--- Log opened Tue Jun 19 00:00:04 2018
01:27 < Goop> Does anyone own/maintain/develop a website that has decent amount of activity from users?
01:28 < TandyUK> Goop: i expect lots of people
01:29 < Goop> The reason I ask, is I want to start a web/mail hosting business and wanted to see if anyone is willing to let me host their website for them (for free/reduced price), so I can work out the "bugs" before selling to others.
01:30 < TandyUK> just use ab
01:30 < Goop> ab?
01:30 < TandyUK> i certainly wouldnt put anything near a test server lol
01:31 < light> apache benchmark
01:31 < TandyUK> google it, apache benchmark or something 'ab' is the program name
01:31 < Goop> There's a little more to it than I would think an Apache benchmark could accomplish
01:31 < light> the margins are slim on such businesses
01:36 <+catphish> Goop: i can't imagine anyone with substantial traffic is going to go for that offer :(
01:38 <+catphish> just make some test sites, and test them i guess
01:44 < Goop> Actually, I'm not looking for substantial staffic. I'm looking for about 20-1000 users per hour
01:49 < kwork> Goop: and exactly why ab wouldnot work for that ?
01:54 < thecha> can I set up my ubuntu server the same way as i did with this lamp server on my raspberry pi?
01:57 < compdoc> dont know. Id be surprized if all the packages will install and run
01:57 < kwork> kind of depends on what he was running on pi aswell
01:57 < thecha> can i set the whole remote thing up the same way too?
01:57 < thecha> kwork lamp server
01:58 < kwork> thecha: that says not much about the distro used on pi
01:58 < thecha> raspbian
01:58 < thecha> it is sort of a dumbed down debian
01:58 < thecha> i thought maybe since ubuntu is based on debian...
01:59 < kwork> but why use ubuntu on the serer :P?
01:59 < kwork> if you could use debian what is more similar to rasbian ?
01:59 < thecha> yesterday... in this channel... people insisted i use ubuntu or centos
02:00 < kwork> different people have different preferences
02:00 < thecha> well i also run trisquel as my main desktp pc and
02:00 < kwork> will you start drinking my favourite beer aswell :P?
02:00 < thecha> yeah so it is the same either way right?
02:00 < kwork> are all the beers the same ?
02:00 < thecha> which is it?
02:00 < thecha> i am not big on alcohol...:)
02:01 < kwork> are all the juices the same :P?
02:01 < Goop> kwork, because I have a custom storage setup that I am concerned that it may or may not work. Pinging a server doesn't really challenge the database, mailing, etc..
02:01 < kwork> Goop: ab isnt actualy pinging a server
02:03 < thecha> kwork they are nto the same, but they are so similar that when you get an unknown juice nothing that you get will come as a surprise
02:03 < thecha> i mean they are all sweet, liquid and fruity
02:04 < kwork> thecha: as of you need to first taste them to know which one you like the same goes for distros
02:07 < thecha> fair enough
02:07 < kwork> thecha: i would say run debian but thats just my cup of tea
02:08 < kwork> everyone has their own
02:08 < kwork> most likely rasbian is most similar to pure debian :)
02:13 < thecha> what do you run on your own server?
02:14 < tds> debian on all the things :)
02:15 < thecha> sweet
02:15 < tds> but again, there are plenty of options, it's worth trying various and seeing what you like
02:15 < thecha> if you stay in the headless mode it looks the same anyways
02:17 < thecha> Ivmk3wew!
02:17 < thecha> whoops just typed my keyphrase in chat...
02:20 < TandyUK> and just told everyone
02:20 < TandyUK> happy changing :)
02:21 < tds> don't worry, it's not like there are 1271 people in here ;)
02:35 < xdroop> All I saw was *********
02:40 < kwork> thecha: i would vote for debian aswell, but everyone has their own
02:48 < luxio> could someone else on the same network downloading a large file affect the internet speed on my device as much as if i was downloading it on my own device?
02:48 < Spice_Boy> of course
02:49 < Spice_Boy> if it goes through the same Internet pipe
02:49 < luxio> wifi
02:50 < S_SubZero> the internet pipe is the one that goes from your residence to the interwebz.
02:59 < nuun> greetings. So far all the documents I have read state captive portals only block access to internet. To engage LAN control it will require NAC and 802.1x authentication according to reads. Could captive portal do for entry to LAN what it does for internet access?
03:06 <+pppingme> nuun there's a big assumption with that statement
03:07 <+pppingme> in other words, while technically accurate, not really true
03:09 < Spice_Boy> nuun: it could yes, if done right
03:09 < Spice_Boy> internet is just a network too
03:33 < melissa666> thecha, re: your now-public keyphrase, when resetting you might want to consider this ;) --> https://xkcd.com/936/
03:35 < melissa666> nuun, what you are suggesting is possible and trivial to implement from a technical perspective, however the reason it's not generally done is that (a) the Internet is where most of the threat lies with repressive states, due to exchange of ideas from outside their censorship bubble and (b) it would be extremely expensive to implement on all LANs (you're talking 100s of thousands to millions of networks) whereas
03:35 < melissa666> implementing censorship in a handful of large ISPs is trivial
03:37 < melissa666> However, one method that would make it possible is to place the burden of implementation on network administrators, and have extremely stiff penalties if individuals/organizations are caught not implementing state censorship/access-control protocols ... but it still wouldn't be as effective as working with cooperative ISPs
03:45 < pekster> Crypto passphrase security? Also relevant: https://www.xkcd.com/538/
04:21 < yates_home> for years i've had my home network configured where i've disable the dhcp server on my router and instaed run the isc dhcpd on my main linux machine on the internal network
04:21 < yates_home> and i've used the same dhcpd.conf file
04:21 < yates_home> but now this: https://paste.fedoraproject.org/paste/b9toPp8Xsr3k-g969jrqX
04:22 < yates_home> https://paste.fedoraproject.org/paste/b9toPp8Xsr3k-g969jrqXg
04:23 < yates_home> why the "Remove host declaration..." ?
04:23 < yates_home> i've got that ip address mapped uniquely by mac address
04:23 < yates_home> https://paste.fedoraproject.org/paste/FhZe12gvDsqdEaGtBPxvlQ
04:24 < yates_home> don't know if it's related, but i also got a new laptop today running win10 and have been connecting it to the network.
04:25 < yates_home> any thoughts?
04:25 < dnanib> 192.168.1.0/24 - this your entire subnet? A good practice is to keep DHCP pool separate and static assignments (even via DHCP) separate within the subnet
04:26 < yates_home> how is that done via the dhcpd.conf?
04:26 < dnanib> I do: 192.168.2.0/24 as entire subnet, 192.168.2.64/26 as DHCP pool and assign statics from 192.168.2.0-63.
04:27 < dnanib> Sorry, I do it with dnsmasq. Don't recall the exact incantation for ISC DHCP
04:27 < yates_home> ok, well thanks dnanib.
04:27 < yates_home> but this has been working for years... ?
04:28 < dnanib> That's what the log is saying. "Remove host declaration freeda-wireless or remove 192.168.1.121
04:28 < dnanib>  from the dynamic address pool for 192.168.1.0/24"
04:28 < yates_home> i really don't see why separating them is necessary. if an address is leased, it's not available. why the problem?
04:28 < dnanib> Maybe you should post the full config file?
04:29 < yates_home> leased whether via a fixed ip or from a pool, that is
04:29 < yates_home> sure , hang on
04:29 < yates_home> https://paste.fedoraproject.org/paste/dw7LGuRKTCtivz1qmihQRw
04:29 < dnanib> Usually a software design decision. It needs complete autonomy in assigning any IP in the pool to any mac requesting one. This sort of thing interferes with that (often optimized) algorithm.
04:30 < yates_home> so just change the "range" in the "subnet"spec?
04:31 < dnanib> Your static assignments are all in 192.168.1.101-155. So change the range to start from 192.168.1.156 or something
04:31 < yates_home> 192.168.1. ...
04:31 < yates_home> right
04:31 < dnanib>   range 192.168.1.156 192.168.1.255;
04:32 < yates_home> also, while i got you on the phone ( :) ), any idea why my windows 10 laptop would be getting hosed wifi connections?
04:32 < yates_home> it connects, but it can't dns lookup, it seems.
04:33 < yates_home> i know, could be 1000 things..
04:34 < yates_home> sometimes it can't lookup, sometimes it can.
04:34 < yates_home> dnanib: thanks, change the range did the trick.
05:37 < myxenovia> hi
05:38 < myxenovia> im learning sound for voip
05:39 < myxenovia> i dont understand why does mono and stereo matter in a record
05:39 < myxenovia> i mean there will only be one source of sound
05:39 < myxenovia> the outside of the device
06:01 < nuun> melissa666: it is a college campus LAN. We are reducing network load by imposing restrictions on the number of devices and removing full automation of network joins.
06:03 < nuun> pppingme: the assumption being that the internet is generally represented by 0.0.0.0 in most routes and code 200 means unhindered access?
06:58 < melissa666> nuun, I'm curious what kind of load you're trying to reduce by imposing restrictions on # of devices? When you say "removing full automation of network joins" are you referring to DHCP? Are you saying you'd like something akin to captive portal, where users have to authenticate to access the LAN?
07:05 < melissa666> nuun, If so, you might want to check out RADIUS --> https://freeradius.org
07:05 < melissa666> (apologies if I'm misunderstanding what you're trying to do)
07:15 < ShapeShifter499> hi
07:20 < melissa666> ShapeShifter499, greetings
07:21 < ShapeShifter499> I'm wondering if there is a bottleneck somewhere or if it's just my crappy router
07:21 < ShapeShifter499> I thought I had Gigabit speeds but I'm not seeing that
07:21 < ShapeShifter499> 30-ish or less Mb/s
07:21 <+pppingme> between devices on your lan, or to internet?
07:22 < ShapeShifter499> this is my router https://wiki.openwrt.org/toh/wd/
07:22 < ShapeShifter499> between my LAN devices
07:29 <+pppingme> ShapeShifter499 how are you testing the speed?  how did you derive the 30'ish number?
07:30 < ShapeShifter499> pppingme: it's just a file transfer using scp
07:30 < ShapeShifter499> sometimes also with Nextcloud
07:30 <+pppingme> then your bottleneck probably isn't related to network
07:31 <+pppingme> you're either maxing out a cpu core, or you're at the limit of your hard drive
07:34 <+pppingme> run iperf between the two workstations
07:34 < ShapeShifter499> pppingme: I figured. So if I had better hardware on either end, do you think that the router I linked too would be any issue?
07:34 < ShapeShifter499> *to
07:42 < melissa666> ShapeShifter499, no, at least not an issue that would limit you to 30Mbps ... the problem is elsewhere
07:45 < melissa666> I notice that you linked to openwrt btw. are you running openwrt on the router, and if so are you running scp from the router itself? if so that's probably your issue. routers are usually rather CPU/RAM constrained
07:48  * dnanib feels left out :-(
07:54 < ShapeShifter499> melissa666: no I'm fairly certain the bottleneck is at the other end.  I have a Raspberry Pi but I recently got a Rock64 with 4GB of ram. I read some reports where people got high network throughput on the Rock64
07:57 < ShapeShifter499> melissa666: yes I run OpenWRT I just wanted to make sure my router wasn't the culprit
07:58 < liveuser33> shapeshifter499 why you run openwrt?
07:59 < liveuser33> how you speaking latin?
07:59 < liveuser33> quasi qam
07:59 < ShapeShifter499> liveuser33: security, up to date software.  The router is a WD My Net n750 and Western Digital discontinued support
07:59 < ShapeShifter499> hmm
07:59 < ShapeShifter499> troll?
08:00 < ShapeShifter499> melissa666: pppingme thanks for the help
08:00 < liveuser33> yeah western digital is pickey
08:01 < liveuser33> why running a wd router?
08:01 < ShapeShifter499> I got three WD routers on fire sale
08:01 < ShapeShifter499> seemed like a decent deal for a router that was dual band 2.4Ghz/5Ghz
08:02 < ShapeShifter499> I think it was less than $20, maybe $15?
08:02 < liveuser33> yeah the software is important though
08:02 < liveuser33> routing is trickey
08:03 < liveuser33> if they put junk software n it , then it us next to nothing, worthless
08:03 < liveuser33> wifi can be used for point to pont jumps
08:03 < liveuser33> aside from that wifi is a mess
08:04 < liveuser33> lookng for a 5ghz client chip
08:04 < liveuser33> they sll havr differwbt firmwarr
08:05 < liveuser33> maybr not work even if hardware claims capable
08:05 < nojeffrey> Amy companies make cat5/6 patch cables in like 10cm increments? say 40cm, 50cm, 60cm, etc?
08:09 < liveuser33> if both chips are the same it is reliable for ptp
08:09 < liveuser33> other than that mayne maybe not
08:11 < liveuser33> shapeshifter499 do you miss when I ran the internet?
08:12 < liveuser33> apparently somebody took it over
08:14 < liveuser33> shapeshifter499 explainsimply one thing which changed for the worse
08:14 < liveuser33> something was going right, then some clown jumps in and screws it up
08:27 <+pppingme> nojeffrey they can probably be orcdered..  why do you want such short cables?
08:47 < nojeffrey> +pppingme trying to clean up some server rooms
08:47 < yasoob__> Hi everyone! I am trying to create probe requests using scapy on Ubuntu 16.04
08:48 < fiet> nojeffrey: Isn't it easier to make those cables yourself?
08:48 < yasoob__> This is the code I am trying to use: https://paste.debian.net/1029848/
08:48 < nojeffrey> Thats a lot of cables
08:48 < yasoob__> The problem is that its not returning any response and no probe request is captured by the sniffer I have running on a different machine. Can someone kindly guide me a bit? I have been trying to get this working for far too long now  with no apparent success
08:49 < liveuser33> hi Jeffrey
08:49 < nojeffrey> I watched this: https://www.youtube.com/watch?v=amdfzcqaTIQ&t=1s
08:49 < nojeffrey> half way through he says it's not worth his time to make his own cables and he does this for a living
08:50 < nojeffrey> liveuser33 hi
08:50 < fiet> Right. Indeed only useful when it's a handful.
08:50 < nojeffrey> I have about 5 patch panels in about 10U of rack, and thought if I could buy 20 x 40cm, 20 x 50cm, etc I could get decent cable management
08:51 < TandyUK> just make them up yourself
08:51 < TandyUK> thats what the cable management columns down the 2 sides of the rack are for ;)
08:51 < TandyUK> assuming your have proper racks and not baby racks
08:52 < TandyUK> "comms rack" vs "equipment rack" in Excel speak
08:52 < TandyUK> comms racks have a 100mm channel down each side for cable management
08:53 < nojeffrey> 3 server rooms, avg 80 cables, I;m not making 240 cables
08:53 < spaces> morning non sexy admins :P
08:54 < nojeffrey> I don't want perfect like /r/cableporn, just pretty good
08:54 < TandyUK> afaik most places you'll only get premade cables in .5m increments
08:54 < nojeffrey> closest I've found: https://www.fs.com/c/cat5e-patch-cables-593
08:54 < nojeffrey> 6". 12", 24". etc
08:54 < TandyUK> nojeffrey: then just give up lol, if youre not aiming for cableporn standards, youre not doing it right imho
08:54 < yasoob__> Can anyone please help me with my wireless probe requests problem? :)
08:56 < fiet> I've never seen cables for sale in 10cm increments. Would be nice though, but I can imagine it would not be profitable enough to keep all those lengths in stock.
08:58 < fiet> yasoob__: Is this the actual config you use? I have no experience with scapy but I can imagine you have to use actual mac addresses
08:59 < yasoob__> fiet: addr1 and addr3 are broadcast addresses because I am broadcasting the probe request and not targeting it to a specific AP
08:59 < nojeffrey> TandyUK I cant even get to a switch I need in one room, its a giant mess, to do cableporn standards I need to replace the patch panels
09:00 < fiet> yasoob__: Like I said, I have no experience with scapy. Have you put your interface into monitoring mode? (For radiotap)
09:00 < nojeffrey> fiet I see, thanks
09:01 < yasoob__> fiet: I have tried it both ways. But I was unsure as to whether I need to put it in monitoring mode even for probe requests. I thought it is only requiring when you are sniffing. Are you sure its required to have the card in monitoring mode even for probe requests? Sorry my knowledge is rusty
09:03 < fiet> yasoob__: I'm not sure how scapy works and what the source address would be, but it would make sense that it will be the hwaddress of the box itself as source and destination broadcast. So anythng responding will be responding to the source and monitoring would not be necessary.
09:04 < yasoob__> fiet: Yup I have the mac of the source box as the source mac in scapy
09:04 < yasoob__> I updated that in my code
09:04 < yasoob__> only the broadcast and the AP (addr3) are broadcast
09:04 < nojeffrey> yasoob__ scapy is also a command line tool
09:05 < nuun> melissa666, thanks. Was looking at a combination of which RADIUS would be a dependency. Would be using 802.1x and NAC. But management said to research captive portal as an option before moving to unfamiliar territory of 802.1x and NAC.
09:05 < nojeffrey> try do what you need directly in scapy first, then branch out to python
09:05 < fiet> yasoob__: What you could do is run a tcpdump/wireshark session next to it in monitoringmode and see if there is any response and your box is missing it for some reason (iptables?), or that it is not responding at all.
09:06 < yasoob__> fiet: Thanks. I guess I should try that next
09:06 < yasoob__> nojeffrey: thanks but I already tried that and considering that my code is only 4-5 lines it should not make much of a difference
09:07 < yasoob__> fiet: I think there is no iptables issue because when I issue a probe request using the network manager on ubuntu, the probe request is logged by my sniffer running on a diff machine
09:09 < fiet> yasoob__: I've made the mistake to properly check iptables way to much. Best is to disable iptables during testing to make sure. Only when you're in an environment where hat is safe to do of course.
09:09 < fiet> *that
09:11 < yasoob__> fiet: Ok best. I will take a look into that. Thanks
09:16 < discipulus> I'm running archlinux with i3wm on a desktop computer with a wired connection and I have a few issues.
09:16 < discipulus> I'm fairly sure I myself is the architect of my problems, but never the less, I can't figure out how to solve them.
09:17 < discipulus> When I installed the system I enabled dhcpcd to get internet connection. So far everything worked just fine.
09:17 < discipulus> After this I set up openvpn and NetworkManager (because I thought I needed NetworkManager to get openvpn to work).
09:17 < discipulus> From this point, every time I boot the computer it takes a few seconds for me to get a connection. After I'm logged in to the desktop I have to wait 5-10 seconds and then reload i3 to get everything to work properly.
09:18 < discipulus> I know I should not run both dhcpcd and NetworkManager at the same time, but if I disable NetworkManager it takes even longer to get a connection. The same thing happens when I try to disable dhcpcd.
09:18 < discipulus> I don't know if it's NetworkManager, dhcpcd or openvpn that is causing this issue.
09:18 < discipulus> I haven't edited any config files for either NetworkManager or dhcpcd. I've just enabled them.
09:21 < discipulus> Oh, and it seems I'm connect both to ethernet AND wifi at the same time.
09:21 < discipulus> I don't know how that is possible, but I'm sending and recieving packets on both.
09:23 <+pppingme> nojeffrey minimum cable length is 1 meter..  anything shorter causes issues
09:36 < nojeffrey> +pppingme like bandwidth or connectivity issues?
09:36 < nojeffrey> that vid I linked above, he used 6" cables and he sounds like he does this for a living
09:44 < system16> Hi. my isp now provides VDSL services and i have ADSL2+ . should i change my plan to VDSL ?
09:48 < Roq> system16: VDSL usually offers higher throughput. If the price is the same and you get more speed then yeah
09:48 < Roq> Make sure your router supports vdsl
09:48 < system16> so more upload speeds ? what about download ?\
09:49 < Roq> More download speed aswell usually, at least in my country
09:49 < Roq> Just compare the plans on your provider's site?
09:50 < system16> i will. thanks
09:50 < liveuser33> system16 what dsl service have you?
09:50 < liveuser33> what provider?
09:51 < Roq> There is a vectored VDSL2 standard that can go up to 100/30
09:51 < liveuser33> juno sells and att sells
09:51 < Roq> ADSL2 is around 20/1?
09:51 < system16> liveuser33, what do you mean ?
09:51 < liveuser33> brand
09:51 < liveuser33> what brand
09:52 < system16> i have 16 Mbps download speed and 1 Mbps upload speed. (700 GB per month)
09:52 < system16> TCT
09:52 < system16> ^^
09:52 < Atro> lol
09:52 < Roq> Well then VDSL will probably increase your speed :p
09:53 < system16> i dont wanna decrease my download speed tho.
09:53 < Roq> It won't. it will increase your download and upload
09:54 < liveuser33> now seems att has brand
09:54 < liveuser33> the human hosts are damaged
09:54 < system16> thanks. now i have a reason to change this pos modem router combo :)
09:54 < liveuser33> what happened
09:55 < Roq> system16: Your speed is now 16/1 (16mbit download, 1mbit upload. VDSL will have speeds like 50/5 or even 100/30
09:55 < liveuser33> what does this to humans
09:55 < liveuser33> mold
09:56 < system16> roq lol we dont have those speeds in here i think the maximum speed in this country is 40 MBps
09:56 < Atro> i can get 100Mbps with like 5 euros
09:56 < Atro> unlimited
09:57 < liveuser33> what making you with the dsl?
09:57 < system16> ?
09:58 < Roq> system16: Ah ok. It's country depended what speeds you get, but in the general rule VDSL throughput speeds (download and upload) are higher than ADSL
09:58 < system16> i tried sattelite services but they suck too . high pings...low speeds
09:58 < system16> liveuser33, ^^
09:58 < Roq> What country do you live in?
09:59 < liveuser33> if it is radio sattelite expect high ping
09:59 < system16> un(fortunately) Iran
09:59 < liveuser33> how lonf does it take for traveling?
10:00 < Roq> Ah ok
10:00 < liveuser33> such is pingtime
10:00 < system16> lonf ? did you mean long ?
10:00 < liveuser33> yes
10:00 < system16> traveling to where liveuser33 ?
10:01 < liveuser33> interesting question
10:01 < Roq> I'm not up to date with the connectivity possiblities in Iran, but to answer your intial question VDSL is better than ADSL
10:02 < liveuser33> note the business have different angles on dishes
10:02 < momomo> I have a printer that I've successfully installed using WPS and without cables ... however, the Scanner functionality seem to work, at least with my program on Ubunut (Mint). Is there a program or an easy way to get the scanner functionality to work as well without cables ?
10:03 < system16> k thanks for helping me out. i have to go . take care
11:24 < djph> momomo: (x)sane is usually the goto for scanning. Personally though, I tend to use the "scan to sftp" for my stuff
11:27 < tya99> first world problems
11:27 < tya99> need to buy more stuff to get 11.1% discount
11:27 < momomo> djph: do you have an example of how such a command might look like /
11:27 < momomo> ?
11:27 < tya99> https://ubwh.com.au discount if you buy over $2k stuff
11:27 < tya99> EdgeSwitch8 - 150W (2x) $563.76 ($281.88ea)
11:27 < tya99> 1m Grounded, External CAT5e  (5x) $117.50 ($20.88ea)
11:27 < tya99> G3 UniFi Video Camera IR - 5 Pack $957.57
11:27 < tya99> Subtotal: $1,638.83
11:27 < tya99> i need to buy more things!
11:28 < momomo> buy a 4k monitor
11:28 < tya99> if only i didn't buy my EdgeSwitch16 150W two years ago from somewhere else!
11:28 < momomo> keyboard?
11:28 < tya99> they don't sell anything but networking hardware
11:29 < momomo> ook
11:29 < tya99> and i had planned to buy the switches and security cameras already
11:29 < momomo> tya99: hosting something?
11:29 < tya99> nah
11:29 < tya99> just upgrading my security
11:29 < momomo> haha
11:29 < momomo> tya99: are you an expert?
11:29 < momomo> on networking?
11:29 < tya99> i want outside security cameras as i don't have any
11:30 < tya99> i wouldn't say so, but i am learning things
11:30 < zenix_2k2> one question, i have a UDP server running on port 8080 but i am not sure whether it has been started or run probably or not, is there anyhow i can check it ?
11:31 < djph> momomo: "command" for what?
11:31 < zenix_2k2> and btw, i am using python to make this server if that info helps
11:31 < tya99> zenix_2k2: check logs check the daemon's status use tcpdump
11:31 < momomo> djph: for scanning ... i am guessing you meant scan to mail kind of thing ?
11:31 < tya99> check ps aux
11:31 < momomo> only to ftp instead?
11:31 < tya99> to see it is running
11:31 < djph> momomo: no, I literally meant what I said.  Granted, the printers I buy support that functionality
11:32 < zenix_2k2> tya99: but this is UDP
11:32 <+catphish> why is it always claimed that RAID 10 is faster than RAID 6?
11:32 < djph> catphish: no idea
11:32 < tya99> zenix_2k2: ps aux will show if the process is running tcpdump will show if any packets are coming from it on 8080
11:32 <+catphish> wouldn't RAID 6 be able to write faster as it doesn't need to write 2 copies of everything
11:32 < tya99> zenix_2k2: on that interface
11:32 <+catphish> or maybe not, maybe every write actually required 3 writes
11:32 <+catphish> i'm not sure
11:33 < tya99> zenix_2k2: tcpdump can do udp traffic
11:33 < momomo> djph: so you push a button the scanner and ends up on a server somepalce? i am guessing you don't initialize the scan from the computer?
11:33 < detha> catphish: "it depends". a raid10 using two controllers for example would be faster (as long as you don't hit PCIE limits)
11:33 <+catphish> oh, RAID 6 writes do require quite a lot of operations
11:33 < djph> momomo: yup
11:34 <+catphish> "Each write operation requires the disks to read the data, read the first parity, read the second parity, write the data, write the first parity and then finally write the second parity. This comes out to be a six times write penalty, which is pretty dramatic"
11:34 <+catphish> that explains it :)
11:34 < djph> on the other hand, the data's likely more stable than raid10
11:35 < tya99> zenix_2k2: tcpdump -i eth0 -n udp src portrange 8080
11:35 < tya99> like that
11:36 < tya99> zenix_2k2: make sure to check the service is actually running ie "ps aux |grep thing"
11:36 < tya99> zenix_2k2: no packets are going to come from something that isn't running ;)
11:37 < detha> djph: 'more stable' ? in what fashion?
11:37 < Reventlov> Can I get 802.11 radio informations, such as Antenna Signal, signal strength, etc, for a device not in monitor mode, for each frame destined by the device? (for itself, not for every frame received)
11:37 <+catphish> djph: RAID 6 can sort of handle more failures, especially if you use the extra capacity it offers to add some hot spares :)
11:38 < djph> detha: in that you can lose more drives before the array is useless
11:39 < detha> djph: as far as I remember, R6 can lose two drives, R10 betwwn 1 and half the array. So on average, R10 is safer...
11:40 < djph> detha: ah...
11:40 < TotallyNotKim> regardless of what two drives for raid6?
11:40 < zenix_2k2> tya99: ok thk
11:40 < TotallyNotKim> becuase in 10 you lose one and the next should be 50:50 lol
11:41 < shtrb> Anyone have experience with LTE/GSM modem that expose the entire interface over USB ? (getting /dev/ttyUSBx and not some android that give you ethernet device) I have three different ones and all are $!$@ androids
11:50 < meowschwitz> shtrb: er, what do you mean 'android'
11:51 < meowschwitz> i have a chinese modem dongle that acts like a flash drive and has to be modeswitched to modem so that it exposes the serial port
11:51 < grawity> shtrb: throw ModemManager at it
11:51 < meowschwitz> shtrb: http://www.draisberghof.de/usb_modeswitch/
11:51 < grawity> shtrb: or the low-level qmi / mbim tools
11:51 < shtrb> meowschwitz, it run internally an android firmware
11:52 < meowschwitz> shtrb: that's retarded
11:52 < shtrb> grawity, used modemmanger (which failed )
11:52 < grawity> shtrb: which failed for what reason exactly
11:52 < shtrb> neither qmi or mbim are loaded , but modem manger can see IMEI , do some AT commands (but not all )
11:53 < shtrb> grawity, modem is not initialized
11:53 < shtrb> meowschwitz, not going to argue, 100% agree
11:53 < shtrb> mmcli give some info
11:53 < grawity> do you know whether it *supports* either MBIM or QMI, or only AT?
11:55 < shtrb> no
11:55 < Kartagis> hello
11:56 < Kartagis> can ns and mx point to different locations?
11:56 < shtrb> I do not have ANY eveidence it should (example the one I'm using now is Huawei E3131)
11:56 < grawity> Kartagis: of course
11:56 < shtrb> Kartagis, yes
11:57 < TotallyNotKim> Kartagis: did somesay tell you yes already?
11:57 < Kartagis> TotallyNotKim: yes, they said yes
12:01 <+catphish> wow, megaraid is seriously confusing
12:06 < momomo> djph: i was able to do it with sane
12:06 < momomo> xsane
12:06 < winsoff> Everybody around me is paranoid, now. Are there any no-frills IP cams that can just send an e-mail when they detect movement, or some shit?
12:08 < melissa666> winsoff, yes, implementing motion-activated cameras is trivial. you can download software like zoneminder that will do this for you
12:08 < hexoroid> I am having issues on one of my ports its picking up 169.* here are my ipconfig and route tables
12:08 < shtrb> yes
12:09 < hexoroid> all other ports on network pick up 192.168.0.1-255 just fine do i need to add route -p ADD 192.168.0.0/24 MASK 255.255.255.0 192.168.0.3
12:09 < shtrb> winsoff, check motion project
12:09 < hexoroid> so it picks up DHCP the correct way so i dont type it in manually ?
12:10 < winsoff> shtrb, melissa666: So I could just buy whatever cheapest not-garbage camera I can find, and then go from there? Interesting.
12:11 < shtrb> It need to have usb interface / network , but you could use a ~$35 pi + ~$10 webcam
12:11 < melissa666> winsoff, yes, take a look at this --> https://zoneminder.com/features/
12:11 < shtrb> you might use even cheaper ones
12:12 < winsoff> The Pi is strong enough to do that? I guess it doesn't scale to 3/4 streams, right?
12:12 < melissa666> The pi is strong enough to handle low-res video, but definitely not high def.
12:13 < melissa666> if you wanted higher definition, you could use a more powerful board (like Rock64) or a laptop/desktop
12:13 < winsoff> Interesting. Perhaps they have something sitting around that would work. I'll have to run some designs and give them some options.
12:14 < melissa666> winsoff, if they have a computer with a USB port, the only other thing they need is a cheap (<$50) camera
12:14 < shtrb> I talked about pi because it was the cheapest opiton I could think of (a pc would be much better) - a pi is like an old pentium 3
12:14 < melissa666> (and an internet connection if they want remote monitoring vs. just getting it from disk)
12:15 < melissa666> pi is actually way faster than old pentium 3 :) ... but yeah, it's slow as shit
12:15 < melissa666> the newest pi has quad core ARM processor
12:15 < melissa666> + 1 gig of ram
12:15 < shtrb> ok pentium 4
12:15 < shtrb> :P
12:15 < melissa666> lol true
12:16 < winsoff> Are wifi-enabled cameras terrible to the network because of the constant noise, or does that vary?
12:16 < shtrb> vary , and they are a security nightmare
12:17 < Kartagis> is there a problem with root servers?
12:17 < shtrb> are knocked of from the net very easily (and if the sdcard is full it is useless)
12:17 < melissa666> winsoff, you have to keep in mind that unless you are damn good at security, every IP camera you put around your home/office is potentially accessible to hackers
12:17 < winsoff> True. I guess as long as they're not UPnP happy
12:17 < winsoff> I've never understood that--how does upnp punch holes in firewalls? Is this a standards-related thing, or can you just block that at the gear level?
12:18 < shtrb> winsof,  every IP camera you put around your home/office is accessible to hackers FTFY
12:18 <+catphish> shtrb: mine aren't
12:18 < melissa666> winsoff, however, if you have good physical security, and have the camera running on a box that isn't connected to the net (just storing footage to disk), then that's not an issue
12:18 < shtrb> catphish, are they running ?
12:18 <+catphish> they are
12:18 < shtrb> plugged in ? and powerd
12:18 < winsoff> melissa666, makes enough sense.
12:19 < shtrb> they are accessible :P
12:19 <+catphish> shtrb: but they can't talk to the internet, so anyone would have a hard job getting at them
12:19 < shtrb> Even LAN ones can be tapped
12:19 <+catphish> shtrb: how?
12:19 < melissa666> ... but then again, if you're not sending the data to remote location, then if someone breaks in and destroys the computer storing the footage ... so yeah, it's a complicated decision, and involves a lot of thought into physically securing the system
12:20 < Kartagis> I have 127.0.0.1:53 in my netstat -antlp output. is is why I can't access from outside?
12:20 < shtrb> hard time != not accessible
12:20 <+catphish> shtrb: well sure, but by that logic everything is accessible
12:20 < shtrb> catphish, if talks over network you can tap on it (if you are able to correctly decode is a different thing)
12:21 <+catphish> well you'd have to physically access the network
12:21 <+catphish> but sure
12:21 < shtrb> catphish, you are 100% correct
12:21 < djph> Kartagis: if your DNS server is only listening to localhost, it won't respond to "not localhost"
12:21 <+catphish> they're not running TLS :)
12:21 <+catphish> so you could easily intercept them with physical LAN access
12:21 < shtrb> catphish, the #%@#%@ tapped the power grid ;-(
12:22 <+catphish> but if you're that close, you can see what the cameras can see anyway :)
12:22 < Kartagis> djph: the funny thing is, I just queried from inside the VPS, and no output.
12:23 < melissa666> catphish, also even if they don't have direct physical access, and are nearby ;)  --> https://www.cl.cam.ac.uk/~rja14/Papers/SE-15.pdf
12:23 < shtrb> catphish, https://cyber.bgu.ac.il/stealing-data-computers-using-heat/ and https://cyber.bgu.ac.il/clever-attack-uses-sound-computers-fan-steal-data/
12:23 < gebbione> hi folks, I am seeing a huge amount of traffic from a specific IP that I cannot identify as a search engine bot or anything legitimate
12:23 < gebbione> ie 10.42.50.60
12:23 < shtrb> but if you have an old AMD you should be safe
12:23 < gebbione> i tried some online tools to establish what the ip is but it looks like just a random ip
12:23 < shtrb> gebbione, local ip
12:24 < djph> gebbione: that's an RFC1918 addresss -- something on your (or your ISP's) network.
12:24 < gebbione> i see, it is not the real ip
12:24 < shtrb> it's real, just NATted
12:24 < djph> it may very well be a "real" IP
12:24 < shtrb> it can be on your ISP network or in your network
12:25 <+catphish> gebbione: is that an IP range you use?
12:25 < gebbione> it must be
12:25 < gebbione> i just set up the system ages ago
12:25 <+catphish> i'd suggest it must be, that IP wouldn't be routed over the internet very far
12:25 < gebbione> it must be the load balancer
12:26 <+catphish> seems plausible
12:27 < gebbione> i need to check how to get the real ips
12:28 < shtrb> catphish, https://arxiv.org/pdf/1804.04014 :-(
12:28 < Kartagis> djph: netstat -Wa includes localhost:953
12:32 < Kartagis> can you guys help? service bind9 status says running, but I can't resolve anything.
12:32 < turtle_> is it running? does it work?
12:32 < turtle_> there's your help I accept paypal
12:34 < shtrb> Kartagis, check the logs (maybe it failed to load the configured zones)
12:34 < djph> Kartagis: /etc/bind/named.conf* set correctly to respond to the local network? zonefiles all check out?
12:49 < Kartagis> does https://paste.ubuntu.com/p/bBBB8YVWsb/ indicate any issues?
12:57 < Reventlov> Can I get 802.11 radio informations, such as Antenna Signal, signal strength, etc, for a device not in monitor mode, for each frame destined by the device? (for itself, not for every frame received)
13:00 < djph> no
13:00 < djph> least I've never seen "per frame" statistics
13:02 < Reventlov> I wonder if I could share antennas across two devices, one in monitor mode, the other one in infrastructure mode
13:02 < Reventlov> and kinda split signals so that both receiver receive the same information
13:03 < light> why? radio waves can be received by multiple devices
13:05 < Reventlov> light: yeah, but if you cannot ensure that they have the same environment (for example, with centimeters apart antennas), then you're done for the measurements
13:05 < Reventlov> and centimeters matter, for 802.11
13:06 < mawk> I'd write a stub driver getting the physical layer information from the first device and injecting it into the second device
13:06 < light> why are you doing this?
13:06 < Kryczek> Reventlov: two in monitor mode yes, however if one transmits then the other one might get fried from getting RF power straight in
13:06 < mawk> yes
13:06 < Reventlov> Kryczek: yeah, good point.
13:06 < mawk> that's the problem with linking the anntenae
13:06 < mawk> so better do this in software
13:07 < Kryczek> Reventlov: what is your end goal? Maybe there is a different solution :)
13:07 < Reventlov> Kryczek: oh, I have no specific end goal.
13:08 < Reventlov> I'm doing a Phd on wireless networks and mobility, so I'm exploring tools I can use.
13:08 < mawk> else can't you place two anntenae right next to the other Reventlov ?
13:08 < mawk> if centimeters matter
13:08 < mawk> the one in monitor mode will hopefully never emit
13:08 < mawk> just receive
13:09 < Kartagis> http://paste.ubuntu.com/p/TVvrXSzCwX/ what does this tell you about named?
13:09 < Kryczek> Reventlov: in the aircrack-ng suite there is a tool (airtun-ng iirc?) that lets you emulate an AP on top of monitoring & injection, but last I checked it does not support WPA, only open and WEP
13:10 < mawk> Kryczek: doing this in the kernel doesn't look too hard
13:10 < mawk> when you're either very low level or very high level it's usually easy
13:11 < Kryczek> mawk: I agree but I think there is also an issue of some (most?) WiFi NICs doing a lot in hardware when they're not in monitoring mode
13:11 < mawk> yeah
13:11 < mawk> I see
13:11 < mawk> so let's reverse this, write the stub for the monitor mode entity
13:12 < mawk> uhm no it doesn't work
13:12 < Kryczek> another approach would be to use an ESP8266, it's a programmable WiFi NIC
13:13 < djph> Reventlov: centimeters don't matter.
13:13 < Kryczek> I think there's even code examples that handle RSSI and forwarding the packet to the OS
13:13 < mawk> and you can make the OS think it's a wifi NIC Kryczek ?
13:14 < Reventlov> djph: for multipath, it does
13:14 < mawk> how do you wire up ? USB ?
13:14 < Kryczek> mawk: tun/tap
13:14 < mawk> the crystal is stable enough for this ?
13:14 < mawk> ah, right
13:15 < Kartagis> hello?
13:15 < mawk> hi Kartagis
13:15 < Kartagis> http://paste.ubuntu.com/p/TVvrXSzCwX/ what should this tell mi about named?
13:15 < Reventlov> Kartagis: Hi. I don't know anything about named, good luck :)
13:15 < Kartagis> me*
13:16 < Kryczek> Kartagis: re-run that command as root
13:16 < Kryczek> (to see the process names)
13:16 < Kartagis> Kryczek: http://paste.ubuntu.com/p/94mwPvzW95/
13:18 < Kryczek> Kartagis: what is your question?
13:18 < Kartagis> Kryczek: I can't  resolve anything
13:18 < Kartagis> internally or externally
13:19 < Kryczek> Kartagis: you want to look at /etc/resolv.conf and your firewall rules (e.g. `iptables -nvL`)
13:22 < Kartagis> Kryczek: http://paste.ubuntu.com/p/hRk25fC5JN/
13:22 < Kartagis> iptables has no rules
13:23 < ne2k> anyone know the MacOS X equivalent of Linux netstat -ltpn (listening, tcp, process name, no dns lookup)
13:24 < Kryczek> Kartagis: is that from the same machine?
13:24 < Kartagis> yes
13:24 < Kartagis> Kryczek: ^^
13:24 < Kryczek> Kartagis: but your machine is 172.30.0.104, and you want to use 172.30.0.2 as the DNS server?
13:25 < Kryczek> or...?
13:25 < Kartagis> this is on amazon, might be useful to add
13:25 < Kartagis> aws
13:26 < Kryczek> Kartagis: what is 172.30.0.2 ?
13:26 < Kartagis> might be aws' server
13:27 < Atro> Whats the technical advantage of using BIRD over a general router?
13:27 < Kryczek> Kartagis: why did you install named?
13:27 < bhuddah> ne2k: lsof -i and then grepping...
13:27 < Atro> A router has ASIC's, the server you  put BIRD on does not
13:27 < ne2k> bhuddah, yep, thanks, found lsof
13:27 < Kartagis> I wanted to run my DNS
13:27 < ne2k> bhuddah, actually lsof -iTCP -sTCP:LISTEN
13:28 < bhuddah> ne2k: you get the idea ^^
13:29 < Kartagis> Kryczek: ^^
13:31 < Kryczek> Kartagis: what for?
13:31 < Kartagis> I'm also hosting
13:35 < Kryczek> Kartagis: I am not sure what to tell you... Check that 172.30.0.2 is the correct DNS IP for AWS, or finish configuring your named and use that?
13:35 < hexoroid> all other ports on network pick up 192.168.0.1-255 just fine do i need to add route -p ADD 192.168.0.0/24 MASK 255.255.255.0 192.168.0.3
13:36 < hexoroid> so it picks up DHCP the correct way so i dont type it in manually ?
14:02 < zenix_2k2> one question guys, i accidentally did "iptables -t nat -A OUTPUT -p tcp --dport 8080 -j REDIRECT --to-ports <port>" without knowing what was the <port> i was redirecting to, is there anyhow to fix this ?
14:04 < JPT> iptables -t nat -L to list the rules
14:04 < JPT> iptables -t nat -D CHAIN POSITION to delete the bad rule
14:05 < JPT> Hint: If you're experimenting on a remote machine, it can be helpful to first set up a cronjob that removes all iptables rules every 10-15 minutes in case you lock yourself out.
14:05 < lpapp> hi, is anyone familiar with snmp here?
14:06 < zenix_2k2> JPT: and by bad rules, it will delete my accident ?
14:06 < JPT> -D takes a chain and the position of the rule in that chain (counting starts at 1 for some reason)
14:06 < TabsOpen> lpapp, a little bit. Nothing on v3 though
14:07 < JPT> zenix_2k2: If your accident made it into the ruleset then you can find and delete it
14:07 < JPT> Also helpful: iptables -S (similar to what iptables-save produces) can show you ALL the rules.
14:08 < zenix_2k2> ok iptables -t nat -L shows me this --> https://pastebin.com/WFjJWLv7
14:08 < zenix_2k2> but there are 2 ports
14:08 < zenix_2k2> which one ? i am not actually too familiar with iptables
14:08 < dnanib> Rules are processed top-down, stopping at first matching rule. So in your case the redirect to 37541 will take place
14:09 < JPT> zenix_2k2: Both rules say "dpt:http-alt", so they're for the same http port that i don't know right now (maybe 8080 or something). One redirects that port to 37541 and the other one to 39441
14:09 < JPT> You need to know which one you want to keep and which one to get rid of
14:09 < zenix_2k2> i tried both but it didn't work
14:10 < zenix_2k2> via some python scripts
14:11 < JPT> You could also remove both rules and do your iptables command again without a typo. :)
14:14 < screwsss> hey room
14:15 < screwsss> anyone here know all about shopping mall public wifi
14:15 < screwsss> and you know free wifi spots
14:15 < turtle> never heard of them
14:15 < zenix_2k2> ok ok ok, so let's just forget about all of these rules, is there any command that i can use to "refresh" everything ?
14:15 < zenix_2k2> cause i actually only added one rule and that result wasn't right
14:15 < screwsss> im wondering how they 'divide' the speeds they get amongst everyone connected :P
14:16 < dnanib> zenix_2k2, what do you want to achieve?
14:16 < shtrb> screwsss, what about them ?
14:17 < zenix_2k2> dnanib: i accidentally added a rule that i couldn't remember what port was it, so i am trying to refresh everything
14:18 < zenix_2k2> port 8080 in specific
14:18 < shtrb> There are many brands, some will limit per connection some will not give any restriction
14:22 < zenix_2k2> so is there anyhow ?
14:26 < Kartagis> would listen-on-v6 {any;} in options prevent listening on v4?
14:27 < light> no
14:27 < light> add listen-on port 53 { 127.0.0.1; }; for ipv4
14:28 < Kartagis> light: at the moment it's not listening on v4
14:28 < light> so add that directive
14:31 < Kartagis> it's still not resolving anything
14:31 < light> restart named
14:31 < Kartagis> what else can I look at?
14:31 < Kartagis> I did
14:31 < zenix_2k2> so hello ?
14:31 < light> are you using the right config file?
14:31 < dnanib> Kartagis, how are you testing whether it is resolving anything or not?
14:31 < light> e.g. /etc/named.conf for non-chroot and /var/named/chroot/etc/named.conf for chroot
14:32 < Kartagis> dnanib: intodns.com
14:32 < zenix_2k2> guys, is there anyhow i can check which port that port 8080 was redirected to ?
14:32 < light> ss -na | grep LISTEN
14:32 < dnanib> With this: listen-on port 53 { 127.0.0.1; }; - the reliable test is "dig @127.0.0.1 www.google.com. a"
14:34 < zenix_2k2> so anyone ?
14:34 < Kartagis> dnanib: none of my domain names are resolving, I can't get e-mail
14:34 < light> pastebin the output
14:35 < Kartagis> me? output of what
14:35 < Kartagis> oh, not me
14:35 < dnanib> Kartagis, you have done this? listen-on port 53 { 127.0.0.1; };
14:36 < dnanib> Then your dns resolver is listening only on your loopback address.
14:36 < light> sometimes I wonder if people only read every other line I type
14:36 < Kartagis> dnanib: I did any and dig gives output
14:38 < dnanib> Please pastebin full command and output. Is dig resolving fine?
14:40 < Kartagis> dnanib: while dig did the thing (https://paste.ubuntu.com/p/dkqGsN9gzY/), I also got https://paste.ubuntu.com/p/qwXxN4b4gr/ in syslog
14:40 < Kartagis> brb, coffee
14:41 < tds> that looks a lot like you have broken ipv6 connectivity, and bind will fall back to connecting to the nameservers over v4
14:41 < dnanib> Kartagis, those syslog errors look benign. Probably your resolver ships with ipv6 addresses for root servers but your server configuration disables ipv6
14:42 < grawity> the root hints have contained ipv6 addresses sine 2008, so
14:44 < tcni> hi all, what is the correct way to implement persistent TCP connections in my server? I want clients to be able to send queries, then wait for a long time before the next one. But I get timeout if waiting too long.
14:44 < tcni> should the client send keepalives?
14:44 < grawity> "I get timeout" from where
14:44 < tcni> grawity: from socket library
14:45 < tcni> my server does a read, but if the client waits 60+ minutes, i timeout
14:45 < grawity> is the connection still alive – can you repeat the read when that happens?
14:45 < grawity> by default TCP connections live forever until either side specifically decides to kill them
14:45 < tcni> there is not read timeout? hm
14:45 < tcni> ok, guess I can retry
14:46 < grawity> read timeouts are an API thing – they're *not necessarily* an indication that the connection is dead
14:46 < dnanib> tcni, timeouts are implemented in application protocols built on top of tcp
14:46 < thecha> I want to use one emacs config across all my devices and want to have a synced org files? can i do this through my homeserver?
14:46 < Kartagis> so, what do I do?
14:46 < grawity> OP has timed out :|
14:46 < dnanib> Kartagis, you seem to be set. Is something not working?
14:47 < Kartagis> dnanib: my domains aren't resolving
14:47 < Kartagis> ;; connection timed out; no servers could be reached
14:47 < light> pastebin your named.conf and zone configs
14:47 < light> eh?
14:47 < dnanib> But you just pastebin'ed that things are resolving... :-)
14:48 < light> lookup against your name server specifically
14:48 < light> what's in your resolv.conf?
14:48 < dnanib> Kartagis, pastebin resolv.conf too then
14:50 < Kartagis> dnshttp://paste.ubuntu.com/p/SWrM7xmcxc/
14:50 < Kartagis> dnanib: http://paste.ubuntu.com/p/SWrM7xmcxc/
14:51 < grawity> where do files start and where do files end in that
14:52 < thecha> Hi Friend, I would like to use one emacs config across all my devices and have them all sync with a and upate new changes to a central file on my homeserver, I would like to also do something similar to my org files, can you point me to a tutorial or resource on how to do this?
14:52 < light> thecha: rsync
14:52 < thecha> ty friend!
14:54 < light> the whois records for boradental.com.tr list ns01.webcinizim.com and ns02.webcinizim.com but neither of those seem to be online/working
14:55 < tds> both of those seem to have A records pointing to the same IP as well
14:55 < tds> (which doesn't respond to queries)
14:56 < tds> if this is meant to be a public nameservers, having it listen on only 127.0.0.1 isn't much use (unless you have something else sitting in front of it)
14:56 < thecha> tds out of curiosity what function do these queries serve?
14:56 < light> also the nameservers for webcinizim.com point to itself
14:56 < Kartagis> grawity: https://paste.ubuntu.com/p/yw387DZHDS/
14:56 < Kartagis> they point to ns01 and ns02
14:57 < Kartagis> ns01, sorry
14:57 < light> How do people resolve ns01.webcinizim.com?
14:57 < tds> glue records (which appear to be in place)
14:57 < light> Ah yes, I was just using them
14:58 < Kartagis> hmm, I don't know why it doesn't exist now
14:58 < tds> Kartagis: is there any reason you've configured it to only listen on 127.0.0.1?
14:58 < tds> unless you have something else sitting in front of that, it won't respond to queries from outside when configured like that
14:58 < light> it's safer for the internet
14:59 < Windy> am i correct in my understanding that traffic selector, proxy id, and encryption domain all refer to the same concept?
14:59 < xdroop> So if I want a CentOS 7 to bring an interface up at boot time with no IP address, how might I do that?
14:59 < light> Windy: wat
14:59 < Windy> there's the concept in IKE of a traffic selector, but it seems like vendors call it different things
14:59 < xdroop> Windy: in that they're all different parts of a phase 2
14:59 < tds> light: safer for the internet?
14:59 < light> xdroop: do your interfaces fail to come up if you omit the IPADDR line from your ifcfg-int file?
15:00 < tds> sure, you don't want to run an open resolver, your nameserver needs to be public though
15:00 < light> tds: than people that don't know how to run dns having servers that can be exploited
15:00 < Windy> in what way are they different?
15:00 < xdroop> light: I'll try that
15:00 < xdroop> Windy: ok reading more closely, yes they are pretty much teh same thing
15:00 < xdroop> (assuming for encryption domain, I know hte other two are the same)
15:01 < Windy> i think that's just the cisco term for it
15:01 < Windy> ike/ipsec is relly convoluted between vendors
15:02 < xdroop> yes, yes it is
15:02 < xdroop> knowing the right vocabulary to feed into google is 75% of the battle
15:02 < xdroop> ...and with Cisco, finding docs for the right OS version is most of the rest.
15:04 < Windy> my experience is always bringing up tunnels with other organizations too, so it can be really hit or miss as to whether the person on the other end has a clue
15:05 < xdroop> ha
15:05 < xdroop> yes
15:05 < Kartagis> hmm. all the IP addresses in zone files are different than the one in console
15:05 < xdroop> light: that worked, thank you
15:06 < light> welcome
15:19 < Kartagis> no, still unresolvable
15:20 < dnanib> Kartagis, is the Bind installation supposed to be authoritative for those domains? Then your listening on 127.0.0.1 does not make sense.
15:20 < dnanib> Remove that. What was the reason you added that in the first place?
15:20 < ALowther> Does anybody know any good sources that compare/teach information about about different VPN implementations and what they're actually doing to encrypt/secure the data?....For instance, I am curious about IKEv2/IPsec vs OpenVPN. I can find plenty of sources that have opinions or general ideas about one being better or easier to implement etc, but what is actually happening? How is each packet actually encapsulated? Is just the data-payl
15:20 < ALowther> oad encrypted, is everything encrypted and then new addressed headers are added to the now encrypted data, etc?
15:21 < Kartagis> I was told here
15:21 < meowschwitz> ALowther: openvpn is TLS, IPSEC is AH/ESP
15:22 < Kartagis> dnanib: should I remove the line or replace with any?
15:22 < dnanib> Kartagis, I joined late to the party. What did you ask for which adding that was recommended?
15:22 < meowschwitz> ALowther: both are fully opaque, for both you can enable PFS and stronger ciphers/hashes if desired
15:23 < Kartagis> I don't remember
15:23 < Kartagis> oh, now I do
15:23 < Kartagis> I asked if listen-on-v6 will prevent listening on v4
15:24 < tds> make sure you're refusing queries to any zones other than yourself before you make it listen on a public interface though
15:24 < tds> since you don't want to be running an open resolver
15:24 < Kartagis> how do I do that?
15:24 < dnanib> Kartagis, do you want to listen on v6 interface, v4 interface or both?
15:25 < Kartagis> v4 I guess
15:25 < ALowther> meowschwitz: Yes, so what, TLS encryption => [mac[ip[port[TLS[APPLICATION]]]]]; IPSEC => [MAC[IP[PORT[SESSION[APPLICATION]]]]]...CAPS = Information included in encryption
15:25 < meowschwitz> https://openvpn.net/index.php/open-source/documentation/security-overview.html
15:25 < meowschwitz> https://en.wikipedia.org/wiki/IPsec#Encapsulating_Security_Payload
15:26 < mcdnl> ALowther: ipsec esp encapsulates the full packet in another ipv4 packet
15:26 < dnanib> Kartagis, your config: 	listen-on port 53 { 127.0.0.1; };
15:26 < dnanib>  listen-on-v6 { any; }; - means it is listening on all v6 interfaces and only on the loopback v4 interface
15:26 < tds> if your provider offers v6, please configure it as well, it's not much extra work :)
15:27 < ALowther> meowschwitz: Nice. Thanks for links.
15:27 < mcdnl> ah just authenticates the content of the packet (ensures the content has not been modified)
15:27 < mcdnl> esp and ah are full ip protocols on its own, while tls is built over tcp
15:27 < ALowther> mcdnl: So there is more overhead I would assume since it's encrypting more information every packet
15:28 < mcdnl> i dont think you'd notice it that much
15:28 < dnanib> Kartagis, I think what you need is:  listen-on port 53 { any; }; listen-on-v6 { none; };
15:28 < mcdnl> with esp/tls yes, packet size increases because of the encryption
15:29 < Kartagis> no, still not resolving
15:30 < tds> what's the output of netstat -nlp?
15:30 < tds> (you want to run that as root)
15:30 < mcdnl> ALowther: i'd say the "hardest" is esp ipsec with aes256gcm / ecp384+ / sha384|sha512 and using ciphers instead of preshared keys
15:30 < tds> that should show you if it's listening on the right addresses
15:30 < mcdnl> s/ciphers/certificates/
15:31 < Kartagis> tds: http://paste.ubuntu.com/p/3V4rZp5tpc/
15:33 < tds> is your provider doing nat?
15:33 <+catphish> someone needs to have a chat with LSI about how on earth their RAID config works!
15:34 <+catphish> if you want RAID 10, you choose RAID 1 :|
15:34 < zamba> i'm looking for a tool to simulate latency, packet loss and so on.. what can be used for this?
15:34 < ALowther> mcdnl: Thank you
15:34 <+catphish> if you choose RAID10 you get RAID100
15:34 < dnanib> Kartagis, are you working on the server with IP 52.89.235.163?
15:35 <+catphish> on the plus side, now my raid is configured properly: Timing buffered disk reads: 3342 MB in  3.00 seconds = 1113.28 MB/sec
15:36 < Kartagis> dnanib: a quick search showed that IP address changes for EC2 instances when rebooted.
15:36 < Kartagis> dnanib: not it's 54 something
15:36 < Aeso> zamba, there's a linux package called tc that is good for that kind of thing
15:37 < tds> Kartagis: I think your glue records are out of date in that case
15:37 < Peng_> Kartagis: Stop and start may change IPs, reboot shouldn't
15:37 < dnanib> Kartagis, are you administrator for zone  webcinizim.com?
15:37 < dnanib> That is where your problem is I think
15:37 < Kartagis> tds: yeah, may not have propogated yet
15:38 < Kartagis> dnanib: yes I am
15:40 < dnanib> Kartagis, then see this: https://pastebin.com/5g5giXmy
15:40 < tds> yeah, I'm still getting that old glue record from all of the nameservers for .com
15:40 < dnanib> Your nameservers are in the zone webcinizim.com and there are no glue records. So that zone has to resolve properly for the other zones to work.
15:41 < Kartagis> sorry
15:41 < Kartagis> dnanib: you were saying?
15:41 < tds> have you already updated the records with your registrar?
15:41 < tds> there's not much else you can do if that's the case
15:41 < strixdio> interesting...
15:41 < nosmelc> What's a good way to go around to about a dozen new ethernet outlets and test them all to make sure they're reliable and all get 1Gbps speeds?
15:41 < dnanib> If you are the admin of webcinizim.com then make sure its DNS works fine first
15:42 < dnanib> Use this: https://www.zonemaster.net/nojs to check if everything is fine or not
15:42 < dnanib> nosmelc, laptop + iperf?
15:42 < strixdio> I am using ssh "-D 9090", and routing all my traffic over socks5 proxy from firefox.. when I go to youtube, it tells me that there are restricted videos (which means that somehow the filter is blocking my traffic). Am I missing something?
15:43 < nosmelc> dnanib, thanks.  I've worked with iperf before
15:43 < nosmelc> dnanib, I guess that's the best way
15:48 < Kartagis> dnanib: https://www.zonemaster.net/test/42478951bc6603c4
15:49 < dnanib> Kartagis, sorry: Internal Server Error
15:49 < dnanib>  :-)
15:50 < Kartagis> No NS records for tested zone from parent. NS tests skipped.
15:50 < Kartagis> idk how I get this
15:51 < tds> Kartagis: have you updated the glue records with your registrar?
15:52 < tds> since there's not much else you can do until that's sorted
15:52 < Kartagis> I never changed them
15:52 < tds> did you say that 52.89.235.163 wasn't the correct IP?
15:53 < Kartagis> yes
15:53 < tds> then you need to update the glue records
15:54 < Kartagis> but there's no page to enter IP
15:54 < Kartagis> only nameserver
15:54 < Kartagis> ns01.webcinizim.com
15:54 < tds> it'll be on the config for the webcinizim.com domain
15:55 < Kartagis> shit
15:55 < Kartagis> there is
15:56 < tds> the ttl on those glue records it pretty high, so it may take a while for the change to actually affect resolvers
15:56 < tds> but that should at least fix some of the issues
15:57 < dnanib> Kartagis, the Registrar URL for that domain is Registrar URL: http://www.ihs.com.tr as per Whois. If you have the credentials to login there please look around for the interface to add NS/Glue records.
15:57 < tds> the records have changed, sounds like Kartagis has already found it :)
15:58 < Kartagis> thanks dnanib and tds
15:59 < Kartagis> I can't believe it
16:01 < dnanib> Way to go, Kartagis :-)
16:01 < tds> looks good, you're refusing queries for google.com as well :)
16:02 < dnanib> Use that Zonemaster to make sure everything is setup just right
16:04 < tds> you have some NS records you've set in the parent zone but not in the child zone on your nameserver: http://dnsviz.net/d/boradental.com.tr/dnssec/
16:04 < tds> should be a pretty easy fix though
16:42 < jvwjgames_> when i make a virtual bridge to another adapter so that traffic gets sent out the eth0 does eth1 have to have a cable plugged in
16:43 < jvwjgames_> meaning traffic at eth1 witch has no cable but is a bridge to eth0 witch does have a cable does eth1 still need an ethernet cable
16:48 < djph> bridging two interfaces just turns them into a switch
16:48 < jvwjgames_> so i do still need a cable
16:49 < djph> does your switch need a cable in every port to work?
16:49 < jvwjgames_> ya
16:49 <+imMute> O.o
16:49 < djph> o_O
16:49 < jvwjgames_> is there a way to creat a virtual port without me needing to go the DC
16:49 < djph> your switch probably needs replaced
16:50 < jvwjgames_> oh wait sorry i read your question wrong
16:50 < jvwjgames_> no
16:51 < djph> exactly ;)
16:51 < jvwjgames_> so traffic can still route  from eth1(no cable) to eth0 (cable)
16:51 < jvwjgames_> cause i can't ping pfsense after setting it up
16:52 < felda> lmao
16:53 < djph> no
16:53 < felda> if you have eth0 set as WAN it will reject all pings
16:54 < felda> and that's not what bridging is designed to do either
16:54 < felda> at least not in pfsense's context
16:54 < felda> jvwjgames_ is pfsense physical machine or a VM?
16:54 < jvwjgames_> VM
16:56 < Roq> jvwjgames_: Can you connect to the pfsense shell via the vm console?
16:56 < felda> you're going to want to make the LAN the connected port for now
16:56 < felda> once you're in you can create rules to allow access to WAN
16:56 < felda> and switch it back to WAN is the connected port
16:56 < jvwjgames_> yes i can get to pfsense via VM consle
16:57 < Roq> a dirty fix is connecting to the shell via console, disable packetfiltering (pfctl -d) and connect to the WAN address
16:57 < felda> ^
16:57 < Roq> Now you can access the gui via the WAN address, and setup your firewall rules
16:57 < felda> you want your test VM connected via WAN because pfsense is goofy and only lets you run updates and install packages if you Internet on WAN
17:18 < CustosLimen> which should I buy for optimal range: should I buy Ubiquiti airCube-AC https://www.ubnt.com/accessories/aircube/ or Mikrotik hAP ac² https://mikrotik.com/product/hap_ac2 ?
17:21 < electricmilk> Will there be an outage if I switch all the ports on our switches using Vlan1 to a new vlan number?
17:21 < mawk> probably
17:21 < mawk> if you're asking this question maybe you shouldn't do that at office times
17:22 < electricmilk> haha k
17:22 < mawk> or wait for lunch
17:22 < mawk> I have some bad memories of a whole office mad at me for "breaking the internet"
17:23 < mawk> during my last intership as a sysadmin
17:23 < electricmilk> I will need to change the native VLan as well right?
17:23 < electricmilk> We are going to have a security audit and I know using VLAN 1 as native Vlan is a big no-no
17:23 < mawk> why
17:23 < mawk> ?
17:23 < mawk> your coworkers don't use ethernet ?
17:24 < electricmilk> Easier to do a vlan hopping attack
17:24 < electricmilk> Considered bad practice to use vlan 1
17:26 < mawk> well you've got a little more steps than just changing vlan number
17:26 < mawk> and if you're using only one vlan, i.e. no vlan at all, what are the benefits of changing the number ?
17:28 < electricmilk> mawk,  Not getting dinged on the security audit but I think I see your point
17:28 < electricmilk> The whole point of VLan hopping is to acccess other Vlans...
17:28 < mawk> yes
17:28 < electricmilk> If there are no other vlans it shouldn't matter that I'm using vlan 1
17:28 < mawk> indeed
17:28 < electricmilk> But I actually do have a Vlan set on one switch
17:28 < electricmilk> But there are routes for that vlan...its just for wifi which has full access
17:29 < electricmilk> I also intend on adding a vlan I do want segmented.  I just want it to have internet access and no routes internally.
17:30 < thecha> what are some secure ways to authenticate yourself to your server you ssssh into
17:31 < electricmilk> thecha,  well isn't ssh itself pretty secure?
17:31 < electricmilk> If you are using an up to date version?
17:31 < tds> ssh keys + totp 2fa if you're paranoid
17:31 < thecha> electric say somebody has compromised my computer wont they gain access to my server too if i uses key pair authentication or a passphrase?
17:32 < tds> totp works nicely to solve that, or store your ssh key on a smartcard
17:33 <+catphish> thecha: you should always use a key encrypted with a passphrase
17:33 < thecha> totp? i see...
17:33 < tds> iirc google make a pam module for it?
17:34 < thecha> catphish! wont they be able to keylog the passphrase?
17:34 <+catphish> but OTP is even better since it means that even if someone got access to your computer with a keylogger, they couldn't use the key
17:34 <+catphish> thecha: yes
17:34 < Apachez> https://twitter.com/marcan42/status/1008981518159511553  HP iLO4 authentication bypass
17:34 <+catphish> thecha: ultimately if soemone has full access to your pc you're screwed
17:34 <+catphish> so you need to make sure that doesn't happen
17:35 < thecha> is there a book that can teach me how to make that at least unlikely?
17:35 < electricmilk> software based keyloggers are still a thing nowadays?  Wouldn't antivirus simply detect this?
17:35 <+catphish> they could just as easily replace your ssh binary with one that connects via their proxy and intercepts your connection, auth, etc
17:35 < thecha> electricmilk! are you on a gnu/linux?
17:36 <+catphish> don't run untrusted code
17:36 < electricmilk> sometimes.  Right now I'm on Windows 10
17:36 < electricmilk> (At work)
17:36 <+catphish> that's the most important thing
17:36 < thecha> electricmilk! what antivirus do you use on your gnu?
17:36 < electricmilk> Good point
17:36 < thecha> catphish! i see
17:37 < electricmilk> I remember trying to compile keyloggers on Linux back in the day and was no easy task.
17:37 < tds> doing disk encryption is also worthwhile if you're concerned about someone pulling the drive and swapping binaries for example
17:37 <+xand> or getting your data
17:37 < tds> ...but you're probably screwed at that point anyway
17:37 <+catphish> electricmilk: it's trivial if you have x11 afaik
17:37 < tds> yes, and that :)
17:37 < thecha> catphish! so no jscript no proprietary or non-free no software as a service and so forth
17:38 <+catphish> thecha: some combination of those depending on your level of paranoia
17:38 < thecha> i have an idea
17:38 < electricmilk> The threat of a keylogger seems unlikely to me on Linux.  Why would someone place malicious code in a well known script that is open source?
17:38 < thecha> cant you have a software calculate md5 checksums of all your stuff after every tiny change?
17:38 <+catphish> you can trust nonfree software just like you trust a distro to compile free software
17:38 < thecha> and then aprove all changes?
17:38 < thecha> and then cosntantly check for changes in md5 cheksusms?
17:39 < tds> sure, if you want to spend the rest of your life reading source code and checking it, and probably missing errors anyway
17:39 < electricmilk> lol
17:39 < thecha> but then again the attacker could just wait for you to change things and work their changes in with yours...
17:39 < electricmilk> I simply had to realize I'm not that important.  People don't care about me.  Just don't be the low hanging fruit.
17:40 < thecha> using a browser that allows jscript is also letting just uncontrolled code be run right?
17:40 < thecha> that means most websites wont work for you, not that i care, just saying
17:40 <+catphish> thecha: to a lesser extent, in a sandbox
17:41 <+catphish> it's all about relative risk
17:41 < thecha> do sandboxes really isolate things?
17:41 < thecha> i see
17:41 <+catphish> yes
17:41 < thecha> well thanks for putting things into perspective
17:41 < thecha> i did not know that you are rleatively safe from this key logger worms and trojans on gnu
17:41 <+catphish> javascript can't access / modify random files on your computer
17:41 < thecha> i thought it was jus too obscure for people to often do that
17:41 < tds> well, it shouldn't be able to at least :)
17:42 <+catphish> but, sometimes browsers have bugs, and javascript can exploit them
17:42 < thecha> catphish! and then if those people are good they can step by step take over the machine?
17:42 <+catphish> similarly, opening a document, it might have something in it that exploits a bug in your word processor, same thing
17:42 <+catphish> thecha: yep
17:42 < electricmilk> Just keep everything up to date to avoid most of that.
17:42 < thecha> so you should nto broswe the web, or open any files you didnt create yourself
17:43 <+catphish> so, again, it's all about relative risk
17:43 < electricmilk> lol stop being so paranoid
17:43 < thecha> well if you can just reduce the risk reasoably that is good enough
17:43 <+catphish> if you have nuclear launch codes, you're not gonna be running javascript, or even conencting to the internet
17:43 < thecha> ok i try being less paranoid electricmilk
17:43 <+catphish> if you just have some people's email addresses to protect, you're gonna be less paranoid
17:43  * tds bets those boxes are still on xp or earlier
17:43 <+catphish> depends who is trying to attack you too
17:44 < electricmilk> Do your updates, and have strong passwords. Encrypt the HD if you are worried about the HD getting stolen.
17:44 <+catphish> more valuable data = more determined attacker
17:44 < electricmilk> Hackers typically look for the low hanging fruit.  Unless like catphish said you have very valuable data.
17:44 < thecha> catphish!  i am just worried about people using any easy oportunities that i present to them by my ignorance
17:45 <+catphish> thecha: the worst vulnerabilities are unpatched software and weak passwords
17:45 < electricmilk> Also, disable remote management on your router, change the default password, and have a strong wifi key.
17:46 < thecha> i thik i am gonna keep wifi off
17:46 < thecha> seems like wifi would be asking for it tbh
17:46 <+catphish> default passwords are the weakest of all :)
17:46 < thecha> lol
17:46 < thecha> catphish! case for strong default passwords
17:46 < electricmilk> Also disable WPS on the router.
17:47 < electricmilk> Strong default password is a bit of an oxy moron.
17:47 < electricmilk> Although I've noticed some routers now come with a unique management password...but I wouldn't really consider that a default password.
17:47 <+catphish> lol strong default passwords
17:48 < electricmilk> strong default password = password1
17:48 <+catphish> i wouldnt trust those unique default passwords
17:48 < electricmilk> me either
17:48 <+catphish> they're too often seeded using a MAC address
17:48 < electricmilk> Or the default wifi key.
17:48 < electricmilk> Many ISP's simply use phone numbers.  It does not take long to get through EVERY possible 10 digit number with aircrack
17:49 <+catphish> default wifi keys really only exist in home kit, so meh
17:49 <+catphish> you arent using a home router as the primary defence for your important data, right :)
17:49 < electricmilk> At least its a lot better than defaulting to OPEN
17:49 <+catphish> is it?
17:49 < electricmilk> Sure
17:49 < electricmilk> The key's aren't super strong but it will stop 99% of attackers
17:49 <+catphish> i like open wifi, at least i did before ubiquitous LTE
17:50 < electricmilk> Its rare to find open wifi these days
17:50 < electricmilk> At least in my area
17:50 <+catphish> indeed, i was pretty upset about it when the trend started
17:51 <+catphish> because when wifi was invented i assumed in a few years every building in the world would have open wireless internet
17:51 < electricmilk> Plus open Wifi is susceptible to MITM attacks
17:51 < electricmilk> I remember in a lab setting up SSLstrip and was quite frightening.
17:51 < electricmilk> Yea but also if you have open Wifi aren't you legally responsible for what happens on it?
17:52 < electricmilk> What if your neighbor Bob is using it for kiddie porn or something?
17:52 <+catphish> only in germany
17:52 <+catphish> rest of the world, no
17:52 < electricmilk> interesting
17:52 <+catphish> it would be pretty ridiculous if you were really
17:52 < electricmilk> I still wouldn't want the feds knocking on my door questioning me about kiddie porn regardless if I'm not legally liable.
17:53 <+catphish> well that's your choice
17:53 < electricmilk> Some cities have free open wifi but again I don't like the idea of MITM attacks
17:53 <+catphish> use TLS
17:54 < tds> your standard approach should be to not trust the network anyway imo
17:54 <+catphish> i don't think it'll be long before browsers disable non-ssl by default with a warning
17:54 < electricmilk> Have you checked out SSLstrip?  I installed it like 10 years ago in a lab but it worked beautifully.
17:54 < tds> hsts is a thing
17:54 < electricmilk> No certificate errors
17:54 < tds> (and preloading)
17:54 < electricmilk> yet everything in plaintext
17:55 <+catphish> sslstrip only works if you access a site in plain text to begin with
17:55 <+catphish> it just prevents SSL rdirects
17:55 <+catphish> it's 90% defeated by HSTS
17:55 < electricmilk> Would HTTPS everywhere prevent it as well?
17:55 <+catphish> and IMO browsers will very soon start warning about all non-tls conenctions
17:55 <+catphish> electricmilk: if browsers warned about non-https, yes
17:56 < electricmilk> Ugh that means SSL-DPI is going to become more and more standard no?
17:56 < electricmilk> I really don't want to set it up on our firewalls
17:56 <+catphish> sure
17:56 <+catphish> well don't then
17:56 < electricmilk> 90% of the techs I mention to tell me not to
17:57 < electricmilk> what's your opinion on SSL-DPI catphish?
17:57 <+catphish> it's really no different from http DPI
17:57 <+catphish> you're just looking at a different part of the packets
17:57 < electricmilk> Except you have to install the certificate on every workstation
17:57 <+catphish> i would never do eother
17:57 <+catphish> oh, that, no, NEVER do that
17:57 < electricmilk> hehe
17:57 < tds> if you want to mitm my traffic, I'll go and use another network :)
17:57 <+catphish> this will break the end to end trust that TLS relies on
17:58 < mcdnl> dpi ssl is ok but you have to be careful, there are some situations where you cant do it
17:58 <+catphish> anyone who installs your cert on their PC is essentially rending TLS worthless because you won't secure the key properly
17:58 < mcdnl> catphish: on corporate networks thats not an issue
17:58 < electricmilk> yea screw that
17:58 <+catphish> if you want to know what websites people visit just sniff the TLS handshakes
17:58 < electricmilk> Meh I just view the content filter logs
17:59 < electricmilk> I only care about the violations
17:59 <+catphish> mcdnl: it might be ok, if you validate remote certs properly, but it's not a good idea
17:59 <+catphish> it breaks end to end trust and key pinning, and other things in nasty ways
17:59 < mcdnl> catphish: usually you inspect all the traffic except for banks, healthcare and specific services that rely on certificates to authenticate
17:59 < tds> I've heard of some bank applications doing their own certificate pinning validation as well
18:00 <+catphish> mcdnl: no, usually you inspect no traffic
18:00 < electricmilk> I need to setup our Childrens center to have network access?  I have strict content filtering through proxy...do you recommend I additionally setup a "parental restriction" DNS server on them as well?
18:00 < electricmilk> *access.
18:00 <+catphish> mcdnl: there are very few occasions where it's a good idea to break end to end SSL :)
18:01 < mcdnl> well, on corporate environments you have to check what users are downloading
18:01 <+catphish> mcdnl: no you don't
18:01 < mcdnl> more than "check", pass it through av/exploits/etc
18:02 < mcdnl> why not?
18:02 <+catphish> mcdnl: i'd probably use AV at the workstation for that
18:02 < detha> also, you have to check what users are uploading
18:02 <+catphish> but i suppose you could do it MITM
18:02 < mcdnl> ^^ dlp
18:02 < electricmilk> We just have really strict content filtering, IP GEO blocking, and then malware/spyware checking for unencrypted traffic.  Also IPS/IDS and botnet filter.
18:02 < electricmilk> Now I need to focus on layer 2 security
18:03 <+catphish> if you trust users that little, just don't give them internet access, or a browser that allows such things
18:03 < tds> i've seen some av applications that do mitm on the local box and install their own root cert
18:03 < electricmilk> and layer 1 to be honest
18:03 < mcdnl> go for a snort
18:03 < mcdnl> and 802.1x
18:03 <+catphish> i think local AV is going to be more effective
18:03 <+catphish> but perhaps there's a case for both
18:03 < mcdnl> tell that to android users
18:03 < electricmilk> Yea not our crappy local AV.  Look forward to switching soon.
18:04 <+catphish> and for identification of material that definitely shouldn't be uploaded of course
18:04 < electricmilk> Should be able to get us bitdefender for basically free
18:04 < electricmilk> (non-profit)
18:05 < tds> electricmilk: if you're going to rely on dns for filtering, make sure you block (or redirect if you want) dns traffic to other resolvers, and keep in mind that people can still do dns over tls/similar
18:05 <+catphish> if you find yourself blocking like that, you're doing it for the wrong reasons IMO
18:05 < electricmilk> tds, only as a backup.  I have strict content filtering by proxy
18:05 < tds> indeed
18:06 < electricmilk> Our content filtering is pretty legit
18:06 <+catphish> if users want to get around your blocks, then you're wasting your time
18:06 < tds> and if you're blocking like that, please make your resolver dnssec-capable, since it's just annoying if not
18:06 < electricmilk> Still can be bypassed with Google Translate though which I'll just block in the hosts file for the children's center
18:07 < electricmilk> I doubt 9 year old children will get passed the blocks
18:07 < electricmilk> If they are able to then awesome..they deserve it
18:07 <+catphish> if you're doing it to prevent people accidentally being harmed, that's fine
18:07 <+catphish> but when they don't want your blocks any more, that's a different matter
18:08 < tds> and keep in mind as soon as one student/whatever can bypass it, everyone will
18:10 <+catphish> i've just never understand the value in blocking someone access to content that they *want* to access, even putting aside the futility of it, i don't see how you are benefiting that person
18:10 <+catphish> for younger children, makes perfect sense, you don't want them being accidentally exposed to things they weren't looking for
18:11 < electricmilk> How would they bypass it though?  I give them standard user access so they can't install software. Have strong content filtering which includes filtering of freeware sites and portable apps. Disable setting to allow them to change proxy or VPN. DNS filtering as backup.  Block Google Translate.
18:12 < electricmilk> catphish,  Well for the adults its mainly to prevent malicious code from getting in the system
18:12 <+catphish> electricmilk: well that seems sane
18:12 <+catphish> i'd bypass it by using a friend's iphone :)
18:12 < electricmilk> Ransomware could bring a small non-profit like us down to our knees.
18:12 < electricmilk> lol
18:12 < tds> stopping users from running random binaries may be worthwhile, if this is windows iirc there's applocker or something
18:13 < rqh4> i used curl -X PUT http://couchbaseip:5984/db
18:13 <+catphish> electricmilk: really? if that's you you need to seriously rethink how you're storing your data
18:13 < rqh4> now what kind of request is being sent
18:13 < tds> for randomware just store everything on a fileserver with snapshots, then you can easily rollback/restore from backups/whatever
18:13 < electricmilk> I mean we do have cloud backups and whatnot but still...
18:13 <+catphish> electricmilk: don't store data in one place where it can be erased, or even writable from a single location
18:13 < electricmilk> Having to get on 50 workstations and restore everything would equal a lot of downtime
18:13 < Wulf> Good Morning.
18:14 < ||cw> electricmilk: keep re-thinking.  redirect docs and desktop to the network.
18:14 < tds> if your critical data is on those workstations, you're probably doing it wrong
18:14 < electricmilk> Its not SUPPOSED to be.
18:14 <+catphish> keep docs on a server, backed up offsite
18:14 < Wulf> In Linux, is there a possibility to "NAT" an ipv4/tcp connection to ipv6/tcp without using a user space proxy?
18:15 < electricmilk> Just yesterday I was in the middle of encrypting an HD with veracrypt when we had a power outage.  It was a darn Seagate 7200.12 and crashed.  Staff member was NOT saving files to fileshare as company policy..now she is convinced it was veracrypt that caused it.
18:15 < ||cw> Wulf: that's not NAT anymore
18:15 < electricmilk> Getting the click of death. Ugh
18:15 < Wulf> ||cw: guess one could call it NPT?
18:15 < tds> Wulf: if you don't want to do it in userspace, you can use jool do to it in a kernel module ;)
18:15 < Windy> any palo alto users here?
18:15 <+catphish> electricmilk: better training i guess :(
18:16 < electricmilk> Yea. I sent out a reminder email and on Friday we have a staff meeting where I'll go into detail
18:16 < electricmilk> I wish we had the server space for roaming profiles
18:16 < Windy> electricmilk: roaming profiles != folder redirection
18:16 < ||cw> roaming can be a pain, bu redirecting my docs is easy
18:17 <+catphish> or just use google docs :)
18:17 < Wulf> tds: will have a look, thanks
18:17 < electricmilk> redirecitng is built-in right?
18:17 < tds> Wulf: if you don't mind userspace, tayga works as well
18:17 < electricmilk> We actually get $5,000 a year in Azure for free
18:17 < Windy> yep, it's done via GPO
18:17 < tds> what are you actually trying to do here though?
18:17 < electricmilk> I should just setup something with azure...folder redirection to Azure server or something
18:18 < Windy> i've done folder redirection with onedrive.  it worked most of the time, but if it ever got out of sync it was a pain, especially for large folders
18:19 < Windy> if you just spin up a fileserver in azure that could work though
18:21 < Wulf> tds: I'm considering building an overlay network for my docker cluster where the docker containers only speak ipv6. If a connection from the internet arrives with ipv4, it somehow needs to be translated to reach e.g. a webserver container.
18:22 < tds> ah, I do something similar, I'd just drop a reverse proxy in front of the entire thing if it's all http/ssl
18:23 < Wulf> tds: of course that would be the obvious solution. That's why I'm looking for alternatives :-)
18:23 < tds> nat64 works nicely for allowing outbound connections from a v6-only network to the v4 world, but if you want to do incoming connections you either need to map individual ports or have a 1:1 mapping between v4 and v6 addresses which is a bit rubbish
18:24 < tds> do really your only option is something that can look at the http host header or sni hostname and forward based on that, unless you want to eat lots of v4 space
18:24 < tds> s/do/so
18:26 < Wulf> tds: yep. I'm trying to work around this with ipv6, but most clients are still on v4.
18:26 < Wulf> tds: is there any userspace proxy aside from haproxy which can forward connections based on SNI?
18:27 < Wulf> tds: while maintaining end-to-end encryption, the proxy mustn't terminate tls.
18:27 < tds> I use sniproxy (mainly because the configs are far shorter and I'm lazy), I think nginx will do it as well
18:29 < tds> keep in mind you probably also want support for proxy protocol to preserve original source ips, otherwise you have to match up timestamps in logs to follow requests which is a pain
18:30 < Wulf> tds: uh... right. Completely forgot about that. But I'm not sure if actually need those src IPs.
18:31 < tds> I still don't bother with it, I really should now that sniproxy and apache have native support though I think
18:31 < Wulf> tds: there's probably no way to accept() a tcp connection, recv the client hello and then ask the kernel to NAT it somewhere else?
18:32 < tds> hmm, I'd never considered that, it would be very neat if you could get it to work though
18:32 < tds> I guess you may also need to do some modification of sequence numbers?
18:34 < Wulf> tds: probably no way around that. Well, could invent a tcp option to force the target tcp server to start from a given sequence
18:40 < Wulf> tds: actually, there are syn cookies. If the proxy knows how to compute them, it could work.
18:43 < tds> Wulf: if there's a jool mailing list/similar, it may be worth asking there
18:43 < tds> since those will be the people who have experience with implementing half of this
18:49 < dnanib> Doesn't haproxy do something like that?
18:49 < dnanib> (accept() a tcp connection, recv the client hello and then ask the kernel to NAT it somewhere else)
18:50 < Wulf> dnanib: not that I know of.
18:52 < dnanib> There was some iptables magic involved. If this discussion is about the feature I'm thinking of.
18:52 < Wulf> There's "TPROXY", but not sure how it works
18:54 < Wulf> https://github.com/torvalds/linux/blob/master/Documentation/networking/tproxy.txt
18:56 < Razva> guys I'm going crazy here. I'm trying to make an iperf on two machines, with no firewall, and it just throws me "connect failed: No route to host". I've tried to specify the IP, another port, nothing.
18:57 < dnanib> Both nodes on same subnet? Could be iptabled.
18:57 < dnanib> iptables
18:57 < Razva> two different subnets
18:57 < dnanib> Then of course, look at the router between the two subnets :-)
18:58 < dnanib> Do a traceroute from one host to the other, to start with
18:58 < Razva> ping works, traceroute works
18:58 < dnanib> Hmm. Firewall most likely. Tried tcptraceroute?
18:58 < tds> Wulf: I guess it may also be worth asking in #Netfilter (and #haproxy if it exists?), people there may be more familiar
18:59 < Wulf> tds: I might when I decide that I actually want/need those features. Which is unlikely :)
19:00 < Razva> dnanib: tcptraceroute works as well
19:00 < tds> Wulf: fair enough, I can imagine you need to hit quite high traffic levels before handing it in userspace starts to become an issue
19:01 < dnanib> What was your tcptraceroute invocation?
19:03 < dnanib> It was: mark incoming traffic to the loadbalanced/proxied service via the mangle table; use policy routing to route the marked packets differently, some haproxy config stuff, mandatory routing of return traffic through the haproxy box. Sorry can't be clearer than that. I looked this up many years ago
19:05 < Wulf> tds: I'm hoping for lots of traffic. But there are tighter bottlenecks.
19:05 < Razva> dnanib: can you please check PM?
19:06 < tds> Wulf: adding more proxies would also likely be an easier solution (at least to start with)
19:10 < krzee> Razva: i agree with them that its either routing or firewall
19:10 < krzee> since you can ping, firewall
19:11 < Razva> yeah, tried on 6 different machines on different ISPs
19:11 < Razva> iperf -s on server, iperf -c server.ip -d
19:11 < Razva> doesn't works on any
19:11 < Razva> so either iperf is broken on Centos7 repo or the commands changed :\
19:11 < krzee> iptables-save -c
19:12 < tds> I'd also check if you're able to open udp connections between the same machines on the same port with netcat or something
19:12 < tds> in case you're doing policy routing of udp only or something crazy like that
19:13 < krzee> well policy routing of udp only would be in the firewall wouldnt it?
19:15 < tds> can't you do it based on ip protocol with ip rule iirc?
19:15 < krzee> ya but that would effect ping
19:16 < tds> yeah, option is ipproto, so you could make it policy route only udp and not icmp
19:16 < krzee> but udp only afaik youd need to use the firewall
19:16 < tds> seems a bit unlikely though
19:16 < krzee> oh im missing that in ip rule add help, believe you tho i know theres a lot of options lol
19:17 < tds> yeah, it wasn't in the man page on my desktop for some reason, you can see it here though: http://man7.org/linux/man-pages/man8/ip-rule.8.html
19:17 < krzee> hey there it is!
19:17 < tds> :)
19:19 < krzee>               protocol PROTO
19:19 < krzee>                      the routing protocol who installed the rule in
19:19 < krzee>                      question.  As an example when zebra installs a rule it
19:19 < krzee>                      would get RTPROT_ZEBRA as the installing protocol.
19:19 < tds> ah, hadn't noticed it can do that before, neat
19:19 < tds> but the option I was thinking of is ipproto
19:20 < krzee> oh right
19:21 < krzee> hah he left the channel *shrug*
19:21 < krzee> thats what i get for lifting my /ignore on webchat hosts
19:22 < krzee> was going to tell him to include ip rule show, but my client wouldnt tag him lol
19:26 < shtrb> What is TXT records with TM_MDM_SERVER=IP ?
19:28 < dnanib> TM = Trend Micro. MDM = Mobile Device Manager or some such. Basically their suite of mobile security products.
19:30 < shtrb> thanks , now I'm even more clueless :)
19:32 < ntd> shtrb, mdm: mobile device management. your employers way of tracking/"managing" your phone :)
19:33 < ntd> never accept a corp phone :)
19:34 < shtrb> It's a landline :D
19:34 < shtrb> actually SIP client
19:34 < shtrb> in a fancy box
19:34 < dnanib> But the TXT record is in some sort of DNS server, right?
19:37 < shtrb> dnanib, I thought TXT records are info only (not actual servers)
19:38 < dnanib> TXT records are just that; text. Different systems use those for different purposes.
19:38 < dnanib> Since it is free text you can put in anything there
19:38 < shtrb> so I don't understand your question
19:39 < dnanib> Hmm. I was asking where you encountered this TXT record that specified a TM_MDM_WHATEVER
19:40 < shtrb> ah , dig`ing a domain (which I have issues to connect to )
19:42 < shtrb>  dig -t ANY +noall +answer service-provider-gateway.corp.com
19:44 < Apachez> ERROR: service-provider-gateway.corp.com not found
19:44 < dnanib> Yep. So that is what I said too. Your dig contacted a DNS server and the TXT record was configured there.
19:44 < shtrb> that was an example ... (not the actual domain)
21:00 < Wixy> Is anybody familiar with load balancers and/or with Cloudflare?
21:01 < fryguy> Wixy: just ask the question you really want to ask
21:03 < Wixy> The thing is I'm running some real time application on a server (one of the many around the world), that I know is on the same region a 3rd party server I use. the problem is cloudflare is in between and I want to understand more how it works, with the intention of somehow getting rid of it (if possible) and connect to the server directly
21:03 < Wixy> when I open a socket and establish a connection to 3rdparty.com, that domain actually points to cloudflare
21:03 < Wixy> so I connect to them, and I'm guessing all the traffic pass through them?
21:04 < Wixy> that's probably adding 5-15ms to my latency
21:04 < electricmilk> Darn HP switches. Running HP-2530-48-PoEP and the clock keeps settings back to the incorrect time.  I set the time from CLI. Type show time and its correct..then a few minutes later it goes back to incorrect time but has the right date.  Confirmed NTP is not enabled. Any ideas?
21:04 < electricmilk> Possibly I need to set the time zone??
21:05 < tpr> Wixy: it works as a reverse (maybe caching) proxy for web-sites
21:06 < Wixy> tpr, is it possible to get rid of it?
21:06 < Wixy> not sure I can somehow get the ip of the real server
21:07 < Wixy> this latency is killing my application, I need to find a way around it
21:08 < electricmilk> ah yea it looks like the timezone did it
21:08 < electricmilk> darn HP switches ugh
21:08 <+catphish> Wixy: the only solution is to contact the owner of the other site and ask for a direct connection, they will likely refuse though
21:09 <+catphish> Wixy: there is no way you can connect to the backend server without asking for its address
21:09 < fryguy> Wixy: i'm sure cloudflare is adding less latency than you think, and one of the main points behind cloudflare is to explicitly hide what the origin ip address is
21:09 < Wixy> they added cloudflare recently, I know the latency was way lower a few weeks ago
21:10 <+catphish> Wixy: 5-15ms is pretty negligable in most http applications
21:10 < Wixy> I know, but not for me
21:10 <+catphish> what are you doing?
21:10 < Wixy> the latency I'm seeing right now is 24ms on avg
21:11 < Wixy> so even 10ms is nearly half of that
21:11 <+catphish> in any case, all tou can do is contact whoever runs the service, tell them your latency has increased, and ask if you can have a more direct connection
21:11 <+catphish> *you
21:11 < Wixy> will do, I doubt they'll do anything as you mentioned
21:11 < Wixy> and btw, I think maybe there's a workaround
21:12 < tds> you may be able to try connecting from multiple locations, and work out where the backend server is hosted from the latency
21:12 <+catphish> there's no workaround unless you know the IP of the backend server
21:12 < tds> well, unless you can persuade it to tell you I guess
21:12 < fryguy> tds, assuming that anycast DNS doesn't affect that
21:13 <+catphish> they may tell you if you ask
21:13 < Wixy> I know in this region they have 100s servers, all requests goes through the same socket so one I establish the connection that's it. but what if I connect many times, checking what the latency is on each socket, and keep the one with the lowest?
21:13 <+catphish> some people use CF to hide their servers, many just use it as a CDN so they may not mind
21:13 < Wixy> that should work I believe, provided with enough trials I'll be connected to one server that is the closest to me
21:13 < Wixy> don't know, what do you think?
21:13 <+catphish> that seems insane
21:13 < Wixy> why?
21:14 < Wixy> I can try opening let's say 100 connections, and keep the one that is the closest
21:14 < Wixy> the fastest *
21:14 <+catphish> i can't think of any reason why that would work
21:15 <+catphish> but even if it did, thats crazy hacky, compared to just discussing the matter with the provider
21:15 < Wixy> why wouldn't that work? if I open one connection, CF would connect me to server A, I open another one, now it's server B
21:15 < Wixy> server B may be on the same datacenter my server is
21:15 <+catphish> sure, but i don't see why one backend serve would be consistently faster than another
21:15 < Wixy> catphish, I will discuss the matter with this company, I just don't think they'll give me a special deal
21:15 <+catphish> it just doesn't seem likely someone would loadbalance between different data centres in that manner
21:16 <+catphish> especially in a scenario where dynamic data is involved
21:16 < tds> fryguy: I worded that badly, I just meant that cloudflare is anycast but may always be proxying to the same backend server, so you can compare the latency of requests between locations and work out where the backend servers are
21:16 <+catphish> its not impossible, just unlikely
21:16 < tds> that's assuming it's all through to a single backend server though, and it sounds like that's not the case
21:16 < Wixy> I want to understand why it wouldn't work.
21:16 <+catphish> and you'll likely always hit the closest cloudflare proxy anyway
21:16 < Wixy> can you explain further please?
21:16 < fryguy> i'm not even sure what we are trying to make work?
21:17 < fryguy> some mythical low-latency connection to some server that we know nothing about?
21:17 <+catphish> i dont understand why they'd be loadbalancing between backends in different data centres
21:17 < fryguy> i'm not sure we can possibly provide fewer details
21:17 <+catphish> but even if they were, you'd still have to go via cloudflare, which is what you said was the problem in the first place
21:17 < UncleDrax> now that's what I call a Sticky situtation!
21:18 < Wixy> <catphish> i dont understand why they'd be loadbalancing between backends in different data centres
21:18 < Wixy> I see your point, maybe they don't ^
21:18 <+catphish> what is the service anyway?
21:18 < Wixy> it's binance api
21:18 <+catphish> i'm intrigued to know what you need sub-10ms http for? crypt currency trading?
21:18 <+catphish> that's pretty much the only use case i see for this :)
21:18 < Wixy> :)
21:19 < tds> is api.binance.com meant to be a welcome to nginx page? ;)
21:19 <+catphish> i'm sure they are aware people want low latency
21:19 <+catphish> to contact them, complain it's increased, see if they can help
21:19 <+catphish> *so
21:19 < UncleDrax> ugh day trading. /unsubscribe
21:20 < Wixy> they added CL for a good reason, I really really doubt they're going to do anything about it
21:20 < Wixy> but you're right CL is probably balancing between many servers on the same datacenter
21:20 < Wixy> so in that case I understand any server would do just fine, right?
21:20 < Wixy> I mean, if I connect to a server that is low in load, then fine, I get a fast connection
21:21 <+catphish> Wixy: one thing *you* can do is test the response time from as many places as possible, get close to the CF proxy that's close to the backend!
21:21 < Wixy> but CL will start sending more clients there, and it'll... balance and average
21:21 < Wixy> catphish, you're a genius
21:21 < tds> nasty thought, you could probably try and work out where the backend(s) are with ripe atlas
21:21 <+catphish> Wixy: i am, but this is still a tedious process :)
21:22 < Wixy> actually if I cannot get rid of CL, it makes a lot of sense of getting close to THEM not to the server itself
21:22 < fryguy> required watching: https://www.youtube.com/watch?v=kpvbOzHUakA
21:22 < adleff> asked before didn't get any hits
21:22 <+catphish> Wixy: exactly
21:22 < tds> you want to be closest to a cloudflare node which is closest to a/the backend
21:22 < adleff> does anyone knows if Link Fault Signaling is mandatory on 10G interfaces?
21:22 < adleff> I'm wondering if UDLD or whatever vendor equivalent is really necessary on 10G optics
21:23 <+catphish> api.binance.com is slow as fuck from here
21:23 < tds> Wixy: also, just to confirm, how are you measuring latency?
21:23 < Wixy> it's 19ms-30ms with a confidence interval of 99.9% here
21:23 < tds> since pinging the cloudflare ip will only get you half the picture
21:23 <+catphish> 400ms from here!!
21:23 < DammitJim> for WiFi AC5300...
21:24 < DammitJim> what is the potential speed between a laptop and an access point?
21:24 < Wixy> tds, I'm actually sending requests and measuring round trip times
21:24 <+catphish> wherever that server is, it sucks :)
21:24 < tds> cool, just thought I'd make sure :)
21:25 < Wixy> I know they're in just one location in AWS
21:25 < Wixy> err, I mean region
21:25 < fryguy> api.binance.com is also cloudfront, not cloudflare...
21:25 < Wixy> but I'm guessing they hav emultiple datacenters there right?
21:25 <+catphish> oh yeah
21:26 < Wixy> you're right
21:26 <+catphish> well i'm 1ms from cloudfront, and a request to api.binance.com takes 350ms :)
21:26 <+catphish> so, i guess they're a LONG way from cloudfront's london proxies
21:26 < Wixy> yep, they're in Tokyo
21:26 < Wixy> you're right, it is cloudfront!
21:27 < Wixy> does it change anything we have been talking?
21:27 <+catphish> no
21:27 < fryguy> i'm in eastern US and getting pings of 12ms and making http requests in 70
21:27 <+catphish> same thing applies, get as close to the tokyo cloudfront as possible, or ask for direct access
21:27 < fryguy> so i'm pretty sure it's not actually in tokyo
21:27 <+catphish> i get ping of 1ms and https in 350 :|
21:28 < fryguy> oh, it's doing the tls redirection at the edge instead of at the origin, I see
21:28 < tds> hah, that would do it
21:28 <+catphish> https://paste.ubuntu.com/p/W8pFDh2FDN/
21:28 <+catphish> fryguy: yep
21:28 < fryguy> also seems like their caching is off and they are sending the wrong headers, since static pages are always a miss on cloudfront
21:29 < fryguy> aka, some pretty basic mistakes going on here
21:29 <+catphish> its an API, there'd be no point caching
21:29 < fryguy> catphish: why not
21:29 <+catphish> it's an authenticated realtime data API
21:29 <+catphish> it's just not gonna get cached
21:30 < fryguy> hrmm, maybe
21:30 < Wixy> btw, may that happen that amazon has multiple datacenters in tokyo and my instance is running in the wrong one?
21:30 < Wixy> that would also explain why the latency has increased
21:30 <+catphish> Wixy: you can easily trace the route to the proxy
21:30 <+catphish> and then gete closer :)
21:31 < fryguy> there are multiple availability zones in tokyo
21:31 < Wixy> http://paste.debian.net/plain/1029948
21:32 < tds> surely you can do better than that :)
21:32 < Wixy> it's 30 hops away
21:32 <+catphish> that's a really poor route
21:33 <+catphish> that's 20, not 30
21:33 <+catphish> but that's poor
21:33 < Wixy> why does it say 30 at the top?
21:33 < Wixy> well, that's not the point, it's a lot of hops anyway
21:33 < fryguy> max
21:33 <+catphish> mine is 9 hops away, and only 1ms
21:33 <+catphish> the time is more important than the hop count
21:33 <+catphish> "30 hops max" max means max
21:34 <+catphish> but it reaches it in 30
21:34 < Wixy> <catphish> mine is 9 hops away, and only 1ms
21:34 < Wixy> from london? wtf?
21:34 < tds> that's just to the proxy though
21:34 <+catphish> that's just to cloudfront's london proxy
21:34 < tds> I'm seeing similar latency from london, http requests are super slow though
21:34 < Wixy> oh I see
21:34 <+catphish> it's another 350ms for an actual https request
21:35 < Wixy> so any idea about how to get it better?
21:35 <+catphish> i wonder why it takes so many hops (8) to get though amazon's network
21:35 < Wixy> (not just a better route to the CF proxy, that won't help unless the CF server is close to the real server)
21:35 <+catphish> i guess amazon use a LOT of routers, but they're fast
21:35 < qman__> You can't, the rest is up to them
21:36 <+catphish> you can't move CF closer to the destination
21:36 <+catphish> well actually you can
21:36 < tds> I see quite a few hops that don't reply with ttl expired inside amazon, which is interesting
21:36 < Wixy> but there are multiple CF, I need to fine the closes to the destination, not move it
21:36 <+catphish> by finding a closer CF proxy
21:36 < Wixy> that's what I meant
21:36 <+catphish> yeah, you need to find the closest one, then get as close to that as possible
21:36 <+catphish> as i said earlier
21:37 < Wixy> I know, but that's an abstract plan, I need steps :P
21:37 < Wixy> ie, I don't know how to do that
21:37 < qman__> fire up instances in each region and test
21:37 <+catphish> mostly trial and error and guesswork
21:37 < Wixy> but I know the region, it's in northeast-1
21:38 < tds> being able to run vms inside the provider's network charged hourly is a pretty ideal situation for this kind of thing :)
21:38 < Wixy> there ther eshould be the closes CF and the actual server
21:38 < Wixy> closest*
21:38 < qman__> Cloudfront by its nature is nit particularly low latency
21:38 < Wixy> I mean, it's impossible that they don't have a CF in tokyo, right?
21:39 <+catphish> you may be able to negotiate something better with binance though, plus their API is new, they may be keen to improve things
21:39 < fryguy> they do have CF in tokyo
21:40 < Wixy> then why it takes 20 hops to reach it? it's probably even running on the same datacenter my instance is running
21:40 <+catphish> it's probably not
21:41 < fryguy> because cloudfront is on the edge, so what's happening (among other things), is your traffic goes OUT of your data center, out to cloudfront, and then back into the datacenter
21:41 <+catphish> amazon have a lot of hops, but not 20 in the same DC
21:41 < fryguy> and it's probably only sometimes in the same datacenter, since there are multiple availability zones, and depending on what cloudfront is hooked up to, might be making connections to multiple different AZs per request
21:41 <+catphish> and again, hops is not key, latency is
21:42 <+catphish> wait, are you on EC2?
21:42 < Wixy> yes
21:42 <+catphish> if so, you really should be able to get close to CF, they're both run by amazon
21:42 < fryguy> catphish: he put an EC2 instance in tokyo trying to get a better connection to this
21:42 <+catphish> well all you can do right now is try different zones
21:42 < Wixy> let me see if I'm getting it right. we all (my instance, binance and CF) are running on the same region, but we may be in different availability zones
21:43 < Wixy> what I need to do is try different AZ until I get one with the least number of hops
21:43 < fryguy> yes, and it's extremely likely that binance has multiple servers spread across the availability zones
21:43 < Wixy> ie, closest to a CF proxy
21:43 <+catphish> not least hope, lowest latency
21:43 <+catphish> *hops
21:43 < Wixy> well, that
21:43 < Wixy> I agree
21:43 < tds> it's worth testing latency of http requests as well while you're at it
21:44 < tds> since that's what you actually care about
21:45 < Wixy> right, actually I was going to ask just that. I'm not sure what number of servers they have or what number of proxies CF have, but it may be the case that the closest CF proxy is not the closest to one of binance servers right?
21:45 < tds> sure, that's possible
21:45 < tds> just try various locations and see how it goes :)
21:45 < fryguy> it depends on the request, it's going to be load balanced across multiple backends
21:45  * catphish knits now
21:45 < Wixy> so I should definitely check the latency to binance in different availability zones, not the latency to CF in a traceroute
21:46 < fryguy> different availability zones isn't going to help you
21:46 < fryguy> (probably)
21:46 < Wixy> why not?
21:46 < fryguy> because binance is going to have servers in each availability zone, and cloudfront is going to load balance across all of them
21:46 < qman__> The connection is indirect anyway
21:46 < fryguy> again, (probably)
21:47 < Wixy> if that's the case I should be the closest to CF, regardless of it being the closest to one of binance servers
21:47 < fryguy> Wixy: cloudfront isn't just one server
21:47 < fryguy> there's going to be multiple cloudfront servers as well, spread across the availability zones
21:48 < Wixy> I know, I meant the closest to one of CF servers
21:48 < fryguy> DNS is going to have you be equally close to multiple CF servers, probably across AZs
21:49 < Wixy> ok, I'll do some tests and come back with actual numbers. thank you all!
21:49 < Wixy> quick last question, what number of hops would be "normal"? you said 20 was too many, catphish
21:50 < Wixy> out of curiosity, I know it's not that important
21:52 < fryguy> 10-20 hops is pretty normal for an internet service like this. if you can bypass cloudfront and get the equivalent of a "peering" agreement (HUGE emphasis on quotes around peering there), you'd be <5 hops
21:52 < matt|class> hi. couple questions.. the place im moving to requires uh.. fiber optic internet and it's been a while since i've done any setup.
21:52 < Wixy> got it
21:53 < matt|class> the ISP will provide me with what most likely.. modem/router combo? do i need a modem for fiber optic?
21:53 < fryguy> no moderm for fiber optic
21:53 < matt|class> just a router
21:53 < tds> it seems that cloudfront have lots of hops inside their network anyway, as catphish mentioned earlier
21:53 < fryguy> probably, depends on how things are set up
21:53 < tds> ie from london I've got amazon's router on lonap as my second hop, but don't hit the actual cloudfront proxy until hop 11
21:54 < UncleDrax> or a Fiber->Copper media convert if you need it as a copper handoff
21:54 < tds> still nice and fast though, <1ms :)
21:54 < matt|class> mkay. well im doing the majority of the setup for security reasons.. now i want to separate myself from the people im sharing the network with -as much as possible- (my roommates). what is the easiest/cheapest method to do this? can i just buy something like a switch that has uh.. what's it called, different domains or vlans or whatever
21:54 < matt|class> and be done with it?
21:55 < UncleDrax> matt|class: what is the ISP physically handing you to connect with? and what is the service that comes out of it (Internet?)
21:55 < matt|class> i don't know yet, it hasn't been set up. all i have is the name of the ISP provider
21:56 < matt|class> let me check if they list anything
21:56 < bray90820> Not sure if this is the right channel for this but how would I create a loopback exemption for a windows 10 app
21:56 < fryguy> matt|class: what is the provider?
21:56 < fryguy> is it a residential thing like comcast gigabit or verizon fios, or frontier, or somebody else?
21:57 < matt|class> something called fision hotwire. shitty horrendous reviews, but it's required for the location
21:57 < matt|class> never heard of them down here honestly
21:57 < UncleDrax> ya is that *something else a Dorm-style campus housing thing
21:57 < matt|class> https://gethotwired.com/
21:57 < tds> "EXPERIENCE THE POWER OF FIBER OPTICS" lol
21:58 < matt|class> okay. im really hoping this data isn't capped because it's telling me 20 mbits a second and "up to 1 gigaBIT of data" <-- if that's true and the monthly allotment
21:58 < matt|class> im going to shove my roommates heads up their asses for making me do this
21:58 < UncleDrax> tds: ya.. marketing people are idiots
21:59 < matt|class> fryguy - their website tells me nothing.
21:59 < tds> I'm in a similar situation though, I just have the shared network on a isolated vlan, my routers have interfaces on that vlan and establish vpn connections over it, but all the actual traffic goes via my own routers over the vpn
22:00 < tds> also means that you can nicely move your own network around between different providers, stick it behind some nat mess, whatever, and everything will just keep working
22:00 < Apachez> Microsoft.WindowsAzure.Storage.Core.Executor.Executor.ExecuteSync(RESTCommand`1 cmd, IRetryPolicy policy, OperationContext operationContext) in c:\Program Files (x86)\Jenkins\workspace\release_dotnet_master\Lib\ClassLibraryCommon\Core\Executor\Executor.cs:677
22:01 < fryguy> matt|class: you are gonna be in for a bad time
22:01 < UncleDrax> matt|class: so ISP aside, you're bsically going to move into a house, get a common uplink, and you want to basically create a house-wide network and isolate each user?
22:01 < UncleDrax> tryign to make sure I understand the scope of the question
22:01 < matt|class> tds - well.. my primary concern is that this is for work, and i have no idea what kind of bullshit sites my roommates visit or what activity they have. i want their network to be as far away from mine as possible with the least likelihood of something like:
22:01 < matt|class> them being infected by a super advanced worm or something , as long as im not touched by it
22:02 < matt|class> im going into extremes here but
22:02 < matt|class> fryguy - why do you say that?
22:02 < UncleDrax> sure, but sounds like you want to basically run your own enterprise network inside the house right?
22:03 < fryguy> oh, if you just care about the internal stuff, then yah just do vlans. pretty straightforward, especially if things are wireless
22:03 < matt|class> something like that i guess. if i plug them into their own vlan separate from mine, they can't touch me right?
22:03 < UncleDrax> ya - and most switches have some sort of VLAN isolation / Private VLAN or something. but you will likely need to talk to the same Router.. so there'll be some muckery with side of it.
22:03 < tds> well at that point they'll be completely isolated at layer 2, you'll need a router with interfaces on multiple vlans if you actually want to reach the internet though
22:04 < fryguy> it becomes a firewall question at that point, they'd have to go through a router/firewall to touch you
22:04 < Phil-Work> matt|class, a lot of switches support port isolation
22:04 < Phil-Work> so ports in the same VLAN can only "talk" to a defined set of ports (usually the one connected to the router)
22:04 < Apachez> its named differently
22:04 < Apachez> most manageable switches supports this
22:04 < Phil-Work> or you can do different VLANs, but that's a bit more of a faff
22:04 < matt|class> well im looking at the cheapest most practical method. if im being given a router by the ISP it's very likely it'll only have one port to plug a switch into
22:04 < Apachez> called port isolation, protected vlan etc
22:04 < Apachez> private vlan is a different thing
22:05 < adleff> cisco has a feature called protected port which is much easier to do than private vlans
22:05 < adleff> and would achieve isolation without multiple subnets
22:05 < matt|class> so just to make sure i understand it correctly..
22:05 < tds> for that situation I guess you have to make sure that the router won't reflect traffic back between devices on the same subnet as well
22:05 < Apachez> adleff: thats protected vlan
22:05 < Apachez> aka "switchport protected"
22:05 < matt|class> if i buy something like a cheapass old cisco switch or whatever that has vlans, i can just plug the output port into the router, and myself on one vlan and them in another vlan and that'll just work? or is it more complex than that
22:05 < Apachez> an interface which is "switchport protected" cannot speak to other "switchport protected" within the same vlan
22:06 < Apachez> on the same unit that is
22:06 < adleff> Apachez, is that not....what I said?
22:06 < UncleDrax> matt|class: it's more complicated
22:06 < Apachez> common rookie mistake is that you forget acl's
22:06 < matt|class> aight
22:06 < tds> matt|class: that'll get you all isolated, nobody will be able to reach the internet though ;)
22:06 < Apachez> so clients at sw1 cannot speak to another client at sw1
22:06 < matt|class> what cost am i looking at for a switch..
22:06 < Apachez> but they can speak to all clients at sw2
22:06 < Phil-Work> matt|class, more complex. The router needs to be in both VLANs which means you need two subnets on the router and (probably) 802.1q support on the router
22:06 < Apachez> and clients at sw2 cannot speak to another client at sw2
22:06 < Apachez> but they can speak to all clients at sw1
22:07 < Apachez> because protected vlan is only within a switch
22:07 < UncleDrax> matt|class: so actually depending on the number of ports, this might all be things you can do in a single $60 Mikrotik or something. how many room-mates?
22:07 < Phil-Work> matt|class, how fast is the proposed Internet connection?
22:07 < matt|class> 2 + me
22:07 < matt|class> according to the website 20 mbits download, dunno upload speed
22:07 < UncleDrax> ya.. we're in $60 MT land
22:08 < Phil-Work> so you can get away with a 100mbit switch - they're 10 a penny on eBay
22:08 < Phil-Work> you can get 48 port Ciscos for $30
22:08 < matt|class> mkay. that's not too terrible.
22:08 < Phil-Work> albeit they're maybe a bit louder/hotter than you'd be comfortable with
22:08 < matt|class> it's going in one of their closets, i don't care
22:09 < UncleDrax> at this point, I would contact the ISP and specifically ask what is provided HW/demarcation. call thier hell desk and tell them you're new user just waitintg for service and you want to know what is compatible or provided.
22:09 < jge> hey all, got a quick question regarding 802.3ad the ieee presentation here: http://www.ieee802.org/3/hssg/public/apr07/frazier_01_0407.pdf (Slide 7) says it does not increase bandwidth for a single conversation, is this for a single TCP stream or source mac ?
22:09 < UncleDrax> if they only provide a media-converter and you have to have a Router anyway, then that changes what you need to buy
22:10 < Phil-Work> jge, depends how it's hashed on the devices
22:10 < matt|class> UncleDrax - yeah. the apartment has a wall panel where theoretically everything's supposed to be connected but it's screwed on.. i can only assume that's the dmark point for them. so it'll be a few days i guess
22:10 < Phil-Work> most these days will hash layer 4 so you may get different links for different TCP flows
22:10 < matt|class> since im moving on the 30th
22:10 < Phil-Work> then again, two flows may hash to the same thing and share a link
22:10 < UncleDrax> jge: in short, as the convo prob says, if you LACP 4x 1G links, no single conversation (again by hashing method) can be > 1 Gigbit in size.
22:11 < linux_probe> more like "link aggravation"
22:11 < UncleDrax> matt|class: ya.. seriouslly call thier hell/help desk and just ask
22:11 < jge> Phil-Work: I wonder what it is on Juniper QFX switches
22:11 < UncleDrax> 'What is your standard demarcation device?' once you get a model/make, you can figure the rest out via spec-sheet
22:11 < matt|class> mkay
22:12 < Phil-Work> jge, it's configurable
22:12 < Phil-Work> sec
22:12 < jge> I remember reading is L2 by default
22:12 < matt|class> i haven't even set them up yet, i'll do it this week. thanks for the help guys
22:12 < jge> UncleDrax: got it, I'm just not sure what they mean by single conversation..
22:13 < matt|class> dnet: Failed to open device lo0 <-- unrelated.. trying to nmap my class's network.. im guessing this is probably related to priveleges?
22:13 < Phil-Work> jge: https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/interfaces-lag-hashing-fields-configuring.html
22:14 < jge> I read that as single streams, I have a 20G MC-LAG (Juniper here) to a bonded 20G interface on a linux server but they're only seeing 10G (it only ever uses one leg of the MC-LAG)
22:15 < jge> it's a load balancer, and I noticed that all traffic is being generated by a single host behind this load balancer
22:16 < linux_probe> sounds like someone has learned the pitfalls of LAG
22:21 < Lope> is UTP and STP the only type of wired network that exists today?
22:21 < Lope> Many years ago I used to setup daisy chain networks, with BNC connectors, 10mbit using PCI network cards.
22:21 < jge> The set up looks like this: https://ibb.co/m0hDaJ
22:22 < Wixy> what? I still didn't change the AZ of my instance and now traceroute reports 14 hops to CF (instead of 20 as before). how is that possible?
22:22 < Lope> That involved running a lot less cable than star configuration required by UTP these days, and often 10mbit was plenty fast enough.
22:23 < jge> I see traffic hitting the load balancer only on a single leg, returning on another , never using both
22:23 < Lope> https://www.ebay.com/sch/i.html?_nkw=bnc+network+card
22:23 < jge> and 10Gs of traffic coming only from a single backend server, same source mac, that's why I was asking whether this is expected..
22:23 < Phil-Work> jge, those two switches are clustered?
22:24 < Phil-Work> also, what OS is the LB?
22:24 < jge> Phil-Work: you could say that yea, juniper calls it MC-LAG
22:24 < jge> HA-Proxy
22:25 < Phil-Work> jge, on Linux?
22:25 < jge> HA-Proxy admin went as far as changing his hash algo to layer2-3 but still the same
22:25 < jge> That's right Phil-Work
22:26 < Phil-Work> jge, Linux supports "bond_xmit_hash_policy layer3+4" with ifenslave
22:27 < Phil-Work> that'll hash per TCP flow, which sounds like what you want here
22:27 < jge> but I thought l3-4 algo is not 802.3ad compliant
22:28 < Phil-Work> it works fine here with EX series switches
22:28 < UncleDrax> jge: a conversation is just an exchange of data between two endpoints. for HTTP it'd be your browser to www.example.com TCP Port 80.
22:28 < UncleDrax> jge: but for LACP, it's more about how you do hashing
22:29 < Apachez> no hash, no heroin ;)
22:29 < Apachez> no coke... dumdumdidum... dr alban!
22:29 < UncleDrax> jge: if you're doing hashing by L2, Server-to-Server conversation will only every use 1 link (in a simple example)
22:29 < Apachez> https://www.youtube.com/watch?v=4uPDfuC3Jck
22:31 < Phil-Work> jge, looks like on QFX the default hash mode is "l2-payload" which seemingly  goes down to L4 source/dest port which is what you want here
22:31 < jge> UncleDrax: that may explain why I'm seeing it only ever traverse one leg, all that 10G traffic is coming from the same server
22:31 < Phil-Work> unless you explicitly disabled some stuff per https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/interfaces-lag-hashing-fields-configuring.html
22:31 < grimm665> Can anyone help with what seems to be an ARP problem? I am having an issue very similar to this one: https://superuser.com/questions/1294114/after-some-time-has-passed-no-arp-requests-from-any-device-get-an-answer-over-w
22:31 < UncleDrax> jge: yeap, very likely the case.
22:32 < grimm665> No ARP responses seen by Wireshark over wifi after about 30 minutes. Ethernet seems to be unaffected.
22:32 < jge> backend server that is, juniper has this explanation for how it does hashing by default: By default, the hashing algorithm uses the values in the destination MAC address, Ethertype, and source MAC address fields in the header to hash traffic on the LAG
22:32 < jge> Phil-Work: hmm, yeah nothing we changed or disabled
22:33 < Phil-Work> change the haproxy server to hash layer 3+4 and see if that makes a difference
22:33 < furi> Does anyone have any ideas what could cause TCP to lose data when sending large data (5 MiB - 100 MiB) over the loopback? Wireshark is showing the following anomalous packets: TCP retransmission, TCP spurious retransmission, TCP Dup Ack, TCP Acked unseen segment, TCP previous segment not captured and I'm not getting all the data I'm supposed to at the other end
22:34 < jge> Phil-Work: yeah, we'll give that a shot.. although that disclaimer of not being fully complaint scares me a bit ;)
22:35 < Phil-Work> it depends on your traffic profile
22:35 < Phil-Work> for TCP traffic, you'll be fine
22:35 < jge> these guys using the server push +10Gbps over my network
22:35 < jge> bastards
22:35 < jge> :)
22:35 < Phil-Work> you need to be careful with the hashing when you care about the order that the packets arrive in
22:36 < Phil-Work> TCP handles out of order packets so you'll be fine doing 3+4 with HTTP
22:39 < jge> cool, will try that Phil-Work thank you both for the help
22:47 <+catphish> well tonight i learned how to knit :)
22:47 <+catphish> good times
23:36 < bray90820> If I wanted to connect my windows 10 tablet to my home network without connecting it to the internet would I just change the DNS?
23:36 < adleff> are you herkin' the derky
23:36 < bray90820> ?
23:41 <+catphish> bray90820: you'd remove the default gateway
23:41 < bray90820> catphish: Thanks
23:41 <+catphish> this will stop it sending any data out to the internet, but lan will still work
23:41 < Apachez> not sure whats going on here but I dont get any good vibes :S https://i.imgur.com/nhvZQ7B.gifv
23:42 <+catphish> trash clearing :)
23:42 < adleff> catphish, that might not work, the tablet might just send ARP for any ip
23:42 < adleff> and if the router is doing proxy arp ...
23:42 < tds> if the network has ipv6, remember to disable whatever your OS uses for receiving RAs and setting routes from that
23:42 <+catphish> adleff: it won't
23:43 <+catphish> adleff: afaik no OS will send arp for things it has no route to on a random interface
23:43 < tds> I guess if you made it a /0 on-link it would, but that's just stupid
23:43 < adleff> are you sure about that catphish :)
23:43 <+catphish> yes
23:43 < adleff> not all ip stack implementations are exactly the same
23:43 <+catphish> maybe some weird homebrew stack
23:43 <+catphish> but not windows/linux/bsd
23:43 < grawity> and then there's http://www.networksorcery.com/enp/protocol/bootp/option027.htm
23:43 < adleff> it sounds wrong, but I have seen unexpected behavior with host routing and ARP before
23:44 < adleff> just be careful
23:44 <+catphish> it would be improbable that both these conditions would be true, but not impossble
23:46 < adleff> man I'm doing my first integrated is-is lab
23:46 < tds> huh, only just noticed that my desktop is doing ecmp when it receives two RAs from different routers, that's new
23:46 < adleff> is-is REALLY does not want L1 to have routes by default
23:46 < adleff> there's a lot of manual intervention to make L1 receive L2 and beyond. lol
23:47 < adleff> tds, that's what you'd expect though right
23:47 < tds> network-manager used to set two routes with different metrics
23:49 < grawity> fwiw, Linux didn't *support* showing IPv6 ECMP routes as such until very recently
23:49 < tds> ah, I guess it may just be that then
23:50 < tds> surely they'd have the same metric if it was displaying them incorrectly though?
23:50 < grawity> you could add them, but they'd show up as two separate routes (though with identical metrics, I'm sure)
23:50 < grawity> and maybe your RA client didn't bother using them because it was a pain
23:52 < grawity> actual multipath route support (like IPv4 already had) was added in 4.11
23:52 < tds> ah, this has changed while on 4.15 I think
23:54 < tds> yeah, just tried an out of date ubuntu 18.04 vm, that has two routes with different metrics
--- Log closed Wed Jun 20 00:00:05 2018