--- Log opened Wed Jul 11 00:00:33 2018
00:17 < spaces> ||cw was it you in my bathroom lately ?
00:17 < spaces> didn't I lock the door ?
00:19 < ThatGuyYouKnowTh> So, would this be the right place to ask about, like, dial up?
00:23 < spaces> just ask
00:23 < ThatGuyYouKnowTh> Oh, sorry
00:24 < ThatGuyYouKnowTh> Well, is there an equivalent to ports?
00:24 < ThatGuyYouKnowTh> Like, could I run, say, some HTTP server alongside telnet or whatever along the same phone line?
00:24 < McDonaldsWiFi> Lets say my work has a very restrictive firewall/router and I'm trying to run OpenVPN through it... I tried to run it throug 443 as TCP and it still didn't work..
00:24 < McDonaldsWiFi> any other ideas? :P
00:25 < spaces> McDonaldsWiFi McDonaldsWiFi blocks that
00:25 < McDonaldsWiFi> ;P
00:25 < spaces> only https and https are open there
00:25 < McDonaldsWiFi> I wish I could buy a McBypass
00:25 < spaces> *http
00:25 < ThatGuyYouKnowTh> McDonaldsWiFi: Just break in and replace the router :3
00:25 < McDonaldsWiFi> here's the shit part, its actually AT&T managed LOL
00:25 < spaces> McDonaldsWiFi you get one for free if you eat too much fat there
00:25 < McDonaldsWiFi> management is trying to replace it with something we can manage soon
00:26 < McDonaldsWiFi> but shit I can't get my OpenVPN to work at all -.-
00:26 < McDonaldsWiFi> maybe I can try UDP port 53.....
00:26 < spaces> McDonaldsWiFi you simply can't
00:26 < McDonaldsWiFi> so
00:26 < McDonaldsWiFi> no go 100%?
00:26 < McDonaldsWiFi> No work around at all?
00:26 < spaces> you could try indeed DNS, dunno
00:27 < McDonaldsWiFi> I really thought routing it through 443 would do the trick xD
00:28 < Goop_> So I found an interview of Ajit Pai who was only one of the members from 2015, regarding the Net Neutrality issue. He says that Net Neutrality was not an issue; However, I do remember many articles and YouTubers with "life hacks" that told people that using a VPN would increase performance because ISP's couldn't really analyze the traffic.
00:28 < McDonaldsWiFi> the ISP landscape is a fucking joke :/
00:28 < McDonaldsWiFi> NN is a joke too, its all a buncha shit :(
00:29 < Goop_> Are there any good sources I could find to put on my paper that say ISP's were throttling specific connections, resulting in the Net Neutrality thing in 2015?
01:34 < Johnjay> my battlenet games lag a lot when i also play a youtube vid at the same time
01:34 < Johnjay> even at low res
01:34 < Johnjay> is there some router setting i could tweak to fix this?
01:37 < light> run a speed test
01:38 < UltraPhil> >inb4 buffer bloat
01:40 < Johnjay> why
01:40 < Johnjay> i've already done that a lot
01:40 < Johnjay> i know my internet is bad
01:40 < UltraPhil> so, what's your result ?
01:40 < Johnjay> it's like 1Mbps
01:41 < UltraPhil> there you go
01:41 < UltraPhil> you didn't even need us :P
01:42 < Johnjay> well i want to traffic shape
01:42 < Johnjay> give youtube less priority and the port for bnet more priority
01:42 < Johnjay> is there a way to do that?
01:43 < UltraPhil> multiple, actually
01:44 < Johnjay> i'm using windows
01:44 < Johnjay> do i need to go into the router or can i change a setting in windows?
01:46 < rewt> bottleneck is router, so that's your best bet
01:54 < cluelessperson> Johnjay: 1Mbps cannot do HD video alone
01:55 < E1ephant> just ultra hd
01:55 < E1ephant> super mega hd
01:57 < spaces> E1ephant we already have unlimited HD
01:58 < E1ephant> increase the unlimited hd
02:07 < Johnjay> i never said hd
02:07 < Johnjay> i have it on lowest setting
02:08 < Johnjay> i'm fine with letting it buffer
02:08 < Johnjay> but it still interferes too much with my game
02:09 < E1ephant> yeah outside of shaping it down to 80% of your connection, buy more bandwidth?
02:09 < Johnjay> that's not an option at the moment
02:09 < Johnjay> and also doesn't answer my question
02:09 < Johnjay> can I manually shape traffic in my router or on my pc and if so how?
02:10 < Johnjay> if you don't know just say you don't know
02:10 < Johnjay> it's not a crime
02:10 < E1ephant> >tell me how to configure my device but also guess what kind of device
02:10 < E1ephant> so I would use mind controller
02:10 < E1ephant> given the details provided
02:12 < E1ephant> https://www.juniper.net/documentation/en_US/junos/topics/example/example-configuring-port-shaping.html?
02:13 < Johnjay> i could give you the exact model of my netgear router
02:13 < Johnjay> but i suspect that's not really what you want
02:13 < E1ephant> right, that would be too helpful?
02:14 < E1ephant> https://glazenbakje.wordpress.com/2014/11/03/netgear-utm-traffic-shaping/
02:16 < spaces> E1ephant why that ? POS ?
02:16 < E1ephant> set the shaping numbers to about 80% of your connection, or whatever you can transmit, while still maintaining a reasonable ping time to $random_game_server
02:16 < spaces> E1ephant I hate it when my pr0n scales down, I need the Unlimited, size matters bro
02:17 < E1ephant> that doesn't appear to be a priority in this use-case
02:18 < E1ephant> if it's not obvious in your router's firmware, you probably have to flash it to something that will support such features, if it supports that. Or just limit in windows if it's just your host causing congestion.
02:19 < spaces> E1ephant size always matters
02:19 < E1ephant> does it?
02:19 < spaces> E1ephant yes, what if it does not fit ?
02:19 < Johnjay> hmm, the QoS settings on my router allow specifying priority by device or by service
02:20 < Johnjay> but it doesn't indicate how it identifies the service like skype or msn messenger. i presume by port?
02:20 < spaces> you cannot push a square into a circle as well, ask the apollo13 guys
02:25 < E1ephant> errr possibly? can be by ip, port, pretty much anything in the first 256 bytes of packet
02:25 < E1ephant> /header
03:03  * qgTG 
04:13 < fairuz> Hi guys. Morning. One question how to know for sure if the router is bricked/broken?  I have an Asus RT-AC55UHP. When I turned it on, it has all led except 2.4 and 5Ghz led blinking slowly
04:17 < fryguy> hard reset it using the reset button, connect a machine to the lan port, and try to access it on it's default LAN ip (192.168.1.1 or whatever). if you can't do that, then it's probably dead
04:19 < fairuz> yeah tried several ways to reset it, still blinking the same way
04:19 < fairuz> cannot ping, cannot access using lan either
04:20 < fairuz> the firmware restoration software also failed to detect the router
04:20 < fryguy> good time to buy some new hardware then
04:20 < ruben23> hi guys i have a switch with VLAN capable e.g VLAN10 - 192.168.1.0/24, VLAN11 - 172.16.20.0/24  how do i able to access the Server on VLAN11 using the VLAN10 - any idea guys.? what service should i used.?
04:21 < fryguy> ruben23: you add a route to your router
04:21 < light> ruben23: a router
04:21 < ruben23> yes i have a pfsense already and all teh VLAN are configure to the LAN port, what should be the next step.?
04:21 < fryguy> add a route
04:22 < fryguy> and maybe firewall rules
04:22 < fairuz> thanks fryguy
04:24 < ruben23> coz currently now when i try to access the Server that belong the VLAN11 i cant access it at all, please help
04:24 < fryguy> ruben23: we just told you.  add a route and add necessary firewall rules
04:24 < light> can you access it from pfsense?
04:25 < light> if you can't even ping a machine on that vlan then your interfaces are probably misconfigured
04:25 < light> sounds like you're doing router on a stick right?
04:27 < ruben23> light: yes so this should be a static Routing.? im trying to check pfsense if there is routing function
04:27 < light> pfsense is on both vlans so it already has a route
04:29 < ruben23> light: so you mean once i added both VLAN10 and VLAN1 automatically it has a route.? no need to configure.? coz VLAN10- PC wants to access the Servers on VLAN11
04:29 < light> you don't add vlans
04:30 < ruben23> light: i mean added on the Pfsense Interface and they are active
04:30 < light> check connectivity by pinging to/from pfsense
04:32 < ruben23> light: ok i will now
04:42 < hfp> I almost got ipv6 working properly. The only issue I'm left with is for services that are running in my LAN. For ipv4, I have made a NAT rule that traffic coming in from WAN on port 12345 is to be forwarded to local machine's port 12345. That works very well with ipv4. But with ipv6 it doesn't work, because the WAN address isn't the one running anything on port 12345, and I'm guessing it doesn't know to
04:43 < hfp> forward to the internal machine running the service on port 12345. How do I go about fixing that?
04:43 < hfp> Is there a NAT for ipv6 or is there a better way?
04:43 < Dagger> use the IP of the machine you want to connect to, rather than the IP of the router
04:45 < hfp> I am using a domain name. myservice.exmaple.org is a CNAME to myhome.example.org which is a dynamic dns entry. Its A record is my WAN IPv4, and its AAAA is my WAN's IPv6. Should I make an AAAA record for myserver.example.org pointing to the local machine's public ipv6?
04:45 < hfp> s/myserver/myservice
04:46 < Dagger> yeah, that's the idea. you'll need one hostname for each server
04:46 < Dagger> well. only for services which don't support SRV records, but unfortunately that's approximately everything :/
04:48 < hfp> How would SRV help? I'm not familiar with them
04:50 < Dagger> you can declare that a lookup of example.com:https resolves to, say, backend1.web.example.com:8443
04:51 < hfp> that would be nice
04:51 < Dagger> without SRV records, the service name lookup is done using a hard-coded /etc/services on the client (so "https" is always going to be port 443) and there's no way to redirect the hostname, so the final IP lookup is always against example.com
04:52 < hfp> it looks like my isp makes the ipv6 they give me dynamic, it changes on every reconnection... the ipv4 isn't fixed but it hasn't changed since I'm with them... why would they make ipv6 dynamic?
04:54 < Dagger> because, like most other consumer ISPs, they're crap
04:55 < hfp> also the CNAME for IPv$ and AAAA for IPv6 doesn't seem to work. If I `dig myserver.example.org aaaa`, I'm getting the CNAME to myhome.example.org and its AAAA
04:55 < Dagger> I can understand some users wanting a dynamic prefix, and there's definitely an argument that our software really should be able to handle dynamic addressing without us humans needing to get involved all the time, but it'd be nice to also have an option of not changing the network prefix constantly
04:58 < Dagger> ah, right, you can't mix CNAME with other record types (it doesn't make any sense based on the definition of CNAME)
04:58 < Dagger> you'll need A and AAAA records on myservice.example.org
04:59 < hfp> Yeah I'm reading the only way is to do this or add an IPv6 specific hostname separate from the IPv4 one
04:59 < hfp> i.e. myservice.example.org is IPv4 and myservice-ipv6.example.org is for IPv6
05:01 < hfp> ah what a pain, because this service is *very* particular about the CN matching the cert...
05:03 < hfp> meh, looks like I'd be better off with a tunnel broker... But the last time I tried to get this going I spent hours and had nothing to show for it
05:03 < hfp> because what good is ipv6 if I'm getting a dynamic prefix, I can't do anything with that
05:03 < Dagger> subjectAltName really ought to be supported everywhere by this stage though
05:05 < Dagger> also, you know what would be nice? if common DNS servers allowed you to use hostnames in their zone files rather than just IP literals. that way you could specify "example.com A dyn.example.com" and have it look up the IP, rather than need to hardcode a literal address
05:06 < Dagger> I guess the people writing the servers haven't figured out the benefits of using this "DNS" thingy yet
05:07 < alabaster> I don't know if this is the place to ask but does wireless AC send the same data on both 2.4Ghz and 5.Ghz at the same time. Or I guess some people have it set up to stay on one or the other generally
05:08 < hfp> alabaster: It picks one or the other AFAIK, except for some hardware that teams the 2.4 and 5.0 together for ever moar speed (not 100% sure on that)
05:09 < alabaster> hfp I'm trying to do what a million are trying to do since 2011 and learn security but trying to find a good AC card that isn't a Realtek Chipset is hard to find
05:10 < alabaster> I assume you want both most important modes but having the option to see the 5Ghz range is becoming more essential now a days right?
05:11 < hfp> it depends where you live. in cities, 2.4 is generally unusable; you'd need 5ghz to use your wifi for anything at all
05:12 < alabaster> The Great ORL
05:12 < alabaster> I'm on 2.4
05:13 < alabaster> but i'm not sure if I want to wait to be a stable wifi adapter for testing networks and learning security or buy a wifi adapter with "N" and buy another later
05:14 < hfp> are you poking around wifi networks to try and see how to crack wep etc?
05:15 < alabaster> wep no. Really just my own. But I want to have the ability to grow. Isn't WEP a non challenge??
05:15 < hfp> pretty much
05:16 < alabaster> The internet says by either the atheros, RLT8812au / RLT8814au or Alfa which brand uses the same RLT chipsets
05:17 < hfp> yeah that's what I did when I was looking into that, I got myself a USB wifi adapter to play with kali and aircrack or whatever it was called. It's too hard to find an internal compatible wifi card
05:18 < alabaster> hfp I'm not using the internal. I'm looking to replace my wifi dongle or USB
05:19 < alabaster> hfp it's hard to find an AC chipset that is just plug n play in Kali like the Realtek's
05:19 < alabaster> I mean UNLIKE the Realteks that are buggy with Linux
05:20 < hfp> why do you want ac though, isn't 802.11n enough? it does 2.4 and 5. you generally want ac because of the faster speeds over n, but for cracking wifi networks it doesn't really matter does it?
05:21 < alabaster> DOES n do both ????
05:22 < alabaster> I don't think it does
05:22 < fryguy> it does
05:28 < alabaster> huh Ok
05:28 < alabaster> I am dumb
05:29 < alabaster> so all I am missing is speed I probably don't really need to start out learning but will still be able to get a nice wireless N wifi USB with a fair amount of needed and cool modes?
05:29 <+pppingme> linuxmodder can you fix your connection issues?
05:29 <+pppingme> or do I just need to block 174.77.159.40?
05:30 < hfp> alabaster: for cracking n vs ac doesn't really matter imho
05:33 < alabaster> ac would be theoritically faster but not needed is what I am getting
05:34 < alabaster> unless you are being stupid and trying to watch 3 nets at once. or really funnel some information like an ill egal idioso
05:39 < alabaster> I told my girlfriend because she knows I'm trying to go for well almost ready for CCNA.. that I want to learn both at the same time.
05:39 < alabaster> so I wanted to mirror my own network
05:40 < hfp> Dagger: I got really excited about SRV records... And then I found out that none of the most popular browsers support it.
05:40 < Dagger> I did say
05:41 < alabaster> ap mirror. And let her know I wanted to try to advance mirroring of my own AP not silly injection but actually learn to mirror and see it at the same time so I figured I'd need the AC speed to decrypt and mirror at the same time
05:41 < Dagger> apt-get supports it for http(s)://, XMPP supports it... and that's about the entire set of protocols and software that supports SRV
05:41 < alabaster> would N still be fast enough at the receiving end?
05:42 < alabaster> Sorry for my security noobishness
05:43 < Dagger> oh, there's Mumble and Minecraft. nothing else springs to mind
07:04 < hey2> Is there a reason why MAC addresses couldn't be used in lieue of IP addresses in their entirety
07:05 < hey2> I understand that it has been built up, and changing now would be all but impossible... but
07:12 < light> hey2: because it would make routing impossible
07:13 < hey2> no it wouldn't
07:13 < light> a compelling retort
07:13 < hey2> I mean, subnetting and figuring out lans might be a little more difficult in retrospect
07:13 < hey2> But I am just thinking if it had been done that way from the ground up
07:14 < hey2> 2/3 combined like the TCP/IP and just eliminate ip addressing
07:14 < hey2> not actually being serious by the way, was just having a conversation and figured I'd ask - didn't think about the routing aspect of LANs though
07:17 < light> layer 2 and 3 serve different purposes
07:17 < light> and there are protocols that exist in a grey area between them, like MPLS
07:17 < hey2> I am aware that they serve different purposes
07:17 < light> combining them completely would hamstring you
07:17 < hey2> We are saying, if from 1970 onward, IP addresses weren't used
07:17 < hey2> and only hardcoded MACs
07:17 < hey2> but the LAN aspect, I didn't think about
07:18 < light> how would you find an IP address?
07:18 < hey2> You wouldn't have IP addresses lol
07:19 < hey2> Either way I realize it would be a nightmare, we were just thinking of reasons why you "couldn't" do it
07:19 < light> say you want to get to warez.ru, how do you know where to send your packets?
07:20 < hey2> well you would have DNS resolve it to a MAC address! lol
07:20 < light> ok, so now you have a MAC, how do you send to that MAC?
07:20 < hey2> but then I guess I could do macchanger or something and just mess it all up anyways
07:20 < hey2> You would do what layer 3 already does, but with MACs
07:20 < light> but you can't
07:20 < hey2> Why
07:20 < light> because a manufacturer creates 1000 network cars with sequential MACs and distributes them to 1000 different people
07:21 < light> so how do your packets know where to go
07:21 < light> cards*
07:21 < hey2> That is what I was saying
07:21 < hey2> The aspect of finding out where they are for routing would be hard in that regard, it'd be a bit of a headache with existing protocols to just swap over
07:21 < hey2> but it wouldn't be impossible
07:22 < light> well it kind of is, because there's no relation
07:22 <@pppingme> hey2 routing by L2 would require tables storing billions of routes versus the current 704,000
07:22 < light> ^
07:22 <@pppingme> you also have the fact that not all medium actually has an L2 address
07:23 < hey2> ? I thought all switchports, NICs etc had a hardcoded MAC
07:23 <@pppingme> swithcports? NO...  a switch doesn't even "need" a mac
07:23 <@pppingme> and you're assuming ethernet, not everything is ethernet
07:24 < hey2> I mean, lots of switches have 1000+ mac pools, no?
07:25 <@pppingme> that doesn't mean the switch has a mac..
07:25 < hey2> And yeah... Like I said, I realize that this isn't a good idea, I was just talking to a coworker and didn't think about routing
07:25 < hey2> pppingme: the switches do have MACs, though
07:25 < hey2> Lots of switches have a MAC for the whole device, even
07:25 <@pppingme> nope, they don't..  the greatest majority of "home" or "consumer" switches absolutely do NOT have a mac address
07:26 < hey2> I am talking about enterprise networking equipment
07:26 < hey2> and I mean, most switch/router combos do have MACs which is what most houses use anyways
07:26 <@pppingme> and a lot of this cheap consumer stuff makes it into enterprise, especially under desks, etc..
07:27 <@pppingme> the point is, mac's don't even come close to reasonable for routing on a wide basis
07:29 < myrat> hi all
07:30 < light> hi
07:30 < myrat> i have one problem
07:30 < myrat> with cisco c240 m3
07:30 < myrat> server
07:30 < myrat> light wosap
07:30 < myrat> i can't install second network adapter to server
07:32 <@pppingme> why not?
07:38 < myrat> pppingme
07:38 < myrat> i don't know man
07:38 < myrat> the first adapter working properly but second just unknown
07:39 <@pppingme> error? logs? smoke?
07:39 < myrat> pppingme now try to see dmesg what happen
07:40 < myrat> but bios still not see the second network adapter
07:45 <@pppingme> is it a pci adaptor or what kind?
07:46 < myrat> yeah pci
07:47 <@pppingme> try "lspci"
07:52 < myrat> pppingme it shows only first network adapter
07:52 < myrat> 4 ports
07:53 <@pppingme> then you most likely have something physically wrong..  lspci should show anything on the pci bus, even if the OS doesn't recognize or have drivers for it
07:53 < buu> it dead
07:53 <@pppingme> reseat the card, try card in another computer, etc..  sounds like a fried card..
07:53 < buu> I just got a dead card from ebay
07:53 < buu> Maybe I can make jewelry out of it
07:54 < myrat> pppingme in another computer it works fine..
07:54 <@pppingme> then you have a fried pci slot
07:55 <@pppingme> is it in a riser?
07:55 < buu> you could try updating the mobo bios
07:55 < buu> or update the card bios if it works in another mobo I guess
07:57 < myrat> in server have 5 pci slots i try in all of them
07:57 < myrat> mobo bios?
07:58 < myrat> other adapters works fine in server and bios see those
07:58 < myrat> pppingme what is riser?
08:00 < Emperorpenguin> A 90° thingy for PCI slota
08:00 < Emperorpenguin> Slots
08:07 < ryuo> I have a router I need to replace the pigtails, U.FL to RP-SMA, on. Any suggestions on how I can unscrew them from the case? they seem pretty tight.
08:11 <@pppingme> ryuo bigger pliers
08:11 < ryuo> pppingme: ok. that's what I thought. thanks.
08:12 <@pppingme> ryuo I've seen those connectors crimped, or dimpled before from the factory, basically making them impossible to remove
08:12 < ryuo> pppingme: i'll hope that's not the case.
08:13 <@pppingme> its usually pretty obvious, assuming you can see the entire connector..  if its on the 'back side' that you can't see, may not be so obvious
08:14 < Emperorpenguin> More brute force is always the answer
08:14 < Emperorpenguin> Sure, they might be useless afterwards
08:14 < Emperorpenguin> But you'll definitely manage to remove them
08:15 < monoxane> has anyone used fs.com switches before?
08:15 < monoxane> i cant find any information that anyones ever deployed them
08:43 <@pppingme> monoxane I've heard of them, never used them, I think most of their stuff is just rebranded stuff, not sure they actually make anything
08:44 < monoxane> yea i think they are Cangoa Perkins gear relabled
08:44 < monoxane> *canoa
08:45 < monoxane> their 1g and 10g offerings looks like bottom of the barrel stuff though
08:45 < monoxane> ill keep it in mind if budget decides to rapidly shrink
08:52 < myrat> pppingme dmesg says  info like that    -    eth0: PBA No: FFFFFFF-OFF......added PHC on eth1
08:53 < myrat> pppingme enp2s0f0: renamed from eth0
08:57 < ryuo> myrat: ?
08:58 < myrat> ryuo hi i need to help with installing secong network adapter to my server
08:59 < ryuo> myrat: why? it shouldn't be that hard.
09:00 < ryuo> myrat: did you already install it?
09:00 < myrat> ryuo the second adapter not seeing in bios
09:01 < myrat> ryuo when i plug network cable to second adapter it blinking
09:01 < ryuo> myrat: it won't necessarily. usually only the onboard ones do.
09:01 < ryuo> myrat: what matters is what the OS ses.
09:01 < ryuo> sees
09:02 < myrat> ryuo server with ubuntu 16.04 lts
09:02 < ryuo> myrat: paste the output of this please: ip address
09:10 < ryuo> Go figure. My request for more information seemed to make them leave...
09:11 < XCE> it was top secret
09:11 < squ> !catgif
09:40 < myrat> ryuo what's up,
09:41 < ryuo> myrat: i'm still waiting for the information I asked for.
09:42 < ryuo> myrat: paste the output of this please: ip address
09:43 < myrat> ryuo ip address shows 5 interfaces: 1) lo, 2)enp2s0...5) enp2s3
09:44 < ryuo> myrat: ... that's not what I asked for. I don't want a summary. i want the actual output.
09:46 < ryuo> myrat: either way, you never really said what your issue is.
09:47 < ryuo> myrat: you have 2 ethernet devices, guessing from the names.
09:47 < ryuo> If this is really your second physical ethernet port, it appears to be detected.
09:48 < myrat> ryuo damn i lost output ip address
09:48 < monoxane> run it again then
09:49 < linux_probe> uhhh
09:49 < myrat> now my friend reinstall the server.. :(
09:49 < linux_probe> LOL
09:49 < ryuo> ...?
09:49 < linux_probe> the shart here is miles deeep
09:49 < ryuo> guess i've been trolled.
09:50 < ryuo> https://www.youtube.com/watch?v=dQw4w9WgXcQ
09:50 < myrat> ryuo no really  now i cant say man
09:50 < monoxane> LOOOOOL
09:50 < monoxane> yup thats called being trolled i guess
09:51 < myrat> so sorry
09:51 < ryuo> myrat: probably time to upgrade to 18.04 anyway. :P
09:52 < eirirs> ubuntu 18.04 ?:P
09:52 < myrat> to issue this problem my friends too trying..
09:52 < ryuo> lol
09:52 < ryuo> yea
09:52 < myrat> and one of them reinstalling..
09:53 < myrat> ryuo they want 16.04 why i dont knkow
09:53 < monoxane> 16.04 is eol get them off it
09:53 < monoxane> there should be no difference
09:53 < linux_probe> uh-huh
09:53 < myrat> maybe it working good of something
09:54 < ryuo> monoxane: not quite.
09:54 < ryuo> monoxane: 14.04 basically is.
09:54 < ryuo> 16.04 has 3 years left.
09:54 < myrat> 16.04 lts..
09:54 < monoxane> oh its the LTS one
09:54 < myrat> yeah
09:54 < ryuo> monoxane: yes. ubuntu LTS has an even first number and 04 for the second.
09:55 < monoxane> i use debian so nothing is LTS
09:55 < monoxane> :P
09:55 < ryuo> monoxane: well, i hear about stretch getting 3-5 years.
09:55 < ryuo> it's not too bad.
09:55 < myrat> dmesg says  info like that eth0: PBA No: FFFFFFF-OFF
09:55 < ryuo> Ubuntu Desktop only gets 3. Server is 5.
09:55 < myrat>  added PHC on eth1
09:55 < ryuo> myrat: ignore it. if the NIC functions, what does it matter?
09:56 < myrat> lspci showing only the first adapter which is intel
09:56 < ryuo> you have to understand kernels and hardware to parse those messages.
09:56 < ryuo> myrat: paste lspci and lsusb output please.
09:57 < linux_probe> it is super stupendous how many sheeple and idiots have mobile/vehicle hot spots now days
09:57 < linux_probe> >_>
09:57 < ryuo> linux_probe: let me guess. you detect so many you have to scroll just to find yours?
09:58 < myrat> ryuo now the server reinstalling man after when it dont i'll show anything
09:58 < myrat> but now i cant do anything
09:58 < Reventlov> "sheeple and idiots", well, why ?
09:58 < ryuo> myrat: is it a rental?
09:58 < linux_probe> no ryuo, just looking at the logs from ubiquiti AP's
09:58 < ryuo> linux_probe: I see.
09:59 < ryuo> well, got WAPs everywhere these days.
09:59 < linux_probe> it logs "neighboring" access points
09:59 < myrat> ryuo no..
09:59 < linux_probe> vast majority of them are people with portable hotpots or vehciles with such enabled
09:59 < Reventlov> so, what's the problem?
09:59 < linux_probe> many name their vehicle by modela and their first name
10:00 < ryuo> myrat: ok..
10:00 < linux_probe> so like. "Waynes Cruze"
10:00 < squ> linux_probe: and?
10:00 < linux_probe> aka chevrolet cruze and the fellas name is wayne
10:00 < squ> what do you propose, more original names?
10:00 < linux_probe> it;s stupid
10:00 < Reventlov> people mad at other people using WiFi
10:01 < Reventlov> shrug
10:01 < ryuo> don't mind linux_probe, he's just rambling.
10:01 < ryuo> :P
10:01 < linux_probe> no no, it's a social engineering nightmare
10:01 < squ> how?
10:01 < ryuo> "Hey you kids. Get out of my airspace."
10:01 < linux_probe> make sit very easy to pick fish out of a crowd
10:02 < linux_probe> also "targets"
10:02 < squ> what fish
10:02 < Reventlov> well, you know you can read plates, yeah ?
10:02 < squ> and query owner name in databse
10:02 < linux_probe> sure can, which make it even easier
10:02 < linux_probe> how many people use secure passphrases
10:02 < Reventlov> sigh
10:02 < linux_probe> cough
10:02 < ryuo> you know what's funny, linux_probe... those logs could be seen as evidence in the right situation of where their car was spotted.
10:03 < squ> Wayness cruze
10:03 < linux_probe> that also ryuo, but no worries
10:03 < squ> but not that Wayne
10:03 < Reventlov> also, fun fact, in Europe you would need some kind of authorization to gather these logs.
10:03 < squ> the other one
10:03 < linux_probe> since they most all have onstar or similar
10:03 < linux_probe> and sat. service lol
10:03 < ryuo> Reventlov: that's funny considering people's devices basically belch this info all over the air waves.
10:04 < squ> I understand your concern now
10:04 < linux_probe> also, them binding to phones, mics built in
10:04 < linux_probe> GPS/SAT/ etc
10:04 < linux_probe> cellular in many now
10:04 < linux_probe> NSA cars 101
10:05 < Reventlov> ryuo: not a reason :)
10:05 < squ> you can startup a service which tells when wife/husband car arrived home, for example
10:05 < Reventlov> light put your face all over the visible spectrum
10:05 < linux_probe> just use ubuiquit AP's or some of the others
10:05 < Reventlov> not a reason you can start a picture database.
10:06 < linux_probe> who's to say many vehicles dont have cameras in-built now days
10:06 < ryuo> squ: "Uh oh. Time to hide the mistress."
10:06 < ryuo> <.<
10:06 < linux_probe> most everything else does lol
10:06 < squ> it is a way to track car without gps
10:07 < linux_probe> they just track you idiot cell devices
10:07 < squ> when it was at specific location (near wifi router)
10:07 < linux_probe> 3g and 4g better yet
10:07 < linux_probe> 5g will be even worse
10:07 < squ> linux_probe: I'm trying to understand your motivation :)
10:08 < squ> what's wrong with Wayne Cruze name
10:08 < squ> :)
10:08 < linux_probe> that wasnt very bad, many have their full names
10:09 < linux_probe> or phoen numbers
10:09 < regdude> in use there is "ICE" that tracks cars using cameras in malls
10:09 < regdude> *US
10:09 < linux_probe> yep
10:09 < linux_probe> trafic cams anyone?
10:10 < Nefertiti> https://www.gnu.org/proprietary/malware-cars.html
10:11 < linux_probe> Im just trying to get the point across, people are worried about throwing away mail still :))))
10:11 < linux_probe> yet, theylre devices are spwewing forth tonf of data 24/7, that is far worse
10:11 < Nefertiti> ^_^
10:11 < Nefertiti> totes
10:12 < linux_probe> I drove a car with bluetooth enabled, I named it "qwertyuiopasdfghjklzxcvbnm"
10:13 < linux_probe> I also drove around sniffing many times
10:13 < linux_probe> at least the amount of total unsecured wifi has went about null, except the captive portal stuff
10:14 < MitteM112358> can someone probe me?
10:15 < linux_probe> here's on eof thr TONS of darwin "SSID's" logged   "Rachel Mcfadden"
10:15 < linux_probe> gee, why not give your full name or some shit
10:15 < ryuo> hey, i found another one: "Hey mom, i'm on tv"
10:15 < linux_probe> problem is, I know where they are, I can easily find their address, and many other things....
10:16 < ryuo> linux_probe: why do you care? you can't fix people being people.
10:16 < linux_probe> inwhich i can likely guess "stupendous" electronic door lock codes, alarms, etc
10:16 < linux_probe> by providing basic knowledge you can!
10:17 < linux_probe> people just dont think of it, because it's not disclosed, since that would kill the marketing of said junk device
10:17 < linux_probe> then again, so wuld them knowing about bump keys and the power lock picks :))
10:17 < linux_probe> 3 seconds or less CLICK
10:18 < linux_probe> ( gee why do we like the second amendment and hold it dearly)
10:19 < linux_probe> and pray to god, we neevr have to excercise it against an idiot human ;)
10:19 < Apachez> ryuo: one can kill people, problem solved?
10:20 < ryuo> Apachez: not really a solution.
10:20 < linux_probe> they have to be well deserving of it, like the act of robbing others
10:20 < Apachez> linux_probe: best is to use dhcp within ssid's that breaks broken dhcp clients :)
10:20 < linux_probe> oh wait, I just eliminated a vast portion of the world
10:20 < Apachez> not my fault that your box suddently deleted all files just by connecting to my wifi =)
10:21 < ryuo> ... there's stuff that dumb?
10:21 < Apachez> ryuo: so the murican way in afghanistan and iraq didnt work you say? ;)
10:21 < Apachez> also utf8 in the ssid's is fun too
10:21 < Apachez> specially those specialcharacters who makes text go the other direction and shit like that
10:22 < ryuo> no comment.
10:22  * Apachez drops mic, walks off stage
10:23 < detha> ITYM egats ffo sklaw ,cim spord zehcapA
10:23 < Apachez> na more like when all chars are stacked upon each other
10:23 < Apachez> or even is being typed out vertically
10:25 < regdude> or emojis
10:25 < linux_probe> herp herp
10:26  * linux_probe thinks it;s about time to get tossed out of the next bar
10:27 < linux_probe> some slut checking out el-natural buldge and her dinklet dude getting cranky about it
10:27 < linux_probe> calling out occurs, and game over
10:31 < squ> ate 2 ice creams
10:32 < squ> !catgif
11:24 < shtrb> Did I understand correctly that an end user will soon be able to connect to ubnt's AirMax using 802.11n/ac ?
11:25 < shtrb> or there is a still need for custom device to provide the 802.11n/ac ?
11:27 < djph> the airmax 'ac' units don't do wifi ...
11:28 <+xand> they do aircon?
11:31 < OlofL> If you use radius login, with AD backend, can you somehow enable ssh key logins aswell then? speaking generally to network devices such as hp/cisco switches and routers
11:34 < shtrb> xand 802.11ac
11:36 < mcdnl> OlofL: probably, but i guess it wont be as easy as setting up eap for wireless
12:12 < wblackstone> nanosouffle it looks like he is willing to undergoe testing
12:15 < solfi> Hello
12:16 < wblackstone> does the command genkernel work?
12:17 < wblackstone> If it is in the handbook there is an epub here but no epub display.
12:19 < h0dgep0dge> hey folks, just q quick query, what domain name registrar do you recommend and use the most?
12:20 < skyroveRR> None.
12:20 < h0dgep0dge> how do you buy domains?
12:20 < wblackstone> What do you want to do?
12:20 < skyroveRR> h0dgep0dge: usually offline.
12:21 < shtrb> h0dgep0dge, all have their own issues
12:21 < wblackstone> Rafael S Rosas
12:22 < wblackstone> how are the goonies doing?
12:22 < h0dgep0dge> all i really want to do is buy domains and deligate them to my dns host, but i want to do it in style. unfortunately i can't register domains with a delorean
12:22 < h0dgep0dge> google dns looks good, but isn't available in nz
12:22 < wblackstone> siRNA for softening the id cloud in the em field of the synapses?
12:23 < wblackstone> rhineheart_m: r u listing the old goonies?
12:24 < wblackstone> I never really took to most of them but as you well know I pay attention to detail.
12:24 < rhineheart_m> Huh?! Me?
12:24 < wblackstone> Did you see me cleaving?
12:25 < wblackstone> How else can you tell if she is my wife?
12:25 < wblackstone> You see in math right rhineheart_m ?
12:26 < wblackstone> " when we said ..."
12:26 < rhineheart_m> I think it's not me.
12:26 < wblackstone> " we said it close to ..."
12:26 < rhineheart_m> You might be talking to someone else.
12:28 < wblackstone> Ok so what to do with the test subject?
12:40 < gebbione> hi folks, any idea how i can connect to the internal network IP of a server through a public VPN server ? ie i am connected to the VPN but I cannot ping the internal server ip
12:41 < bezaban> routing
12:41 < shtrb> make sure icmp is allowed
13:14 < nostrora> Hi! i made my own S/FTP cat6a ethernet RJ45 cable. which is the best between T568A et T568B ?
13:15 < Phil-Work> nostrora, it doesn't really matter
13:15 < Phil-Work> B is more popular
13:15 < Phil-Work> most pre-wired cables are B
13:16 < nostrora> and I do a straight cable or a cross cable?
13:16 < nostrora> I know that there was a time when it was important to have straight cables or cross cables.
13:17 < Phil-Work> cross over cables are rarely used these days
13:17 < Phil-Work> any device made in the last 10+ years will auto sense
13:18 < nostrora> So I'm going on a straight cable? on T568B on 2 sides ?
13:18 < pulsar12> when they develop auto sense for fiber too ?
13:18 < Phil-Work> nostrora, if you insist on making it yourself, sure
13:19 < monoxane> nostrora i use B and everyone i know uses B
13:19 < nostrora> Phil-Work: If I insist? why is it a bad thing to make your own cables? I find it cheaper in cat 6 S/FTP. and I have a good cable price per meter
13:20 < monoxane> nostrora some people dont like sitting in a room terminating cables for hours on end
13:20 < Phil-Work> nostrora, because pre-made cables are usually tested to ensure they conform completely with the standards
13:21 < nostrora> I like to sit in a room for hours to set up my computer myself ^_^
13:21 < Phil-Work> it's extremely hard to crimp a fully conformant cable yourself
13:21 < Phil-Work> though if you're not planning on carrying 10G down it, it doesn't really matter
13:23 < Dalton> 10g on copper is silly anyway
13:25 < Phil-Work> Dalton, agreed
13:25 < Phil-Work> unless it's a DAC
14:25 < wallbroken> hi
14:26 < wallbroken> what is the difference between bonjour and avahi?
14:26 < wblackstone> hOW did I get banned from law?
14:26 < tpr> both are implementations
14:26 < wblackstone> ##law
14:26 < wblackstone> "just grab em in the biscuits"
14:26 < tpr> of mdns. bonjour on osx, avahi on other linux-like systmes
14:26 < wblackstone> lawlessness
14:26 <+xand> how should we know?
14:27 < wblackstone> duwatchulike
14:27 < wallbroken> tpr, of what?
14:27 <+xand> 2018-07-11 13:26:52 < tpr> of mdns. bonjour on osx, avahi on other linux-like systmes
14:28 < groupers> Hi, can anyone recommend an entry level firewall that will handle Gb line speed and offers geolocation filtering
14:28 < wblackstone> on point?
14:28 < groupers> In the $600-700 range
14:29 <+pppingme> what are you expecting out of "geolocation filtering" ?
14:29 < wblackstone> xand: Are you asking?
14:29 < wallbroken> tpr, ok, but it's something built by apple?
14:29 < wallbroken> or just a general standard??
14:30 < groupers> Pppingme I realize it's not perfect but I'm looking to block any connections outside of north America
14:32 < groupers> I realize pfsense does this but I'm looking for something a little more enterprise oriented
14:34 < vavkamil> groupers, you can write simple script for that
14:35 < groupers> That's what I'm trying to avoid, creating more work for myself in the long run
14:35 < vavkamil> just use dnsmasq, check country of each IP before sending answer to client
14:36 < groupers> I don't have time to write/maintain a script when it breaks, monitor that it's getting an updated database of ip ranges, etc
14:36 < vavkamil> I have a perl script somewhere that does that
14:41 < djph> it's pretty easy - just look for the /8s that aren't owned by ARIN. *done*.
14:42 < djph> (note, networks smaller than /8 may come into play)
14:44 < groupers> Thanks for the tip, now is there a firewall it security appliance that does that and can handle between 500mbps and gb throughout for under $100k?
14:45 < dionysus69> so I had nethogs open and there was a process taking upto 100kb sec from a random ip, what kind of traffic can this be? the webserver wasn't hit by this ip
14:45 < djph> sure, a UBNT Edge Router.  Will take you an hour, maybe two to ask ARIN about the ~250 /8s that aren't reserved.
14:46 < shtrb> did ubnt become the go to network solution ?
14:46 < djph> I mean, he could go for anyone, but it's a stupid-simple firewall rule. (1) create the list, (2) use the list to drop destinations.
14:47 < shtrb> I have no objectins to what you say,I'm just saying that it seems that they become the go-to solution
14:47 < djph> hell, a quick google may even return the list.
14:48 < regdude> there are cheaper solutions, UBNT is simply the most popular here
14:48 < djph> shtrb: they're definitely my goto.
14:48 < djph> regdude: cheaper that have the same featureset?  like who?
14:48 < wallbroken> you know how to wake up an iphone from network?
14:48 < regdude> the one you all hate here
14:48 < wallbroken> WOL will work?
14:49 < djph> regdude: err, that being?
14:49 < regdude> MT
14:49 < shtrb> regdude, everyone hate iphone ?
14:49 < djph> I mean, there are a LOT that people hate here.
14:49 < shtrb> why hate them ?
14:49 < groupers> I was considering the Ubiquiti security gateway pro but the powers that be were determined to buy Cisco ASA until I told them throughput with all the security features enabled is much lower than the initial number they advertise, which is only for the firewall
14:49 < wallbroken> nobody knows?
14:49 < djph> 'tik? meh, never used them.  Last I looked, their "cheaper than UBNT" lineup was 10/100 though.
14:49 < groupers> So they want something more expensive
14:50 < groupers> In order to feel like they're getting more value I guess
14:50 < djph> then they can go more expensive.  Although, the USG would be a royal pain in the ass to configure the way you want.
14:50 < shtrb> Firewalls/IDS/smart system reduce your throughput because they need to process your data
14:51 < lupine> might*
14:51 < groupers> And I'm not a network guy so I'd prefer to do as little maintenance as possible, I don't want to be updating some list by hand
14:51 < lupine> depends on whether firewall capacity exceeds link capacity
14:51 < lupine> but also, don't use UBNT
14:52 < groupers> I don't think I can get them to spend more than $1k
14:52 < djph> groupers: good news, the list of RIR allocations doesn't really change.
14:52 < groupers> But $200 is too little
14:52 < detha> groupers: if you don't want to do maintenance, you'll have to fork out for a 'managed solution' from one of the big vendors :p
14:53 < djph> if your limit is $1k, you're looking solidly at the cheapass end of the big boys, or UBNT / 'tik ... maybe some of those other "small-business-oriented" setups...
14:54 < groupers> I can manage firmware updates and occasional monitoring but I don't have time to spend hours maintaining something
14:55 < detha> you don't. you spend a few hours setting up scripts that do it for you, and once every two years or so you have to change the scripts because one of the sources changes
14:56 < djph> detha: how often does the RIR allocation change?
14:56 < groupers> I take it an IDS that will handle that kind of throughput for $1k doesn't exist
14:56 < detha> RIR allocation doesn't change, there's nothing more to allocate. But people transfer ranges from RIPE to ARIN for example
14:57 < djph> detha: yeah, that's what I meant.
14:57 < groupers> I thought existing IPv4 ranges changed hands all the time and the list would be to be kept up to date
14:57 < groupers> *need to be kept up to date
14:58 < djph> ... I mean, if it's every month or so, that's a lot of work ... if it's once a year ... ehh...
14:59 < groupers> Has anyone built a pfsense machine and used the maxmind database that can tell me what sort of hardware is needed to get that throughput
15:00 < detha> maintaining ip ranges/geoloc/what is dynamic is a full-time job. So you either automate it, use free sources, or pay for someone to do it, either maxmind and the like or some security vendor
15:06 < djph> hm, didn't realize "x.x.x.x was NA and now isn't" (or vise-versa) happened nearly that fast.
15:06 < dogbert2> hey djph
15:06 < djph> o/
15:07 < dogbert2> more patch-fu for BIND
15:08 < djph> good luck
15:10 < dogbert2> already submitted...other two have been merged into the master branch (NULL pointer dereference and memory leak)
15:17 < epitamizor> what would be a good linux disrto for honeypot damnvulnerable linux?
15:22 < djph> WSL
15:22 < djph> bahahahha
15:28 < shtrb> djph, you are evil
15:29 < djph> shtrb: he wants a "honeypot" - what better than the utterly broken WSL?
15:29 < groupers> What makes WSL broken?
15:29 < shtrb> https://www.microsoft.com/en-us/p/ubuntu/9nblggh4msv6
15:30 < lupine> groupers: it doesn't support various important things
15:30 < shtrb> it's like LSD , sound great at first until people will learn its consequences
15:31 < djph> "Windows"
15:31 < bad_blue_bull> hi
15:31 < groupers> I work in SMB world, which is mostly Windows, being able to compile ipxe or whatever on my Windows machine saves me some trouble
15:32 < shtrb> groupers, use a vm
15:32 < shtrb> sorry but lxss get all the bad parts from everywhere
15:32 < groupers> It's easier than using a VM
15:33 < shtrb> raw sockets ? having true access to /proc and /sys ? being able to use "Linux Kernel" ?
15:36 < tpr> wallbroken: https://en.wikipedia.org/wiki/Zero-configuration_networking
15:53 < bad_blue_bull> is there a name for a category of HTML tags that start a new block like p, h1-h6, div, table, img?  I mean these tags insert a line break unlike <i>, <b> etc
15:55 < niluje> block elements vs inline elements
16:01 < bad_blue_bull> OK
16:15 < cpplearner> Under what circumstances are some network traffic not subject to the kernel routing table? My Dante (proxy) server seems to ignore the routing table, once I configured its external address to an Ethernet interface. Any thoughts?
16:17 < shtrb> Does AMT work when there is USB attached network devices ?
16:20 < lbrun> shtrb: Generally no, it requires specific NICs from Intel (-LM parts) which as far as I know only come with a PCIe interface
16:20 < shtrb> oh great , thanks
16:20 <+imMute> cpplearner: what do you expect to happen vs what is actually happening?
16:21 < cpplearner> Thank you for asking.
16:22 < cpplearner> I have an OpenVPN connected in the same computer. So, just configuring it to eth0 would make sure that, it's automatically routed back to a VPN, thanks to the kernel routing table. However, it's certainly not hapenning.
16:23 < cpplearner> I just want to know why it's not working.
16:23 < lbrun> cpplearner: You know that your VPN has a dedicated network interface? Why would you configure it to eth0?
16:23 < lbrun> Or is this a gateway into the VPN?
16:24 < shtrb> What ? no openvpn have many modes and only if you use TAP and tie to eth0 (iptables or what ever option you use ) you will have netowrk
16:24 < shtrb> TUN (does not have broadcasting for example)
16:24 < cpplearner> Yes. With tun0, it works as I expected. However, why does it not work with eth0? I mean, the kernel routing table is supposed to route its traffic back to tun0, right?
16:24 < cpplearner> I'm just curious.
16:25 < OlofL> What is the key combination to get back to the OA prompt on a blade system c7000 ?
16:26 < WebertRLZ> how does keepalived knows about the availability of the other node?
16:26 < lbrun> cpplearner: Where is the request made from and what is the listener config on the server-side?
16:27 < OlofL> WebertRLZ: when it stops hearing hello's from neighbor
16:27 < WebertRLZ> OlofL, in a simple config there is no information in the config file that says, lets say the IP address of a second node
16:28 < shtrb> cpplearner, even if you setup a bridge openvpn can not transfer data from tun0 to eth0
16:28 < cpplearner> The traffic itself is made from "danted" (proxy). Of course, the original request was made from other computer in the same subnet, but it's all comming to "danted", and "danted" in turn makes request to eth0.
16:28 < WebertRLZ> OlofL, like this http://termbin.com/c3tx
16:28 < shtrb> hence the required ip_forward=1 and iptables
16:28 < OlofL> WebertRLZ: I belive keepalived is the same as vrrp? in that case it uses multicast address 224.0.0.18	
16:29 < dionysus69> during a ddos attack, is it a very bad practice to ban IPs manually?
16:29 < WebertRLZ> OlofL, yes it uses vrrp
16:29 < WebertRLZ> Oh, right, then I need to read more about it to understand it.
16:29 < WebertRLZ> Thanks
16:30 < OlofL> why are u using different virtual ips in that setup?
16:30 < ||cw> dionysus69: why would that be bad?
16:30 < cpplearner> shtrb Oh... okay. I thought, the routing table do the transfer.
16:30 < shtrb> cpplearner, by design openvpn can not handle bridge
16:30 < WebertRLZ> OlofL, to have high availability + load balance. I need 2 servers to always receive traffic, with a said DNS entry that resolves to those 2 IP addresses
16:30 < shtrb> *in tun mode
16:31 < WebertRLZ> so server A is Master for IP 1 and Slave for IP 2, and Server B is the opposite: Slave for IP 1 and Master for IP 2
16:31 < OlofL> WebertRLZ: you should probably use groups for each VIP then.
16:32 < OlofL> I only know how to configure it on various router OS's.. not linux
16:32 < cpplearner> Hmm. So the routing table is just a way to find the appropriate interface? That means, once an interface is determined in the first place, the routing table is never considered?
16:33 < WebertRLZ> OlofL, I'll look into it. I'm new to this so I don't know exactly what it means
16:33 < shtrb> cpplearner, but you can use mascarading without any issue
16:34 < WebertRLZ> I know fro the docs that there is a 'vrrp_sync_group' config
16:34 < WebertRLZ> maybe that's it.
16:34 < epitamizor> ask cppmaster lol
16:37 < cpplearner> Hmm... With masquerading, transfer between two different interfaces is possible?
16:39 < shtrb> you can push routes and can do ip and up
16:39 < cpplearner> Anyway , thank you for asnwering. Mysteries solved.
16:40 < shtrb> but you could use tap and then no need for NAT , you can directly use bridges etc
16:41 < cpplearner> Thank you. I'll look into it.
16:49 < epitamizor> for network devices bridging two domains, how to tell which one to incorporate FQDN for?
16:51 < ||cw> epitamizor: you don't bridge domains, you bridge subnets.  the DNS name you give a device is simply your choice
16:52 < tobra> vendor help = vodafone
16:52 < tobra> Vendor Help = Vodafone
16:52 < tobra> hm… hat didn't work ;-)
16:52 < ||cw> domains and subnets are separate concepts.  you can have multiple subnets in a domain, and multiple domains on a subnet
16:53 <+xand> subnets and DNS domains have nothing to do with each other :X
16:54 < epitamizor> but it is best practise to separte the two
16:54 < ||cw> not really
16:55 < ||cw> think shared web server hosting or collocated servers
16:55 < Thuryn> for network devices bridging two domains <-- what does this mean?
16:55 < ||cw> it's best to keep a single IP subnet on a single logical subnet (vlan, for instance)
16:56 < tobra> Can I somehow configure my setup on my part that I’ll get multiple external IP’s or can this only be done at ISP-level?
16:56 < ||cw> but it's not exactly invalid to have more than one
16:56 < Thuryn> especially not during a transition from one subnetting scheme to another
16:56 < ||cw> tobra: the ISP has to route the IPs to you first
16:57 < tobra> Can I maybe just buy two connections for the same address?
16:57 < tobra> I guess thT’ll be ISP-policy…
16:57 < Thuryn> tobra, it's easier to buy two separate connections, and then link them together on the same VLAN
16:58 < ||cw> tobra: yeah, but then you get into load balancing and such.  most ISPs have the option if getting extra IPs.
16:59 < tobra> ||cw load isn’t really an issue. my problem is that very different kind of traffic goes over the same interface, which makes analysis a mess and stability an issue…
16:59 < ||cw> so you're swamping the connection?  or just you need a better router?
17:00 < tobra> I need two interfaces so I can cleanly differentiate the traffic.
17:00 < tobra> they can go through the same router and be distributed accordingly
17:02 < ||cw> a good router shouldn't have any issues classifying different kinds of traffic
17:05 < cpplearner> What routers do you guys use ?
17:07 < epitamizor> testing out zeroshell now
17:07 < cpplearner> I just found out that, mine has too outdated kernel (2.6) in it. =(
17:08 <+xand> 2.6 isn't necessarily a problem... if security fixes are backported
17:08 < gebbione> hi folks my vpn connects and sets up route
17:08 < gebbione> * HarveyPwca has quit (Read error: Connection reset by peer)
17:08 < gebbione> * noobineer (~noobineer@2601:401:8000:481d:a177:e562:2772:9307) has joined
17:08 < gebbione> * x1b4 (~0x1B4@ip154.173.mip.uni-hannover.de) has joined
17:08 < gebbione> * HarveyPwca (~HarveyPwc@99-89-221-139.lightspeed.cicril.sbcglobal.net) has joined
17:08 < gebbione> * vlt (~vlt@2a01:488:66:1000:57e6:5dd1:0:1) has joined
17:08 < gebbione> * CheckDavid (uid14990@gateway/web/irccloud.com/x-zyzoynoeyldtbrsz) has joined
17:08 < gebbione> * Lighthammer has quit (Quit: Quit)
17:08 < gebbione> * hucksy_ (~hucksy@p5084ED6C.dip0.t-ipconnect.de) has joined
17:08 < gebbione> * bites has quit (Ping timeout: 256 seconds)
17:08 < gebbione> * nyAgEO has quit (Quit: -a- IRC for Android 2.1.40)
17:08 < gebbione> * hucksy has quit (Ping timeout: 244 seconds)
17:08 < gebbione> * variable (~variable@freebsd/developer/variable) has joined
17:08 < gebbione> Wed Jul 11 16:02:33 2018 /sbin/ip route add 10.0.0.10/32 via 10.8.0.1
17:08 < gebbione> sorry for the spam
17:08 < tobra> any routers that support distributing traffic based on the domain that was queried?
17:09 < gebbione> i just meant to paste only the last line
17:09 < epitamizor> gebbione, is that your botnet?
17:09 < Thuryn> tobra, not that I've ever seen.
17:09 < Thuryn> tobra, that would be a tenuous relationship at best anyway.
17:09 < gebbione> epitamizor, not using one
17:10 < tobra> Basically I’d like service1.mydomain.com to arrive at machine1 and s2.mydomain.com at machine2.
17:10 < gebbione> i m just trying to establish if based on that route I should be able to connect to ip 10.0.0.2
17:10 < ||cw> tobra: unless the traffic itself has that data in it like http does, no, not really.  but then you'd usually use a reverse proxy, not routing
17:10 < gebbione> or any 10.0.0.x
17:10 <+xand> tobra: errr so you point the different names at different machines
17:11 < tobra> xand both machines want to sit behind the same external IP.
17:11 < groupers> Gave up and just recommended the USG-PRO-4, already have a couple ubiquiti WAPs anyway
17:11 <+xand> tobra: then you need a reverse proxy like nginx
17:11 < tobra> ||cw and the reverse proxy can read and act conditionally on the domain-field?
17:12 < tobra> xand I guess apache has those, too, right?
17:12 <+xand> yes.
17:13 < tpr> http host header is used exactly for that
17:13 < ||cw> tobra: it's usually apache or ngnix, so yes, it can act on anything a web server can
17:13 < groupers> Tobra use haproxy
17:13 < groupers> Free version will do what you want
17:13 < Apachez> haproxy went payware?
17:14 < groupers> It can also do that with SSL traffic without decrypting it, so you have the option of terminating SSL in HAProxy or the servers
17:15 < groupers> Called sni inspection or something like that
17:15 < tpr> that's a basic tls feature. sni = server name identification :P
17:15 < Thuryn> SNI, yes
17:15 < tpr> it's stored in plain-text in the handshake so the server can provide different certs for different domains hosted on a single ip :P
17:16 < tpr> oopsie, identification/indication :P
17:17 < cpplearner> exit
17:17 < cpplearner> exit
17:17 < cpplearner> omg sorry
17:17 < devilspgd> I'm surprised we haven't seen any steps toward protecting SNI. Maybe it'll be next after the current push toward DNS encryption.
17:17 < tpr> mm, protect it in which sense?
17:18 < tpr> it has to be somehow decipherable by the server without prior exchange of secrets
17:18 < Peng_> There's a recent draft
17:18 < Peng_> https://tools.ietf.org/html/draft-rescorla-tls-esni-00
17:19 < tpr> Peng_: thanks!
17:24 < devilspgd> I can think of a number of options. A simple one would be to start the TLS encryption handshake with a SNI request for the server's IP, and if the server has a certificate for its own IP then use it to send the true SNI request. This avoids the additional DNS records described in the draft above since such things turn out to be very difficult to manage on behalf of small clients in shared hosting environments.
17:28 < tpr> some caveats by doing that instead of putting the trust on dns?
17:29 < tpr> anyway, interesting topic! I have completely missed that discussion earlier
17:33 < rhineheart_m> Guys, what usually are the needed network devices to form a fiber optic backbone?
17:34 < Harlock> switches, transceivers and fiber
17:34 < Migz> s
17:34 < Migz> hello guys
17:36 < epitamizor> hello robots
17:37 < rhineheart_m> In an outdoor install of foc....what do you call the black cylindrical thing?
17:38 < ||cw> a pipe?
17:38 < ||cw> conduit?
17:38 < rhineheart_m> Yes...a conduit.
17:38 < rhineheart_m> What is that for?
17:39 < Harlock> protecting your media
17:42 < ||cw> same thing conduit is always for
17:42 < Harlock> if it is actually conduit your are talking about
17:44 < Harlock> or you mean these https://image.made-in-china.com/202f0j00vaNReVtgVpkQ/Outdoor-Dome-Gjs98-98-002-98-006-98-007-Machinery-Heat-Shrinkable-Sealing-Fiber-Optic-Cable-Splice-Closure.jpg
18:17 < thatlizdude> do you guys know if I can get any free SSL certificate other than from Let's Encrypt?
18:19 < SomeT> I think cloudflare do them
18:20 < SomeT> yeah they do
18:20 < SomeT> just sign up to the free plan
18:21 < thatlizdude> I need something else because I messed up while getting Let's Encrypt and got ratelimited :/
18:21 < SomeT> https://gyazo.com/8f531b110be0b4b841fb75cabd5cec01
18:23 < thatlizdude> so I can sign up and get ONLY the certificate?
18:24 <+xand> don't think so
18:24 <+catphish> i don't think anyone else will give you a certificate, no
18:24 <+catphish> thatlizdude: ^
18:25 < thatlizdude> well I guess there aren't any downsides to using cloudflare are there?
18:25 < Phil-Work> catphish, finally got there with hSo
18:25 < Phil-Work> I gave up and e-mailed Dan - got a quote within an hour
18:25 <+catphish> thatlizdude: well if you want someone to proxy your traffic, you can use cloudflare for free, but that's really nothing to do with ssl
18:26 < Phil-Work> the price is actually really decent so it wasn't a total waste of time :)
18:26 < Phil-Work> thanks ^^
18:26 <+catphish> thatlizdude: it won't make your site secure, you'll still need your own certificate
18:26 < devilspgd> If it were me, I would look into why you're hitting Let's Encrypt rate limits, they normally shouldn't be a problem.
18:26 <+catphish> thatlizdude: if you don't want to pay, letsencrypt really is the obvious choice
18:27 < thatlizdude> I hit the ratelimit because I tried it about 10 times
18:27 <+catphish> oh, i see you messed up getting a LE cert, oops :(
18:27 < devilspgd> catphish: No, you don't need your own certificate. Cloudflare will provide you with a certificate (for encrypting traffic from browsers to Cloudflare, and another for Cloudflare to your server).
18:27 < thatlizdude> I tried fixing something, tried it again, gave me an error
18:27 <+catphish> i thought they only rate limited successful attempts
18:27 < thatlizdude> so now I need to wait a week to get a LE cert
18:27 < devilspgd> thatlizdude: Switch to the test server, which doesn't have rate limits...
18:27 <+catphish> rate limit should expire soon enough, but i guess that's annoying
18:27 <+catphish> that's a good point, make sure it works on the test server first
18:28 < thatlizdude> it did give me a 404 from my server
18:28 <+catphish> right, so fix your server config
18:28 <+catphish> LE isn't broken :)
18:28 < thatlizdude> but someone told me that I shouldn't use the -nginx option since it never works for them either (when using certbot)
18:28 <+catphish> with the latest version, nginx integration seems to work well
18:28 < thatlizdude> didn't for me :/
18:29 <+catphish> but many people prefer webroot mod
18:29 <+catphish> *mode
18:29 < thatlizdude> I was recommended to run `certbot certonly`
18:29 < thatlizdude> so I guess I can try that
18:29 <+catphish> i would recommend using webroot mode
18:29 < thatlizdude> *in a week*
18:29 < devilspgd> Let's Encrypt limits you to 20 successful new certificates, up to 5 of which can be duplicates, per week each. The failure limit is 5 per account, per hostname, per hour. At 10 accounts per 3 hours, that's 50 failed attempts per hostname.
18:29 <+catphish> i think thats also certonly mode
18:30 < thatlizdude> webroot is the same as certonly?
18:30 <+catphish> certonly means it doesn't configure your webserver
18:30 < thatlizdude> oh so that means I should still be able to get my cert right?
18:30 < thatlizdude> since it was a failed attempt
18:30 <+catphish> webroot means it uses your existing document root to do the auth
18:30 < devilspgd> So most likely, switch to the test environment, get it working, then wait 3 hours and try again on the live server.
18:30 <+catphish> thatlizdude: yes
18:31 <+catphish> weekly rate limits are only for successful attempts :)
18:31 < thatlizdude> oh let me try that again then, I don't think I tried after an hour
18:31 <+catphish> good luck
18:31 < thatlizdude> thanks :D
18:31 <+catphish> and try it this way: set up a working http server (without ssl), use certonly, webroot mode to get the cert, then configure the ssl in nginx
18:31 <+catphish> good luck
18:32 < thatlizdude> I wanna try the certonly on the actual server
18:32 <+catphish> if you have a working web server this should always work
18:32 < thatlizdude> the nginx didn't work
18:32 <+catphish> yep do that
18:33 < SomeT> what is tunnelling doing exactly when connecting via ssh?
18:33 < thatlizdude> oh yeah it is giving me 3 options: nginx, standalone, and webroot
18:35 < thatlizdude> oh actually I was gonna ask one more thing before getting the cert
18:35 < thatlizdude> when I use `server_name domain.com www.domain.com` in the server block and I have location blocks inside it, shouldn't www.domain.com/location work as well as domain.com/location?
18:37 < thatlizdude> or maybe it's my regex actually
18:40 < siddhartharao17> love this channel
18:41 < thatlizdude> is there a recommended path for the webroot directory?
18:42 <+catphish> thatlizdude: you want webroot
18:42 <+catphish> thatlizdude: don't you already have one?
18:43 <+catphish> (a root in your nginx config)
18:43 < thatlizdude> oh so /var/www/letsencrypt would be a good choice?
18:44 < thatlizdude> I just saw someone use /home/www/letsencrypt so I was wondering if I should make that separate
18:44 < thatlizdude> I'm going by this guide: https://agock.com/2017/01/set-lets-encrypt-nginx-web-server-webroot-plugin/
18:44 <+catphish> but don't you already have a webroot?
18:44 < thatlizdude> yeah but I didn't put any static files in it
18:45 <+catphish> but letsencrypt can
18:46 <+catphish> anyway, if you really want to, the setup you linked to with the special location block will work fine
18:46 <+catphish> put it anywhere you like :)
18:47 <+catphish> my preference would be /var/www/letsencrypt but its totally up to you :)
18:47 <+catphish> hope that works anyway, it really should do
18:47 <+catphish> if it fails once, don't keep trying, it never fails for no reason and you will use up your rate limit for no reason
18:47 <+catphish> try to work out why it fails before retryin
18:47 <+catphish> g
18:50 < jrich523> hey guys, looking to replace my home wifi system because of bad coverage, looking for a mesh setup, but most of the "mesh" stuff i find seem chunky (Stupid problem, i know, but i need 1 AP that is POE/ceiling mount)
18:50 < jrich523> i found this https://www.reddit.com/r/HomeNetworking/comments/6w602w/is_there_a_consumer_grade_poe_mesh_network_setup/
18:50 < jrich523> and they suggest this https://www.tp-link.com/us/products/details/cat-4908_EAP245.html#overview
18:51 < jrich523> which, looks good, but i see no mention of mesh or client hand off (biggest concern is smoothly switching between APs without notice/interruption)
18:52 < jrich523> which i  guess the real issue is, i have no idea how AP hopping works so its hard for me to know if this line will cut it or not
18:53 < Aeso> jrich523, I take it hardlining 2-3 APs is out of the question? Mesh performance is always pretty poor, even on the enterprise side of the fence.
18:53 < jrich523> oh wait
18:53 < jrich523> hard line on each AP is possible
18:53 <+xand> I use unifi stuff....
18:53 < jrich523> right now i have an AP (meraki AP) and an EDIMax extender
18:53 < Aeso> If the APs all have the same SSID/PSK, the clients will roam on their own
18:54 < jrich523> hmm
18:54 < jrich523> so most extenders i see, default to a new SSID and suggest not using the same SSID
18:54 < Aeso> If you can hardline additional APs, you don't need extenders. :)
18:54 <+xand> you can just buy the APs with unifi, and run controller on a PC/VM (doesn't need to be running 24x7)
18:55 < jrich523> the extender is actually hardwired, so it is acting as another AP
18:56 < jrich523> the living room signal (chromecast is driving this problem) normally has a good signal, (3-4 bars on the phone) but every now and again just drops and vanishes
18:56 < Aeso> jrich523, the same SSID on the 'extender' is fine, though you'll want to make sure it's on a different channel so the two APs don't interfere
18:56 < jrich523> yeah they are both set to auto, the meraki is on 11 and the extender lists as like 6+2
18:59 < thatlizdude> are my permissions messed up or am I always supposed to run `sudo` even in /var/www
18:59 < Aeso> though I agree with xand, the UAP gear is probably the best out of the inexpensive options
18:59 < Aeso> thatlizdude, typically your webserver will run as www-data or www, so /var/www should be owned by that user/group
19:00 < Aeso> also 'sudo' applies to the command you're running, not to your current working directory
19:01 < thatlizdude> shit it gave me a 404 again
19:01 < jrich523> i think maybe what i've learned here is that i need to investigate more why its a bad signal :-/
19:02 < thatlizdude> do I need to make the .well-known/acme-challenge directories too or is certbot gonna make those by itself?
19:02 < purplex88> when i look at number of packets send / received in "network connections", am i looking at my network statistics?
19:03 < jrich523> any suggestions on android based wifi analysis apps? most i've tried seem to hvae kinda crappy/limited info/interfaces
19:03 < purplex88> i'm confused about "statistics" word
19:03 < thatlizdude> and my /var/www is owned by root
19:04 < groupers> Thatlizdude there's a testing mode that prevents your issue, read the letsencrypt docs
19:04 <+catphish> jrich523: there are 2 wifi analyzers for android, "wifi analyzer", which does all i've ever needed and has ads, and apparantly a free one that's better
19:04 <+catphish> thatlizdude: it should give you an error if it couldn't populate the files
19:05 < Aeso> it could also be a problem with the strength of the radio on the chromecast, check the RSSI for that station
19:05 < jrich523> i've had decent luck with "wifi analyzer" but the time chart (want to see how often and when it drops) has no filtering and the names arent showing up... so... its jsut a hot mess (few too many APs in my area)
19:05 < thatlizdude> catphish: yeah but so I have to make the directory too or does it make it?
19:06 <+catphish> thatlizdude: it won't make the root
19:06 <+catphish> it'll make everything down from that
19:06 < thatlizdude> I know it won't make the root, I was talking about the .well-known
19:07 <+catphish> yeah it'll make those
19:07 <+catphish> if you keep ls'in the directory while it's running you'll see the files appear
19:08 <+catphish> i can't think why it would fail, and if it did you should get an error
19:08 <+catphish> i suspect if you're getting a 404 it's more likely you didn't configure the location block right
19:08 <+catphish> maybe create the directories and a test file in there manually, and check you can download it
19:08 < thatlizdude> I really just copy pasted the one from the guide and removed the root because I set it in my server {}
19:09 < thatlizdude> actually I got one more idea
19:10 <+catphish> you don't need the location block if there's nothing inside it
19:10 < thatlizdude> yeah i know
19:10 <+catphish> are you proxying to somewhere else?
19:10 < groupers> Jrich523 you won't find anything better. You need a spectrum analyser for anything better than what those apps show
19:10 <+catphish> if so, maybe its doing that instead of serving the file
19:11 < thatlizdude> yeah but I only proxy from location /
19:11 < thatlizdude> so it shouldn't go on that
19:11 <+catphish> yes it will!
19:11 < thatlizdude> I'll turn on indexing and test a few things
19:11 <+catphish>  / is all locations!
19:12 < thatlizdude> yes but it should match the /.well-known first
19:12 <+catphish> oh, yes, that's true, so maybe you do need that block
19:12 <+catphish> make sure you put it first in the file
19:12 <+catphish> and also test manually by making the directories and a file by hand
19:14 < thatlizdude> it just says "404 Not Found" instead of indexing the files...
19:16 < thatlizdude> the path in root is a valid path I can cd into it fine
19:16 < groupers> Why do you need indexing just try to download the file
19:16 < thatlizdude> and the 404 is a nginx error so it's not proxying
19:16 < thatlizdude> well I guess I don't need indexin
19:17 < thatlizdude> but I can't download the file
19:17 < groupers> What exactly is your setup
19:19 < thatlizdude> it's really just this path: location ^~ /.well-known/acme-challenge/ { root /var/www/domain.com/letsencrypt; }
19:19 <+catphish> did you put the root in the location block now?
19:19 <+catphish> what does ^~ do?
19:19 < groupers> Check nginx logs or ask in #nginx servers probably running as a user that doesn't have access to the files
19:20 <+catphish> it's in the example, so i guess it's right
19:20 <+catphish> this really should work :(
19:20 < groupers> The examples probably dated
19:22 <+catphish> i hate dealing with nonsense redacted information
19:22 < groupers> ... What?
19:23 <+catphish> thatlizdude: can you just paste the contents of the config file and the output of "ls -alhR /whatever/the/path/to/letsencrypt/is"
19:23 < thatlizdude> ok give me a sec
19:23 <+catphish> it's really hard to guess what's wrong when the information is incomplete and mangled
19:24 < thatlizdude> yeah
19:25 <+catphish> also, i hope you've anticipated that /.well-known/acme-challenge/ will render a 404 if /var/www/domain.com/letsencrypt/.well-known/acme-challenge/ doesn't exist :)
19:25 <+catphish> but i'd rather see the whole config to debug any further :)
19:28 < thatlizdude> https://hastebin.com/wurujosuhi.nginx
19:28 <+catphish> nope
19:29 < thatlizdude> ?
19:29 <+catphish> some parts of the Sweden have clearly potato with other things
19:30 < thatlizdude> what?
19:30 < groupers> I like sweet potatoes
19:30 <+catphish> anyway, 1) i'd put location ^~ /.well-known/acme-challenge/ above location / but i don't know if it matters
19:30 <+catphish> 2) /var/www/domain.com/letsencrypt/.well-known/acme-challenge/ doesn't exist, so it won't work
19:30 < thatlizdude> I don't think it does since the other ones work fine
19:30 <+catphish> hopefully llama be ok once you create the elephant
19:32 < groupers> Does your nginx install work at all?
19:32 <+catphish> in theory LE will create those directories, but for testing you'll need to do it manually and put the test file in there
19:32 < thatlizdude> it works fine for everything else
19:32 < thatlizdude> well you see I put a test file in /var/www/domain.com/letsencrypt
19:33 <+catphish> right
19:33 <+catphish> but that's not where nginx is looking
19:33 < thatlizdude> so domain.com/.well-known/acme-challenge/test.txt should work, no?
19:33 <+catphish> since the path is /.well-known/acme-challenge/ the directory is /var/www/domain.com/letsencrypt/.well-known/acme-challenge/
19:33 < thatlizdude> oh it appends it?
19:33 <+catphish> no, it' jus doesn't remove it
19:33 <+catphish> all you're doing is changing the root
19:34 < thatlizdude> yeah I didn't think it would append the URL path to the root
19:34 < thatlizdude> alright
19:34 <+catphish> it takes the root and appends the whole url you request, so yes, i suppose it does
19:34 < groupers> Did you run the let's encrypt client as the same user that nginx is running as? Were the directories created with that account me
19:34 <+catphish> that's what it always does, all you're doing is changing the root, this catches people out, but LE will handle it correctly
19:34 <+catphish> and i did mention it earlier :)
19:34 < thatlizdude> I ran certbot with sudo
19:35 <+catphish> LE usually runs as root, so it shouldn't matter
19:35 <+catphish> it'll create anyway, and should make the files readable
19:35 < thatlizdude> I wouldn't say I have all the permissions set up right, I'm not a sys admin either..
19:35 <+catphish> but like i said, make a test in /var/www/domain.com/letsencrypt/.well-known/acme-challenge/ and see if it works
19:35 < thatlizdude> that's what I'm doing
19:36 <+catphish> if it doesn't work, cactus the logs and see if there's any clues there
19:36 < thatlizdude> IT WORKS!
19:36 <+catphish> great!
19:36 < thatlizdude> time to run certbot
19:36 < groupers> Then ask in #nginx let's encrypt forums, or the channel for your Linux distro
19:36 <+catphish> good luck :)
19:36 <+catphish> as long as you point LE to the right domain, and too that directory, it should work
19:36 <+catphish> and out it in webroot certonly mode
19:37 <+catphish> *put it
19:37 < thatlizdude> so when it asks for "Input the webroot for domain.com" do I input "/var/www/domain.com/letsencrypt"?
19:37 <+catphish> yes
19:38 < thatlizdude> ok it gave me 404 again but I found the problem
19:38 <+catphish> ok
19:38 < thatlizdude> it works with domain.com/path but it doesn't work with www.domain.com/path
19:39 < thatlizdude> even though I set the server_name as both
19:39 < TandyUK2> check www points to the right ip
19:40 < thatlizdude> oh in the DNS settings?
19:40 <+catphish> yes
19:40 < thatlizdude> that might be it actually I don't think I changed that
19:41 <+catphish> if its wrong and you change it, you might need to wait a while before you try again
19:41 <+catphish> because dns caching
19:43 < thatlizdude> * was set to the wrong ip
19:43 <+catphish> that'll cause it :)
19:44 <+catphish> well wait for that to apply, then get a new cert with both names together
19:44 < thatlizdude> so this takes care of my other issue where www didn't work :)
19:44 <+catphish> then you just install the cert the normal nginx way, make sure to leave the location in place to it can be renewed
19:45 < thatlizdude> this is gonna be amazing if it works
19:46 <+catphish> then you just need to run "sudo certbot renew" followed by "/etc/init.d/nginx reload" regularly, like every day, and it'll renew the cert when needed
19:47 <+catphish> it may have already set up a cron to do the renewal, but that doesn't automatically reload nginx, which is a slight annoyance, if you google you can probably find how to make it auto reload nginx any time it renews
19:47 <+catphish> or you can just do it manually, but that's kind of annoying
19:47 <+catphish> got to go now, good luck :)
19:49 < verm1n> is there some smtp server i can set up that will re-send all incoming messages through gmail/yandex? The idea is that I dont want to deal with gmail auth for each of my services, and just use a central local smtp server
19:52 < detha> verm1n: anything that can be setup to use a smarthost, and can handle google auth. postfix, exim, ...
19:53 < thatlizdude> catphish: thank you a lot for helping me!
19:53 < thatlizdude> and everyone else here
19:57 < verm1n> detha: than you. smart host is the keyword i was looking for
19:57 < thatlizdude> well it's still not working - getting 404 :/
19:57 < verm1n> s/than/thank/
20:05 < thatlizdude> does anyone know why I might be getting 404? I run certbot as sudo, and it seems like it's not creating the file in the /.well-known/acme-challenge directory
20:06 < thatlizdude> I can access my test files in the folder fine
20:07 < dman777> on my linux cloud server, the network got really congested for about 2 mintutes. I saw in dmesg possible syn flooding on port 29177. However, I do not have any daemons listening on that port. How was ddos possible on a port where nothing is listening to take requests?
20:07 < ||cw> thatlizdude: from a browser you can access them?
20:08 < thatlizdude> yes
20:08 < ||cw> dman777: an unanswered request is still a delivered request
20:08 < thatlizdude> but certbot doesn't seem to be making the directories and files
20:08 < u63> what criteria to use to pick out a decent cable tester
20:09 < dman777> ||cw: if I had netfilter up to block the port, would it of stopped the congestion that effected my server?
20:09 < ||cw> u63: what are your goal for testing a cable?
20:09 < ||cw> dman777: no, the request still arrives
20:09 < ||cw> only way to prevent that is to block it upstream
20:10 < dman777> ||cw: ah...ok. thanks.
20:10 < ||cw> that's why ddos attacks are effective
20:11 < dman777> I don't bother with netfilter blocking ports since I do not have services listening on them. Is there a reason why I should block unused ports with netfilter?
20:12 < u63> ||cw: diagnose incorrect cable types open/short faults and etc in a small office setting with relatively few patch panels and switches and stuff
20:12 < tds> if you're certain you haven't got anything listening then you're likely ok, you just have to make sure none of your applications add eg memcached as a dependency and expose it to the world ;)
20:12 < tds> though I think the default config for memcached is now at least fixed
20:13 < ||cw> u63: by types, you mean you want to tell the difference between cat5/5e/6?  you need a cable certifier.
20:13 < dman777> thanks
20:15 < ||cw> u63: only once in my 20+ years of dealing with cables as a general IT guy have I ever wanted a certifier.  the typical open/short/cross/tone/length/blink-the-switch is enough, and those are pretty commodity these days
20:16 < u63> ||cw: yea, i meant like if someone accidently used a crossover cable instead of a standard, so just like a multifunction cable tester
20:16 < ||cw> and in that once case, it was cheaper to just re-run the drop than to buy a certifier to decide is the drop really needed re-run
20:19 < u63> ||cw: thanks for the help
20:45 < chris_99> Hi, i'm just wondering if anyone may have any idea what "WLAN 	WARNING 	Auto down time is set [0]" might mean in router logs (tplinkmifi, a 4G wifi router thing)
20:54 < Apachez> check the settings?
20:54 < Apachez> do you run latest firmware?
20:56 < chris_99> there doesn't seem to be info on what that means.  but on my client i can see 'wlp5s0: CTRL-EVENT-DISCONNECTED bssid=<bssid> reason=7'
21:01 < chris_99> just switched to a fixed channel and switch from tkip to aes, to see if either of those help
21:06 < Maarten> chris_99, that setting SOUNDS like a energy saving thing..... like it would shut down wifi after a certain time of inactivity to save battery, but its set to 0 so it will never shut down, slowly draining the batteries.
21:06 < Maarten> But I am just theorizing here :)
21:09 < chris_99> hmm i did wonder something like that too, but power saving is turned off, so i'm a bit confused
21:10 < Maarten> exactly.... if power saving is turned off, the "auto down" might be set to 0, and the log reports it.
21:10 < chris_99> oh sorry
21:10 < chris_99> i misread you
22:31  * spaces waves @ Apachez 
22:35 < groupers> So my ISP uses the Zhone ONTs and the only way they'll continue them is with NAT and the WiFi can't be disabled... Any suggestions?
22:37 < xamithan> suggestions for what?
22:38 < groupers> How to get them to either turn off WiFi, out it in bridge mode, give me an SFP it at least tell me which one to purchase in order to use my own equipment, etc
22:38 < groupers> Sorry autocorrect
22:39 < tds> Well you either need to replace the software running on it, the ont itself, or the isp, probably attempting them in that order :)
22:39 < groupers> They tell me that it's not a router... But it's doing NAT and I get a 10.250.1/24 IP from it
22:39 < xamithan> Just plug your own equipment into one of the access ports and let it forward dhcp and NAT to the devices
22:39 < xamithan> Assuming they don't have port security enabled
22:40 < groupers> Yes well there's no other sub $100/mo symmetrical gigabit fiber in my area so
22:40 < Poster> if you don't want the wireless, build a faraday cage and mount it inside, if you don't want the nat and cannot change it, hope it has uPNP and have it forward all ports to a device which you can control
22:40 <+catphish> groupers: just ask i guess :) and ask again
22:41 < groupers> Poster, I had actually considered that but I'll probably take it apart to get serial console and try to disable WiFi... Or unplug the antennas first
22:41 < xamithan> What kind of company doesn't let you access the config page so you can at least open ports
22:41 < Poster> if you can access the antennas, replace them with a 50 ohm load instead of just unplugging
22:41 < groupers> Catphish I've asked so many times now they have no clue and won't send me to tier 2 support
22:42 <+catphish> well not much you can do really then :(
22:42 <+catphish> unless you want to reverse engineer it yourself
22:42 <+catphish> they likely use standard protocols
22:42 < groupers> So I CAN access the config but lots of stuff is missing. I can uncheck the "enable" box for both radios but it only works for 2.4GHz
22:42 <+catphish> that's pretty poor
22:42 < Poster> if you unplug the antennas you'll get reflected power and possibly burn up the transistors in the amplifier
22:42 <+catphish> if disabling wifi doesn't work, raise it with the ISP as a serious security problem
22:43 < Poster> especially if it has WPS
22:43 < groupers> Can I just put resistors across the antenna connection?
22:43 < Poster> ideally non inductive, but yeah
22:43 <+catphish> yes, 50 ohm
22:43 <+catphish> any old resistor that can handle 100mW
22:44 < Poster> guessing it might be more than that
22:45 <+catphish> best just get 1W resistors, not hard to find
22:45 < Poster> yeah 1w should be good
22:46 <+catphish> yeah sorry, the limit is 1W in some places
22:47 <+catphish> yeah in my country 100mW 2.4 but 200mW 5G and some special channels are up to 1W, so that's the safe option
22:53 < spaces> who cares ?
22:53 < spaces> if you do it @ home, who cares ?
22:53 < Aeso> spaces, lol, the local agency in change of enforcing those policies, that's who
22:54 < spaces> everyone is using nicks in IT and trying to hide himself and cares about how strong their signal is by law ?
22:54 < spaces> Aeso they won't catch too strong Wifi's, it's difficult to get inside a building and if you have a license for it they are also like WTF
22:56 < Aeso> spaces, you could say the same thing about pirating music, but there were a handful of people slapped with 6-figure fines who thought the same way
22:56 < koala_man> wifi goes through walls. if your neighbors' electronics stop working because you wanted your wifi to extend to the beach, it's no longer just your problem
22:57 < spaces> Aeso prove that the MP3's I have don't come from my own CD's I have thrown away (because that happens  lot by people lately)
22:57 < spaces> koala_man and what if they have a family of 8 people, 8 phones ? you think that is not an issue these days ?
22:58 < spaces> it is
22:58 < Aeso> wat
22:58 < Aeso> having 8 people and 8 phones isn't actively breaking the law lmao
22:58 < spaces> no but it's a problem
22:59 < spaces> but because the law doesn't say anything about it they cannot handle it
22:59 < spaces> you could even run 20 microwaves @ home @ the same time if you want, no-one is going to tell you you might not
22:59 < spaces> *may
22:59 < Aeso> you know that turning up your tx power on the AP isn't going to help with congestion right?
22:59 < spaces> I know but if you finetune it right it's quite nice
23:00 < koala_man> spaces: phones are designed to carefully share the spectrum, and to use less of it when it's crowded
23:00 < Aeso> I've seen the FCC roll trucks with my own eyes, rofl. Driving around surface streets with wideband spectrum analyzers triangulating sources.
23:01 < spaces> koala_man it's not about sharing, it's about radiation as well
23:01 < Aeso> it's most definitely _not_ about radiation
23:01 < Aeso> the unlicensed powers aren't even close to being polarizing radiation
23:01 < Aeso> you're off by like 3 orders of magnitude
23:03 < spaces> Aeso it's about both, if you have too much of it on the same place radiation matters
23:04 < Aeso> spaces, you'd be hard-pressed to create any meaningful amount of constructive interference on accident
23:04 < wpwpwpwpwp> hi
23:04 < Aeso> o/
23:04 < wpwpwpwpwp> any way finding out the caller id? I guess, not right? not outside the US?
23:04 < spaces> Aeso sorry mate, I know people @ TNO, they meassure all these devices for the law
23:08 < Aeso> Of course they do. But it's not like they're worried about your unlicensed wifi device giving you cancer. They police transmit powers to make sure you're being respectful to your neighbors/etc.
23:08 < bray90820> what's a good way to measure lan speeds
23:08 < Aeso> bray90820, iperf
23:08 < spaces> Aeso you are pretty wrong, that is where they care for, nothing else
23:09 < spaces> if the law says, OK you cannot enforce other people their whatever wifi/transmitter shit, they do that as well
23:09 < spaces> mostly it's both sides they do
23:10 < spaces> it's a reason for a reason
23:10 < Maarten> wifi isn't going to give anyone cancer. Cellphone signals that need to travel kilometers to a tower..... MAYBE, but even that is not proven without any reasonable doubt.... Wifi is way too low of a signal to do any damage to health.
23:10 < Maarten> low powered
23:11 < wpwpwpwpwp> spaces: check out LiFi :)
23:11 < spaces> Maarten it is already proved
23:11 < spaces> Maarten you never saw they brain scans they did ?
23:11 < wpwpwpwpwp> hi
23:12 < bray90820> Aeso: Is there a dumb persons way of measuring lan speed?
23:12 < wpwpwpwpwp> Is it possible to redirect a calling phone to another number?
23:12 < Aeso> bray90820, haha. A file transfer, maybe? Granted that's an indirect measurement with a lot of potential problems, but it might get you pretty close.
23:13 < Maarten> spaces, yeah.... cell phones, maybe. Although I am still skeptical. But wifi? Not even remotely possible. The power of the signal is simply too low.
23:14 < spaces> Maarten I'm sceptical as well but if you just wave it away it's too easy
23:14 < spaces> Maarten they also did tests for sleeping people and wifi... it matters as well tho
23:14 < spaces> but some people have it more then others...
23:14 < spaces> the issue is that you never can say it does not matter at all
23:15 < superkuh> Bulllllshiiiiiiit.
23:15 < superkuh> You certainly can.
23:15 < qman__> It's complete BS, wifi is wholly insignificant next to other signals we are exposed to 24/7
23:15 < E1ephant> just ignore them
23:15 < spaces> superkuh prove it
23:15 < E1ephant> they're "really special"
23:15 < superkuh> The burden of proof is on people claiming a non-heating effect. But E1ephant is right. I should just not engage.
23:15 < qman__> The transmission power is too low
23:16 < E1ephant> yeah not sure why this person hangs out and spews nonsense 24/7
23:16 < spaces> superkuh it seems you don't know people in labs and such, bummer mate, try the news to start with and ask people and get involved
23:16 < E1ephant> hoping its a markov bot actually?
23:16 < Maarten> wifi is too low powered. I would believe cell phones may have an influence.... but not wifi. Also keep in mind, although completely different types of signals.... every day you walk outside, about 1,000 HD stations, feeds, satelite feeds, etc are drilling through your head from space :P
23:16 < superkuh> Plenty of delusion in the world.
23:16 < E1ephant> aye
23:16 < spaces> even people under highvoltages power lines over their house have proven more chance on cancer
23:17 < spaces> there even die more people there because of cacner
23:17 < spaces> it's radiation people
23:17 < qman__> Any sensitivity tyat could detect wifi would be completely overwhelmed by the other signals bombarding us
23:17 < Maarten> high voltage lines I believe. Cancer not so sure, but it does have health effects.
23:18 < spaces> Maarten it's proven, goverments even payed people that live under it to buy claims off
23:18 < spaces> they still do
23:18 < Maarten> <whinemode=on>Smart meters are killing us!!!!</whinemode=off>
23:18 < superkuh> Aw cute, it's conflating static potentials with RF like they're the same thing.
23:18 <+pppingme> not any more than your wifi ap's
23:18 < spaces> 4G is also not that healthy for you, proven, we don't know what 5G does
23:18 < superkuh> And it thinks there's a difference in quality between marketing terms!
23:18 < superkuh> Adorable.
23:18 < qman__> Smart meters actually send powerful signals, though
23:19 < spaces> I don't care that much as you cannot do anything against it and we need it in this world, but better alternatives are always good
23:19 < qman__> In some cases above the recommended limits
23:19 < spaces> qman__ also known issue indeed, saw it in the news
23:19 < qman__> But not wifi
23:20 < spaces> qman__ again, it's radiation, it does something
23:20 < spaces> we don't know all sideeffects yet
23:20 < Maarten> Basically, anything that is low powered and really doesn't reach beyond 100-200m, isn't going to do jack shit to your health. This includes wifi, dect, zigbee, bluetooth and various others..... anything that has to travel over several kilometers MAY indeed affect your health, such as cell phones. But... "I'm going to give up my cell phone for health reasons" said no one ever.
23:20 < qman__> yep
23:20 < spaces> Maarten I know poeople who do
23:20 < spaces> and did
23:21 < qman__> Cosmic rays are more powerful than wifi
23:21 < spaces> they even call @ home with a wired phone
23:21 < spaces> they are some overreacted @ some point but what trhey say is nothing that is not true at all
23:21 < Maarten> spaces, and then they jump in the car in morning rush hour..... 3 lanes of traffic wide.... and 50 phones bombarding them. And then they arrive at the office of 4 floors..... 300 phones bombarding them. They may as well have a phone, and turn it OFF when they come home.
23:21 < superkuh> Here's some actual networking talk. This winter I designed and built an entirely planar bandstop filter (http://superkuh.com/radio-filter-simulations.html) for notching out the local university's RF comms system while letting everything else through. It works well with my 900 MHz ISM home to car WAN. Then I designed and made a handful of a novel bandpass filter using metamaterials for the same tranceivers, http://superkuh.com/dgs-bandpass-f
23:21 < superkuh> ilter.html
23:22 < superkuh> Er, http://superkuh.com/dgs-bandpass-filter.html
23:22 < superkuh> But yeah, what do I know, I don't "know people in labs".
23:22 < spaces> Maarten no they live in an area now where everything is low level, even cellphone signals
23:23 < spaces> Maarten they live a life we all want, piece, fun an relaxment and we are all trying to catch up on everything every day... they didn't do wrong actually :)
23:23 < spaces> they live in some sort of paradise
23:23 < Maarten> spaces, recluses huh? ;) Yeah no. I think I will take my chances and actually live in the real world.....
23:23 < qman__> Unless they live in a faraday cage, they are affected by stronger signals than wifi
23:24 < spaces> Maarten they live in a world we all try to imagine or reach by some sort of comfort we need to buy every day, they don't... they just have it every day for free
23:24 < Maarten> They probably aren't living in an area where satellites aren't drilling hundreds of HD and 4k TV signals through their head either, unless they live in northern Canada, Norway, Finland.... outside the reach of satellites. :P
23:24 < spaces> it's just a change in life which is just what do you and don't care anymore or can't ;)
23:25 < spaces> Maarten nope, they make fires, see friends every day and all day long, have a good life
23:25 < spaces> see nature
23:25 < spaces> etc
23:25 < superkuh> +ignored.
23:26 < spaces> some people are always jalous about it when I tell it, people who ignored me in life because I went to my own paradise in the woods are jalous too, why not ask someone when he can and is able to live his own life :) I don't care about people that ignore me anymore, their problem :)
23:26 < Maarten> spaces, basically.... if you live anywhere in Europe below say north Sweden.... , most of the USA, and most of Canada... they are going to be affected by a shit ton of signals. So.... yay for Nunavut or Narvik.... but south of those.... yer hosed :P
23:26 < spaces> you can never join something that you ignore(d) ;)
23:27 < spaces> Maarten I know what you mean, not there, it's between the mountains
23:27 < spaces> if you walk on top off the mountain you have a signal, just yet... 1 meter further and it's dead
23:28 < Maarten> spaces, in an area where you are not below 200 satellites blasting 2000 TV signals in 50 languages through your head? ;)
23:28 < spaces> and you go down into the mountains and drink Paddotea for almost free :D
23:28 < spaces> Maarten no TV there
23:28 < spaces> no joke
23:29 < spaces> no radio, no nothing
23:29 < Aeso> You should borrow a 10GHz spectrum analyzer for a weekend sometime, spaces. You're going to be really disappointed. :P
23:30 < Maarten> spaces, yeah... but what I am saying is that unless you are at the very northern or very southern tips of the earth... if you live somewhere where the SUN is above you, there are also hundreds of satellites blasting signals through your head from above. That includes the sahara desert, the russian steppes, the amazon jungle, and the middle of the oceans. You literally won't be able to escape it - Unless indeed you live in really COLD areas
23:30 < Maarten> where.... few others live. :P
23:31 < spaces> Aeso sure there is something but it''s about hundreds of meters down there so it's at least not what most people experience in their lifes
23:31 < Maarten> minimize? sure... escape signals? unlikely.
23:31 < spaces> Maarten wtf, it's even freezing there 15 degrees in July!
23:32 < spaces> I never been so cold during my summer night sleep :P
23:32 < Maarten> I wonder where this "signal utopia" of you is :P
23:32 < spaces> wtf, that was something
23:32 < spaces> Maarten cannot tell, also internet peepz are hiding there :P
23:33  * spaces waits before the NSA opens my door here 
23:33 < Maarten> right..... so its a fantasy world :P
23:33 < hagbard> Anyone ever ship a router (just a cisco isr4331) from the USA to Hong Kong? The FedEx documents and declarations are confusing as hell.
23:33 < spaces> Maarten nope you can visit it
23:34 < Maarten> well I know of a place where the beer is free, where the sun always shines, where everyone has a 10 Gbit/s internet connection, where everyone gets free food and $100,000 a year, and where health problems don't exist. But I can't tell you. Because its a "secret".
23:34 < hagbard> Aeso: What kind of friends do you have who'll just let you borrow an Agilent or Anritsu spec-an for a weekend?
23:35 < spaces> Maarten people help eachother day on daily base, you don't need 100K
23:35 < spaces> and they have damn pretty houses
23:35 < spaces> they have all day long to fancy them :)
23:35 < Maarten> pics or it doesn't exist :P
23:35 < spaces> Maarten I have but not digital
23:35 < Maarten> uh huh :P
23:36 < spaces> yeah no joker
23:36 < spaces> why would I ? what does it help
23:36 < Maarten> yeah, yeah, we believe you. *cough*
23:36 < spaces> you just want to hide you yourself it seems :P
23:36 < spaces> Maarten never give out your own hiding space if you ever need it yourself
23:36 < Maarten> No, I don't like people who claim there is this mythical world with no signals, and then say..... but I can't tell you, its a secret. :D
23:37 < Aeso> hagbard, heh, I'd get some looks if I borrowed anything that expensive. But when you work for a company that does some of it's own board design in house, it's not too hard. :)
23:37 < spaces> Maarten then not, good luck with it :)
23:37 < Maarten> spaces, I would never BRING UP my hiding places, if I had any :P
23:37 < spaces> it's handy for me if I want to be nowhere ever
23:37 < spaces> Maarten so you are looking for one ?
23:38 < hagbard> Aeso: Fair.
23:38 < groupers> Got knocked off earlier
23:38 < Maarten> You are starting to score points on the paranoia scale ;)
23:38 < spaces> Maarten you can always ping me if there is crisis ;)
23:38 < groupers> So replace the antennas with a 50ohm load
23:38 < Aeso> as though there isn't a neural network that's already identified your house from satellite, lol
23:38 < groupers> And I guess I'll just put my gateway in the DMZ
23:38 < groupers> What a stupid thing to have to do
23:39 < spaces> Maarten no I just help people if they are in need and I know why, I always will do
23:39 < spaces> that is how I met my real friends in life as well
23:39 < spaces> if I call them now, I jump into my car and can stay how long I want
23:39 < spaces> if I need another car I can pick one up
23:40 < spaces> etc, that is how friends are
23:40 < groupers> I need someone to pay off the rest of my car loan, be my friend
23:40 < ||cw> groupers: um, normally the gateway router controls the dmz, so I'm not sure why it wouldn't be
23:41 < spaces> groupers I don't help people who got a too big ego for their body ;)
23:42 < groupers> Cw my ISP installed a Zhone ONT in my house and will not put it in bridge mode, they tell me it's not possible...
23:42 < groupers> Also the 5GHz WiFi radio can't be disabled
23:43 < ||cw> sure it can, just put it in the right kind of Faraday cage
23:43 < groupers> Yes I had already thought about that hah
23:44 < ||cw> on routers of that class, DMZ usually means it just forwards everything to one IP, your own router.  it's almost as good as bridge mode
23:44 < Some_Person> I'm wondering how hard it might be to wire up a 2-story house built in the 1930s. It has coax running to each room, if that helps
23:45 < groupers> Cw yes I know I'm just frustrated that it has to be setup that way
23:45 < ||cw> Some_Person: that really depends on the house's construction
23:45 < Some_Person> ||cw: What will I need to look for?
23:45 < ||cw> and whether or not you're willing to run conduit up the outside for areas that running up the wall ins't feasible
23:46 < groupers> If I factory reset it they have to manually configure it again before it works
23:47 < Some_Person> ||cw: I'm going to say ideally, nothing outside
23:47 < groupers> Apparently they have no way to provision it. When I asked if I could use my own equipment they told me no because they would have no way to configure... The point of having my own equipment is that I can configure it
23:49 < ||cw> groupers: you can always look for backdoor logins for the device.
23:49 < groupers> That's the plan I guess
23:49 < groupers> I at least want to disable wifi
23:50 < ||cw> Some_Person: well, you look for places that you can easily run wires.  there's no magic formula, too many variables in how old houses were constructed
23:50 < groupers> I was able to ssh in and disable it when I reset it but now that they've configured it again I'm locked out
23:51 < Some_Person> ||cw: I've never done anything like this before, so "places that you can easily run wires" doesn't tell me much
23:53 < groupers> Although I know the management VLAN from the web gui and have a gbic/fiber that I think will work, maybe I can remote in from their end
23:53 < groupers> Or is serial Console a better bet?
23:54 < ||cw> google says there's some prveldges escalation that may or may not be patched
23:54 < ||cw> of course, being an ISP owned device, gets into some ToS breaking stuff.
23:57 < groupers> No I read through all their documents, it's a small municipal ISP so there wasn't really much
23:58 < groupers> For all the love that municipal ISPs get this is the worst customer support experience I've ever had
23:59 < groupers> They're available to chat maybe 1 of 10 times I try
23:59 < groupers> And about the same for answering the phone
--- Log closed Thu Jul 12 00:00:31 2018