CESSMASTER: excuse me?
good morning
morning cedwards :)
so I'm getting a crash-course in PF this morning. not sure I understand all the rules, but they appear to be working (_much_ more experience with iptables)
pf rocks
I'm learning that. definitely seems less complicated than all the --foo and --bar options of iptables syntax.
one of the rules I've found suggested, and applied, is: 'scrub in all'. I'm not 100% on what it does. Can you explain?
it reassembles partial packets so that firewall rules can inspect full items
some attacks use partial packets to bypass deep inspection rules
ohh, so instead of packets being reassembled at each end-client, pf will reassemble it before filtering and passing it along?
yes
that's nice
how about this one: antispoof quick for {lo,em0}
best I understand is it's supposed to protect against spoofed addresses
keeps a packet from passing if it shows up on the "wrong" interface
for example, an external packet crafted to look like it has your "internal" address
like from 127.0.0.1
should that be applied to all interfaces? just lo? just private interfaces?
so that your firewall passes it as if it had shown up locally
it doesn't hurt to apply it to all
no wait
it also filters non-routables too, I think
10/8
or maybe that's a different rule
on the inside, you don't want to filter those, if you have a vpn set up
I have this rule applied to allow ping/monitoring from ARP nagios: pass in quick on em0 proto icmp from 208.79.88.56 to $ext_ip keep state
the pf faq is pretty easy reading - http://www.openbsd.org/faq/pf/
Yeah. I've been in and out of that and a half-dozen other Google results. I think the basic rule syntax makes sense.
I still haven't quite grokked 'flags S/SA synproxy state' though
hehe
cedwards it's fun you mention it because I was just working on my pf.conf last night too
some of that is just magical fairy dust to me
"apply this here, because the faq says so"
and remember this command: pfctl -vf /etc/pf.conf; sleep 10; pfctl -d
so that when you make a change, you see what it is and if it works, hit ^C
if your ^C didn't work, wait 10 seconds :)
that keeps you from getting locked out
magical fairy dust reminds me of a theory I heard about how Ubuntu always "just worked". Mark Shuttleworth brought back magical space dust from his trip to orbit with the Russians, and sprinkled it into the Ubuntu kernel :)
Ubuntu works?
mike-burns: so they say
yeah, Ubuntu works?
always breaks for me
I must have run out of magical space dust when I tried Ubuntu.
ubuntu acts as a nice shiny object to keep the beginner open source people away from us. :)
you mean they're not? :)
To be fair, we're not the target audience of Ubuntu. I try to go easy on them.
I used to be a pretty heavy Ubuntu user.
It might work perfectly fine for people who don't do any programming, admining, etc.
oooh. I was reading the FAQ, found ":0"
does anyone know what ARP is using to host these VPSs?
I was trying to figure out how to ensure my outbound vpn traffic would come from my "main" address, instead of randomly all over my addresses. :) there it is
cedwards - linux qemu I think
it says on the vps page
it's amazing how much goodness can exist inside a linux virtual box. :)
RandalSchwartz: right, I know it's kvm/qemu on linux, but I'm wondering what distro they host from.
ask up_the_irons when he comes in
I think it's, ironically, Ubuntu.
there - nat on $ext_if from !($ext_if) to ($ext_if) -> ($ext_if:0)
that's the nat rule I was looking for for my vpns
without the :0, it was round-robin'ing my /28
mike-burns: hey, as long as it works.
Yeah I'm not complaining.
well RHEL6 beta is fail for me.
I'm going to try kvm/qemu hosting on a different platform here at work.
tempted to try FreeBSD as the host
it is always surprising the amount of random connection (attempts) you see when you watch firewall logs.
yeah - steve gibson calls that the "background radiation" of the internet
cedwards: on your arp vps?
yeah
just had an attempt for example to 3306.
wow
no you may not connect to my non-existent mysql server, thank you.
are you running ident?
..no ?
maybe I should turn it off
heh
I'm actually not sure I know what ident is..
ident daemon, it removes the ~ from your ident on IRC
ohh. uhm, not that I know of. I use irssi+bitlbee+screen over ssh.
I actually do have a freenode cloak, which might be part of it. nothing else fancy going on.
you would know
hehe, the only reason I was asking was because I was considering running mine in a jail
you have to load it in rc.conf
my irssi/bitlbee setup is in a jail and I know I'm not running ident in there. in fact, I have three lines in that jail rc.conf. hostname, sshd_enable, bitlbee_enable.
cedwards: do you use ezjail?
aem: oh, absolutely
ezjail-admin is akin to go-go-gadget! :)
hehe cool, I must change my securelevel first to set it up ;-/
which, I still think someone needs to write a utility with that name.
don't wanna reboot
hehe yes go-go-gadget is a must
how fun would that be? go-go-gadget install package.
i would prefer it to do .conf files for me :)
go-go-gadget do .conf files for aem. done
thank you!!!
go-go-gadget change securelevel. done
hehe
I should probably set securelevel when I'm done configuring everything too. haven't bothered in the past, but I know it's a good idea
yeah set it to 2
interesting on the topic of securelevel - http://patchlog.com/general/freebsd-securelevel-setup/
ok. time to deploy some jails. can anyone comment on doing zfs based jails?
is your root on zfs?
is your root on zfs?
is your root on zfs?
is your root on zfs?
echo yes
what is port 445?
is that the windows "virus port" as I so often hear it described?
445 is used for netbios (smb stuff over tcp iirc)
(file and printer sharing at the most basic level!)
According to /etc/services it's: microsoft-ds 445/tcp
my firewall keeps blocking 445 connections from 174.136.40.54
must be that internet radiation RandalSchwartz was talking about
OrgName: Colo4Dallas LP
sounds like you've made a new virus-infected friend :)
yay me
cedwards: yea mine too
I just installed 8.0 on: hw.model: Intel(R) Xeon(R) CPU X7350 @ 2.93GHz hw.ncpu: 16
take that buildworld! :D
make -j16 buildworld almost seems obscene, but I'd love to see how fast it goes :)
i think my biggest box is hw.model: Intel(R) Xeon(R) CPU E5540 @ 2.53GHz hw.ncpu: 16
and it's pretty damn fast :)
-jX on buildworld & buildkernel is safe, right?
yup, should be fine
i think i did a -j16 on this, no probs
I've seen conflicting random-internet-opinions on the matter
yeah, i've had problems in the past but not since 5.x releases
tbh, if it doesn't like it it normally crashes out of the build
I'd really like there to be a setting someplace where I could hardcode the -j#
if it builds ok, then it works fine
you can make.conf
I've done that in Linux plenty of times, but never found any solid documentation on doing the same in FreeBSD
cedwards: make.conf MAKEOPTS=-j# ?
yup spot on
but anyway you don't want it for installkernel, right?
fink: right. i heard you don't want that for install{kernel,world}.
oh, wait a second too - someone sent me a cool little script for watching the progress of a buildworld last week
i'll see if i can find it
http://www.secnetix.de/olli/scripts/worldwatch
that ^^
i think you need the port 'window' installed
does it give you a progressbar or something?
i've not tried it yet but some friends recommended it highly (and they are very very knowledgeable so i trust em!)
as soon as this csup standard-supfile finishes I'll give it a spin
just remember to install misc/window
bob^^: you know, you never hear someone say "(and they are 1337 script kiddies, so I don't trust em!)" :)
i think, from reading the script, you get a little window showing the usual output, then a separate couple of windows showing how long is left
hah, true :)
fellow ops in #freebsd on quakenet :)
not that that probably helps much either :D
i know them from !
I thought `window' came with FreeBSD.
only reputable people use irc, so you _know_ they are trustworthy :)
mike-burns: can't seem to find it on my box
Though I think I learned this when they removed it for 8.0, so. Oh well.
this is the first I've heard of it
did they also replace it with tmux?
cedwards: as both an avid irc user and a fellow of ill repute, i take issue with your statement
The commit message for misc/window is "Add window(1) from the base system. This follows OpenBSD whom removed this yesterday and we would like to follow suit."
yes, OpenBSD removed it to replace it with tmux
Yeah.
fink: did I forget my sarcasm font? :)
lol :)
I keep hearing about tmux over screen. should I be using tmux?
i hear a lot of good things about tmux
I tried tmux but went back to screen simply because I know the keybindings. But tmux was nice when I tried it.
yeah, that's the only thing that stops me moving to tmux i think
after 10 years of screen, i'm kind of hard-coded to the keybindings
i guess you can change them in tmux though
guess what, they are configurable :)
i'm lazy, what can i say :)
hi all, are there backups of the vps? some snapshots or something like that?
There are not. We recommend http://www.tarsnap.com/
tarsnap is excellent
and what happens if the master host fails? all data is lost?
I hear good things about tarsnap too. s3 storage if I'm not mistaken?
yup seems to work really very well cedwards
not really using it properly in anger just yet, but so far, so good
well priced too once you get to grips with the pricing :)
sorry if this is offtopic but there seem to be smart guys here, any idea on how to configure multiple VPNs using the same PEER IP but different preshared keys?
bob^^: I've been using s3 to store pictures of my kids long-term. _very_ affordable.
.15/g/mo roughly comes out to, if my math is correct, 30G before $5/mo charge.
yeah, it's good
in theory it should be pretty reliable too ;)
i'm going to use it to mirror my home server (which already has raid1 on a 3ware card)
was using rsync.net but although it's a superb service, it's a bit on the expensive side
so I'm running this worldwatch script. not really showing a percentage or remaining value (yet?) though.
looks like it shows % and time remaining on subsequent passes. First time has to gather data I guess.
I must have something wrong with my ccache config. It keeps failing. anyone else care to share their setup?
what is ccache?
http://ccache.samba.org/
ahh. samba
oh - compiler stuff
compiler cache for c, c++
I've been using it on my local machines for some time, but my VPSs and a new install I just did are choking on it. trying to figure out what has changed about my config, or what I'm missing
so I've been digging into ccache for the last hour. I cannot make it work on amd64 (buildworld), but it works every time on 32bit.
i just ordered an engagement ring :|
infrared: Damn
That's not a good sign
haha
my 2nd time around
Haha, waT? wat*
yah I'm still at my first girlfriend whatsoever :D
well you sound young then :P
Yeah, I'm 19. Been with her for three years
yeah you're young
i'm 32
Haha
i first got married at 22
had my daughter at 23
So basically you've got a daughter the same age as my parents? :P
Kind of
what?
she's 7
Just trying to make you feel old :D
haha bastard
math ftw
my son is 6
You even got TWO kids!? Damn.
My parens are like 40 - not married :D
oarents
parents ffs
heh