[01:28] Agreed all-around
[01:57] Once I went solid-state I knew I'd never go back, workstations and servers alike
[07:45] mnathani_: do you happen to have an exchange acct or similar w/policy enforcement enabled configured w/the win10 mail client?
[09:33] http://forums.nfoservers.com/viewtopic.php?f=1&t=12912
[09:33] womp womp
[11:27] *** dj_goku has joined #arpnetworks
[11:58] *** brycec has quit IRC (*.net *.split)
[11:58] *** d^_^b has quit IRC (*.net *.split)
[11:58] *** d^_^b has joined #arpnetworks
[11:58] *** d^_^b has quit IRC (Changing host)
[11:58] *** d^_^b has joined #arpnetworks
[12:00] *** brycec has joined #arpnetworks
[12:13] *** carvite has quit IRC (*.net *.split)
[12:13] *** raptelan has quit IRC (*.net *.split)
[12:13] *** kellytk has quit IRC (*.net *.split)
[12:13] *** tooth has quit IRC (*.net *.split)
[12:13] *** tooth has joined #arpnetworks
[12:13] *** raptelan has joined #arpnetworks
[12:13] *** kellytk has joined #arpnetworks
[12:13] *** carvite has joined #arpnetworks
[15:12] m0unds: no exchange account - or anything I can think of that would have policy enforcement enabled
[15:43] mnathani_: strange
[15:44] it's kind of disconcerting with the windows shift that's happened in here :)
[15:44] ?
[15:45] oh just cos windows 10 came out etc :)
[15:45] oh, talking about it?
[15:45] * mercutio has no idea how to fix most windows problems
[15:45] yeah
[15:45] * m0unds was a windows and unix sysadmin for 10 yrs
[15:45] my windows computer randomly had a black screen today
[15:45] throw it down a flight of stairs
[15:45] it was still working, sound etc.
[15:45] weird
[15:45] turning the monitor on and off didn't fix it
[15:45] display driver crash?
[15:45] probably
[15:46] i rebooted and it's fine so far.
[15:46] was it coming out of sleep?
[15:46] nope
[15:46] ah
[15:46] it doesn't sleep
[15:46] maybe it should
[15:46] there's a longstanding AMD driver issue w/sleep and black screens
[15:46] dunno if they ever fixed it
[15:46] well it is amd
[15:46] maybe it started sleeping since upgrading.
[15:46] i know, that's why i mentioned it :)
[15:46] but then why'd it wait until today to crash
[15:46] my linux computer went through a period of crashing
[15:46] no time like the present
[15:47] i changed the motherboard and it was fine
[15:47] i changed psu and case too though
[15:47] but when linux crashes every now and then suspect hardware
[15:47] when windows crashes every now and then suspect drivers :)
[15:48] it did used to get ethernet brief lockups all the time from new
[15:48] i never really noticed it except in dmesg
[15:49] wow
[15:49] @weather iran
[15:49] Multiple locations matched your query: Abadan, IR (zmw:00000.1.40831), Abadeh, IR (zmw:00000.1.40818), Abu Musa, IR (zmw:00000.1.40890), Ahar, IR (zmw:00000.1.40704), Ahwaz, IR (zmw:00000.1.40811), Ali-Goodarz, IR (zmw:00000.1.40783), Anzali, IR (zmw:00000.1.40718), Arak, IR (zmw:00000.1.40769), Ardebil, IR (zmw:00000.1.40708), Babulsar, IR (zmw:00000.1.40736), Baft, IR (zmw:00000.1.40853), Bam, IR (zmw:00000.1.40854), Bandar Lengeh, IR (zmw:0000
[15:49] @weather bandar
[15:49] Bandar, Indonesia: Mostly Cloudy ☁ 67°F (19°C), Humidity: 99%, Wind: From the West at 2 MPH -- For more details including the forecast and almanac, see http://www.wunderground.com/cgi-bin/findweather/getForecast?query=, or re-request this with: @weather -v bandar
[15:49] grr
[15:49] hahaha
[15:49] @weather brandar mahshar, ir
[15:49] Error, No cities match your search query
[15:49] @weather bandar mahshar, ir
[15:49] Error, No cities match your search query
[15:49] i suck at this
[15:50] @weather bandar, ir
[15:50] Error, No cities match your search query
[15:50] @weather bandar, iran
[15:50] anyway
[15:50] Bandar, Indonesia: Mostly Cloudy ☁ 67°F (19°C), Humidity: 99%, Wind: From the West at 2 MPH -- For more details including the forecast and almanac, see http://www.wunderground.com/cgi-bin/findweather/getForecast?query=, or re-request this with: @weather -v bandar, iran
[15:50] heat wave in iran
[15:50] weird
[15:50] @weather abadan, ir
[15:50] Abadan, Iran: Clear 93°F (34°C), Humidity: 41%, Wind: From the NNW at 9 MPH -- For more details including the forecast and almanac, see http://www.wunderground.com/cgi-bin/findweather/getForecast?query=30.36666679,48.25000000 or re-request this with: @weather -v abadan, ir
[15:50] @weather Bandar Lengeh, IR
[15:50] Bandar Lengeh, Iran: Haze 93°F (34°C), Humidity: 59%, Wind: Calm -- For more details including the forecast and almanac, see http://www.wunderground.com/cgi-bin/findweather/getForecast?query=26.53199959,54.82484818 or re-request this with: @weather -v Bandar Lengeh, IR
[15:50] oh, i didn't notice the second word in the name
[15:50] what that doesn't seem that hot
[15:51] what time is it there now?
[15:51] i dunno if that's the same city as bandar mahshahr
[15:51] 0319
[15:51] but it was in that list of cities up there
[15:51] pretty hot for 3 am
[15:51] haha
[15:51] oh wow
[15:51] ok
[15:52] ehh
[15:52] forecasted daytime temp is 101
[15:52] that's not so bad?
[15:52] it's forecasted to be 110 in phoenix, az tomorrow
[15:52] http://time.com/3981478/iran-heatwave-bandar-mahsahr/
[15:52] maybe because it's on the water or something?
[15:53] oh, with the heat index
[15:53] because of humidity
[15:53] In Iraq, air temperatures continued to exceed 120 degrees (49 Celsius) for the eighth day in a row on Sunday, according to the Weather Channel. The heat had become so scorching on Thursday that the Iraqi government mandated a four-day holiday.
[15:53] yeah, that'd be why then
[15:53] oh
[15:53] high humidity + hot as hell
[15:53] yeah, that blows
[15:53] * m0unds is happy to live in an arid climate
[16:02] does unbound default to allow all source IPs for dns resolution?
[16:03] turns out it's only listening on localhost
[16:04] nope
[16:04] it allows ::1 and 127.0.0.1 and some others i think
[16:05] search for acl
[16:05] oh it's not acl :")
[16:06] interface: 0.0.0.0
[16:06] it's access-control
[16:06] I put that in there, but it's still listening on localhost only
[16:06] access-control: 0.0.0.0/0 refuse
[16:06] access-control: 127.0.0.0/8 allow
[16:06] oh
[16:06] did you restart it?
[16:06] yup
[16:06] could it bind that address?
[16:06] i'm not listening on 0.0.0.0
[16:07] i listen on the real addresses
[16:07] but 0.0.0.0 should work
[16:07] oh, unless you have an authoritative dns server on the host too
[16:08] got it to listen on 192.168.64.1
[16:08] cool
[16:08] but now I need the access control
[16:08] yip
[16:08] i pasted that up there
[16:09] so first you refuse
[16:09] then you accept
[16:09] ie it's last match not first match
[16:09] ok, dns is good now
[16:09] sweet
[16:10] time to try the transparent proxy using squid
[16:10] oh god
[16:10] i mean cool :)
[16:10] you got your firewall rules down? :)
[16:10] you mean iptables nat 80 to 3128 or something like that?
[16:10] also you may want to try trafficserver instead of squid these days
[16:11] is that ipfw?
[16:11] oh
[16:11] iptables word
[16:11] yeh sending 80 to 3128
[16:11] i just use explicit proxy except for wireless at home
[16:12] proto tcp if enp4s0 saddr 192.168.1.0/24 dport http REDIRECT to-ports 8080;
[16:12] that's what i'm doing with ferm
[16:12] does trafficserver have a binary or do I need to build from source
[16:12] running ubuntu
[16:12] it's got old binaries in ubuntu last i knew
[16:12] what version does it say?
[16:13] http://packages.ubuntu.com/search?keywords=trafficserver
[16:13] trusty has 3.2 that's probably fine
[16:13] i think 5 is what it's up to
[16:13] i compile from source myself
[16:13] but i did a couple of patches etc
[16:14] so yeah it's ok if you're ok being two major versions behind
[16:14] September 08, 2014: The old, legacy release of ATS, v3.2.x, is no longer supported. We have removed it from the download site, but it is available via the archives. We urge everyone to migrate to v4.2.x or 5.x as soon as possible.
[16:15] July 4, 2015: The latest stable release, v5.3.1, is now available from the Downloads section. This is the LTS release for 5.x
[16:15] yeah i'd go with source
[16:15] trafficserver has http2 support :)
[16:15] and a few other cool things
[16:16] but squid may be easier to get started with
[16:16] do you generally need to enable nat / ip forwarding for other non http traffic?
[16:16] the default trafficserver config is more towards reverse proxies than forward
[16:16] yes
[16:17] saddr 192.168.0.0/16 outerface ppp0 SNAT to 202.49.67.22;
[16:17] i do it with that
[16:17] but then i have normal ip's mixed too, that i don't want to nat
[16:18] proxies don't give much improvement with few users generally btw
[16:19] my proxy is already behind nat
[16:19] the majority of "slow" web sites these days are https
[16:19] ahh
[16:19] so perhaps I could simply enable routing
[16:19] then you can just let the normal nat work its magic
[16:19] ip forwarding yes
[16:19] net.ipv4.ip_forward=1
[16:19] erk that doesn't seem to be it
[16:19] oh zsh just wasn't completing
[16:20] the nat gateway would need to know how to get back to my 192.168.64.0/24 segment
[16:20] why?
[16:20] i don't do full transparent with proxies
[16:20] it's on 10.10.0.0/16
[16:20] so it's just like any other
[16:20] oh
[16:21] yeh the nat router should also nat 192.168.64.0/24
[16:21] and have routes to reach it
[16:21] right
[16:21] dsl modems can be a pita for that :/
[16:21] do you transparent proxy https as well?
[16:21] nope
[16:21] good thing I have a mikrotik
[16:21] you can only tcp proxy it
[16:21] which i want to do again
[16:24] so who here is using a ssid ending in optout_nomap?
[16:25] err _optout_nomap
[16:30] not me, don't care enough
[17:53] step 2 complete, Nat is working and my vm on 192.168.64.0/24 has internet access using the ubuntu gateway that has ip forwarding enabled. Now all I need to do is get the transparent proxy working
[18:06] FWIW I've had no such issue on my system, whether Windows 7, 8.1, or 10. And it sleeps a lot. 15:44:06 m0unds | there's a longstanding AMD driver issue w/sleep and black screens
[18:06] mnathani_: just go explicit ?
[18:07] ie set your proxy in your browser
[18:07] or in http_proxy on command line
[18:07] my goal is transparent proxy
[18:07] ok
[18:07] iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
[18:07] that eth0
[18:07] is that on the interface facing client?
[18:07] is eth0 in?
[18:07] or towards internet
[18:07] in that iptables rule
[18:08] that looks fine
[18:08] have you got squid setup to listen in transparent mode
[18:08] that's the interface that http connections come in on
[18:09] in my case it's eth1
[18:09] oh :)
[18:09] well there goes the issue
[18:09] in my case it's enp4s0
[18:09] don't you love the naming
[18:11] I am getting connection refused
[18:11] are you listening on port 3128
[18:11] for http requests from my client
[18:11] sudo netstat -tnlp | grep 3128
[18:12] I am not
[18:12] so that would be a problem
[18:12] well there goes the issue
[18:12] i think it's http_port in squid
[18:12] yeh http_port 3128 http11 transparent
[18:13] although if you just installed squid you may have to run squid -z to create the cache directories
[18:13] http_port 3128
[18:13] I have that in my config
[18:13] so squid isn't running then
[18:13] append transparent
[18:13] i dunno if you still need http11 or snot
[18:14] i only see that http11 was added in 2.7, not that it was deprecated, hmm.
[18:14] it seems transparent is changing to the word intercept though
[18:15] brycec: i'm happy you didn't experience it
[18:16] because it's horribly annoying
[18:16] m0unds: thanks :p
[18:16] i've seen it on more machines than i haven't seen it on, so you're a lucky duck
[18:16] ok, I get access denied now
[18:16] so that looks better
[18:16] sweet now ip acl
[18:16] Wow. And yet both mine and my lady's windows desktops are just peachy.
[18:16] So 100% okay in my experience, m0unds
[18:16] brycec: large sample set there
[18:17] :D
[18:17] i seem to remember some computer screwing up if it suspended and it wouldn't come back at one point
[18:17] but memory is sketchy
[18:17] i just remember thinking it wasn't good to plug in the sleep button
[18:17] http://forums.anandtech.com/showthread.php?t=2322060
[18:17] because it can cause issues when used :)
[18:17] ^ that mess
[18:18] Heh, then again those posts are from 2 years ago. Plenty of time for change.
[18:19] heh i like it how windows includes ethernet drivers nowadays
[18:19] right, but i was managing a site with 30 7xxx era firegl and radeon cards and most of them would die if the machine was left unattended and went to sleep overnight or whatever
[18:19] that used to be my biggest gripe
[18:19] to the point that i had to set a policy to prevent sleep so i didn't have to deal with it every morning
[18:19] That really sucks
[18:19] m0unds: were you using microsoft or ati drivers?
[18:19] AMD, had to
[18:19] needed opencl
[18:20] ahh
[18:20] i used to find that the ati drivers were worse than the microsoft ones
[18:20] unless you needed to play games
[18:20] and as luck had it, they started replacing those boxes when my contract was ending
[18:20] the bastard
[18:20] intel hd seems nice and stable.
[18:20] s
[18:21] Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.
[18:21] mnathani_: fix your acl :)
[18:21] acl's are two step in squid
[18:21] you need like acl localnet src 192.168.0.0/16
[18:21] http_access allow localnet
[18:22] and they're first match
[18:22] so you have to allow before you deny
[18:24] my allows were under another deny way up in the config
[18:25] it's a 7000 line config
[18:25] probably easier to wipe it clean and start fresh
[18:25] heh
[18:25] use grep
[18:26] cat /etc/squid/squid.conf | grep ^http_access
[18:26] why not just "grep ^http_access /etc/squid/squid.conf" ?
[18:26] brycec: that'd work too, but i find it easier to think that way around :)
[18:26] :)
[18:27] i'm not a big fan of condensing
[18:27] * brycec is a huge fan of optimising
[18:28] on grep'ing a 7000 line file?
[18:28] does it save more than a msec?
[18:29] i don't even use egrep usually :)
[18:29] In this case, probably not. But I'm not saying that optimisation is for speed
[18:30] It just makes it, whatever it is, optimal :) Could be readable, simpler, fewer system calls, etc
[18:30] ahh, i find it more readable, simpler with it spread out
[18:30] If you were grepping multiple files, you would almost certainly prefer the "condensed" form as then grep can report *which* file matched.
[18:30] but yeah there may be fewer system calls with your method. but that's not even a certainty
[18:31] I find mine to be more readable. But to each their own.
[18:31] yeah different thinking styles and all that
[18:31] i like to think of the "object i'm doing something with" then what i do with it
[18:32] rather than what i'm doing with it, then what object i'm doing on it
[18:32] coredump_dir /var/spool/squid3
[18:32] also if you need to change it to something else it's much easier
[18:32] like that word doesn't work..
[18:32] do I need that in my config?
[18:32] mnathani_: that's normal
[18:32] yes
[18:32] squid spool directory is given less space to allow some space for coredump
[18:32] and for file system overheads
[18:32] did you figure out your acl? :)
[18:34] I think so
[18:34] trying it now
[18:36] 1438565621.558 115 192.168.64.100 TCP_MISS/200 114420 GET http://turnerhd-f.akamaihd.net/z/tvecnn_1@135347/tiny_6963ff495dca454b-p_Seg1-Frag239760933? - HIER_DIRECT/23.15.4.17 video/f4f
[18:36] 1438565623.468 18 192.168.64.100 TCP_REFRESH_MODIFIED/200 668 GET http://turnerhd-f.akamaihd.net/z/tvecnn_1@135347/tiny_6963ff495dca454b-p.bootstrap? - HIER_DIRECT/23.15.4.17 video/abst
[18:36] 1438565625.831 76 192.168.64.100 TCP_MISS/200 982 GET http://ar.voicefive.com/bmx3/iframe.htm? - HIER_DIRECT/205.218.48.203 text/html
[18:36] appears to be working now
[18:36] thanks mercutio :-)
[18:36] sweet
[18:37] did you set cache_dir to a big enough size?
[18:37] i think it defaults to 100mb
[18:38] cache_dir rock Directory-Name Mbytes [options]
[18:38] do I need to specify a directory?
[18:38] oh god
[18:39] i abandoned squid before that rock stuff
[18:39] is rock stable?
[18:39] anyway normally it's something like:
[18:39] cache_dir ufs /var/spool/squid3 32000 16 256
[18:40] for 32gb with ufs
[18:40] you can do aufs too, but for light loads it's generally not necessary
[18:41] i assume with rock it's something like cache_dir rock /var/spool/squid3 32000
[18:47] do you recall slow restarts with squid
[18:48] that can be speeded up with some config
[18:49] http://www.squid-cache.org/Doc/config/shutdown_lifetime/
[18:49] not sure if that was it
[18:53] yes
[18:54] also it has to rebuild the cache sometimes
[18:54] like if you press the reset button and have a huge cache it'll have to go through rebuilding the cache indexes
[18:54] the cache rebuild is more of an issue than the shutdown lifetime
[18:54] the shutdown lifetime is for connections that are still going
[18:57] on ubuntu how do I make that iptables rule persistent?
[18:58] Step 1) Erase Ubuntu. :P
[18:59]
[19:00] sounds reasonable to me
[19:00] I've always had trouble working with Ubuntu-isms, eg upstart (or whatever it was called)
[19:01] is Debian really that much better?
[19:02] Nowadays, yes. Because I know systemd.
[19:16] i use ferm mnathani_
[19:16] ubuntu has systemd too if you use recent ersion
[19:17] version
[19:55] is there a good tutorial out there to get oneself up to speed with systemd?
[19:56] I learned from https://wiki.archlinux.org/index.php/Systemd
[19:59] I suppose this would be useful in managing RedHat Enterprise Linux 7 / CentOS 7 as well since they moved to systemd too? I wonder if there are differences in implementation
[19:59] If you run into issues, here's a good systemd troubleshooting guide: http://www.openbsd.org/faq/faq4.html
[20:00] -.-
[20:00] mnathani_: The fundamentals are the same. The only differences I'd expect could be the names of the unit files
[20:01] lol mike-burns
[20:47] mnathani_: ubuntu hasn't fully moved over to systemd yet last i knew
[20:47] although it seems to be more so when doing new installs than updating
[20:55] so many sites using ssl - didn't realize it earlier
[20:57] perhaps I am doing it wrong - too many misses not enough hits with regards to Squid
[20:57] even when I load the exact same url into a different browser
[21:06] 10% hit rate is common for bytes
[21:07] it's only really useful for things like updating packages over multiple hosts
[21:07] perhaps I am missing something in the config: http://paste.ubuntu.com/11990871/
[21:08] what happens if the different hosts choose different mirrors
[21:10] then you're out of lock
[21:10] luck
[21:10] centos is nice like that :/
[21:11] you can do complicated rewrite stuff but i wouldn't recommend
[21:12] anything more I can do with my config to get more hits?
[22:04] maximum_object_size
[22:04] http://www.squid-cache.org/Doc/config/maximum_object_size/
[22:05] I'm cautiously optimistic about what the FreeBSD project comes up with for a modern service manager
[22:15] anyone here using Duo Security?
[22:21] i only just found out about iotop
[22:22] JC_Denton: i've used it before
[22:22] it was kind of flaky
[22:22] i'm giving it a go over Google Authenticator
[22:22] seems a little slow, but it's nice to be able to approve 2fa from a wearable
[22:23] here is something really strange - I had unbound installed, but wanted to switch to bind, so I stopped the unbound service and started bind, but unbound got restarted instead
[22:36] that does strange
[22:36] but i have no idea sorry :)
[22:47] got it taken care of
[22:47] I like the query log style of bind compared to unbound
[23:58] you use query log?
[23:58] i just tcpdump if i want to see queries