#arpnetworks 2013-03-09,Sat


toddf: jamie: bleh, definitely affecting me, cvs.openbsd.org is unreachable from arpnetworks
due to the outage of course
er whatever shaw's problem is
[00:14]
mercutio: "the outage"?
is cvs.openbsd.org not at a datacentre?
i can mtr to it
but ssh says no route to host
oh oops wasn't arp anyway
maybe diff port, i've only used anoncvs1.ca.openbsd.org
anoncvs1 has openssh beta apparently
[00:25]
........................................................ (idle for 4h35mn)
***heavysixer has joined #arpnetworks
ChanServ sets mode: +o heavysixer
[05:02]
...... (idle for 27mn)
heavysixer has quit IRC (Quit: heavysixer) [05:29]
...... (idle for 26mn)
dzup has joined #arpnetworks
heavysixer has joined #arpnetworks
ChanServ sets mode: +o heavysixer
[05:55]
.... (idle for 18mn)
heavysixer has quit IRC (Quit: heavysixer) [06:16]
_mnathani_ has joined #arpnetworks
mnathani has quit IRC (Ping timeout: 256 seconds)
[06:22]
staticsafe: cvs.openbsd.org is indeed inaccessible from ARP
AS22512 is behind Rogers and Shaw
[06:26]
.............. (idle for 1h6mn)
***heavysixer has joined #arpnetworks
ChanServ sets mode: +o heavysixer
[07:33]
.................. (idle for 1h29mn)
heavysixer has quit IRC (Quit: heavysixer) [09:02]
............ (idle for 59mn)
staticsafe has quit IRC (Quit: WeeChat 0.4.0) [10:01]
staticsafe has joined #arpnetworks [10:08]
.................. (idle for 1h29mn)
heavysixer has joined #arpnetworks
ChanServ sets mode: +o heavysixer
[11:37]
.... (idle for 19mn)
_mnathani_ is now known as mnathani [11:56]
......... (idle for 41mn)
dzup has quit IRC (Ping timeout: 245 seconds) [12:37]
dzup has joined #arpnetworks [12:44]
heavysixer has quit IRC (Quit: heavysixer) [12:58]
.... (idle for 19mn)
heavysixer has joined #arpnetworks
ChanServ sets mode: +o heavysixer
[13:17]
................ (idle for 1h16mn)
16WAAKIMH has left "Leaving"
DiaboliK has joined #arpnetworks
[14:33]
..... (idle for 24mn)
heavysixer has quit IRC (Quit: heavysixer) [14:57]
HighJinx has quit IRC () [15:05]
.... (idle for 19mn)
whitefang has joined #arpnetworks [15:24]
dzup has quit IRC (Ping timeout: 245 seconds) [15:29]
dzup has joined #arpnetworks [15:39]
........ (idle for 37mn)
CaZe has quit IRC (Remote host closed the connection)
CaZe` has joined #arpnetworks
CaZe` is now known as CaZe
dzup has quit IRC (Ping timeout: 245 seconds)
[16:16]
Ehtyar has joined #arpnetworks [16:30]
.......... (idle for 48mn)
whitefang: anyone here have knowledge of pf and iptables? [17:18]
easymac: I know how to stop it.
I assume you need more in depth help though.
[17:26]
whitefang: yah
iptables -A INPUT -i venet0 -d 172.0.0.1 -p tcp -m tcp --dport 8128 -j ACCEPT
iptables -t nat -A PREROUTING -i venet0 -p tcp --dport 80 -j DNAT --to 172.0.0.1:8128
I'm trying to figure out what that translates to in pf
I'm honestly confused as hell right now. just went through configuring bind9, and squid. got both of those running
but my brain is just refusing to wrap itself around this
[17:27]
easymac: pass in on venet0 tcp from any to 172.0.0.1 port 8128 looks like the first one
then the nat stuff, who knows
man it.
[17:28]
whitefang: i have
I'm confused
[17:29]
easymac: What are you trying to do?
transparent proxy or something?
oh, I see what that's doing.
[17:31]
whitefang: yah
ok, the venet0 is referring to something specific with this guy's provider
[17:33]
easymac: It's referring to the internal interface on the NAT most likely.
He's forwarding any connection outgoing to the web on port 80 to 172.0.0.1:8128, which is probably the proxy server.
He's also allowing connections through the firewall for this in the first rule.
[17:38]
whitefang: ok [17:39]
easymac: Look up any transparent proxy pf configuration and you'll see almost exactly the same thing. [17:39]
whitefang: well I have squid running on 8128
i'm going to need to create an interface on 172.0.0.1 right?
[17:39]
easymac: 127.0.0.1 is probably what he meant and he made a typo?
I'd have squid listen on localhost and forward connections to it.
[17:42]
whitefang: i think the idea might be that only traffic from the 172 interface is going through squid so that normal traffic isn't [17:48]
***toddf has quit IRC (Ping timeout: 264 seconds) [18:01]
whitefang: how do I find my vps local internal IP? [18:05]
mercutio: rdr inet proto tcp from any to port 80 -> 127.0.0.1 port 8128
is the freebsd old style syntax
well actually i had a src range rather than interface range
but it'd differ in freebsd/openbsd
cos openbsd has newer pf
man pf.conf on either should help you out though
[18:11]
whitefang: i think I might be on to something now. thanks. [18:19]
mercutio: cool
are you doing openbsd or freebsd?
[18:26]
whitefang: mercutio: freebsd [18:32]
mercutio: ahh ok
did that rdr work?
[18:32]
whitefang: 2013/03/09 18:34:29.050 kid1| PF open failed: (13) Permission denied
:/
[18:35]
mercutio: squid sucks
use apache traffic server
actually i dunno
are you actually trying to do full redirection?
[18:36]
whitefang: https://github.com/corporate-gadfly/Tunlr-Clone
is what I'm trying to do
[18:37]
mercutio: err transparent both ways [18:37]
whitefang: i have no idea [18:37]
mercutio: yeh you only need single level transparent
is it working?
fwiw if you're not being transparent proxied you can make it work without your own proxy
[18:38]
whitefang: no, squid is reporting permission denied opening pf [18:39]
mercutio: does it start anyway
is that warning or error?
do you have http_port 3128 transparent?
in squid.conf
[18:39]
whitefang: 8128 is transparent
squid is starting
[18:41]
mercutio: err
8128
even
[18:41]
whitefang: 2013/03/09 18:34:29.050 kid1| PF open failed: (13) Permission denied
that is from cache_log
[18:41]
mercutio: what happens when you do telnet localhost 8128 [18:41]
whitefang: Connected to localhost.
Escape character is '^]'.
Connection closed by foreign host.
[18:42]
mercutio: and you're using transparent rather than intercept? [18:42]
whitefang: http_port 0.0.0.0:8128 transparent [18:43]
mercutio: hmm
http://wiki.squid-cache.org/ConfigExamples/Intercept/OpenBsdPf
i know it's openbsd
but it says about compiling squid with disable-pf-intercept
http://wiki.squid-cache.org/ConfigExamples/Intercept/OpenBsdPf#PfInterception:_PF_open_failed:_.2813.29_Permission_denied
[18:43]
whitefang: mercutio: i tried with squid built without pf transparent already, it gives a transparent proxying not supported error
2013/03/09 18:15:33.818 kid1| WARNING: transparent proxying not supported
so I went and compiled with pf support
[18:48]
mercutio: oh what weird
just use apache traffic server :)
[18:50]
whitefang: ok I think I fixed that problem
i had to let squid have access to the pf devfs
but now something weird is happening
it's just forwarding to my apache
instead of being a transparent proxy
[18:55]
mercutio: it'll do a dns lookup
you want it to parent?
to another cache?
[19:01]
whitefang: i don't know what that means
ok so here's how I want it to work. i go to netflix.com from my network in canada
I'm using this freebsd machine as my dns server
the dns server overwrites netflix.com with its own IP
so when I go to netflix.com from my home, it's actually connecting to this VPS
the squid on the VPS is then supposed to transparently give me access to the real netflix.com
[19:03]
mercutio: then the vps does look up on netflix
ok so your home has an arp ip address in hosts file?
for netflix
oh do you have apache listening on port 80 on arp too?
[19:06]
whitefang: yup [19:07]
mercutio: do you have two ip addresses? [19:08]
whitefang: no
i didn't think I needed a second IP
[19:08]
mercutio: well it'll go to normal port 80 won't it? [19:08]
whitefang: should I shut down my apache and see what happens? [19:08]
mercutio: yeh ok
but
don't you need split view for dns?
i'll quickly scan that page
[19:09]
whitefang: ahaha
looks like apache was intercepting my requests
[19:09]
mercutio: yeh they're not using a web server
do you have an intelligent router at home?
[19:11]
whitefang: yes [19:11]
mercutio: can you redirect some lan ip address on port 80
to 8128 on the arp vps?
not from your same subnet
like if you're on 192.168.1.0/24 like 192.168.90.0/24 for the one being used for redirection
[19:11]
whitefang: that shouldn't be needed though should it? [19:12]
mercutio: anyway, you don't actually need all that stuff, you just need to parent to a US dns server for those domains. [19:12]
whitefang: my VPS is now a us dns server [19:12]
mercutio: it at least works with hulu.com doing that
yeah try without munging the names
and see if it "just works"
[19:13]
whitefang: oh I have
it doesn't
[19:13]
mercutio: i haven't tried netflix cos i don't have subscription
ahh does your isp transparently proxy?
[19:13]
whitefang: because it uses geoip to see where you're sending your requests from
no
[19:13]
mercutio: ahh
ok
[19:13]
whitefang: so this is making netflix think that my VPS is actually doing the requests [19:14]
mercutio: ahh yip [19:14]
whitefang: and since the streaming isn't done through netflix.com it's akamaihd or some such
none of the streaming will have to go through my vps
[19:14]
mercutio: yeh [19:14]
whitefang: so I'm not sure I have pf setup the way I want it
#squid transparent
rdr on $ext_if inet proto tcp from any to any port www -> 127.0.0.1 port 8128
#### Squid Proxy
pass in on $int_if inet proto tcp from any to 127.0.0.1 port 8128 keep state
pass out on $ext_if inet proto tcp from any to any port www keep state
i've got everything else going properly I think
it's that last bloody thing the guy tells you how to do with iptables
Iptables
172.x.x.x is the venet0:1 internal IP address.
For the filter table (which is the default):
iptables -A INPUT -i venet0 -d 172.x.x.x -p tcp -m tcp --dport 8128 -j ACCEPT
For the nat table:
iptables -t nat -A PREROUTING -i venet0 -p tcp --dport 80 -j DNAT --to 172.x.x.x:8128
[19:15]
mercutio: i think you can just do rdr pass
on $ext_if
but i'd do from <your src ip>
but the whole wanting to view your web site too complicates matters
[19:17]
whitefang: i'd be happy to not view my web for now [19:19]
mercutio: oh
then just do it from your ip
[19:20]
whitefang: ok, I'll work on that later, gotta eat and have company now. thanks for the help. [19:25]
...... (idle for 28mn)
***heavysixer has joined #arpnetworks
ChanServ sets mode: +o heavysixer
[19:53]
...... (idle for 25mn)
heavysixer has quit IRC (Quit: heavysixer)
CaZe` has joined #arpnetworks
pjs has quit IRC (Read error: Connection reset by peer)
pjs has joined #arpnetworks
awyeah_ has quit IRC (Read error: Connection reset by peer)
awyeah_ has joined #arpnetworks
pjs is now known as Guest8466
CaZe has quit IRC (Ping timeout: 264 seconds)
CaZe` is now known as CaZe
[20:18]
.......................... (idle for 2h6mn)
nixbag has quit IRC (Ping timeout: 245 seconds)
nixbag has joined #arpnetworks
nixbag is now known as Guest77743
[22:31]
...... (idle for 26mn)
toddf has joined #arpnetworks
ChanServ sets mode: +o toddf
[22:59]
........... (idle for 50mn)
Guest77743 is now known as nixbag
nixbag has quit IRC (Changing host)
nixbag has joined #arpnetworks
[23:49]
