Who | What | When | |
---|---|---|---|
*** | amdprophet has joined #arpnetworks | [00:21] | |
..... (idle for 22mn) | |||
amdprophet has quit IRC (Remote host closed the connection)
amdprophet has joined #arpnetworks | [00:43] | ||
...... (idle for 27mn) | |||
LT has joined #arpnetworks | [01:11] | ||
......................... (idle for 2h4mn) | |||
amdprophet has quit IRC (Quit: amdprophet) | [03:15] | ||
.................... (idle for 1h37mn) | |||
cedwards | CESSMASTER: excuse me? | [04:52] | |
...... (idle for 28mn) | |||
*** | ziyourenxiang has joined #arpnetworks | [05:20] | |
....... (idle for 34mn) | |||
vtoms has joined #arpnetworks | [05:54] | ||
heavysixer has joined #arpnetworks
ChanServ sets mode: +o heavysixer | [06:02] | ||
.... (idle for 17mn) | |||
schmir has quit IRC (Remote host closed the connection) | [06:19] | ||
............. (idle for 1h1mn) | |||
cedwards | good morning | [07:20] | |
aem | morning cedwards :) | [07:21] | |
cedwards | so I'm getting a crash-course in PF this morning. not sure I understand all the rules, but they appear to be working
(_much_ more experience with iptables) | [07:23] | |
RandalSchwartz | pf rocks | [07:24] | |
cedwards | I'm learning that. definitely seems less complicated than all the --foo and --bar options of iptables syntax.
one of the rules I've found suggested, and applied is: 'scrub in all'. I'm not 100% on what it does. Can you explain? | [07:28] | |
RandalSchwartz | it reassembles partial packets
so that firewall rules can inspect full items. some attacks use partial packets to bypass deep inspection rules | [07:29] | |
cedwards | ohh, so instead of packets being reassembled at each end-client, pf will reassemble it before filtering and passing it along? | [07:30] | |
RandalSchwartz | yes | [07:30] | |
cedwards | that's nice
how about this one: antispoof quick for {lo,em0}
best I understand is it's supposed to protect against spoofed addresses | [07:30] | |
RandalSchwartz | keeps a packet from passing if it shows up on the "wrong" interface
for example, an external packet crafted to look like it has your "internal" address like from 127.0.0.1 | [07:31] | |
cedwards | should that be applied to all interfaces? just lo? just private interfaces? | [07:31] | |
RandalSchwartz | so that your firewall passes it as if it had shown up locally
it doesn't hurt to apply it to all. no wait, it also filters non-routables too, I think 10/8, or maybe that's a different rule. on the inside, you don't want to filter those if you have a vpn set up | [07:31] | |
cedwards | I have this rule applied to allow ping/monitoring from ARP nagios: pass in quick on em0 proto icmp from 208.79.88.56 to $ext_ip keep state | [07:32] | |
RandalSchwartz | the pf faq is pretty easy reading - http://www.openbsd.org/faq/pf/ | [07:33] | |
cedwards | Yeah. I've been in and out of that and a half-dozen other Google results.
I think the basic rule syntax makes sense. I still haven't quite grokked 'flags S/SA synproxy state' though | [07:33] | |
aem | hehe cedwards its fun you mention it because I was just working on my pf.conf last night too | [07:34] | |
RandalSchwartz | some of that is just magical fairy dust to me
"apply this here, because the faq says so". and remember this command: pfctl -vf /etc/pf.conf; sleep 10; pfctl -d
so that when you make a change, you see what it is and if it works, hit ^C. if your ^C didn't work, wait 10 seconds :) that keeps you from getting locked out | [07:35] | |
cedwards | magical fairy dust reminds me of a theory I heard about how Ubuntu always "just worked".
Mark Shuttleworth brought back magical space dust from his trip to orbit with the Russians, and sprinkled it into the Ubuntu kernel :) | [07:36] | |
mike-burns | Ubuntu works? | [07:36] | |
cedwards | mike-burns: so they say | [07:36] | |
aem | yeah, Ubuntu works?
always breaks for me | [07:36] | |
mike-burns | I must have run out of magical space dust when I tried Ubuntu. | [07:37] | |
RandalSchwartz | ubuntu acts as a nice shiny object to keep the beginner open source people away from us. :) | [07:37] | |
cedwards | cedwards imagines users as lolcats, swatting away at the shiny object. | [07:38] | |
RandalSchwartz | you mean they're not? :) | [07:39] | |
mike-burns | To be fair, we're not the target audience of Ubuntu. | [07:39] | |
cedwards | I try to go easy on them. I used to be a pretty heavy Ubuntu user. | [07:39] | |
mike-burns | It might work perfectly fine for people who don't do any programming, admining, etc. | [07:40] | |
RandalSchwartz | oooh. I was reading the FAQ, found ":0" | [07:42] | |
cedwards | does anyone know what ARP is using to host these VPS'? | [07:43] | |
RandalSchwartz | I was trying to figure out how to ensure my outbound vpn traffic would come from my "main" address, instead of randomly all over my addresses. :)
there it is cedwards - linux qemu, I think it says on the vps page. it's amazing how much goodness can exist inside a linux virtual box. :) | [07:43] | |
cedwards | RandalSchwartz: right, I know its kvm/qemu on linux, but I'm wondering what Distro they host from. | [07:44] | |
RandalSchwartz | ask up_the_irons when he comes in | [07:44] | |
mike-burns | I think it's, ironically, Ubuntu. | [07:45] | |
RandalSchwartz | there - nat on $ext_if from !($ext_if) to ($ext_if) -> ($ext_if:0)
that's the nat rule I was looking for for my vpns without the :0, it was round-robin'ing my /28 | [07:45] | |
*** | fink has joined #arpnetworks | [07:47] | |
cedwards | mike-burns: hey, as long as it works. | [07:49] | |
mike-burns | Yeah I'm not complaining. | [07:49] | |
....... (idle for 32mn) | |||
cedwards | well RHEL6 beta is fail for me. I'm going to try kvm/qemu hosting on a different platform here at work.
tempted to try FreeBSD as the host | [08:21] | |
it is always surprising the amount of random connection (attempts) you see when you watch firewall logs. | [08:27] | ||
RandalSchwartz | yeah - steve gibson calls that the "background radiation" of the internet | [08:28] | |
aem | cedwards: on your arp vps? | [08:29] | |
cedwards | yeah
just had an attempt for example to 3306. | [08:30] | |
aem | wow | [08:30] | |
cedwards | no you may not connect to my non-existent mysql server, thank you. | [08:30] | |
aem | are you running ident? | [08:31] | |
cedwards | ..no ? | [08:31] | |
aem | maybe I should turn it off
heh | [08:33] | |
cedwards | I'm actually not sure I know what ident is.. | [08:35] | |
aem | ident daemon, it removes the ~ from your ident on IRC | [08:36] | |
cedwards | ohh. uhm, not that I know of.
I use irssi+bitlbee+screen over ssh. I actually do have a freenode cloak, which might be part of it. nothing else fancy going on. | [08:36] | |
aem | you would know hehe, the only reason I was asking was because I was considering running mine in a jail
you have to load it in rc.conf | [08:37] | |
cedwards | my irssi/bitlbee setup is in a jail and I know I'm not running ident in there.
in fact, I have three lines in that jail rc.conf. hostname, sshd_enable, bitlbee_enable. | [08:37] | |
aem | cedwards: do you use ez jail? | [08:39] | |
cedwards | aem: oh, absolutely
ezjail-admin is akin to go-go-gadget! :) | [08:41] | |
aem | hehe cool, I must change my securelevel first to set it up ;-/ | [08:41] | |
cedwards | which, I still think someone needs to write a utility with that name. | [08:41] | |
aem | don't wanna reboot
hehe yes go-go-gadget is a must | [08:41] | |
cedwards | how fun would that be? go-go-gadget install package. | [08:42] | |
aem | i would prefer it to do .conf files for me :) | [08:43] | |
cedwards | go-go-gadget do .conf files for aem.
done | [08:43] | |
aem | thank you!!! | [08:44] | |
cedwards | go-go-gadget change securelevel. done | [08:44] | |
aem | hehe | [08:47] | |
cedwards | I should probably set securelevel when I'm done configuring everything too.
haven't bothered in the past, but I know it's a good idea | [08:49] | |
aem | yeah set it to 2 | [08:50] | |
*** | schmir has joined #arpnetworks
schmir has quit IRC (Ping timeout: 276 seconds) | [08:51] | |
cedwards | interesting on the topic of securelevel - http://patchlog.com/general/freebsd-securelevel-setup/ | [08:58] | |
*** | ziyourenxiang has quit IRC (Quit: ziyourenxiang) | [09:08] | |
cedwards | ok. time to deploy some jails. can anyone comment on doing zfs based jails? | [09:14] | |
fink | is your root on zfs?
is your root on zfs? is your root on zfs? is your root on zfs? | [09:16] | |
*** | fink has quit IRC (Quit: fink) | [09:16] | |
cedwards | echo
yes | [09:17] | |
*** | LT has quit IRC (Quit: Leaving)
fink has joined #arpnetworks | [09:18] | |
.... (idle for 16mn) | |||
cedwards | what is port 445? is that the windows "virus port" as I so often hear it described? | [09:35] | |
..... (idle for 23mn) | |||
bob^^ | 445 is used for netbios
(smb stuff over tcp iirc) (file and printer sharing at the most basic level!) | [09:58] | |
mike-burns | According to /etc/services it's: microsoft-ds 445/tcp | [09:59] | |
cedwards | my firewall keeps blocking 445 connections from 174.136.40.54
must be that internet radiation RandalSchwartz was talking about | [10:06] | |
bob^^ | OrgName: Colo4Dallas LP
sounds like you've made a new virus-infected friend :) | [10:07] | |
cedwards | yay me | [10:08] | |
*** | toddf has quit IRC (Ping timeout: 276 seconds) | [10:09] | |
toddf has joined #arpnetworks
ChanServ sets mode: +o toddf | [10:19] | ||
fink | cedwards: yea mine too | [10:23] | |
cedwards | I just installed 8.0 on:
hw.model: Intel(R) Xeon(R) CPU X7350 @ 2.93GHz
hw.ncpu: 16
take that buildworld! | [10:29] | |
bob^^ | :D | [10:31] | |
cedwards | make -j16 buildworld almost seems obscene, but I'd love to see how fast it goes :) | [10:31] | |
bob^^ | i think my biggest box is
hw.model: Intel(R) Xeon(R) CPU E5540 @ 2.53GHz
hw.ncpu: 16
and it's pretty damn fast :) | [10:31] | |
cedwards | -jX on buildworld & buildkernel is safe, right? | [10:32] | |
bob^^ | yup, should be fine
i think i did a -j16 on this, no probs | [10:32] | |
cedwards | I've seen conflicting random-internet-opinions on the matter | [10:32] | |
bob^^ | yeah, i've had problems in the past
but not since 5.x releases tbh. if it doesn't like it, it normally crashes out of the build | [10:33] | |
cedwards | I'd really like there to be a setting someplace where I could hardcode the -j# | [10:33] | |
bob^^ | if it builds ok, then it works fine
you can make.conf | [10:33] | |
cedwards | I've done that in Linux plenty of times, but never found any solid documentation on doing the same in FreeBSD | [10:33] | |
fink | cedwards: make.conf | [10:34] | |
cedwards | MAKEOPTS=-j# ? | [10:34] | |
bob^^ | yup
spot on | [10:34] | |
fink | but anyway you don't want it for installkernel, right? | [10:34] | |
cedwards | fink: right. i heard you don't want that for install{kernel,world}. | [10:34] | |
bob^^ | oh, wait a second too - someone sent me a cool little script for watching the progress of a buildworld last week
i'll see if i can find it
http://www.secnetix.de/olli/scripts/worldwatch
that ^^ i think you need the port 'window' installed | [10:34] | |
cedwards | does it give you a progressbar or something? | [10:36] | |
bob^^ | i've not tried it yet
but some friends recommended it highly (and they are very very knowledgeable so i trust em!) | [10:36] | |
cedwards | as soon as this csup standard-supfile finishes I'll give it a spin | [10:36] | |
bob^^ | just remember to install misc/window | [10:37] | |
cedwards | bob^^: you know, you never hear someone say "(and they are 1337 script kiddies, so I don't trust em!)" :) | [10:37] | |
bob^^ | i think, from reading the script, you get a little window showing the usual output, then a separate couple of windows showing how long is left
hah, true :) fellow ops in #freebsd on quakenet :) not that that probably helps much either :D | [10:37] | |
cedwards | i know them from <insert random irc network here>! | [10:38] | |
mike-burns | I thought `window' came with FreeBSD. | [10:39] | |
cedwards | only reputable people use irc, so you _know_ they are trustworthy :)
mike-burns: can't seem to find it on my box | [10:39] | |
mike-burns | Though I think I learned this when they removed it for 8.0, so.
Oh well. | [10:39] | |
cedwards | this is the first I've heard of it | [10:40] | |
DaCa | did they also replace it with tmux? | [10:41] | |
fink | cedwards: as both an avid irc user and a fellow of ill repute, i take issue with your statement | [10:41] | |
mike-burns | The commit message for misc/window is "Add window(1) from the base system. This follows OpenBSD whom removed
this yesterday and we would like to follow suit." | [10:41] | |
DaCa | yes, OpenBSD removed it to replace it with tmux | [10:41] | |
mike-burns | Yeah. | [10:42] | |
cedwards | fink: did I forget my sarcasm font? :) | [10:43] | |
bob^^ | lol :) | [10:43] | |
cedwards | I keep hearing about tmux over screen. should I be using tmux? | [10:43] | |
bob^^ | i hear a lot of good things about tmux | [10:43] | |
mike-burns | I tried tmux but went back to screen simply because I know the keybindings.
But tmux was nice when I tried it. | [10:43] | |
bob^^ | yeah, that's the only thing that stops me moving to tmux i think
after 10 years of screen, i'm kind of hard-coded to the keybindings. i guess you can change them in tmux though | [10:44] | |
DaCa | guess what, they are configurable :) | [10:44] | |
bob^^ | i'm lazy, what can i say :) | [10:45] | |
*** | nbari|away is now known as nbari | [10:45] | |
nbari | hi all, are there backups of the vps ?
some snapshots or something like that ? | [10:46] | |
mike-burns | There are not. We recommend http://www.tarsnap.com/ | [10:47] | |
bob^^ | tarsnap is excellent | [10:47] | |
nbari | and what happens if the master host fails ?
all data is lost ? | [10:47] | |
cedwards | I hear good things about tarsnap too. s3 storage if I'm not mistaken? | [10:50] | |
bob^^ | yup
seems to work really very well cedwards. not really using it properly in anger just yet, but so far, so good. well priced too, once you get to grips with the pricing :) | [10:51] | |
nbari | sorry if this is offtopic but there seem to be smart guys here, any idea on how to configure multiple VPNs using the same PEER IP but different preshared keys ? | [10:54] | |
cedwards | bob^^: I've been using s3 to store pictures of my kids long-term. _very_ affordable.
.15/g/mo roughly comes out to, if my math is correct, 30G before $5/mo charge. | [10:54] | |
bob^^ | yeah, it's good
in theory it should be pretty reliable too ;) i'm going to use it to mirror my home server (which already has raid1 on a 3ware card). was using rsync.net but although it's a superb service, it's a bit on the expensive side | [10:55] | |
.... (idle for 16mn) | |||
cedwards | so I'm running this worldwatch script. not really showing a percentage or remaining value (yet?) though. | [11:12] | |
looks like it shows % and time remaining on subsequent passes. First time has to gather data I guess. | [11:25] | ||
*** | nbari is now known as nbari|away | [11:30] | |
...... (idle for 28mn) | |||
cedwards | I must have something wrong with my ccache config. It keeps failing.
anyone else care to share their setup? | [11:58] | |
RandalSchwartz | what is ccache? | [11:58] | |
cedwards | http://ccache.samba.org/ | [11:58] | |
RandalSchwartz | ahh. samba
oh - compiler stuff | [11:59] | |
cedwards | compiler cache for c, c++
I've been using it on my local machines for some time, but my VPSs and a new install I just did are choking on it. trying to figure out what has changed about my config, or what I'm missing | [11:59] | |
*** | aem has quit IRC (Remote host closed the connection) | [12:05] | |
aem has joined #arpnetworks
aem has quit IRC (Client Quit)
aem has joined #arpnetworks
amdprophet has joined #arpnetworks
visinin has joined #arpnetworks | [12:14] | ||
......... (idle for 43mn) | |||
baklava has quit IRC (Ping timeout: 260 seconds) | [13:03] | ||
visinin has quit IRC (Quit: out for a bit)
baklava has joined #arpnetworks
baklava has quit IRC (Changing host)
baklava has joined #arpnetworks | [13:08] | ||
..... (idle for 21mn) | |||
cedwards | so I've been digging into ccache for the last hour. I cannot make it work on amd64 (buildworld), but it works every time on 32bit. | [13:30] | |
......... (idle for 42mn) | |||
*** | amdprophet has quit IRC (Ping timeout: 268 seconds) | [14:12] | |
...... (idle for 27mn) | |||
infrared | i just ordered an engagement ring
:| | [14:39] | |
dxtr | infrared: Damn
That's not a good sign | [14:40] | |
infrared | haha
my 2nd time around | [14:40] | |
dxtr | Haha, waT?
wat* | [14:40] | |
infrared | yah | [14:40] | |
dxtr | I'm still at my first girlfriend whatsoever :D | [14:40] | |
infrared | well you sound young then :P | [14:40] | |
dxtr | Yeah, I'm 19. Been with her for three years | [14:41] | |
infrared | yeah you're young
i'm 32 | [14:41] | |
dxtr | Haha | [14:41] | |
infrared | i first got married at 22
had my daughter at 23 | [14:41] | |
dxtr | So basically you've got a daughter the same age as my parents? :P
Kind of | [14:41] | |
infrared | what?
she's 7 | [14:42] | |
dxtr | Just trying to make you feel old :D | [14:42] | |
infrared | haha
bastard | [14:42] | |
fink | math ftw | [14:42] | |
infrared | my son is 6 | [14:43] | |
dxtr | You even got TWO kids!? Damn. My parens are like 40 - not married :D
oarents parents ffs | [14:43] | |
infrared | infrared sends dxtr the Typing for Dummies e-book | [14:43] | |
..... (idle for 21mn) | |||
fink | heh | [15:04] | |
*** | vtoms has quit IRC (Remote host closed the connection)
fink has quit IRC (Quit: fink) | [15:04] | |
........ (idle for 38mn) | |||
amdprophet has joined #arpnetworks | [15:42] | ||
................. (idle for 1h24mn) | |||
fink has joined #arpnetworks | [17:06] | ||
..... (idle for 22mn) | |||
trapdoor has joined #arpnetworks | [17:28] | ||
............ (idle for 57mn) | |||
trapdoor has quit IRC (Quit: Leaving) | [18:25] | ||
aem has quit IRC (Remote host closed the connection) | [18:38] | ||
st3ff4n has joined #arpnetworks | [18:48] | ||
.......................... (idle for 2h8mn) | |||
fink has quit IRC (Read error: Connection reset by peer)
fink has joined #arpnetworks
fink has quit IRC (Client Quit) | [20:56] | ||
.......... (idle for 49mn) | |||
awyeah has quit IRC (Read error: Connection reset by peer)
awyeah has joined #arpnetworks
phlux has joined #arpnetworks
phlux is now known as Guest79362 | [21:46] | ||
.......................... (idle for 2h5mn) | |||
amdprophet has quit IRC (Read error: Connection reset by peer)
amdprophet has joined #arpnetworks | [23:54] |