***: schmir has joined #arpnetworks
dxtr_ has quit IRC (Read error: Operation timed out)
nakano_` has quit IRC (Read error: Operation timed out)
nuke- has quit IRC (Read error: Operation timed out)
Jestre_ has quit IRC (Read error: Connection reset by peer)
Jestre has joined #arpnetworks
nakano_ has joined #arpnetworks
j3m has quit IRC (Read error: Operation timed out)
nukeAFK has joined #arpnetworks
dxtr has joined #arpnetworks
dxtr has quit IRC (Changing host)
dxtr has joined #arpnetworks
j3m has joined #arpnetworks
ziyourenxiang has joined #arpnetworks
dxtr: [6~
Oops
infrared: fail
dxtr: :(
***: Yamazaki-kun has quit IRC (*.net *.split)
leander has quit IRC (*.net *.split)
leander has joined #arpnetworks
Yamazaki-kun has joined #arpnetworks
vtoms has joined #arpnetworks
hsbt has quit IRC (Quit: Tiarra 0.1: SIGTERM received; exit)
hsbt has joined #arpnetworks
DaCa: RandalSchwartz: well, we all know perl sucks :p
cedwards: thems fightin words
lucky: up_the_irons: aye, I sent an email there about a week ago
up_the_irons: to which I received a reply this morning :)
cedwards: uhh.. I may have just fixed my issue with ccache on amd64.
blame it on me installing 'minimal' and missing the lib32 libraries :(
***: schmir has quit IRC (Remote host closed the connection)
dxtr: Hmm.. How would one easily manage nsd and/or outbound? If I, for example, want to put them in separate jails
cedwards: how do you mean manage?
dxtr: s/outbound/unbound/
cedwards: Zone files for nsd :)
I guess there's not that much administration with unbound once you get it up and running
***: ziyourenxiang has quit IRC (Quit: ziyourenxiang)
cedwards: i run bind in a jail at home...
just point my client(s) to the jail IP, and ezjail-admin console jailname to get in and update things.
dxtr: Right
But I thought it would be cool with some kind of interface for it :)
cedwards: nice. with my distcc/ccache setup (all P4 machines), my buildworld is down to about 4min and my buildkernel is under 1min
dxtr: Cool
I'm still amazed that I have less ping to the vps over ipv6 than ipv4
bob^^: routing is fun ;)
dxtr: hehe
bob^^: The thing is I don't even have native ipv6 at home :D
Got it through sixxs
(Which btw I think is awesome)
bob^^: yeah, i still haven't bothered with ipv6 at home either
cedwards: I can't get ipv6 (tunneled) at home because my router sucks.
i think it's time to get a new one.
dxtr: cedwards: What connection do you have?
cedwards: dxtr: DSL at home. leasing the crappy router they had.
dxtr: I've got a wrt54gl flashed with Tomato if you wanna buy it :D
cedwards: dxtr: my ISP doesn't support ipv6 either, so I'd _have_ to tunnel, but I need a new router first.
dxtr: Of course I live in Sweden. If you come get it in person I'll buy you a beer
You'll the the router for $30, the trip might cost $1000 (+/- some).. But you'll save in $4 by getting a beer for free
You'll get the*
Sounds like a decent deal
mike-burns: That's better than the deal JetBlue was offering!
dxtr: Vacation is priceless :D
mike-burns: Hm?
cedwards: or perhaps you deliver it personally and I'll buy you a beer
dxtr: cedwards: Unfortunately I don't do home deliveries
... But if I did it would probably be the best home deliveries in the world
mike-burns: dxtr: JetBlue was offering $10 plane tickets the other day. US-only I think, and no router or beer.
dxtr: mike-burns: well that sucks
it sucks that I'm the only Swede here (And one of few europeans.. Or am I wrong?)
I rarely meet people in my area on IRC. Would be awesome to go to Waynes, drink some coffee and IRC
o/
bob^^: i'm in the UK
but yeah, i think most in this channel are US-based
dxtr: I think I need more coffee
bob^^: i know plenty of swedes who use irc though - they're all over on quakenet :)
dxtr: Yeah, I know loads of swedes both on Quakenet and EFNet :p
But Sweden is huge
jdoe: dxtr: and ircnet.
dxtr: Gah. I want a job!
awyeah_: beh
***: awyeah_ is now known as awyeah
awyeah: hrm wtf is my nickserv password.
cedwards: hunter2 is my guess
awyeah: heh.
***: awyeah has quit IRC (Quit: Reconnecting)
awyeah has joined #arpnetworks
awyeah: ohh. their DNS resolution isn't working ;)
jdoe: ?
***: schmir has joined #arpnetworks
schmir has quit IRC (Ping timeout: 265 seconds)
Wraithan has left "WeeChat 0.3.3-dev"
leander has quit IRC (Remote host closed the connection)
dxtr: Say something fun one can do with a freebsd box and an openbsd box
Preferably connecting them together somehow :)
cedwards: use either as a network gateway and use pf to route to the second for a set of services in jails?
dxtr: Actually the openbsd is a router
But with a little more capacity than my router needs
Dual-core atom 330
1GB RAM
300GB hdd
Etc, :P
cedwards: torrent seed box? :)
dxtr: I've thought the thought so to speak
But that's not cool enough :P
cedwards: create your own private tracker? ..i dunno.
dxtr: I've got rtadvd, ntpd, unbound, nsd, dhcpd and an httpd running on it
***: leander has joined #arpnetworks
dxtr: Oh yeah... rtorrent too :D
cedwards: i still need to try unbound/nsd.
dxtr: They are just plain awesome
I can honestly say I don't regret throwing out bind :)
By the way, what I'd like to do with the boxes is somehow distribute the resources (distcc would be awesome for my ports needs!)
cedwards: I setup ccache/distcc over the last two days. my builds are fast now.
dxtr: Cool :)
cedwards: which reminds me I need to submit my port for ccache-3.0pre1.
dxtr: Oh yeah, cedwards
I'm having problems with openvpn. I'm guessing it's a firewall problem.
Do you have any experience with ip forwarding in freebsd?
cedwards: I've not used openvpn before.. another one on my list.
do you have the net.ipv4.forward (or whatever) set to 1 in sysctl?
dxtr: net.inet.ip.forwarding = 1
And I've got a NAT rule in pf
http://www.dxtr.cc/~dexter/pf.conf
Those are my pf rules
cedwards: tail the pflog while you try to connect to verify if it is a firewall issue..
dxtr: Right :)
I'll do that
cedwards: or tcpdump and make sure it is actually hitting the interface
dxtr: Yeah, I've tcpdumped
It makes it from tun0 to em0
But stops there
***: coil-desktoppcwi is now known as scort
dxtr: And I've pinged another server of mine, tcpdumped there and got nothing
So the packets definitely get lost at em0
Any ideas?
I've got gateway_enable="YES" in rc.conf too - but that won't do anything until I reboot
cedwards: maybe you need to reboot
mike-burns: You just have to run /etc/rc.d/routing to activate that thing.
dxtr: mike-burns: Right
No luck :/
***: dxtr has quit IRC (Read error: Operation timed out)
awyeah: btw. pkg_cutleaves > *
***: schmir has joined #arpnetworks
bob^^: useful :D
not seen pkg_cutleaves before
awyeah: It really helps you clean up when you delete packages.
***: dxtr has joined #arpnetworks
dxtr has quit IRC (Changing host)
dxtr has joined #arpnetworks
up_the_irons: pf syntax is quite readable
dxtr: Hmm... STILL no luck
Rebooted the vps (For several reasons)
What's funny is that I can't even access the ip addresses on em0 (Ping them that is)
So... what could be the problem? :P
RandalSchwartz: freebsd?
dxtr: Yeah
RandalSchwartz: can you pastebin your /etc/rc.conf section?
or if it's really short, just add it here? :)
dxtr: What section of it? :)
RandalSchwartz: the part related to em0
you said you're having problems with ping, right?
or is it a pf problem?
dxtr: It's a pf and openvpn problem :P
RandalSchwartz: ahh
yeah - I have openvpn and pf too
dxtr: So... How'd you do it? :D
RandalSchwartz: what have you tried?
dxtr: What haven't I tried?
RandalSchwartz: ... vpn_net = "10.77.77.0/24"
... nat on $ext_if from $vpn_net to any -> ($ext_if:0)
ext_if = "em0"
dxtr: Yeah, I'm familiar with pf and nat
RandalSchwartz: that's the essentials
dxtr: nat on em0 from 10/8 to any -> dxtr.cc
up_the_irons: what is the meaning of "->" in pf?
-: up_the_irons is a pf noob
dxtr: That's how mine looks
up_the_irons: It kinda means "read the man page" ;)
RandalSchwartz: it's just that part of the nat syntax
it could probably be left out. mostly syntax sugar I think
-: up_the_irons hits dxtr with a large trout
up_the_irons: ok
RandalSchwartz: might be that you can put more things after "any"
and it needs to know when you're done :)
dxtr: No, but seriously up_the_irons, I think '-> addr' generally means "translate to this address"
up_the_irons: dxtr: ok
dxtr: Massivel simplified, etc.
Massively*
I've never really given it a thought. It's so obvious to me
RandalSchwartz: I just cut-n-paste it
so what's the problem? Does the link come up?
dxtr: RandalSchwartz: I can connect, I can access the vpn server (10.9.8.1)... but that's it
I can't access anything outside tun0
Holy shit I know what it is
RandalSchwartz: what does your openvpn conf have?
heh
always helps to describe it
***: dxtr has quit IRC (Read error: Connection reset by peer)
-: RandalSchwartz waits for the suspense
RandalSchwartz: oops - he's gone
must've worked :)
cedwards: Ok. I am total fail at CVS, yet I'm trying to submit a port update.
I've downloaded the original tarball from cvsweb.
what I need to do is create a cvs diff of the original and my version. any suggestions?
(note: I've lightly used svn, but mostly used git, so cvs seems.. strange to me)
***: dxtr has joined #arpnetworks
dxtr has quit IRC (Changing host)
dxtr has joined #arpnetworks
vtoms has quit IRC (Quit: Leaving.)
heavysixer has quit IRC (Quit: heavysixer)
dxtr has quit IRC (Read error: Operation timed out)
jdoe: heh
if you can't see the other side of the vpn it means your routing and/or forwarding on the other side is fucked up.
if he ever comes back he needs to post vpn configs as well as the pf config.
***: vtoms has joined #arpnetworks
vtoms has quit IRC (Quit: Leaving.)
dxtr has joined #arpnetworks
dxtr has quit IRC (Changing host)
dxtr has joined #arpnetworks
schmir has quit IRC (Remote host closed the connection)
dxtr has quit IRC (Quit: I'm outta here)
visinin has joined #arpnetworks
dxtr has joined #arpnetworks
dxtr has quit IRC (Changing host)
dxtr has joined #arpnetworks
dxtr: Okay
Got it working!
:D
RandalSchwartz: what was the problem?
cedwards: erg!
jdoe: pebkac ;)
cedwards: I can't get this send-pr to go through because it's coming from username@hostname.domain.tld, and hostname isn't resolvable/valid.
freakin' sendmail
up_the_irons: thinking of redoing my mail server. Right now I use qmail, dspam, and some rbls. Suggestions on software? (postfix, exim, dovecot, etc...) I'm looking for something well documented, simple, and good on spam :)
I haven't gone down this road in a long time...
RandalSchwartz: postfix + dovecot + amavisd-new + postgrey
I've set that up repeatedly now
could even help out if you got stuck
postfix is the state of the art in mail delivery
all the right knobs, but mostly correct in defaults
cedwards: I setup a slick postfix + dovecot + postgresql + webmail + amavis + postgrey + rbl/xbl + strict postfix filtering +...
RandalSchwartz: yeah - I use zen rbl
cedwards: zen.spamhaus.org helps quite a bit, as does postgrey
up_the_irons: nice
cedwards: postgrey actually helps a ton.
RandalSchwartz: yup, until you can't get mail from a multi-outbound host :)
so the whitelists unfortunately have to be applied to the big ones
and those are also a big source of spam
postgrey doesn't implement mapping, sadly
just whitelist
cedwards: ok. I don't know how I'm supposed to submit this freebsd PR if I can't get stinking mail to work right :(
RandalSchwartz: I've seen others that say "if you see it from any of 3.4/16, that's the same as any other 3.4/16"
is the PR about mail? :)
if so, ho ho the irony
cedwards: RandalSchwartz: ha ha. it's a port update, but as I said it's showing it's coming from my unresolvable internal hostname so freebsd.org rejects it.
RandalSchwartz: ssh machine.that.is.properlyconfigured.net sendmail -t <yourmsg
DaCa: I use OpenBSD spamd for greylisting, and whitelist with dnswl.org
RandalSchwartz: I've done that before
cedwards: i forget, in sendmail, how to make it strip the hostname and just come from user@domain
RandalSchwartz: in fact, for a while, I had a local sendmail script that just ssh'ed every message like that :)
simpler than setting up local sendmail
cedwards: i've got SMARTHOST setup to relay through my mail server, but it's still not working.
..and I don't feel like installing postfix for this one-off.
RandalSchwartz: I tell ya. ssh it over :)
***: heavysixer has joined #arpnetworks
ChanServ sets mode: +o heavysixer
up_the_irons: RandalSchwartz: do you have any build log of your "postfix + dovecot + amavisd-new + postgrey" setup?
RandalSchwartz: no - I mostly spent time getting everything just right on the old machine
and then carefully copied it to the new machine
I'd be happy to go over all the moving parts though
also involved in moving from old to new was moving insightcruises.com one way, and the other domains the other
so that also made it tricky
up_the_irons: yeah
i may play around with it some tonight
RandalSchwartz: I also got rid of a pre-queue amavis-d filter, and replaced it with a postgrey and a post-queue amavis-d
that was the new advice
from the docs
up_the_irons: ah
cedwards: up_the_irons: i have pretty detailed docs on my setup, if you want
up_the_irons: i designed it for work, so it's really scalable and manageable.
RandalSchwartz: the tricky part for me was getting the dovecot set up just right to use my password file even after being chrooted
jdoe: up_the_irons: I can give you a postfix+dovecot config
RandalSchwartz: funny, I just switched to pre-queue SA
-: jdoe would rather reject than accept and drop
RandalSchwartz: yeah - that generates more blowback though
too many bystandards
bystanders
jdoe: nah
RandalSchwartz: if it's crap, just absorb it
jdoe: you're rejecting while the session is still open
no innocent bystanders
RandalSchwartz: yes, but it often gets relayed before that
up_the_irons: cedwards: sure, if you don't mind, send it over :) gdolley@arpnetworks.com
RandalSchwartz: so the upstream has no option but to blow it to me
cedwards: as soon as I get this stupid PR submitted..
up_the_irons: jdoe: sure, i'll take your config too :)
jdoe: RandalSchwartz: here's my take on it... assume the mail is 100% spam: if it comes directly to me from the spammer, I reject it during the session. No collateral damage, reject goes right to them. If they proxied through a legit mail server, that mail server should get the rejects, otherwise they might never know they had a problem.
RandalSchwartz: on the other hand, if it's a legit email that's flagged incorrectly, I *want* the sender to get a bounce, otherwise they might never know what happened to it, and that's annoying.
.... also, note that at no point does the email ever make it to someone not directly involved in it coming to me.
which all seems reasonable, I think.
dxtr: http://www.youtube.com/watch?v=UO2zrCExdrU
jdoe: although I guess it sounded more pompous than I'd intended it to ;)
dxtr: Hmm
RandalSchwartz: jdoe - that's not how it happens
evil guy -> middlehost -> me
jdoe: who is middlehost?
dxtr: RandalSchwartz: Probably some firewall rules :)
RandalSchwartz: an egress mailer, for example
for a large corp
jdoe: alright, so where's the problem? large corp sends you an email, you reject it.
what they do with the bounce is their problem.
RandalSchwartz: right, and egressmailer then bounces it to... "From:"
and the "From:" guy gets a blowback
I don't want to blowback
jdoe: that's a problem with egressmailer though, not you.
RandalSchwartz: Yeah - but it's still Very Real
I know, I get a lot of blowback like that
keep in mind, I've been merlyn@stonehenge.com for almost two decades
jdoe: no doubt, but... still. You're (hypothetically) bouncing something correctly. Someone else is dropping the ball.
RandalSchwartz: so I'm in almost every list of "use these million names for fake from"
jdoe: they should fix that, it's no reason for you to cripple your setup.
RandalSchwartz: I'd rather just swallow the virus
jdoe: to each their own, I guess :)
RandalSchwartz: ok - then the equivalent is me doing post-queue
it's exactly the same setup
me doing post queue is exactly the same as mail coming through an egress mailer
both can lead to blow back unless they are set to DISCARD
there's no way around blowback
jdoe: er... that's true, but it's a misleading statement
both can lead to blowback, but only one is actually your fault.
RandalSchwartz: fault isn't to be assigned here
it's part of a larger system
if you return spam, you risk blowback
no matter at what level
jdoe: well it sort of is, otherwise reductio ad absurdum, I won't deliver to internet hosts because it might lead to blowback
RandalSchwartz: and as a victim of a lot of blowback, I won't be creating more of that
jdoe: fair enough.
***: fink has joined #arpnetworks
dxtr: Hmm
How would I do in openbsd to route certain IPs (eg 192.168.0.17/28) through a certain interface
And route the rest through another?
cedwards: I know the Linux way. Not sure how similar it is..
RandalSchwartz: route add, I think
as in, it's part of the routing table
route add 10/8 tun0
jdoe: I think how well that works varies by OS. I know Solaris is a dick about routing subnets
cedwards: don't get me started on Slowlaris. I've got a guy at work who swears it was coded by the almighty himself.
dxtr: sudo route add -host 192.168.2.4 10.9.8.13
That didn't work
And tun0 instead of 10.9.8.13 didn't work
My problem is: I want to route some LAN clients through my openvpn interface
RandalSchwartz: maybe you want to rdr them?
no - that decides based on outgoing
you want nat, which rewrites it
wait. what are you trying to do?
if you want it to work, you'll need to nat them
since the packet has to know where to return
so the outbound IP better be your external IF
this all gets so much simpler with v6
no more nat. thank gawd.
dxtr: :d
So this isn't possible with ipv4?
RandalSchwartz: it is
but you have to NAT
dxtr: Just nat it to tun0?
Sounds reasonable
RandalSchwartz: well - I'm still not getting the topology
can you draw it with "graphviz" for me? :)
dxtr: Sure.
Hold on a minute :)
***: RandalSchwartz has quit IRC (Remote host closed the connection)
RandalSchwartz has joined #arpnetworks
dxtr: RandalSchwartz:
http://www.dxtr.cc/~dexter/pub/topology.png
That's kinda what I want to achieve
RandalSchwartz: I have no idea what net numbers you want there, or why openvpn is in the mix
or why uroboros has two ways to the internet
or whether openvpn is running *on* uroboros, in which case, not sure how dir655 gets to it without talking to uroboros
so I'd say, diagram, mostly fail :(
anyway, gotta drive. see ya later
dxtr: haha, I couldn't come up with a good way to illustrate that I wanted just dir655 to go from uroboros through openvpn
Alright :)
RandalSchwartz: layers, man... colored layers
/me goes
dxtr: Yeah, right
jdoe: that graph is a nightmare ;)
I think what you're trying to say
is that you have a lan on 192.168.2.0/24, of which uroboros is the gateway
and uroboros and bowser are linked by openvpn on 192.168.3.0/24?
... except inexplicably you have a second 192.168.3.0 behind dir655?
***: visinin has quit IRC (Quit: word)
dxtr: jdoe: oh, you saw the second test graph I did :p
But yeah, I wanna route 192.168.3.0/24 over openvpn
jdoe: I can't give any useful suggestions because your graph is crazy-confusing ;)
dxtr: Haha, yeah :D
I've never done any real graphs before.. And I generally suck at making explanatory stuff (Is it called explanatory?)
But in short: Uroboros is my router, bowser is my vps
192.168.3.0/24 is my wlan
And I want to route 192.168.3.0/24 through tun0 in uroboros (openvpn)
jdoe: so what's 192.168.2?
dxtr: Those are my own stuff connected with a wire
And there are no specific reasons for doing this - It's just educational )
:)
jdoe: there are some reasons not to though, I think having different subnets will fuck up broadcast traffic, for example.
uh... sec, maybe my openvpn config can be of some assistance...
dxtr: In this situation I don't care that much for broadcast traffic between 192.168.2 and 192.168.3
jdoe: http://pastebin.com/Cq0j8Wbp
if you want it, copy it now because it expires in a day.
I only have a single subnet at home, but what that does is
openvpn server on 11.22.33.44
openvpn client running on my home gateway.
gateway's ip is 10.200.0.1 (and as far as the tunnel is concerned, also 10.100.100.2)
dxtr: yeah
jdoe: when it's running, server is accessible from the lan as 10.100.100.1 and the entire lan is accessible from the server by their real ips.
(10.200.0.whatever)
fink: jdoe: any particular reason why you have openvpn in /etc rather than /usr/local/etc?
jdoe: fink: because it's linux and that's where it goes on linux
adjust paths for your os as necessary :)
fink: oh, sorry i thought you were bsd
jdoe: my vps is
vpn endpoint is another machine, it and the gateway are debian.
fink: do you find that confusing, switching between setups?
jdoe: no
I admin linux, solaris, bsd and windows machines on a daily basis.
you get used to it, I guess. And you make a habit of using things that are the same between oses
... like pkill and friends. <3
well, and it helps that I'm pretty new with Solaris, stops me from wading in over my head ;)
dxtr: hehe
***: heavysixer has quit IRC (Quit: heavysixer)
dxtr: Well, I'm going to bed now
***: bill``` has joined #arpnetworks
bill```: hi, what should i do if the vnc details provided in my control panel do not actually work?
tried with three different clients
fink: bill```: error?
bill```: nothing, the remote just hangs up
none of the three clients provided an error
i can telnet to the host/port in question and am able to successfully establish a connection, but no dice when using an actual vnc client
up_the_irons: bill```: what is your VNC host and port
bill```: 1 sec
up_the_irons: kvr08.arpnetworks.com on port 6029
i had asked in a support ticket about this a few days ago, but no reply
up_the_irons: bill```: http://support.arpnetworks.com/faqs/vps/out-of-band-management
bill```: note the "only one connection" part
appears you have another connection open somewhere. given you've used three clients, this seems fitting :)
bill```: yes, i had read about that before, but i had never initiated a vps connection the first time and it still failed
so any infected host on the internet port scanning machines could in theory lock me out from using vnc on my own server?
:-|
up_the_irons: bill```: right now it is hanging, which usually means it needs to drop whatever it is holding onto. I think I remember your support email, and I replied saying I connected fine :)
bill```: no, the connection must actually be established. if they don't know your password, it cannot be established
bill```: gotcha
since it's been days, and you were the first person to successfully connect, shouldn't it have timed out by now?
***: bill``` has quit IRC (Quit: leaving)
up_the_irons: and he ran...
***: fink has quit IRC (Ping timeout: 258 seconds)
up_the_irons: bill```: I think there is a bug in the timeout. If the connection is not properly shutdown (you kill your VNC client instead of telling it to end the session), it may hang
***: fink has joined #arpnetworks
ballen has quit IRC (Ping timeout: 240 seconds)
fink has quit IRC (Quit: fink)
Guest40267 has quit IRC (Quit: Leaving)
infrared has quit IRC (Ping timeout: 246 seconds)
up_the_irons: DaCa: so behind your OpenBSD spamd, what are you running as the MTA?