***: amdprophet has quit IRC (Remote host closed the connection)
amdprophet has joined #arpnetworks
LT has joined #arpnetworks
amdprophet has quit IRC (Quit: amdprophet)
cedwards: CESSMASTER: excuse me?
***: ziyourenxiang has joined #arpnetworks
vtoms has joined #arpnetworks
heavysixer has joined #arpnetworks
ChanServ sets mode: +o heavysixer
schmir has quit IRC (Remote host closed the connection)
cedwards: good morning
aem: morning cedwards :)
cedwards: so I'm getting a crash-course in PF this morning. not sure I understand all the rules, but they appear to be working
(_much_ more experience with iptables)
RandalSchwartz: pf rocks
cedwards: I'm learning that. definitely seems less complicated than all the --foo and --bar options of iptables syntax.
one of the rules I've found suggested, and applied is: 'scrub in all'. I'm not 100% on what it does. Can you explain?
RandalSchwartz: it reassembles partial packets
so that firewall rules can inspect full items
some attacks use partial packets to bypass deep inspection rules
cedwards: ohh, so instead of packets being reassembled at each end-client, pf will reassemble it before filtering and passing it along?
RandalSchwartz: yes
cedwards: that's nice
how about this one: antispoof quick for {lo,em0}
best I understand is it's supposed to protect against spoofed addresses
RandalSchwartz: keeps a packet from passing if it shows up on the "wrong" interface
for example, an external packet crafted to look like it has your "internal" address
like from 127.0.0.1
cedwards: should that be applied to all interfaces? just lo? just private interfaces?
RandalSchwartz: so that your firewall passes it as if it had shown up locally
it doesn't hurt to apply it to all
no wait
it also filters non-routables too, I think
10/8
or maybe that's a different rule
on the inside, you don't want to filter those, if you have a vpn set up
cedwards: I have this rule applied to allow ping/monitoring from ARP nagios: pass in quick on em0 proto icmp from 208.79.88.56 to $ext_ip keep state
RandalSchwartz: the pf faq is pretty easy reading - http://www.openbsd.org/faq/pf/
cedwards: Yeah. I've been in and out of that and a half-dozen other Google results.
I think the basic rule syntax makes sense. I still haven't quite grokked 'flags S/SA synproxy state' though
aem: hehe cedwards it's fun you mention it because I was just working on my pf.conf last night too
RandalSchwartz: some of that is just magical fairy dust to me
"apply this here, because the faq says so"
and remember this command:
pfctl -vf /etc/pf.conf; sleep 10; pfctl -d
so that when you make a change, you see what it is
and if it works, hit ^C
if your ^C didn't work, wait 10 seconds :)
that keeps you from getting locked out
cedwards: magical fairy dust reminds me of a theory I heard about how Ubuntu always "just worked".
Mark Shuttleworth brought back magical space dust from his trip to orbit with the Russians, and sprinkled it into the Ubuntu kernel :)
mike-burns: Ubuntu works?
cedwards: mike-burns: so they say
aem: yeah, Ubuntu works?
always breaks for me
mike-burns: I must have run out of magical space dust when I tried Ubuntu.
RandalSchwartz: Ubuntu acts as a nice shiny object to keep the beginner open source people away from us. :)
-: cedwards imagines users as lolcats, swatting away at the shiny object.
RandalSchwartz: you mean they're not? :)
mike-burns: To be fair, we're not the target audience of Ubuntu.
cedwards: I try to go easy on them. I used to be a pretty heavy Ubuntu user.
mike-burns: It might work perfectly fine for people who don't do any programming, admining, etc.
RandalSchwartz: oooh. I was reading the FAQ, found ":0"
cedwards: does anyone know what ARP is using to host these VPSes?
RandalSchwartz: I was trying to figure out how to ensure my outbound vpn traffic would come from my "main" address, instead of randomly all over my addresses. :)
there it is
cedwards - linux qemu I think
it says on the vps page
it's amazing how much goodness can exist inside a linux virtual box. :)
cedwards: RandalSchwartz: right, I know it's kvm/qemu on linux, but I'm wondering what Distro they host from.
RandalSchwartz: ask up_the_irons when he comes in
mike-burns: I think it's, ironically, Ubuntu.
RandalSchwartz: there - nat on $ext_if from !($ext_if) to ($ext_if) -> ($ext_if:0)
that's the nat rule I was looking for for my vpns
without the :0, it was round-robin'ing my /28
***: fink has joined #arpnetworks
cedwards: mike-burns: hey, as long as it works.
mike-burns: Yeah I'm not complaining.
cedwards: well RHEL6 beta is fail for me. I'm going to try kvm/qemu hosting on a different platform here at work.
tempted to try FreeBSD as the host
it is always surprising the amount of random connection (attempts) you see when you watch firewall logs.
RandalSchwartz: yeah - steve gibson calls that the "background radiation" of the internet
aem: cedwards: on your arp vps?
cedwards: yeah
just had an attempt for example to 3306.
aem: wow
cedwards: no you may not connect to my non-existent mysql server, thank you.
aem: are you running ident?
cedwards: ..no ?
aem: maybe I should turn it off
heh
cedwards: I'm actually not sure I know what ident is..
aem: ident daemon, it removes the ~ from your ident on IRC
cedwards: ohh. uhm, not that I know of.
I use irssi+bitlbee+screen over ssh. I actually do have a freenode cloak, which might be part of it.
nothing else fancy going on.
aem: you would know hehe, the only reason I was asking was because I was considering running mine in a jail
you have to load it in rc.conf
cedwards: my irssi/bitlbee setup is in a jail and I know I'm not running ident in there.
in fact, I have three lines in that jail rc.conf. hostname, sshd_enable, bitlbee_enable.
aem: cedwards: do you use ez jail?
cedwards: aem: oh, absolutely
ezjail-admin is akin to go-go-gadget! :)
aem: hehe cool, I must change my securelevel first to set it up ;-/
cedwards: which, I still think someone needs to write a utility with that name.
aem: don't wanna reboot
hehe
yes go-go-gadget is a must
cedwards: how fun would that be? go-go-gadget install package.
aem: i would prefer it to do .conf files for me :)
cedwards: go-go-gadget do .conf files for aem.
done
aem: thank you!!!
cedwards: go-go-gadget change securelevel. done
aem: hehe
cedwards: I should probably set securelevel when I'm done configuring everything too.
haven't bothered in the past, but I know it's a good idea
aem: yeah set it to 2
***: schmir has joined #arpnetworks
schmir has quit IRC (Ping timeout: 276 seconds)
cedwards: interesting on the topic of securelevel - http://patchlog.com/general/freebsd-securelevel-setup/
***: ziyourenxiang has quit IRC (Quit: ziyourenxiang)
cedwards: ok. time to deploy some jails. can anyone comment on doing zfs based jails?
fink: is your root on zfs?
is your root on zfs?
is your root on zfs?
is your root on zfs?
***: fink has quit IRC (Quit: fink)
cedwards: echo
yes
***: LT has quit IRC (Quit: Leaving)
fink has joined #arpnetworks
cedwards: what is port 445? is that the windows "virus port" as I so often hear it described?
bob^^: 445 is used for netbios
(smb stuff over tcp iirc)
(file and printer sharing at the most basic level!)
mike-burns: According to /etc/services it's: microsoft-ds 445/tcp
cedwards: my firewall keeps blocking 445 connections from 174.136.40.54
must be that internet radiation RandalSchwartz was talking about
bob^^: OrgName: Colo4Dallas LP
sounds like you've made a new virus-infected friend :)
cedwards: yay me
***: toddf has quit IRC (Ping timeout: 276 seconds)
toddf has joined #arpnetworks
ChanServ sets mode: +o toddf
fink: cedwards: yea mine too
cedwards: I just installed 8.0 on:
hw.model: Intel(R) Xeon(R) CPU X7350 @ 2.93GHz
hw.ncpu: 16
take that buildworld!
bob^^: :D
cedwards: make -j16 buildworld almost seems obscene, but I'd love to see how fast it goes :)
bob^^: i think my biggest box is
hw.model: Intel(R) Xeon(R) CPU E5540 @ 2.53GHz
hw.ncpu: 16
and it's pretty damn fast :)
cedwards: -jX on buildworld & buildkernel is safe, right?
bob^^: yup, should be fine
i think i did a -j16 on this, no probs
cedwards: I've seen conflicting random-internet-opinions on the matter
bob^^: yeah, i've had problems in the past
but not since 5.x releases
tbh, if it doesn't like it, it normally crashes out of the build
cedwards: I'd really like there to be a setting someplace where I could hardcode the -j#
bob^^: if it builds ok, then it works fine
you can
make.conf
cedwards: I've done that in Linux plenty of times, but never found any solid documentation on doing the same in FreeBSD
fink: cedwards: make.conf
cedwards: MAKEOPTS=-j# ?
bob^^: yup
spot on
fink: but anyway you don't want it for installkernel, right?
cedwards: fink: right. i heard you don't want that for install{kernel,world}.
bob^^: oh, wait a second too - someone sent me a cool little script for watching the progress of a buildworld last week
i'll see if i can find it
http://www.secnetix.de/olli/scripts/worldwatch
that ^^
i think you need the port 'window' installed
cedwards: does it give you a progressbar or something?
bob^^: i've not tried it yet
but some friends recommended it highly (and they are very very knowledgeable so i trust em!)
cedwards: as soon as this csup standard-supfile finishes I'll give it a spin
bob^^: just remember to install misc/window
cedwards: bob^^: you know, you never hear someone say "(and they are 1337 script kiddies, so I don't trust em!)" :)
bob^^: i think, from reading the script, you get a little window showing the usual output, then a separate couple of windows showing how long is left
hah, true :)
fellow ops in #freebsd on quakenet :)
not that that probably helps much either :D
cedwards: i know them from <insert random irc network here>!
mike-burns: I thought `window' came with FreeBSD.
cedwards: only reputable people use irc, so you _know_ they are trustworthy :)
mike-burns: can't seem to find it on my box
mike-burns: Though I think I learned this when they removed it for 8.0, so.
Oh well.
cedwards: this is the first I've heard of it
DaCa: did they also replace it with tmux?
fink: cedwards: as both an avid irc user and a fellow of ill repute, i take issue with your statement
mike-burns: The commit message for misc/window is "Add window(1) from the base system. This follows OpenBSD whom removed
this yesterday and we would like to follow suit."
DaCa: yes, OpenBSD removed it to replace it with tmux
mike-burns: Yeah.
cedwards: fink: did I forget my sarcasm font? :)
bob^^: lol :)
cedwards: I keep hearing about tmux over screen. should I be using tmux?
bob^^: i hear a lot of good things about tmux
mike-burns: I tried tmux but went back to screen simply because I know the keybindings.
But tmux was nice when I tried it.
bob^^: yeah, that's the only thing that stops me moving to tmux i think
after 10 years of screen, i'm kind of hard-coded to the keybindings
i guess you can change them in tmux though
DaCa: guess what, they are configurable :)
bob^^: i'm lazy, what can i say :)
***: nbari|away is now known as nbari
nbari: hi all, are there backups of the vps ?
some snapshots or something like that ?
mike-burns: There are not. We recommend http://www.tarsnap.com/
bob^^: tarsnap is excellent
nbari: and what happened if the master host fails ?
all data is lost ?
cedwards: I hear good things about tarsnap too. s3 storage if I'm not mistaken?
bob^^: yup
seems to work really very well cedwards
not really using it properly in anger just yet, but so far, so good
well priced too once you get to grips with the pricing :)
nbari: sorry if this is offtopic but there seem to be smart guys here, any idea on how to configure multiple VPN's using the same PEER IP but different preshared keys ?
cedwards: bob^^: I've been using s3 to store pictures of my kids long-term. _very_ affordable.
.15/g/mo roughly comes out to, if my math is correct, 30G before $5/mo charge.
bob^^: yeah, it's good
in theory it should be pretty reliable too ;)
i'm going to use it to mirror my home server (which already has raid1 on a 3ware card)
was using rsync.net but although it's a superb service, it's a bit on the expensive side
cedwards: so I'm running this worldwatch script. not really showing a percentage or remaining value (yet?) though.
looks like it shows % and time remaining on subsequent passes. First time has to gather data I guess.
***: nbari is now known as nbari|away
cedwards: I must have something wrong with my ccache config. It keeps failing.
anyone else care to share their setup?
RandalSchwartz: what is ccache?
cedwards: http://ccache.samba.org/
RandalSchwartz: ahh. samba
oh - compiler stuff
cedwards: compiler cache for c, c++
I've been using it on my local machines for some time, but my VPSes and a new install I just did are choking on it.
trying to figure out what has changed about my config, or what I'm missing
***: aem has quit IRC (Remote host closed the connection)
aem has joined #arpnetworks
aem has quit IRC (Client Quit)
aem has joined #arpnetworks
amdprophet has joined #arpnetworks
visinin has joined #arpnetworks
baklava has quit IRC (Ping timeout: 260 seconds)
visinin has quit IRC (Quit: out for a bit)
baklava has joined #arpnetworks
baklava has quit IRC (Changing host)
baklava has joined #arpnetworks
cedwards: so I've been digging into ccache for the last hour. I cannot make it work on amd64 (buildworld), but it works every time on 32bit.
***: amdprophet has quit IRC (Ping timeout: 268 seconds)
infrared: i just ordered an engagement ring
:|
dxtr: infrared: Damn
That's not a good sign
infrared: haha
my 2nd time around
dxtr: Haha, waT?
wat*
infrared: yah
dxtr: I'm still at my first girlfriend whatsoever :D
infrared: well you sound young then :P
dxtr: Yeah, I'm 19. Been with her for three years
infrared: yeah you're young
i'm 32
dxtr: Haha
infrared: i first got married at 22
had my daughter at 23
dxtr: So basically you've got a daughter the same age as my parents? :P
Kind of
infrared: what?
she's 7
dxtr: Just trying to make you feel old :D
infrared: haha
bastard
fink: math ftw
infrared: my son is 6
dxtr: You even got TWO kids!? Damn. My parens are like 40 - not married :D
oarents
parents ffs
-: infrared sends dxtr the Typing for Dummies e-book
fink: heh
***: vtoms has quit IRC (Remote host closed the connection)
fink has quit IRC (Quit: fink)
amdprophet has joined #arpnetworks
fink has joined #arpnetworks
trapdoor has joined #arpnetworks
trapdoor has quit IRC (Quit: Leaving)
aem has quit IRC (Remote host closed the connection)
st3ff4n has joined #arpnetworks
fink has quit IRC (Read error: Connection reset by peer)
fink has joined #arpnetworks
fink has quit IRC (Client Quit)
awyeah has quit IRC (Read error: Connection reset by peer)
awyeah has joined #arpnetworks
Guest56287 has quit IRC (Quit: ZNC - http://znc.sourceforge.net)
phlux has joined #arpnetworks
phlux is now known as Guest79362
amdprophet has quit IRC (Read error: Connection reset by peer)
amdprophet has joined #arpnetworks