[00:14] <toddf> jamie: bleh, definately effecting me, cvs.openbsd.org is unreachable from arpnetworks
[00:14] <toddf> due to the outage of course
[00:14] <toddf> er whatever shaw's problem is
[00:25] <mercutio> "the outage"?
[00:25] <mercutio> is cvs.openbsd.org not at a datacentre?
[00:25] <mercutio> i can mtr to it
[00:26] <mercutio> but ssh syas no route to host
[00:26] <mercutio> oh oops wasn't arp anyway
[00:26] <mercutio> maybe diff port, i've only used anoncvs1.ca.openbsd.org
[00:27] <mercutio> anoncvs1 has openssh beta apparently
[05:02] *** heavysixer has joined #arpnetworks
[05:02] *** ChanServ sets mode: +o heavysixer
[05:29] *** heavysixer has quit IRC (Quit: heavysixer)
[05:55] *** dzup has joined #arpnetworks
[05:58] *** heavysixer has joined #arpnetworks
[05:58] *** ChanServ sets mode: +o heavysixer
[06:16] *** heavysixer has quit IRC (Quit: heavysixer)
[06:22] *** _mnathani_ has joined #arpnetworks
[06:24] *** mnathani has quit IRC (Ping timeout: 256 seconds)
[06:26] <staticsafe> cvs.openbsd.org is indeed inaccessible from ARP
[06:27] <staticsafe> AS22512 is behind Rogers and Shaw
[07:33] *** heavysixer has joined #arpnetworks
[07:33] *** ChanServ sets mode: +o heavysixer
[09:02] *** heavysixer has quit IRC (Quit: heavysixer)
[10:01] *** staticsafe has quit IRC (Quit: WeeChat 0.4.0)
[10:08] *** staticsafe has joined #arpnetworks
[11:37] *** heavysixer has joined #arpnetworks
[11:37] *** ChanServ sets mode: +o heavysixer
[11:56] *** _mnathani_ is now known as mnathani
[12:37] *** dzup has quit IRC (Ping timeout: 245 seconds)
[12:44] *** dzup has joined #arpnetworks
[12:58] *** heavysixer has quit IRC (Quit: heavysixer)
[13:17] *** heavysixer has joined #arpnetworks
[13:17] *** ChanServ sets mode: +o heavysixer
[14:33] *** 16WAAKIMH has left "Leaving"
[14:33] *** DiaboliK has joined #arpnetworks
[14:57] *** heavysixer has quit IRC (Quit: heavysixer)
[15:05] *** HighJinx has quit IRC ()
[15:24] *** whitefang has joined #arpnetworks
[15:29] *** dzup has quit IRC (Ping timeout: 245 seconds)
[15:39] *** dzup has joined #arpnetworks
[16:16] *** CaZe has quit IRC (Remote host closed the connection)
[16:17] *** CaZe` has joined #arpnetworks
[16:17] *** CaZe` is now known as CaZe
[16:19] *** dzup has quit IRC (Ping timeout: 245 seconds)
[16:30] *** Ehtyar has joined #arpnetworks
[17:18] <whitefang> anyone here have knowledge of pf and iptables?
[17:26] <easymac> I know how to stop it.
[17:26] <easymac> I assume you need more in depth help though.
[17:27] <whitefang> yah
[17:27] <whitefang> iptables -A INPUT -i venet0 -d 172.0.0.1 -p tcp -m tcp --dport 8128 -j ACCEPT
[17:27] <whitefang> iptables -t nat -A PREROUTING -i venet0 -p tcp --dport 80 -j DNAT --to 172.0.0.1:8128
[17:27] <whitefang> im trying to figure out what that translates to in pf
[17:27] <whitefang> im honestly confused as hell right now. just went through configuring bind9, and squid. got both of those running
[17:27] <whitefang> but my brain is just refusing to wrap itself around this
[17:28] <easymac> pass in on venet0 tcp from any to 172.0.0.1 port 8128 looks like the first one
[17:28] <easymac> then hte nat stuff, who knows
[17:28] <easymac> man it.
[17:29] <whitefang> i have
[17:29] <whitefang> im confused
[17:31] <easymac> What are you trying to do?
[17:31] <easymac> transparent proxy or something?
[17:32] <easymac> oh, I see what that's doing.
[17:33] <whitefang> yah
[17:34] <whitefang> ok, the venet0 is refering to something specific with this guys provider
[17:38] <easymac> It's refering to the internal interface on the NAT most likely.
[17:39] <easymac> He's forwarding any connection outgoing to the web on port 80 to 172.0.0.1:8128, which is probably the proxy server.
[17:39] <easymac> He's also allowing connections throug the firewall for this in the first rule.
[17:39] <whitefang> ok
[17:39] <easymac> Look up any transparent proxy pf configuration and you'll see almost exactly the same thing.
[17:39] <whitefang> well I have squid running on 8128
[17:39] <whitefang> i'm going to need to create an interface on 172.0.0.1 right?
[17:42] <easymac> 127.0.0.1 is probably what he meant and he made a typo?
[17:42] <easymac> I'd have squid listen on localhost and forward connections to it.
[17:48] <whitefang> i think the idea might be that only traffic from the 172 interface is going through squid so that normal traffic isn't
[18:01] *** toddf has quit IRC (Ping timeout: 264 seconds)
[18:05] <whitefang> how do I find my vps local internal IP?
[18:11] <mercutio> rdr inet proto tcp from any to port 80 -> 127.0.0.1 port 8128
[18:11] <mercutio> is the freebsd old style syntax
[18:12] <mercutio> well actually i had a src range rather than interface range
[18:12] <mercutio> but it'd diff in freebsd/openbsd
[18:12] <mercutio> cos openbsd has newer pf
[18:12] <mercutio> man pf.conf on either should help you out though
[18:19] <whitefang> i think I might be on to something now. thanks.
[18:26] <mercutio> cool
[18:26] <mercutio> are you doing openbsd or freebsd?
[18:32] <whitefang> mercutio: freebsd
[18:32] <mercutio> ahh ok
[18:32] <mercutio> did that rdr worK?
[18:35] <whitefang> 2013/03/09 18:34:29.050 kid1| PF open failed: (13) Permission denied
[18:35] <whitefang> :/
[18:36] <mercutio> squid sucks
[18:36] <mercutio> use apache traffic server
[18:37] <mercutio> actualyl i dunno
[18:37] <mercutio> are you actually trying to do full redirection?
[18:37] <whitefang> https://github.com/corporate-gadfly/Tunlr-Clone
[18:37] <whitefang> is what I'm trying to do
[18:37] <mercutio> err transparent both ways
[18:37] <whitefang> i have no idea
[18:38] <mercutio> yeh you only need single level transparent
[18:38] <mercutio> is it workign?
[18:38] <mercutio> fwiw if your'e not being transparent proxied you can make it work without your own proxy
[18:39] <whitefang> no, squid is reporting permission denied opening pf
[18:39] <mercutio> does it start anyway
[18:39] <mercutio> is that warning or error?
[18:40] <mercutio> do you have http_port 3128 transparent?
[18:40] <mercutio> in squid.conf
[18:41] <whitefang> 8128 is transpartent
[18:41] <whitefang> squid is starting
[18:41] <mercutio> err
[18:41] <mercutio> 8128
[18:41] <mercutio> even
[18:41] <whitefang> 2013/03/09 18:34:29.050 kid1| PF open failed: (13) Permission denied
[18:41] <whitefang> that is from cache_log
[18:41] <mercutio> what happens when you do telnet localhost 8128
[18:42] <whitefang> Connected to localhost.
[18:42] <whitefang> Escape character is '^]'.
[18:42] <whitefang> Connection closed by foreign host.
[18:42] <mercutio> and you're using transparent rather than intercept?
[18:43] <whitefang> http_port 0.0.0.0:8128 transparent
[18:43] <mercutio> hmm
[18:43] <mercutio> http://wiki.squid-cache.org/ConfigExamples/Intercept/OpenBsdPf
[18:43] <mercutio> i know it's openbsd
[18:43] <mercutio> but it says about compiling squid with disable-pf-intercept
[18:44] <mercutio> http://wiki.squid-cache.org/ConfigExamples/Intercept/OpenBsdPf#PfInterception:_PF_open_failed:_.2813.29_Permission_denied
[18:48] <whitefang> mercutio: i tried with squid built without pf transparent already, it give a transparent proxying not supported error
[18:49] <whitefang> 2013/03/09 18:15:33.818 kid1| WARNING: transparent proxying not supported
[18:49] <whitefang> so I went and compiled with pf support
[18:50] <mercutio> oh what weird
[18:50] <mercutio> just use apache traffic server :)
[18:55] <whitefang> ok I think I fixed that problem
[18:55] <whitefang> i had to let squid have access to the pf devfs
[18:56] <whitefang> but now something weird is happening
[18:57] <whitefang> its just forwarding to my apache
[18:57] <whitefang> instead of being a transparent proxy
[19:01] <mercutio> it'll do a dns lookup
[19:01] <mercutio> you want it to parent?
[19:01] <mercutio> to another cache?
[19:03] <whitefang> i don't know what that means
[19:04] <whitefang> ok so here's how I want it to work. i goto netflix.com from my network in canada
[19:04] <whitefang> im using this freebsd machine as my dns server
[19:04] <whitefang> the dns server overwrites netflix.com with its own IP
[19:04] <whitefang> so when I goto netflix.com from my home, its actaully connecting to this VPS
[19:05] <whitefang> the squid on teh VPS is then supposed to transparently give me access to the real netflix.com
[19:06] <mercutio> then the vps does look up on netflix
[19:06] <mercutio> ok so your hoem has an arp ip address in hosts file?
[19:07] <mercutio> for netflix
[19:07] <mercutio> oh do you have apache listening on port 80 on arp too?
[19:07] <whitefang> yup
[19:08] <mercutio> do you have two ip addresses?
[19:08] <whitefang> no
[19:08] <whitefang> i didn't think I needed a second IP
[19:08] <mercutio> well it'll go to normal port 80 won't it?
[19:08] <whitefang> should I shutdo3wn my apache and see what happens?
[19:09] <mercutio> yeh ok
[19:09] <mercutio> but
[19:09] <mercutio> don't you need split view for dns?
[19:09] <mercutio> i'll quickly scan that page
[19:09] <whitefang> ahaha
[19:10] <whitefang> looks like apache was intercepting my requests
[19:11] <mercutio> yeh they're not using a web server
[19:11] <mercutio> do you have an intelligent router at home?
[19:11] <whitefang> yes
[19:11] <mercutio> can you redirect some lan ip address on port 80
[19:11] <mercutio> to 8128 on the arp vps?
[19:12] <mercutio> not from your same subnet
[19:12] <mercutio> like if you're on 192.168.1.0/24 like 192.168.90.0/24 for the one being used for redirection
[19:12] <whitefang> that shouldn't be needed though should it?
[19:12] <mercutio> anyway, you don't actually need all that stuff, you just need to parent to a US dns server for those domains.
[19:12] <whitefang> my VPS is now a us dns server
[19:13] <mercutio> it at least works with hulu.com doing that
[19:13] <mercutio> yeah try without munging the names
[19:13] <mercutio> and see if it "just works"
[19:13] <whitefang> oh I have
[19:13] <whitefang> it doesn't
[19:13] <mercutio> i haven't tried netflix cos i don't have subscription
[19:13] <mercutio> ahh does your isp transparently proxy?
[19:13] <whitefang> because it uses geoip to see where your sending your requests from
[19:13] <whitefang> no
[19:13] <mercutio> ahh
[19:13] <mercutio> ok
[19:14] <whitefang> so this is making netflix think that my VPS is actually doing the requests
[19:14] <mercutio> ahh yip
[19:14] <whitefang> and since the streaming isnt done through netflix.com its akamaihd or some such
[19:14] <whitefang> none of the streaming will have to go through my vps
[19:14] <mercutio> yeh
[19:15] <whitefang> so I'm not sure I have pf setup the way I want it
[19:15] <whitefang> #squid transparent
[19:15] <whitefang> rdr on $ext_if inet proto tcp from any to any port www -> 127.0.0.1 port 8128
[19:15] <whitefang> #### Squid Proxy
[19:15] <whitefang> pass in on $int_if inet proto tcp from any to 127.0.0.1 port 8128 keep state
[19:15] <whitefang> pass out on $ext_if inet proto tcp from any to any port www keep state
[19:15] <whitefang> i've got everything else going properly I think
[19:16] <whitefang> its that last bloody thing they the guy tells you how to do with iptables
[19:16] <whitefang> Iptables
[19:16] <whitefang> 172.x.x.x is the venet0:1 internal IP address.
[19:16] <whitefang> For the filter table (which is the default):
[19:16] <whitefang> iptables -A INPUT -i venet0 -d 172.x.x.x -p tcp -m tcp --dport 8128 -j ACCEPT
[19:16] <whitefang> For the nat table:
[19:16] <whitefang> iptables -t nat -A PREROUTING -i venet0 -p tcp --dport 80 -j DNAT --to 172.x.x.x:8128
[19:17] <mercutio> i think you can just do rdr pass
[19:17] <mercutio> on $ext_if
[19:17] <mercutio> but i'd do from <your src ip>
[19:18] <mercutio> but the whole wanting to view your web site too copmlicates matters
[19:19] <whitefang> i'd be happy to not view my web for now
[19:20] <mercutio> oh
[19:20] <mercutio> then just do it from your ip
[19:25] <whitefang> ok, I'll work on that later, gotta eat and have company now. thanks for the help.
[19:53] *** heavysixer has joined #arpnetworks
[19:53] *** ChanServ sets mode: +o heavysixer
[20:18] *** heavysixer has quit IRC (Quit: heavysixer)
[20:22] *** CaZe` has joined #arpnetworks
[20:24] *** pjs has quit IRC (Read error: Connection reset by peer)
[20:25] *** pjs has joined #arpnetworks
[20:25] *** awyeah_ has quit IRC (Read error: Connection reset by peer)
[20:25] *** awyeah_ has joined #arpnetworks
[20:25] *** pjs is now known as Guest8466
[20:25] *** CaZe has quit IRC (Ping timeout: 264 seconds)
[20:25] *** CaZe` is now known as CaZe
[22:31] *** nixbag has quit IRC (Ping timeout: 245 seconds)
[22:33] *** nixbag has joined #arpnetworks
[22:33] *** nixbag is now known as Guest77743
[22:59] *** toddf has joined #arpnetworks
[22:59] *** ChanServ sets mode: +o toddf
[23:49] *** Guest77743 is now known as nixbag
[23:50] *** nixbag has quit IRC (Changing host)
[23:50] *** nixbag has joined #arpnetworks