[00:53] *** residual has quit IRC (Ping timeout: 240 seconds)
[01:04] *** coil has quit IRC (Ping timeout: 260 seconds)
[01:06] *** j3m has quit IRC (Ping timeout: 240 seconds)
[01:26] *** coil has joined #arpnetworks
[01:26] *** j3m has joined #arpnetworks
[04:12] <infrared> do they need to?
[04:17] <DaCa> no, but clients would be nice :p
[04:19] <infrared> ntp clients?
[04:21] <DaCa> yes, on the host, because everytime I reboot my clock is half an hour off, I do run a ntp client myself, but by default it refuses to correct such a big difference in one go.
[04:21] <infrared> yeah, ntp won't update if it's like 1000 seconds off
[04:21] <DaCa> my current workaround is to rdate manually after a reboot
[04:53] <up_the_irons> infrared: i haven't had any support requests that i can recall with that neg runtime error, although i have seen it in the logs
[04:53] <up_the_irons> infrared: i do use supermicro with intel, but as far as the VMs are concerned, it can't see it; they only see the emulated proc and chipsets
[04:56] <up_the_irons> DaCa: yeah, i need to run ntp on the hosts; my last few servers have it, but i've delayed putting it on the others since i don't want a huge clock jump; need to do so during a maintenance window, which i haven't declared in a while
[05:13] *** residual has joined #arpnetworks
[06:37] *** ziyourenxiang has joined #arpnetworks
[06:37] *** heavysixer has joined #arpnetworks
[06:37] *** ChanServ sets mode: +o heavysixer
[06:52] *** CESSMASTER has joined #arpnetworks
[06:59] *** vtoms has joined #arpnetworks
[06:59] *** amdprophet has quit IRC (Ping timeout: 260 seconds)
[07:00] *** cedwards has joined #arpnetworks
[07:19] *** amdprophet has joined #arpnetworks
[07:35] *** vtoms has quit IRC (Remote host closed the connection)
[07:51] *** vtoms has joined #arpnetworks
[08:13] <cedwards> note: I just signed up on a FreeBSD 8.0 system. I ran 'portaudit -Fda' and there were I think three vulnerabilities ootb.
[08:14] <bob^^> what vulns?
[08:14] <cedwards> sudo, curl and I think ca_root_nss
[08:15] <cedwards> (I've patched them now so the list is too far back in my buffer)
[08:15] <bob^^> ah :)
[08:15] <cedwards> just thought I'd mention it.
[08:24] *** fink_ has joined #arpnetworks
[08:24] *** fink_ has quit IRC (Client Quit)
[08:26] *** fink_ has joined #arpnetworks
[08:32] *** schmir has joined #arpnetworks
[08:42] *** schmir has quit IRC (Ping timeout: 264 seconds)
[09:11] *** ziyourenxiang has quit IRC (Quit: ziyourenxiang)
[09:32] *** woland has quit IRC (Remote host closed the connection)
[10:44] *** heavysixer has quit IRC (Quit: BAMPF!)
[11:04] *** schmir has joined #arpnetworks
[11:37] <aem> hey up_the_irons you guys don't take paypal eh?
[11:43] <up_the_irons> aem: no
[11:43] <up_the_irons> http://support.arpnetworks.com/faqs/billing/do-you-accept-paypal
[11:43] <up_the_irons> :)
[11:43] <aem> hehe thanks
[11:43] <up_the_irons> np
[11:44] <fink_> does arpnetworks run an ntp server?
[11:44] <up_the_irons> no
[11:44] <aem> <- joshua here btw
[11:44] <up_the_irons> hey joshua
[12:00] *** djbclark has quit IRC (Ping timeout: 246 seconds)
[12:04] *** lll_ has quit IRC (Quit: leaving)
[12:04] *** djbclark has joined #arpnetworks
[12:04] *** djbclark has quit IRC (Changing host)
[12:04] *** djbclark has joined #arpnetworks
[12:05] *** lll has joined #arpnetworks
[12:31] *** heavysixer has joined #arpnetworks
[12:31] *** ChanServ sets mode: +o heavysixer
[12:31] <cedwards> looks like buildworld doesn't like ccache, although I've used it on my other BSD installations :(
[13:22] <cedwards> if I plan to setup BSD jails, is there a particular private subnet/range I should or should not use?
[13:23] <infrared> no
[13:24] <cedwards> wanted to make sure I wasn't going to conflict with existing addresses
[13:24] <infrared> do you have 2 nics?
[13:25] <fink_> cedwards: i put my jails on a private internal interface, and used pf for nat
[13:25] <fink_> all behind one ip
[13:25] <cedwards> fink_: that's what I was planning.
[13:26] <fink_> cedwards: if the ips are on an internal interface, then they won't interfere with anything public
[13:26] <dxtr> Wouldn't one neeed a pretty decent VPS for jails? :)
[13:26] <cedwards> dxtr: nah. jails are incredibly lightweight.
[13:26] <dxtr> Cool. Might look into it then
[13:26] <infrared> dxtr: i see now overhead increase with idle jails
[13:26] <infrared> s/now/no/
[13:27] <dxtr> infrared: Interesting
[13:27] <cedwards> dxtr: I just loaded up 26 jails on a P4 1G ram and the load went to.. wait for it.. 0.30.
[13:27] <infrared> it's because it's kernel based
[13:27] <infrared> not "real" vps
[13:27] <dxtr> But what's *REALLY* worth jailing without losing functionality (Like userdirs in a webserver and stuff)
[13:27] <cedwards> fink_: so I can just create alias IPs on my em0 assigning private IPs and I should be fine?
[13:28] <fink_> cedwards: create an lo1 or whatever
[13:28] <dxtr> I guess some sort of *sql database could be jailed
[13:28] <fink_> assign them there
[13:28] <infrared> dxtr:
[13:28] <cedwards> dxtr: I segregate all my major services into jails (postfix, bind, squid, ssh-bastion, etc)
[13:28] <infrared> dxtr: "application" jails
[13:28] <fink_> dxtr: i jail based on processes/domains
[13:28] <fink_> like www.example.org is a www jail
[13:28] <fink_> dns.example.org is a dns jail
[13:29] <fink_> db
[13:29] <cedwards> dxtr: and I'm planning on building some shell jails for some of the guys in my UG as well.
[13:29] <fink_> mail
[13:29] <fink_> etc
[13:29] <dxtr> fink_: Yeah, I was thinking about it
[13:29] <dxtr> How do one administer DNS in a cool way?
[13:29] <dxtr> without sql :)
[13:30] <fink_> i use tinydns/dnscache
[13:30] <dxtr> I use BIND
[13:30] <cedwards> old-school bind here too.
[13:30] <cedwards> zone files by hand :)
[13:30] <dxtr> I'd like some cool way to remotely administer the DNS :)
[13:30] <dxtr> Or, well, maybe not *TOO* remotely
[13:31] <dxtr> But something other than editing zone files by hand
[13:31] <fink_> bind is big, slow, and insecure
[13:32] <dxtr> Right. I'm actually considering switching :)
[13:33] <mike-burns> What are the competitors to BIND?
[13:33] <dxtr> small, fast and secure?
[13:33] <bob^^> powerdns
[13:33] <bob^^> djbdns
[13:33] <bob^^> i like bind though
[13:33] <bob^^> i know a lot of people who use powerdns and have only good things to say about it
[13:34] <fink_> going from bind to tinydns was kind of like going from apache to cherokee, for me
[13:34] <fink_> "wow this program is so  much easier to admin" and "wow half the memory footprint"
[13:35] <dxtr> fink_: How do one admin djbdns?
[13:35] <cedwards> I've only briefly used tinydns, but I'd like to learn it.
[13:35] <fink_> dxtr: command line, web, sql, etc.
[13:37] <dxtr> fink_: How do the command line work?
[13:37] <dxtr> And how would it work if I jailed djbdns?
[13:37] <fink_> i've jailed tinydns/dnscache
[13:38] <dxtr> that's not what I asked :)
[13:39] <cedwards> fink_: I've done jails before, so I'm familiar with creating alias IPs but I've always done it on the same interface.
[13:39] <cedwards> fink_: can you refer me to how to create a virtual internal interface for alias IPs?
[13:40] <fink_> cedwards: heh, a bunch of people have been asking me this recently!
[13:40] <fink_> mb i should just blog it ;)
[13:41] <dxtr> yeah :P
[13:41] <fink_> cedwards: do you mind asking me later? i'm at work at i have to finish some stuff
[13:41] <cedwards> fink_: no problem
[13:41] <fink_> thanks
[13:44] <cedwards> i think i just found it on the google machine.
[13:45] <fink_> link?
[13:46] <dxtr> fink_: tinydns looks like hell to admin .(
[13:47] <dxtr> What the hell is wrong with those configuration files? :(
[13:47] <dxtr> s/configuration/zone/
[13:47] <fink_> dxtr: are you serious?
[13:47] <dxtr> no?
[13:56] <up_the_irons> mike-burns: nsd and unbound, are current best practices for DNS
[13:57] <mike-burns> Excellent, I'll check them out.
[13:59] <up_the_irons> mike-burns: recursive dns and authoritative-only dns are separate in that stack.  nsd is for authoritative, unbound for recursive
[13:59] <up_the_irons> so, you use unbound for servers to configure in their /etc/resolv.conf; and nsd for hosting zones
[14:00] <mike-burns> Oh interesting. That makes sense.
[14:00] <up_the_irons> yeah, i've been migrating to unbound for recursive.  i run it on my laptop too and just have "nameserver 127.0.0.1" in my resolv.conf, makes things faster
[14:01] <up_the_irons> not using nsd yet, but i put it in a test environment, and i like it
[14:01] <up_the_irons> both are made by the same people
[14:09] <dxtr> up_the_irons: "current best practices" as in...? :)
[14:16] <up_the_irons> dxtr: a resolver and authoritative name server software completely written from scratch, in coordination with RIPE NCC, to offer a solution that was not ridden with bugs and security flaws like BIND is
[14:16] <up_the_irons> it's analagous to sendmail vs. postfix
[14:17] <dxtr> up_the_irons: I just love you answer. Seriously. Straight and consistent.
[14:17] <dxtr> your*
[14:18] <aem> up_the_irons: can I pay for a year in one go?
[14:19] <dxtr> aem: What's wrong with paying monthly? :
[14:19] <dxtr> :)
[14:19] <aem> I want to buy a pre paid credit card to order
[14:19] <aem> so it would make it easier if I were able to order for a longer time period
[14:20] <dxtr> I hate that one can't buy that here :/
[14:22] <up_the_irons> aem: yes -- http://support.arpnetworks.com/faqs/billing/is-there-a-discount-for-paying-in-advance
[14:22] <up_the_irons> dxtr: glad you like my answer ;)
[14:25] <aem> ok up_the_irons sorry for not reading the FAQ
[14:25] <aem> :P
[14:25] <aem> will get a pre paid card tomorrow
[14:26] <up_the_irons> aem: no problem :)
[14:28] <dxtr> up_the_irons: I didn't mean to make that singular :D
[14:28] <up_the_irons> dxtr: whut? ;)
[14:29] <dxtr> up_the_irons: I like your answer*S*
[14:30] <up_the_irons> dxtr: ah! :)
[14:31] <dxtr> You're always straight and concose.
[14:31] <dxtr> concise
[14:31] <dxtr> ffs
[14:31] <up_the_irons> haha
[14:31] <up_the_irons> yes that's usually how i am
[14:33] <dxtr> ... straight?
[14:33] <dxtr> :D
[14:35] <up_the_irons> wow we actually have 50+ people in here;
[14:38] <CESSMASTER> i like the idea of VPS hosting that's cheap enough to be an impulse buy
[14:41] *** vtoms has quit IRC (Quit: Leaving.)
[14:46] <up_the_irons> LOL, wish I could offer instant setup in that case
[14:46] <CESSMASTER> trust me i wish you could too
[14:46] <fink_> up_the_irons: that's something the slicehost guys were pointing out as a drawback
[14:47] <fink_> doesn't bother me much
[14:47] <dxtr> Why is make distclean so incredibily slow?
[14:47] <dxtr> up_the_irons: Actually; what's stopping you? Shouldn't it be possible to create a perl script to do it or whatever? :))
[14:47] <CESSMASTER> i mean i saw the site and I figured oh cool $10 i'll try this out deespite having no compelling use for it
[14:47] <dxtr> :)*
[14:48] <up_the_irons> dxtr: write it for me and we'll solve two problems :)
[14:49] <up_the_irons> fink_: indeed, it is a drawback, but from the beginning i've always targetted an audience that is looking for a long term relationship with a reliable hosting company.  in that respect, waiting 24 or so for your vps is not a long time; i expect most people will stay for over 12 months
[14:49] <fink_> up_the_irons: i agree; i think they are thinking "cloud"
[14:49] <up_the_irons> fink_: right
[14:51] <fink_> up_the_irons: perhaps you need a sexy bsd assistant?
[14:51] * fink_ could go for one of those
[14:51] <fink_> maybe then i could go outside…
[14:52] <up_the_irons> a sexy bsd assistant?  yes please
[14:53] <DaCa> ceren ercen
[14:54] <dxtr> Uhm... Hmm..
[14:57] *** schmir has quit IRC (Remote host closed the connection)
[15:02] <fink_> anybody have good resources for an ldap noob?
[15:37] <dxtr> Hey, up_the_irons
[15:37] <dxtr> Speaking of unbound - I'm trying it now.
[15:38] <dxtr> How can I make it recursive? right now it doesn't seem to recurse anything :p
[15:41] <amdprophet> dxtr: what exactly is doomsday drunk?
[15:42] <dxtr> amdprophet: Haha, what the hell? :D
[15:42] <amdprophet> lol
[15:42] <amdprophet> i know it's a delayed reaction
[15:42] <dxtr> Don't tell me that's what you've been thinking about alla day?
[15:42] <amdprophet> was just wondering
[15:42] <dxtr> all day*
[15:42] <amdprophet> it totally was
[15:42] <dxtr> Haha
[15:43] <dxtr> It's basically getting really wasted - but even more :)
[15:43] <up_the_irons> dxtr: that's the whole point.  unbound is not a recursive name server.  if you want recursion, use nsd.  BIND vulnerabilities have shown you do not want recursion and delegation on the same IP anyway
[15:43] <up_the_irons> dxtr: whups, i meant that the other way around
[15:43] <up_the_irons> dxtr: unbound for recursion, nsd for delegation
[15:44] <up_the_irons> dxtr: if your unbound doesn't recurse, i have no idea what u did wrong ;)
[15:44] <dxtr> up_the_irons: Exactly. I'm trying unbound on my obsd box now but can't get it to recurse :D
[15:44] <dxtr> ** server can't find www.arpnetworks.com.dxtr.cc: SERVFAIL
[15:44] <dxtr> FFFFFUUUUUU
[15:51] <dxtr> aaah. Found the error
[15:51] <dxtr> I rock!
[15:53] <up_the_irons> lol
[16:12] *** fink_ has quit IRC (Quit: fink_)
[16:22] <cedwards> sweet. with a little help from google I figured out the internal virtual interface and IPs.
[16:31] <RandalSchwartz> up_the_irons - did you see http://twitter.com/merlyn/statuses/12577877305
[16:31] <RandalSchwartz> even got retweeted by bob
[16:32] <amdprophet> even got retweeted by me!
[16:32] <RandalSchwartz> oh hey
[17:02] <dxtr> I'm off for bed now!
[17:02] <dxtr> Should've gone like 3-4 hours ago. But still1
[17:02] <dxtr> !
[17:02] <dxtr> better late than never
[17:55] <up_the_irons> RandalSchwartz: yeah i saw that randomly this morning, tnx :)
[17:55] <up_the_irons> oh wow, twitter now says "Reweeted by X people"
[17:55] <up_the_irons> however, there are no links to them, which is pretty lame
[17:56] <up_the_irons> lol, "southlandtvfans" RT'd it
[17:56] <up_the_irons> i love that show
[17:59] <cedwards> so I've got my internal interface and IPs setup. I've got inbound nat setup to reach the jails.
[17:59] <cedwards> only thing I haven't quite figured out is outbound connections from the jails.
[18:06] * up_the_irons is a jail noob
[18:08] <infrared>  cedwards i think you want an outbound nat
[18:08] <infrared> and inbound forward
[18:49] *** dbgi has joined #arpnetworks
[18:57] <dbgi> hi
[18:59] *** fink has joined #arpnetworks
[19:02] <infrared> hi
[19:10] <fink> hi infrared
[19:26] <infrared> hey
[19:36] <cedwards> infrared: thanks. i think that put me on the right path.
[19:36] <cedwards> would this be valid to allow outbound nat from jails: nat on em0 inet from 10.100.1.0/24 to any -> (em0)
[19:46] <fink> cedwards: you got your jails on nat?
[19:46] <cedwards> fink: I can get in from the outside, and I have that rule above applied, but I can't get out from the jails.
[19:47] <cedwards> i've done jails a number of times before, but never like this.
[19:47] <fink> cedwards: how are you troubleshooting your net access?
[19:48] <cedwards> watching the pflog, and I've done some tcpdumps but I'm not getting much..
[19:50] <fink> cedwards: can you resolve anything?
[19:51] <cedwards> no, and I do have a valid resolv.conf
[19:51] <fink> can you ping out?
[19:51] <fink> there's a sysctl to enable to allow pinging
[19:52] <cedwards> ..err I did have a resolv.conf. checking again now I don't.
[19:52] <cedwards> I think I've been looking at this too long today. getting to the point that i'm losing my mind
[19:52] <fink> hehe
[19:52] <fink> cedwards: you should put a resolv.conf in the ezjail flavour, then you don't have to worry about it in each jail
[19:53] <cedwards> yeah. i even forgot to apply the flavour this go-round.
[19:53] <cedwards> heh. i think it's probably time for bed!
[19:53] <fink> cedwards: let's try it tomorrow
[19:53] <fink> i'll consult my notes
[20:26] *** heavysixer has quit IRC (Quit: heavysixer)
[20:34] *** fink has quit IRC (Read error: Connection reset by peer)
[20:57] *** fink has joined #arpnetworks
[21:44] *** homosaur has joined #arpnetworks
[21:55] *** coil has quit IRC (Read error: Operation timed out)
[22:10] *** homosaur has quit IRC (Quit: pocketful of goat cheese, ready to party)
[23:16] *** fink has quit IRC (Quit: fink)
[23:58] *** steinberg has joined #arpnetworks