piece together what it is
20:05 < `7hr34t_hvntr> anyone ever see google chrome sending out STUN packets
20:06 < detha> jimm: dentistry engineering, gap analysis and filling. define what it needs to do. determine what it does. the difference is the gap. fill that gap.
20:06 < `7hr34t_hvntr> is it seen in conjunction with streaming activity usu
20:08 < _BIGSHOT_> hello, since i am behind Double NAT - I am using "ngrok" to forward my port so that I can use plex remotely, does anyone know how to setup plex with ngrok?'
20:08 < _BIGSHOT_> i already forwarded plex port 32400
20:08 < jimm> what it does: looks at the definitions of some interfaces, figures out which one is the outgoing interface (i.e. going to "the rest of the internet"), then writes iptables rules which creates a masqing firewall
20:09 < jimm> ever since I upgraded (which could mean upgrade kernel), can't ping out, sendto: op not permitted
20:10 < jimm> and I'm not exactly sure what's going on
20:11 < detha> well, start by looking at what it does then
20:12 < jimm> well it makes rules... want to see them?
20:12 < detha> that would be a start
20:13 < jimm> ok, how would I export existing rules? (also, I can give you a tarball of the project, so you can see what it tries to generate, and with which information)
20:14 < jimm> I know iptables -L outputs some of the rules, how would I get all of them?
20:14 < detha> iptables-save is the preferred format
20:15 < detha> otherwise iptables -vnL
20:15 < jimm> lemme check that out
20:15 < tds> and remember to use ip6tables as well if you're using non-legacy ip ;)
20:17 < jimm> ok, looks like I'm still here...
20:22 < jimm> maybe it's not generating rules when it should be
20:34 < jimm> tell ya what... I'm having problems getting this thing to generate the rules... I gotta figure out why... but first, something came up and I gotta leave for awhile...
21:09 < nickster> I was messing with ipv6 like a month ago and never got my interfaces to obtain an address and no other machines were able to get one either.
21:10 < nickster> Today i had a weird power surge and my opnsense vm rebooted
21:10 < nickster> 10 minutes of booting up later, i now have functioning ipv6
21:10 <+catphish> maybe your ISP fixed something
21:11 <+catphish> :)
21:11 < rainyXP> Just out of interest, do you use the proxy functionality on the pfsense?
21:12 < nickster> i figured out the isp issued a /56 prefix because after changing it a few times, it finally worked with that
21:13 < nickster> my lan is set to track interface
21:13 < nickster> rebooting apparently would have solved it
21:14 < nickster> now all lan devices at home can use ipv6
21:14 < nickster> now contemplating if i want it on my vlan
21:16 < revere> What could be wrong that if I query a public dns server with dig (like 8.8.8.8 or 1.1.1.1) for a domain it returns no ANSWER, but with +trace it does?
21:16 < Peng_> revere: Several things. For what name?
21:16 < revere> The nameservers set at the registrar respond with the right answers
21:17 < Goop> How many IPv6 addresses does Cox give its customers?
21:17 < nickster> usually a /64
21:17 < revere> it's a personal domain, if it's most likely something uncommon I'll let the party hosting my dns deal with it
21:18 < nickster> http://forums.cox.com/forum_home/internet_forum/f/internet-forum/15554/ipv6-prefix-delegation
21:18 < nickster> i got lucky with charter handing me a /56
21:29 < ExploitedKernel>   
21:29 < ^Gecko^>  
22:00 < BlueProtoman> Suppose I have a home server and a domain I use to connect to it remotely.  If I'm at home, will connections to this server via 192.168.x.x be faster than through the domain I use to connect remotely?
22:08 < Peng_> No. Maybe.
22:10 < BlueProtoman> Peng_: What do you mean?
22:10 < Peng_> Is it slow?
22:12 < BlueProtoman> Peng_: "It" being "connecting remotely"?
22:13 < Carll> The joys of networking :-)
22:16 < DoctorOfWar> BlueProtoman: The name resolution is actually pretty fast, and afer that the communication will be through ip's, so no overhead there. But depending on your gear, it will 'understand' that connection is coming back to your server
22:16 < {HD}> Does dns have variables? I am working with the new installation of Vesta CP and when I look at that the fall DNS records I see a “NS2.domain.TLD.“ are those variables or should I replace that with my actual domain name?
22:16 < DoctorOfWar> I think, I'm not a 'network' guy, so if I'm wrong please tell me =)
22:17 < {HD}> Fall = default.
22:17 < Apachez> {HD}: if you have gayporn.com your NS should most likely be something like ns1.gayporn.com.
22:17 < Apachez> and ns2...
22:18 < {HD}> Apachez: lol and I will update it to see if it works.
22:18 < {HD}> whyy does an NS record end with a '.'?
22:18 < Carll> {HD}: it shouldn't
22:19 < Carll> {HD}: ns1.domain.tld
22:19 < {HD}> example: when you change an NS record for DigitalOcean it defaults to adding an '.' onto the end.
22:20 < {HD}> And I see it pretty frequently when I search for it.
22:20 < black_13_> is this the ocrrect place to ask about why download fails because of credential errors
22:20 < Apachez> ahh yes
22:20 < Apachez> its ptr records who ends with .
22:20 < Apachez> solly
22:20 < Apachez> black_13_: this is the wrong place to ask about asking
22:21 < Dagger> *all* absolute DNS names end with .
22:21 < black_13_>   Unable to locally verify the issuer's authority. WARNING: certificate common name `distributions.freedesktop.org' doesn't match r equested host name `gstreamer.freedesktop.org'. HTTP request sent, awaiting response... 404 Not Found 2018-04-14 14:56:33 ERROR 404: Not Found.
22:21 < {HD}> Oh...
22:22 < Apachez> black_13_: well go figure
22:22 < {HD}> What resource (dns for dummies) should I read/watch to learn what I need to know about DNS?
22:22 < Apachez> you are visiting gstreamer.freedesktp.org
22:22 < Apachez> that shitty servers gives you cert for distributions.freedesktop.org
22:22 < Apachez> which is wrong
22:22 < Apachez> {HD}: bind.org have a great manual
22:22 < Dagger> relative names are... I guess it depends on context; in DNS lookups, a relative name will have each of the domains in your DNS search list appended to it, and if none of the resulting names exist then it'll try appending .
22:23 < Dagger> in bind zone files, relative names have the current value of $ORIGIN appended to the end
22:23 < black_13_> Ok
22:23 < Apachez> and $ORIGIN is .
22:23 < Apachez> unless set
22:24 < Peng_> black_13_: Apachez: https://gstreamer.freedesktop.org/ WFM. Could be an obsolete client.
22:24 < Dagger> $ORIGIN starts at ., but for reverse zones you generally set it to 0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. or whatever your zone is for
22:24 < Dagger> but of course you don't generally want that being appended to your PTRs, so your PTRs tend to end in .
22:25 < Apachez> Peng_: that url worked for me with no errors
22:25 < Apachez> Common Name (CN)	gstreamer.freedesktop.org
22:26 < Apachez> Common Name (CN)	Let's Encrypt Authority X3
22:26 < Apachez> Issued On	Monday, March 26, 2018 at 1:53:52 AM
22:26 < Apachez> Expires On	Sunday, June 24, 2018 at 1:53:52 AM
22:27 < Apachez> anyone who recalls the name of that scriptbased networkdrawing thingy?
22:27 < Apachez> like visio but in text
22:27 < Apachez> and when you "compile" the textfile you have a nice png
22:28 < Dagger> and similarly, if you're doing a forward zone and have $ORIGIN set to example.com, and you try to do "@ NS ns.example.net" then it'll append example.com to both @ (producing example.com) and to ns.example.net (producing ns.example.net.example.com)
22:28 < Dagger> one of those you probably want. the other one, not so much
22:28 < Apachez> "not so much" :D
22:31 < {HD}> alright, that makes sense. I think I want to update my DNS to use the DNS of my vestaCP vps. I have my namecheap custom DNS pointing to ns1.digitalocean.com and ns2 ect but I think I wanted to point it to the ip of my vps?...
22:33 < black_13_> is there
22:33 < Blueking> are this right channel to ask about wifi networking ?
22:33 < Apachez> Blueking: yes if you can answer my question first
22:34 < black_13_> Apachez it works through chrome great but i just realized that i have a really old version of wget
22:34  * Blueking doesn't know what question are..
22:34 < black_13_> all this is me building for source the gstreamer app
22:34 < Apachez> black_13_: I think wget will use your system CA list which is the same as chrome uses
22:35 < tds> {HD}: you can't have NS records that point directly to an IP - you'll need to set the records to a hostname (eg ns1.yourdomain.com), and then also add "glue" records (a/aaaa records in the parent zone) for the name server IPs
22:35 < Blueking> Apachez: what question ?
22:35 < tds> if you only want to have your domains resolve to the IP of your server, and not use the server as a name server, then you can just add a/aaaa records with your existing dns provider
22:36 < black_13_> https://pastebin.com/DKtR5RDD
22:37 < {HD}> tds: oh. I read about glue records recently. VestaCP creates 14 dns entries for mail and web and other stuff would I copy all thise to namecheap dns or would adding a glue to namecheap then also look at the vestacp dns?
22:38 < tds> I'm not familiar with vestacp - do you know if it acts as a name server itself, or just prints out a list of records for you to add?
22:38 < {HD}> Right now I have namecheap digitalocean and vestacp involved and I don’t know what is doing what.
22:39 < {HD}> tds: I am under the impression it could be a name server
22:39 < {HD}> But I guess I should double check that.
22:39 < tds> if you want to use it as a name server, you want to go down the route of setting your name servers to be something like ns1.yourdomain.com, and add glue records
22:40 < Blueking> I want to upgrade wifi in my house. Currently I am using two asus ac routers set in AP mode.   question are: does wifi clients change to AP with strongest signal? I've googled and it seems some think client doesn't do that.. ?  using same ssid on both AP units
22:41 < {HD}> tds: Ill see what I can do.
22:41 < rr1993> Blueking, They should, depends on implementation on the client device
22:42 < Apachez> Blueking:  anyone who recalls the name of that scriptbased networkdrawing thingy? and when you "compile" the textfile you have a nice png, like visio but in text and when you "compile" the textfile you have a nice png
22:42 < rr1993> but i can imagine some sort of algorithm to prevent excessive switching between aps
22:42 < Blueking> rr1993: mesh wifi does this better ?
22:43 < azizLIGHT> i reset all my networking gear and i see this type of packet loss: https://imgur.com/a/b2ft8
22:43 < azizLIGHT> that is mtr
22:43 < rr1993> Blueking, i have no idea
22:45 < Blueking> :/
23:17 < Blueking> anyone have tested asus' aimesh  ?
23:26 < Apachez> at which RU (1 is bottom/floor and 42 or whatever height you might have is the top) do you prefer to place the kvm at ?
23:37 < wiresharked> djph: So is gigabit lite on ethernet adapters supposed to reduce latency?
23:38 < SporkWitch> Apachez: if you find out the name of that tool, let me know; sounds handy
23:39 < Apachez> SporkWitch: graphvix
23:40 < Apachez> SporkWitch: graphviz
23:40 < Apachez> but now I found out nwdiag for python
23:40 < Apachez> and got a boner when I tried the rackdiag part :)
23:40 < Apachez> you write a small textfile and it outputs in png, svg, pdf and whatelse :)
23:41 < SporkWitch> yeah, it sounded useful; no more manually plugging stuff in, i can just enter the descriptive information and get pretty output
23:48 < Apachez> noone with a rack enclosure close by with a kvm switch within?
23:48 < Apachez> Im thinking whats the optimal location of the kvm switch in a rack, that is at which RU
--- Log closed Sun Apr 15 00:00:45 2018