--- Log opened Sat Apr 21 00:00:52 2018
00:59 < cluelessperson> So get this
00:59 < cluelessperson> I can see a bunch of WAN mac addresses, I assume from other apartment goers
00:59 < cluelessperson> all fitting an IPv4 scheme
01:10 < CuriosTiger> cluelessperson: "apartment goers"?
01:10 < CuriosTiger> do you live in some sort of communal arrangement? :P
01:11 < cluelessperson> CuriosTiger: I live in an apartment complex.  They have a fiber modem on the floor, and use lke a 1G switch to distribute gigabit to each apartment
01:12 < cluelessperson> CuriosTiger: I'm apparently seeing other people's routers
01:12 < cluelessperson> and their publix ips
01:16 <@pppingme> no such thing as a "fiber modem"
01:17 < lupine> well
01:17 < cluelessperson> pppingme: what would you call it?
01:17 <@pppingme> media converter
01:17 < lupine> it modulates the electrical data into light waves
01:17 < lupine> but shhhh
01:18 < cluelessperson> modulator
01:18 < cluelessperson> ---
01:18 < cluelessperson> So, I suspect the reason I'm seeing these other macs out there, is because I have my switch configured,
01:18 < cluelessperson> Port 1 "WAN / ISP UPLINK"    Port 2 "WAN to GATEWAY"
01:19 <@pppingme> lupine thats kinda pushing it.. its not really modulating as much as lighting a light when there's a 1, and killing the light with a 0
01:19 <@pppingme> modem assumes to modulate to another medium, af, rf, etc..
01:19 < lupine> it's a modulation
01:20 < geokoh> why would somebody have a virtual machine created on their computer with out their knowledge or ability to stop it?
01:20 < lupine> you can say "it's not much of one" as much as you like
01:21 < cluelessperson> geokoh: virtual machines can be tiny
01:21 < Maarten> cluelessperson, AT&T calls it an ONT, or Optical Network Terminal
01:21 < geokoh> does it mean they have been compromised for various reasons, or is that botnet at work?
01:22 <@pppingme> but it doesn't really ride over a different frequency, but rather is just a different representation of an identical signal
01:31 < geokoh> is it possible to temper with somebodies connection, to make them think that their current provider is not very good in an effort to try to make you switch to another isp?
01:32 < geokoh> to send some type of a disrupting signals and such?
01:33 < lupine> sure
01:33 <@pppingme> you mean in a way that mountain cable won't get pissed at you and cut you off and hand it off to the fbi?
01:33 < lupine> highly illegal though
01:33 < lupine> especiually if you're using RF, you are going to get *monstered*
01:33 < lupine> people take that very seriously and will deploy considerable resources to fuck you over
01:34 < geokoh> i get disruptions by another local companny
01:34 < lupine> RF?
01:34 < lupine> a minute ago you didn't know if it was possible
01:34 < lupine> now you're claiming it definitely happens
01:34 < geokoh> im on a rural dsl type of connection
01:34 <@pppingme> describe how you're getting "disruptions"
01:34 < lupine> excuse me if I doubt you a little
01:34 < geokoh> well i suspect that is going on
01:35 < lupine> people often suspect things that aren't true
01:35 < geokoh> based on evidence that is reocuring on youtube
01:35 < lupine> oh god
01:35 < geokoh> yes sir
01:35 <@pppingme> so your 1mbps circuit won't play youtube smoothly?
01:36 < geokoh> so , ill get waching something and , all of a sudden i get , a "distruption" or freezing in the video" than a suddle msg apeased, saying
01:36 < CuriosTiger> cluelessperson: That's probably because the "fiber modem" is little more than an Ethernet switch.
01:37 < CuriosTiger> fiber vs copper are just different transmission media. It's all Ethernet.
01:37 < geokoh> little box apears that says, " experiencing disruption? find out why"  and find out why is a link to another local cable provider, trying to sell me "HD"
01:38 < CuriosTiger> ....that just sounds like lame marketing.
01:38 < geokoh> i know right
01:38 < geokoh> very lame indeed
01:38 < geokoh> it will do it twice generally, and then i can continue waching in peace
01:39 < CuriosTiger> so...your concern is that this ISP is trying to tamper with your connnection to your current ISP because they're showing you ads?
01:39 < geokoh> no
01:39 <@pppingme> Do the two isp's share L1?
01:40 < geokoh> my question is, is that other competetor, "bullying" me in sort of speak to try to make me swithc to them
01:40 < lupine> nobody here knows their motivations
01:40 <@pppingme> probably not, your connection is probably crappy to start with, and you're reading too much into seeing an ad..
01:40 < geokoh> ok
01:40 < geokoh> thats fine
01:41 < geokoh> i just wondered if something like that would be technically possible in business
01:41 < geokoh> i know it sound paranoid
01:42 <@pppingme> if they share L1, it might be
01:42 < geokoh> im on this line of sight dsl rural thing
01:42 < geokoh> i use little round dish to connect
01:44 < tds> if you can get advertising on a page about having connection issues, and target it towards an area where you know your competitors provide bad service, that's certainly a smart marketing move ;)
01:44 < tds> but I'd doubt they're actively interfering with your connection
01:44 < geokoh> but i think i might have physical opsticals in the line of sight
01:45 < geokoh> yuh well it might be smart, but still they are shit out of luck even if i could swich, there is not physical infrustructure to diliver service, because they dont own that tower that i connect to
01:46 < geokoh> it makes no sence to target me for sales, they cant deliver better product
01:46 < geokoh> its like you cant draw blood from tone
01:46 < geokoh> stone* lol
01:46 < localhorse> i have a http+websocket server running on laptop1 and i'm connecting to it from laptop2 (loading the webapp in chrome). it can fetch the html page just fine, but the WS connection ONLY works over my Lancom router, NOT over Linksys WRT 54G (tested both ethernet AND wifi) or TP-LINK MR3020 (wifi), for those i always get timeout for the WS connection. any idea why it doesn't work over those?
01:47 < CuriosTiger> Occam's razor says it's far more likely that your ISP just sucks than that their competitor is actively sabotaging them.
01:47 < localhorse> (Lancom ethernet router)
01:50 < geokoh> curioustiger: sure, they could be engaged in a ugly secrete war of harassment,  greed knows no bounds these days it seems, but i know i have limited connection speed due to technology atm
01:52 < geokoh> if something is invented that can penatrate physical objects to connect me to higher speed, then my problems might be over
01:53 <@pppingme> geokoh what speed were you "sold"? What speed to you see on reliable speed test sites?
01:53 < geokoh> weather really plays huge part in my connection and speed
01:53 < geokoh> im suposed to be on 1m
01:53 <@pppingme> 1m meaning one megabit per second?
01:53 <@pppingme> thats SLOW by any standard..
01:53 < geokoh> thyes sir
01:53 < geokoh> agreed
01:54 <@pppingme> whats your isp say?
01:54 < geokoh> thats rural ontario
01:54 < geokoh> rural canada sucks for interweb
01:54 <@pppingme> wireless can achieve much higher and quite easily..
01:54 < geokoh> says i need high mast, or clear cut path of line of sight lol
01:54 < geokoh> higher*
01:55 <@pppingme> how high of a mast?
01:55 < geokoh> i am connecting over about 3.5 miles distance
01:55 < geokoh> my currecnt higt is about 5 ft
01:55 < zamanf> do you guys know any iptables equivalent for windows? like blocking different types of packets, define the size of the packets, etc?
01:55 < geokoh> sorry 50ft
01:56 <@pppingme> so you're at 50 foot and they want you higher?
01:57 < geokoh> yuh preferably since the trees are growing up around me
01:57 < forgotten> zamanf: iptables equiv of what?  post an iptables rule you want the windows equiv of maybe?
01:57 <@pppingme> are they guaranteeing a higher mast will fix your issue?
01:57 < geokoh> i actually cut down some trees that were in the way
01:57 < geokoh> im thinking it might
01:58 < geokoh> it helped me a bit, but there is still some in the way
01:58 <@pppingme> generally, its all or nothing...  if you've got a stable connection now with minimal packet loss, its unlikely a higher tower will help
01:58 < geokoh> i know
01:59 < geokoh> i could extend my current one by sliding anought chunk undereath the old one by maybe 20 ft, for failly low price
02:00 <@pppingme> if you have enough land, and all you're supporting is a single antenna, it'd be easy to get you higher, but the real question is if that would help
02:00 < geokoh> im just using and old TV airiel mast to hang my internet reseiver on it
02:01 < Spice_Boy1> pppingme: fresnel zone
02:01 < geokoh> well i might find an old piece of tower somewhere, lot of people are getting rid of theirs these days , the cost isnt that problem with that
02:02 < Spice_Boy1> if you can get up higher away from the crap, then it would be better
02:02 < Spice_Boy1> RF line of sight is not the same as visible line of sight
02:03 < geokoh> hmm ok
02:03 <@pppingme> true, but he hasn't indicated he's in a hole or on top of everest..
02:03 < geokoh> i know the tower i connect to sits in a lower elevation that i do
02:04 <@pppingme> how much lower?
02:04 < geokoh> about 100 ft
02:04 < Spice_Boy1> don't Canadians use metric?
02:04 < geokoh> i was trying to chart it
02:04 <@pppingme> Spice_Boy1 they're mixed. half metric, half normal
02:04 < Spice_Boy1> metric is normal pal
02:04 < geokoh> i was using google earth elevation chart and the
02:05 <@pppingme> Spice_Boy1 for rough reference, just over 3 feet is a meter
02:05 < Spice_Boy1> I know, but can't really think quick unless metric
02:05 < geokoh> lol
02:05 < Spice_Boy1> cbf converting
02:05 < Spice_Boy1> is it low or high?
02:05 < Spice_Boy1> it won't have to be super high
02:06 < Spice_Boy1> on another note, I got my librenms application working
02:06 <@pppingme> is that the stuff to query your power stuff?
02:06 < Spice_Boy1> yeah
02:06 < Spice_Boy1> works nicely
02:06 <@pppingme> sweet
02:06 < Spice_Boy1> I'll PM you and you can see it
02:08 < geokoh> one more question i have about viewing windows task manager networking graph
02:09 < Spice_Boy1> pppingme: check your PM
02:11 < geokoh> i  am monitoring local area connection,  how should a stable connection look? should it show a percentage of network utilization as smooth line? or is it normal to see fairlly jaggy picture?
02:12 < tds> Spice_Boy1: out of interest, what are you using to monitor power with librenms, managed PDUs with snmp or something?
02:12 < Spice_Boy1> tds: Powerwall via HTTP api, and custom librenms SNMP app on a linux box
02:13 < zamanf> forgotten, an example: iptables -A INPUT -p udp -s 1.2.3.4 -m length --length 89:1000 -j DROP
02:39 <+imMute> ugh, stupid problem at work today.  8 SG200s connected to a single SG500 with 2 connections each.  the pairs are in LAG groups.  from computer A (connected to the 500) I could ping half the 200s, from computer B I could ping the other half.
02:40 <+imMute> spent an hour trying to diagnose "failures" before I noticed that the other system could access the other half.  figured it had something to do with the LAG groups - disconnected one of each pair and everything works perfectly.
02:40 <+imMute> oh, and the 500 is replacing an old netgear something or other, which was working fine with the LAG groups.  I need a drink no.
02:41 <+imMute> but if any cisco guys are around, I'd love to hear ideas on what was going on.
03:33 < stan7> i can't open port 80 from my router, i dont know why, im on kali linux, and i wanna run apache server from public ip
03:33 < stan7> i already tried many things, do you know why?
03:34 < dogbert2> your ISP could be blocking port 80 inbound
03:34 < stan7> and how can i fix it?
03:34 < dogbert2> you'll need to port forward something like <IP:8080> to port 80 in your router...
03:34 < xamithan> Use another port ?
03:35 < stan7> good options
03:35 <+imMute> could also be double-NAT'd
03:35 < stan7> but if i open another port
03:35 < dogbert2> I port forward on my dlink, and have a hostname via NOIP.com (DDNS)
03:35 < stan7> how can make i know apache to run another than 80 port?
03:35 < xamithan> Change the port in the config
03:35 < dogbert2> change the listen port to something else, like 8080?
03:35 < dogbert2> in apache2.conf or ports.conf
03:36 < stan7> thanks a lot
03:36 < stan7> i will try
03:36 < stan7> thanks you so much
03:36 < xamithan> Or the $vhost.conf
03:36 < xamithan> Might want to make sure kali isn't running a firewall too
03:37 < stan7> thanks a lot
03:38 < SporkWitch> xamithan: IIRC, kali defaults to no firewall, but it also used to default to no network unless you explicitly tell it to connect
03:39 < xamithan> People follow tutorials all the time without knowing what they are doing,  it wouldn't surprise me if a firewall was enabled
03:39 < SporkWitch> xamithan: i mean, the real first warning sign was "kali linux"
03:40 < xamithan> Kali is a good OS
03:40 < SporkWitch> for its intended purpose, yes; the problem is 9 times out of 10 if you see a question about it, they're not using it for that lol
03:41 < xamithan> True,  I don't see any scenario where running a webserver out in the internet using kali is a good idea
03:42 < SporkWitch> xamithan: depends on your definition of good idea; more accurate to say LEGITIMATE
03:44 < stan7> Port 8080 is closed.
03:44 < stan7> still same
03:44 < xamithan> Can you hit the port from within your network from a different computer ?
03:44 < stan7> when i nmap 127.0.0.1 i get this 8080/tcp open  http-proxy
03:44 < SporkWitch> stan7: 1) what are you trying to do and why are you using kali for it, 2) post the output of iptables -S, 3) make sure port forwarding is configured correctly on the router and the host has a static IP
03:44 < stan7> problem is the router
03:45 < stan7> im new in networking, i just wanna open my http server from public ip not internal
03:45 < xamithan> I'm going to take a wild guess and say your forwarding isn't setup correctly
03:45 < SporkWitch> <SporkWitch> stan7: 1) what are you trying to do and why are you using kali for it, 2) post the output of iptables -S, 3) make sure port forwarding is configured correctly on the router and the host has a static IP
03:45 < stan7> maybe i didnt do correctly the port forwarding because its my first time
03:46 < xamithan> Maybe look up your model router on portforward.com and check if you are doing it right
03:47 < stan7> what is iptables? its the linux firewall?
03:47 < Demos[m]> sortof
03:48 < SporkWitch> ...
03:48 < Demos[m]> it's one of the many interfaces that can allow firewalls
03:48 < xamithan> Its a frontend for netfilter
03:48 < Demos[m]> yeah
03:48 < SporkWitch> stan7: let's start over.  First, download a debian or centos ISO, now install that over your kali install
03:48 < stan7> is not a kali good os?
03:49 < xamithan> Its a good livedisc for when you are pentesting
03:49 < xamithan> Using it as a desktop or web server?  no way
03:49 < SporkWitch> stan7: it's a great TOOL, but it's not for your usecase, and it's DEFINITELY not something you should be using when you have to ask what iptables is
03:49 < stan7> or maybe kali has something like firewall that dont let me open ports
03:49 < stan7> lol
03:49 < stan7> you are right sportwitch
03:49 < stan7> i wanna learn
03:49 < xamithan> Throw on Ubuntu
03:49 < xamithan> It has the most guides made for it
03:49 < stan7> lol ubuntu?
03:50 < Demos[m]> fwiw I like firewalld for my firewall management needs
03:50 < stan7> so i should start with ubuntu?
03:50 < xamithan> Until you know what iptables is,  probably
03:50 < stan7> how can i learn more about networking guys?
03:50 < Demos[m]> it really, really doesn't matter that much
03:50 < stan7> reading books?
03:51 < xamithan> Take the CCENT|CCNA exams
03:51 < stan7> i really wanna learn
03:51 < xamithan> That'll learn you a lot about networking
03:51 < SporkWitch> stan7: doesn't matter much, but debian and centos are the ones you'll most likely encounter in the enterprise (more RHEL than centos, but they're fundamentally the same)
03:51 < stan7> how about debian is good option?
03:51 < stan7> so i will download debian i try with it
03:51 < Demos[m]> oh guys: realtalk, implement backups for our storage arrays (offsite and inremental). What have people had good experiences with
03:51 < xamithan> Its a good option but it doesn't do as many newbie friendly things for you like ubuntu
03:52 < SporkWitch> Demos[m]: rsync is the usual go-to
03:52 < stan7> so ubuntu
03:52 < stan7> i will download it
03:52 < xamithan> Doesn't matter really,  ubuntu is based on debian
03:52 < stan7> thanks a lot for your help
03:52 < SporkWitch> stan7: depends on how you learn.  if you like to procrastinate or take shortcuts, you probably won't learn much with ubuntu, since you'll just use the do-it-for-me tools
03:52 < stan7> reading books is good way to improve?
03:53 < xamithan> Labbing is the way to improve,  like you are trying to do now
03:53 < Demos[m]> yeah I thinking about borg, and maybe something like btrbk
03:53 < Demos[m]> one issue is that some of our storage arrays have kernels with very incompatible btrfs implementations, so we can't use send/recv to really replicate
03:54 < dogbert2> burp
03:54 < Demos[m]> also we're talking on the order of 100-200TB for a full copy of everything
03:54 < SporkWitch> Demos[m]: this is why you do delta and incremental backups, not full copies
03:54 < xamithan> How do you even migrate something like 200TB of data to a new system =/
03:55 < Demos[m]> right, but just poking around to figure out the incremental copy can be rough
03:56 < Demos[m]> our real problem is that a lot of it is on synology boxes and they are very, very slow and extremely buggy
03:58 < dogbert2> dang, that ain't home use stuff :)
04:13 < Demos[m]> yeah not a big fan of synology
04:24 < Demos[m]> OK another question: IdP servers, I'm looking at keycloak and it looks completely insane with all the clustering and cacheing? Also the distribution is just "download and run this bash script" am I missing something here?
04:25 < Demos[m]> is this really the best supported FOSS SAML and OAuth provider?
05:08 < fareast> anyone around to discuss pci compliance
05:09 < fareast> I ran a makeshift subnet today.
05:09 < fareast> just want to know your thoughts on it all.
05:10 < fareast> been a while since I did one.
05:21 < stan7> im already in ubuntu and still same problem Port 8080 is closed.
05:22 < linux_probe> poopbuntu
05:23 < SporkWitch> stan7: still need to set a static IP and correctly configure port forwarding
05:34 < linux_probe> lawlz
05:34 < linux_probe> https://imgur.com/gallery/tmidV9L
05:35 < stan7> im checking and i correctly configure port forwarding
05:35 < stan7> i already tried with 8080 port
05:40 < stan7> nothing related with this right? DMZ Settings
05:44 < jvwjgames> I have a question I have a router that has a WAN ip of 162.220.209.34 and on the lan side i have an ip of 162.220.209.51 i though static public ip arn't supposed to be natted so how do i get the ip 162.220.209.51 be visible from the outside world cause ican ping tracert and goto it directly but a licensing server see the ip as 162.220.209.34
05:45 < jvwjgames> and making a DMZ just breaks all other servers
05:46 < SporkWitch> 162.220.209.51 isn't on the route from the outside to the inside; it is from the inside to the outside
05:47 < SporkWitch> (traceroute shows you the nodes you send to, not what they send from)
05:47 < stan7> SportWitch: what do you mean with static ip?
05:47 < stan7> i already checked and its correctly port forwaring configured
05:47 < SporkWitch> stan7: https://lmgtfy.com/?q=static+ip
05:47 < jvwjgames> all those ip's a public static ip's
05:47 < jvwjgames> and would 1-1 NAt work
05:48 < stan7> i know whats it is but i mean... its nothing about the port is closed, or it is?
05:48 < SporkWitch> stan7: if you don't have a static ip, you have no guarantee the host's IP won't change
05:48 < jvwjgames> i do have a static ip
05:48 < stan7> i was thinking to use no ip
05:49 < stan7> for that
05:49 < SporkWitch> jvwjgam44: if the static IP comment were directed at you, i would have hilighted you; you are not the only person in this channel asking questions
05:49 < jvwjgames> anyway would 1-1 NAT work
05:49 < SporkWitch> stan7: the host needs a static IP for port forwarding
05:50 < jvwjgames> cuase the Cpanel servers are seeing the .34 as the WAN ip witch is incorrect
05:50 < stan7> so if i have not static ip i can not port forwaring?
05:50 < SporkWitch> jvwjgam44: any form of NAT will give the results you described; unless you're routing WITHOUT NAT, then the origin seen from outside is the WAN IP
05:50 < SporkWitch> stan7: sure you can, as long as you update the port forwareding every time the host changes IP
05:50 < stan7> i got it
05:50 < SporkWitch> stan7: which is dumb, so set up the damn port forwarding like we've told you repeatedly for the past 3 hours
05:50 < SporkWitch> stan7: and static ip
05:50 < stan7> i have to pay for static ip, right?
05:51 < jvwjgames> yes stan7
05:51 < jvwjgames> your ISP will be able to give you a static ip for a fee
05:51 < SporkWitch> stan7: not on your LAN, and most consumer ISPs won't offer you a static even if you offered to pay
05:51 < jvwjgames> correction some Residental ISP's
05:51 < SporkWitch> jvwjgam44: most consumer ISPs don't offer static unless you upgrade to a business plan, which often triples the price
05:52 < jvwjgames> my ISP CenturyLink does
05:52 < SporkWitch> i'm not aware of centurylink doing business with individuals...
05:53 < skyroveRR> I think jvwjgames has contacts high up
05:53 < skyroveRR> ;)
05:53 < SporkWitch> skyroveRR: more likely it's like where i work: we don't do business with individuals, but some of our customers only have 2 or 3 employees
05:54 < stan7> thanks for your help guys
05:54 < skyroveRR> SporkWitch: which ISP do you work for?
05:55 < skyroveRR> I mean... if it is fine for you to answer....
05:55 < SporkWitch> skyroveRR: i work for a voip company, not an ISP, though we do business with some ISPs to provide our customers dedicated connections for the phones (not allowed to share which carriers we do business with)
05:55 < stan7> i will get static ip but for now its not good i can not open the port, it has to be something about port forwaring configuring
05:55 < stan7> i will keep trying
05:55 < skyroveRR> stan7: that's the spirit!
05:55 < stan7> lol
05:55 < stan7> how do you do guys when you can not fix something?
05:56 < stan7> i mean i like computers just for fun
05:56 < SporkWitch> i don't do guys
05:56 < stan7> but when you need to fix it
05:56 < skyroveRR> SporkWitch: lol
05:56 < daishun> A device on my LAN keeps sending ARPs asking who has 192.168.000.003, tell 0.0.0.0. That's its own
05:56 < daishun> .. own IP. Why is is doing this?
05:57 < SporkWitch> daishun: https://lmgtfy.com/?q=gratuitous+arp
05:57 < SporkWitch> (also, one traditionally removes leading zeros)
05:59 < jvwjgames> what is spanning tree protocal
05:59 < skyroveRR> Google it.
06:00 < jvwjgames> isn't that for switches
06:00 < SporkWitch> jvwjgam44: https://lmgtfy.com/?q=what+is+spanning+tree+protocol
06:00 < stan7> i tryied to do nmap to my public ip and i got message its filtered
06:00 < stan7> maybe its because my isp is blocking
06:00 < stan7> not my router
06:00 < stan7> could be?
06:00 < stan7> should be good idea to call to my isp and ask about it?
06:00 < skyroveRR> stan7: you don't have a static IP. Stop worrying and GET ONE.
06:00 < stan7> ok, i will
06:00 < stan7> thanks
06:00 < SporkWitch> stan7: 1) newlines are not a substitute for punctuation, don't spam; 2) they might, and they probably won't, because most consumer ISPs prohibit hosting servers on your LAN
06:01 < SporkWitch> skyroveRR: that's not his problem; he can't figure out how to set up port forwarding in the first place
06:01 < skyroveRR> Ohh.
06:01 < skyroveRR> The man will learn. :)
06:02 < SporkWitch> skyroveRR: remains to be seen
06:03 < jvwjgames> ok
06:04 < jvwjgames> STP is for switches
06:14 < daishun> I read about gratuitous arp but nothing explains why this device is sending the same one every second, none stop.
06:23 < SporkWitch> daishun: what OS is the host running?
06:28 < daishun_> I don't know what this device it. I use a shared LAN.
06:28 < daishun_> is*
06:29 < daishun_> MAC address says its Shenzhen, all I know.
06:30 < daishun_> Maybe giving it a static IP will make it shut up?
06:31 < SporkWitch> reread the article on gratuitous arp if you think that lol
07:08 < winsoff_> If someone starts an ISP, how do they get IP addresses to give to clients?
07:15 < rewt> they get them from a rir
07:15 < winsoff_> So they register as an AS with the RIR? Does this cost money?
07:16 < rewt> probably
07:20 < what_if> If I use a protocol, that is IP , but not TCP or UDP... will it traverse the internet OK ?
07:23 < Emperorpenguin> Yes what_if
07:27 < MACscr> can i do multiple out-interfaces with iptables? trying to give my vpn acess to a vlan as well. right now im using this https://paste.debian.net/1021300/
07:28 < MACscr> but wanted to add vlan30 as well
07:28 < SporkWitch> sure
07:28 < rewt> what_if, there's plenty of protocols other than tcp and udp flowing around out there
07:35 < MACscr> SporkWitch so i just do -o eth+,vlan30?
07:37 < acresearch> people i have been trying to understand how cisco anyconnect works inorder to make it work on openconnect (my universtiy has changed their vpn setting and it no longer works with openconnect), i think i need a certificate + private key + passphrase     i found the certificate and the private key but still looking for the passphrase, anyone can help understand where to look for it? how does it look like?
07:41 < MACscr> ugh, that didnt work. hmm
07:45 < MACscr> nvm, got it working
09:42 < weyland|yutani> acresearch, https://crashcourse.housegordon.org/OpenConnect.html
09:48 < acresearch> hey weyland|yutani
09:50 < acresearch> weyland|yutani: well, i have used openconnect before on the same VPN. but then they changes the settings from the university (which is why i am in this situation), i managed to find the certificate and A private key that when i use both in OpenConnect it prompts me for a PEM Passphrase,,, i am looking for it, but not sure where to look or how to looks like (file or string etc...)
09:51 < Kado> hi. I have a problem. SYN ACK is absent after SYN. tcpdump is showing only incoming SYN. I use linux/docker/swarm/wireguard. I want to know how to really debug this. Thanks
09:54 < applegal> my network is down when system goes to sleep.. and I always have to restart my modem to regain network... I don't have this problem when connecting my modem to my router, do you think my modem do not have the capability to auto config dns/ip when system goes to sleep/
09:55 < detha> Kado: check your firewall rules
09:56 < linux_probe> failwall
09:56 < Kado> detha: I'm doing tcpdump inside of container. There is no iptables rules inside, it seems i should be able to see response
09:57 < Kado> Also there is no drop rules on machine
09:57 < detha> Kado: does the container have a route back to where the SYN is coming from?
09:57 < Kado> I can ping both containers where i make tcp connections
09:58 < Kado> they see each other. ICMP is working, but not tcp. It is frustrating
09:59 < detha> Are you sure something is listening on that port? Also, are you using tcpdump -iany ?
10:00 < Kado> Yes.
10:00 < linux_probe> lol
10:02 < Kado> I know trying to debug through strace. When I make curl request to that container where netcat is running on port 8080. Nothing is happening. So it seems even SYN packet is not getting inside process(socket?)
10:03 < slickerjet> this is going to sound like a dumb question but i dont know what keywords to google, can i plug in 2 cables into 2 ports on a dumb unmanaged netgear switch to get 2 x 1gbps total throughput?
10:03 < slickerjet> i dont need 2gbps, i need 2 x 1 gbps
10:03 < slickerjet> i dont have SFP+ or SFP :(
10:04 < detha> As far as I know, that part of the linux stack is optimized so userland doesn't see anything until 3-way has completed
10:04 < detha> slickerjet: probably the answer is 'no'.
10:04 < slickerjet> bummer, can you expound on the probably part?
10:05 < slickerjet> i am going to use a 6 port pfsense appliance, wan 1 and wan 2 are going to be at&t and comcast, i was trying to get it so any 2 machines on the network can use up to 1gbps x 2
10:05 < Apachez> slickerjet: then buy one (or two) from fs.com ?
10:05 < slickerjet> well i dont have any 'enterprise' grade gear that supports sfp+
10:06 < slickerjet> just a pfsense appliance, and some dumb unmanaged switches, this is to try to get the best useage out of my gigabit comcast and gigabit at&t
10:06 < slickerjet> i have a peplink multi wan router - peplink balance one, but it only does 600mbps, no where near the 2 x 1gbps max possible speeds
10:07 < cousin_luigi> Greetings.
10:07 < slickerjet> i was thinking about trying my USG-Pro-4, but that wouldnt be limited to 1gbit total, i was thikning a pfsense appliance might work, just gotta figure out how to connect to the switch w/ 2 connections/ports, so i can get 2 x 1gbps
10:07 < slickerjet> im open to ideas
10:07 < cousin_luigi> What's the story with eBPF and linux?
10:07 < cousin_luigi> What's going to become of nftables?
10:25 < Apachez> slickerjet: then buy a ubiquiti xg-16 ?
10:26 < Apachez> 16 x SFP+
10:26 < Apachez> $550
10:26 < slickerjet> i just googled that, it's a little over kill for me
10:27 < slickerjet> i have only 6 cat6 drops in my apartment, terminated to a 8 port punch down
10:27 < slickerjet> wan1 is comcast @ 1gbit, and wan2 is at&t @ 1gbit
10:28 < slickerjet> if i get that xg-16, i can then get a switch that uses SFP+ to plug the 8 port punchdown stuff into, SFP+ from that switch into the XG-16, and then i guess wan1 and wan2 into 2 of the 4 RJ45 ports on the XG-16, right?
10:29 < slickerjet> oh wait xg-16 is only a switch, so i still need a router
10:31 < slickerjet> i was thinking of a 6x1g port pfsense appliance off amazon.com, 2 of those would be for wan1 and wan2, then two of the remaining four go into a netgear dumb switch, and then from the dumb switch plugged into the 6 cat6 drops
10:32 < slickerjet> im trying to see if that would work, like the two ports from switch -> two ports to pfsense appliance, would increase the throughput to 2 x 1gbps, i know i wont get 2gbit, i just wanna see if i can get 2 x 1gbit
10:32 < slickerjet> so two separate machines can max out 1gbit each
10:43 < Apachez> well you can get more drops if you get the proper gear :)
10:43 < slickerjet> i cant run any cables in my apartment :(
10:43 < slickerjet> just a renter :(
10:44 < Apachez> use this if you need a 10G router https://www.ubnt.com/edgemax/edgerouter-infinity/
10:44 < Apachez> or this if you are fine with 1G https://www.ubnt.com/edgemax/edgerouter-pro/
10:45 < Apachez> or this if you want fanless https://www.ubnt.com/edgemax/edgerouter-6p/
10:45 < slickerjet> i dont think the fanless will work, cuz SFP is just 1gbit right?
10:46 < Apachez> lets recap
10:46 < slickerjet> that means the switch i plug it into will be limted to 1gbit, which means 2 separate machines would not be able to hit 1gbit each download
10:46 < Apachez> whats the minimum you need?
10:46 < Apachez> you want 10G at home?
10:46 < Apachez> then use this as router:
10:46 < Apachez> https://www.ubnt.com/edgemax/edgerouter-infinity/
10:46 < slickerjet> i have wan1 @ 1gbit from at&t and wan2 @ 1gbit from comcast. i have 6 cat6 drops in my apartment. i want to be able to have at least 2 different machines max out each internet
10:46 < Apachez> and this as switch:
10:46 < Apachez> https://www.ubnt.com/edgemax/edgeswitch-16-xg/
10:47 < Apachez> and then you get the RJ45/MMF/SMF SFP/SFP+ from www.fs.com
10:48 < slickerjet> the edgerouter infinity doesnt have 2 RJ45 connections, unless im misunderstanding something, and the 16-xg doesnt have the RJ45 in quantity that i need
10:48 < slickerjet> the wan1 and wan2 from at&t and comcast are rj45
10:49 < slickerjet> also, i dont know if im' well versed enough in networking to use edgerouter, i have used USG-Pro4 before, and i like pfsense since it has a gui
11:11 < hetii> Hi
11:11 < hetii> I have such script: https://pastebin.ca/4017403 that use namespaces. The point is that from host I want to be able to telnet to service that bind inside ns2 so 11.11.11.2
11:12 < hetii> so on ns2 I run nc -l -p 1234 and on host: telnet 10.10.10.2 1234
11:16 < hetii> btw I need to go outside so please leave answer on my priv, thx :)
11:21 < Apachez> slickerjet: you get a SFP+ with RJ45
11:22 < Apachez> https://www.fs.com/c/customized-sfp-plus-2874
11:22 < Apachez> https://www.fs.com/products/66617.html
11:46 < ShalokShalom> which bandwidth measurement do you use when your goal is to distinguish between two video resolutions to send?
11:46 < at0m> kbps ?
11:46 < ShalokShalom> so, eg I want to decide if my 720p stream or the 480p one is more suitable - which tool you use?
11:47 < trae32566[w]> your eyeballs
11:47 < trae32566[w]> test from a remote machine or whatever
11:47 < ShalokShalom> for each file individually?
11:47 < ShalokShalom> I mean to automate the task
11:47 < ShalokShalom> like youtube does
11:49 < trae32566[w]> oh, yeah... good luck with that. It's gonna be complicated depending on how the video is being sent, but it would probably need to have at least both latency and bandwidth measurements. I have no idea how youtube does it though.
11:49 < Apachez> lets start this saturday with some cableporn :)  https://imgur.com/gallery/odcMSQc
11:50 < trae32566[w]> I'm sure there are software packages to do what you want
11:50 < trae32566[w]> also, why host video? Is a CDN not feasible?
11:51 < trae32566[w]> really the only time you want to host something like that is if a CDN isn't feasible, or you have tons and tons of infrastructure in many locations
11:54 < ShalokShalom> I probably do it with dtube, thanks
11:56 < ShalokShalom> ?
11:56 < ShalokShalom> sry, typo
12:09 < realbadhorse> what would be better/safer for static file hosting for a semi-experienced person? ftp or auto-indexed nginx? its going to be a public server
12:11 < trae32566[w]> a CDN
12:11 < trae32566[w]> I mean really that's 99% configuration dependent as far as just those two, but seriously, consider a CDN.
12:11 < realbadhorse> huh? no idea to do so
12:12 < realbadhorse> ill be hosting it from home with a broken laptop  running gentoo
12:15 < realbadhorse> its supposed to be pretty small scale so idk if i really need a cdn trae32566[w]
12:21 < redrabbit> ftp, really?
12:22 < redrabbit> its fuckin' annoying to get running and deprecated
12:41 < ShalokShalom> I guess hard he means sftp
12:43 < ShalokShalom> or she
13:24 < aaa_> hi
13:38 < zamanf> hi guys, do you know of any firewall for windows7 that does this? iptables -A INPUT -p udp -s 1.2.3.4 -m length --length 10:100 -j DROP ?
13:56 < trae32566[w]> you mean like Windows Firewall?
14:01 < zamanf> any firewall
14:05 < trae32566[w]> Windows Firewall is built in.
14:06 < zamanf> sure it is, but is it capable of doing this task?
14:06 < detha> no
14:08 < zamanf> is it possible at all under windows?
14:09 < detha> Nothing is impossible. Worst case you'd have to replace most of the windows stack with your own, but impossible? No.
14:09 < zamanf> I see
14:09 < detha> Infeasible? Probably yes.
14:10 < zamanf> maybe then I should get a router that supports iptables
14:10 < zamanf> do you guys have any experience with edgerouter? I am thinking of using it again
14:11 < trae32566[w]> I do, but I don't know if it'll do that sort of filtering
14:11 < zamanf> I remember it runs a linux os that supports iptables
14:11 < zamanf> I Will have to check again
14:11 < trae32566[w]> yes, but that's a very bad idea
14:11 < trae32566[w]> a very *very* bad idea
14:11 < zamanf> why?
14:12 < trae32566[w]> because it runs an OS that manages iptables for you, and by modifying it, you're screwing with everything. It's not supported, and it will break things.
14:12 < trae32566[w]> also, because it's not that simple. There are multiple chains and tables in play
14:13 < trae32566[w]> you need to actually understand everything going on, and that can get complicated with something like zone based firewall
14:14 < zamanf> my rule aims on a specific IP address, how this would mess with the rest?
14:15 < detha> zamanf: because the tools managing the firewall don't expect rulesets to changes, unless they are the ones doing it.
14:15 < trae32566[w]> and on top of that, who says INPUT is the chain being used?
14:15 < Arpanet69> zamanf, what does youre iptables statement do?
14:16 < trae32566[w]> Arpanet69: check the manual, it checks for packet length
14:16 < zamanf> Arpanet69, iptables -A INPUT -p udp -s 1.2.3.4 -m length --length 10:100 -j DROP
14:16 < Arpanet69> lol am not gonna check a manual for iptables :D just wanted to explain in plain englidh
14:16 < trae32566[w]> Arpanet69: https://www.netfilter.org/documentation/HOWTO/netfilter-extensions-HOWTO.html#toc3.7
14:17 < aaa_> openvpn over openvpn is possible ?
14:18 < trae32566[w]> that's a terrible idea
14:18 < aaa_> lol
14:18 < Arpanet69> trae32566[w], think you should leave there only bad ideas here
14:18 < Arpanet69> :)
14:18 < trae32566[w]> Arpanet69: someone has to say they're bad ;)
14:19 < trae32566[w]> would you rather me let them do it, and encrypt traffic inside an encrypted tunnel? good idea, go ahead.
14:19 < trae32566[w]> not like there will be any MTU decrease, or any encryption overhead or anything >.>
14:20 < Arpanet69> zamanf, you can do the same thing with windosw firwall with powershell you can be very granular.
14:20 < trae32566[w]> I don't think you can do it based on packet length
14:20 < aaa_> ok ok
14:24 < Arpanet69> trae32566[w], youre right it has allot of options but packet lenght is not included
14:25 < trae32566[w]> yeah, I don't even know if iptables does that by default, it's a module, so I dunno if EdgeOS would even include it
14:25 < trae32566[w]> one sec, I can check
14:26 < Arpanet69> better go for mikrotik
14:26 < trae32566[w]> Arpanet69: zamanf https://paste.fedoraproject.org/paste/0Wozu3yyoP99IlM5Eh4ryQ
14:26 < Arpanet69> or pfsense
14:26 < trae32566[w]> that was an EdgeRouter running 1.10.2
14:26 < trae32566[w]> so no, it doesn't have the required length module from what I can see.
14:27 < trae32566[w]> Arpanet69: I doubt Mikrotik will have it either, but maybe.
14:27 < trae32566[w]> pfsense. .. no idea
14:27 < trae32566[w]> that's such a weird thing to filter by
14:30 < qman> EdgeOS is debian underneath, so it's probably the easiest one to add custom stuff to
14:30 < djph> ^
14:31 < djph> although, it can be finicky (downside of oldstable0
14:31 < trae32566[w]> djph: 2.0 is scheduled for mid-may
14:31 < djph> trae32566[w]: yeah, but last I saw they weren't moving to stable.
14:31 < trae32566[w]> isn't mikrotik BSD underneath?
14:32 < djph> although, I could've skipped right over that comment
14:33 < trae32566[w]> I know they're incrementing a release
14:33 < trae32566[w]> no idea to what, I don't follow debian at all.
14:34 < djph> trae32566[w]: oh, so they are moving up a Debian release as well?
14:34 < trae32566[w]> AFAIK yes
14:34 < djph> good news then.
14:34 < trae32566[w]> from what I understand that means new kernel
14:34 < trae32566[w]> maybe they'll implement all the missing crap.
14:35 < detha> trae32566: mikrotik is linux/iptables underneath
14:35 < trae32566[w]> ahh.
14:36 < qman> the reason I say it's probably the easiest is you can literally install stuff from mainline debian with apt
14:36 < sysfault> is verizon fios 10/100 faster than cable 10/100? i know cable connections are shared as opposed to a dsl connection
14:36 < qman> it's a step further than just a linux kernel
14:36 < djph> sysfault: no
14:36 < sysfault> which has its own loop to the multiplexer, etc
14:36 < djph> sysfault: 100/10 is 100/10
14:37 < sysfault> so realistically they both cap out at the same speed?
14:37 < djph> assuming you're talking about "plans" offered by the ISP
14:37 < sysfault> yes i am
14:37 < sysfault> however cable seems to lag int he afternoon and night when usage is rampant
14:37 < djph> sysfault: close enough in any event.  One may top out at 110 and the other at 105, depending on how they're "limiting" you to 100m.
14:37 < qman> they work the same way, but whether or not the network is overloaded is regional and ISP dependent
14:38 < djph> ^
14:38 < sysfault> i see
14:38 < qman> if the ISP is oversusbcribed, then they're oversubscribed
14:38 < sysfault> i know dsl connections have their own path to the ISP
14:39 < sysfault> unlike shared cable
14:39 < djph> "their own path"
14:39 < djph> it's only to the DLSAM
14:39 < trae32566[w]> ^
14:39 < sysfault> i see
14:39 < djph> *DSLAM
14:39 < trae32566[w]> it still gets oversubscribed from there
14:39 < trae32566[w]> (most likely)
14:39 < qman> the physical wire isn't that important either, because the ISP itself still needs to combine the traffic into a bigger pipe to uplink
14:40 < sysfault> man im reading the introductory text you guys suggest and tanenbaum is everywhere in that darn book. it doesnt seem to have any organization
14:40 < qman> regardless of the technology used that remains the same, so if they have too many people connected to a given uplink, it will be slow during busy times
14:40 < sysfault> i want to read it before diving into my synbex ccna study guide
14:40 < detha> sysfault: oversubscription generally happens further upstream. last-mile is seldom badly oversubscribed
14:40 < CuriosTiger> if you had asked me 15 years ago, I would have thought DSL would win the residential Internet wars.
14:40 < sysfault> because i need a general networking education before i decide to do so but that tanenbaum book isnt the easiest
14:40 < djph> detha: except in TWC-now-Spectrum land
14:40 < CuriosTiger> cable has scaled better than I thought it would.
14:40 < CuriosTiger> still asymmetric, but for residential users, that doesn't really matter.
14:41 < CuriosTiger> it's a bit more of an issue for business, but cloud hosting fixes much of it.
14:41 < trae32566[w]> djph: I never have issues with TWC throughput or latency
14:41 < trae32566[w]> I pay for 300 x 20, get 350 x 25
14:42 < djph> trae32566[w]: must be a regional thing then - they *sucked* once school let out here.
14:42 < djph> .... but AT&T rolled out fiber, and now TWC is playing "please come back, we'll charge you 3x as much for 1/3 of what you get from the other guys"
14:42 < trae32566[w]> that'
14:43 < trae32566[w]> *that's odd
14:43 < djph> that's sales drones for you.
14:43 < trae32566[w]> because here, AT&T asks for $59 / month for like 3mbit, and I pay $79 for 300 x 20
14:43 < sysfault> i was thinking about paying for a gigabit connection but only one of my systems has a gigabit controller in it
14:43 < sysfault> so i decided not to
14:43 < trae32566[w]> I could actually use gigabit.
14:43 < trae32566[w]> >.>
14:43 < djph> trae32566[w]: read it again -- rolled out *fiber*
14:43 < qman> so could I
14:43 < trae32566[w]> djph: yeah, so? They have caps.
14:43 < qman> unfortunately I'm stuck with a terrible cable connection
14:43 < trae32566[w]> very low caps.
14:44 < trae32566[w]> IIRC it's like a 1TB cap
14:44 < trae32566[w]> actually I think 500G
14:44 < djph> trae32566[w]: 1TB if you don't also get uverseTV, or pay $20
14:44 < trae32566[w]> every 100GB over is like +$10
14:44 < trae32566[w]> yeah that's fucked
14:44 < djph> we opted for TV; $18 for the package, and no cap
14:45 < trae32566[w]> v6?
14:45 < djph> possible, but I haven't had a real need to go to v6, so I don't care
14:45 < sysfault> can anyone recommend a true introductory networking text
14:45 < sysfault> or should i stick with tanenbaum
14:45 < djph> sysfault: tanenbaum
14:45 < sysfault> and take my time
14:46  * sysfault falls out
14:46 < djph> trae32566[w]: I mean, I turned it on, and I suppose it's running dualstack, but honestly I really don't care enough to really get into it.
14:49 < cluelessperson> I fucking hate ads
14:49 < cluelessperson> I hate that ads show up on equipment I purchase
14:49 < cluelessperson> I hate that ads are built into my TV
14:50 < cluelessperson> I hate that ads becoming increasingly intrusive.
14:50 < cluelessperson> I hate that by signing up for internet from TWC, they start sending me ADS in the fucking mail
14:50 < cluelessperson> I fucking hate that when I CALL them and tell them to STOP SENDING ME ADS, they continue to
14:50 < cluelessperson> FUCK ADS
14:50 < cluelessperson> and fuck you if you allow them
14:50 < cluelessperson> :P
14:51 < afx> just stop visiting places which sell ads :)
14:51 < cluelessperson> afx: that's not a choice.
14:51 < afx> it is. i dont watch tv for example
14:51 < afx> rarly
14:51 < cluelessperson> afx: you're on the internet
14:51 < cluelessperson> afx: you buy groceries
14:51 < cluelessperson> afx: you have internet service.
14:51 < afx> im on irc :)
14:51 < cluelessperson> afx: they're inescapable
14:51 < tds> if you do want to watch tv, get a non-smart one, and plug a linux box into it :)
14:51 < afx> do you use social media for free? :)
14:51 < cluelessperson> I consider ads to be malware and defacing public property
14:52 < turtle> silence consumer, take it.
14:52 < afx> turtle: lel xD
14:53 < cluelessperson> turtle: I advocate for killing congressmen for treason
14:53 < afx> he couldnt resist the offer :)
14:53 < turtle> sweet, sounds like you're on some cool lists.
14:53 < cluelessperson> capitalism and fascism go hand in hand.
14:54 < afx> i knew it xD
14:55 < weyland|yutani> cluelessperson, ever heard about adblocking?
14:56 < cluelessperson> weyland|yutani: do they have adblockers for TVs?
14:56  * cluelessperson is going to have to setup a mirroring and analysis port for network monitoring so he can firewall various domains
14:56 < weyland|yutani> cluelessperson, sure its called mute button and making pizza
14:57 < weyland|yutani> cluelessperson, if you know your way around pfsense you could use NGblock and block all those pesky ad domains
14:59 < cluelessperson> weyland|yutani: NGblock on what exactly?
15:00 < weyland|yutani> domains used by ad companys there are lists for those said domains and you block them
15:03 < cluelessperson> weyland|yutani: well, how do I block them on the network itself?
15:05 < cluelessperson> weyland|yutani: in my case, unifi security gateways
15:08 < weyland|yutani> cluelessperson, install a firewall betwwen your lan and your router
15:09 < cluelessperson> weyland|yutani: the Unifi USG operates as a firewall and router
15:17 < Apachez> any of you who have been playing with graphviz?
15:22 < cluelessperson> So, I'd like to make a script that downloads adblock lists and updates my Unifi USQ's firewall
15:22 < cluelessperson> do you have any recommendations or ideas for getting lots of lists?
15:37 < weyland|yutani> https://filterlists.com/
15:55 < SporkWitch> did i just walk into tumblr or something? all i see is some illiberal leftist rambling incoherently (though with a VERY self-descriptive name)
16:04 < dogbert2> <shrug>
16:11 < TV`sFrank> too much Winner
16:12 < purplex88> is average download speed a statistical data?
16:12 < drac_boy> hi
16:32 < slickerjet> @Apachez sorry i fell asleep - what did you mean you get RJ45 with SFP+? that means i can get the XG-16 as my switch, and maybe get a unifi router with SFP+?
16:33 < slickerjet> i am not good at networking, as you can tell :(
16:33 < RJ45> SFP is a meme
16:34 < slickerjet> sorry did i misunderstand?
16:34 < tds> slickerjet: you can get sfp+ rj45 transceivers if you really want, but they're relatively expensive
16:35 < slickerjet> oh, i dont want to spend too much money
16:36 < slickerjet> my situation is as follows- i live in an apartment, i have 6 active cat54/cat6 drops in various rooms, i have wan1 from at&t @ 1gbit and wan2 from comcast @ 1gbit, i want to make it such that any 2 machine, or group of machines, can get at least 2 gbit total, or 1gbit per port
16:36 < slickerjet> i hav the 6 drops punched down in a closet, i'm trying to find the most cost effective gear, i just thought i could plug in two ports from my pfsense appliance, into 2 ports in my dumb netgear switch, and that way i can get 2 x 1gbit total throughput, i know no single machine will go beyond 1gbit
16:36 < Apachez> slickerjet: I meant if you need 10G TP (RJ45) you can get such SFP+ modules for that ubiquiti XG-16 box
16:37 < slickerjet> but if i can have at least two indepedent machines doing gigabit each, that would saturate both wan1 and wan2
16:37 < Apachez> yeah they are expensive and limited by the powerbudget of the SFP+ interface
16:37 < Apachez> I would recommend you to use multimode or singlemode fiber instead
16:37 < slickerjet> i cant rerun any wiring :(
16:38 < Apachez> I have summarized my graphviz vs network diagrams question at https://www.reddit.com/r/networking/comments/8dbucs/tools_to_create_maintainable_network_diagrams/dxqe7zp/ in case somebody have some input regarding graphviz :)
16:40 < slickerjet> @Apachez upon some amazon.com research, i think i understand what you mean by multimode and singlemode, you didnt mean rerun my cat cables with fiber, but look for multi mode SFP+ transcivers instead
16:40 < slickerjet> 10gbit SFP+ -> RJ45 is 200$ oh my
16:40 < Apachez> no
16:41 < Apachez> I meant that you should invest in multi or singlemode cables
16:41 < Apachez> you dont have to rip out your current tp cables
16:41 < Apachez> just add the fibers too
16:41 < slickerjet> oh, i cant add fibers because i dont own the place :( they wouldn't let me
16:41 < tds> slickerjet: do you want to be able to push 2gbit to a single remote server over both connections?
16:41 < tds> since that's going to be rather more complex than just the internal network
16:41 < slickerjet> no, just 1gbit would be enough, but i'd like at least 2 different machines to be able to get 1 gbit each
16:42 < slickerjet> my friend explained, i dont want 2gbps, i want 2 x 1gbps
16:42 < slickerjet> my wan1 and wan2 are both gigabit, but RJ45 from their respective consumer grade modems
16:42 < tds> get a slightly less dumb switch and do a 2x 1g bonded link from the router to the switch, then you should be sorted
16:42 < slickerjet> bonded link = LACP right?
16:43 < tds> you'll just need to do some magic on the router to route traffic from different devices out of each connection to split the load
16:43 < tds> yes
16:44 < slickerjet> how complicated is the magic you speak of? i'm not that good at CLI
16:44 < slickerjet> just clicking a few checkboxes in the pfsense interface?
16:45 < tds> I think that pfsense has support for doing it relatively easily, yeah
16:46 < slickerjet> okay sweet, then i have all the stuff i need, my pfsense appliance comes on monday, and i can grab a nice unifi switch from my office
16:46 < tds> depending on exactly how it does it, you may have some issues with certain services if you keep switching between multiple external IPs
16:46 < slickerjet> i think i should be able to do some outbound management, from what i have experience with on my peplink multi wan router, HTTPS Persistance i sthe major one
16:47 < slickerjet> currently i have a multi wan peplink balance one, but it maxes out at 600mbps
16:48 < Celmor> I'm trying to an ftp server working but always when the client switches to passive mode he gets ECONNREFUSED
16:48 < Celmor> although those ports are allowed in iptables
16:56 < drathir> Celmor: not ssh easier?
16:56 < Celmor> why ssh?
16:56 < drathir> Celmor: more secure and easier bypass fw...
16:57 < Celmor> don't wanna allow someone to execute commands on my machine just to allow them basic ftp functionality
16:57 < Celmor> and only wanna share on my local network
16:57 < drathir> Celmor: why You should do that ? ssh allow only sftp access...
16:58 < Celmor> someone wants to access my share as a "network drive" or filezilla
16:58 < tds> it might make more sense to use something like nfs or samba
16:59 < drathir> Celmor: sshfs+bitvisessh...
16:59 < Celmor> with nfs I often have permission issues between windows and linux
16:59 < drathir> tds: yep that good idea too... or just opencloud/seafile...
17:00 < drathir> Celmor: personally think ftp it the worst from all solutions, but Yours choice...
17:01 < Celmor> I tried having sftp access into explorer integrated previously but functionality is very limited and it's slow
17:02 < tds> is this windows explorer?
17:02 < Celmor> can I limit a user to sftp access to my ssh server?
17:02 < Celmor> client uses windows so yeah
17:02 < tds> iirc that can also do webdav, which should work fine
17:02 < drathir> Celmor: m$ samba/nfs probably best integration shot...
17:02 < Celmor> looked into webdav earlier, seemed complicated to setup
17:02 < tds> but yeah, I'd probably just do samba
17:02 < drathir> Celmor: yes You can per account setup only for ssh builid in...
17:02 < Celmor> wanted to keep my host system minimal and don't have complicated servers running
17:03  * drac_boy has always used filezilla or fetch when it comes to ftp no matter the os
17:03 < Celmor> drathir, windows still has problems with nfs, even if you use NFS services in win10, but remote doesn't use win10
17:04 < Celmor> with filezilla you still need a local copy of the file and can't work with the files remotely
17:04 < drathir> Celmor: if no explorer integration needed the fastest way sftp...
17:04 < drac_boy> celmor did you bother reading manual? ;)
17:04 < Celmor> of what?
17:05 < drathir> Celmor: there could be iscsi but that way comlicated setups...
17:07 < Celmor> I could setup iscsi (my filesystem would make it easy) but then I can't access the same files locally at the same time
17:09 < Celmor> if I wanna setup sftp-only access is this still up-to-date? post has been created 5 years ago https://serverfault.com/questions/354615/allow-sftp-but-disallow-ssh
17:12 < drathir> Celmor: creating user adding user to shh group add in sshd filter by group and set sftp only, and You can allso in case block console access...
17:12 < Celmor> how do I do the latter?
17:13 < Celmor> so is the answer in the post I linked correct?
17:13 < drathir> Celmor: im written fast from head +/- steps... not readed sadly...
17:15 < drathir> Celmor: but fast look its kinda similar looks like...
17:16 < Johnjay> ok kind of a softwarish question but if i turn a raspberry pi running debian into a consumer router, how stable is that going to be? Compared to something else like pfsense or freenas or these other programs?
17:16 < Johnjay> like is it going to run for 17.3 days and then crash mysteriously?
17:16 < Celmor> drathir,  so the chroot would disallow the users access to commands?
17:17 < Celmor> a pi might have higher latency/lower network throughput
17:17 < Celmor> pfsense and-the-like obviously have more features
17:18 < drac_boy> johnjay well theres two obvious network-related problems 1. it uses usb not native ethernet 2. wheres the second port or more?
17:18 < Johnjay> drac_boy: right i did see a usb stick used in the tutorial i saw. so it would have to be some kind of usb ethernet
17:18 < Johnjay> actually maybe it was just wifi lol
17:19 < Johnjay> so that's a good point
17:19 < Johnjay> Celmor: a new pi was just released with gigabit ethernet, which is why i'm askign
17:20 < Johnjay> it's got 1 ethernet jack, 4 usb 2.0, and integrated dual band wifi and BT
17:20 < drac_boy> johnjay physical doesn't matter..its likely still usb on the traces
17:23 < tds> ^ the physical gbit port on the pi 3b+ is still attached to usb 2.0, so your throughput won't be great
17:23 < tds> still better than the old 10/100 ports, though
17:24 < Johnjay> tds: er, so it's not really gigabit?
17:24 < drac_boy> I'll rather take native fast ethernet on any other board than ever bother with a sbc that uses usb but :P
17:24 < Celmor> sbc?
17:24 < tds> Johnjay: no, you'll never actually push gigabit through it
17:25 < Johnjay> so more like 280Mbit/s according to wiki spec for usb 2.0?
17:26 < Johnjay> "The new USB Ethernet controller offers gigabit connectivity at a theoretical maximum throughput of 300Mb/s, due to its use of a single USB channel."
17:27 < Johnjay> so in other words to offer more speed it would need to tradeoff some of those usb2.0 ports?
17:29 < Celmor> and need to be rewired
17:30 < Johnjay> well i mean, it's something that would have to be decided before manufacturing
17:33 < at0m> latest rpi3 has gigabit port, but ofc cant deliver gigabit either
17:34 < at0m> it does somethink like you wrote above.
17:34 < at0m> *something
17:35 < Johnjay> anyway aside from this gigabit issue
17:36 < Johnjay> what other potential issues would there be in using one of these for a home router
17:36 < Johnjay> would the bus be too limited to support multiple ethernet connections?
17:36 < drathir> Celmor: not chroot, chrot would limit to user directory only...
17:36 < Johnjay> i'm trying to figure out if it would be cheaper than buying a new wireless router
17:38 < drathir> Celmor: for limit is ForceCommand internal-sftp also for higher security You redirect shell to null one...
17:38 < tds> an ap/router should be relatively cheap and will likely work better than an rpi, you can always stick openwrt on it if you want linux
17:39 < at0m> Johnjay: technically speaking, rpi3 runs its gigalan also off an usb hub (internally), hence the more limited throughput
17:39 < Celmor> drathir, why null? what about /usr/bin/nologin or /bin/false
17:39 < drathir> Johnjay: You probably get better speed by wifi than eth unless no more shared with usb bus...
17:40 < Johnjay> tds: i wonder if you get more bang for your buck buying a small router that doesn't support wifi and plugging a raspi into it.
17:40 < Johnjay> routers cost at least $60, at least the wlan ones i know of
17:40 < superkuh> Hi. I've got a wireless serial link (56k) set up between two computers. The host on my LAN with an internet gateway and a client laptop not on the LAN with only a SLIP connection to the host. The SLIP connection is on a different subnet from my LAN on both host and client (192.168.5.0/24 SLIP, vs 192.168.1.0/24 LAN). I can ping over SLIP from host to client and vice versa fine. But now I'd like to set up internet connection sharing on the h
17:40 < superkuh> ost that can be used over the SLIP connection. I've outlined what I think I need to do at http://superkuh.com/SLIP-serial-internet-sharing.txt but I have a few questions.
17:41 < Johnjay> you can get pi0 with wireless for $24
17:41 < drathir> Celmor: yep that one null in meaning no access...
17:41 < Celmor> mine was half that price
17:41 < superkuh> First, when doing ip forwarding with iptables, do I set the ipforwarding on the SLIP interface (sl0) or on the ethernet/LAN one on eth0?
17:41 < superkuh> ie, sysctl net.ipv4.conf.sl0.forwarding=1 vs sysctl net.ipv4.conf.eth0.forwarding=1 ?
17:41 < Celmor> drathir, as opposed to /bin/nologin?
17:42 < tds> heh, I hadn't considered doing it with a pi zero, I guess that probably would be cheaper (but throughput won't be great)
17:42 < drathir> Johnjay: better save more and take something like https://omnia.turris.cz/en/ or some mitx intel boards...
17:43 < drathir> Johnjay: if You wanna power/stability for longer...
17:43 < Johnjay> well i don't really need great throughput, my internet is not gigabit or something
17:44 < superkuh> Second, when setting up the masquerade with iptables, does I set input (-i) to sl0 and output (-o) to eth0? ie, sudo iptables -A FORWARD -o eth0 -i sl0 -s 192.168.5.0/24 -m conntrack --ctstate NEW -j ACCEPT
17:44 < superkuh> And should the -s be the SLIP subnet or the ethernet/LAN one with the gateway?
17:44 < Johnjay> drathir: that is pretty pricey lol
17:44 < skyroveRR> Hi superkuh :)
17:44 < skyroveRR> And hi drathir :)
17:45 < Celmor> drathir, so if I use 'ChrootDirectory /home/sftp_user' in sshd_config and set that users home to / I can still use /home/sftp_user/.ssh/authorized_keys for authentication?
17:45 < superkuh> Hello skyroveRR.
17:45 < Johnjay> so basically as long as i'm willing to take lower throughput, the answer to my question is that a pi 0 can be used as a home router probably?
17:45 < superkuh> I guess this is probably more of a forum question than an IRC one.
17:45 < superkuh> Anyone have any good recommendations for a forum to discussing internet connection sharing of serial link (SLIP)?
17:45 < superkuh> ER, s/to/for/
17:45 < skyroveRR> superkuh: woah!
17:46 < Celmor> johnjay1, and higher latency
17:46 < skyroveRR> Wait, serial? You still in the stone age, superkuh ? :P
17:46 < drathir> Johnjay: but its all in one solution You can put anything You want there...
17:46 < superkuh> skyroveRR, it's wireless at 915 MHz.
17:46 < skyroveRR> Oh.
17:46 < superkuh> I'm abusing an FPV telemetry dongle as fallback connection for when my high speed ubiquiti kit fails.
17:46 < drathir> Johnjay: and low power consumption tooo....
17:47 < skyroveRR> superkuh: that's an unlicensed frequency, right?
17:47 < Celmor> you can power it just from a computers USB, or any power bank..
17:47 < drathir> Celmor: yes its preffered using ssh keys...
17:47 < superkuh> skyroveRR, yes. But I am licensed for general class as well.
17:47 < Celmor> drathir, just wondering if that's the place since I've set the users home to /
17:47 < skyroveRR> superkuh: so that covers that?
17:47 < drathir> skyroveRR: hi, hi ^^
17:47 < SporkWitch> Celmor: talking about a raspi?
17:47 < superkuh> If I want to boost the power in the future I can with my 25w bidirectional amp.
17:47 < superkuh> Yes.
17:47 < superkuh> I just have to avoid encryption.
17:47 < Celmor> SporkWitch, yeah
17:47 < Johnjay> drathir: right. i mean id' have to use some kind of ethernet hub to provide multiple outputs right?
17:47 < skyroveRR> superkuh: I see.
17:47 < SporkWitch> i've run 'em off solar panels before :)
17:48 < superkuh> I also designed a 910 MHz bandpass filter using split ring resonators that just finished being fabbed in China.
17:48 < drathir> Celmor: user account folder need be owned by root..,
17:48 < superkuh> http://superkuh.com/dgs-bandpass-filter.html
17:48 < Celmor> SporkWitch, what if there happens to be a cloud, suddenly router switches off, lol...
17:48 < superkuh> Specifically the iteration at this anchor, http://superkuh.com/dgs-bandpass-filter.html#yodawg
17:49 < Celmor> drathir, for security you mean?
17:49 < SporkWitch> Celmor: it wasn't meant to be pratical, i was just curious if the panel put out enough / the pi drew little enough
17:49 < tds> superkuh: that iptables rule looks fine, -s should be the lan side subnets that the traffic being nated is coming from, and you want to make sure you have a rule to allow established connections as well in both directions
17:49 < Celmor> yeah, since you can charge other things via a solar panel it'll be more than enough
17:49 < SporkWitch> s/prat/pract
17:50 < drathir> Johnjay: turris have multiple gigabit ports and if good remember usb3.0 too even hdd shoud handle w/o problems...
17:50 < superkuh> Thanks tds.
17:50 < SporkWitch> Celmor: well most stuff you "charge from a solar panel" is actually trickle-charging a capacitor of some kind, not supplying direct power to the running device
17:50 < tds> superkuh: and since you want to forward traffic in both directions, I think you'll need to enable forwarding on both interfaces (or just globally if you want)
17:50 < superkuh> Aha. Okay.
17:51 < SporkWitch> tds: correct
17:51 < drathir> Celmor: nope to chroot works sftp user folder need to be owned by root...
17:51  * tds is always just lazy and enables it on every interface :)
17:51 < skyroveRR> :)
17:51 < superkuh> I was just worried about borking my network for other things.
17:52 < tds> I saw that there was a docker interface on there, which may make life interesting when you start adding your own iptables rules, so good luck
17:53 < ska> Anyone know a network consultant in Sugarland TX area?
17:53 < superkuh> Yeah. apt-get remove didn't get rid of all docker's crap when I stopped caring about it.
17:53 < ska> If so, please PM me anytime.
17:54 < superkuh> ip link del docker0, there.
17:54 < ska> Also looking for someone in San Marcos, TX area.
17:54 < superkuh> Cleared that up.
17:54 < drathir> ska: in us crosstalksolutions guy probably could give some advices too...
17:55 < drathir> superkuh: purge ?
17:55 < superkuh> Good idea. Doing that too.
17:56 < drathir> superkuh: but not sure if it will mess with interfaces...
17:56 < superkuh> Well, it's no longer listed in my routes. So I'll just go and see what will happen.
17:56 < tds> superkuh: also, make sure you have iptables-persistent or something similar installed (with rules saved), so you don't lose everything on reboot
17:56 < drathir> superkuh: best shot that interfaces created by docker at system start get varnished after restart...
17:57 < Johnjay> these are cheap and need to have their mac addr changed: https://www.amazon.com/TOOGOO-Ethernet-Network-RJ45-Adapter/dp/B00CAMZVSC
17:57 < Johnjay> ska: what does a network consultant do?
17:59 < drathir> Johnjay: network design kinda probably hw chose etc...
17:59 < drathir> Johnjay: only not bcm based...
18:00 < Johnjay> ah ok. so basically the things i'm asking about
18:01 < drathir> Johnjay: bcm+linux bad idea mostly...
18:02 < drathir> Johnjay: kinda its fine when works its pain when come to os upgrade...
18:02 < superkuh> On my client PC connecting via SLIP to host IP, do I give the sl0 interface an IP address on the host LAN subnet? ie sudo ip addr add 192.168.0.200/24 dev sl0  then sudo ip route add default via 192.168.0.1 ?
18:03 < limon__> Is it possible to request a higher download rate from ISP where the rate has been reduced, presumably because of instability?
18:03 < Johnjay> apparently you can add an external ethernet port to the SPI interface: http://raspi.tv/2015/ethernet-on-pi-zero-how-to-put-an-ethernet-port-on-your-pi
18:04 < tds> those ENC28J60 modules are *very* slow, though
18:04 < cluelessperson> Can someone suggest a cheap 10G SFP card I can buy?
18:05 < tds> mellanox connectx2 cards tend to be pretty cheap on ebay, depending on your location
18:05 < drathir> limon__: only when dslam upgraded mostly... bc even if they give You higher queue dslam anyway wil drop You when auth/connection errors occur...
18:06 < Johnjay> you only get 3Mbit though
18:06 < Johnjay> lol
18:07 < drathir> limon__: adsl to adsl2+ upgrade could give You better quality depend at distance...
18:08 < limon__> drathir: ah that's annoying. The connection drops are due to bad weather only but it's annoying that I then have to wait for days after for the dl speed to increase
18:09 < drathir> limon__: keep on mind that instability could caused by lover queue placed in business plans there is chance more stable on rush hours...
18:09 < overyander> Hey, I'm wanting to write my own web filter for windows. from research, it looks like all web filters rely on setting proxy settings in the browser and send all web requests to the remote proxy that then does the filtering. I'm wanting to make something that runs locally on the machine and would apply to all browsers and applications even the user messes with the proxy settings. Can anyone point me in the right direction to start?
18:10 < drathir> limon__: hmmm... weather its sattelite wireless uplink?
18:11 < drathir> overyander: transparrent proxy at router with disabled access to it... ?
18:12 < limon__> drathir: No I think there are physical line problems probably, had it for ages but ISP obviously side step it or suggest 'sending a new router' -.-
18:12 < overyander> i'm needing something that runs as a local client on the pc's since they're mostly laptops and when employees travel with them there will be many different environments.
18:13 < drathir> limon__: weather should barely affect conection quality... You always can check connection stats if router support...
18:13 < overyander> I couldn't find anything to this and was looking into writing my own but I'm not sure where to start and how to properly tap into all the web requests on the machine.
18:14 < drathir> overyander: than no mess in my opinion only vpn client and filter at server side...
18:15 < limon__> drathir: it is consistent with bad weather. I presume there is a line fault somewhere. Have even had it in the past where opening the door has lead to disconnects!
18:17 < drathir> limon__: try maybe put some filters for rj11 and power of router...
18:17 < drathir> limon__: btw thats interesting indeed ^^
18:17 < overyander> drathir i don't see how that would work. let's say you take your laptop to the airport and you log in to windows and join the public wifi. what is going to force your computer to then connect to the vpn?
18:18 < limon__> drathir: have filter on rj11 but not router power
18:18 < limon__> I will try that, thanks
18:18 < drathir> overyander: You can setup oopenvpn as service and lock admin account i guess...
18:19 < tds> if you really want to stop determined users though, you'll struggle to if they have physical control of the hardware
18:20 < drathir> oh too late... wanna say also could try to turnoff modem for half of hour to reset connection al remote side...
18:22 < drathir> tds: yea i dont see needs to mess more with notebooks if there is way to bypass that still... tunneling the fastest way i think...
18:59 < spidey91> Hello I'm having problems forwarding ports so they are open in kali linux on virtualbox, I have them open on my modem/router, on my windows firewall, and on gufw the linux firewall. But still I cant forward ports 80 and 8080
19:18 < acresearch> people for cisco vpn where can i find the .pfx file?
19:21 < djph> acresearch: "which" .pfx file?
19:22 < acresearch> djph: apparatnly i need a .pfx file to extract the certificate and private key from inorder to connect a cisco AnyConnect VPN through OpenConnect
19:23 < djph> your IT dept wouldve made it for you (most likely)
19:23 < djph> since its supposed to be "your" key
19:25 < acresearch> djph: well they won't release it, they are forcing us to use windows
19:25 < djph> then grab it from a win machine
19:25 < acresearch> djph: if i cannot extract it or find it from the anyconnect client then i guess it is gave over, i and my students must move back to windows
19:26 < djph> acresearch: its not part of the client.  it would be pushed via win GPO for example
19:27 < acresearch> djph: win gpo?
19:27 < djph> group policy
19:28 < acresearch> djph: from a windows os?
19:29 < djph> no, from a mac ... what did i literally juat tell you?
19:30 < acresearch> i don't know djph i haven't used windows since 2008 i am not familiar with details of how it works
19:30 < acresearch> djph: my last ever windows machine was windows XP
19:31 < djph> so? i havent used it since 00, and i can still work out "get the certs"
19:44 < xceptioN> o/
20:00 < tpanarch1st> hello, this is either a simple question or a rather niggly one, I have searched and searched on google but i'm not finding anything that works. I use Chromium and PVE and I'm getting rather irritated by the "invalid certificate" error that I have to bypass every time I open a new window to get into the administration panel. It is only available on my LAN. I was concerned (although I'm highly likely to have misunderstood) that to get
20:00 < tpanarch1st> a certificate to satisfy Chromium (or chrome), I would actually need to open my PVE to the outside world
20:01 < tpanarch1st> (or the admin panel to the outside world) which is obviously not a wise idea. The best mitigation is you should "close port 80 again" and "work out how to reopen it" for, say, let's encrypt's renewal.
20:02 < djph> PVE?
20:02 < tds> you could use an internal CA, or use another form of validation for let's encrypt (ie dns-01)
20:02 < tpanarch1st> I can't see that being particularly wise either unless let's encrypt can tell you "we will tie up with you at 06:59:58seconds)
20:02 < tds> I suspect he means proxmox
20:02 < djph> AH
20:02 < aditya7400> internal ca is a good idea
20:02 < tpanarch1st> yes Proxmox, apologies, they have changed the name of it somewhat it seems and they now say Proxmox
20:02 < tpanarch1st> there's a little more to this :)
20:02  * tds uses an internal ca for certs on my proxmox host
20:02 < tpanarch1st> so I did find one page pf instructions
20:03 < tpanarch1st> and I downloaded the internal cert, imported it to chromium but chromium is ignoring it. It seems Firefox is Ok with it
20:04 < tpanarch1st> -but- alas, a hell of a lot of my website passwords/autocomplete/bookmarks are in chromium so I don't fancy switching :)
20:04 < tpanarch1st> i'm on a home network with a few issues 1) No static IP 2) One Dynamic IP not Two 3) Proxmox is set to Corinthian.LAN and not a proper FQDN (I never anticipated exposing the interface to the outside world
20:05 < tpanarch1st> that's it I think :) - So tds you can see how using internal hasn't played ball and DNS is a touch tricky
20:15 < tds> yeah, an internal ca sounds like the best option then - chromium should work fine with it, I've had issues with it not displaying a new cert after swapping it on the server but at worst restarting chrome should fix that
20:17 < tpanarch1st> indeed tds
20:17 < tpanarch1st> so i've downloaded pve-root-ca.pem
20:18 < tds> ah, I'd probably recommend generating your own root then signing certs for each host with that, rather than using the built in pve one
20:18 < SporkWitch> ^
20:18 < tpanarch1st> imported it into "authorities" on the SSL Certificate Settings area of Chromium
20:18 < tds> then you can sign certs for other internal services in the future
20:18 < SporkWitch> ...
20:18 < tpanarch1st> ah right :)
20:19  * SporkWitch starts signing certs with pve cert
20:19 < tpanarch1st> but i'm still getting the warning after doing that bit :)
20:19 < tpanarch1st> I did close and re-open chromium
20:19 < SporkWitch> what is the usecase here?  What kind of server are you trying to access and with what?
20:19 < tpanarch1st> sure SporkWitch internal LAN PVE (Proxmox) Web Interface
20:20 < tpanarch1st> sick to death of having to bypass security warning but want it to be as secure as possible nevertheless
20:20 < SporkWitch> ah, so not publicly reachable?
20:20 < tpanarch1st> nope SporkWitch hence limited options AFAIK :)
20:20 < SporkWitch> tpanarch1st: https://github.com/OpenVPN/easy-rsa
20:21 < SporkWitch> it's for openvpn, but you can use it for anything that takes x509 certs
20:21 < tpanarch1st> i thought it was never advisable to allow pve web interface access to the outside world :)
20:21 < tpanarch1st> i'm **not** saying **you are*** saying that anybody :)
20:21 < tpanarch1st> and yet if you want a decent cert, they say, officially, you need to
20:22 < tpanarch1st> "blow a hole in the side of the ship to secure the ship"
20:22 < SporkWitch> tpanarch1st: use the thing i linked if you can't use letsencrypt
20:22 < tds> you can still do dns-01 for unreachable things if you want to use let's encrypt
20:22 < tpanarch1st> yeah :) What's the difference between that and the route i've taken please :)
20:22 < tpanarch1st> tds: what is dns-01 :)
20:22 < SporkWitch> tpanarch1st: reduced headache and confusion lol
20:23 < tds> but that doesn't help if you're using .lan dns names, le certainly won't give you a cert for those ;)
20:23 < tpanarch1st> tds: maybe SporkWitch 's less headache route might be easier?
20:23 < SporkWitch> easyrsa is very well-named :)
20:23 < tds> yes, absolutely, I originally said to do an internal ca :)
20:23 < xceptioN> that's hot
20:23 < tds> just saying that it's still possible to use le in scenarios where the server isn't public
20:23 < xceptioN> wrong window
20:23 < tpanarch1st> ok, cool, it's when you've got two different people with different routes you don't want to seem like you are "playing people off"
20:24 < tpanarch1st> haha xceptioN
20:24 < SporkWitch> tds: yeah, still needs a normal FQDN, though
20:24 < tpanarch1st> ok :)
20:24 < tpanarch1st> have either of you done the easyrsa route?
20:24 < tpanarch1st> partic with pve
20:25 < SporkWitch> i've used it for signed SSH keys and openvpn
20:25 < tds> it shouldn't be any different for pve, just follow the easy-rsa docs, then see the pve docs for how to install the keys on the host
20:25 < tds> s/keys/cert and key/
20:26 < tpanarch1st> ok tds where should i install easy-rsa please? i'm thinking it's probably wise not to mess up PVE and install it on that machine, but then, if you are saying do that for all websites, then i suspect it's worth just banging it on my laptop?
20:26 < tpanarch1st> sorry i say websites - all of my machines with web interface security complaints
20:26  * SporkWitch facepalms
20:26 < BottomX> Why I can’t open the home page of ##networking why this happens?
20:27 < SporkWitch> we have a homepage? lol
20:27 < tpanarch1st> BottomX: what do you see?
20:27 < tds> yes, I'd do it on a trusted machine (eg your desktop/laptop if you trust that, a dedicated vm if you want)
20:27 < tpanarch1st> I was going to say Paragon Internet are in a right mess!
20:27 < tpanarch1st> tds: sounds like my laptop is the most sane solution
20:27 < tpanarch1st> any stumbling blocks, is it rocket science or straight forward :)
20:28 < BottomX> Just about server problem
20:28 < tds> it should be pretty simple, it's called easy-rsa for a reason :)
20:29 < tpanarch1st> excellent, well i shall open the website and have a read :) Thanks for that :)
20:30 < tds> if you fancy an even easier solution, there are also similar gui tools (eg xca)
20:30 < SporkWitch> don't do it!
20:30 < SporkWitch> GUI is a trap
20:30 < tds> easy-rsa is probably better documented, though
20:30 < djph> ^
20:31 < tpanarch1st> are there any instructions for installing it please - the readme doesn't say :)
20:31 < tds> eh, all of these things are just running the same openssl commands behind the scenes :P
20:31 < tpanarch1st> :-D
20:31 < SporkWitch> don't mean that as a joke either; GUI admin tools for things whose primary interface is config files and CLI are a TRAP, they don't really teach you what you're doing, and they have a habit of mangling things making it almost impossible to shift to the "right" way; it's like using waterwings into adulthood, you're never actually going to learn to swim
20:32 < tpanarch1st> hehe :) I'll take your word for that so as not to confuse this anymore - i'm looking at this dauntingly as it is
20:32 < SporkWitch> tds: even with easyrsa, you at least learn some and you can see what it's doing
20:32 < SporkWitch> GUI tools hide all of that
20:32 < tpanarch1st> reet, so i presume with any program it needs to be installed and not just shoved in a directory somewhere?
20:33 < SporkWitch> limited exception: zenmap, which actually does show you the actual nmap commands it's running
20:33 < tpanarch1st> i could go on google "how to install easy-rsa" but are there any acceptable instructios
20:33 < tpanarch1st> instructions
20:33 < tpanarch1st> i was tempted to simply go to package manager
20:33 < SporkWitch> depends on the program; easyrsa is just a script to help automate some stuff for you; you need to install openssl and the other deps normally
20:33 < tpanarch1st> ohhhhh I didn't know that :)
20:33 < tpanarch1st> ahhh
20:34 < tds> iirc easyrsa is also packaged for debian, that should get you all the dependencies and a magic command to set up a new directory with the easy-rsa stuff in
20:34 < tpanarch1st> I can go and do this by probably a million tutorials but i often find i hit a problem and then i'm told i followed the wrong instructions
20:34 < SporkWitch> probably right, i know openvpn installs easyrsa as a dep itself lol
20:34 < tpanarch1st> oh sweet - so perfectly acceptable to use aptitude instead :)
20:34 < tpanarch1st> i'm on linux mint (love it)
20:35 < tpanarch1st> so deb essentially
20:35 < tpanarch1st> any wise words before I do apt-get install easy-rsa :)
20:35 < tpanarch1st> then, any decent newbie instructions for after on the web that you guys say "yeah, they are cool"
20:37 < djph> the manpage?
20:39 < tpanarch1st> djph: ah these manpages are really hard to understand :) So I like to go to easy to read tutorials but i'd rather avoid a tutorial that is wrong :)
20:39 < FalconMillennium> My dynamic IP resets every hour at around h:30-40, can I do something to prevent that?
20:39 < FalconMillennium> And my connection gets interrupted.
20:39 < SporkWitch> tpanarch1st: man man
20:39 < tpanarch1st> SporkWitch: haha :-p
20:39 < SporkWitch> FalconMillennium: scream at your ISP
20:40 < tpanarch1st> i've made that joke before
20:40 < SporkWitch> tpanarch1st: it's not a joke
20:40 < djph> so, then (until [$understand == "true" ] ; then read the manpage )
20:40 < tpanarch1st> serious, they have actually releases a man for the man
20:40 < tpanarch1st> damn, that says a lot :(
20:40 < tpanarch1st> why could they have just not made the man more accessible
20:40 < SporkWitch> why wouldn't they? the point of man is documentation for the various commands, and that includes man itself
20:41 < tpanarch1st> yeah i can see your way of thinking SporkWitch
20:41 < tpanarch1st> :)
20:41 < SporkWitch> it's very accessible, with a standardized format.  while some tools have better documentation than others, the format is generally well-adhered to
20:41 < tpanarch1st> it's like a lot, in terminal you get something like "type --help command"
20:41 < tpanarch1st> and then i type that, and i'm like "oh that doesn't work, i just get some error"
20:41 < SporkWitch> tpanarch1st: it also supports vi movement and search commands
20:42 < tpanarch1st> does it work ok with nano
20:42 < SporkWitch> you can still use arrow keys if you prefer, yes
20:42 < tpanarch1st> aha
20:42 < tpanarch1st> so like, i just typed man easy-rsa but nope
20:42 < SporkWitch> you can also use hjkl, C^D and C^U, and /pattern to search, just like in vi command mode
20:43 < SporkWitch> easy-rsa is a script, it doesn't have a manual page; it does have its own documentation though, including a readme and extremely well-commented config files
20:43 < SporkWitch> (unless it's something bundled, like adduser, scripts don't normally have manpages)
20:46 < tpanarch1st> oh right, i was just trawling man man trying to work out how to search for a manpage lol
20:46 < tpanarch1st> normally i thought it was just man and then whatever
20:46 < tpanarch1st> so that's just for commands then
20:46 < SporkWitch> generally, if there's a manpage for it ;)
20:46 < tpanarch1st> ahhh - so there isn't
20:46 < SporkWitch> unrelated, but a great and edifying read: man hier
20:47 < tpanarch1st> oh right :-p i'm sure it will be a best-seller in no time :-p
20:47 < tpanarch1st> so readme in that github area then?
20:47 < tds> easy-rsa does provide a minimal man page for make-cadir, but I think that's it
20:48 < tpanarch1st> it's supposed to be that simple, you don't need one
20:48 < tpanarch1st> i'm starting to think this is a single command
20:48 < tpanarch1st> once i find the right one
20:48 < tpanarch1st> now it's installed
20:50 < drathir> guys which fw schema is most popular this days ? ACL-based or zone-based firewalls?
21:10 < Apachez> drathir: proxy and applicatiobased
21:29 < jim> when looking at a host's ip route output, if the routes include a default route, will it always look like "default.*dev (interface) .*?
21:30 < jim> err, "default.*dev (interface) .*" (forgot the closing quote)
21:36 < tds> jim: be warned that some things (eg openvpn) will add "default routes" in weird ways
21:36 < tds> eg for v4 ovpn can do 2 /1 routes, to make them preferred over the /0 route
22:10 < SporkWitch> so with ipv6, why does my host show a /64 and /128 with different last 64?  Based on logs on the distant end, the /128 seems to be the specific host, what's that /64 then? gateway?
22:10 < Apachez> tds: yeha longest prefix wins
22:11 < Apachez> with v6 you normally use the linklocal as nexthop
22:12 < SporkWitch> they're both listed as global dyanmic; only distinction between the two is the last 64 and /64 vs /128
22:34 < xingu> SporkWitch: link-local vs dhcp6 assigned global?
22:34 < SporkWitch> link local is a third address; both in question are global scope
22:35 < SporkWitch> looks like my isp is using a 6to4 tunnel, probably why i'm getting slow loads on pages
22:36 < Dagger> if it begins with 2002: then it's 6to4. but it's more likely that it's your router using 6to4, rather than your ISP
22:36 < Dagger> but also if you're using 6to4 then v4 is preferred over v6
22:36 < SporkWitch> agreed, just turned it on to see if it'd behave :P lol
22:36 < SporkWitch> and no, LAN prefix only, so you're probably right about it being the router doing it
22:37 < SporkWitch> or no, i'm not sure; in the ac-3100's settings i have it set to native... hmmm
22:37 < Dagger> addresses added as /128 are usually from DHCPv6. addresses from SLAAC or manually configured are usually /64
22:38 < Dagger> both of them will be the address of your computer, assuming they're listed in `ifconfig` or similar on the computer in question
22:39 < SporkWitch> yeah, just trying to figure it out; when i visit ipv6 test sites it shows the /128 address, not the /64
22:41 < ottomatik> Hi. Sorry for this stupid question. Is the name of the protocol "file transfer protocol" or just "ftp" ?
22:41 < Dagger> your browser has to pick one address or another to connect from. it just happens that it picks that one
22:43 < Dagger> you can try `wget -O- -o/dev/null https://ifconfig.co --bind-address <addr>` or something similar with the other address. or just ssh in from outside or something
22:48 < ottomatik> Any one for my qu'est..
22:49 < ottomatik> Question please?
22:49 < tpanarch1st> tds: is this an ok guide? https://www.akadia.com/services/ssh_test_certificate.html
22:49 < xceptioN> ottomatik: File Transfer Protocol is FTP for short
22:50 < xceptioN> acronym
22:51 < ottomatik> xceptioN, i understand ftp is an acronym. I just want To know if the name is "ftp" or "file transfer protocol"?
22:54 < xceptioN> ottomatik: Your question is like asking: Is the name "IP" or Internet Protocol
22:55 < xceptioN> You can use whichever.  FTP is shorter, easier to type.  But for report writing and talking with others, you should at least mention "File Transfer Protocol (FTP)" so they know FTP will stand for File Transfer Protocol after
22:56 < xceptioN> talking with others that aren't tech related or something I mean
22:57 < ottomatik> xceptioN, so both are considered names. Is that Correct?
22:59 < SporkWitch> initialism, not acronym
23:03 < ottomatik> SporkWitch, what's your answer for my question, please?
23:05 < SporkWitch> your question was largely answered, i merely corrected your misuse of the word "acronym."  An acronym, by definition, must be pronounceable as a word, e.g. Linux, WINE, PITA.  If you read / say it by speaking out the individual letters, it is not an acronym.  All acronyms are initialisms, but not all initialisms are acronyms.
23:07 < ngc0202> since when is linux an acronym
23:08 < SporkWitch> ngc0202: not 100% on timeline, but it's a mixture of a portmanteau of Linux and UNIX, and LINUx Is Not Unix
23:09 < Johnjay> Gnu's not Unix either
23:09 < SporkWitch> yup
23:09 < ottomatik> SporkWitch, for me the name of the protocol is "file transfer protocol", ftp is  just an abbreviation. But apparently I'm wrong
23:09 < SporkWitch> stallman does love his recursive acronyms
23:09 < xceptioN> ottomatik: its the same thing
23:09 < SporkWitch> ottomatik: it is not an abbreviation, it's an initialism
23:10 < Johnjay> you'd think from the name it's the only way you can transfer a file
23:10 < ngc0202> SporkWitch: I was under the impression it was just named after Linus, with an x at the end, possibly in reference to UNIX and possibly just because x is a cool letter
23:10 < Johnjay> Richard Stallman has a very strong opinion about saying Gnu/Linux
23:10 < Johnjay> and he will correct you no matter how many times you say linux
23:10 < xceptioN> :^)
23:11 < SporkWitch> ngc0202: the portmanteaux aspect is definite; it's possible i conflated it with GNU is Not Unix in my memory
23:11 < ottomatik> SporkWitch, in the dictionary it says   an initialism is an abbreviation
23:11 < xceptioN> ottomatik: File Transfer Protocol.. FTP, same thing.  Lol, don't overthink it friendo
23:12 < SporkWitch> ottomatik: which dictionary? that said, i could be mistaken there; i typically think of an abbreviation as merely removing letters, not a full-blown initialism, but you may be right.  initialisms may well be a subset of abbreviations just as acronyms are a subset of initialisms :)
23:12 < SporkWitch> xceptioN: well he said it was for a paper, no? only reason i'm getting THIS pedantic, instead of just leaving it with the original comment :P
23:12 < ottomatik> SporkWitch, wiki dictionary
23:12 < SporkWitch> ottomatik: so not a dictionary lol
23:13 < SporkWitch> wikis, by definition, are not primary sources, and you'd do well to learn that quickly if you plan to be writing ANY kind of paper lol
23:13 < xceptioN> SporkWitch: he didn't say it was for a paper. I just pointed out that, if for report writing, it is good practice to always mention the full name of something first time and use the initialism/acronym/whatever between parenthesis, then from there on you can use the shorter form after
23:14 < SporkWitch> xceptioN: ah, my bad then :(
23:14 < xceptioN> Cause like, the only reason I could think of overthinking FTP/File Transfer Protocol, is for something like academia or report writting heh
23:15 < ottomatik> SporkWitch,  the wikidictionary is pretty decent Ive it installed on my phone
23:15 < SporkWitch> xceptioN: yeah, i always define my terms, even if they're clear but some people may want to quibble.  I had to do a paper about GMOs once, so right at the outset, to head off any nitpicky counters of "selective breeding is genetic modification!" i clearly defined genetically modified organisms as those created in a laborated through means such as gene manipulation, rather than selective breeding
23:15 < Johnjay> SporkWitch: you wouldn't make a great lawyer. they would just redefine a farm as a "laboratory for species"
23:15 < SporkWitch> ottomatik: it's also able to be modified by any random asshat; again, wikis are not primary sources.  by all means, use them to FIND primary sources, but never trust the wiki
23:16 < SporkWitch> Johnjay: context matters.  A legal argument is not a research paper.  The point of defining one's terms in a paper is to make one's meaning clear and make straw men harder to construct.
23:19 < ottomatik> xceptioN, i' m low intelligence, i ask stupid questions
23:20 < SporkWitch> might want to look into a different career field, then...
23:23 < Johnjay> SporkWitch: if Ted kennedy could get away with murder with 17 lawyers i think they know how to manipulate context pretty well
23:24 < SporkWitch> Johnjay: again, we're not talking about a courtroom, we're talking about an academic paper and legitimate academic criticism
23:24 < Johnjay> as long as you don't quit your day job and go to law school then that's fine then
23:25 < SporkWitch> Johnjay: you have literally zero basis for making an assessment of my ability to argue to win, rather than argue to reach truth.  We were discussing the writing of academic papers; you are literally the only person talking about courtrooms
23:27 < jim> is there a problem here
23:27 < SporkWitch> you have a hat in ##networking now? O.o
23:28 < jim> oh, didn't see that :)
23:28 < SporkWitch> in any case, not really; just really weak trolling and insinuations of incompetence for no reason
23:28 < jim> sowwy, be excellent to each other
23:37 < jim> hmm... novax is ralph novak's trademark on the musical instruments he builds
23:38 < SporkWitch> sounds like an antivaxer :P
--- Log closed Sun Apr 22 00:00:53 2018