[00:21] *** amdprophet has joined #arpnetworks
[00:43] *** amdprophet has quit IRC (Remote host closed the connection)
[00:44] *** amdprophet has joined #arpnetworks
[01:11] *** LT has joined #arpnetworks
[03:15] *** amdprophet has quit IRC (Quit: amdprophet)
[04:52] CESSMASTER: excuse me?
[05:20] *** ziyourenxiang has joined #arpnetworks
[05:54] *** vtoms has joined #arpnetworks
[06:02] *** heavysixer has joined #arpnetworks
[06:02] *** ChanServ sets mode: +o heavysixer
[06:19] *** schmir has quit IRC (Remote host closed the connection)
[07:20] good morning
[07:21] morning cedwards :)
[07:23] so I'm getting a crash-course in PF this morning. not sure I understand all the rules, but they appear to be working
[07:23] (_much_ more experience with iptables)
[07:24] pf rocks
[07:28] I'm learning that. definitely seems less complicated than all the --foo and --bar options of iptables syntax.
[07:29] one of the rules I've found suggested, and applied is: 'scrub in all'. I'm not 100% on what it does. Can you explain?
[07:29] it reassembles partial packets
[07:29] so that firewall rules can inspect full items
[07:29] some attacks use partial packets to bypass deep inspection rules
[07:30] ohh, so instead of packets being reassembled at each end-client, pf will reassemble it before filtering and passing it along?
[07:30] yes
[07:30] that's nice
[07:30] how about this one: antispoof quick for {lo,em0}
[07:31] best I understand is it's supposed to protect against spoofed addresses
[07:31] keeps a packet from passing if it shows up on the "wrong" interface
[07:31] for example, an external packet crafted to look like it has your "internal" address
[07:31] like from 127.0.0.1
[07:31] should that be applied to all interfaces? just lo? just private interfaces?
[07:31] so that your firewall passes it as if it had shown up locally
[07:32] it doesn't hurt to apply it to all
[07:32] no wait
[07:32] it also filters non-routables too, I think
[07:32] 10/8
[07:32] or maybe that's a different rule
[07:32] on the inside, you don't want to filter those, if you have a vpn set up
[07:32] I have this rule applied to allow ping/monitoring from ARP nagios: pass in quick on em0 proto icmp from 208.79.88.56 to $ext_ip keep state
[07:33] the pf faq is pretty easy reading - http://www.openbsd.org/faq/pf/
[07:33] Yeah. I've been in and out of that and a half-dozen other Google results.
[07:34] I think the basic rule syntax makes sense. I still haven't quite grokked 'flags S/SA synproxy state' though
[07:34] hehe cedwards it's fun you mention it because I was just working on my pf.conf last night too
[07:35] some of that is just magical fairy dust to me
[07:35] "apply this here, because the faq says so"
[07:35] and remember this command:
[07:35] pfctl -vf /etc/pf.conf; sleep 10; pfctl -d
[07:35] so that when you make a change, you see what it is
[07:35] and if it works, hit ^C
[07:36] if your ^C didn't work, wait 10 seconds :)
[07:36] that keeps you from getting locked out
[07:36] magical fairy dust reminds me of a theory I heard about how Ubuntu always "just worked".
[07:36] Mark Shuttleworth brought back magical space dust from his trip to orbit with the Russians, and sprinkled it into the Ubuntu kernel :)
[07:36] Ubuntu works?
[07:36] mike-burns: so they say
[07:36] yeah, Ubuntu works?
[07:37] always breaks for me
[07:37] I must have run out of magical space dust when I tried Ubuntu.
[07:37] Ubuntu acts as a nice shiny object to keep the beginner open source people away from us. :)
[07:38] * cedwards imagines users as lolcats, swatting away at the shiny object.
[07:39] you mean they're not? :)
[07:39] To be fair, we're not the target audience of Ubuntu.
[07:39] I try to go easy on them. I used to be a pretty heavy Ubuntu user.
[07:40] It might work perfectly fine for people who don't do any programming, admining, etc.
[07:42] oooh. I was reading the FAQ, found ":0"
[07:43] does anyone know what ARP is using to host these VPS'?
[07:43] I was trying to figure out how to ensure my outbound vpn traffic would come from my "main" address, instead of randomly all over my addresses. :)
[07:43] there it is
[07:43] cedwards - linux qemu I think
[07:43] it says on the vps page
[07:44] it's amazing how much goodness can exist inside a linux virtual box. :)
[07:44] RandalSchwartz: right, I know it's kvm/qemu on linux, but I'm wondering what Distro they host from.
[07:44] ask up_the_irons when he comes in
[07:45] I think it's, ironically, Ubuntu.
[07:45] there - nat on $ext_if from !($ext_if) to ($ext_if) -> ($ext_if:0)
[07:45] that's the nat rule I was looking for for my vpns
[07:46] without the :0, it was round-robin'ing my /28
[07:47] *** fink has joined #arpnetworks
[07:49] mike-burns: hey, as long as it works.
[07:49] Yeah I'm not complaining.
[08:21] well RHEL6 beta is fail for me. I'm going to try kvm/qemu hosting on a different platform here at work.
[08:21] tempted to try FreeBSD as the host
[08:27] it is always surprising the amount of random connection (attempts) you see when you watch firewall logs.
[08:28] yeah - steve gibson calls that the "background radiation" of the internet
[08:29] cedwards: on your arp vps?
[08:30] yeah
[08:30] just had an attempt for example to 3306.
[08:30] wow
[08:30] no you may not connect to my non-existent mysql server, thank you.
[08:31] are you running ident?
[08:31] ..no ?
[08:33] maybe I should turn it off
[08:33] heh
[08:35] I'm actually not sure I know what ident is..
[08:36] ident daemon, it removes the ~ from your ident on IRC
[08:36] ohh. uhm, not that I know of.
[08:37] I use irssi+bitlbee+screen over ssh. I actually do have a freenode cloak, which might be part of it.
[08:37] nothing else fancy going on.
[08:37] you would know hehe, the only reason I was asking was because I was considering running mine in a jail
[08:37] you have to load it in rc.conf
[08:37] my irssi/bitlbee setup is in a jail and I know I'm not running ident in there.
[08:38] in fact, I have three lines in that jail rc.conf. hostname, sshd_enable, bitlbee_enable.
[08:39] cedwards: do you use ez jail?
[08:41] aem: oh, absolutely
[08:41] ezjail-admin is akin to go-go-gadget! :)
[08:41] hehe cool, I must change my securelevel first to set it up ;-/
[08:41] which, I still think someone needs to write a utility with that name.
[08:41] don't wanna reboot
[08:41] hehe
[08:42] yes go-go-gadget is a must
[08:42] how fun would that be? go-go-gadget install package.
[08:43] i would prefer it to do .conf files for me :)
[08:43] go-go-gadget do .conf files for aem.
[08:43] done
[08:44] thank you!!!
[08:44] go-go-gadget change securelevel. done
[08:47] hehe
[08:49] I should probably set securelevel when I'm done configuring everything too.
[08:49] haven't bothered in the past, but I know it's a good idea
[08:50] yeah set it to 2
[08:51] *** schmir has joined #arpnetworks
[08:55] *** schmir has quit IRC (Ping timeout: 276 seconds)
[08:58] interesting on the topic of securelevel - http://patchlog.com/general/freebsd-securelevel-setup/
[09:08] *** ziyourenxiang has quit IRC (Quit: ziyourenxiang)
[09:14] ok. time to deploy some jails. can anyone comment on doing zfs based jails?
[09:16] is your root on zfs?
[09:16] is your root on zfs?
[09:16] is your root on zfs?
[09:16] is your root on zfs?
[09:16] *** fink has quit IRC (Quit: fink)
[09:17] echo
[09:17] yes
[09:18] *** LT has quit IRC (Quit: Leaving)
[09:19] *** fink has joined #arpnetworks
[09:35] what is port 445? is that the windows "virus port" as I so often hear it described?
[09:58] 445 is used for netbios
[09:58] (smb stuff over tcp iirc)
[09:58] (file and printer sharing at the most basic level!)
[09:59] According to /etc/services it's: microsoft-ds 445/tcp
[10:06] my firewall keeps blocking 445 connections from 174.136.40.54
[10:06] must be that internet radiation RandalSchwartz was talking about
[10:07] OrgName: Colo4Dallas LP
[10:08] sounds like you've made a new virus-infected friend :)
[10:08] yay me
[10:09] *** toddf has quit IRC (Ping timeout: 276 seconds)
[10:19] *** toddf has joined #arpnetworks
[10:19] *** ChanServ sets mode: +o toddf
[10:23] cedwards: yea mine too
[10:29] I just installed 8.0 on:
[10:29] hw.model: Intel(R) Xeon(R) CPU X7350 @ 2.93GHz
[10:29] hw.ncpu: 16
[10:29] take that buildworld!
[10:31] :D
[10:31] make -j16 buildworld almost seems obscene, but I'd love to see how fast it goes :)
[10:31] i think my biggest box is
[10:31] hw.model: Intel(R) Xeon(R) CPU E5540 @ 2.53GHz
[10:31] hw.ncpu: 16
[10:32] and it's pretty damn fast :)
[10:32] -jX on buildworld & buildkernel is safe, right?
[10:32] yup, should be fine
[10:32] i think i did a -j16 on this, no probs
[10:32] I've seen conflicting random-internet-opinions on the matter
[10:33] yeah, i've had problems in the past
[10:33] but not since 5.x releases
[10:33] tbh, if it doesn't like it it normally crashes out of the build
[10:33] I'd really like there to be a setting someplace where I could hardcode the -j#
[10:33] if it builds ok, then it works fine
[10:33] you can
[10:33] make.conf
[10:33] I've done that in Linux plenty of times, but never found any solid documentation on doing the same in FreeBSD
[10:34] cedwards: make.conf
[10:34] MAKEOPTS=-j# ?
[10:34] yup
[10:34] spot on
[10:34] but anyway you don't want it for installkernel, right?
[10:34] fink: right. i heard you don't want that for install{kernel,world}.
[10:34] oh, wait a second too - someone sent me a cool little script for watching the progress of a buildworld last week
[10:34] i'll see if i can find it
[10:35] http://www.secnetix.de/olli/scripts/worldwatch
[10:35] that ^^
[10:35] i think you need the port 'window' installed
[10:36] does it give you a progressbar or something?
[10:36] i've not tried it yet
[10:36] but some friends recommended it highly (and they are very very knowledgeable so i trust em!)
[10:36] as soon as this csup standard-supfile finishes I'll give it a spin
[10:37] just remember to install misc/window
[10:37] bob^^: you know, you never hear someone say "(and they are 1337 script kiddies, so I don't trust em!)" :)
[10:37] i think, from reading the script, you get a little window showing the usual output, then a separate couple of windows showing how long is left
[10:37] hah, true :)
[10:37] fellow ops in #freebsd on quakenet :)
[10:38] not that that probably helps much either :D
[10:38] i know them from !
[10:39] I thought `window' came with FreeBSD.
[10:39] only reputable people use irc, so you _know_ they are trustworthy :)
[10:39] mike-burns: can't seem to find it on my box
[10:39] Though I think I learned this when they removed it for 8.0, so.
[10:39] Oh well.
[10:40] this is the first I've heard of it
[10:41] did they also replace it with tmux?
[10:41] cedwards: as both an avid irc user and a fellow of ill repute, i take issue with your statement
[10:41] The commit message for misc/window is "Add window(1) from the base system. This follows OpenBSD whom removed
[10:41] this yesterday and we would like to follow suit."
[10:41] yes, OpenBSD removed it to replace it with tmux
[10:42] Yeah.
[10:43] fink: did I forget my sarcasm font? :)
[10:43] lol :)
[10:43] I keep hearing about tmux over screen. should I be using tmux?
[10:43] i hear a lot of good things about tmux
[10:43] I tried tmux but went back to screen simply because I know the keybindings.
[10:44] But tmux was nice when I tried it.
[10:44] yeah, that's the only thing that stops me moving to tmux i think
[10:44] after 10 years of screen, i'm kind of hard-coded to the keybindings
[10:44] i guess you can change them in tmux though
[10:44] guess what, they are configurable :)
[10:45] i'm lazy, what can i say :)
[10:45] *** nbari|away is now known as nbari
[10:46] hi all, are there backups of the vps ?
[10:46] some snapshots or something like that ?
[10:47] There are not. We recommend http://www.tarsnap.com/
[10:47] tarsnap is excellent
[10:47] and what happens if the master host fails ?
[10:47] all data is lost ?
[10:50] I hear good things about tarsnap too. s3 storage if I'm not mistaken?
[10:51] yup
[10:52] seems to work really very well cedwards
[10:52] not really using it properly in anger just yet, but so far, so good
[10:52] well priced too once you get to grips with the pricing :)
[10:54] sorry if this is offtopic but there seem to be smart guys here, any idea on how to configure multiple VPNs using the same PEER IP but different preshared keys ?
[10:54] bob^^: I've been using s3 to store pictures of my kids long-term. _very_ affordable.
[10:55] .15/g/mo roughly comes out to, if my math is correct, 30G before $5/mo charge.
[10:55] yeah, it's good
[10:55] in theory it should be pretty reliable too ;)
[10:56] i'm going to use it to mirror my home server (which already has raid1 on a 3ware card)
[10:56] was using rsync.net but although it's a superb service, it's a bit on the expensive side
[11:12] so I'm running this worldwatch script. not really showing a percentage or remaining value (yet?) though.
[11:25] looks like it shows % and time remaining on subsequent passes. First time has to gather data I guess.
[11:30] *** nbari is now known as nbari|away
[11:58] I must have something wrong with my ccache config. It keeps failing.
[11:58] anyone else care to share their setup?
[11:58] what is ccache?
[11:58] http://ccache.samba.org/
[11:59] ahh. samba
[11:59] oh - compiler stuff
[11:59] compiler cache for c, c++
[12:00] I've been using it on my local machines for some time, but my VPSs and a new install I just did are choking on it.
[12:00] trying to figure out what has changed about my config, or what I'm missing
[12:05] *** aem has quit IRC (Remote host closed the connection)
[12:14] *** aem has joined #arpnetworks
[12:15] *** aem has quit IRC (Client Quit)
[12:16] *** aem has joined #arpnetworks
[12:19] *** amdprophet has joined #arpnetworks
[12:20] *** visinin has joined #arpnetworks
[13:03] *** baklava has quit IRC (Ping timeout: 260 seconds)
[13:08] *** visinin has quit IRC (Quit: out for a bit)
[13:09] *** baklava has joined #arpnetworks
[13:09] *** baklava has quit IRC (Changing host)
[13:09] *** baklava has joined #arpnetworks
[13:30] so I've been digging into ccache for the last hour. I cannot make it work on amd64 (buildworld), but it works every time on 32bit.
[14:12] *** amdprophet has quit IRC (Ping timeout: 268 seconds)
[14:39] i just ordered an engagement ring
[14:39] :|
[14:40] infrared: Damn
[14:40] That's not a good sign
[14:40] haha
[14:40] my 2nd time around
[14:40] Haha, waT?
[14:40] wat*
[14:40] yah
[14:40] I'm still at my first girlfriend whatsoever :D
[14:40] well you sound young then :P
[14:41] Yeah, I'm 19. Been with her for three years
[14:41] yeah you're young
[14:41] i'm 32
[14:41] Haha
[14:41] i first got married at 22
[14:41] had my daughter at 23
[14:41] So basically you've got a daughter the same age as my parents? :P
[14:41] Kind of
[14:42] what?
[14:42] she's 7
[14:42] Just trying to make you feel old :D
[14:42] haha
[14:42] bastard
[14:42] math ftw
[14:43] my son is 6
[14:43] You even got TWO kids!? Damn. My parens are like 40 - not married :D
[14:43] oarents
[14:43] parents ffs
[14:43] * infrared sends dxtr the Typing for Dummies e-book
[15:04] heh
[15:04] *** vtoms has quit IRC (Remote host closed the connection)
[15:04] *** fink has quit IRC (Quit: fink)
[15:42] *** amdprophet has joined #arpnetworks
[17:06] *** fink has joined #arpnetworks
[17:28] *** trapdoor has joined #arpnetworks
[18:25] *** trapdoor has quit IRC (Quit: Leaving)
[18:38] *** aem has quit IRC (Remote host closed the connection)
[18:48] *** st3ff4n has joined #arpnetworks
[20:56] *** fink has quit IRC (Read error: Connection reset by peer)
[20:56] *** fink has joined #arpnetworks
[20:57] *** fink has quit IRC (Client Quit)
[21:46] *** awyeah has quit IRC (Read error: Connection reset by peer)
[21:47] *** awyeah has joined #arpnetworks
[21:48] *** Guest56287 has quit IRC (Quit: ZNC - http://znc.sourceforge.net)
[21:49] *** phlux has joined #arpnetworks
[21:49] *** phlux is now known as Guest79362
[23:54] *** amdprophet has quit IRC (Read error: Connection reset by peer)
[23:54] *** amdprophet has joined #arpnetworks