--- Log opened Thu Apr 26 00:00:03 2018
--- Day changed Thu Apr 26 2018
00:00 < Dagger> it's fairly reliable, but let's not talk about the speed
00:00 <+catphish> i did cheat my measuring from may LAN router
00:01 <+catphish> Dagger: my wifi latency is 4.2ms, so i actually have slower connection to my AP than i do to london (100+ miles away)
00:03 < wiresharked> Dagger: Does flow control really improve performance?
00:04 < tds> catphish: you'll be happy to know that the rtt over your home connection is better than over the uni internet here ;)
00:05 < wiresharked> tds: And yet the belkin N300 doesn't support ac
00:06 < tds> eh, no need for this fancy ac stuff, just use a wire
00:06 < Dagger> catphish: so, I consider wiresharked's constant stream of random questions to which they don't care about the answers to be trolling, even if the questions are somewhat vaguely on-topic
00:06 <+catphish> Dagger: yes, he always does that]
00:06 < xamithan> Just put the kid on ignore|squelch,  thats what I do
00:06 < Dagger> catphish: I'm sure it's going to take a lot to make you want to ban them, but could you at least keep an eye on them?
00:06 <+catphish> Dagger: you can ignore him, or we can ban him
00:07 <+catphish> he's been doing it for months, i was waiting for someone to complain
00:07 < Dagger> because I don't think that on-topic trolling should be a "get out of jail free" card for trolling
00:07 < Dagger> well, you may consider this a complaint :p
00:07 <+catphish> he's gone now
00:08 < Dagger> and yeah, I can ignore, but that doesn't solve the issue for the other 1200 people here (plus it leaves me seeing only half of converstions)
00:09 <+catphish> i can't stand his nonsense
00:10 < Chojuan> question, I ping gateway 192.168.1.1 trough wifi RTT 0.749/1.053/2.098/0.394 and I ping google RTT 0.078/0.099/0.103/0.015 how ping works?
00:10 < Dagger> we've had someone very similar in #a&a over the past year or two. really annoying
00:11 < tds> Chojuan: could just be that the gateway is bad at replying to icmp
00:11 <+catphish> Chojuan: gateway is just slow
00:11 < Dagger> (different hostname, so probably not the same person... although they both use web gateways)
00:12 < cyberbootje> Hi all, i'm trying to test LACP on 3 servers using a 10G switch, also with LACP enabled. Is it possible to split network speeds from 1 server to 2 servers? What i mean is, can i aggregate an LACP bond (2 x 10G) and do 2 x an iperf test to 2 other machines that have 1 x 10G each and basically saturate the 20G bond on 1 host and saturate both other machines that have 10G each ?
00:12 <+catphish> cyberbootje: yes
00:13 <+catphish> cyberbootje: LACP uses a hash to determine which link to use, so it may be that the 2 connections use the same link, or different links, it's luck
00:14 < cyberbootje> well for some reason i'n not able to saturate 20G
00:15 <+catphish> cyberbootje: well what do you see? both connections sharing the same 10G link?
00:15 <+catphish> there was a 50% chance that would happen
00:15 < redrabbit> https://www.dnsperf.com/#!dns-resolvers
00:15 < redrabbit> im sold on 1.1.1.1
00:15 < cyberbootje> i tried tweaking and using jumbo frames, all i get is exactly 5.15Gbit on eacht host
00:15 < redrabbit> just tried it
00:16 < redrabbit> sites load in a flash
00:16 < tds> redrabbit: just run tests from your own network, that's the best way to tell how it'll affect you
00:16 <+catphish> in flash? eww
00:16 < tds> but if you really care about dns latency, run your own internal caching forwarder/recursive resolver :)
00:16 < cyberbootje> catphish: so basically the bond thinks it's a 10G link while with ethtool it says 20000GB
00:16 < redrabbit> tds: i do that
00:16 <+catphish> cyberbootje: the bond is 2 x 10G LACP
00:16 < cyberbootje> yes
00:17 <+catphish> that wasn't a question, it was a statement
00:17 < cyberbootje> both fiber
00:17 < redrabbit> i replaced the cache source
00:17 < cyberbootje> lol
00:17 <+catphish> that has specific consequences, it means that each connection will use a random link
00:17 < Kingrat> if you can, on your hosts/switches, i suggest trying layer3+4 hashing policy
00:17 < Kingrat> it could help
00:18 <+catphish> (not really random, based on a hash, the hash can be configured to use layer2, or layer 2+3, or layer 2+3+4)
00:18 < cyberbootje> it is set to layer2
00:18 <+catphish> cyberbootje: you probably want the 2+3+4 so that every tcp connection uses a random link
00:18 <+catphish> rather than each host being assigned to a link (layer 2 hashing)
00:18 < tds> this has always confused me - I thought lacp worked at layer 2, so how does it hash based on source/destination IP/ports - does linux/whatever just look at the ip packet inside the ethernet frame to calculate the hash?
00:18 <+catphish> tds: yes
00:19 <+catphish> the OS calculates the hash by whatever headers you tell it to inside the frame
00:19 < cyberbootje> hmm ok
00:19 < cyberbootje> i have an option between L2+L3 or L3+ L4
00:19 <+catphish> with layer2, it will alswys use the same link to talk to the same host, pretty much useless
00:20 < tds> hmm, so how would that handle any non-ip ethernet traffic, would it just ignore the contents and hash based on mac addresses instead?
00:20 <+catphish> if you do l3+l4 then each tcp connection will get a random port, that's what you want
00:20 <+catphish> be sure to configure it on both sides
00:20 < cyberbootje> catphish: but the other side has no bond
00:21 < cyberbootje> as in, the other hosts
00:21 <+catphish> cyberbootje: the other side is the switch
00:21 < cyberbootje> hmm ok
00:21 <+catphish> switch one side, host the other
00:21 < Apachez> oh noes not THE switch
00:21  * Apachez runs away screaming with his arms well above his head
00:21 < cyberbootje> that's set to lacp "standard" whatever that may be
00:21 < Apachez> when you do lacp you need to verify two things
00:22 <+catphish> cyberbootje: if you can't change the switch config, don't worry, just means traffic the other way won't be balanced so well
00:22 < Apachez> 1) set the lacp timer to "short" (that is the lag will form within 1 second instead of 30 or so seconds)
00:22 <+catphish> Apachez: i didn't know that was a thing
00:22 < Apachez> 2) change hashalgo into (if possible) srcip+dstip+srcport+dstport, sometimes this is called layer3+layer4 algo
00:22 < cyberbootje> catphish: i probably can change it,  il will have to check what it supports
00:22 < Apachez> catphish: running away screaming?
00:23 <+catphish> cyberbootje: well set them both to l4 if possible
00:23 <+catphish> but it's fine if they don't match
00:23 < Apachez> yeah and the point 1 and 2 above must be done at all participating devices (switches)
00:23 < Apachez> yeah but suboptimal
00:23 < Apachez> flows in one direction will be somewhat loadbalanced while flows in the other direction will only use one cable
00:24 < cyberbootje> i would need to crack open the documentation
00:24 <+catphish> i was suposed to be learning iscsi tonight
00:24 < Apachez> so in A->B you get redundancy + increased bandwidth
00:24 < Apachez> while B->A you only get redundancy
00:24 < Apachez> also note that increased bandwidth means total bandwidth, a single stream/session will still only be able to use the capacity of a single cable
00:24 <+catphish> l2 hashing still works, just means it's assigned per mac only
00:25 < Apachez> but if you download 2 files at once the l3+l4 hashalgo, unless you are really unlucky, will end up using two cables (one cable for one filedownload and the other cable for the other download)
00:25 < Apachez> yeah but then a single host wont be able to push more than a single infrastructure link
00:25 <+catphish> not really that unlucky, with 2 links its a 50% chance
00:25 < Apachez> depends on how the hashalgo is being used
00:26 < Apachez> some devices will use a roundrobin
00:26 < Apachez> some will just do a bitwise match and if even it goes link1 or odd then link2
00:26 <+catphish> i thought it was always the latter
00:26 <+catphish> way less processing needed
00:26 <+catphish> otherwise you'd need a table
00:27 < Apachez> if we look at portnums you have more odd ports than even ports
00:27 < Apachez> and this goes both ways
00:27 < cyberbootje> well for now it does not work so i will need to check what the switch can do
00:27 < Apachez> so you will end up with an odd combo is more likely than even combo
00:28 < cyberbootje> bummer, don't think it can handle it
00:29 <+catphish> well it'll work for traffic from that server at least
00:29 < cyberbootje> or i'm just stupid
00:29 < cyberbootje> any chance you know the switch? VDX 6740
00:31 < cyberbootje> other way around works perfect
00:31 < tds> cyberbootje: what direction do you mean by "other way around"?
00:31 < cyberbootje> 2 x host(1 x 10G) --> 1 host (2 x 10G lacp)
00:32 < cyberbootje> i get 9.89Gbit on each machine
00:32 < tds> hmm, that could just be the switch hashing based on l2 info and not l3 then
00:33 < drac_boy> hi
00:33 < cyberbootje> tds: probably, but i'm afraid the switch can do standard LACP only
00:33 < cyberbootje> need to check it in the morning
00:34 < drac_boy> just curious about it but what do you think about a full size wifi card versus buying a mini-to-full slot adapter and using a mini wifi card? (its the same antennas on rear in either setups anyhow)
00:38 <+catphish> drac_boy: really shouldn't matter
00:39 <+catphish> cyberbootje: yeah thats your switch hashing
00:40 < drac_boy> thanks, suspected cost was the only possible difference catphish :)
00:40 <+catphish> cyberbootje: you could change the MAC on one of the 2 x 10G hosts until it works :)
00:41 < cyberbootje> catphish: i'm going to try that
00:42 < cyberbootje> for now i'm googling and i find it hard to believe a Brocade VDX can't do this
00:47 < CannedSpinach> if I can't resolve a server's hostname on my own network, what are the troubleshooting steps?
00:47 < CannedSpinach> it resolves fine on one computer but struggles with another
00:48 < Chojuan> man hosts
00:49 < cyberbootje> catphish: changing the mac of one slave brakes connectivity to one of the other hosts
00:50 < xamithan> setup the computer with the same DNS that resolves on the other computer
00:51 < CannedSpinach> xamithan: is there a file to transfer or something?
00:51 < CannedSpinach> the problem computer is using the same hosts file as another computer that connects just fine
00:52 < xamithan> Maybe,  if the entry is in the hosts file
00:52 < nuka-cola_> CannedSpinach: on linuxes its /etc/resolv.conf, on windows or macs i have no clue
00:52 < Chojuan> there is a problem with 802.1AX
00:52 < cyberbootje> catphish: think i found it, i would need this right?
00:52 < cyberbootje>   dst-mac-vid               Destination MAC address and VID based load balancing
00:52 < cyberbootje>   src-dst-ip                Source and Destination IP address based load balancing
00:52 < cyberbootje>   src-dst-ip-mac-vid        Source and Destination IP and MAC address and VID based load balancing
00:52 < cyberbootje>   src-dst-ip-mac-vid-port   Source and Destination IP, MAC address, VID and TCP/UDP port based load balancing
00:52 < cyberbootje>   src-dst-ip-port           Source and Destination IP and TCP/UDP port based load balancing
00:52 < cyberbootje>   src-dst-mac-vid           Source and Destination MAC address and VID based load balancing
00:52 < cyberbootje>   src-mac-vid               Source MAC address and VID based load balancing
00:53 < drac_boy> 0_o
00:53 < xamithan> spamming it up
00:54 < drac_boy> yep
00:54 < cyberbootje> sorry, didn't expect it to push it out one per line ugh
00:54 < CannedSpinach> nuka-cola_: would modifying the problem computer's hosts to redirect said domain name to the server's local IP address work?
00:55 < xamithan> Do you even run a home DNS server CannedSpinach ?
00:55 < CannedSpinach> xamithan: I don't believe so, I just have a bunch of DIY projects on my raspberry pi
00:56 < Chojuan> edit hosts easy way
00:57 < xamithan> Then just throw whatever you want in the hosts file
00:57 < CannedSpinach> xamithan: I am sort of concerned about the root of the issue here though
00:58 < CannedSpinach> it's a domain name ending in .local
00:58 < CannedSpinach> and the server was previously connected to on the same machine. I just recently reinstalled the OS and restored the config files from it. so it should be behaving mostly the same. I don't know why it has developed this issue.
00:58 < CannedSpinach> could there be some networking software I forgot to reinstall?
00:58 < xamithan> Nope
00:58 < xamithan> Just add an entry to hosts
00:59 < tds> if you're using .local, it's possible you're using multicast dns for that
01:00 < xamithan> The machine probably had its own DNS server setup and you didn't know
01:00 < CannedSpinach> I am reading now that I need to install Avahi
01:02 < tds> if you want multicast dns, you'll want something like that
01:02 < CannedSpinach> https://unix.stackexchange.com/questions/43762/how-do-i-get-to-use-local-hostnames-with-arch-linux
01:06 < Chojuan> add 192.168.1.100 example.local to hosts
01:09 < Apachez> I would go for src-dst-ip-port
01:35 < guest09328> I want to configure a Remote Access IPsec VPN on a Cisco ASA 5505, using the IPsec VPN wizard. Why do i have to expose certain hosts/networks, in order to be able to make split-tunneling? Why i can't expose the whole network, and still use split-tunneling? Let's say that i want to be able to tunnel to all the corporate resources, but still be able to have unencrypted access to the internet?
01:37 < tds> guest09328: I'm not familiar with cisco stuff, but for a split tunnel vpn like that you'd normally just push a route to cover all of your internal network (eg 10.0.0.0/8), rather than routes per individual hosts
01:37 < redrabbit> is there a way to use secure dns with the new cloudflare service on the edgerouter lite?
01:37 < redrabbit> DNS over HTTPS (DoH)
01:38 < cluelessperson> so reporting back on Unifi stuff
01:38 < cluelessperson> Unifi's equipment seems to work pretty well for enterprise environments
01:39 < cluelessperson> has a couple of caveats here and there, but once you figure it out, which is a pain in the ass, it works
01:39 < cluelessperson> examples like, Their G3 micro security cameras don't see hidden networks.  You have to connect to a network then hide the network
01:39 < cluelessperson> or, their Security Gateway doesn't really support management vlans
01:40 < cluelessperson> through the gui anyway
01:42 < Apachez> meep meep https://imgur.com/gallery/LDGUvhq
01:43 < Chojuan> devices with auto connection to hidden networks are vulnerable
01:43 < guest09328> tds: I know, that is what confuses me. "To expose the entire network behind the most secure interface to remote VPN users without NAT, leave the Exempt Networks field blank" - i am leaving the field blank. I then tick the "Enable split-tunneling to let remote users have simultaneous encrypted access to the resources defined above, and unencrypted access to the internet". Then, i am getting the error: "In order to enable split
01:44 < redrabbit> !reload
01:44 < xamithan> vulerable to what
01:44 < guest09328> of your network in the Exempt networks field above
01:44 < guest09328> Why should i expose only *some* of the network, and not the whole network?
01:44 < Chojuan> to attacks
01:45 < cluelessperson> Chojuan: vulnerable in what way?
01:45 < cluelessperson> I doubt hidden wifi is more vulnerable than wifi
01:45 < Chojuan> I heared about it some time ago, I am not security expert
01:46 < tds> guest09328: I'd expect you to have to add to an included networks list at some point, I assume "excluded networks" is if you're doing the opposite (ie default route over the vpn, but let all the clients push youtube traffic over their original default gateway to save on bandwidth)
01:46 < Chojuan> I am not sure, but they are continuos asking for AP's
01:47 < xamithan> attacks from what
01:47 < Chojuan> client is continuos asking for hidden AP
01:48 < E1ephant> cluelessperson: yeah, and support is probably not quick to address those issues, but then again $super_cheap
01:48 < xamithan> Maybe your client sucks
01:48 < E1ephant> you can't whitelist the mangement in-band?
01:48 < E1ephant> or limit it to one tag?
01:48 < E1ephant> that is kinda weak
01:49 < cluelessperson> E1ephant: who are you talking to?
01:49 < E1ephant> you re: ubnt usg
01:49 < cluelessperson> E1ephant: You can, it's just a major PIT
01:49 < cluelessperson> PITA
01:49 < E1ephant> ah
01:49 < cluelessperson> E1ephant: So, when you bring  up a UNIFI network, you bring up the USG first (defaulting to 192.168.1.*), connect a controller, switch, configure the controller provision
01:50 < cluelessperson> E1ephant: Basically, trying to provision blank USG and SWITCH from a VM server is really hard
01:51 < xamithan> So from some google searching it says that probes sent every 60 sec with ssid name if your ssid is hidden.  But if it isn't hidden then people get the ssid name anyway.  I still don't see how this makes it any less secure or more suspectable to attacks as the ssid name would be available for anyone to see in either case Chojuan
01:51 < E1ephant> ah yeah, weird you can't go controller first
01:51 < cluelessperson> E1ephant: the vm server tags the management network, need to somehow get the switch up, configure it to tag management the USG port, reset the USG
01:51 < cluelessperson> reconfigure the USG with the controller
01:51 < cluelessperson> PITA to get right
01:52 < cluelessperson> E1ephant: I mean you can, maybe I did it weird
01:52 < cluelessperson> my scenario was hard though
01:52 < xamithan> According to some it would make it so people could setup rogue APs for a MITM attack,  but that is ridiculous as they would have to know the password or have the security key.  Which means you'd already be compromised
01:52 < cluelessperson> E1ephant: shouldn't be an issue for anyone else
01:52 < ntd> so, we opened a new branch, HQ stood for all the planning, execution and directions. turned out to be an unmitigated disaster, too many layers of bs and we kinda opened on schedule but work is still being done two months later
01:52 < cluelessperson> xamithan: yeah
01:52 < E1ephant> if there is a usable api for unifi seems somewhat automatable
01:53 < E1ephant> or easier to get running with ansible or something similar
01:53 < ntd> so, then we're refurbishing an existing location bossman wanted us to handle it ourselves
01:53 < E1ephant> but that said, doesn't look like there is an awesome, well documented API.
01:54 < E1ephant> a couple unofficial ones it seems
01:54 < ntd> six weeks out, i had to coax the org in overall charge into communicating with the electrician
01:55 < cluelessperson> E1ephant: I'm sure there is, I did everything through GUI
01:55 < cluelessperson> E1ephant: What made it MUCH harder for me is that my VM server puts that controller VM on a tagged port
01:55 < ntd> two weeks later, now they're talking, now they know just how insane this timetable is
01:55 < E1ephant> aye that is supposed to be their selling point tho, ease of use
01:55 < cluelessperson> so getting the unifi usg and switch toa point to work with the controller is hard. :D
01:55 < E1ephant> especially that unifi stuff
01:55 < cluelessperson> E1ephant: oh it's easy, I'm just being really strict and paranoid
01:55 < cluelessperson> :D
01:55 < E1ephant> :>
01:55 < ntd> and i got flak for interfering. not explicitly
01:56 < ntd> anyone with experience?
01:56 < E1ephant> ntd: job  hunt?
01:56 < E1ephant> sounds pretty redic
01:57 < E1ephant> or if you're contracting, just keep going, the money is still green?
01:57 < E1ephant> contracting/consulting?
01:59 < ntd> hey, i have no choice. shit must have be done in four weeks
01:59 < ntd> and these are the contractors i have to work with
02:00 < ntd> and ofc, for us to be able to berate hq for doing it their way, we must be better with limited resources
02:03 < Chojuan> limited resources are a barrier to acomplish a mission
02:03 < ntd> hq had a lot and they shit the bed
02:03 < E1ephant> que: shia bouf just do it
02:04 < ntd> i have 14 good men, none detached from reality
02:05 < Chojuan> you have to identify barriers first
02:07 < ntd> yeah, gonna ride those electricians hard
02:07 < ntd> they will hate me later, but the job gets done now
02:52 < RogerFederer_> merokoyui fuck off
02:52 < merokoyui> wtf
02:52 < Quatermass> haha
02:52 < RogerFederer_> this is not a tennis channel
02:52 < merokoyui> why are you here, you harasser
02:53 < RogerFederer_> i was here first
02:53 < RogerFederer_> why are you stalking me?
02:53 < Quatermass> both of you get a room and/or take it to /msg children
02:53 < merokoyui> uhm ive been here for a while bruh
02:53 < merokoyui> no i'm setting him on ignore
02:53 < merokoyui> jfc
02:53 < RogerFederer_> it says you joined approximately 8 minutes ago
02:53 < RogerFederer_> fucking loser
02:54 < merokoyui> i meant ive been joing this chan for a while now
02:54 < merokoyui> jfc
03:22 < whatsupdoc> Hi can someone explain the difference between a routing table and a forwarding table? I still cannot get it
03:24 < forgotten> whatsupdoc: i believe a forwarding table is basically the same thing as a MAC table
03:24 < Quatermass> lol more homework
03:24 < forgotten> layer2 stuff
03:24 < whatsupdoc> Quatermass: please
03:24 < forgotten> just a diff name someone might use
03:25 < whatsupdoc> Learning != homework
03:26 < whatsupdoc> Ok
04:02 < rice_crispy_pop2> pretty sure someone is intercepting my wifi
04:03 < light> sharing is caring
04:04 < rice_crispy_pop2> hmm
04:05 < jim> rice_crispy_pop2, do you have control over the wireless access point?
04:05 < xamithan> Wifi throwing them packets the wrong way?
04:05 < rice_crispy_pop2> I think they are doing it from a Naval ship
04:05 < rice_crispy_pop2> because there were some navy people spying on my twitter
04:13 < Quatermass> rice_crispy_pop2: You've been looking straight into the sun again, haven't you.
05:29 < Queenslayer> Hi guys, I want to setup a small windows server environment with 3 client desktop PCs.  Was wanting to know whether the desktops have their own connection to the internet or do they all go through the server?
05:30 < light> Why would they go through the server?
05:30 < Queenslayer> Filtering, firewall? Or do I have the concept wrong?
05:30 < light> Don't you have a router that does this already for the server?
05:30 < Queenslayer> No, it's shite
05:31 < Queenslayer> It's a standard broadband router
05:31 < light> Well, you may want to get a decent one then
05:31 < Queenslayer> That's what I was hoping i could avoid
05:31 < light> If your server goes down for maintenance all your users will lose connectivity
05:32 < light> But sure, you can do firewalling on a router VM
05:32 < Queenslayer> I'd have a backup for redundancy anyway
05:32 < light> You want to create redundant high availability firewalls in front of your broadband router?
05:32 < Queenslayer> Downtime would be minimal
05:33 < Queenslayer> It's not the worst router mind
05:33 < Queenslayer> When I say standard I mean not a Juniper Cisco level router
05:34 < Queenslayer> Internet traffic would be very low
05:34 < light> If it's just for fun go right ahead
05:34 < Queenslayer> That's what it is. A lab environment to test stuff out and learn more about it
05:35 < light> Put pfsense in a VM then
05:35 < Queenslayer> Noted. Thanks light. You must be in the US to be available at this time
05:36 < Queenslayer> Windows Server Hypervisor should do the trick right?
05:37 < light> ESXi is better in my opinion
05:37 < light> But yeah, hyper-v will work
05:37 < Queenslayer> Yeah esxi would be great but HyperV for simplicity for now
05:38 < Queenslayer> Will faff around with the machines to get best performance
05:40 < Queenslayer> light: I've got loads of desktops lying around. Is it worth trying to turn one of them into a gateway router/firewall?
05:41 < light> Yeah why not
05:41 < Queenslayer> To take load off sever
05:41 < light> Go for it
05:42 < Queenslayer> light: cool. Any software in mind? Or should pfsense suffice?
05:44 < E1ephant> opnsense, vyatta,  vSRX, just plain old bsd+pf
05:44 < Queenslayer> E1ephant: copied, pasted... thanks mate.
05:48 < Queenslayer> Guys you've been great. Love this channel for precisely this expertise. Say Hi to zapotech when he comes
05:48 < Queenslayer> Saves hours on Google
05:51 < forgotten> i haven't seen zapotech in a long time
05:58 < Quatermass> Maybe they mean zapotah...or was s/he banned
05:58 < hagbard__> Question, what happens if a prefix is announced, (let's assume a typo), from two different AS?
06:08 < hagbard> I guess this answers my question, https://bgp.he.net/report/multi-origin-routes
06:09 < psprint> Anyone familiar with sockets API? I want to send ARP packet, but 2 projects that I looked at (arp-scan, arping) use pcap library to do that, like if it wouldn't be possible with sockets
06:11 < Queenslayer> forgotten: Quatermass yes, must have been zapotah
06:11 < Queenslayer> Not been here for a while
06:12 < Queenslayer> He was a fellow Brit as far as I remember?
06:33 < hagbard> psprint: if you're still around, the answer to your question is, "sort of."
06:36 < psprint> hagbard: ah, so bad news
06:36 < hagbard> psprint: The long answer is that ARP packets are layer2/ethernet. (You'll notice that's why they're referred to as, "frames" instead of "packets.") Most OS have a method for allowing direct access to an Ethernet card and often that's using the socket API as datagrams.
06:36 < psprint> hagbard: or you mean you know sockets API
06:36 < hagbard> psprint: in linux, you'd be using AF_PACKET and SOCK_RAW in your socket() call.
06:37 < hagbard> psprint: your bind() call gets more complicated, as you need to bind to a specific network interface
06:37 < hagbard> psprint: So, my answer is, there is no cross-platform interface for this, no.
06:37 < psprint> I use lwip on an MCU (stm32). I'm already sending pings, with this socket:   s = lwip_socket( AF_INET,  SOCK_RAW, IP_PROTO_ICMP );
06:38 < hagbard> psprint: alright.
06:38 < psprint> ok so not portable, but it's for specific MCU
06:38 < hagbard> psprint: The portability problem is solved by the libraries, like pcap that you mentioned.
06:38 < hagbard> They have #ifdef'd code for each particular OS implementation.
06:39 < hagbard> What, in a broader sense, are you trying to accomplish? Is there any particular reason why you can't/dont want to use libpcap?
06:40 < hagbard> Ie, if you want to send specific ARP requests from your MCU, I bet that your lwip library has either, A, hooks for sending/receiving raw ethernet frames and/or, B, has some way of accessing the ARP/neighbor table.
06:41 < psprint> Well I might use pcap, but I would have to find FreeRTOS compatible version, not sure what about STM32 MCU hardware
06:41 < hagbard> The lwip stack you mentioned earlier. Is it opensource?
06:42 < psprint> yes, I'm already accessing arp table, but want to try other method. Yeah LWIP is full of hook stuff, I guess I can access frames
06:42 < psprint> yes
06:42 < hagbard> Well, ARP frames are stupid easy to generate/receive/decode.
06:42 < hagbard> They're all fixed-length fields.
06:43 < hagbard> Just define a struct for the ethernet header and arp request fields, cast a pointer to it.
06:44 < hagbard> Having done this before, please believe me. Ethernet headers are trivial to parse for sending and receing ARP. In fact, using the word "parse" is overdoing it.
06:45 < psprint> good to hear
06:46 < hagbard> psprint: I happen to be bored, waiting for something else (tape backup. yes. I know it's 2018.) and you've piqued my curiosity. Which version of FreeRTOS are you using?
06:47 < hagbard> I love how, "straight to business," this code is, meaning lines 91-104. https://github.com/aws/amazon-freertos/blob/master/lib/FreeRTOS-Plus-TCP/source/FreeRTOS_ARP.c
06:47 < psprint> well I can reveal that I use CubeMX application from ST, the point is you click "Use FreeRTOS", "Use LwIP", "Enable ethernet", etc. and generate working code :) so I didn't dive into version they provide
06:48 < hagbard> Ok, I stopped marveling it when I realized the author decided MAC_ADDRESS_LENGTH_BYTES is somehow something that would ever change.
06:48 < psprint> hehe
06:48 < psprint> you have to be prepared, it might happen one day ;)
06:48 < Criggie> ethernetv6 will support 256 byte mac addresses.
06:49 < hagbard> psprint: Alright, then I would say my answer to you is the solution you need will likely be rather specific to library you're using for the rest of IP. I'd check the ST documentation for their bundled FreeRTOS and/or FreeRTOS documentation on the LwIP internanls.
06:50 < hagbard> Criggie: Will 3/4's of them be essentially constant, like ATM addresses?
06:51 < Criggie> yeah probably :)
06:52 < hagbard> Wow, I'm getting old. I can't remember how much of a native ATM address was some crazy bullshit ISO/ASN.1 prefix.. I just remember a lot of 99 bytes
06:52 < Criggie> love you some cells ?
06:52 < hagbard> long time ago, in a different world and a different era.
06:54 < hagbard> Yeah, here we go, ATM addresses were 20 bytes. 39.99.99.99.99.99.99....
06:58 < hagbard> Ok, I stand corrected. I guess the 39.99.99.99.99 stuff was an IBM convention for some of their ATM stuff.
07:00 < psprint> hagbard: ok, thanks
07:01 < hagbard> I'm still amazed at how widely-used ATM is. Please correct me if I'm wrong, but most of the DSL standards use ATM, with the ethernet most people are used to provided as ATM LANE?
07:08 < hagbard> psprint: Again, I don't know what you mean to do. If you want to send arbitrary ARP requests, FreeRTOS_OutputARPRequest(uint32_t ulIPAddress) seems the fastest/easiest. If you want to intercept the replies, then you probably need to hook their event for that.
07:08 < psprint> hagbard: I'm basically doing network discovery
07:08 < hagbard> psprint: You'll find the details for accessing the network device raw in the "porting" documentation for freertos-tcp
07:09 < hagbard> psprint: neat trick that used to work better in the old days. ping 224.0.0.1. It's multicast all hosts.
07:10 < psprint> you have better network, this pings the host it is ran on (loopback?) on OS X (checked now)
07:11 < hagbard> The neat part about it, is that you can sometimes use it to discover hosts on the same ethernet segment configured for a different local subnet. Ie, hosts that a regular OS would not issue an ARP for.
07:12 < hagbard> psprint: So, you may have to specify which interface. If run on your loopback, then I wouldn't expect a reply from any other host for obvious reasons.
07:12 < hagbard> psprint: are private messages ok?
07:13 < psprint> cool, I'm basically in such situation, silently counting on that Mac, which does NAT on en0 (Ethernet) onto en1 (wifi, local network) will forward ARP query from en0 to en1 and then forward back the response
07:13 < psprint> hagbard: yeah
07:14 < hagbard> So, I don't entirely follow what you mean. I'm assuming normal, traditional, layer 3 NAT where layer 2 ARP would never be forwarded.
07:16 < psprint> yeah, I'm expecting this actually, i.e. expecting problems, but I'm hoping that I can configure OS X firewall (pf) to do the en1 <-> en0 ARP forwarding. Effect should be like this, but bidirectional heh: sudo dumpcap -i en1 -f arp -w - | sudo tcpreplay -i en0 -
07:16 < hagbard> Ok, no offense, but I still don
07:17 < hagbard> Ok, no offense, but I still don't follow what on earth you're trying to do / what you're smoking.
07:17 < hagbard> Because it sounds like you're trying to bridge the network interfaces, but only for ARP packets?
07:19 < psprint> hagbard: I want to jump over that's-the-reality obstacle, i.e. do ARP discovery from host that's not on the network (it's attached to computer that *is* on the network)
07:20 < psprint> the reality == ARP is for network segment
07:21 < hagbard> Right, so, then the NAT you mean is changing the source and destination of the IPv4 addresses of the ARP requests to match the different subnets?
07:22 < psprint> w8 I will draw this
07:22 < hagbard> You'll find IP implementations follow conventions, typically called the, "open" model, where they'll answer an ARP request received on any interface if its for an IP associated with any interface configured on the host, regardless of what interface it was received on.
07:23 < hagbard> Other IP implementations follow the, "closed" model, and will only respond if the request received is for the address configured on the interface that it was configured for.
07:24 < hagbard> for what it's worth, I don't understand how any of the OS X/NAT/ARP forwarding relates to the STM MCU situation, either.
07:30 < cluelessperson> Can osmeone here suggest something?
07:31 < cluelessperson> I want to have several VMs with say, 2, 8 TB of data available to them
07:31 < cluelessperson> should I make a massive iscsi 10TB drive?
07:31 < cluelessperson> or should I create NFS shares?
07:31  * cluelessperson is really against NFS shares on his storage server
07:32 < hagbard> Why?
07:33 < hagbard> So, NFS allows the client to defer all the processing and overhead of the filesystem to the server.
07:34 < cluelessperson> hagbard: to the storage server?
07:34 < hagbard> This is assuming that you mean the VM is going to mount the nfs filesystem natively. If you're talking NFS vs iSCSI for your network ESXi datastore, then that's different.
07:34 < cluelessperson> hagbard: because I like how secure and easy it is to have 1 massive iscsi pipeline, rather than managing like 5 samba/nvs shares between servers
07:35 < hagbard> So, samba is unrelated to NFS.
07:35 < cluelessperson> they're both filesharing over network
07:35 < hagbard> Yes, but, it's a bit like gas and diesel cars. They're both cars, they go from place A to B, but sometimes the details matter. Like, at the gas pump.
07:35 < hagbard> Don't get me wrong, though, I do appreciate your point about less management.
07:35 <@pppingme> cluelessperson do you already have a storage server with that much space?
07:36 <@pppingme> or are you building from scratch?
07:36 < cluelessperson> pppingme:   VM_Server -10G-> ZFS Server(14TB)
07:36 < cluelessperson> pppingme: hagbard   You know, I think the  problem is more, "how do I backup a zvol" ?
07:37 < hagbard> cluelessperson: Which VM platform? VMWare/ESXi? And, would you be storing a virtual disk image via NFS or actual files?
07:37 <@pppingme> yuck, personally I wouldn't trust zfs to store for a vm setup
07:37 < cluelessperson> hagbard: testing proxmox for now
07:37 < cluelessperson> pppingme: Yuck?
07:37 < cluelessperson> pppingme: I love ZFS
07:38 < hagbard> pppingme: The surprising part to me is that administering NFS on ZFS is about the easiest NFS administration I've ever found.
07:38 <@pppingme> its way too fragile, and no mainline linux distrib has picked it up, there's a reason for that
07:38 < cluelessperson> pppingme: fragile how?
07:38 < hagbard> I'm guessing pppingme has been burned in the past by it.
07:38 < cluelessperson> sounds like a configuration issue
07:38 <@pppingme> I've seen way too many horror stories that all are based around zfs
07:38 < hagbard> pppingme: Tell me a networking product or protocol that doesn't have horror stories.
07:39 <@pppingme> nope, never used it personally, but have seen it used, and the 'net is just full of horror stories
07:39 < cluelessperson> hagbard: pppingme   Honestly, the only reason I'm avoiding large iSCSI pipeline is because I'm afraid it'll be hard to backup the ZVOL
07:39 < hagbard> (To be fair.)
07:39 < cluelessperson> ifI can bakcup the zvol easily, then it's not an issue
07:39 < cluelessperson> pppingme: I've had no issues with ZFS and I fucking love it
07:39 < cluelessperson> snapshots are amazing, deduplication, encryption
07:39 <@pppingme> the real horror is that the stories don't come down to user screwups, but massive data loss then dev's blame it on hardware or anything else except the crap protocol it is..
07:39 < cluelessperson> iSCSI ZVOLS
07:39 < psprint> Uh I accidentally quitted
07:40 < cluelessperson> pppingme: I've never seen that
07:40 < hagbard> psprint: you didn't miss much.
07:40 < hagbard> cluelessperson: I believe the notion is you don't backup the zvol itself, you'd have whatever is using the zvol back the data up. Otherwise, how are you going to guarantee consistency?
07:41 < hagbard> Ie, I don't backup my external harddrives by cloning one to the other at a sector level. Instead, I copy the files from the first to the second. Ideally, with some kind of logic to only copy over changes.
07:41 < cluelessperson> hagbard: consistency pf what?
07:42 < hagbard> cluelessperson: The filesystem that's presumably stored on that block device.
07:43 < hagbard> pppingme: I'll say one thing about ZFS. When running on Solaris and on Sun Hardware. It served me admirably well and reliably.
07:43 < hagbard> But, those days are long gone.
07:43 < hagbard> And, no, I didn't bother with a support contract.
07:44 < hagbard> These were Sun x4540's.
07:44 < cluelessperson> hagbard: I mean, as long as the backup is the same, it doesn't matter what files are on it
07:44 < cluelessperson> as long as the blocks match, the files will too
07:45 < hagbard> cluelessperson:
07:45 < hagbard> err
07:45 < hagbard> You're talking about offline backups, then. Like, you shut down the VM and then do the backup, right? While nothing is accessing it?
07:46 < cluelessperson> hagbard: in this case, I don't really care about the VMs themselves, just the data they're working on
07:46 < hagbard> Incidentally, I think you'd be better off asking this in, possibly, a more proxmox dedicated channel.
07:46 < hagbard> cluelessperson: That's my point, the data. You don't want to back up your data, for example, while the VM is half-way through writing out a file, right?
07:47 < cluelessperson> sure
07:47 < aeo1ack> weechat crashed twice, I'm on irssi now
07:47 < cluelessperson> hagbard: presumably, ZFS can snapshot the ZVOL, then backup and delete the snapshot
07:48 < hagbard> So, unless you're running your backup software inside the VM - where the software is interacting with the OS kernel running inside the VM - then you can't guarantee the backup is consistent without shutting the VM down. Files aren't being written out to disk very often and, generally, the process happens quickly.
07:48 < hagbard> But, you still run that risk of getting an incomplete file, for example.
07:49 < hagbard> If you take a zvol snapshot, there's no synchronization with the OS in your VM to confirm everything meant to be written to the disk has been written. This is essentially the same situation/scenario as when a computer loses power.
07:50 < hagbard> I believe this may be related to why you're having difficulty finding solutions for backing up your zvols.
07:50 < cluelessperson> hagbard: so for now I have a 1TB ZVOL shared over iSCSI, and I could make multiple SAMBA file shares, but it's more to manage
07:51 < cluelessperson> iSCSI for system drives, SAMBA shares for storing large files (torrents, NVR cameras) etc
07:51 < hagbard> Would you be storing files on the samba shares or would be storing a big virtual-disk image?
07:51 < cluelessperson> files
07:51 < hagbard> Ok, that's a big difference.
07:51 < hagbard> In that case, I would totally do NFS or CIFS for the file data.
07:52 < cluelessperson> hagbard: CIFS?
07:52 < hagbard> iSCSI for the system drives, sure. If they're not that big, though, just keep em local on your file server.
07:52 < sandman13> can you configure both sFlow and NetFlow on a device that supports both?
07:52 < hagbard> CIFS is the protocol used by samba.
07:52 < cluelessperson> hagbard: the reason for SAMBA is because torrents need to be shared to the local network, to windows machines
07:52 < cluelessperson> ah
07:57 < GenteelBen> cluelessperson: you share torrents?!
08:01 < cluelessperson> GenteelBen: that is literally what torrents are for
08:10 < GenteelBen> cluelessperson: torrents are for keeping.
08:11 < GenteelBen> https://lh3.googleusercontent.com/-0Rb3WW40RZc/TiiMoFIVYpI/AAAAAAAAA90/wL1TJqXu6rc/w530-h353-n/1310782030392.jpg
08:12 < GenteelBen> That's me when I find a new game soundtrack torrent.
08:12 < ubuntu> hello guys!
08:13 < GenteelBen> ...
08:13 < cluelessperson> GenteelBen: what
08:15 < whatsupdoc> anynone to help? plz
08:16 < whatsupdoc> https://i.imgur.com/Km81fPA.png
08:20 < whatsupdoc> https://www.youtube.com/watch?v=lNA8tGRBJko
08:20 < pathrocle> i developed a ftp server that saves some data into a database, on a beaglebone... the client wants the device to be scaned with nessus first, but i have no clue what exactly he wants
08:23 < `7hr34t_hvntr> anyone able to speak to why wireshark colors TCP keep-alive and TCP retransmission the same color, red text on black bg
08:24 < whatsupdoc> :'(
08:27 < `7hr34t_hvntr> is there some way to maybe pop out two hosts in wireshark without losing my place in all of the packets im lookig at
08:27 < `7hr34t_hvntr> say like a new window with just traffic between those two hosts
08:35 < whatsupdoc> https://i.imgur.com/OtzLZQa.png
08:36 < whatsupdoc> Anyone??????
08:57 < realbadhorse> Is there any program I could use to set a `nice` equivalent for network usage?
08:57 < `7hr34t_hvntr> anyone know why during what looks like about 30 smb sessions, a host would send out echoes to each of those smb servers right aroudn the end of the connection
08:58 < `7hr34t_hvntr> looks like it corresponds with a bunch of retransmissions and keep-alives
09:01 < Mandrake> hey guys!
09:11 < GenteelBen> Yo Mandrake.
09:11 < GenteelBen> When are you going to find a nice Womandrake and settle down?
09:13 < light> He doesn't want to sap and impurify his precious bodily fluids.
09:14 < hypercore> is there any way to force update DNS records?
09:14 < light> rndc reload
09:14 < hypercore> light: is that via my domain registrar?
09:14 < hypercore> *is that done
09:15 < light> wat
09:15 < hypercore> light: what is rndc reload?
09:15 < light> what are you trying to accomplish?
09:15 < SlashLife> hypercore: You mean you updated your DNS record and now you want to force my cache to be updated without waiting for the TTL to pass?
09:15 < light> ipconfig /flushdns
09:16 < hypercore> i've changed the ip of my vps on my hosting provider, but it's still pointing to the old VPS
09:16 < light> lol
09:16 < hypercore> i want to update it to the new VPS's ip
09:16 < hypercore> SlashLife: yeah
09:16 < light> step 1, did you change the A record?
09:16 < SlashLife> No, it likely is not. You just have someone in between who *caches* that record.
09:16 < hypercore> light: yeah
09:16 < light> step 2, wait.
09:16 < SlashLife> And no, you cannot force them to recheck.
09:16 < hypercore> that's all i wanted to know, thanks
09:18 < SlashLife> If you have records which you expect to change in the near future, or which you change regularly, you should lower your TTLs ahead of time.
09:19 < SlashLife> (Which still won't solve the caching and waiting thing - you'd just have to wait *shorter*.)
09:21 < hypercore> SlashLife: good to know, thanks man
09:28 < Mandrake> GenteelBen haha lel, yet still nice to find tho
09:39 < tpanarch1st> Hi, what’s the most advisable way to transfer an ssh certificate to an iPhone please?
09:42 < sep_> tpanarch1st, "to an iphone?" i would guess that is application spesific.
09:44 < tpanarch1st> Ah maybe
09:44 < tpanarch1st> Like, I figured sending myself an email is hardly appropriate :-)
09:45 < jvdmr> tpanarch1st: through iCloud, or via AirDrop, I guess?
09:46 < jvdmr> but yes, it's at least partly application specific, because whatever app you want to use has to support opening files somehow
09:47 < jvdmr> if it expects you to copy/paste the key (as in the file's contents), I would suggest Notes
09:47 < tpanarch1st> Mmm that is an idea 😊
09:47 < jvdmr> which is still iCloud, I guess
09:47 < tpanarch1st> Food for thought!
09:47 < tpanarch1st> It’s a shame apple doesn’t have anything specific for this
09:47 < tpanarch1st> But then, according to them, Apple users don’t use Linux
09:48 < jvdmr> now that I think of it, Apple does support ssh keys in Keychain
09:48 < jvdmr> but again, the ssh app on your iPhone would have to support using Keychain then
09:49 < tpanarch1st> Yeah - I don’t get why Apple will not just let people use Linux since they are sooo close
09:49 < tpanarch1st> Seems daft to me and I think that’s where the issues start as they don’t really want people to use Linux for some reason
09:50 < jvdmr> I'm not sure what you mean there - like have a Linux version of iTunes to sync your iPhone with? or some other tool? or actually run Linux on your iPhone?
09:50 < tpanarch1st> Like Linux version of iTunes
09:51 < tpanarch1st> Cos Apple stuff really comes into its own, to me, with iTunes
09:51 < jvdmr> ah, yes, I do agree that's a shortcoming
09:51 < tpanarch1st> It’s got to be totally deliberate since Apple stuff is built on Unix anyway right?
09:53 < tpanarch1st> But I’ve bought Shelly so I’m looking forward to testing that out as I wanted to access my server shells from my iPhone in bed lol! If I fall asleep the laptop will fall off the end of the bed!
09:54 < jvdmr> I've got Termius, but haven't tried putting in ssh keys so far
09:54 < jvdmr> every time I need to use it I tell myself I'll get to it soon, but it's been a while now :p
09:55 < tpanarch1st> Ah fairs 😊 I’ve locked down password access altogether so i’ll be damned if I’m going to downgrade my security just because Apple want to be awkward 😊
09:55 < tpanarch1st> Hehe - yeah we all have jobs we don’t look forward to!
09:57 < tpanarch1st> Maybe a silly question but if you ssh over WiFi, does that mean the data transmitted is secure (like a https certificate)
09:57 < hey2> yes
09:58 < tpanarch1st> 😊
09:58 < hey2> just dont use telnet
09:58 < hey2> or do
09:58 < tpanarch1st> Hehe
09:59 < tpanarch1st> That’s nice, right thanks you two - I need some sleep as my friend has been over overnight and I’m slowly going barmy ha
09:59 < hey2> "you two"? :-o
09:59 < hey2> I am going barmy right now too, out of boredom
09:59 < tpanarch1st> Yes you and jvdmr both helped me
09:59 < hey2> I didn't see that
10:00 < tpanarch1st> Ah fairs 😊 have a good day/evening
10:00 < hey2> I have been sitting here monitoring equipment for 4 hours now
10:00 < tpanarch1st> Ugggghhhh
10:00 < hey2> nothing has broken
10:00 < hey2> just got an alert a minute or two ago, got excited to go do something
10:00 < tpanarch1st> Download word cookie on your phone!
10:00 < hey2> and it is the same piece of equipment that has been dropping packets intermittently for weeks
10:00 < tpanarch1st> Glad nothing has broken though!
10:00 < hey2> so disappeared immediately after lol
10:01 < tpanarch1st> Oh so you are trying to spot a fault
10:01 < hey2> No
10:01 < tpanarch1st> Ah I guess that’s annoying
10:01 < hey2> I am in a datacenter right now monitoring servers
10:01 < hey2> and nothing is broken
10:01 < tpanarch1st> But clearly something is wrong and you’re having the devils own job trying to find it then
10:01 < hey2> No, nothing is wrong
10:01 < hey2> everything is fine
10:02 < tpanarch1st> Oh, the packet drops?
10:03 < TotallyNotKim> ayyy. Is there a way to debug dns on debian? I got this in my resolv.conf, but it doesnt seem to append the search domains. I tried with the trailing . and without, no luck :(
10:03 < hey2> That is just a bad configuration
10:03 < tpanarch1st> Oh fairs hey2
10:03 < hey2> I don't have credentials to log in and check it, I just got alerts for it
10:03 < hey2> it's a different teams responsibility
10:03 < hey2> sweep it under the rug for the time being
10:03 < hey2> lol
10:04 < hey2> Just hard to stay up @ 1am with nothing to do, and I have to be here until 8am
10:04 < tpanarch1st> Indeed! Takeout and a few beers mate
10:04 < hey2> can't drink
10:04 < Emperorpenguin> ^
10:04 < hey2> might go make an easymac or something
10:05 < hey2> I got the new issue of 2600 to read I suppose
10:05 < Emperorpenguin> what do you mean you can't drink
10:05 < Emperorpenguin> how are you alive
10:05 < hey2> I'm not supposed to drink beer at work lol
10:05 < tpanarch1st> Hey TotallyNotKim i’m rubbish at networking to be honest but I do know that dig could be your friend...
10:05 < Emperorpenguin> you're not _supposed_ to
10:05 < Emperorpenguin> doesn't mean you _can't_
10:05 < hey2> Honestly
10:05 < hey2> if I drank alcohol right now
10:05 < hey2> I would fall asleep
10:05 < Emperorpenguin> good point
10:05 < Emperorpenguin> then beer + coffee
10:05 < tpanarch1st> Ah sensible hey
10:05 < hey2> and the person who takes over my shift in the morning would find me in the chair with everything on fire
10:06 < Emperorpenguin> = bathroom
10:06 < TotallyNotKim> tpanarch1st: yeah, have to find out what evilish combi of arguments I need
10:06 < tpanarch1st> You don’t want any trouble on your watch hey2
10:06 < hey2> I mean
10:06 < hey2> I "KIND" of do
10:06 < TotallyNotKim> matter of fact, I spied on DNS using tcpdump and theres really only one A request happening
10:06 < hey2> because it is something to do at this point
10:06 < TotallyNotKim> without the search domains
10:06 < hey2> but… I suppose this is the paradox of IT work
10:06 < hey2> Nothing is broken, why am I here?
10:06 < tpanarch1st> TotallyNotKim: I’m rubbish at man but if you’re a better tech than me, maybe you can understand man dig
10:06 < hey2> Everything is broken, why am I here?
10:07 < tpanarch1st> hey2: just go home and leave your printed debug “connection failed - alcohol=0 fatal error” on the desk
10:07 < hey2> I would
10:07 < hey2> but this is my first time back at work in almost 2 weeks too
10:08 < hey2> I was on vacation in the Cayman Islands
10:08 < hey2> they're going to think I developed an alcohol problem
10:08 < tpanarch1st> Hey2 “fatal error on line 2000 - holiday < 6 months connection failed. “
10:09 < tpanarch1st> Hey2 I wonder how many of us end up watching stuff so it’s thing whilst getting a touch inebriated
10:09 < tpanarch1st> Do*
10:10 < tpanarch1st> TotallyNotKim: there is also #dns - I find them rather strict but they might be worth calling on...
10:10 < tpanarch1st> Also go back to the basics, make sure syntax is correct etc
10:11 < tpanarch1st> And dns can take a little while to propagate too
10:11 < TotallyNotKim> tpanarch1st: that's just typical irc elitleism haha
10:11 < TotallyNotKim> the dns server is local
10:11 < hey2> its always DNS
10:11 < tpanarch1st> What is elitism? 😊
10:11 < hey2> l33t15M
10:12 < tpanarch1st> Hmm?
10:12 < TotallyNotKim> tpanarch1st: "The belief that certain persons or members of certain groups deserve favored treatment by virtue of their superiority, as in intelligence, social standing, or wealth."
10:13 < tpanarch1st> Oh sure I know the word but yeah I see where you are perhaps coming from 😊
10:13 < tpanarch1st> yeah, irc can be a hard place!
10:13 < TotallyNotKim> tpanarch1st: yeah, my dumbass doesnt know how to spell haha. IRC is great, if you manage to deal with all kind of people
10:13 < TotallyNotKim> there"s the ones you can talk to and these that deserve a /mute
10:14 < tpanarch1st> TotallyNotKim: it’s worth stating what you want to achieve, see if someone else will chip in here 😊
10:15 < TotallyNotKim> got no time for that right now. I thought maybe I was missing something, but the same config works on my test-machine, so something is broken down the line
10:15 < TotallyNotKim> I'll just write the name out for now, let's see if I got time to fix anytime soon
10:15 < TotallyNotKim> haha
10:15 < tpanarch1st> Possibly, sometimes taking that step back with some of the great minds in here can move you leaps and bounds forward though!
10:16 < TotallyNotKim> tpanarch1st: I solved about 100 problems by just starting to type them out here haha
10:16 < tpanarch1st> Maybe do that then - sometimes when you set out your issue it gets you thinking 😊
10:17 < tpanarch1st> Worth asking #debian - “I’m doing x which works in this scenario, but not in y scenario, why”
10:18 < tpanarch1st> But there’s a lot of gifted people here who likely use Debian and work with DNS regularly too anyway
10:19 < TotallyNotKim> wtf, I never posted the link
10:19 < TotallyNotKim> http://paste.debian.net/hidden/cc1b1938/
10:21 < mgolisch> are there any public dns servers that that redirect on nxdomain?
10:21 < mgolisch> want to test something
10:21 < mgolisch> like that return some bogus address for non existent domains/hosts
10:22 < TotallyNotKim> you arent stealing crypto money, are you?
10:22 < TotallyNotKim> but no, I dont think that should happen
10:23 < TotallyNotKim> or do you mean like forwarding
10:23 < tpanarch1st> I have no idea what I’m reading so I shall keep quiet. I just about know what an a record is!
10:24 < adnn> What exactly is happening at the "is the channel idle?" stage ? What's the computer scanning for, technically ? https://upload.wikimedia.org/wikipedia/commons/1/1d/Csma_ca.svg
10:25 < tpanarch1st> Bed for me, the very best of luck with your night shift hey2 , TotallyNotKim good luck with the dns and hope you still rich quick (please share some with me) mgolisch
10:25 < tpanarch1st> Get not still*
10:26 < TotallyNotKim> gn8
10:26 < tpanarch1st> 😊
11:04 < rigoewba> hi i'm in a corporate network and have 2 pcs on my table a new and an old and trying to copy the data via ftp. i already copied some but after a while the connection gets lost
11:05 < djph> use literally anything else
11:05 < rigoewba> ping says general failure on the old and timeouts on the new. everything else is pingable and works just fine
11:06 < rigoewba> the ping and the connection comes back after a longer while didn't measure the time. perhaps the network is restricted. can that be? to protect such traffic?
11:13 < djph> that wouldn't be "normal" to just randomly shut down ports because of traffic (although, FTP is cancer, so maybe)
11:16 < rigoewba> that's what i thought. \\hostname\share doesn't open even when they're seeing each other..
11:17 < hey2> FTP is cancer?
11:17 < hey2> Watch yo mouth, boi
11:18 < mast> I love watching huge screens of "Permission Denied" scroll across my screen
11:18 <+xand> FTP is a pile of shit
11:18 < rigoewba> it annoys me shitless. not only because i already copied about 60gibs but bc i can't let things go.. i want to solve it and now. :)
11:19 < hey2> xand I bet you use TFTP
11:19 <+xand> yep
11:19 < mast> And like only for like super trivial stuff tho
11:19 < rigoewba> windows is so cool. "unspecified error" :D u must luv it.
11:20 < mast> Its only because I'm dicking around in ubuntu and I have no idea what I'm doing
11:20 < idint> guys which tcp congestion algorithm is better suitable for a BGP server running on Linux, cubic or htcp ?
11:21 < pathrocle> how can i buy and use a ssl certificate for lan?
11:22 < djph> idint: fairly certain (although, I'm not fully caffeinated yet) BGP isn't a TCP protocol ...
11:22 < djph> pathrocle: https://letsencrypt.com
11:23 < djph> granted their certs have to be renewed every 90 days, so it's a bit of a pain.
11:23 < pathrocle> djph, with no acces to internet
11:23 < tds> djph: iirc it's tcp on port 179
11:23 < djph> pathrocle: then why bother using a public CA?
11:24 < pathrocle> djph, i don't know.... its for a bank client.... they want https for a platform that runs on the intranet....
11:24 < djph> tds: indeed it is ... *sigh* wonder what I was thinking of then.
11:24 < djph> pathrocle: OK, so let them be their own CA.
11:24 < idint> not sure if talking about BGP specifically is relevant here, could be OSPF or any, the server is making tcp connections
11:25 < idint> i mentioned BGP just to give an idea of bandwidth needs
11:25 < djph> pathrocle: I mean, if it's "all internal comms", then you have full control of everything; write up your own certs and be your own CA.  Unless there's a requirement that it come from a public CA
11:26 < rigoewba> well. here is something. network discovery is turned off. i remember turning it on but it jumps back. no matter even if i open an admin cmd window and put netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes in.
11:26 < bezaban> closed internal networks have a number of problems with public ca certs
11:26 < djph> probably getting windows GPOs pushed out to you.
11:26 < rigoewba> it says updated 48 rules Ok. but the sharing center shows off again
11:26 < bezaban> or rather the browsers do
11:27 < rigoewba> how could i copy already 60gibs then? :D
11:27 < bezaban> no ocsp / crl
11:28 < rigoewba> what to do then? how to copy the data other than dig for a hdd and a usb application for it?
11:28 < djph> bezaban: yeah, but at the same time, it depends on "which part" is disconnected from the rest of the world.  We've got some bits here that are "gapped(tm)", but you can still access them from setting up a connection via a gateway.
11:28 < djph> rigoewba: ask your IT department?
11:29 < rigoewba> yeah. he's my friend. he says this shouldn't happen. :D and he thinks its a crappy cable. (?)
11:29 < at0m> rigoewba: take the disk out of the old machine, insert it into the new, copy data from disk to disk
11:30 < at0m> for 60GB, that's a helluva lot faster
11:30 < rigoewba> its a laptop - pc situation
11:30 < bezaban> djph: yeah indeed
11:30 < bezaban> djph: used to proxy out certain requests.  Java applets running internally would fail on code signing certs etc
11:30 < rigoewba> but i'll just get a hdd from home tomorrow. im tired of this. (btw its not company stuff only music and games :D )
11:31 < at0m> rigoewba: yea, or external enclosure/esata/.. probably all faster than network
11:31 < rigoewba> gpo is checking every change instantly? didn't know that. i thought it only checks stuff at startup or so..
11:32 < rigoewba> well what can i do right? good thing this is an it support company :D
11:32 < djph> bezaban: yeah, our gapped crap is just typical https.  honestly, I think it's only gapped because some manglement types stack-overflowed in a meeting.  There's literally no benefit to moving these behind the stupid gateway.
11:33 < tafa2> Does anyone know where I can get the latest version of Cisco AnyConnect without a Cisco account? :)
11:33 < hey2> hmm
11:33 < djph> your IT department?
11:34 < hey2> you mean, this?
11:34 < hey2> https://software.cisco.com/download/home/286281283/type/282364313/release/4.6.00362
11:34 < rigoewba> they've taken away my 24" displays (ok they were good for pretty much nothing one with only vga connector lol) and i got 15 year old 4:3 19" displays instead.
11:34 < rigoewba> tells everything huh?
11:35 < tafa2> hey2 yeap
11:35 < rigoewba> whops.
11:36 < mgolisch> its refreshed with whatever your group policy refresh interval is set to
11:36 < mgolisch> usualy 60mins
11:37 < tafa2> djph I am the "IT dept" - don't have any Cisco kit
11:37 < tafa2> so no access
11:37 < rigoewba> so the network discovery isn't set back via it.. cuz it happens pronto. never mind thanks for the help. gotta go bye
11:37 < hey2> Did you not get the link I sent you
11:37 < hey2> lol
11:37 < hey2> Oh
11:37 < tafa2> hey2 - you need to login to download the client
11:37 < hey2> You need a contract
11:37 < hey2> that sucks
11:37 < hey2> Well, for what its worth
11:37 < hey2> I have anyconnect on my computer right now :-p lol
11:39 < mgolisch> why do you need that client if you dont have any gear to use it with?
11:39 < mgolisch> if its for accessing a 3rd parties vpn they should provide the client to you
11:40 < hey2> omgord
11:40 < mdm_> what's happen ?
11:40 < hey2> the sky is falling
11:41 < mdm_> hihihi
11:58 < GenteelBen> mdm__: someone forgot to put 50p in the freenode electricity meter.
11:59 < hey2> only 50 pence?
12:02 < tafa2> mgolisch I'm using OpenConnect
12:03 < tafa2> And it's compatible with AnyConnect - just wanted to give it a go
12:04 < mgolisch> ah i see
12:06 < mgolisch> so anyone know of any public dns service that redirects nxdomain?
12:07 < Gollee> what do you mean
12:13 < mgolisch> like one that returns a fake ip for nxdomain
12:14 < mgolisch> some isps do that to redirect you to some guideing page incase you fatfingered the url
12:14 < Gollee> why would any public dns server do this?
12:14 < Gollee> noone would use it
12:14 < Gollee> service*
12:15 < mgolisch> no idea, i just wondered if there was any that does that, guess ill just fidle around with a local dnsmasq to return some fake ips for some domains, want to test some measures against that bs, causes alot of pain with our vpn
12:53 < djph> Gollee: because we(your ISP) get all that sweet, sweet ad revenue from you, peasant.
13:14 < oo_miguel> hmm.. is it possible that tcp dumps shows SOME outgoing packages but the tcpdump on the target computer does not show them? Or is this definitely an ERROR?
13:15 < tds> oo_miguel: that's certainly possible, it suggests there's packet loss between the computers
13:15 < oo_miguel> this is what tcpump tells me about the outgoing package: Flags [P.], seq 1:394, ack 1, win 229, options [nop,nop,TS val 3643158 ecr 710050678], length 393: HTTP: GET /DATA/GEN/www
13:16 < oo_miguel> and it retries every second, but nothing is received... but other packages work fine
13:16 < oo_miguel> (the browser genearting this package retries..)
13:17 < oo_miguel> any suggestions where to start troubleshooting/finding the reason of the package loss?
13:35 < banisterfiend> hi, with ipv4 the local loopback ips are: 128.0.0.0/8 ad with ipv6 it's ::1 but what is the 'prefix length' for ipv6 so i can properly captur the range of valid local loopback ips
13:40 < MaxFrames> hello
13:40 < djph> fairly certain loopback in v6 is just ::1/128
13:40 < MaxFrames> I need to backup a device via tftp and the device is behind nat; what are the steps to make it work?
13:40 < MaxFrames> the tftp server is outside the nat
13:41 < djph> ohgodwhy
13:41 < MaxFrames> the server sees the incoming connection, with the original (un-natted) ip address as source, but the next phase (recontact the host) times out, I guess I need to port forward something?
13:41 < djph> or masquerade the outbound tftp session
13:42 < MaxFrames> how does this work?
13:42 < djph> NAT masquerade?
13:42 < MaxFrames> yes
13:43 < djph> poorly :D
13:43 < djph> sparknotes version -> "all packets leaving the interface X get their source address re-written to that of the interface they're exiting"
13:43 < MaxFrames> I mean: there is an outbound nat rule, so the packets are coming to the server actually from the nat router's external ip
13:43 < MaxFrames> so that part is taken care of
13:44 < MaxFrames> but then afaik tftp implies that the server initiates a tftp connection to the client, on a random port
13:44 < thothcastel__> is one able to exclude ip addresses through asdm or only through cli? cisco aa 5525
13:44 < thothcastel__> asa
13:44 < djph> then the router SHOULD also be getting a response from the TFTP server saying "this response is related to that request you just sent"
13:44 < djph> although ... it's been for fucking ever since I've actually used TFTP
13:45 < djph> so maybe it doesn't behave quite right :(
13:45 < MaxFrames> it's udp so it's stateless
13:46 < MaxFrames> all this because stupid Cisco does not allow to save a config via http
13:49 < djph> ugh, right, fucking UDP
13:50 < Emperorpenguin> MaxFrames: you can do ssh
13:51 < MaxFrames> sftp?
13:51 < Emperorpenguin> scp
13:51 < Emperorpenguin> Not sftp
13:52 < MaxFrames> I don't have that option. Only TFTP, FTP and SFTP
13:52 < Emperorpenguin> Oh then I meant sftp
13:53 < Emperorpenguin> Although it's not real sftp you can't use filezilla
14:06 < MaxFrames> that would work through nat?
14:09 < grawity> what makes it "not real sftp"
14:10 < grawity> scp isn't "fake sftp", it's nowhere even close to sftp...
14:10 < SemiControl> Hi
14:12 < SemiControl> How long does it takes to transfer a domain to another person?
14:12 < grawity> I think it depends on registrar
14:12 < grawity> and on registry
14:14 < SemiControl> grawity,  godaddy.. whats the usual time
14:16 < SporkWitch> SemiControl: depends on other stuff as well, such as the transfer protection feature that's usually enabled by default; prevents transfers for 60 days after certain changes are made, such as contact info updates
14:19 < SemiControl> SporkWitch,  If we talk about godaddy for e.g when a domain is requested to be transfered to another person (change of email and contact of "registrant") a confirmation email is sent to the email of old registrant, if he agrees/clicks on a link, then the "transfer process starts". I just wanted to get an idea that when the WHOIS records actually update and the domain actually gets transfered ( at a point where it is not reversable back
14:19 < SemiControl> to the old registrant without consent of new registrant)
14:19 < SemiControl> grawity, ^
14:20 < SporkWitch> you'd have to check their policies, that said, get off godaddy asap, horrible company
14:23 < grawity> I thought it's more of a registry thing (verisign for .com) than registrar thing
14:24 < grawity> I've only done transfers between registrars, not between owners, but
14:25 < grawity> I remember that I had mentioned it on IRC and someone (who had previous experience with .com) told me to expect up to a few days :/
14:25 < grawity> (but it was a few minutes for .eu though)
14:25 < SemiControl> SporkWitch,  whats the average time?
14:31 < SporkWitch> read their policy; the only standard thing is the 60 day protection
14:37 < thothcastel__> How many site2site vpns can be configured with a single internet link (single public ip)
14:38 < grawity> normally I'd say no practical limit
14:39 < SporkWitch> could probably make an argument for 2^16
14:41 < grawity> do you mean multiple vpns between the same pair of sites
14:41 < grawity> or many sites, one vpn each?
14:46 < dogbert2> well, the practical limit is usually memory and CPU in the device in question :)
14:47 < k_> hi dear people, i am having a problem; i have a piece of software called houdini installed on my laptop (windows) that is running license server that serves floating license. While i am in office everything works perfectly, I point my fedora workstation to laptop ip and it takes license without and problems while it totally refuses to do so at home. Any clues ? Thanks in advance :)
14:48 < k_> my home workstation runs fedora too, i tried disabline firewall but no luck. I can however ping laptop from my desktop
14:48 < ne2k> what is the canonical way to get both static and dhcp addresses on one interface in linux (ubuntu; ifupdown) these days? I've read that auto eth0 eth0:0; iface eth0 inet dhcp; iface eth0:0 inet static; should do the trick, but the static address doesn't get assigned if the dhcp doesn't work
14:48 < SporkWitch> i chose 2^16, since it doesn't matter how much RAM and how many CPUs you throw at it, there's only 2^16 ports to work with
14:49 < SporkWitch> set the static first
14:49 < SporkWitch> (might also need to do 0:0 and 0:1 in that setup, can't remember)
14:49 < ne2k> SporkWitch, dhcp apparently doesn't work on alias interfaces, so I've read, hence doing it this way round
14:50 < SporkWitch> that doesn't sound right...
14:50 < SporkWitch> i could see only getting one per physical interface, unless you spoof a mac on the aliases, but otherwise the DHCP server wouldn't know
14:50 < detha> SporkWitch: why would each tunnel need a separate port?
14:51 < SporkWitch> detha: how else does the OS know which traffic is for which application?
14:52 < ne2k> SporkWitch, https://askubuntu.com/questions/452317/both-dhcp-and-static-ip-addresses-simultaneously-on-one-interface been working from this
14:53 < Roq> He doesn't state what kind of VPN he is talking about
14:53 < Roq> But there are deffinitly limitation in regards to how many VPNs your hardware can support
14:53 < detha> SporkWitch: by looking at which SPI it comes in on? (or whatever the ssl based ones use for tunnel ID)
15:56 < jvwjgames> I am having issue with inbound calling to my pnx
15:56 < jvwjgames> outbound calling works great
15:58 < detha> Just tell people 'Don't call us, we'll call you'
15:58 < jvwjgames> lol nice
16:06 < oo_miguel> I have found some veeery strange behaviour that I expereince only from my network: having two very similar http requests, that vary only by one single letter length. one is delivered to the target and the other is not: see examples: https://pastebin.com/11PbyJeb
16:07 < oo_miguel> in both cases the tcp connection is built up (syn, syn-ack, ack) but in the second case the http request is never deliverd
16:11 < djph> err, what is the difference?
16:12 < oo_miguel> one a more :)
16:12 < djph> it's not part of the bullshit "aaaaaaaaa" that you put in there, is it?
16:12 < oo_miguel> it is exactly! one single 'a' more
16:12 < oo_miguel> I suppose i could simplify it more, maybe exchange the complete request wit a's
16:12 < djph> or, y'know, not use completely fucked data?
16:12 < oo_miguel> but I am very tired. It took me the whole day to break my problem down to that
16:13 < djph> it took you all day to realize "fucked data = no workie"?
16:13 < oo_miguel> no
16:14 < oo_miguel> data with exactly the legnth of the second request
16:14 < oo_miguel> first works fine
16:14 < oo_miguel> returns 301 at once
16:14 < detha> oo_miguel: MTU issues?
16:14 < djph> then go look at the server and/or upstream firewall to see why one byte matters
16:14 < E1ephant> ^
16:14 < djph> or rather, if the request even makes it
16:14 < E1ephant> does it get all the bytes?
16:15 < oo_miguel> I experience this problem from my home network only. I am directly connected to my isp router. not sure how to debug it
16:15 < oo_miguel> but I get it happens on different devices, so It is not a driver problem local to my machine i suppose
16:16 < detha> oo_miguel: start with setting MTU on your machine to something low, like 1280, and try again
16:17 < Jordi_> I have a problem related to congestion control in TCP that I am confused about.
16:17 < E1ephant> yeah smells like MTU bad with that information
16:18 < oo_miguel> detha: just did "sudo ifconfig eth0 mtu 1280 up", and it did not help
16:18 < Jordi_> Say you have a 1 GBPS link between city a and b. You need to transfer 10 KB payload from a to b. How long does that take assuming congestion control mechanisms are in place.
16:18 < Jordi_> Is that even enough information to answer that question?
16:18 < Aeso> Jordi_, that's going to depend on a couple of things: The latency between the locations, the packet loss on the line, the congestion window scaling of the sending host, etc.
16:19 < djph> Jordi_: 80,000 bits / 1,000,000,000 bits per second. = not very long.
16:19 < detha> oo_miguel: so much for that theory, then. Is this only on one particular site, or all over?
16:19 < djph> and then add 10 minutes because the network engineers are chewing on the fiber again
16:19 < Jordi_> djph: I didn't understand what you meant
16:20 < Jordi_> Wouldn't I require the window size at least to solve the problem?
16:20 < Jordi_> Aeso: That's all the information I have. Link speed and payload size.
16:20 < Aeso> Jordi_, without more information I can't give you any more detail
16:21 < djph> Jordi_: either the question assumes you have other information (e.g. we set the scenario up there, now this is question 2 of N concerning said scenario", or your professor is an ass.
16:21 < Jordi_> I see. Can you point me to some sources where there are solved examples to illustrate how I would go about solving this?
16:22 < Jordi_> djph: I feel like my professor gave me incomplete information. I was just wondering if there are some default values I could assume with which I could solve this
16:22 < Aeso> oh, it's _that_ kind of problem
16:22 < Aeso> we're not going to do your homework for you, sorry:)
16:23 < djph> Jordi_: If it's anything like I used to get in uni, the "information" was provided in a story, or other setup (e.g. the chapter itself) that you were expected to read before answering the questions.
16:24 < Jordi_> I had this in my exam today without any other information.
16:24 < Jordi_> Aeso: I don't want you to solve it for me. I'm just trying to get a feel of how I would solve it, man.
16:24 < Jordi_> *could
16:25 < ne2k> Jordi_, I really don't understand why people persist with these ridiculous questions
16:25 < Aeso> Jordi_, well, let's start with the basics. Do you understand the TCP protocol and it's congestion mechanisms?
16:25 < Aeso> If not, you have a fair bit of reading ahead of you.
16:25 < Jordi_> Reno and Taho?
16:26 < Jordi_> I understand how additive increase and multiplicative decrease and stuff like that works.
16:27 < Jordi_> But not enough to apply in this problem, I suppose :)
16:27 < Jordi_> ne2k: Me or my professor?
16:27 < Aeso> Draw yourself a diagram of the packetflow, it'll help.
16:27 < ne2k> Jordi_, the professor
16:27 < Jordi_> Ah okay
16:27 < ne2k> Jordi_, how can it possibly be answered without much more information?
16:27 < Aeso> Jordi_, without more context on this class it's going to be tough to know how specific he wants you to get
16:28 < Aeso> this is the physics equivalent of ignoring friction and drag while studying kinematics
16:29 < jvwjgames> I am having a firewall issue with my sip server outbound calls work with full two way audio but inbouns calls fail
16:30 < Aeso> jvwjgames, check your connection expiry timers. The firewall may be timing out the state before the host/server send another set of keepalives
16:30 < djph> there were no distances or RTTs involved, right - it was just "10 KB from city a to b at 1gbps" ?
16:31 < Jordi_> Given the information, I basically added twice (payload by link speed) to put it on the wire and then (distance by speed of light) for transmission for . Oh god, I feel like a moron.
16:31 < Jordi_> djph: It was exactly that.
16:31 < jvwjgames> i am using udp not tcp
16:32 < ne2k> djph, the question just says "congestion control mechanisms". it doesn't mention TCP
16:32 < Jordi_> djph: "Find the time required to send 10KB of payload from city A to B using a link which supports a link speed of 1 GBPS:
16:32 < djph> ne2k: crap, did I say TCP congestion?
16:33 < ne2k> djph, no
16:33 < Aeso> ne2k, what does that even mean, though? IP has no congestion control mechanisms afaik
16:33 < Jordi_> But we only "had" TCP congestion control to study for the exam
16:33 < ne2k> Aeso, the question doesn't even say it's IP
16:33 < djph> Jordi_: (10 * 1000 * 8) / 1,000,000,000
16:33 < Aeso> ne2k, shit, that's true
16:34 < ne2k> Jordi_, well, only you know from the context what are reasonable assumptions to make.
16:34 < Jordi_> djph: So that plus twice the transmission time? Is that the time I would calculate given these values?
16:35 < Jordi_> Oh wait. Not twice. You wouldn't count the ack time. So just propagation + transmission time?
16:36 < Aeso> This question really is garbage.
16:36 < djph> Jordi_: all you know is A to B at speed
16:36 < djph> so who cares about distance, it's just payload / speed
16:36 < detha> payload/speed + 1/2 RTT
16:37 < ne2k> "Slow Start" redirects here. For the Japanese manga series, see Slow Start (manga). # lel
16:38 < Jordi_> Aeso: What is the least amount of information which would make this an okay question?
16:38 < Aeso> ne2k, I would totally read a manga about TCP congestion mitigation :P
16:38 < jvwjgames> Fixed i needed to add allow sip guests
16:38 < Aeso> Jordi_, for a real world answer or for this ultra-theoretical magical world question?
16:39 < Jordi_> Not 'real world' real world, maybe passable for a textbook question?
16:40 < Jordi_> Say given maximum window size is 10 and that starting window size is 1
16:40 < ne2k> djph, you would care about distance if city A was Cuvier and city B was Chasm City
16:40 < detha> Jordi_: for a text-book question, speed, RTT, what protocol or what the protocl overhead is, and the assumption 'zero packet loss'
16:41 < djph> ne2k: sure, but on a shitty test / quiz you don't
16:41 < Aeso> Jordi_, so if you ignore packet loss and assume it's a direct L1 connection between hosts, you need to know the RTT, the MTU, and the TCP window size settings of each host in addition to the file size and link bandwidth
16:42 < Jordi_> detha: Speed of light? For RTT let's assume distance is provided, protocol is TCP?. By protocol overhead do you mean how much header is added? What's zero packet loss here?
16:43 < Aeso> Jordi_, RTT includes your propogation time so you don't have to worry about speed of propogation, distance between cities, etc.
16:43 < Jordi_> So file size: 10KB, link bandwidth: 1 GBPS, TCP window size: 10, MTU: 1KB and RTT = 2* d/c
16:43 < detha> Jordi_: in modern times, if you are given distance, work on 2/3 speed of light
16:44 < Jordi_> detha: Makes sense.
16:44 < Jordi_> Aeso: Ah right. Okay.
16:44 < Jordi_> So how would I calculate it now? Do I have to do additive increase from window size 1 or start off with window size as 10?
16:45 < Jordi_> Here I guess the window would never overflow since 10/1 == 10 packets. Assume window size is 5 then.
16:46 < ne2k> Jordi_, why would you assume MTU = 1000 bytes?
16:46 < Aeso> Jordi_, well, it's 1.5 RTT for the TCP handshake (again, assuming TCP). After that the sender fills it's initial window (you say one packet, the payload size of which will be MTUsize - headers
16:47 < Aeso> the receiver ACKs (+1 RTT), the sender sends two packets, etc etc until you've sent the entire payload
16:47 < Jordi_> I just assumed packet size = MTU here
16:48 < Aeso> but it's worth noting that most hosts start with a larger window size than 10
16:48 < Aeso> err than 1
16:49 < andrzej> hey
16:49 < andrzej> if I have 2 FastEth cards in the machine then to be able to use them as one logical nic with about 200Mbit speed I have to connect them up with 1Gbit switch because 100Mbit will be limited to 100Mbit ?
16:49 < Jordi_> Aeso: Yeah I suppose.
16:49 < Aeso> Google did a bunch of testing on performance and discovered that an initial window of 10ish iirc and Linux adopted it as default
16:50 < Aeso> here's the paper if you're curious: https://research.google.com/pubs/pub41330.html
16:51 < Jordi_> Aeso: Does that calculation assume the initial window size was 1? Wouldn't time vary because of the fact that I need to do additively increase the window size?
16:52 < Aeso> Jordi_, it does, which is why I'm pointing out that it's not very real-world.
16:53 < Jordi_> Aeso: Oh okay. it's just that since the question was under congestion control, I thought I should consider it.
16:54 < Aeso> Without any details about how much other traffic is on the line, there's not much for the congestion control to do. Which is part of why I think it's a garbage question.
16:56 < Jordi_> Hmm. I could just dump 10 Kbytes into this link without any congestion control, couldn't I?
16:56 < Aeso> Jordi_, as UDP packets, sure
16:56 < Jordi_> Oh. As TCP what changes? Need to consider 3 way handshake or something else?
16:57 < Aeso> I mean you could configure your host with an initial window size to whatever you want; it's your host after all. But it's generally considered bad practice.
17:00 < Jordi_> Aeso: Now if I consider congestion control, would incrementally increasing the size of the window by 1 / current window size be sufficient to calculate total time?
17:01 < Jordi_> So basically what I mean is, start with window size 1, send 1 packet, recieve ack, set window size = 1 + 1 = 2, send 2 packets, window size = 2 + 1 = 3 and so on until I get to send 10 packets?
17:02 < Aeso> Jordi_, sure.
17:02 < Aeso> Though you'll have sent that 10KB file a long ways before that.
17:03 < ne2k> I think I'd settle for djph's initial answer
17:03 < Aeso> Same.
17:05 < Smallville> Trying to fix Ethernet of a desktop that was working yesterday. I reinstalled the network driver. I used Complete Internet Repair
17:05 < Smallville> Nothing works
17:06 < Smallville> I booted into Linux cd. Ethernet works.
17:06 < Smallville> The desktop is running windows 7.
17:07 < Smallville> If I do a system restore, from last week, will Ethernet work?
17:07 < ne2k> Smallville, what makes you think it's software related?
17:08 < ne2k> Smallville, please describe your network setup. all devices, all interfaces, addresses/masks on interfaces, and interconnections
17:08 < Smallville> Internet worked using Linux parted magic cd
17:09 <+catphish> should i get one of these? any better options for a large screen for side by side work? http://www.dell.com/ed/business/p/dell-u3417w-monitor/pd
17:09 < Smallville> If internet works on Linux then it’s not hardware issues
17:10 < ne2k> Smallville, seems reasonable. is the NIC recognized in Windows? what does device manager say about it? ipconfig? route?
17:10 < ne2k> catphish, two smaller screens? three smaller screens?
17:11 <+catphish> ne2k: i have 2 normal screens right now, but thought this might be nicer
17:11 < Smallville> NiC is listed in device manager. Brand and model
17:12 < Smallville> Ipconfig results are blank as if there is no nic
17:12 < ne2k> catphish, I find two screens annoying, because you end up either having a join right down the middle, or having one that is the "main" one and one that is the "other" one that you have to turn to see
17:12 < Jordi_> ne2k, Aeso, djph: Does this look right? https://paste.debian.net/1022182/
17:13 < ne2k> catphish, I prefer three for that reason; one large one in the middle that is the main one, and two identical smaller ones to the sides that are subsidiary
17:13 <+catphish> ne2k: yeah right now i have to find myself turning to see the the secondary one
17:13 <+catphish> interesting
17:13 < ne2k> catphish, you still have to turn, but I prefer the symmetry of it
17:14 < ne2k> and /most/ stuff can be done on the large central one
17:14 < ne2k> of course, there is an argument that says it just makes you context switch more and you're therefore far less efficient. better to have only one small screen and actually just focus on a job
17:14 < ne2k> depends on the job, though
17:15 < Aeso> Jordi_, the bits in the middle should be 1 RTT each. The server doesn't wait for an ack for every packet: That soft of defeats the purpose of the window.
17:16 < Aeso> Also if the sender is the initiator, it's only 1RTT for the handshake
17:16 <+catphish> that curved one has roughly the same resolution as my 2 current ones, so thinking it'd be nicer
17:16 < Smallville> Network tray icon says no connections available
17:16 < detha> ne2k: very true. I also went to 3 screens
17:16 < Jordi_> Aeso: The only time I can't assume 1 RTT for k packets is when that many packets/segments(?) can't be put on the link simultaneously?
17:17 < ne2k> catphish, I can't comment on curved other than to say a) my gut says you're paying through the nose for a gimmick and b) it /might/ be annoying. or it might be great
17:17 < Jordi_> Why is it 1RTT if the sender is the initiator?
17:17 <+catphish> ne2k: i think i'll give it a go
17:17 <+catphish> they do a 34 and a 38 inch version, the latter seems excessive
17:18 < Aeso> Jordi_, well the receiver is going to communicate it's max receive window in the handshake, and that will define the max number of packets the sender will put on the line without an ack
17:19 < Aeso> also it's 1RTT because the sender can send the last step of the handshake (an ack) and immediately start putting packets on the line
17:19 < detha> Jordi_: if initial window > BDP, the calculation changes a bit yes
17:21 < Aeso> whereas if the receiver initates the transfer, the sender has to wait to receive that ack before it can start sending data
17:22 < Jordi_> Aeso: When I say 1 RTT for 3 packets, say, doesn't that mean I'm counting the time taken to put a packet on the line only once? Sure transmission of 3 packets is almost equal to 1 packet so that is negligible
17:24 < Aeso> Jordi_, the reason it takes a RTT is because you put as much data on the line as tcp slow start will let you, and then you have to wait for an acknowledgement from the receiver before you can send more
17:24 < Jordi_> Aeso: Oh so basically the last Ack piggy backs on the 1st packet? But the recieving window is only 1 packet right?
17:25 < Aeso> the receiving window is much larger than your tcp slow start (hopefully)
17:25 < Aeso> so you send one, wait for ack, send two, wait for ack, send 3, wait for ack
17:26 < Aeso> the RTT delay doesn't have anything to do with how you're sending, but rather that you have to wait for ack to send more
17:26 < Jordi_> Aeso: Yeah so you're saying 1 RTT is enough for 3 packets because you'd be putting in packet 2 and 3 while waiting for 1's ack? But wouldn't you have to similarly wait for 3's ack at the end? Isn't it 1 RTT + 2 * propagation delay (for 2nd and 3rd packet)
17:28 < Aeso> Jordi_, as soon as you get the ack back for 1, you can put another packet on the line. There's a window of time where the sender is both sending new packets and receiving acks at the same time
17:28 < Jordi_> Oh shit only 1 ack is sent for all three
17:28 < Aeso> actually no, though it's normal to get a single ack back for two packets
17:30 < Aeso> but since you're sending and receiving acks at the same time, it's just a RTT delay between 'pulses'
17:31 < Jordi_> So if the ack was recieved for all 3 together, then I would have to wait, 1 RTT + 2 * Prop delay right?
17:31 < Jordi_> If the ack is sent for all 3, I'd be waiting for 3's ack to come before sending anything again right?
17:32 < Aeso> Jordi_, something like that, but that's not how TCP works
17:32 < Aeso> here, watch this: http://packetbomb.com/how-to-troubleshoot-throughput-and-tcp-windows/
17:32 < Aeso> this guy does a lot better job at explaining this better than I do
17:33 < fnDross> anyone have any good resources about zones, with examples..?
17:34 <+xand> what kind of zones
17:34 < fnDross> ones that lede uses
17:34 < fnDross> seeing posts/comments that conflict
17:35 < fnDross> and wordings of things where it looks like my guest network would fall under
17:38 < djph> sparknotes version of zones
17:38 < Jordi_> Aeso: One other thing is I've applied additive increase without using slow start in the beginning. Should I fix that?
17:39 < Jordi_> The video you sent (nice intro!) shows a graph where slow start is used first.
17:39 < djph> (1) you define them, (2) you define what interfaces they include, (3) you define EVERY interaction of EVERY zone.
17:39 < fnDross> tryin to make find out if https://ibin.co/3wZx0gWjNDUu.jpg  semi safe&functional
17:40 < fnDross> mainly the way input/output/forward applies to that Kzone(guest network)
17:40 < djph> why are you using TWO routers?!
17:41 < djph> I take that back .. three
17:41 < fnDross> cause i get 3 ip's from my isp, to take out xbox one traffic load from all other devices
17:42 < djph> that's not how multiple IPs work
17:42 < fnDross> and these arent power house systems
17:42 < djph> you get three IPs and one (1) set amount of bandwidth.
17:42 < fnDross> xbox makes alot router congestion
17:43 < djph> so then get decent router (and/or AP).
17:43 < fnDross> im suppose to get 1 set amount 40/10... but speed tests all give 30-40 ish
17:43 < fnDross> in a slump no $$ atm
17:46 < Aeso> Jordi_, additive increase doesn't kick in until slow start gives way to the congestion control algorithm, correct
17:46 < fnDross> also its so xbox default ports dont need to be changed
17:46 < Aeso> also most people aren't using additive increase congestion control algorithms anymore
17:46 < Aeso> but again with this real world vs theoretical
17:48 < Jordi_> Aeso: How would I add in slow start into this?
17:48 < Jordi_> Is this explanation technically correct? https://paste.debian.net/1022189/
17:48 < Jordi_> I'm using the feynmann method to understand this problem by trying to write down exactly what I understand is happening.
17:49 < djph> hmm, link's just a blank page :
17:49 < Aeso> Jordi_, yeah, that's about right
17:49 < djph> ... stupid firefox
17:49 < fnDross> djph: even with a normal config of 1 router(no vlans etc), the dir-601 gets rebooted[hoping to find a free/$3.99 replacement]
17:49 < Aeso> but again, slow start operates differently
17:49 < Jordi_> Yeah, let me write up another with slow start
17:50 < djph> fnDross: it's unfortunate you're stuck with such shit hardware ... honestly, grab whichever is the best device you have and try with just that one running ...
17:52 < fnDross> did that at first.... as soon as one of the xbox that using it.. cpu spikes to max and sits there
17:52 < fnDross> that 601 gets pummeled tho
17:53 < nickster> quick question, maybe
17:54 < nickster> im currently trying to push DNS A(ipv6), B, and C to all devices on LAN
17:54 < nickster> I set this up in the opnsense general settings
17:54 < nickster> but, if i go to the interface, the dns servers listed there are 127.0.0.1, A, B, C
17:55 < nickster> is the 127.0.0.1 as a dns server broadcasting the address of the router or is something else going on
17:56 < aaa_> https://www.youtube.com/watch?v=nRmMkiTB_uE
17:56 < Jordi_> Aeso: How does this look? https://paste.debian.net/1022191/
17:56 < Jordi_> And can you tell me what other factors I would need to consider in the real world?
17:58 < Aeso> Jordi_, this looks pretty good. Some things to consider: TCP slow start usually starts with 2 packets, not one. Most modern servers are configured to start with 10, even.
17:59 < Jordi_> Aeso: Ah okay! Thanks. I feel like I actually learned something :)
17:59 < Jordi_> Also what other factors would I need to consider if I were to do this in real world?
18:00 < Aeso> Jordi_, yeah, so congestion and packet loss will absolutely shit on your parade as far as these calculations are concerned
18:01 < Aeso> but if you're really curious you can go find papers on equations that take packetloss percentage and tell you your max practical bandwidth
18:03 < Jordi_> Again RTT is equivalent to 2 * (d / 3 * 10^8) + 10^3 / 10^9 everytime  right? Or would that change according to whether I'm using slow start (where I could increase window size after every ack) or additive increase (where window size can only be increased after "window size" amount of acks have been recieved or 1 ack for all the "window size" segments has been recieved)?
18:04 < Jordi_> Aeso: By packet loss you mean packet loss due to congestion control itself right?
18:04 < Jordi_> That only occurs when LM, the max window size is less than 10 in this case right?
18:05 < Jordi_> *congestion
18:05 < detha> Jordi_: that sets a minimum value for RTT. Real-world, there may be switches/routers in between that make it larger
18:05 < Aeso> Jordi_, either or, the whether there's a problem with a link or the switches buffers are full, TCP doesn't know or care
18:07 < detha> Packet loss happens. Sometimes due to congestion, sometimes due to dirty or faulty optics, or other reasons
18:08 < Jordi_> I thought TCP assumes heavy / light congestion for all packet loss?
18:09 < skyroveRR> It does, but it won't work in rare cases..
18:10 < Jordi_> Would RTT = 2 * (d/3 * 10 ^ 8) + (10^3 / 10^9) even be correct assuming I don't care about switches in between? I just want to know if I need to consider the time to put multiple segments on to the wire or not.
18:10 < Jordi_> skyroveRR: Responding to me?
18:10 < skyroveRR> Yeah
18:10 < Jordi_> Ah okay.
18:32 < Arfed> for a server, can multiple clients ever share the same source port?
18:33 < Arfed> I'm considering creating a hash table for fast IP lookup on a server - and the source port seems to be a natural way to match and IP to connection state
18:37 < grawity> source port from client perspective?
18:37 < jquinby> it appears so: https://superuser.com/questions/1179009/ephemeral-port-collision
18:37 < grawity> or did you mean the local port on the server end?
18:37 < grawity> if at least one of the IP addresses are different, then the port pair can absolutely be the same among several connections
18:39 < Arfed> Thanks - that answers that then - I'd have to use a more complicated hash mapping then - maybe not worth it
18:41 < Arfed> what's an accepted fast ip lookup method, with e.g. maximum 200 connections?
18:41 < Arfed> anything better than binary searching?
18:42 < ne2k> Arfed, what are you actually trying to do? are you reinventing the wheel?
18:43 < grawity> I think ipset and nft sets just use hashtables
18:43 < Arfed> I'm just trying to have a fast method of matching an IP to a connection state
18:44 < grawity> what for
18:44 < grawity> detecting duplicate connections from the same IP?
18:44 < ne2k> Arfed, but that doesn't explain what you're actually doing
18:44 < grawity> for ~200 conns, I think a hashtable will do
18:45 < Arfed> I want the program to perform well under a flood of packets, so that matching IP to state doesn't harm performance. are hashtable's better than binary searching?
18:45 <+catphish> Arfed: one normally hashes on src ip, src port, dest ip, dest port, protocol
18:45 <+catphish> Arfed: so as long as all 5 things don't match, you're good
18:45 < grawity> what do you mean "a flood of packets"
18:45 <+catphish> if all 5 things do match, it's the same connection :)
18:45 < Arfed> e.g. an attack on the server, flooding packets
18:46 < grawity> that doesn't explain a thing.
18:46 < grawity> are the "connections" via TCP or via UDP?
18:46 < Arfed> udp
18:46 < Arfed> custom protocol based on udp
18:46 <+catphish> i think i've missed what the actual question was here
18:47 < Arfed> I want a fast way of matching an IP to a connection state, for UDP packets
18:47 <+catphish> for a udp server, you try to be stateless, if you can't, you make a table, indexed on remote_ip, remote_port
18:47 <+catphish> you wouldn't normally match just an IP, you'd match IP+port
18:47 < grawity> "table" as in a hashtable, I assume
18:47 < Arfed> ya IP+Port
18:47 <+catphish> no, table as in table
18:47 < Arfed> an array?
18:47 < grawity> as in array?
18:47 < ne2k> isn't this what the IP stack is for?
18:48 < grawity> "indexed by IP" so with 2**32 entries?
18:48 < grawity> or a linked list?
18:48 < Arfed> the problem with an array is that linear searches are slow
18:48 <+catphish> ne2k: OSs don't make a socket for each client in UDP, so no
18:48 < grawity> they do if you ask
18:48 < grawity> you can connect() a UDP socket
18:48 <+catphish> really? cool
18:48 <+catphish> i've never done that
18:48 <+catphish> well, not as a server
18:49 < Arfed> that's a good point - what does the OS do the route packets in that circumstance?
18:49 < grawity> so like, one socket for receiving initial contact, then create a new one for every client?
18:49 < ne2k> why not have a look at some well-known UDP-based server, such as ntpd or bind, does it?
18:49 < grawity> those don't have active associations as such, do they
18:49 <+catphish> anyway, i don't know how you'd actually store the data in memory, probably just an array, then use a btree or similat to find the entry you want quickly
18:49 < ne2k> Arfed, are you needing to keep state on the server, then?
18:49 < Arfed> it's valuable to seek wider knowledge on it - e.g. I didnt know about ntpd or bind until now ;)
18:50 <+catphish> i usually use a "hash" in ruby, does all this for me
18:50 < ne2k> Arfed, well, as grawity says, they may be a red herring
18:50 <+catphish> maybe that's what you meant by a hash table? if so, sorry
18:50 < Arfed> yes keep state on server - for about 200 connections
18:50 < detha> for 200 entries, it probably doesn't matter
18:50 <+catphish> grawity: sorry, hashtable is exactly what i meant!
18:50 < grawity> yeah those are named so because they're a hashtable or something similar under the hood
18:50 < Arfed> it matters - linear search is too slow
18:51 < detha> even a linear search would be fast
18:51 < ne2k> Arfed, just use srcip.srcport as the key for a hash. what language are you writing this in?
18:51 < Arfed> its slow
18:51 <+catphish> Arfed: yeah, you want a hashtable, where the key is the remote ip and remote port, very easy really
18:51 < grawity> though I've seen some projects use e.g. tries in place of hashtables everywhere
18:51 <+catphish> what ne2k said
18:51 < UncleDrax> so who wants to come do scheduled customer-interface moves for me? (for free... and yes at like 0300 local...)
18:52 < Arfed> how slow is hash generation itself though?
18:52 < grawity> (atheme, freenode's nickserv, uses patricia tries for everything)
18:52 <+catphish> a hashtable with srcip.srcport as the hash, each
18:52 <+catphish> hash generation likely isn't slow
18:52 < grawity> Arfed: measure, but it's usually reasonably fast to deal with this
18:52 < Arfed> millions of hashes per second - not slow?
18:52 <+catphish> Arfed: you have to choose hashtable, or simple list with sequential search, your choice, time both
18:52 < ne2k> Arfed, why are you worrying about things that take nanoseconds when you're dealing with network comms that takes milliseconds?
18:53 < Arfed> because millions of packets means millions of hashes
18:53 <+catphish> both will be fast for 200 entries on a modern CPU, i'd always use the hashtable though, it scales
18:53 < ne2k> Arfed, what language are you writing this in?
18:53 < Arfed> c++
18:53 < ne2k> Arfed, urgh
18:53 < Arfed> hash table lookup speed is constant, for the most part, and limited by the hash function speed, right?
18:53 < ne2k> Arfed, are you running this server on an arduino or something?
18:53 <+catphish> Arfed: for millions of packets you are going to need to put in some work, some testing, we can't design that for you
18:54 < Arfed> ok but is it reasonable to assume millions of hashes is likely to be slow
18:54 <+catphish> time it
18:54 <+catphish> are we talking 1 million lookups, how many entries? 200?
18:55 < grawity> in python, one million hashtable (well, set) lookups takes rougly 0.1 of a second
18:55 < grawity> on my laptop
18:55 < Arfed> 1 million lookups - number of entries probably doesnt matter, as id imagine its hash-speed limited
18:55 < Arfed> 0.1 second is long
18:56 <+catphish> by the way, my laptop, with ruby, can do approx 10 million hash lookups per second
18:56 < detha> ~200 entries means few insertions/deletions, so I would use use a sorted array and binary search instead of hashing each packet. binsearch is < 8 comparisons
18:56 < Arfed> ok. nevermind I think my approach of using a binary search on an array, is probably best
18:56 < Arfed> yea that's the way I went
18:56 <+catphish> 2.3.7 :012 > t = Time.now; 10000000.times do |n|; hashtable[n]; end; puts Time.now - t
18:56 <+catphish> 0.551772404
18:56 < Arfed> just making sure it's the most suitable
18:56 <+catphish> 0.55 seconds for 10 million lookups
18:56 <+catphish> so use the hashtable :)
18:56 < ne2k> Arfed, methinks you are optimising too early
18:56 < grawity> how many packets per second is 1 Gbps?
18:57 < grawity> with 64-byte packets, let's say.
18:57 < Arfed> oh this is optimizing code that's 20 years old
18:57 < Arfed> not quite too early ;)
18:57 <+catphish> 1Gbps = 1.4Mpps
18:57 <+catphish> so my laptop running this under ruby could handle 10Gbps
18:57 <+catphish> so use the hashtable :)
18:57 < grawity> right, so at this rate even mine be able to handle some 5-6 Gbps – per core, if you're multithreaded
18:58 < grawity> I assume your ISP will be calling you well before that
18:58 <+catphish> that was 1 core of my laptop, 10M hashes in half a second lol
18:58 < ne2k> it might not be on the Internet
18:58 < grawity> ne2k: but then why worry about a DDoS
18:58 <+catphish> so optimize away, but use a hashtable with srcip.srcport
18:58 <+catphish> good luck
18:58 < ne2k> grawity, I wasn't readin
18:59 < Arfed> ah no, it's optimizing for single threaded - for now
18:59 < ne2k> anyone know how to, properly, so it actually works, get both a static and a dhcp address on the same interface on modern debianish OS? ifupdown. ubuntu 16.04 server
19:00 < Arfed> 0 byte UDP packets are about 0.5 million roughly, at 1 Gbps
19:00 < ne2k> i.e. working so that if DHCP isn't available at boot, it still has the static, and then when DHCP comes to life it picks it up and still has the static as well.
19:01 < ne2k> auto eth0 eth0:0; iface eth0 inet dhcp; iface eth0:0 inet static; looks like it might work, but appears to go wrong if dhcp is not available at boot
19:10 < ice9> which vpn clients that supports IKEv2 on Linux?
19:15 < FreePizzaKid> Hello, I have a server running with Apache2, and I'm trying to make my logs available through my browser. Basically I have 3 site : a drupal, a redmine and a phpmyadmin. I created a logs folder in each of their installation path, and in my Vhost, i set the logs to write i, said logs folder (for example ErrorLogs /var/www/html/drupal/logs/error.log for the drupal site, etc)
19:15 < FreePizzaKid> In each logs directory, there's a .htaccess, like this one : https://pastebin.com/pyhEQ0Ym
19:16 < FreePizzaKid> I can access the drupal one, but the phpmyadmin gives me a 403 and the redmine a 404, and I don't understand why
19:18 <+catphish> Arfed: nope, 1.4Mpps
19:18 < kottt> Not the best place to ask, since this isn't a networking problem. Linux or Apache channels might be better.
19:18 < kottt> @FreePizzaKid*
19:18 < UncleDrax> from https://httpd.apache.org/support.html -> "The #httpd channel on the irc.freenode.net IRC network is a good place for quick questions. If your questions require a more in-depth answer, you will likely be encouraged to move the question to the mailing list.". (I can't personally speak to if #httpd is populated/useful)
19:18 < Smallville> hey
19:19 < skyroveRR> Hi
19:19 < FreePizzaKid> oh ok thanks, I'll try to ask there
19:19 < Smallville> desktop internet not working, I know ethernet works because internet works on linux cd
19:19 <+catphish> FreePizzaKid: must be something different about those files, if they're all in the web roots check their permissions
19:19 < Smallville> makes it a windows 7 issue.
19:19 <+catphish> Smallville: best use linux
19:20 < Smallville> not my pc
19:20 <+catphish> i didn't suggest it was :)
19:20 < Smallville> linux not an option
19:20 < Smallville> ok sorry
19:21 < Arfed> catphish: 0 length UDP is 28 bytes, ya? that's almost 0.5 million per Gbps
19:21 < Smallville> i did a system restore to when the ethernet was working
19:21 < Smallville> restore worked but the ethernet is still saying "not connected, no connections available"
19:22 < Smallville> i reinstalled the network driver from Dell website
19:22 < detha> Arfed: assuming ethernet, minimum frame length is 64 bytes or so
19:23 < Smallville> the NIC is listed with the correct brand and model numbers in device manager
19:23 < Smallville> i just don't know what the issue is. I tried everything
19:23 < Smallville> any ideas please?
19:24 < drudge`> maybe the NIC is bad?
19:24 < UncleDrax> walk through the layer cake to troubleshoot NICs for Great Justive.
19:25 < drudge`> did you try uninstalling the tcp/ip stack on windows if you're sure the nic is good (live cd working with internet)
19:25 < UncleDrax> *justice
19:25 < Smallville> yes i used Parted Magic
19:25 < Smallville> ethernet works
19:26 < drudge`> try unchecking/removing/re-adding ip4 from the adapter properties?
19:26 < Smallville> hmm
19:26 < Smallville> ok i'll brb
19:29 <+catphish> Arfed: firstly, 1,000,000,000 bits per second is 125,000,000 bytes per second, simple maths says that 125,000,000 / 28 = 4.4 million, however the minimum ethernet frame size is 64 bytes, so the maximum rate should be 125,000,000 / 64 = 1.9Mpps, however in reality, for reasons i'm not sure of, maybe the interframe gap, the actual rate is 1.4Mpps
19:30 <+catphish> Arfed: i don't know how you got 0.5 million, but the correct number is 1.4 million :)
19:30 < Arfed> ya I missed a dot, and went 0.5 instead of ~5 ;) How much of a factor is the ethernet frame in internet communications?
19:31 <+catphish> the frame header is 18 bytes, how much of an impact that has depends on your frame size
19:31 <+catphish> and the minimum size if 64 bytes
19:32 <+catphish> so for 1 byte of payload, you have 63 bytes of overhead, but for 1500 bytes of payload, only 18
19:32 <+catphish> small packets are very inefficient
19:32 < Arfed> doesn the ethernet frame change with each hop?
19:32 <+catphish> yes
19:32 < Arfed> so it's not really counted as part of e.g. DDoS attacks?
19:32 <+catphish> in fact some hops might not use ethernet at all (though most do in 2018)
19:33 <+catphish> Arfed: its totally up to you how you count it
19:33 < Arfed> okey - I'd tend to count it minus the ethernet frame
19:33 <+catphish> most people would say if it fills a 1Gpbs pipe then it's a 1Gbps DoS
19:33 < Arfed> as I'd be measuring the throughput of a DDoS attack - not the capacity of a pipe
19:33 < Smallville> drudge`: the Ethernet adapter properties isn’t retaining the default gateway address
19:33 <+catphish> Arfed: up to you :)
19:34 < Smallville> It clears after I reopen properties
19:34 < drudge`> sounds like an issue
19:34 <+catphish> Arfed: attacks of tiny packets are more likely to be measured in pps
19:34 <+catphish> since their aim is not really to saturate links, but to upset the software
19:35 < Arfed> ah, it's just a different variety of a DDoS
19:35 <+catphish> so their bit rate doesn't matter much :)
19:35 <+catphish> yep
19:38 < fly_agaric> hello i have a problem with a hardware firewall. i created a vpn account for a external company. its a client-to-side vpn and i set the vpn account as source and the server which should be reached by vpn as destination. unluckily the account can reach all hosts in the company.
19:39 < fly_agaric> i looked at the rules and its a allow rule so the communication to every host except this one host which i allowed should be dropped right?
19:49 < ziggylazer> Anyone in #networking ?
19:49 < Hooloovo0> no
19:49 < Aeso> not a one
19:50 < S_SubZero> ##notworking
19:50 < ziggylazer> Well thats a shame
19:50 < xssposed> lol
19:50 < ziggylazer> since this is ##networking
19:56 < xssposed> not sure where to ask, but i figured id ask here: im starting school in the fall so i can actually get a degree in something im passionate about. ive taught myself programming and have worked with malware, networking, security, webdev bs such as front ends/backends etc, but im not sure what to get into. for instance, im going into cs, but cs alone is purely trash. i'll solely learn the rudimentary of cs and thats not what i want. i just dont know
19:56 < xssposed> what field to get into that would incorporate my interests. i figured perhaps engineering, but thats not entrely what i enjoy. i then figured networking, but that hardly involves any programming. any suggestions?
19:57 < Dalton> i went networking cause i had/have no interest in programming
19:57 < djph> ... anything except windows admin ...
19:57 < S_SubZero> what do you want to do?
19:58 < Dalton> i want to be a lumberjack
19:58 < xssposed> LOL
19:58 < S_SubZero> you'd be ok
19:59 < xssposed> what about malware analysts? that should involve both networking and programming
20:00 < qman__> well, if you don't know what you want to do, then you probably shouldn't be starting school
20:00 < xssposed> every female has their expiration date and im not looking to marry rich, therefore, no
20:00 < xssposed> i dont have forever
20:01 < qman__> no, but my point is that school isn't the only path, and isn't really a good idea if you don't know what you want
20:01 < djph> Dalton: and that's okay, you'll sleep all night and work all day.
20:02 < xssposed> i do know what i want, im just uncertain about the field
20:03 < qman__> that's a self contradictory statement
20:03 < qman__> anyway, the best way to figure out what you want to do is to start doing stuff
20:03 < qman__> and find out if you like it
20:03 < xssposed> i like writing exploits, i like finding bugs, but i also enjoy reverse engineering
20:04 < qman__> that's good, and leads to a few avenues in security, particularly penetration testing
20:05 < qman__> trouble with those is there isn't a defined career path, most people who succeed in that field run their own businesses or work as contractors
20:05 < xssposed> penetration testing is a meme
20:05 < xssposed> requires zero skill
20:05 < xssposed> i want a challenge
20:06 < djph> IDK, some of those security types are quite good.
20:07 < qman__> that sort of skillset isn't valued that highly in traditional IT departments, unfortunately
20:07 < qman__> they're more concerned about building stuff
20:07 < qman__> than tearing it down and breaking it
20:08 < qman__> people who are really good at that can be very succesful, but almost always doing consulting, not working for some large company
20:09 < qman__> lots of money to be made, but not a lot of stability
20:09 < djph> qman__: yeh, I was talking about the couple of security contract types I've come across
20:09 < qman__> infosec folks in most large companies are writing policies and processing logs and stuff
20:09 < qman__> things I personally find way too boring
20:10 < xssposed> id most likely work for a company to gain some experience and learn what i dont already know and branch off anyways ;-;
20:14 < xssposed> what about security engineer?
20:14 < xssposed> is that a thing
20:15 < qman__> yes, but it's mostly the same as regular infosec, defining policies and standards, testing security products, etc
20:16 < qman__> helping systems engineers find and follow good practices
20:16 < qman__> I'm a systems engineer, I started my career working for managed service providers and now I build stuff for a large company
20:17 < xssposed> i see
20:17 < qman__> I build the platforms that the software engineers use to run their software
20:18 < xssposed> and how is that for you?
20:18 < xssposed> do you enjoy it..
20:21 < xssposed> and could you define platform? im familiar with what software engineers do, but i initially thought they built their own platform to work with their software, unless im not understanding the term correctly
20:22 < Dalton> not always
20:22 < Dalton> they might be able to work in an environment but not have the right to install/modify said environment
20:23 < xssposed> in other words, you provide the hypervisor and they build the actual os?
20:23 < xssposed> just an example
20:23 < Dalton> i was thinking even less then that
20:24 < Dalton> but yes
20:25 < xssposed> ahh okie
20:25 < djph> he provides a shell / framework program, the software guys then put in the other bits to make it do whatever task
20:26 < xssposed> i get it now :)
20:28 < kottt> xssposed: CS degree is quite trash, unless you're really into computing theory. an assoc. degree in software dev or engineering or finding some kind of (legitimate) cybersec program would probably be way more gratifying
20:28 < kottt> source: im graduating CS and hate it
20:28 < panda_man> I graduated CS and loved it
20:28 < kottt> eh
20:28 < Dalton> i skipped CS cause i didn't want to be a programmer
20:28 < djph> I got halfway through CS and hated it. Moved to Info Systems, and liked it better
20:28 < Dalton> ^^ started there
20:29 < kottt> okay i dont hate CS, but i hated the entire program because the profs were awful, the course material did basically nothing to prepare me for anything, and it felt like a 50,000$ waste of time
20:29 < xssposed> kottt: yes, but dont i need cs to be able to get into those fields?
20:29 < xssposed> ive heard cs alone was trash from several people -.- they told me i was wasting my money and to make money online
20:29 < kottt> lots of ways in besides a CS degree
20:30 < djph> kottt: sounds like you had my profs
20:30 < kottt> though im not a professional, and am currently trying to get the hell out of my student job in a NOC
20:30 < xssposed> wait, so i can get into 'info systems' rather than getting into cs
20:30 < S_SubZero> my community college had an "Industrial Science" track which was CS without the math.  Cuz math is hard -.-;
20:30 < kottt> literally anything with a salary >40k would be a dream job right now
20:30 < kottt> (in eastern maine)
20:30 < xssposed> i dont care how much ill be earning, i just want the knowledge and ill be alright
20:31 < djph> "Computer Science" is really focused on the math / architecture / theory from what I remember; and isn't really set up to get you to be *useful* in a corp environments
20:32 < xssposed> i have a bio degree, so i have taken a few math courses and i already know c, python, js, asm
20:33 < kottt> then an undergrad CS degree would be torture but probably at least quite quick
20:33 < kottt> and easy
20:35 < xssposed> lol thats what i was thinking
20:35 < xssposed> it should be a breeze
20:36 < S_SubZero> I dud an online straight Information Technology degree which was stuff that gets ya past A+, Net+, Project+, Security+, a web cert, javascript, python, etc.  I loathed the java class and didn't like databases much but most of the classes were pretty fun
20:36 < kottt> ah....
20:36 < xssposed> i love databases stuff
20:36 < kottt> Certs would probably be a better use of your time?
20:36 < xssposed> not a fan of java though, albeit it is a nice language
20:36 < xssposed> esp for software
20:37 < kottt> again, not a professional, IDK, but i imagine employers would look at somebody with a bio degree and A+, CCNA, etc and at least bring you in for interview
20:37 < xssposed> ive written a signal bot in java which was torture.. definitely a lot of googling
20:38 < xssposed> bio degree was bcos i was aiming for dental
20:38 < djph> java can die in a fire
20:38 < xssposed> not happy with dental
20:38 < Aeso> in the IT world the major doesn't really matter
20:38 < Aeso> even 'IT' programs don't count for much because their cirriculums are antiquated before you even get the degree
20:39 < kottt> at least you can make some great jokes about it tho xssposed
20:39 < xssposed> LOL true
20:39 < kottt> "yeah i got into dental for a bit, but god, it was like pulling teeth"
20:39 < koala_man> I feel like Marie Antoinette with my free degree and entering the job market before the 2008 crash
20:39 < xssposed> xD
20:39 < S_SubZero> Aeso: I was in the python class for three days, promptly started writing a project at work in python, it was so interesting.  ^^
20:40 < kottt> koala_man: let them eat cake Marie antoinette, or head in a basket marie antoinette?
20:40 < koala_man> cake one
20:40 < kottt> ah
20:40 < S_SubZero> my bonus for that was enough to pay for my entire school
20:40 < xssposed> kottt: i initially loved it, but after working for someone bcos i needed x amount of hrs for dental school, i realized it was hell. it explained why dental students and dentists had the highest suicide rate
20:41 < koala_man> nice
20:41 < kottt> aw jeez
20:42 < koala_man> dental schools have their perks though, like stuffing people's mouths full of instruments, asking them questions, and watch them choke trying to answer it
20:42 < kottt> id be real curious to hear what's so bad about it
20:42 < xssposed> presuming the job market is tough in IT? im personally not too concerned. i know how to make money online with my projects
20:42 < kottt> because left to my imagination i assume it's angst over people not flossing
20:42 <+catphish> as per last night's complaining, iscsi is seriously complicated
20:42 < koala_man> "When did you last floss?" "Don't you remember, you were there"
20:43 <+catphish> why must it be so complicated
20:43 < xssposed> she had me work as her unlicensed hygenist, secretary, manager, and role play dentist when she was too busy
20:43 < xssposed> it was stressful
20:44 < xssposed> she taught me everything
20:47 < xssposed> the idea of it was fun.. being able to fix other peoples problems and relieve their pain and knowing you did itf, it was gratifying. but the stress was overhwelming
20:47 < drudge`> Smallville did you uncheck/remove ip4 from the adapter properties and re-add it? you may or may not need the windows cd
20:48 <+catphish> xssposed: sounds like you're a generalist, skills in general hacking, debugging, figuring things out?
20:48 <+catphish> and you have a terrible attitude towards women :(
20:48 < djph> catphish: he does?
20:49 < xssposed> only bcos many dont like me
20:49 < xssposed> and perhaps the indoctrination that i either get a job, or im stuck being someones property the rest of my life
20:49 < xssposed> makes me feel caged
20:50 < S_SubZero> I did contract IT at a college that had a dentistry department, and I was their guinea pig fo rlike practice cleanings and stuff.  It was a gesture by the staff since my employer didn't give me health insurance.  My teeth were -so- clean.
20:50 <+catphish> that's stupid, but on topic, you basically do whatever you feel like, unfortunately that may change frequently, maybe work as a contractor
20:51 < xssposed> LOL yes, most dental schools ask their students (generally their 3rd year) to do practice cleanings
20:52 <+catphish> we all have to get a job to earn money to live
20:52 < xssposed> i know they visit prisons and offer cleanings
20:53 < xssposed> making money isnt difficult. i just want knowledge. this is subjective of of course, but the more i know, the more i can be creative with my work
20:53 < drudge`> knowledge is fun
20:53 <+catphish> well just learn as you go, hack things til you understand them then move on :)
20:53 <+catphish> that's how hackers learn
20:54 < xssposed> ive been doing that
20:54 <+catphish> then you're good
20:54 <+catphish> just make the money (if that's so easy) and learn as you go
20:54 < xssposed> i tried surroudning myself with engineers, hackers and anyone knowledgeable to learn what they know
20:55 <+catphish> that's ideal
20:55 <+catphish> just keep doing what you do
20:55 <+catphish> drift between jobs until you find a team you love working with, and stay there i guess
20:56 <+catphish> what i'm getting at is that one doesn't need to choose a named career path and stick to it, that's the joy of being a hacker, just do whatever is fun, and try to make money with it
20:56 < xssposed> i was making money, just not the way i wanted to if that makes sense
20:57 < xssposed> i was thinking that too catphish
20:57 <+catphish> well it's normal not to get the right job right away, try things, wait til you fit in
20:59 < xssposed> ;-; i guess im scared i wont be able to do it forever
20:59 < xssposed> and when im cornered and left to find a legitimate job, i wont be able to bcos i wont have a degree
20:59 <+catphish> well you can't do it forever, one day you have to retire, and die, or maybe you get sick of it and go work on a farm instead, whatever
21:00 <+catphish> well getting a degree in CS is a good idea, but if you hate it, don't worry, just get a job, get some commercial experience, it counts for a lot
21:01 <+catphish> if you're lucky you get a job with a great team and work your way up
21:01 <+catphish> or you just end up as a contractor, billing by the day, which you can do once you have commercial experience
21:01 <+catphish> many options
21:01 < xssposed> contractor sounds boring >.>
21:02 <+catphish> you prefer to find a team and stick with them?
21:02 < xssposed> if theyre smarter than me
21:02 <+catphish> in any case, if you have no qualifications maybe you have to get an entry level job, or grind at a degree first
21:02 < xssposed> i get bored if i know more than someone and im left teaching them rather than vice versa
21:02 <+catphish> but it doesn't take too long
21:03 <+catphish> well live with it
21:03 <+catphish> the first 3 years of your career you will be treated like an idiot, you just have to live with it
21:03 <+catphish> after that, you get some respect
21:03 <+catphish> but a good employer will let you contribute if you're good
21:04 <+catphish> anyway, just try things, do what you enjoy, take it from there, be willing to accept entry level jobs in an industry you find interesting
21:04 <+catphish> i never went to university, i hate formal education
21:04 <+catphish> i get bored too easily
21:05 < xssposed> yeah, ill just dive into cs then and go from there
21:05 < galileo_>  my friend got a degree in CS
21:06 < xssposed> im debating between: malware analyst, security engineer, systems engineer, or software engineer
21:06 <+catphish> why choose?
21:06 <+catphish> you can do all those things
21:06 < xssposed> can i?
21:06 < xssposed> ah
21:06 < xssposed> i see
21:06 < xssposed> you make a point
21:06 < galileo_> i did all his homework for him so i pretty much have a degree in CS
21:06 < xssposed> LOL galileo
21:07 <+catphish> xssposed: i mean, if your degree makes you choose, then sure, you have to choose for that, but i meant when it comes to work
21:07 <+catphish> you can find a security company and build a role that incorporates all those aspects
21:07 < xssposed> i see what youre saying. if my degree requires choosing, choose. but overall, i can still do it all
21:07 <+catphish> yes
21:08 <+catphish> over time you will find what you enjoy, what i'm saying is that the degree doesn't tie you down
21:08 <+catphish> in fact many people here get a degree in something totally unrelated, like geology :)
21:08 <+catphish> it doesn't matter that much, as long as you have the skills
21:08 < kottt> to, as they say
21:08 < kottt> "pay the bills"
21:09 <+catphish> must learn iscsi
21:09 <+catphish> (me)
21:09 < hagbard> Anyone here ever had to go to London to do datacenter work? Where did you stay? I'm going to the Equinix sites (LD4/LD6) in Slough. I definitely don't want a hotel in Slough.
21:09 < Phil-Work`> can't say I ever look at people's education history when hiring
21:09 < Phil-Work`> experience is worth infinitely more than a bit of paper
21:10 <+catphish> experience is way more important indeed
21:10 <+catphish> though there's no denying having a degree will help in many cases
21:10 < hagbard> I'd say the, "knack." is the most paramount with experience definitely the second most important.
21:10 <+catphish> i have a combination of engineers with degreed in CS, degrees in unrelated things, and no degree :)
21:11 < xssposed> what about starting that first job? i dont mind starting somewhere small and gaining experience, but they'll take me as a joke once i tell them im self taught
21:11 <+catphish> xssposed: not at all
21:11 < Phil-Work`> xssposed, if they do, you're looking at the wrong companies
21:11 <+catphish> any employer who doesn't think self taught is better isn't worth working for imo
21:12 < xssposed> :) i appreciate the advice guys, thank you
21:12 < hagbard> There's, "self-taught," and "bumbled and tripped through getting things to work." The first is admirable and desirable, the second is often a recipe for disaster.
21:12 <+catphish> being self taught usually means your knowledge is more practical, though sometimes people have theory gaps
21:12 <+catphish> the best is both, people who teach themselves, then get a degree :)
21:13 <+catphish> hagbard: the second should be the first step to the first :)
21:13 <+catphish> but not always
21:13 < Phil-Work`> I'm not convinced I learned much in my CS degree
21:13 <+catphish> i don't have one, thought it would be boring
21:13 < Phil-Work`> though I may be tainted by the rediculous sums of money they are taken from my pay each month for the loan
21:14 <+catphish> i put the money towards a house instead
21:14 <+catphish> xssposed: good luck
21:14 < Phil-Work`> my degree was (relatively) cheap as compared to now
21:14 < xssposed> thank you
21:15 < Phil-Work`> something like 95% of new graduates will pay 9% of their salary for 30 years before the loan is written off
21:15 <+catphish> mine wouldn't have been too bad compared to now, indeed
21:15 <+catphish> thats insane
21:16 < Phil-Work`> only that very small percentage will earn enough to ever pay it off
21:16 <+catphish> xssposed: where are you anyway?
21:16 < Maarten> I got a college degree in computer sciences, application management..... what did I learn? Novell Netware. Building databases in dbase III and dbase IV. Token Ring. - when I got my diploma it was 1996.... and within less than 2 years, all before mentioned technologies were so obsolete, it wasn't even funny anymore.
21:16 < xssposed> wdym?
21:16 <+catphish> xssposed: what country?
21:16 < xssposed> america
21:16 <+catphish> unlucky
21:16 < xssposed> unfortunately >.>
21:17 <+catphish> lol
21:17 < xssposed> i have plans to move to the uk someday
21:17 <+catphish> well i know american companies value degrees a lot more than the rest of the world, so i'd definitely suggest persisting with it, but don't worry about the exact subject
21:17 <+catphish> and self-learn at the same time the stuff you really enjoy
21:18 < xssposed> they do, thats why i was quite hesitant
21:18 <+catphish> american companies have a weird thing for that stupid piece of paper i've heard
21:18 < xssposed> yes!
21:18 <+catphish> so maybe get it, but don't stress about it, just do whatever is easy
21:18 < xssposed> lol they really value that piece of paper
21:18 <+catphish> and focus on your own real learning
21:18 < Phil-Work`> Maarten, I didn't have that problem due to the degree being almost 0% practical skills
21:18 <+catphish> you can always try to do contract work on the side
21:18 < Phil-Work`> learned Java to a very (very very) basic level
21:19 < Phil-Work`> beyond that, all theory - little of which is applicable to me these days
21:23 < mawk> what's a TSO packet ? what's an UFO packet ?
21:27 < grawity> a regular packet that goes through TCP Segmentation Offload, and likewise for UDP Fragmentation Offload
21:27 < xssposed> https://en.wikipedia.org/wiki/Large_send_offload
21:27 < mawk> I see
21:28 < Phil-Work`> I was hoping aliens would be involved
21:29 < mawk> so with TSO, the kernel hands the NIC one big TCP packet
21:29 < mawk> around 64k
21:29 < mawk> maximum
21:33 < mawk> so in my tuntap application, if I add the correct flag for send offload, the kernel will hand me big/unchecksummed packets
21:35 < xssposed> you should do it and see what happens :)
22:01 < Smallville> drudge`: i fixed the issue. Driver didn't uninstall fully the first time. I removed the remaining registry keys relating to broadcom, then installed the driver again. now it works perfectly
22:18 < __ddd__> TCP server/proxy question: say I have a server with 100 connected clients. the server will use a file descriptor per connection, yes? Say I use a proxy (stunnel) to allow clients to connect via TLS to a TLS-incapable server. Are there now 2 or even 3 file descriptors used per connection?
22:18 < ||cw> yes?
22:19 <+xand> using stunnel will create additional TCP connections
22:20 < lordvadr_> __ddd__: When you say "TLS-incapable server", do you mean a server-daemon running locally, or an external host?
22:20 < lordvadr_> And, for the most part, each socket is an fd.
22:20 < __ddd__> server-daemon running locally, let's say. let's say it requires usage of tcp over loopback, no unix sockets
22:20 < fly_agaric> hello guys, a configured a vpn policy on our firewall. vpn_group_acc_xy in source and destination one server + the service port 22 tcp. however the vpn user can reach the server port 22 but can also reach every other service on the host + all other host in the network. what did i do wrong?
22:21 < grawity> for both tcp/ip and unix, you have one socket (and therefore one fd) per stream connection
22:21 < grawity> meaning stunnel will use two sockets (and two fds) for every tunnel
22:26 < lordvadr_> __ddd__: stunnel will have one fd for the bound socket, one fd for each connected session, one fd for each outgoing session. The daemon will have an fd for the bound socket, and an additional fd for each connection.
22:26 < lordvadr_> So, 3N + 2 will be the socket count for N connections.
22:31 < __ddd__> thanks grawity lordvadr_ for breaking that down, that was my naive assumption but I wanted to make sure I wasn't oversimplifying things. is there ever a situation where the max allowed files reported by /proc/[pid]/limits aren't true? or can I fully trust that
22:34 <+catphish> __ddd__: yes, stunnel will use 2 sockets per connection (server and client) then the backend will also use one, i believe the limits reported in proc should be correct
22:35 < __ddd__> let's say I exceed 64k clients, does stunnel handle using different ips so as to not run out of ports? the real clients are on different IPs (they are websocket clients), so the 64k port address space limit is not currently a concern
22:37 < lordvadr_> __ddd__: How you bind sockets is one matter (the general answer to your last question is "no"), but the open FD limit is solid.
22:37 < ||cw> __ddd__: how close are you to that?  I'd assume that by the time you get anywhere near that the other server resources will bottleneck and you'll need to scale out anyway
22:38 < lordvadr_> You can increase it, but it starts making little sense. If 64k isn't enough, would 640k be enough? How about 6.4m?
22:38 < djph> I can't forsee a future where people will need more than 640K ...
22:38 < grawity> at this point you might prefer haproxy or nginx, for they're actually optimized for high client counts
22:38 < grawity> I'm not even sure if stunnel would be multithreaded or anything
22:42 < __ddd__> grawity stunnel does support multithreading. I'd ideally like the ability to scale up to 100k - 200k connections before scaling out, and as I understand it this is a reasonable goal for a websocket server.
22:44 < __ddd__> the websocket server does little more than push jobs to beanstalkd tubes and send/receive messages
22:44 < lordvadr_> __ddd__: At those kinds of loads, I'd suggest looking into other proxy solutions just to be sure you're getting what you want out of it. I'm not sure stunnel was designed for that kind of scale.
22:44 <+catphish> __ddd__: if you're looking at running out of tcp ports i'd seriously consider using a different method to proxy, ideally a unix socket
22:45 < lordvadr_> It's not on the application to manage which IP outbound connections come from.
22:46 <+catphish> with a unix socket you wouldn't have that problem, and you can just increase the fd limit as far as you need to
22:46 < __ddd__> catphish that's probably a good idea and not to difficult to switch to unix socket
22:46 < __ddd__> *too
22:46 <+catphish> it's ok, i'm just smarter than everyone else here :)
22:47 < __ddd__> I know, you've set me straight before ;) thanks again!
22:47 < lordvadr_> Don't encourage him.
22:47 <+catphish> lol i'm kidding of course, but good luck and keep asking here if you get stuck :)
22:52 < __ddd__> catphish do you have any experience with stunnel? I like its simplicity, and if possible i'd like to use it to "wrap" my websocket server instance(s) with TLS capabilities, and once I need more instances I would use something like HAProxy to proxy to different _machines_ -- should I avoid stunnel even for the per-machine proxying?
22:52 < mawk> unix sockets can even work without a filesystem
22:52 < mawk> using abstract domain unix sockets
22:53 < mawk> it's like loopback with ports being an arbitrary string
22:54 <+catphish> __ddd__: personally i use haproxy on the loadbalancer, and nginx on the individual hosts
22:55 < __ddd__> mawk yeah I dig unix domain sockets, I'm stuck using a crappy websocket server library because language choice and legacy code, not sure if it supports unix domain sockets well -- checking now
22:55 <+catphish> nginx handles the translation from tcp to unix socket, and you can do ssl on either nginx or on the haproxy
22:55 <+catphish> nginx can also serve out any static content at the same time
22:56 < mawk> __ddd__: if you're lucky it supports it
22:56 < __ddd__> didn't nginx add websocket support only recently? I'm a little worried about connections dropping
22:56 < mawk> you just have to give a path with a leading \0
22:56 < mawk> why would they drop ?
22:56 <+catphish> __ddd__: i've been doing it for years, never had an issue
22:57 < __ddd__> http-geared proxies don't usually expect long-lived connections. depending on user activity, some of these connections could last quite a long time
22:57 <+catphish> __ddd__: if your websocket server doesn't support unix sockets, i'd just forget about using a proxy on the app servers, and just do the ssl on the loadbalancer, assuming your lan is trusted to send cleartext
22:57 <+catphish> __ddd__: modern http proxies are just fine with websockets
22:57 < mawk> keepalive is a thing, __ddd__
22:57 < mawk> they are long-lived connections, perfectly supported by nginx
22:58 < mawk> so I don't see why there should be a problem with websockets
22:58 <+catphish> i run a lot of websockets through both haproxy and nginx, no issues
22:58 < __ddd__> well that's good to hear
22:59 <+catphish> interestingly i've never run out of ephemeral ports on my loadbalancers, never really considered it
22:59 <+catphish> they have a lot of IPs though, probably enough for a million connections
23:00 < mawk> they are aware of the number of available FDs I guess
23:00 < mawk> and they just throttle incoming traffic/raise the limit
23:00 < mawk> maybe
23:01 < tgodar> so... I don't understand how HSTS works or I'm doing something wrong. How can I load repeatedly load a site over HTTP when the response is sending the Strict-Transport-Security header?
23:02 < mawk> did you load https at least once ?
23:02 < djph> you don't, because HSTS is a TLS thing
23:02 <+catphish> a bug once pushed me to a few hundred thousand connections, i started running into FD limits on the backend applications, increased them and it was all good
23:02 <+catphish> tgodar: i think you need to redirect to https first
23:02 < tgodar> mawk: if I load once over HTTPS then yes, forces that.
23:02 < tgodar> catphish: sounds like it.
23:02 <+catphish> tgodar: and send the hsts header over tls
23:03 <+catphish> it's a bit silly, but i think that's how it works
23:04 < tgodar> It just goes against what I understood the advantage to be, avoid that initial HTTP request... but now I think about it more...
23:04 <+catphish> you can't avoid the initial http request :)
23:04 <+catphish> (obviously)
23:04 < tgodar> right :)
23:05 <+catphish> unless you get your hsts preloaded in the browser
23:05 < tds> if you redirect from the bare domain to www (or vice versa), I think it's also recommended to do http://example.com -> https://example.com -> https://www.example.com so you get hsts recorded for both domains
23:05 < tgodar> tds: thanks for pointing that out
23:05 <+catphish> any time you do a redirect it's silly not to redirect to ssl at the same time
23:08 < tgodar> so HSTS doesn't actually have anything to do with a global list right? What was that initiative called? Chrome doing anything on that front?
23:08 < guest09328> How can a PC become a gateway to corporate, if split-tunneling is enabled?
23:09 < tds> tgodar: that would be hsts preloading (which catphish just mentioned :)
23:09 <+catphish> tgodar: yeah you want hsts preloading
23:09 <+catphish> https://hstspreload.org/
23:09 <+catphish> i really should submit all my sites to it
23:10 < tds> if you own a tld you can even submit the entire tld for preloading :P
23:10 < tgodar> I need to read up on some stuff. Thanks!
23:11 < tds> my main issue with preloading is that it requires enabling includeSubDomains, which I don't feel comfortable enabling for my environment
23:11 < tgodar> word. Does low max-age when testing prevent preload submission is what I'm wondering now
23:12 <+catphish> i literally always use ssl, i can pretty much do all my domains
23:13 <+catphish> i dont think i have any webservers any more that would allow a non ssl reqiest
23:14 < tgodar> ok, so they don't add to the preload list automatically, always a manual submission? Man I really had some misunderstandings
23:14 < __ddd__> thanks again catphish mawk etc.
23:15 <+catphish> tgodar: yep :)
23:15 < tds> ah yeah, I have a few embedded devices (eg switches) which don't support SSL, otherwise I would enable it
23:15 < irwiss> tds: much easier now with LE wildcard certs though :)
23:17 < tds> irwiss: hmm, I'd say if you're copying a single wildcard cert to every switch then you're doing it wrong ;)
23:17 < tgodar> surprised the CA's haven't put a hit out on LE yet :) such a racket
23:17 <+catphish> i just access those devices by IP i guess
23:18 < tds> it makes a lot of sense if you terminate all ssl on a single reverse proxy or have dynamic subdomains, but I feel like copying around a single wildcard cert is bad practise when you can easily obtain lots of individual DV certs
23:19 < irwiss> i'm reversing everything http over a single nginx which has the certs
23:19 < tds> catphish: heh, I'm far too lazy to type in full v6 addresses all the time ;)
23:20 <+catphish> good think my management LANs are ipv4, i actually have no idea why
23:20 <+catphish> probably the odd old hardware device didn't support ipv6 and running both seemed silly
23:20 < tgodar> thanks guys, gotta run but plan to sit in here and listen more in the future.
23:21 <+catphish> have fun
23:35 < LFSveteran> not sure what to do.....
23:35 < LFSveteran> Situation:
23:35 < LFSveteran> I have an openvpn server 192.168.10.1
23:36 < LFSveteran> a linux system with tun0 192.168.10.2
23:36 < djph> <enter> is not punctuation.
23:36 < LFSveteran> and the linux system has also a second eth
23:37 < LFSveteran> from another system I want to reach 192.168.10.1 through that system
23:37 <@pppingme> so where is this other "system" ?
23:38 < LFSveteran> same LAN as that routing linux system
23:38 <@pppingme> ok, so you have an openvpn server with two nics?  whats the 2nd nic for?
23:38 < LFSveteran> no not the server, the "router"
23:38 < LFSveteran> the server is WAN side
23:39 <@pppingme> you're description is coming across in too many pieces..
23:39 < LFSveteran> openvpn server somewhere reachable with 192.168.10.1 through the vpn tunnel
23:40 < LFSveteran> the client that has connection has a tun interface with 192.168.10.2 through eth0
23:40 < LFSveteran> the client also has a eth1 with 192.168.0.2
23:41 < Phil-Work> mind. blown.
23:41 < Phil-Work> draw a diagram :S
23:41 < LFSveteran> mom
23:41 < rypper714> Nice
23:41 <@pppingme> I was just getting read to say that
23:41 <@pppingme> I think a picture with how all the pieces are laid out would help
23:42 < rypper714> Yes indeed. Curious myself to see it.
23:42 < LFSveteran> guess so, pictures always say more than 1000 words
23:42 < Phil-Work> and 1000 line breaks
23:42 < LFSveteran> I'm sure it's a quite basic question
23:42 < LFSveteran>  :)
23:42 < rypper714> Lol true
23:42 < LFSveteran> ah found a white board
23:49 < LFSveteran> https://awwapp.com/b/udiysgr5y/
23:53 < ironpill_> hi all, question about certificate authority cert. when I go to my 802.1x wireless network and when I type in my credentials, it ask me if I trust this CA and when I do it downloads a CA and a server certificate. Can a server send CA certificate?
23:55 <@pppingme> still not clear from drawing..  is "router" both connecting to internet and running vpn client?
23:55 < LFSveteran> yes
23:57 <@pppingme> ok, so we have a router that also runs vpn client, now what is the goal, for "pc 192.168.0.3" to be able to access stuff *on* "vpn server" or *behind* "vpn server" ? or what?
23:57 < LFSveteran> the vpn server
23:57 <@pppingme> ok, so "on" vpn server ??
23:58 < LFSveteran> on the vpn server are running some services that are accessable with 192.168.10.1
23:58 < LFSveteran> the vpnserver is not serving as a gateway to other networks
23:59 <@pppingme> ok, but you want pc's behind the client on the router on the left to be able to access just the services on the vpn server, right?
23:59 < LFSveteran> yes
--- Log closed Fri Apr 27 00:00:00 2018