--- Log opened Tue May 08 00:00:12 2018
00:05 <+catphish> that guy really went the extra mile in making that card
00:05 < ^7heo> what card?
00:07 < ^7heo> nevermind, I already regret asking
00:21 <+catphish> lol
00:47 < djph> ^7heo: you know you want one of those cards
00:47 < djph> ... maybe even two
00:47 < djph> they'll go perfect with your thicknet quake II arena
01:13 < batch> hi, can someone tell me some nice tutorial or source to set up a network bridge? i can only find garbage online which are all very different en confusing so i'm really stuck ?
01:14 < tds> batch: what os/distro is this on?
01:14 < batch> trying to use systemd-networkd and archlinux-ARM
01:15 < batch> hope that's not an issue tds..
01:15 < rewt> by bridge, do you mean have multiple network interfaces join their respective networks so as to appear as 1 big network?
01:15 <+catphish> its a less common distro than usual :)
01:15 < tds> ah, I could tell you how to do it with old fashioned ifupdown config, but not with systemd-networkd, sorry :/
01:15 < batch> well rewt let's say i want to create something like this: https://www.glennklockwood.com/sysadmin-howtos/rpi-wifi-island.html
01:15 <+catphish> i can tell you how to do it with debian, or manually, but not with systemd
01:16 < tds> though that does remind me, I need to fix my network-manager bridge config on my desktop...
01:16 < batch> tds well maybe that's a nice beginning though
01:16 <+catphish> making a bridge is trivial to do manually with "brctl"
01:17 < batch> catphish i love to hear about it
01:17 < tds> that page looks like it's just routing between the networks, rather than bridging
01:17 <+catphish> brctl addbr br0; brctl addif br0 eth0; brctl addif br0 eth1
01:17 < rewt> batch, so essentially using a pi to connect multiple wired devices to wifi
01:17 <+catphish> basically make the bridge, add the interfaces, done
01:18 < batch> rewt yeah exactly
01:18 <+catphish> batch: oh, you don't want a bridge at all
01:18 < rewt> a straight bridge may not work in that case -- some wifi APs don't like multiple devices on the same wifi link
01:18 < batch> but i wanna switch between a wireless and a wired profile so i'll be using more upstream interfaces
01:18 < batch> ewh
01:19 <+catphish> rewt: no wifi AP will support this without special wds config afaik
01:19 <+catphish> anyway, you need routing, not bridging
01:19 < rewt> i have heard of some cases where it works, but haven't seen it myself
01:20 < batch> i made the routing work once
01:20 < batch> but then i rebooted and the iptables where gone
01:20 < batch> didn't note them down
01:20 < batch> :'(
01:20 <+catphish> batch: simplest way is with masquerading
01:20 <+catphish> enable ip forwarding, then just apply a masquerading rule to your upstream interfaces
01:21 <+catphish> oh, that's what the guide linked above advocates :)
01:21 < batch> ix.io/17g8 like that?
01:21 <+catphish> although that guide is poorly written
01:21 < batch> i tried this but seems like it's really not enough at all
01:22 < batch> and yeah
01:22 < batch> seems like nobody is using stuff like this in 2018
01:22 < rewt> batch, -o xwan0 for MASQ, and both FORWARDs can be ACCEPT
01:23 < rewt> (without the state stuff)
01:23 < batch> orly
01:23 < batch> hmm
01:23 < tds> or if you're lazy and trust all the interfaces, just don't bother with any forward rules and set the chain to allow ;)
01:23  * batch tries
01:23 < rewt> or that
01:23 < batch> -j ALLOW ?
01:23 < rewt> yes
01:23 < rewt> no
01:23 < rewt> ACCEPT
01:24 < batch> :p
01:24 < tds> ...actually, in their guide they added forward rules but don't have any reject/drop rules
01:24 < tds> lol
01:24 < rewt> iptables -A FORWARD -P ACCEPT
01:24 < rewt> hmm no
01:24 < batch> i like to learn iptables in detail but i feel like that'll really take weeks.. idk lol
01:24 < rewt> iptables -P FORWARD ACCEPT
01:25 < tds> if you're modifying /etc/iptables/rules.v4 (for iptables-persistent on debian, not sure about the arch equivalent), you can just edit the chain definition at the start of the table
01:29 < batch> now also what route do i actually need to add
01:29 < batch> i bet i'm missing too much crucial stuff in my idea
01:30 < rewt> just make sure you have different subnets on each of the pi's interfaces
01:30 < rewt> and have it act as a dhcp server for the wired one
01:30 < batch> i'm having internetconnection 192.168.1.10 as xwan0 and 10.0.0.1 as xlan0 making the new network for the wired devices to it
01:31 < rewt> that works
01:31 < tds> do you have control over the router on the 192.168.1.10 network?
01:31 < batch> yes
01:31 < tds> if you can add a static route on that, it would be much nicer than using NAT :)
01:32 < batch> oh hmm yeah but i want it to be a portable project so i guess that's no usecase here
01:32 < tds> ah yeah, you probably just want to do the iptables nat rules then
01:33 < rewt> also note that this way, the xlan0 devices can only communicate with the wifi router (and beyond), not with any other devices on 192.168.1.*
01:33 < batch> what really? without isolating it?
01:34 < batch> what era are we living in pfff
01:34 < batch> :p
01:34 < tds> an era where everyone deploys ipv4 and nat44 everywhere, rather than proper routed ipv6 ;)
01:35 < rewt> there's no route on the 192.168.1.* devices for the packets to find their way back to 10.0.0.*
01:35 < djph> tds: so, the last 15 years then? :D
01:35 < Terminus> tds: way too many servers still not on ipv4. also, my ISP still hasn't gotten on the ipv6 bandwagon. >_<
01:36 < Terminus> off the top of my head, the only common services that have ipv6 are google, facebook, and netflix.
01:36 <+catphish> i hope generic routers will support ipv6 PD both as client and server
01:37 < Terminus> and i can't use my ipv6 tunnel with google or else it will think i'm in SG which is definitely not correct.
01:37 <+catphish> so thet people can easily spawn child networks without having to mess with routing
01:37 < tds> the software support for PD generally seems pretty bad at the moment
01:37 < batch> PD for PissDrunk?
01:37 < Terminus> catphish: LOL it's a race to the bottom with CPEs here. they've already cut out bridging. ugh.
01:38 < tds> it's a complex one to solve, updating any delegated prefixes to other routers, deprecating the old RAs, updating dns/whatever, dhcpv6, etc
01:38 < batch> ooh prefix delegation
01:39 < rewt> i wonder if android will ever support dhcpv6
01:40 < Terminus> first thing i want to see solved is native RDDNS with win10. i don't really like the idea of using dhcpv6 when router advertisements are good enough.
01:40 < tds> Terminus: oh, is that still not implemented yet?
01:40 < tds> I guess that would explain why dns stopped working in my windows VM
01:41 < Terminus> tds: AFAIK, no. there's a 3rd party RDDNS client for windows though.
01:43 < Terminus> durrr... it's RDNSS. these initialisms always confuse me.
01:44 < Terminus> tds: i may be wrong. i'm seeing conflicting reports about it but as i'm on a mac right now, i can't check. i'll check again when i'm on my desktop.
01:44 < tds> ah yeah, just checked that VM, I had to set a static one :/
01:56 < genewitch> I am ip 10.1.1.1, server is 10.2.2.2, docker on there is 172.17.0.3 . I get on 10.1.1.1 and ssh to 10.2.2.2 -p 22, i want that to go to sshd on 10.2.2.2. anyone else connects to 10.2.2.2 -p22 gets redirected to 172.17.0.3:2222 - existing iptables http://projectftm.com/#r4RCrTIOm9H3Jc1Hob1hkw <-here
01:58 < genewitch> how do i do that?
02:05 < xamithan> Just do a regular forward rule and use the source of 10.1.1.1
02:05 < xamithan> Then do another rule below it the same way but without the source
02:10 < kremator> guys, theorically, which is the maximum bandwidth available trough coaxial cable in it's latest iteration?
02:11 < kremator> obviously, in ideal conditions (a.k.a never in real life)
02:12 < Kyosh> umm
02:12 < Kyosh> 300Mbps?
02:12 < Terminus> tds: just checked here as well. no RDNSS on win10 1803.
02:12 < djph> kremator: "it depends"
02:12 < xamithan> Wouldn't that depend on the type of coax ?
02:13 < djph> type of coax, what you're transmitting over it, encapsulation thereto
02:13 < kremator> Kyosh: what, is coaxial able to pull that?  i though the maximum for it was something along the lines of 10 Mbps
02:13 < djph> I mean, you use coax as antenna leads on PTP microwave, and that can run ~gbit
02:13 < xamithan> This looks pretty good for coax,  10.1Gbps:  https://www.zdnet.com/article/nokia-gets-10gbps-symmetrical-speeds-off-hfc-in-lab-test/
02:13 < kremator> xamithan, djph, that's why i specified in it's latest "iteration" or its newest type of cable
02:14 < djph> kremator: "coaxial" cable is simply a cable with two conductors along the same axis.
02:14 < kremator> djph: oh
02:14 < Terminus> i was about to say that coax as far as i know has always maxxed out at 10 mbps and 802.3 deprecated it back in 2011.
02:15 < Terminus> that's for 10base2 though.
02:15 < xamithan> There is some coax that does over 1Tbps
02:15 < djph> Terminus: that was more an issue of the design of "Ethernet over Thinnet" than anything.
02:15 < kremator> djph: well, idk if you know it, but i was referig to the cable that used to be used to transmit TV signals (aswell as internet in the 90's)
02:15 < xamithan> So it does really depend on a LOT of factors
02:15 < djph> (or was it ethernet over Thicknet ... but meh)
02:15 < kremator> that cable here is called "coaxial cable"
02:15 < Terminus> twinax can do 10 Gbps but that's twinax, not coax.
02:15 < kremator> i think it's called thickwire and thinwire properly but idk
02:15 < djph> kremator: yes, that is "coaxial" cable.  And again, you're asking the wrong question.
02:16 < kremator> djph: care to elaborate please
02:16 < Terminus> even if we're talking coax, the other question is what kind of coax? https://en.wikipedia.org/wiki/Coaxial_cable#Standards
02:16 < djph> kremator: RG6/RG59 is used all over the place.  The throughput depends on the baudrate, and symbolrate
02:17 < djph> I mean, that's like asking "how much throughput does the air have"
02:18 < kremator> ok i go that, then im fucked up because i do not know the type/revision used in rural US
02:18 < kremator> semi-rural*
02:18 < djph> ... anywhere from "11mbps" (802.11b) to 1+ gbps (802.11ac)
02:19 < kremator> welp
02:19 < djph> kremator: what information are you *really* looking for?
02:20 < xamithan> Probably just the docsis 3.1 specs
02:20 < xamithan> Which all rural US cable uses nowadays
02:20 < djph> xamithan: "probably" ... but who knows :)
02:20 < kremator> djph: i was just asking how with some folks in other chnnel, how was possible in rural US to get so fast speeds(5-10 MBps) with 90's coaxial cable platform
02:21 < djph> because 10 MBps is 80 mbit, and well within the spec of docsis 3.0
02:21 < xamithan> 90s coax could do 100mbps easily
02:21 < kremator> djph, xamithan, shit, i didint know, ty for the clarification and the enlightment
02:22 < djph> https://en.wikipedia.org/wiki/DOCSIS
02:22 < djph> really, the only reason that "coax" died off was "cat5e is easier to work with"
02:22 < kremator> djph: "died"
02:23 < kremator> is not like half of the "last mile" platform in US does still use it
02:23 < Terminus> so far all i'm not seeing coax media converters go beyond 100 mbps.
02:23 < djph> died off in ethernet applications
02:24 < kremator> djph: oh ok
02:24 < djph> OFC coax is used in other applications every day
02:24 < kremator> djph: yeah because for outdoor, they do use either fiber optic or twisted pair right?
02:24 < djph> Terminus: "Ethernet" media converters?
02:25 < djph> kremator: depends on what you mean by "for outdoor". Cat5e (and later) UTP/FTP cabling took over in the mainstay of ethernet applications.  Fiber is also a big player.
02:26 < djph> twinax cabling is getting pretty common in between switches in the same rack
02:26 < xamithan> They used RG11 or some thick gauge for outdoor wiring here
02:26 < Terminus> djph: yup.
02:27 < xamithan> I think all inside is RG6
02:28 < wallbroken> hello
02:28 < wallbroken> how "workgroup" name could be usfeul?
02:28 < Terminus> in any case, i doubt i'll ever need to transmit digital signals over coax.
02:28 < wallbroken> some host must be on the same workgroup to communicate?
02:29 < djph> Terminus: because "ethernet".  They never took the signalling past fast-ethernet (although, at least according to the spec, RG5/RG6 should be fairly decent at the ... whatsit 250 MHz carrier rate for cat5e)
02:29 < djph> wallbroken: it's effectively a "light domain" for windows PCs.
02:30 < Terminus> djph: also we skipped over DOCSIS here and went straight to GPON.
02:30 < wallbroken> i just set different workgroup for two hosts
02:30 < wallbroken> but i still can reach each other
02:30 < wallbroken> so, how it is useful?
02:30 < djph> Terminus: yeah, PON is nice
02:30 < djph> wallbroken: they should(tm) be in the same workgroup
02:31 < djph> but different workgroups won't prevent them from working
02:31 < wallbroken> please can you explain better with an example?
02:31 < Terminus> the progression of the majority of internet connections here went dialup -> ADSL -> GPON
02:31 < wallbroken> being in two different groups, each client can reach the different one
02:32 < kremator> Terminus: ADSL is great for countries that are not wastelands, once the country becomes a wastelands, the ADSL cables (twisted pair) it's the first thing to get stolen
02:33 < genewitch> iptables -t nat -A PREROUTING ! -s 15.5.22.14 -i ens3 -p tcp --dport 22 -j DNAT --to 172.17.0.3:2222  <-- this worked i think
02:33 < Terminus> kremator: oh lol. one of the big reasons the telco here is deploying fiber heavily is because they're sick and tired of copper being stolen to the point that poorer areas may get fiber first.
02:33 < djph> wallbroken: the workgroup is "supposed to(tm)" make some things easier / possible (e.g. autodiscovery), but being in different ones won't stop them from communicating
02:33 < genewitch> i mean, i get the correct sshd, and another machine gets the docker sshd
02:34 < djph> Terminus: oh, you're in Detroit? :)
02:35 < wallbroken> djph, what do you mean with autodiscovery?
02:35 < Terminus> djph: no. philippines actually. =P
02:35 < djph> like seeing things in "network"
02:35 < djph> Terminus: close enough.
02:36 < wallbroken> i'm talking about "workgroup", and not "homegroup"
02:36 < djph> Terminus: although 'poorer areas' ... it's all pretty bad over thataway, isn't it?
02:37 < Terminus> of course now it will take time for people to realize that the cables are fiber and they can't be sold like copper.
02:37 < djph> I'd kill someone if they tried stealing my fibre
02:37 < Terminus> djph: there are some isolated areas that are pretty much first-world environment with cost of living to match.
02:37 < wallbroken> djph, the host can discover the other also being on a different workgroup
02:38 < djph> Terminus: dunno about that. Know some people who work in ... errr ... makati city(?) and $10 was still like a stupid amount of money to them (but then again, maybe that's still a comparatively poor area, hell if I know)
02:38 < Terminus> djph: to be fair, the houses in my area cost 500k USD.
02:38 < kremator> Terminus: good to hear that man, at least the poor does have faster connection to the biggest info. and education source
02:38 < kremator> Terminus: is that 500k for a house in US a fuckton or cheap?
02:39 < djph> 25 million pesos, eh?
02:39 < Terminus> djph: depends on where in makati. makati CBD is expensive. like 800 USD/mo gets you a 22 m^2 unit to live in.
02:40 < kremator> Terminus: here some of the thieves that tried to steal a backbone line realised those werent internet cables too late.... after the shock of 5000 AC watts
02:40 < Terminus> restaurants average at 30 USD in makati as well.
02:40 < djph> Terminus: dunno where they live. work with them, and I'd *hope* they didn't live in shitholes
02:40 < kremator> Terminus: where do you live?
02:40 < Terminus> kremator: somewhere in manila.
02:41 < djph> Terminus: but yeah, they were like super crazy like "are you shitting me" when I paypal'd them like $10 or $20
02:41 < kremator> Terminus: oh nice, hwo things are there?
02:41 < Terminus> djph: it really depends on how you live. the thing is, we do have the option of anywhere from a $1 to $100 meal.
02:42 < Terminus> kremator: heavy traffic as always.
02:42 < Terminus> and now i gotta bring my gf to her office. i'm off.
02:43 < kremator> :/ why now? did her car got broken, or is just that now you have an stable couple
02:43 < djph> probably more "they only have the one car"
02:43 < koala_man> haha, upgrading to fiber to prevent copper theft. That's awesome
02:43 < kremator> djph: yeah, i know that, but he says like he wasnt riding her to work before so...
02:44 < kremator> koala_man: we tried to do that, until cable guys and the whole ISP realised that they could sell the fiber optic in colombia so..
02:44 < djph> well, it's just shy of 9AM there
02:50 < lorfds> I have a situation where I have started working at a company where the network was treated like it was in someone's basement...1000ft ethernet cable runs between different spots in the warehouse, $3 switches pasting various things together...it's a mess
02:51 < djph> set it on fire and throw it out the window
02:51 < djph> also, 1k ft runs of copper wouldn't work.
02:51 < lorfds> i'd like to try to start logging what's happening on the network to try and unwind the hairball...any thoughts on the best way to start approaching this
02:52 < djph> honestly, if it's really that bad; don't even try.  Just rip that shit out and start over.
02:52 < lorfds> unfortunately, i have to disassemble the airplane while it's flying
02:52 < lorfds> which means that I can't start from scratch
02:52 < lorfds> but i want to hone in on the key points of disfunction
02:53 < djph> fix your MDF, fix the IDFs, fix the hosts
02:53 < lorfds> for example, i have on area that is covered by wireless, but where we are having constant dropouts...i don't know if it's because of the way the wireless network is setup, or if it's the switching/routing, or if it's channel collissions, etc
02:53 < djph> don't try to "unfuck" what's there - write it off.  Run new (fiber) between the MDF and IDFs, to new switches, etc.
02:54 < lorfds> we're in the process of doing that...but let's just say i want to "unfuck" it...what's the best software to monitor how fucked it currently is
02:54 < djph> you don't have to tear it all down to nothing
02:55 < lorfds> well...with this we might...it's literally chaos
02:56 < djph> software isn't going to fix the physical problems.  It probably won't even help you sort them out (especially with dumb switches)
02:56 < djph> hence the "write it off and just run new backbones"
02:57 < djph> Once your new backbones are in place; work in an IDF at a time, and swap the hosts from the "old network" to the new.
02:58 < djph> fix/map out each IDF as you go
02:58 < djph> last step, walk the building and rip out as much of the now-defunct hardware as you can find.
02:59 < lorfds> what's the price to do a fiber run in a warehouse typically?
03:00 < djph> dunno, but pre-terminated 4-strand is like $100 for 100 meters
03:00 < djph> *pre-terminated OUTDOOR 4-strand
03:00 < lorfds> is this something you can do yourself, or is that a terrible idea?
03:00 < djph> maybe $200
03:01 < cluelessperson> lorfds: yes, use excel
03:01 < cluelessperson> Start at the top, list all the ports, 1-48
03:01 < djph> sure you "can" do fiber yourself, but it's pretty fiddly -- unless you're going to be doing A LOT (like a college campus)
03:01 < cluelessperson> list where each port goes
03:01 < cluelessperson> map out the netowrk
03:01 < cluelessperson> djph: doesn't fiber installation require certification in some places?
03:01 < djph> then it's not really worth the cost to get the kit (so pay the extra and get pre-term ... or hire in someone)
03:02 < djph> cluelessperson: sure, if the *business* wants the install certified ... but since it's "complete fucking nightmare" right now, I think "certified" is the last thing on their minds
03:02 < djph> cluelessperson: or do you mean like an electrician's license?
03:03 < cluelessperson> djph: Some places consider fibre runs to be dangerous
03:03 < djph> cluelessperson: never seen that.  but then again, I don't live in California.
03:03 < cluelessperson> djph: a theater owner I contracted for got certified for like $4000, and ran his own lines underground
03:03 < cluelessperson> djph: I was in Texas also. :P
03:03 < cluelessperson> California hospitals are bullshit too
03:04 < djph> that doesn't sound like it was for the "fiber" itself
03:04 < cluelessperson> djph: probably for installing it underground, not sure
03:04 < djph> probably more the "run it underground"
03:04 < djph> obviously, one would need to look into their local laws.
03:04 < cluelessperson> djph: Yeah.  He was a drive in theater owner.  The booths are little airconditioned sheds 300 meters out
03:05 < djph> here, as long as I'm doing "low voltage", I don't need anything special.
03:06 < djph> beyond city permits for the most part (there are one or two places I don't do biz in, because I'm not taking out $10m in insurance when I barely do $2k worth of work over a year)
03:15 < Criggie> genewitch: Mine was a 64 kbyte Hercules mono 8 bit ISA  with a parallel port too.  It was so expensive, we borrowed it from dad's workmate along with a paper-white screen.
03:34 < Terminus> djph: heh, looks like we're in the same TZ. AU?
03:35 < lorfds> we are running our database in a vm that is also hosting our dns server
03:35 < lorfds> is that a bad idea?
03:35 < Terminus> oh, wait you said "there" meaning here. i thought you were saying it's almost 9AM in your TZ.
03:36 < Terminus> lorfds: yes. what's the point of VMs if you're putting your DB and DNS in a single VM?
03:36 < Terminus> i'd understand if they were related services but DB and DNS are pretty far from each other.
03:36 < Whiskey`> maybe they dont own the bare metal
03:37 < Whiskey`> lorfds: more info required.
03:37 < Terminus> Whiskey`: even if it's on IaaS, they can't spare the $5 for a dedicated DNS instance?
03:39 < Whiskey`> Terminus: well thats what the more info is is about
03:39 < Whiskey`> namely, who set it up, so what made thme decide to do it this way
03:40 < Whiskey`> but also the "another $5" adds up in a hurry
03:40 < koala_man> DNS is a distributed DB, so let's just put all the DB stuff in one vm
03:40 < Whiskey`> ive got something like 70 $5 instances
03:40 < Whiskey`> koala_man: ha! good man
03:41 < Whiskey`> I like that reasoning, sounds VERY much like a CEO
03:43 < Terminus> Whiskey`: i get that they add up but everything in moderation IMO. =)
03:44 < Whiskey`> For sure
03:45 < Terminus> also, if you're to the point where all the costs add up that you can just run your own infrastructure, i'd say just run your own infrastructure.
03:45 < Whiskey`> If only
03:45 < Whiskey`> I still get ddo's over a gb/s in size
03:45 < Whiskey`> so, nope
03:46 < xamithan> Can't get DDoS'd if the traffic never leaves your infra
03:46 < Whiskey`> all my crap is public facing. anything that doesnt need to be, isnt.
03:50 < Terminus> i wonder how many upstreams you can tell to blackhole the DDoS...
03:51 < Whiskey`> not enough to make it worth my time to deal with
03:51 < cluelessperson> koala_man: I'd like to download ALL dns possible
03:51 < cluelessperson> if that's possible
03:52 < Terminus> well your costs don't make it worthwhile to implement your own infrastructure yet then. =)
03:52 < cluelessperson> I want the ability to search through  all example.coms and find what's available
03:52 < cluelessperson> rather than relying on other shithole companies
03:55 < Whiskey`> Terminus: its got the other direction. my time is worth MORE then it takes to manage it
03:55 < Whiskey`> gone*
03:55 < Whiskey`> so it same me time by just farming it out
03:56 < Terminus> cluelessperson: you could start with https://www.iana.org/domains/root/db but what you're trying to do sounds like a lot of work to me.
03:56 < Whiskey`> holy shit i need to stop being up for 30 hours
03:56 < Terminus> Whiskey`: it's all a balance anyway. either do it yourself or pay somebody to do it for you. up to you which one you go with.
03:57 < cluelessperson> Terminus: why would it be a lot of work?
03:57 < Whiskey`> Terminus: yea. i manage the VM's but i let linod handle all the metal
03:57 < Whiskey`> cluelessperson: beucase there the . db is like 20? TB in size
03:57 < Whiskey`> and thats just root, its not even any sub's
03:57 < Terminus> cluelessperson: lots of parsing. you also won't get the records under each domain, just the records for the domain itself.
03:58 < cluelessperson> Terminus: well, my goal is to offer a domain searching service. :)
03:58 < cluelessperson> 20TB isn't a big deal
03:58 < Whiskey`> you want ot do this but came here ot ask?
03:58 < cluelessperson> Whiskey`: kinda want to, but haven't committed
03:58 < cluelessperson> too much money to commit yet
03:59 < Whiskey`> lol
03:59 < Whiskey`> its going to be a lot for sure
03:59 < Terminus> Whiskey`: i go with digital ocean myself. got a lot of stuff there. still cheaper than leasing rackspace from a datacenter and buying all the hardware.
03:59 < Terminus> plus all the manpower costs of running it yourself.
03:59 < Whiskey`> Terminus: yea i cant remember why i didnt use them?
04:00 < Whiskey`> and for sure. wifes work moved from gapps to rackspace nad shits been a mess
04:00 < Terminus> Whiskey`: linode was simply on the market first?
04:00 < Whiskey`> im not allowed to do anything for them cause i am a family member
04:00 < Terminus> Whiskey`: i mean rack space as in an entire rack, not rackspace the company.
04:00 < Whiskey`> Terminus: might be, ive bene with them for ever and a day
04:00 < lorfds> what's the best windows software for monitoring syslog events?
04:00 < Whiskey`> Terminus: yes i know you meant that, it just reminded me of what they did
04:01 < Terminus> Whiskey`: ah...
04:01 < lorfds> i want to run a syslog server on windows
04:01 < Whiskey`> lorfds: a vm runnign linux.... =)
04:01 < tds> hmm, to me 20TB sounds unreasonably large for a zone file, eg for .com
04:01 < Whiskey`> tds: there is a hell of a lot more then just .com
04:01 < Whiskey`> i said .
04:01 < Whiskey`> so .com, org, net, porn, xxx, what all
04:01 < Terminus> plus you need to keep it all updated.
04:02 < Whiskey`> ^
04:02 < tds> well, if you want the zone file for . it's pretty small
04:02 < Whiskey`> one would assume at least weekly but many times/day would be best
04:02 < Terminus> basically what cluelessperson wants to do is run his own whois server with all data cached on his servers.
04:02 < cluelessperson> Whiskey`: Dude, 10-20TB of NVME caching, 100GB of ram, and 50TB of HDD storage is no probabaly
04:02 < cluelessperson> no problem*
04:03 < cluelessperson> that's like $20,000, easy startup for a company
04:03 < Whiskey`> cluelessperson: no thats a pretty simple deal, 10k or so in hardware
04:03 < cluelessperson> Whiskey`: yeah, it can definitely be done
04:03 < Whiskey`> your going to spend more for hosting andracking those boxes
04:03 < cluelessperson> Whiskey`: or I can buy them and host them myself
04:03 < Whiskey`> cause you are not going to get by with just a gige
04:03 < Whiskey`> got 10gig at home?
04:04 < cluelessperson> Whiskey`: 1G, but I think I can get 10G
04:04 < Terminus> lol 10GB at home. that shit needs rack space at equinix, etc.
04:04 < Whiskey`> or some palce damn close
04:04 < cluelessperson> Terminus: 10G is delivered to my apartment
04:04 < cluelessperson> Terminus: might even be a 100G line
04:05 < Whiskey`> that doesnt mean it is availble to you
04:05 < cluelessperson> sure
04:05 < Terminus> cluelessperson: and how many networks can you peer with?
04:05 < cluelessperson> Terminus: dunno
04:05 < Whiskey`> 0, maybe 1
04:05 < tds> sure, but if you want to run a reliable service have you got redundant diverse 10G feeds, multiple power feeds, cooling, etc?
04:05 < Whiskey`> and that isnt even talking site diversity
04:07 < Whiskey`> might as well spin up some aws buckets
04:07 < Whiskey`> and leave them insecured
04:08 < Terminus> cluelessperson: if you really want to give it a go, go download the root zone from verisign using the URL i gave you earlier and start parsing.
04:09 < tds> that's not really any use, you'll need to get zone files from every tld you're interested in finding domains for
04:09 < Terminus> verisign handles .com so go there.
04:10 < Terminus> tds: the link i gave him has all TLDs. he needs to start somewhere.
04:10 < tds> yeah, there's a form somewhere
04:11  * dogbert2 got his synology DS218+ today from the amazon locker :P
04:11 < Terminus> nevermind. apparently http://www.internic.net/domain/root.zone is the entire thing.
04:13 < tds> for .com, this is the form you want: https://www.verisign.com/assets/zonefile_access_request_form.pdf
04:13 < Whiskey`> heh
04:14 < Criggie> dogbert2: you got me all excited - I thought it was an 8 drive SAN
04:14 < Criggie> its a little 2 drive jobbo.
04:14 < dogbert2> yeah...but I don't need more than a RAID-1 unit for home use :P
04:15 < Whiskey`> ....
04:16 < Criggie> dogbert2: heh I like the synology stuff for its "just bloody works" features.
04:16 < Criggie> My parents have one that runs a h264 camera.
04:16 < Terminus> also it's bloody slow for anything other than file sharing. XD
04:16 < Criggie> yeah you wouldn't confuse one with a proper san
04:17 < dogbert2> yeah...that's why I bought it...don't want to fuss and mess with it...just need to pick up 2x6TB or 2x8TB HDD's a week from Friday at Fry's
04:17 < Terminus> mainly my frustration with how much time it takes to process my clicks on its admin panel.
04:17 < dogbert2> which one do you have Terminus
04:17 < Criggie> yeah the webgui is always lethargic
04:17 < Terminus> dogbert2: don't have one. i was configuring it for another guy. can't remember the model.
04:17 < Criggie> The parent's one spent ~4 months analysing their photos.
04:17 < dogbert2> that's something than can improve on :P
04:18 < Terminus> for home use, my desktop is already up all the time. i just need HDDs and i can just share files from it. should save me the cost of a separate NAS.
04:18 < Terminus> i just don't have $1k USD for HDDs right now. haha
04:19 < Criggie> yeah - the nas will use less power than a desktop
04:19 < Terminus> not if desktop is already running all the time.
04:19 < Terminus> also, modern desktops are really power efficient.
04:20 < Criggie> whatever power the desktop uses, the nas will be lower.
04:20 < Terminus> my point is, desktop only is cheaper than desktop + NAS in terms of power for me. =P
04:20 < dogbert2> with everything running, the draw against the UPS is 110 watts
04:20 < Criggie> true - I thought you were replacing.
04:21 < Terminus> besides, i wouldn't buy a damned synology.
04:21 < Criggie> I think the `rents one is 19W operating and about 4W not spinning.
04:22 < dogbert2> probably draw about 2.2-2.5 Kwh a day
04:25 < dogbert2> to run the computer for a month plus all the other gear comes out to about 6-8 bucks a month
04:35 < lorfds> what does "ARP cache poisoning - conflicting SNOOP entry found" mean?
04:41 < Criggie> lorfds: not sure what kit you're using, but multiple different MAC addresses are claiming to own the same IP address.  Could be innocent, like an apple device using one IP on its wired and wireless interfaces, or it could be malicious.
04:42 < CuriousMind> Hi I am back from school
04:52 < lorfds> https://paste.debian.net/1023781/
04:52 < lorfds> how would i debug this?
04:52 < lorfds> or do i have to?
05:00 < dogbert2> LOL...drug testing policies have gone to pot as companies battle for workers
05:01 < tds> lorfds: try and locate the devices using the mac addresses, if they're both set to use the same IP then fix it
05:03 < lorfds> ok thanks...what does this mean: %DATAPLANE-4-DOSATTACK: BAD_PACKET:  Bcast/Mcast ICMP not allowed?
05:04 < purpleunicorn> Can someone help me set up znc bouncer from the source website
05:05 < tds> lorfds: I'm not familiar with whatever is generating that message, but it sounds like something is sending out broadcast traffic and being blocked
05:08 < lorfds> i can remote into the box....how would i figure out where the broadcast traffic is coming from?
05:09 < lorfds> i tried netstat -a
05:09 < lorfds> but not really sure what im looking fo
05:09 < lorfds> r
05:09 < tds> for linux you can just use tcpdump to capture traffic
05:10 < lorfds> one entry has listening on 127.127.127.127:3939
05:11 < lorfds> that seems bizarre
05:11 < moriarty> https://www.csoonline.com/article/3269871/security/bitcoin-network-3-to-10-times-more-evil-than-the-rest-of-the-internet.html
05:12 < tds> lorfds: could be some kind of rdp server (eg xrdp), netstat -p (you may need to run it as root) will tell you what process it is
05:13 < lorfds> tds: i am remoted into that machine...so that makes sense
05:15 < rewt> sounds like you need to stop using that "hack detection kit" or w/e because it's way too paranoid
05:37 < purpleunicorn> can anyone help me get the bouncer on my server
06:07 < whatsupdoc> Hi, can someone explain to me why selective repeat needs an extra bit?
06:12 < Criggie> whatsupdoc: sorry - I've never heard of it.
07:02 < cluelessperson> hm
08:08 < Project86__> I'm setting up a wan pentesting test lab. If I want to use VPN to route the traffic and payloads and whatnot through. Do i use server side, or client side to perform attacks?
08:08 < energizer> my home wifi is terrible, what hardware should i get?
08:10 < Project86__> energizer: a diff isp
08:10 < energizer> Project86__: not available
08:25 < energizer> alright my working theory is that my wifi goes down when im uploading a lot of data
08:26 < energizer> router's fault?
08:26 < detha> your fault - if you hadn't uploaded so much data the wifi would have kept working
08:27 < energizer> good point
08:27 < detha> define 'down'. Other devices are also disconnected?
08:27 < energizer> yeah
08:28 < detha> What make/model is the access point?
08:31 < energizer> detha: TP-Link AC1750 Archer C7
08:32 < energizer> this one https://www.amazon.com/TP-Link-Archer-AC1750-Smart-Router/dp/B00BUSDVBQ
08:33 < masber> good afternoon, my iptables rules are blocking traffic from my local computer 129.94.15.158 to 129.94.72.19:9995, could someone please help me to understand which rule is rejecting it? https://bpaste.net/show/0779f1fb3fb0
08:33 < detha> energizer: no particular experience with that, but 'generic multi-purpose device' by the looks of it. Do you see it rebooting or things like that?
08:34 < detha> masber: iptables -vvnL shows hit counters, see which one is increasing when something is being blocked
08:35 < energizer> detha: nope
08:36 < masber> detha, ok! thanks I found it
08:36 < detha> energizer: do you have anything connected on the ethernet side? try pinging the router (and things internet)  from the ethernet side, then replicate the problem; see if that side also disappears
08:37 < energizer> detha: ok ill give that a shot
08:37 < detha> masber: one of those /26 rules?
08:38 < masber> detha, nop, there are some REJECT rules that didn't show in my previous command. This is the one causing the problem   127  9503 REJECT     tcp  --  eth2   *       0.0.0.0/0            0.0.0.0/0           tcp dpts:1024:65535 reject-with icmp-port-unreachable
08:39 < energizer> detha: are there any routers you'd recommend for home? im not really in the know here
08:45 < detha> energizer: I generally stay away from recommending things, it depends a lot on what you need it for.
08:46 < energizer> detha: fair enough
08:47 < detha> In the 'plastic multi-purpose device', no preference. one step up is mikrotik or ubiquity, after that come things where you 'have to speak to the VAR, and if you need to ask the price you cannot afford it'
08:48 < energizer> are "mesh systems" worth looking at?
08:49 < energizer> eg https://www.amazon.com/dp/B072ZN4PSB
08:50 < detha> 'it depends'. if you have a bunch of people all watching HD video and copying movies over wifi, probably yes. For a one- or two-person household probably no. But those are rule-of-thumb, there are exceptions
08:50 < energizer> ok
08:50 < energizer> thanks
09:14 < regdude> Hi! Can someone name protocols that rely on broadcast MAC address? I can think of DHCP and ARP, but there are a lot more
09:14 <+pppingme> regdude you get mostly out of the IP world'
09:17 <+pppingme> regdude is this ##homework ?
09:17 < regdude> ppingme: no
09:17 < regdude> LANtastic - that is an interesting name
09:29 < AlexeyX> Hi there! Who knows about pureftpd? ChrootEveryone is disabled, but user in chroot (
09:36 < AlexeyX> Is it possible to exclude from chrootEveryOne only one user?
09:53 < regdude> AlexeyX: dont do this, but try adding a soft link to the root in that directory
09:53 < regdude> a very bad fix
10:10 <+xand> AlexeyX: if you want security don't use ftp
10:38 < Atro> Anyone has any clue about palo alto and SFP's?
10:41 < at0m> Atro: "anyone" doesn't usually buy you any help. be more specific.
10:42 < Atro> at0m: nevermind, i had a struggle with Palo Alto's idea of "not supported", due to the vaguenss of its output
10:42 < Atro> but it seems to be working now, so its not needed anymore
11:27 < cluelessperson> Hey guys, I need help against someone bad, and I'd like to use wireshark to try and capture a full HTTPs session including in browser shared keys
11:27 < cluelessperson> I hope to be able to record the stream in entirety as a legal proof
11:27 < shtrb> detha, https://www.theverge.com/circuitbreaker/2018/5/7/17327584/edge-computing-cloud-google-microsoft-apple-amazon you were saying something about FEPs few hours ago ?
11:28 < shtrb> cluelessperson, you need to be also to decrypt it (your browser may support SSLKEY export)
11:29 < shtrb> cluelessperson, check SSLKEYLOGFILE for your system so you could decrypt the data
11:32 < djph> cluelessperson: this session - is it going to be made with keys that you own (i.e. teh destination server is yours)
11:32 < cluelessperson> shtrb: where's SSLKEYLOGFILE ?
11:32 < cluelessperson> djph: sure
11:33 < djph> then install the keys in wireshark (they've got a howto in their wiki).
11:33 < shtrb> cluelessperson, it's env varibale you setup to be able to decrypt SSL/TLS traffic
11:33 < detha> shtrb: interesting, thx. The cycles of centralization/decentralization. This time with a difference, power usage and compute are decentralized, control stays centralized.
11:34 < grawity> how do you define 'compute' as a noun, though
11:34 < shtrb> We only need ISPs give us power on wire to run our equipment
11:34 < grawity> I mean I kinda get it, but it still tickles my parser in the wrong way
11:35 < shtrb> just imagine, if we could get 12V/90V over the phone lines that could power our modems/routers
11:35 < detha> grawity: the word means what management wants it to mean....
11:36 < shtrb> cluelessperson, like here https://jimshaver.net/2015/02/11/decrypting-tls-browser-traffic-with-wireshark-the-easy-way/
11:36 < detha> shtrb: remember the days of POTS? When the CO powered all phones?
11:36 < shtrb> cluelessperson,  just remember to create the file and verify before you start
11:37 < Apachez> shtrb: https://www.youtube.com/watch?v=nm6DO_7px1I
11:37 < Kryczek> shtrb: aren't phone lines 50V?
11:37 < Apachez> 48V
11:37 < Apachez> but its shitty amount of current
11:38 < Apachez> and many phonelines are like kilometers in length
11:38 < Apachez> and are being removed currently
11:38 < Apachez> so nope
11:38 < Apachez> a dead end
11:38 < djph> IIRC, it's 12v standby, 48v for the ringer
11:38 < shtrb> now it's just IP and then a fancy sip client in a box
11:38 < Kryczek> Apachez: apparently 48V is US, others have 50V :P
11:38 < Apachez> I think its 48V around here too
11:38 < Apachez> which is why the stations are DC powered at 48V
11:39 < shtrb> Kryczek, the ring is 90V
11:39 < shtrb> *was
11:39 < djph> and technically, it's -48v; so the copper doesn't corrode
11:39 < grawity> TIL
11:39 < djph> or something like that
11:40 < Kryczek> Apachez: why are phone lines being removed? Don't they need them for DSL?
11:41 < grawity> Kryczek: I think Apachez meant specifically in areas where FTTH has been rolled out already
11:41 < djph> grawity: nah, AT&T is letting the copper rot on the poles if that's the case
11:41 < djph> grawity: I mean, new shiny fiber, but if you don't get the ftth service, the copper's still there
11:45 < shtrb> Shouldn't FTTN give us power ?
11:45 < shtrb> *what comes after the fiber
11:47 < Apachez> Kryczek: not around here
11:47 < Apachez> phonelines costs to maintain over time
11:47 < Apachez> and since the govermnet phonecompany went private owned they dont care about long term stuff
11:48 < Apachez> telia tries to kill all phonelines where possible and replace with broken 3G/4G instead
11:48 < shtrb> 5G is going to change all of that
11:48 < Apachez> doing stuff over the air is shitty when you need latency and reliability
11:48 < Apachez> its a nice redundancy however IF the lines goes poff
11:49 < Apachez> whats shitty with 3g/4g is that as soon as you have a powerfailure the cellnetwork dies within minutes
11:49 < Apachez> and you get cfonnected to some 2G transmitter miles away
11:49 < shtrb> but wireless has it benifits , you really hate all the kids using their phones and plaing games ? just use a jammer or pray for a thunderstorm
11:49 < Apachez> along with the other 100k users
11:49 < shtrb> 2G still exist ?
11:49 < Apachez> so visiting the powercompany status page is like below 1 kbps
11:49 < Apachez> yeah masterstations still uses it
11:50  * shtrb wonder if people would start leaching on the power like they did when lived near power lines in the past
11:50 < Apachez> you mean from the phonestation?
11:51 < Apachez> they had circuits to kill the wire if there was no ongoing call
11:52 < shtrb> Apachez, no , in the past (think 1960s ) if you lived near a power line sometimes they could use some electrical appliance wihtout physically connecting to the tower
11:52 < Apachez> personally I would prefer smaller phonestations with ups power and diesel and then fiber to those
11:52 < Apachez> this way you can still use alarmsystem and eldersystems (whatever they are called in english)
11:52 < Apachez> along with having fiber at the same time to your home for the bulk traffic
11:53 < Apachez> shtrb: yeah utilizing magnetism they produce near ground
11:53 < Apachez> of course the power companies claimed this was perfectly safe
11:53 < shtrb> and I think I seen some "project" that utilized wifi to power some leds
11:53 < Apachez> but went nuts when people drained the lines this way :D
11:54 < shtrb> I wonder if people tried , if your radio is on my property I can use it
11:54 < Apachez> https://www.youtube.com/watch?v=ZyfXvFicp8M
11:54 < Apachez> some nutty ukrainians or wherever they come from
11:54 < Apachez> many good clips on power :)
11:55 < Kryczek> Apachez: ah sorry to hear :/
11:56 < shtrb> wtf ? a Nokia powered form thin air
11:56 < Apachez> https://www.youtube.com/watch?v=hvQ9H9K7XeM
11:56 < Apachez> shtrb: nots not thin air
11:56 < Apachez> you stand in a electrical magnetic field
11:57 < shtrb> I know , but it looks like that if you don't know about it
11:57 < Apachez> the same principal as how your electrical tooth brush charges
11:57 < shtrb> It look like a cool project to show the school kids
11:57 < Apachez> also the power lines needs to be in a bad configuration for this to happen
11:58 < Apachez> you can minimize the magnetic output by arranging the 3 phases in a triangel with a ground in the middle of it
11:58 < Apachez> or have a ground cable to run along with the powerline
11:58 < Apachez> the later is done in cars to minimize magnetic fields
12:05 < Kryczek> Apachez: maybe it still happens in that configuration? I knew the fluorescent tube trick, I thought everyone knew so I guess it's quite common?
12:06 < Kryczek> e.g. https://www.youtube.com/watch?v=J5PKoNYRm9M
12:06 < Apachez> http://hillaryclintonillness.com/ :D  as seen on john oliver...
12:16 < cluelessperson> Hey people
12:16 < cluelessperson> djph: https://jimshaver.net/2015/02/11/decrypting-tls-browser-traffic-with-wireshark-the-easy-way/
12:16 < cluelessperson> djph: that works :D
12:42 < mAniAk-_-> ofc it works
13:33 < djph> goddammit, openssh & openssl-crypto; I hate the both of you
13:35 < djph> ... oh, and rhel, and the qa team
13:35 < bezaban> damn you electrons!
13:38 < djph> nah, I like them
13:38 < bezaban> aaall of them?
13:39 < shtrb> djph, just switch prod and testing systems
13:39 < djph> bezaban: well, at lest the ones whipping around to make this mess all work.
13:39 < djph> shtrb: the funny thing is, then test would work; and prod wouldn't
13:39 < bezaban> they are mostly well trained
13:41 < djph> the BEST part of that is, prod actually uses the crypto libs / GEX modulos we (well, *I*) want it to.
13:46 < djph> also, damn everyone with "engineer" in their title who I've had to hand-hold through "this shit is wrong - it needs to do this other thing"
13:48 < djph> okay, I feel bet... wait, where'd my coffee go?!
13:48 < mast> My coffee has a strange taste today.
13:49 < djph> maybe you need something stronger to get the taste of hooker spit out
13:49 < Apachez> too soon djph
13:49 < Apachez> too soon...
13:50 < shtrb> let them play the floor is lava
13:50 < shtrb> (hope ore not in Hawaii )
13:50 < djph> shtrb: only if we can fly to Hawaii first.
13:50 < mast> And the goddamn creams gone bad
13:51 < Apachez> creams?
13:51 < Apachez> around here that shit isnt allowed to be called cream
13:51 < Apachez> so they named it "white"
13:52 < Apachez> "coffee with white"
13:52 < Apachez> thought first some black live matters looneytics was around
13:52 < mast> But couldn't that be powdered as well?
13:53 < Apachez> sure if its real cream
13:53 < Apachez> but this shit doesnt even come from a cow
13:53 < Apachez> only stuff coming from a cow is allowed to be called cream
13:55 < mast> I've started using 35% cream
13:56 < MrNaz> Does Cisco use their software licensing regime to force people to upgrade their networking equipment ?
13:56 < MrNaz> What happens to  your network equipment when your software license expires?
13:56 < mast> It usually gets sold on eBay
13:56 < dogbert2> hey Apachez
13:57 < Apachez> hi diggybert
13:57 < Apachez> MrNaz: you do the math
13:57 < dogbert2> lot of used network gear out there (perfectly good gear, btw)
13:57 < Apachez> I prefer gear which doesnt need licenses just for updates
13:57 < dogbert2> got my Synology DS218+ NAS yesterday from the amazon locker :P
13:58 < mast> There was a deal on them recently yeah?
13:59 < shtrb> Apachez, do you also call coffee by it's collor ? black /brown/moca/pink etc
14:00 < shtrb> Apachez, and how do feel about almoid milk ?
14:01 < Apachez> shtrb: you mean shitty water you get out of smashing almonds in water?
14:01 < Apachez> well whatever floats your boat
14:01 < Apachez> its still not cream
14:01 < Apachez> and hence not allowed to be called cream
14:01 < mast> HAha
14:02 < zzero1> when the juniper srx220 and when srx320 first came out ?
14:02 < Apachez> arent they eol by now?
14:02 < Apachez> so ehm 2010 or so?
14:03 < shtrb> You can't use expired cisco equopment (post EOL) ?
14:03 < Apachez> sure
14:03 < Apachez> but you dont get updates
14:03 < Apachez> and its a bad thing to use gear filled qwith backdoors
14:03 < Apachez> that went public
14:03 < shtrb> You mean like intel cpu not being updated (five year old ones )
14:04 < Apachez> and whatelse
14:04 < shtrb> it was a nab on intel not fixing a bug in their older cpus
14:04 < shtrb> fuck they should replace the cpus with a fixed one
14:05 < Apachez> funny note, there is a speech about backdoors in early huawei products... these were based on "stolen" code from cisco... not many words out on that the very same backdoors also existed in cisco products...
14:05 < mast> Soon my obnoxious offer on this ibm server will be rejected
14:05 < dogbert2> LOL - listening to "Because I got High"
14:05 < mast> And then I can move forward with my life
14:06 < dogbert2> though there is a lot of decent network gear for labs and stuff on amazon and ebay
14:06 < mast> I bought an ibm x3650 m3 for $38 last month
14:07 < mast> Which will not happen a second time
14:07 < dogbert2> Joseph Stalin: I was gonna feed the people
14:07 < dogbert2> , but then I got high
14:07 < mast> I was going to let them out of the Gulage, but then I got high
14:08 < sliddis> Are there any cons to using 40Mhz wide channels on wifi if I can manage to get them none overlapping in my environment?
14:08 < regdude> there is also a lot of decent networking gear for free... in GNS3
14:08 < djph> sliddis: less energy density than 20 MHz, so range may suffer
14:08 < djph> sliddis: also more open to interference
14:08 < regdude> not all devices support 40MHz properly
14:09 < djph> regdude: ehh, if they're 5 GHz, they'd better
14:09 < dogbert2> hey djph
14:09 < djph> 'sup dogbert2
14:09 < sliddis> Ok this is a macOS/IOS only site with "new macs"... 2015+ atleast.  And yes, both radios are set to 5GHz of course :)
14:10 < dogbert2> ohhh...not much...I don't want to get out of this chair, because I got high <LOL> :)
14:10 < regdude> djph: 5GHz is quite good with 40MHz, but not so good with 2.4GHz
14:10 < sliddis> djph: its a high density setting, so i dont want too much range, since it can cause slow and sticky clients. (i turned up basic rates to fix that)
14:10 < djph> regdude: and he implied "can manage to get them non-overlapping" -- that rules out 2.4 at the gate ;)
14:11 < regdude> I was focusing that as he is installing it in the middle of nowhere
14:11 < djph> er s/implied/stated/
14:11 < sliddis> it is actually in the "middle of nowhere". but again, I am talking 5ghz yeah
14:11 < sliddis> since 99% of todays wifi card drivers will prefer 5ghz most of the time
14:12 < djph> sliddis: Note that it's not a "huge" loss in range (in ideal open air conditions, I think you tend to lose about 25-33% of the range that you'd get at 20MHz)
14:13 < Apachez> for a given tx power
14:13 < sliddis> djph: ok sure. Range won't be the problem here, I belive
14:13 < Apachez> think of the tx power as the area
14:13 < Apachez> if you get twice the width the length will shorten to maintain the same area (tx power)
14:13 < Apachez> or just try
14:13 < Apachez> make sure you limit amount of channel collissions
14:14 < zzero1> Apachez: I think so
14:15 < sliddis> I am more afraid the bandwidth will be a problem to be honest.
14:15 < zzero1> but I wanna know how many years these where sold and supported
14:15 < sliddis> 20Mhz vs 40Mhz
14:16 < zzero1> I wanna know their lifespan in terms of software updates
14:16 < djph> sliddis: huh? why would bandwidth be a problem?
14:17 < sliddis> I mean if I used 20MHz channels
14:17 < djph> sliddis: you'll have 8 (probably) non-overlapping channels
14:18 < djph> at (approx) 150 mbit (802.11n) / 180 mbit (802.11ac) throughput.
14:19 < djph> err s/throughput/PHY
14:19 < djph> or for 40 MHz, approx 300 (n) / 400 (ac) mbit PHY
14:19 < djph> assuming, of course, 2x2 MIMO
14:20 < sliddis> Yeah
14:21 < sliddis> 1Gbps line
14:21 < sliddis> The bottle neck will always be the wifi, but im not sure what the user experience will be going from 40 to 20 mhz channels
14:22 < djph> about double
14:22 < djph> :)
14:23 < sliddis> ;)
14:23 < sliddis> Double happy users sounds good
14:23 < djph> note that it depends on how many clients are on an AP -- I mean, an overloaded AP is still an overloaded AP
14:24 < sliddis> What actually determines the PHY mode?  MCS index and channel width?
14:24 < djph> but as long as the AP isn't overloaded, then yeah, the clients will see APPROXIMATELY that things take about half as long to do.
14:24 < djph> sliddis: yep.
14:24 < sliddis> Some of my users are pushing 40GB data per DAY
14:24 < djph> er, maybe a wire then?
14:25 < sliddis> Theyre using only fucking office365. its amazing
14:26 < djph> not that 40G is "a lot" (I mean, you're talking roughly 1600 seconds of airtime (GB -> MB -> mb = 40 * 8 * 1000 = 32000 / 200 = 1600) ... or just shy of 30 minutes.
14:26 < mast> office365 and visits to websites that rhyme with ornhub?
14:28 < sliddis> djph: well, there are about 30 users on the most saturated AP, and each user ranging from 2 to 40GB data.. still both radios on ap running 5Ghz
14:30 < mawk> 32000/200 is 160
14:31 < mawk> but you meant 320000 I guess
14:31 < sliddis> Anyways, why are so many users having so low RX PHY rate?  Could that be an indication that the AP TX output is too low?
14:39 <+catphish> i'd suggest there's too many reasons to count, but trying different power levels may be a good idea, no harm setting it high if you don't need to worry about overlapping APs, or roaming
14:40 <+catphish> also, one would want to do the usual steps to reduce interference
14:42 <+catphish> "lots of users" rarely equates to fast wifi, but lots of things worth trying
14:42 <+catphish> i'd also worry less about the PHY rates and more about the actual throughput
15:37 < zzero1> Apachez: I figured as much
15:40 < c|oner> is "some routers give ping lower priority" true, or is it just something cranky old network guys say
15:40 < c|oner> I see that repeated all over the internet like it's some empirical truth, which I guess means it's been baked into people's brains by some cert
15:41 < TotallyNotKim> > it's been baked into people's brains by some cert
15:41 < TotallyNotKim> lmao
15:41 < TotallyNotKim> this is gold
15:41 < mAniAk-_-> c|oner: sort of, there's a different between traffic through and to a router (or traffic through a router that forces the routes to create a response)
15:43 < mAniAk-_-> c|oner: traffic to a router, it's control plane, is usually rate limited, not really lower priority but youll have drops, same for traffic through that was dropped that the router sends some icmp response for
15:43 < regdude> wat
15:45 < mAniAk-_-> c|oner: ping through a router can be equal to all other traffic if there's no QoS configured, or it can be rate limited or dropped before other traffic
15:45 < mAniAk-_-> wat wat
15:45 < c|oner> right, I would assume that in most cases for through traffic it wouldn't be given special preference one way or another
15:46 < mAniAk-_-> yep
15:51 < shibumi> anybody using gobgpd here?
15:51 < shibumi> How can I do auto route discovery for VXLAN evpn?
15:59 < drathir> mornin/evenin...
16:04 < cluelessperson> anyone know how to get chrome to stop redirecting http to https
16:04 < cluelessperson> stupid shit
16:04 < cluelessperson> that server isn't evne listening on port 443
16:04 < mAniAk-_-> http://stuff
16:06 <+xand> cluelessperson: it wouldn't do that unless it got a 301 or HSTS header before
16:07 < tds> or if it's on the hsts preload list
16:48 <+catphish> cluelessperson: it will only do that if there's a permanent redirect cached, or HSTS
16:49 <+catphish> cluelessperson: clearing the cache will solve the first, but servers with HSTS MUST listen on HTTPS
16:53 < cluelessperson> catphish: thanks
16:53 < cluelessperson> Question about ipv6
16:53 <+catphish> Answer about ipv6
16:54 < cluelessperson> is it suggested to rotate ipv6 addresses in order to obfuscate hosts?
16:54 <+catphish> for an end user, yes, see privacy extensions
16:54 <+catphish> this is a standard feature of most operating systems now
16:54 < shtrb> after dealing with an ISP for the last few days , do not expect privacy to be implemented correctly
16:55 <+catphish> in this case it's nothing to do with ISPs
16:55 <+catphish> ipv6 clients choose their own address within the network
16:56 < cluelessperson> catphish: sure, but is that publicly available to ping/connect?
16:56 < cluelessperson> catphish: natting is sorta a nifty built in firewall
16:56 < cluelessperson> and I think that concerns people
16:56 <+catphish> cluelessperson: that would be entirely dependent on your firewall
16:57 < cluelessperson> which is nice that it completely seperates their functions.
16:57 <+catphish> if you can implement nat, you can implement a stateful firewall
16:57 < cluelessperson> catphish: I don't like the idea of my servers permanently advertising their MAC address
16:57 < cluelessperson> catphish: I have a firewall. :)
16:58 < cluelessperson> just learning about ipv6
16:58 < cluelessperson> Texas was backwards ass and didn't have ipv6, I'm in Seattle now, with 1G and ipv6 and lots of fun
16:58 <+catphish> cluelessperson: there's no reason you have to use your MAC in your ipv6 address
16:58 < cluelessperson> it seems by default, debian may determine your ipv6 based on mac address
16:59 <+catphish> that's certainly how SLAAC addresses are determined, but i wouldn't normally use those addresses for a server
16:59 < cluelessperson> catphish: what would you use?
16:59 <+catphish> i'd use a static address
16:59 < cluelessperson> what makes a statis ipv6 address?
16:59 < wallbroken> https://www.google.it/maps/@41.2599791,16.4329019,3a,15y,272.54h,134.66t/data=!3m6!1e1!3m4!1sa9oCheX9s-MXYS1nZEGOPQ!2e0!7i13312!8i6656
16:59 <+catphish> cluelessperson: it's the same as ipv4, you just choose it yourself
16:59 < wallbroken> why on this camera is there a laser beam warning symbol?
16:59 < cluelessperson> for the moment, I'm using SLAAC, it's not like my MACs are going to change by themselves.
17:00 <+catphish> so if your ip range is 2a00:1:2:3::/64 then you might choose 2a00:1:2:3::123 as your IP address
17:00 <+catphish> cluelessperson: slaac is fine though, and if you're worrying about your MAC address being known, you need to think about why that's a problem on a server
17:01 <+catphish> hint: it's almost certainly not
17:01 < cluelessperson> wallbroken: hard to tell for sure.   Cameeras use beams for focusing, range finding, might be a speed camera, who knows.
17:01 < shtrb> catphish, and than the ISP share the prefix for all it's clients or read the customer real ip
17:01 < cluelessperson> catphish: I just don't want the public to know it
17:01 <+catphish> shtrb: pardon?
17:01 < wallbroken> cluelessperson, it's a monitoring camera for sure
17:01 <+catphish> cluelessperson: why not though?
17:01 < shtrb> catphish, sent with a huge delay
17:02 < wallbroken> maybe that's for ID car reading?
17:02 <+catphish> cluelessperson: i mean, you're welcome not to use your MAC in your IP, and most people don't for servers, but i can't think of any harm
17:02 < cluelessperson> wallbroken: no
17:02 < wallbroken> cluelessperson, why?
17:02 < cluelessperson> catphish: because the mac is a hardware identifier that doesn't change, but the prefix might
17:02 < cluelessperson> so they can track you/hardware unless you obfuscate it
17:03 < cluelessperson> catphish: or they use it to pinpoint exactly what machine might torrent something
17:03 <+catphish> cluelessperson: but it's a server, its identity is not a secret
17:03 < cluelessperson> catphish: No, but by obfuscating data and making it harder to track THAT PARTICULAR HARDWARE it offers protections.
17:03 < shtrb> There is also the EIR which should include any MAC sold in your area (state), so a MACs are registered on selling date
17:03 <+catphish> cluelessperson: as an end user, you use privacy addresses if you don't want your personal identity to be trackable, but for a server where it has a dns name, it makes no sense to hide it
17:04 < shtrb> but EIR will become obsolete and closed post GDPR laws
17:04 < shtrb> s/EIR/Central Equipment Identity Register/g
17:05 < cluelessperson> wallbroken: It could be an IR laser.
17:05 <+catphish> i'm not aware of any such register, except maybe for cellphones
17:05 < cluelessperson> wallbroken: or maybe just a bright LED
17:05 < wallbroken> cluelessperson, it's a laser, there is th symbol of laser warning
17:05 < cluelessperson> wallbroken: Yeah!  Bright  LED packages often come with those warnings because they're high enough power to do eye damage.
17:05 < shtrb> catphish, It comes from the mobile phone but now even laptops with modems are registered with all their MACs
17:06 < cluelessperson> wallbroken: No no.  It's infrared LEDs for night vision and lighting up license plates in the dark.
17:06 < shtrb> *from the mobile world
17:06 < regdude> wallbroken: isnt that simply nightvision?
17:06 <+catphish> shtrb: i've never seen such a database here
17:06 < drathir> wallbroken: laser focus ?
17:06 <+catphish> shtrb: seems like it would be a nightmare to maintain
17:06 < cluelessperson> wallbroken: Yes, they use the laser symbol as a general "eye damage" symbol
17:07 < shtrb> catphish, It's register once (their form do not have a way to transfer ownership)
17:07 < wallbroken> cluelessperson, "class 1 laser product"
17:07 < wallbroken> means laser
17:08 < wallbroken> not bright light source
17:08 < cluelessperson> wallbroken: They probably use a laser that they can specifically widen to cover an area, but sticking your eye right up to it will do damage.
17:08 < cluelessperson> wallbroken: Infrared lasers are a thing, and act plenty fine as a light source.
17:08 < cluelessperson> Lasers are good to a camera for these things.
17:08 < wallbroken> cluelessperson, there are laser cameras used to track objects
17:08 <+catphish> shtrb: never seen anything like that here anyway, but seems plausible that it would exist in some countries
17:09 < cluelessperson> Aiming, focusing, lighting
17:09 < cluelessperson> wallbroken: Not really.
17:09 < regdude> even those cops use lasers to write you a ticket for speeding
17:09 < cluelessperson> regdude: and lidar. :D
17:10 < cluelessperson> wallbroken: Class 1 means <=5mw.  that's weak, your basic pen laser.
17:10 < wallbroken> cluelessperson: https://www.tradeindia.com/fp1440068/SD-Infrared-Laser-Camera-RC0676.html
17:10 < cluelessperson> probably not enough for lighting then
17:10 <+catphish> shtrb: i wouldn't be allowed to share such information because of data protection laws for a start
17:10 < wallbroken> this is a lasesr camera used to track things
17:11 < cluelessperson> wallbroken: who knows
17:11 < shtrb> catphish, that is why I said with GDPR it will be probably become obsolete
17:11 < cluelessperson> Governments are all sorts of evil
17:11 < wallbroken> cluelessperson, open the link, is written
17:12 < djph> because *everything* on the internet is true
17:14 < wallbroken> cluelessperson, so, you guess that IR laser illuminator is just for that?
17:14 < wallbroken> not to tract objects?
17:14 < wallbroken> *track
17:14 < cluelessperson> wallbroken: that's not the same camera
17:14 < cluelessperson> you linked a rectangular body, the maps link shows a round/cylinder
17:15 < drathir> mostly camera should it explained in spec/manual...
17:15 < cluelessperson> wallbroken: also, why would they waste money for a good lasermapping/tracking camera to point at a bridge?
17:15 < ash_work> why can't I ping anything from my vbox on a 'nat service network' ?
17:15 < cluelessperson> the bridge is like 100 feet away
17:16 < cluelessperson> 200 feet
17:16 <+catphish> wow nice camera
17:17 < wallbroken> cluelessperson, my smartphone detects IR light, so, I'll go there at night checking for the light source
17:17 < cluelessperson> wallbroken: :P  that's a good idea.
17:17 < shtrb> any cam can detect IR light
17:18 < TandyUK> wow i thought the hikvision ptz's we have with 36x optical zoom were good - they can read inch high text off a fence ~800M away
17:18 < djph> unless you put an IR filter on it
17:18 < wallbroken> maybe at police station will tell, "oh, what does that dude is doing?!"
17:18 < shtrb> djph, and that is why we remove it:) but most cams can detect it
17:19 < shtrb> don't use a cam if you are in the UK
17:19 < wallbroken> TandyUK, what do you think about that camera? is it for tracking? or just for illuminatingthe road?
17:19 < TandyUK> our ptz?
17:19 < wallbroken> https://www.google.it/maps/@41.2599791,16.4329019,3a,15y,272.54h,134.66t/data=!3m6!1e1!3m4!1sa9oCheX9s-MXYS1nZEGOPQ!2e0!7i13312!8i6656
17:19 < wallbroken> that on the link
17:19 <+catphish> hikvision cameras seem pretty cool
17:19 < acos> What s a good window size for testing 10g on iperf?
17:19 < acos> Wow you people are 1288 strong
17:20 <+catphish> acos: try the defaults :)
17:20 < cluelessperson> ---  Is there any reason not to setup IPv6 AND IPV4?
17:20 < acos> Default is 63KB
17:20 < drathir> TandyUK: hi, hi ^^
17:20 <+catphish> most people don't need to change window scale settings
17:20 < cluelessperson> I'm under the impression many people may not support one, so it's good to support both
17:21 < acos> Ah cool.  Makes sense.  Just trying to see how fast this point to point 10g setup will go
17:21 <+catphish> cluelessperson: the only reason is effort vs reward
17:21 < cluelessperson> catphish: what do you mean?
17:21 <+catphish> cluelessperson: it's always best to support both, but configuring both is twice as much work
17:21 <+catphish> you have to manage 2 sets of IP ranges, 2 sets of firewall rules, deal with twice as many routing issues
17:22 <+catphish> it's better, but it's doubtless more work
17:22 < cluelessperson> catphish: ah, yeah I've noticed.
17:22 < Dagger> doing v4 is the easiest way to support connectivity to legacy v4 hosts though, so... shrug
17:22 < cluelessperson> catphish: well, example,  my friend only uses ipv6 on his servers.
17:22 < kurahaupo> cluelessperson: when you've run out of 10.0.0.0/8 in your data centre, you might as well give up on v4. Then v6 only makes sense
17:22 < cluelessperson> catphish: My old work only had access to ipv4
17:22 <+catphish> cluelessperson: it's extremely rare only to support ipv6
17:23 < Dagger> I'd argue it's not quite twice as much work, because you can mostly share the design between the two
17:23 < ewew> what about vxlan ?
17:23 < wallbroken> https://www.youtube.com/watch?v=218EEgPDDFM
17:23 < wallbroken> this is for tracking
17:23 < cluelessperson> what is a vxlan?
17:23 < kurahaupo> catphish: what counts as "extremely rare"?
17:23 <+catphish> kurahaupo: "nobody does this"
17:23 < cluelessperson> catphish: what kind of "tracking" ?
17:23 < ewew> https://en.wikipedia.org/wiki/Virtual_Extensible_LAN
17:23 < Dagger> e.g. doing a firewall for both v4 and v6 for me consists of wrapping the firewall rules in "domain (ip ip6) { ... }" which is a small part of the work
17:24 < kurahaupo> catphish: would you like a tour of my work?
17:24 <+catphish> Dagger: what you gain in sharing design, you lose again when you realise how many things don't work out of the box with ipv6 yet :)
17:24 < cluelessperson> catphish: that's neat
17:24 < kurahaupo> catphish: "nobody" is literally wrong
17:24 < Dagger> most stuff works fine :p or is just plain severely broken
17:25 < cluelessperson> ewew: my firewall doesn't support dns, you have to set the ranges yourself
17:25 < wallbroken> ok, somebody in comment clarified that "This is a Dahua SD6AL230F-HNI, and uses optical tracking which has nothing to do with lasers. The laser is for IR illumination and because it's so powerful, I do not recommend using that camera low down, because otherwise the images will end up washed out and overexposed."
17:25 < bezaban> kurahaupo: maybe he only meant it figuratively then
17:25 < cluelessperson> wallbroken: So, when you said tracking, I thought you might mean laser scanning like the xbox kinect
17:25 < cluelessperson> wallbroken: because that's obviously a static mounted camera, it doesn't move
17:26 <+catphish> kurahaupo: you are of course correct, for private services, ipv6 only makes the most sense
17:26 < kurahaupo> catphish: perhaps "nobody with fewer than ten million devices" might be closer to true
17:26 < cluelessperson> wallbroken: Also, people won't waste money on laser tech for motion/computer vision when companies like the one I worked for just write their own computer vision stuff :d
17:26 <+catphish> for public services, we're sadly still slaves to ipv4
17:26 < drathir> wallbroken: dahua have pretty affordable prices ones...
17:26 < wallbroken> cluelessperson, that on the video is cool because it has a blade to wash
17:27 < wallbroken> so that's vandalproof
17:27 < wallbroken> in the city, guys are used to paint cameras and make them out of service
17:28 < kurahaupo> catphish: it's moving. The are ISPs who give out real v6 but only cgNAT v4
17:28 < kurahaupo> Especially mobile
17:28 < cluelessperson> wallbroken: good, fuck the government
17:28 <+catphish> sure, but they're nowehere near dropping that ipv4 :(
17:29 < acos> Thanks catphish, seem to be getting 4.24Gbits/sec. Think that is low for 10g?
17:29 <+catphish> well you'd want to aim for 10Gbps :(
17:30 <+catphish> i couldn't say what to tune first though
17:30 <+catphish> others here may have pointers
17:30 < drathir> https://www.youtube.com/watch?v=adCDQjND70Y
17:30 < acos> It bounces between 3.1 and 5.1 during the test with spikes.
18:16 < digi_> I have two dns A records, say site1.mydomain.com, site2.mydomain.com and a computer running two qemu virtual machine instances. both instances have port 80 and 22 open (so i have two local ip adresses for them). I would like to forward site1.mydomain.com to the first qemu instance, and site2 to the second qemu instance, does anybody know how to do this, or what manual i should read?
18:17 < digi_> ( all things run Debian 9 )
18:19 < drathir> digi_: 1:1 source - destination nat in iptables? but that only guess...
18:20 < subvhome> I have an HP switch that when im the only device connected to it ... i get perfect ping responses.. as soon as another device connects to it, lets say another switch (with all empty ports except the uplink) the switch begins to experience random lag spikes
18:21 < digi_> how would iptables know if site1.mydomain.com or site2.mydomain.com is the source?
18:21 < subvhome> hardware monitor on the switch doesn't show any CPU or Memory spikes.. the switch is new out of the box.
18:23 < digi_> since they both point to the same ip adress.
18:24 < drathir> digi_: it should match ip assigned to domain...
18:25 < drathir> digi_: with the same ip best vhosts in apache...
18:26 < drathir> digi_: but still needed one webserver...
18:27 < drathir> digi_: probably kind of trick with different ports or some proxies probably there needed if two web servers...
18:27 < digi_> like running apache on the host that serve the qemu's? and configure vhost forwarding from there?
18:28 < digi_> ( i could put all sites in one apache vhosts config ) but the thing would be a sandbox for different webservers.
18:29 < drathir> digi_: yep apache in qemu and  all 80/443 traffic to it and vhost will handle domain name requests in theory and serve correct content even if one ip for both...
18:29 < digi_> i thought of using multiple ports, http 8080, 8081, 8082 for each server apart.
18:29 < digi_> aah. i see.
18:29 < digi_> i will figure it out, tnx.
18:30 < drathir> digi_: yep vhost allow separate content to be served eg different websites based on domain...
18:31 < drathir> digi_: its np, You can also wait for better ideas there too...
18:33 < digi_> np?
18:33 < drathir> digi_: also take a look on haproxy, maybe it allow to ilter and sending traffic matching correct domain to different webservers...
18:33 < drathir> digi_: np=no problem ^^
18:33 < digi_> :)
18:34 < digi_> i will take a look at haproxy
18:36 < mawk> np = non polynomial
19:19 < nextloop> what are the pro and cons of blocking ICMP inbound for a normal home/office network?
19:20 < E1ephant> nextloop: http://shouldiblockicmp.com/
19:36 < mawk> E1ephant: if you allow ESTABLISHED and RELATED traffic with conntrack there isn't anything else to allow except echo-request no ?
19:36 < mawk> icmp errors go into RELATED traffic
19:36 < mawk> for a terminal host
19:37 < mawk> + the relevant NDP messages like router advertisement or neighbour solicitation
19:44 < E1ephant> so allow echo request?
19:44 < nextloop> E1ephant: thanks. so I take from that that "time exceeded" and "destination unreachable" messages should be allowed inbound
19:45 < E1ephant>  mawk the point is don't block/break icmp
19:45 < E1ephant> I would, yes.
19:45 < E1ephant> maybe rate-limit
19:45 < mawk> it was a question E1ephant
19:45 < mawk> do icmp errors go into RELATED traffic ?
19:45 < mawk> sorry
19:46 < E1ephant> oh oh, tbh good question, I am not that familiar with conntrack
19:46 < E1ephant> if it's just going on tupel values, like protocol/port
19:46 < E1ephant> then I would think no in lots of cases
19:46 < E1ephant> since TCP traceroute, will still get (look for) ICMP ttl expired back
19:47 < E1ephant> the tuples wont match
19:53 < detha> conntrack attempts to classify ICMP errors for TCP/UDP as 'RELATED'. That said, I consider ICMP the only thing where 'default allow, deny specifics' applies. You don't want things like ICMP redirect from the outside, and I vaguely remember some evil about timestamps.
19:59 < mawk> detha ?
20:00 < mawk> there isn't an infinite number of ICMP types
20:00 < mawk> why not just classifying them all ?
20:01 < E1ephant> mawk: https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml :)
20:01 < mawk> I see
20:01 < mawk> well still 19 types
20:02 < mawk> with enough motivation you classify them all
20:02 < E1ephant> I mean you could, but the important ones are echo reply and ttl expired
20:02 < mawk> yeah
20:03 < E1ephant> dest unreachable is debatable maybe, imho you'll get people to stop scanning quicker with unreachable
20:03 < E1ephant> as opposed to just drop
20:03 < E1ephant> but sure, target dependant
20:04 < mawk> yes that's my opinion too
20:05 < tds> iirc isn't there an rfc on filtering icmpv6 types?
20:05 < mawk> yes tds
20:05 < tds> ah, 4890
20:05 < mawk> https://tools.ietf.org/html/rfc4890
20:05 < Apachez> since icmp is lacking verification you should always throttle icmp if you choose to allow it
20:06 < mawk> that's the one I followed to filter icmpv6 tds
20:06 < mawk> but overall I ended up just allowing echo-request and stuffing the remainder in RELATED traffic
20:06 < mawk> and allowing everything from fe80::/64
20:07 < mawk> but I'll change it, it doesn't seem too great of an idea now that I know that a third of the datacenter is on the fe80::/64 link
20:07 < Apachez> normally you want icmp echo request, echo reply, ttl excceded and source quence
20:07 < Apachez> the others can be dropped happily
20:07 < mawk> what about fragmentation needed ?
20:08 < mawk> source quench is deprecated according to iana
20:08 < mawk> https://tools.ietf.org/html/rfc6633
20:08 < Apachez> not really
20:16 < detha> mawk: I do. On strict machines, it looks something like this: http://paste.debian.net/1023887/
20:17 < mawk> I see
20:19 < zzero1> when was the juniper srx-220 first available for purchase? I wanna know how much time was available for purchase as new
22:06 < ash_work> is it unwise to have only 1 user account for controlling production servers? (ie through a mgmt server)
22:11 < toxync19> [neuro_sys@tox] Sounds like single point of failure
22:13 < drathir> ash_work: not really You can tight security only to allow that server access, but wise is not keep there unsecured keys etc... And You need care about that server and easier maintain with low app on board one than multiple ones...
22:15 < toxync19> [neuro_sys@tox] Ah, for a moment I thought having that user account owned by only a single person (who might die because of bus factor)
22:15 < drathir> ash_work: consider something like cjdns to management access also or separate vpn network...
22:15 < ash_work> toxync19: well, not with multiple mgmt servers and/or backup of the mgmt server (to the point where you could spin up another instance of the ansible container with the same keys and it can ssh in to any prod box)
22:15 < ash_work> drathir: I didn't understand your sentence too well
22:16 < drathir> ash_work: separate access disallow enter from clearnet directly...\
22:16 < ash_work> toxync19: but yeah, that is a concern
22:29 < ash_work> toxync19: I'm open to suggestions
22:37 <+catphish> morning
22:38 < ash_work> <3 catphish
22:38  * tds waves
22:39  * catphish just got back from a drinks party with his ISP, good times :)
22:39 < tds> is this the little local one you were trying to get a upload plans sorted with?
22:39 <+catphish> yeah
22:39 < tds> nice :)
22:40 <+catphish> the gist of the upload speed issue is that they don't want to lose sales of traditional leased line products by overspecing their home-priced products
22:41 <+catphish> which while annoying, makes perfect sense
22:41 < tds> ah yeah, I guess that makes sense
22:42 < tds> I guess at some point the differentiating factor might be all the residential lines behind cgnat, and only the business ones get proper public v4 :/
22:42 <+catphish> well the real factor is the SLA, business lines have a couple of hours SLA, home lines are like 3 days
22:43 <+catphish> but i can see why they want to discourage business users thinking they don't need to pay for the SLA, then whining when it's down
22:43 <+catphish> i'm just a weird middle ground of power user who wants all the spec but really don't need the SLA/support
22:44 < tds> yeah, I'm sure there are various other people in similar situations
22:44 <+catphish> but yeah, it's purely an attempt not to canibalise business sales, which seems reasonable to me
22:45 < tds> I was wondering the other day if there are any ISPs that'll do v6 + bgp sessions on residential lines, but that seems unlikely
22:47 <+catphish> i imagine the same thing applies
22:48 <+catphish> small ISPs *can* but they probably want users with special requirements to pay leased line prices
22:53 < tds> yeah :/
--- Log closed Wed May 09 00:00:13 2018