↑back Search ←Prev date Next date→ Show only urls | (Click on time to select a line by its url) |
Who | What | When |
---|---|---|
toddf | jamie: bleh, definitely affecting me, cvs.openbsd.org is unreachable from arpnetworks
due to the outage of course, er, whatever shaw's problem is | [00:14] |
mercutio | "the outage"?
is cvs.openbsd.org not at a datacentre? i can mtr to it but ssh says no route to host. oh oops, wasn't arp anyway. maybe diff port, i've only used anoncvs1.ca.openbsd.org. anoncvs1 has openssh beta apparently | [00:25] |
........................................................ (idle for 4h35mn) | ||
*** | heavysixer has joined #arpnetworks
ChanServ sets mode: +o heavysixer | [05:02] |
...... (idle for 27mn) | ||
heavysixer has quit IRC (Quit: heavysixer) | [05:29] | |
...... (idle for 26mn) | ||
dzup has joined #arpnetworks
heavysixer has joined #arpnetworks
ChanServ sets mode: +o heavysixer | [05:55] | |
.... (idle for 18mn) | ||
heavysixer has quit IRC (Quit: heavysixer) | [06:16] | |
_mnathani_ has joined #arpnetworks
mnathani has quit IRC (Ping timeout: 256 seconds) | [06:22] | |
staticsafe | cvs.openbsd.org is indeed inaccessible from ARP
AS22512 is behind Rogers and Shaw | [06:26] |
.............. (idle for 1h6mn) | ||
*** | heavysixer has joined #arpnetworks
ChanServ sets mode: +o heavysixer | [07:33] |
.................. (idle for 1h29mn) | ||
heavysixer has quit IRC (Quit: heavysixer) | [09:02] | |
............ (idle for 59mn) | ||
staticsafe has quit IRC (Quit: WeeChat 0.4.0) | [10:01] | |
staticsafe has joined #arpnetworks | [10:08] | |
.................. (idle for 1h29mn) | ||
heavysixer has joined #arpnetworks
ChanServ sets mode: +o heavysixer | [11:37] | |
.... (idle for 19mn) | ||
_mnathani_ is now known as mnathani | [11:56] | |
......... (idle for 41mn) | ||
dzup has quit IRC (Ping timeout: 245 seconds) | [12:37] | |
dzup has joined #arpnetworks | [12:44] | |
heavysixer has quit IRC (Quit: heavysixer) | [12:58] | |
.... (idle for 19mn) | ||
heavysixer has joined #arpnetworks
ChanServ sets mode: +o heavysixer | [13:17] | |
................ (idle for 1h16mn) | ||
16WAAKIMH has left "Leaving"
DiaboliK has joined #arpnetworks | [14:33] | |
..... (idle for 24mn) | ||
heavysixer has quit IRC (Quit: heavysixer) | [14:57] | |
HighJinx has quit IRC () | [15:05] | |
.... (idle for 19mn) | ||
whitefang has joined #arpnetworks | [15:24] | |
dzup has quit IRC (Ping timeout: 245 seconds) | [15:29] | |
dzup has joined #arpnetworks | [15:39] | |
........ (idle for 37mn) | ||
CaZe has quit IRC (Remote host closed the connection)
CaZe` has joined #arpnetworks
CaZe` is now known as CaZe
dzup has quit IRC (Ping timeout: 245 seconds) | [16:16] | |
Ehtyar has joined #arpnetworks | [16:30] | |
.......... (idle for 48mn) | ||
whitefang | anyone here have knowledge of pf and iptables? | [17:18] |
easymac | I know how to stop it.
I assume you need more in depth help though. | [17:26] |
whitefang | yah
iptables -A INPUT -i venet0 -d 172.0.0.1 -p tcp -m tcp --dport 8128 -j ACCEPT
iptables -t nat -A PREROUTING -i venet0 -p tcp --dport 80 -j DNAT --to 172.0.0.1:8128
I'm trying to figure out what that translates to in pf. I'm honestly confused as hell right now. just went through configuring bind9 and squid, got both of those running, but my brain is just refusing to wrap itself around this | [17:27] |
easymac | pass in on venet0 tcp from any to 172.0.0.1 port 8128 looks like the first one
then the nat stuff, who knows man. | [17:28] |
whitefang | i have
im confused | [17:29] |
easymac | What are you trying to do?
transparent proxy or something? oh, I see what that's doing. | [17:31] |
whitefang | yah
ok, the venet0 is referring to something specific with this guy's provider | [17:33] |
easymac | It's referring to the internal interface on the NAT most likely.
He's forwarding any connection outgoing to the web on port 80 to 172.0.0.1:8128, which is probably the proxy server. He's also allowing connections through the firewall for this in the first rule. | [17:38] |
whitefang | ok | [17:39] |
easymac | Look up any transparent proxy pf configuration and you'll see almost exactly the same thing. | [17:39] |
whitefang | well I have squid running on 8128
i'm going to need to create an interface on 172.0.0.1 right? | [17:39] |
easymac | 127.0.0.1 is probably what he meant and he made a typo?
I'd have squid listen on localhost and forward connections to it. | [17:42] |
whitefang | i think the idea might be that only traffic from the 172 interface is going through squid so that normal traffic isn't | [17:48] |
*** | toddf has quit IRC (Ping timeout: 264 seconds) | [18:01] |
whitefang | how do I find my vps local internal IP? | [18:05] |
mercutio | rdr inet proto tcp from any to port 80 -> 127.0.0.1 port 8128
is the freebsd old style syntax. well actually i had a src range rather than interface range, but it'd differ in freebsd/openbsd cos openbsd has newer pf. man pf.conf on either should help you out though | [18:11] |
whitefang | i think I might be on to something now. thanks. | [18:19] |
mercutio | cool
are you doing openbsd or freebsd? | [18:26] |
whitefang | mercutio: freebsd | [18:32] |
mercutio | ahh ok
did that rdr work? | [18:32] |
whitefang | 2013/03/09 18:34:29.050 kid1| PF open failed: (13) Permission denied
:/ | [18:35] |
mercutio | squid sucks
use apache traffic server. actually i dunno, are you actually trying to do full redirection? | [18:36] |
whitefang | https://github.com/corporate-gadfly/Tunlr-Clone
is what I'm trying to do | [18:37] |
mercutio | err transparent both ways | [18:37] |
whitefang | i have no idea | [18:37] |
mercutio | yeh you only need single level transparent
is it working? fwiw if you're not being transparent proxied you can make it work without your own proxy | [18:38] |
whitefang | no, squid is reporting permission denied opening pf | [18:39] |
mercutio | does it start anyway
is that warning or error? do you have http_port 3128 transparent? in squid.conf | [18:39] |
whitefang | 8128 is transparent
squid is starting | [18:41] |
mercutio | err
8128 even | [18:41] |
whitefang | 2013/03/09 18:34:29.050 kid1| PF open failed: (13) Permission denied
that is from cache_log | [18:41] |
mercutio | what happens when you do telnet localhost 8128 | [18:41] |
whitefang | Connected to localhost.
Escape character is '^]'. Connection closed by foreign host. | [18:42] |
mercutio | and you're using transparent rather than intercept? | [18:42] |
whitefang | http_port 0.0.0.0:8128 transparent | [18:43] |
mercutio | hmm
http://wiki.squid-cache.org/ConfigExamples/Intercept/OpenBsdPf
i know it's openbsd but it says about compiling squid with disable-pf-intercept
http://wiki.squid-cache.org/ConfigExamples/Intercept/OpenBsdPf#PfInterception:_PF_open_failed:_.2813.29_Permission_denied | [18:43] |
whitefang | mercutio: i tried with squid built without pf transparent already, it gives a transparent proxying not supported error
2013/03/09 18:15:33.818 kid1| WARNING: transparent proxying not supported
so I went and compiled with pf support | [18:48] |
mercutio | oh what weird
just use apache traffic server :) | [18:50] |
whitefang | ok I think I fixed that problem
i had to let squid have access to the pf devfs, but now something weird is happening: it's just forwarding to my apache instead of being a transparent proxy | [18:55] |
mercutio | it'll do a dns lookup
you want it to parent? to another cache? | [19:01] |
whitefang | i don't know what that means
ok so here's how I want it to work. i go to netflix.com from my network in canada. i'm using this freebsd machine as my dns server. the dns server overwrites netflix.com with its own IP, so when I go to netflix.com from my home, it's actually connecting to this VPS. the squid on the VPS is then supposed to transparently give me access to the real netflix.com | [19:03] |
mercutio | then the vps does look up on netflix
ok so your home has an arp ip address in hosts file? for netflix. oh do you have apache listening on port 80 on arp too? | [19:06] |
whitefang | yup | [19:07] |
mercutio | do you have two ip addresses? | [19:08] |
whitefang | no
i didn't think I needed a second IP | [19:08] |
mercutio | well it'll go to normal port 80 won't it? | [19:08] |
whitefang | should I shut down my apache and see what happens? | [19:08] |
mercutio | yeh ok
but don't you need split view for dns? i'll quickly scan that page | [19:09] |
whitefang | ahaha
looks like apache was intercepting my requests | [19:09] |
mercutio | yeh they're not using a web server
do you have an intelligent router at home? | [19:11] |
whitefang | yes | [19:11] |
mercutio | can you redirect some lan ip address on port 80
to 8128 on the arp vps? not from your same subnet like if you're on 192.168.1.0/24 like 192.168.90.0/24 for the one being used for redirection | [19:11] |
whitefang | that shouldn't be needed though should it? | [19:12] |
mercutio | anyway, you don't actually need all that stuff, you just need to parent to a US dns server for those domains. | [19:12] |
whitefang | my VPS is now a us dns server | [19:12] |
mercutio | it at least works with hulu.com doing that
yeah try without munging the names and see if it "just works" | [19:13] |
whitefang | oh I have
it doesn't | [19:13] |
mercutio | i haven't tried netflix cos i don't have subscription
ahh does your isp transparently proxy? | [19:13] |
whitefang | because it uses geoip to see where you're sending your requests from
no | [19:13] |
mercutio | ahh
ok | [19:13] |
whitefang | so this is making netflix think that my VPS is actually doing the requests | [19:14] |
mercutio | ahh yip | [19:14] |
whitefang | and since the streaming isn't done through netflix.com, it's akamaihd or some such,
none of the streaming will have to go through my vps | [19:14] |
mercutio | yeh | [19:14] |
whitefang | so I'm not sure I have pf setup the way I want it
# squid transparent
rdr on $ext_if inet proto tcp from any to any port www -> 127.0.0.1 port 8128
#### Squid Proxy
pass in on $int_if inet proto tcp from any to 127.0.0.1 port 8128 keep state
pass out on $ext_if inet proto tcp from any to any port www keep state
i've got everything else going properly. I think it's that last bloody thing that the guy tells you how to do with iptables:
Iptables: 172.x.x.x is the venet0:1 internal IP address. For the filter table (which is the default):
iptables -A INPUT -i venet0 -d 172.x.x.x -p tcp -m tcp --dport 8128 -j ACCEPT
For the nat table:
iptables -t nat -A PREROUTING -i venet0 -p tcp --dport 80 -j DNAT --to 172.x.x.x:8128 | [19:15] |
mercutio | i think you can just do rdr pass
on $ext_if, but i'd do from <your src ip>. but the whole wanting to view your web site too complicates matters | [19:17] |
whitefang | i'd be happy to not view my web for now | [19:19] |
mercutio | oh
then just do it from your ip | [19:20] |
whitefang | ok, I'll work on that later, gotta eat and have company now. thanks for the help. | [19:25] |
...... (idle for 28mn) | ||
*** | heavysixer has joined #arpnetworks
ChanServ sets mode: +o heavysixer | [19:53] |
...... (idle for 25mn) | ||
heavysixer has quit IRC (Quit: heavysixer)
CaZe` has joined #arpnetworks
pjs has quit IRC (Read error: Connection reset by peer)
pjs has joined #arpnetworks
awyeah_ has quit IRC (Read error: Connection reset by peer)
awyeah_ has joined #arpnetworks
pjs is now known as Guest8466
CaZe has quit IRC (Ping timeout: 264 seconds)
CaZe` is now known as CaZe | [20:18] | |
.......................... (idle for 2h6mn) | ||
nixbag has quit IRC (Ping timeout: 245 seconds)
nixbag has joined #arpnetworks
nixbag is now known as Guest77743 | [22:31] | |
...... (idle for 26mn) | ||
toddf has joined #arpnetworks
ChanServ sets mode: +o toddf | [22:59] | |
........... (idle for 50mn) | ||
Guest77743 is now known as nixbag
nixbag has quit IRC (Changing host)
nixbag has joined #arpnetworks | [23:49] |