toddf: due to the outage of course
er whatever shaw's problem is
mercutio: "the outage"?
is cvs.openbsd.org not at a datacentre?
I can mtr to it
but ssh says no route to host
oh oops wasn't arp anyway
maybe diff port, I've only used anoncvs1.ca.openbsd.org
anoncvs1 has openssh beta apparently
staticsafe: cvs.openbsd.org is indeed inaccessible from ARP
AS22512 is behind Rogers and Shaw
whitefang: anyone here have knowledge of pf and iptables?
easymac: I know how to stop it.
I assume you need more in depth help though.
whitefang: yah
iptables -A INPUT -i venet0 -d 172.0.0.1 -p tcp -m tcp --dport 8128 -j ACCEPT
iptables -t nat -A PREROUTING -i venet0 -p tcp --dport 80 -j DNAT --to 172.0.0.1:8128
I'm trying to figure out what that translates to in pf
I'm honestly confused as hell right now. just went through configuring bind9, and squid. got both of those running
but my brain is just refusing to wrap itself around this
easymac: pass in on venet0 tcp from any to 172.0.0.1 port 8128 looks like the first one
then the nat stuff, who knows
man it.
whitefang: i have
I'm confused
easymac: What are you trying to do?
transparent proxy or something?
oh, I see what that's doing.
whitefang: yah
ok, the venet0 is referring to something specific with this guy's provider
easymac: It's referring to the internal interface on the NAT most likely.
He's forwarding any connection outgoing to the web on port 80 to 172.0.0.1:8128, which is probably the proxy server.
He's also allowing connections through the firewall for this in the first rule.
whitefang: ok
easymac: Look up any transparent proxy pf configuration and you'll see almost exactly the same thing.
whitefang: well I have squid running on 8128
I'm going to need to create an interface on 172.0.0.1 right?
easymac: 127.0.0.1 is probably what he meant and he made a typo?
I'd have squid listen on localhost and forward connections to it.
whitefang: I think the idea might be that only traffic from the 172 interface is going through squid so that normal traffic isn't
whitefang: how do I find my vps local internal IP?
mercutio: rdr inet proto tcp from any to port 80 -> 127.0.0.1 port 8128
is the freebsd old style syntax
well actually I had a src range rather than interface range
but it'd differ in freebsd/openbsd
cos openbsd has newer pf
man pf.conf on either should help you out though
whitefang: I think I might be on to something now. thanks.
mercutio: cool
are you doing openbsd or freebsd?
whitefang: mercutio: freebsd
mercutio: ahh ok
did that rdr work?
whitefang: 2013/03/09 18:34:29.050 kid1| PF open failed: (13) Permission denied
:/
mercutio: squid sucks
use apache traffic server
actually I dunno
are you actually trying to do full redirection?
whitefang: https://github.com/corporate-gadfly/Tunlr-Clone
is what I'm trying to do
mercutio: err transparent both ways
whitefang: I have no idea
mercutio: yeh you only need single level transparent
is it working?
fwiw if you're not being transparent proxied you can make it work without your own proxy
whitefang: no, squid is reporting permission denied opening pf
mercutio: does it start anyway
is that warning or error?
do you have http_port 3128 transparent?
in squid.conf
whitefang: 8128 is transparent
squid is starting
mercutio: err
8128
even
whitefang: 2013/03/09 18:34:29.050 kid1| PF open failed: (13) Permission denied
that is from cache_log
mercutio: what happens when you do telnet localhost 8128
whitefang: Connected to localhost.
Escape character is '^]'.
Connection closed by foreign host.
mercutio: and you're using transparent rather than intercept?
whitefang: http_port 0.0.0.0:8128 transparent
mercutio: hmm
http://wiki.squid-cache.org/ConfigExamples/Intercept/OpenBsdPf
I know it's openbsd
but it says about compiling squid with disable-pf-intercept
http://wiki.squid-cache.org/ConfigExamples/Intercept/OpenBsdPf#PfInterception:_PF_open_failed:_.2813.29_Permission_denied
whitefang: mercutio: I tried with squid built without pf transparent already, it gives a transparent proxying not supported error
2013/03/09 18:15:33.818 kid1| WARNING: transparent proxying not supported
so I went and compiled with pf support
mercutio: oh what weird
just use apache traffic server :)
whitefang: ok I think I fixed that problem
I had to let squid have access to the pf devfs
but now something weird is happening
its just forwarding to my apache
instead of being a transparent proxy
mercutio: it'll do a dns lookup
you want it to parent?
to another cache?
whitefang: i don't know what that means
ok so here's how I want it to work. I go to netflix.com from my network in canada
I'm using this freebsd machine as my dns server
the dns server overwrites netflix.com with its own IP
so when I go to netflix.com from my home, it's actually connecting to this VPS
the squid on the VPS is then supposed to transparently give me access to the real netflix.com
mercutio: then the vps does a lookup on netflix
ok so your home has an arp ip address in hosts file?
for netflix
oh do you have apache listening on port 80 on arp too?
whitefang: yup
mercutio: do you have two ip addresses?
whitefang: no
I didn't think I needed a second IP
mercutio: well it'll go to normal port 80 won't it?
whitefang: should I shut down my apache and see what happens?
mercutio: yeh ok
but
don't you need split view for dns?
I'll quickly scan that page
whitefang: ahaha
looks like apache was intercepting my requests
mercutio: yeh they're not using a web server
do you have an intelligent router at home?
whitefang: yes
mercutio: can you redirect some lan ip address on port 80
to 8128 on the arp vps?
not from your same subnet
like if you're on 192.168.1.0/24 like 192.168.90.0/24 for the one being used for redirection
whitefang: that shouldn't be needed though should it?
mercutio: anyway, you don't actually need all that stuff, you just need to parent to a US dns server for those domains.
whitefang: my VPS is now a us dns server
mercutio: it at least works with hulu.com doing that
yeah try without munging the names
and see if it "just works"
whitefang: oh I have
it doesn't
mercutio: I haven't tried netflix cos I don't have subscription
ahh does your isp transparently proxy?
whitefang: because it uses geoip to see where you're sending your requests from
no
mercutio: ahh
ok
whitefang: so this is making netflix think that my VPS is actually doing the requests
mercutio: ahh yip
whitefang: and since the streaming isn't done through netflix.com it's akamaihd or some such
none of the streaming will have to go through my vps
mercutio: yeh
whitefang: so I'm not sure I have pf set up the way I want it
#squid transparent
rdr on $ext_if inet proto tcp from any to any port www -> 127.0.0.1 port 8128
#### Squid Proxy
pass in on $int_if inet proto tcp from any to 127.0.0.1 port 8128 keep state
pass out on $ext_if inet proto tcp from any to any port www keep state
I've got everything else going properly I think
it's that last bloody thing that the guy tells you how to do with iptables
Iptables
172.x.x.x is the venet0:1 internal IP address.
For the filter table (which is the default):
iptables -A INPUT -i venet0 -d 172.x.x.x -p tcp -m tcp --dport 8128 -j ACCEPT
For the nat table:
iptables -t nat -A PREROUTING -i venet0 -p tcp --dport 80 -j DNAT --to 172.x.x.x:8128
mercutio: i think you can just do rdr pass
on $ext_if
but I'd do from <your src ip>
but the whole wanting to view your web site too complicates matters
whitefang: I'd be happy to not view my web for now
mercutio: oh
then just do it from your ip
whitefang: ok, I'll work on that later, gotta eat and have company now. thanks for the help.