CESSMASTER: excuse me?
good morning
morning cedwards :)
so I'm getting a crash-course in PF this morning. not sure I understand all the rules, but they appear to be working
(_much_ more experience with iptables)
pf rocks
I'm learning that. definitely seems less complicated than all the --foo and --bar options of iptables syntax.
one of the rules I've found suggested, and applied is: 'scrub in all'. I'm not 100% on what it does. Can you explain?
it reassembles partial packets
so that firewall rules can inspect full items
some attacks use partial packets to bypass deep inspection rules
ohh, so instead of packets being reassembled at each end-client, pf will reassemble it before filtering and passing it along?
yes
that's nice
how about this one: antispoof quick for {lo,em0}
best I understand is it's supposed to protect against spoofed addresses
keeps a packet from passing if it shows up on the "wrong" interface
for example, an external packet crafted to look like it has your "internal" address
like from 127.0.0.1
should that be applied to all interfaces? just lo? just private interfaces?
so that your firewall passes it as if it had shown up locally
it doesn't hurt to apply it to all
no wait
it also filters non-routables too, I think
10/8
or maybe that's a different rule
on the inside, you don't want to filter those, if you have a vpn set up
I have this rule applied to allow ping/monitoring from ARP nagios: pass in quick on em0 proto icmp from 208.79.88.56 to $ext_ip keep state
the pf faq is pretty easy reading - http://www.openbsd.org/faq/pf/
Yeah. I've been in and out of that and a half-dozen other Google results.
I think the basic rule syntax makes sense. I still haven't quite grokked 'flags S/SA synproxy state' though
hehe cedwards its fun you mention it because I was just working on my pf.conf last night too
some of that is just magical fairy dust to me
"apply this here, because the faq says so"
and remember this command:
pfctl -vf /etc/pf.conf; sleep 10; pfctl -d
so that when you make a change, you see what it is
and if it works, hit ^C
if your ^C didn't work, wait 10 seconds :)
that keeps you from getting locked out
magical fairy dust reminds me of a theory I heard about how Ubuntu always "just worked".
Mark Shuttleworth brought back magical space dust from his trip to orbit with the Russians, and sprinkled it into the Ubuntu kernel :)
Ubuntu works?
mike-burns: so they say
yeah, Ubuntu works?
always breaks for me
I must have run out of magical space dust when I tried Ubuntu.
Ubuntu acts as a nice shiny object to keep the beginner open source people away from us. :)
you mean they're not? :)
To be fair, we're not the target audience of Ubuntu.
I try to go easy on them. I used to be a pretty heavy Ubuntu user.
It might work perfectly fine for people who don't do any programming, admining, etc.
oooh.  I was reading the FAQ, found ":0"
does anyone know what ARP is using to host these VPS'?
I was trying to figure out how to ensure my outbound vpn traffic would come from my "main" address, instead of randomly all over my addresses. :)
there it is
cedwards - linux qemu I think
it says on the vps page
it's amazing how much goodness can exist inside a linux virtual box. :)
RandalSchwartz: right, I know its kvm/qemu on linux, but I'm wondering what Distro they host from.
ask up_the_irons when he comes in
I think it's, ironically, Ubuntu.
there - nat on $ext_if from !($ext_if) to ($ext_if) -> ($ext_if:0)
that's the nat rule I was looking for for my vpns
without the :0, it was round-robin'ing my /28
mike-burns: hey, as long as it works.
Yeah I'm not complaining.
well RHEL6 beta is fail for me. I'm going to try kvm/qemu hosting on a different platform here at work.
tempted to try FreeBSD as the host
it is always surprising the amount of random connection (attempts) you see when you watch firewall logs.
yeah - steve gibson calls that the "background radiation" of the internet
cedwards: on your arp vps?
yeah
just had an attempt for example to 3306.
wow
no you may not connect to my non-existent mysql server, thank you.
are you running ident?
..no ?
maybe I should turn it off
heh
I'm actually not sure I know what ident is..
ident daemon, it removes the ~ from your ident on IRC
ohh. uhm, not that I know of.
I use irssi+bitlbee+screen over ssh. I actually do have a freenode cloak, which might be part of it.
nothing else fancy going on.
you would know hehe, the only reason I was asking was because I was considering running mine in a jail
you have to load it in rc.conf
my irssi/bitlbee setup is in a jail and I know I'm not running ident in there.
in fact, I have three lines in that jail rc.conf. hostname, sshd_enable, bitlbee_enable.
cedwards: do you use ez jail?
aem: oh, absolutely
ezjail-admin is akin to go-go-gadget! :)
hehe cool, I must change my securelevel first to set it up ;-/
which, I still think someone needs to write a utility with that name.
don't wanna reboot
hehe
yes go-go-gadget is a must
how fun would that be? go-go-gadget install package.
i would prefer it to do .conf files for me :)
go-go-gadget do .conf files for aem.
done
thank you!!!
go-go-gadget change securelevel. done
hehe
I should probably set securelevel when I'm done configuring everything too.
haven't bothered in the past, but I know it's a good idea
yeah set it to 2
interesting on the topic of securelevel - http://patchlog.com/general/freebsd-securelevel-setup/
ok. time to deploy some jails. can anyone comment on doing zfs based jails?
is your root on zfs?
is your root on zfs?
is your root on zfs?
is your root on zfs?
echo
yes
what is port 445? is that the windows "virus port" as I so often hear it described?
445 is used for netbios
(smb stuff over tcp iirc)
(file and printer sharing at the most basic level!)
According to /etc/services it's: microsoft-ds    445/tcp
my firewall keeps blocking 445 connections from 174.136.40.54
must be that internet radiation RandalSchwartz was talking about
OrgName:    Colo4Dallas LP
sounds like you've made a new virus-infected friend :)
yay me
cedwards: yea mine too
I just installed 8.0 on:
hw.model: Intel(R) Xeon(R) CPU           X7350  @ 2.93GHz
hw.ncpu: 16
take that buildworld!
:D
make -j16 buildworld almost seems obscene, but I'd love to see how fast it goes :)
i think my biggest box is
hw.model: Intel(R) Xeon(R) CPU           E5540  @ 2.53GHz
hw.ncpu: 16
and it's pretty damn fast :)
-jX on buildworld & buildkernel is safe, right?
yup, should be fine
i think i did a -j16 on this, no probs
I've seen conflicting random-internet-opinions on the matter
yeah, i've had problems in the past
but not since 5.x releases
tbh, if it doesn't like it it normally crashes out of the build
I'd really like there to be a setting someplace where I could hardcode the -j#
if it builds ok, then it works fine
you can
make.conf
I've done that in Linux plenty of times, but never found any solid documentation on doing the same in FreeBSD
cedwards: make.conf
MAKEOPTS=-j# ?
yup
spot on
but anyway you don't want it for installkernel, right?
fink: right. i heard you don't want that for install{kernel,world}.
oh, wait a second too - someone sent me a cool little script for watching the progress of a buildworld last week
i'll see if i can find it
http://www.secnetix.de/olli/scripts/worldwatch
that ^^
i think you need the port 'window' installed
does it give you a progressbar or something?
i've not tried it yet
but some friends recommended it highly (and they are very very knowledgeable so i trust em!)
as soon as this csup standard-supfile finishes I'll give it a spin
just remember to install misc/window
bob^^: you know, you never hear someone say "(and they are 1337 script kiddies, so I don't trust em!)" :)
i think, from reading the script, you get a little window showing the usual output, then a separate couple of windows showing how long is left
hah, true :)
fellow ops in #freebsd on quakenet :)
not that that probably helps much either :D
i know them from <insert random irc network here>!
I thought `window' came with FreeBSD.
only reputable people use irc, so you _know_ they are trustworthy :)
mike-burns: can't seem to find it on my box
Though I think I learned this when they removed it for 8.0, so.
Oh well.
this is the first I've heard of it
did they also replace it with tmux?
cedwards: as both an avid irc user and a fellow of ill repute, i take issue with your statement
The commit message for misc/window is "Add window(1) from the base system.  This follows OpenBSD whom removed this yesterday and we would like to follow suit."
yes, OpenBSD removed it to replace it with tmux
Yeah.
fink: did I forget my sarcasm font? :)
lol :)
I keep hearing about tmux over screen. should I be using tmux?
i hear a lot of good things about tmux
I tried tmux but went back to screen simply because I know the keybindings.
But tmux was nice when I tried it.
yeah, that's the only thing that stops me moving to tmux i think
after 10 years of screen, i'm kind of hard-coded to the keybindings
i guess you can change them in tmux though
guess what, they are configurable :)
i'm lazy, what can i say :)
hi all, are there backups of the vps ?
some snapshots  or something like that ?
There are not. We recommend http://www.tarsnap.com/
tarsnap is excellent
and what happens if the master host fails ?
all data is lost ?
I hear good things about tarsnap too. s3 storage if I'm not mistaken?
yup
seems to work really very well cedwards
not really using it properly in anger just yet, but so far, so good
well priced too once you get to grips with the pricing :)
sorry if this is offtopic but there seem to be smart guys here, any idea on how to configure multiple VPNs using the same PEER IP but different preshared keys ?
bob^^: I've been using s3 to store pictures of my kids long-term. _very_ affordable.
.15/g/mo roughly comes out to, if my math is correct, 30G before $5/mo charge.
yeah, it's good
in theory it should be pretty reliable too ;)
i'm going to use it to mirror my home server (which already has raid1 on a 3ware card)
was using rsync.net but although it's a superb service, it's a bit on the expensive side
so I'm running this worldwatch script. not really showing a percentage or remaining value (yet?) though.
looks like it shows % and time remaining on subsequent passes. First time has to gather data I guess.
I must have something wrong with my ccache config. It keeps failing.
anyone else care to share their setup?
what is ccache?
http://ccache.samba.org/
ahh. samba
oh - compiler stuff
compiler cache for c, c++
I've been using it on my local machines for some time, but my VPSs and a new install I just did are choking on it.
trying to figure out what has changed about my config, or what I'm missing
so I've been digging into ccache for the last hour. I cannot make it work on amd64 (buildworld), but it works every time on 32bit.
i just ordered an engagement ring
:|
infrared: Damn
That's not a good sign
haha
my 2nd time around
Haha, waT?
wat*
yah
I'm still at my first girlfriend whatsoever :D
well you sound young then :P
Yeah, I'm 19. Been with her for three years
yeah you're young
i'm 32
Haha
i first got married at 22
had my daughter at 23
So basically you've got a daughter the same age as my parents? :P
Kind of
what?
she's 7
Just trying to make you feel old :D
haha
bastard
math ftw
my son is 6
You even got TWO kids!? Damn. My parens are like 40 - not married :D
oarents
parents ffs
heh