mnathani: no i mean VPS customers i tried it in a vps once, it works fine - alias configuration is a PITA vs freebsd or openbsd though What do you mean? Clicking buttons in a GUI versus just typing it in pf.conf? 06:43:51 < m0unds> i tried it in a vps once, it works fine - alias configuration is a PITA vs freebsd or openbsd though In which case, I'd say that writing rules is similarly PITA :p brycec: no, when i messed with it somewhat recently, interface aliases don't work the way i expected them to (the way they work in freebsd or openbsd) Do you mean "interface groups" as they're termed in pfSense? the UI element does some weird stuff with aliases that wasn't clear i don't remember, but it felt kinda counterproductive at any rate, i only looked because i hadn't used it since like 2007 heh Well I'm happy to say pfSense has come a long, long way in 7 years :p and the thing that seemed like it should be aliases wasn't well, they're still on the same release tree and the ui has some awful 90s UX to it that they need to get rid of asap :P the notification thing at the top in teh default theme is awful s/teh/the the notification thing at the top in the default theme is awful i looked at m0n0 last night because i hadn't used it since probably 2003, and they just moved up to freebsd 8.3 last month, haha I don't think I follow what you mean by same release tree - were you expecting them to just scrap everything and start over? Nice, they're catching up to pfSense no, they were working on "2.0" forever IIRC that 8.3 is due to the NanoBSD base. 
True, but 1.2.3 was stable up until ~2 years ago *stable/current That 2.0 was effectively a total rewrite yeah, so i guess it was 2 years ago that i messed with it, haha because it was 1.2.3 (i still have the disk image on my kvm server at home) "Version 1.0 of the software was released on October 4, 2006.[5] Version 2.0 was released on September 17, 2011,[6] with updates 2.0.1 to 2.0.3 between then and 2013, and version 2.1 was released on September 15, 2013." Or you can peruse http://www.pfsense.org/about-pfsense/versions.html 1.2.3 released Dec 2009, 2.0.1 released Dec 2011 at least they're somewhat consistent Good news, up_the_irons, ARP was not on the list of the top 24 networks http://blog.cloudflare.com/technical-details-behind-a-400gbps-ntp-amplification-ddos-attack It didn't make the list at all! https://docs.google.com/spreadsheet/ccc?key=0AhuvvqAkGlindHFtS0pJa0lYZGNlLXNONWtlY01qanc&usp=sharing#gid=0 actually, i did try it more recently - i was trying to figure out how i knew about the thing at the top. i tried it on my small arp vps after i migrated stuff to the bigger arp vps i do have a 1.2.3 disk image locally though which i don't remember doing anything with at any rate, maybe it was a quirk with the vps having a single if or something, or i could just be remembering something that doesn't exist, hahaha haha, chinanet. go figure. srsly and ovh yeah color me surprised what color is surprised? m0unds: mauve eeewwwww at least it's not taupe or chartreuse Oh sweet, I'm getting hit with buttloads of DNS queries... I'm guessing my own DOS reflection an attack of my very own. On a cable modem. woo sweet I wonder how this IP was chosen... I don't really use it for anything, and it's not in DNS anywhere are you connected to IRC w/it? or bot connected from it or something? 
the only time i ever had a box get ddosed was when i was connected to a provider's IRC channel w/v4 address and some kid decided to start ddosing people connected to the channel nope and nope It's the external IP of a router, but all traffic goes out a different IP huh. is the address SWIP'd to another business or something? dun think so you must just be lucky holy crap, TWC actually filled in the business information (protip: always smart to whois your own addresses once in awhile) ANY? . that's the query whee this is probably odd question but does arp ratelimit dns or anything UDP inbound as I recall to 5mbps $ time host lightning.net >/dev/null real 0m8.197s $ time host nac.net >/dev/null real 0m2.327s ouch real 0m0.946s using the official arp resolvers, and i don't get this kind of response time elsewhere even hitting the same authoritative ns close to 1 second seems incredibly weird/bad as is hazardous: for google.com real 0m0.161s yeah that seems cached maybe, idk And nac.net now gives me real 0m0.027s i sometimes have periods of time when it's somewhat acceptable and periods of time where anything takes forever http://support.arpnetworks.com/kb/main/is-there-a-firewall-filter-rate-limit-or-similar-device-applied-to-my-traffic outbound UDP traffic is rate-limited to 5mbps I wonder if up_the_irons / ARP's resolvers are exempt from that, and/or being overwhelming it wow that was terrible grammar try again hahah yeah i dunno, i just did host google.com and the A records returned instantly then it hung for 3-4 seconds before returning the mx part huh. was just gonna say maybe it wasn't cached but if it's hanging on mx recs, dunno the prev query, i mean since it returned google quickly yeah i have absolutely no idea http://pastebin.aquilenet.fr/?1328915b0bfb2488#y8PHFMpIH159tKAd5vFItNbggiBNrLCLq4fJmGtx7oE= wat oh man this dns ddos is terrible, how will i deal with the 50kbps of traffic pouring in??? Silliest. DOS. Ever. 
omgz, you better mitigate it brycec: ARP wasn't in the list ;) What is the purpose of running pfSense (a firewall) on a VPS with only one interface? i did it to screw around; you can still use it as a gateway or firewall in front of another vps if you really wanted to you don't /have/ to have separate interfaces unless you're gonna nat And even then, there are vlans ;) (or vlans inside of vlans, on ARP) yes vlans inside of vlans on ARP only work if you use svlan(4) (IEEE 802.1AD) and then only if you're unblocked and permitted to do so I know from experience! now don't try to do svlan(4) on vio(4) on current, something about cksums kills it current openbsd that is Does anyone know how much it costs to Akamaize a website? (Serve it using Akamai's CDN) ? i've never seen $ amounts, but i've also never heard 'affordable' mentioned alongside their name might look into edgecast or cachefly too Of course it would depend on the size of the site / complexity beign served as well as actual traffic / bandwidth s/beign/being Of course it would depend on the size of the site / complexity being served as well as actual traffic / bandwidth i googled and found pricing from an akamai partner showing a $4/GB x 500GB/mo commit and that was 'cheap' so approx $2000/month for that setup? yea later clarification showed $200/mo @ per GB and $375/mo for 500GB http://www.cachefly.com/pricing.html m0unds: thans s/thans/thanks m0unds: thanks cloudflare.com is free if you don't need SSL yeah, cloudflare's free stuff is good if you just want the cdn features indeed it does sound good i'm not sure what i like better allow(Mail).to receive(:all).and_return(@msgs) allow(Mail).to receive(:all) { @msgs } http://www.pantz.org/software/pf/use_freebsd_10_as_a_pf_firewall.html I like the #and_return. It's more clear what it's doing. m0unds: i prefer cachefly to akamai as a user I save the block syntax for when I really need a block. 
akamai is often terrible performance with "cache misses" akamai has closer nodes to me than cachefly, but cachefly's average performance is way up. mike-burns: ah it's harder to test cache miss performance though. you used to be able to send ?1 ?2 ?3 ?4 etc to get an uncached version of stuff to test... but that seemed to stop working and with the number of akamai nodes, unless you're huge there are likely to be lots of cache misses cloudflare is terrible i reckon CloudFlare should get on Any2 so I can peer with them Akamai is, so is EdgeCast i don't think it'd make much difference? cloud flare is in san jose atm isn't it? i can't think of any domains that use it off hand NO, peering with ARP makes ALL THE DIFFERENCE IN THE WORLD. Get it right mercutio ;) well i doubt there's much traffic being pushed to there, and with multiple upstreams ... incoming isn't likely to saturate and hardly any users on arp are likely to be pulling large files off cloudflare but cloudflare pulls lots of files from arp oh ok i didn't realise that :) some dedi customers use CF heavily mercutio - anyone hosted at (mt) is using cloudflare by default yeah, shared hosting co's are starting to do that we have some here mt? media temple (mt)® is Media Temple. Not sure what "mt" is. :) me either. But I'm pretty sure a RandalSchwartz is a smartass :P i've only noticed cloudflare when sites have problems i suppose that's one of the problems with those things ditto some sites only shift to cloudflare when they're getting ddos'ed or have load issues and if a site's going slow and you trace and it says cloudflare.. insightcruises.com had it enabled for a week, then they screwed up the DNS, and different people were getting different pages or even A records pointing to nowhere O_o so we ripped it all out, and haven't gone back might have been early growing pains who's using it right now? presume these guys: https://www.cloudflare.com/case-studies RandalSchwartz: you coming to any js.la meetups soon? 
it's kinda hard to believe the last one where we had a chance to chat was over a year ago! (christmas before last) imgur will do RandalSchwartz: or perhaps that was devops.la... hmmm *ladevops interesting - http://blog.cloudflare.com/technical-details-behind-a-400gbps-ntp-amplification-ddos-attack RandalSchwartz: that was pasted earlier my client before this one was directly across the street from my hotel and a bar. I stopped going to meetups. :) now I'm working in santa monica, and I have to actually drive around, so I can start doing meetups again. plus, it'll give me an excuse to drink a bit less. I was a bit out of control because I wasn't driving for 5 days at a time. o_o oh cloudflare do have node in los angeles they would be stupid not to and the ?1 ?2 trick works they've got lots of pops cache hit time in la, 20 msec, cache miss time 500 msec cache hit time in nz, 85 msec, cache miss time 530 msec not bad pretty consistent anyways yeh i seen way worse from akamai with > 1 second. gross it's only 15k file though it seemed to get more consistent when i did it more my friend put their blog on the free cloudflare plan and saw spam comments just stop altogether - i think just as a side effect of cloudflare's anti-bot stuff imgur still loaded images slow main imgur.com site isn't cdn'ed, just their images right img.imgur.com nah i.imgur.com img.imgur.com is too oh ok imgur is quite reliable imgur++ i don't normally look at it http://imgur.com/gallery/oxn6ZMh but this is funny heh damn now i want to test akamai but they using https akamai is 56 msec hit, 1 second miss for apple 56k image and 17 msec hit, 260 msec miss from la i suppose that not so bad, i suppose it depends where origin servers are still even for 56k 1 second miss seems kind of bad to me Just setup my first site to site vpn in a lab, but I can't seem to ping from a subnet behind the vpn to a subnet on the other site. did you enable forwarding? The reverse ping works just fine. 
(pfSense with Openvpn btw) Did you set the routing? Non-overlapping subnets? Firewall? firewall - allow any/any non-overlapping subnets yup traceroute, tcpdump the server config section had local subnets and remote subnets i assume pfsense would enable forwarding :) client only had remote subnets client side can ping server side, but not reverse how foolish of me, twice in as many days now, Windows Firewall got the better of me and dropped my icmp packets oh that's normal lolol now I need to redo it to verify if all that config I did was necessary @mnathani Have you checked whether Windows Firewall is enabled and dropping packets? adding extra route statement etc 425 results found. Here's #265 Dec 19, 2013 16:43:30 requests are going through, but not being cached I dont think lol BryceBot / brycec You know what they say, if you use something 3 times, you should buy it/script it. Well, this was only twice but I'm proactive ;) Ugh - had some beans and rice (normally skipped) with my mexican dish for lunch now I'm in a carb crash fog :( forgotten how bad these are RandalSchwartz: yeah they suck yeah, rice tends to knock me on my ass too i think i'm gonna adjust my pf ruleset a bit - i got lazy and didn't define macros or anything so the rules are ugly as hell when done.. var=..\nvar=..\n\ntable..\ntable..\n\nmatch..\nmatch..\n\nblock..\npass..\n done! ;-) y'll are lazy oh i don't quite know how the y thing works i don't use macros with pf either y'all are lazy' well you get the idea I think... You need 2 or 3 separators it's a regex like any other oh ugh - this office has horrible "free" stuff in the kitchen. either sweetened beverages ("vitamin water", ugh), or decaffeinated teas. and all sorts of "hearthealthywholegrain" snacks it's sad how much I've found out that this stuff is all crap in the past 18 months (well not exactly a regex... 
it's a PCRE verb, with sed expression syntax) PCRE is a misnomer :) i like macros because it keeps things readable - granted, i'm likely the only one who will ever see it, it's still nice to keep it concise i do the same w/network hw configs on gear that actually supports macro type functionality (junos) hmm cloudflare aren't on coresite so best hope is for bgp collective to spread to equinix are there network issues atm I cant ping arpnetworks.com or my VPS weird traceroute? sec. I cannot ping arpnetworks.com http://pastebin.com/wZehQBW7 here is mtr I can ping 2.v.freedaemon.com (which is on the 1gbps ports) blame nlayer? traceroute is taking a while i can't resolve arpnetworks.com, weird oh wait yes i can 208.79.89.243 i'm on arpnetworks fine if anyone wants a traceroute in other direction vl5.s1.lax.arpnetworks.com is giving packet loss arpnetworks v6 is working, arpnetworks v4 is not for ns1 and ns2.arpnetworks.com ah just started responding ge0-arpnet.cust.lax07.mzima.net gives packet lsos too i wonder what happened its back now oh i never lost connectivity :) lsos! Also showing IPv4 loss from INSIDE ARP https://smokeping.cobryce.com/?target=ARP.ThisGW more accurately, packet loss on my own vlan to the router guessing router crash? nice but not for me are you on gigabit? Don't think so? could it be BIRD related? i'm not pinging the link address don't think so hardly anyone goes over any2ix on the new range i think it's probably nlayer fwiw I can ping arpnetworks.com and my VPS both. As far as I can tell from smokeping, there _was_ a brief outage but it's back up now. actually why would link address stop working then only likely cause, something unplugged or reset wow you have a lot of sites in smokeping :) About 250 probes i like the overlayed thing how much bandwidth does that use? 212 hosts to be precise overlayed... When there's a whole bunch of hosts on one graph? like for the IRC networks? yeah A surprising amount. 
Reportedly 6.71GB in the last 24 hours 20 ping every 60 seconds all that ICMP 212 sites mercutio: 500byte packet size too brycec: would you mind sharing your hosts file for smokeping? why are you doing 500 byte packet size i was going to ask that but he has some local stuff in it too mercutio: Because it's better than the default 5000 :P frguly isn't 500 err 5000 it's like 72 According to the docs it's 5000 where http://oss.oetiker.ch/smokeping/doc/smokeping_config.en.html oh wtf that's example value which isn't the default, but why are they suggesting that er http://oss.oetiker.ch/smokeping/probe/FPing.en.html i'd suggest trying 32 and see if graphs look basically the same You have in the past :P and identify issues just the same And if the docs don't say "default" but do say "example" what am I to assume? well i thought i'd do it again ikr They aren't the world's best docs :/ Change made just in time for 4pm on the dot hmm.. up_the_irons have you considered making graphs of transit links visible to users? Ah, 56 is the default. RTFS :/ hmm i wonder why i saw 72 then oh maybe it was 76 i think 56 doesn't include the IP header size of 20 bytes probably and actually it leaves it up to fping now that I read right just set it to 32 :) "Default is 56, as in ping." mercutio: 15:58:49 < brycec> Change made less load on the network oh you did But I like chewing up ~7GB/day heh ~2MB/minute, from 5 monitoring hosts thing is it's every destination network and the more people use larger packets etc the more people think it's a good idea to block icmp which is annoying I thought I'd dialed back the default to 10%, I was a Good Guy :p dumb docs some of the nlnog ring nodes seem to have stopped responding staticsafe: if you're talking about my graphs, some never started responding :P (hurricane, I'm looking at you...) 
ah I wanted to give them time to fix themselves :p your smokeping responds so slowly i dunno if it's cos it's swapping, or because you have so many hosts what do you mean? like clicking things is slow And no swapping oh maybe cos it's https I like the idea of the NLNOG ring me too (mmm first page load after I restart the fastcgi, now THAT is slow) mine are slower than they could be on arp cos not using fastcgi brycec: it was pretty quick for me via comcast fwiw it seems your pages take ~2.5 seconds to generate Thanks m0unds half a second or less for me it was 2.6 seconds from arp with curl weird time curl -v 'https://smokeping.cobryce.com/?target=Internet.NLNOGRING' > /dev/null is what i was doing it's a bit up and down, now it's 1.4 seconds from arp 2.47 to generate for me from arp? .947s for me from comcast in nm images only 250ms each haha mercutio: from my desk i just got a bad gateway error damnit who broke smokeping from nginx ahahahahah Sometimes the fastcgi crashes... hmm maybe it is cos too many people using it womp womp (And yes from nginx, because nginx is serving up the fastcgi) how many fastcgi processes does it run? 1100 mercutio: Just the one process, because just the one cgi Unless you're asking total on the system... In which case still just one. i think i have two yeh two running as www-data and one running as smokeping i wonder if that slows it down more for me cos i so far away oh images don't go via smokeping (graphs is showing a reduction in b/w woo) Yes. Those images are built on page load mercutio: not considered it i understand there may be some reluctance to up_the_irons: any idea what happened earlier? brycec: on v4 it would not be a router crash s1.lax#sh ver ... s1.lax uptime is 4 years, 51 weeks, 4 days, 4 hours, 33 minutes lol mercutio: no idea what chassis is that one? 
4500 cool dat uptime my vss pair (2x6509E) is at 3y49w2d5h37m nice :) yup, pretty solid our IS dept did a core upgrade to redundant 7009s - those have been horrible i think the longer you deal with IT the more you decide that everything is terrible 15 years in and i can't say i have that opinion at all really? some stuff is really bad, some stuff isn't as bad, some stuff is good yeah me either smtp, spam i've found some stuff to be very good oh right, but the conditions get worse and worse bugs get more obscure etc i suppose the problem with things like routers is traffic volume goes up and up right if 100 gigabit connections were standard it wouldn't be such an issue but they're new, and require new investment etc and heaps of "background" stuff to make it work i suppose one advantage of bandwidth going up over time is it's going to get harder and harder to sniff traffic Heh, exactly at 4pm, my usage drops considerably https://dl.dropboxusercontent.com/u/3167967/screenshot_2014-02-13_16-26-15.png do the graphs look the same? probably, yes yeh basically I don't have side-by-side 500vs32, but seems right although you'd havd a few outages to this tunnel huh? English please. there's gaps in your graphs yes when I restart smokeping Well 15:39 was the ARP outage i don't think it's that https://smokeping.cobryce.com/images/Internet/NLNOGRING/doruknet01ringnlnognetv4~vps1_last_3600.png it looks like what smokeping does when it can't keep up That's chunkhost though... those have always been shitty oh it doesn't say loss though I know are you doing dns lookups? For whatever reason, that slave just doesn't keep up some smokeping can have issues with graphs if it doesn't do all the hosts in the right time period Yeah I know and i've seen it happen due to partial issues with connectivity to some hosts, making dns timeout before it has logging it tells you when it can't keep up I only see logs when I start/stop weird are you using rrdcached? 
i was just checking my logs and saw some stuff from rrdcached Last I heard, smokeping doesn't support rrdcached yea it doesn't hmm maybe i was using that for cacti (I use rrdcached for munin stuffs though, but that's isolated) i got rid of munin entirely I just use zabbix now Ah that's why you wanted my configs staticsafe: there's nothing special or unique to my Targets config, it's just long i'd like to see a standard set of test sites myself brycec: yea, just want it to because I'm lazy :P sure I'll sanitize and toss it on sprunge.us ty mercutio: that's my dream with nlnog That I can use them as standard test sites ahh brycec: my config isn't even monitoring v6 atm well i have google, gmail facebook twitter slashdot, nytimes, anandtech bbc, guardian godaddy, ubuntu archive wikipedia, which is unacceptable which are some goodish sites to test but like guardian hops around ubuntu archive always give packet loss when there is a new release and hmm i didn't comma right at all so it can make sense to do from multiple sources, to check whether it's the destination site or an in general thing staticsafe: As requested http://sprunge.us/ZOhN brycec: ty It needs cleanup... I was inebriated at one point and forgot how Config::Grammar inherits heh config inheritance is my favorite thing nagios... (but it's actually parent/child inheritance) # Boy this is getting annoying. hehe it really was! heh so basically you're scraping scraping? referring to my regex? to get the destination sites As opposed to inventing sites? :P or did you manually do mirrors? yeh there's a lot of text The scraping was not automated looks like you're relying on dns too i wonder if fping can have a cache for dns and use prior data if it can't do a lookup mercutio: I'd copy from a webpage into my text editor, apply the regex to mold into target configs, and paste that into Targets mercutio: run a local resolver? mercutio: Yes, some sites don't have fixed IP's. 
staticsafe: you could still hit expiring ttls yep unless you use unbound with prefetch hmm which is fine (or are known to change their IP from time to time) you could still hit it though static: not if the site goes down the problem is you don't want to fping to wait forever for dns s/to// the problem is you don't want fping wait forever for dns oh i just wanted to kill the first one too bad :P so fping can lose all the results does it assume /g ? yes Because that's what PHP's preg_replace does looking at my traffic graphs and my machines are so idle :( heh you should host wikileaks mirror Is wikileaks still a "thing"? :p no idea mercutio: or a tor relay :P gah no not tor argh up_the_irons has stated that he drops you at the first abuse report weird my vm just spiked to 20kbit bandwidth Tor seems like an unnecessary risk it looks funny on the graph brycec: only exits get abuse reports not relays but then 20kbit isn't much true but i wouldn't run it on ARP anyways i average 2kbit/sec inbound and 1.68kbit/sec outbound seed some linux ISOs too I guess i suspect most vm users don't use much bandwidth agreed otherwise the ntp thing wouldn't have been as obvious it's probably like 10% of the users use 90% of the bandwidth kind of thing Another pfSense issue, I have 4 interfaces: WAN, LAN, OPT1 and OPT2 LAN and OPT1 can ping 8.8.8.8 but OPT2 can not identical firewall rules OPT2 can ping LAN and OPT1 though @mnathani mnathani: Have you checked whether Windows Firewall is enabled and dropping packets? 432 results found. Here's #204 Dec 06, 2013 21:22:38 Anyone know of a method to Auto-BCC a copy of all outgoing mail to a specific address from within the Gmail Web Interface? packet capture shows pings leaving, but no reply lol dont think 8.8.8.8 is behind a windows firewall lol though Suuuure opt1 and opt2 setup identically? routable subnets? 
yup And just for kicks, swap (assign) them and see what happens after swapping, the vm that could ping can no longer ping and the vm that could not ping can ping now Good Just wanted to confirm it wasn't something besides configuration and that the vm's were confi'd right would you reset pfsense interface assignments at this point If it didn't matter, I'd leave that and focus on the issue found it it had a gateway assigned to it that needed to be removed from within the pfsense interface awesome lol why would you set the gateway on the internal interface? :p "It made sense at the time" ... (Oh good, I just checked and the attempted DNS DOS on me subsided :D) whew, that was close http://1drv.ms/1c4utnA i had a live wasp crawling its way across the floor in my server room wasps are a "NOPE!" for me practically send me running haha, i captured it in a cup and took it outside this guy was super lethargic because of how cold it is in that room oh shit... I just discovered my carp backup's ntpd is open. damnit damnit. YOU'RE PART OF THE PROBLEM not according to monlist at least, a very tiny part haha someone in another channel said they had a supermicro board w/ntpd + monlist running on its ipmi interface lolol brycec: you mean it tells you the time? I mean it lists its recent peers, but it's a short list oh right all the open to monlist hosts got blocked even the ones with shorter lists I'm talking about a non-ARP system yeh on arp i mean (we were here yesterday when up_the_irons said he was gonna do it) i dunno if people trying to ddos differentiate oh right was that yesterday yea, or the day before the days all sort of blur together openntpd hasn't taken off as much as openssh did (pfSense has "pass in quick" rules to explicitly allow NTP access on all interfaces at the top :( grr) whoa, really? 
yep pfctl -sr http://sprunge.us/Vijb Ahahaha http://translate.google.com/#auto/en/%E8%87%AA%E5%8B%95%E3%82%A2%E3%82%AF%E3%82%BB%E3%82%B9%E3%81%AE%E5%A0%B4%E5%90%88%E3%81%AF%E3%80%81%E9%9B%BB%E5%AD%90%E3%83%A1%E3%83%BC%E3%83%AB%E3%82%92%20ntp-scan%40puck.nether.net%20%E3%81%B8%E3%81%8F%E3%81%A0%E3%81%95%E3%81%84 "For automatic access, please fart ntp-scan@puck.nether.net e-mail" Reviewing some tcpdumps, I see people trying to use my (correctly configured) router to NTP DDOS. Yay for it being setup properly at least wow, quite a bit in fact what can you do using the command line / ssh with pfSense that can't be done from the web interface? dd? :P well even that can be done from the web On account of Diagnostics->Command mnathani: I find it easier to dump pfctl info, run tcpdumps and other diag tools I guess I meant in terms of managing / configuring the firewall I leave all management and configuration to the web ui, unless I lock myself out. Since all changes get made to an XML config, best to leave it in the capable, tested, properly-formatting hands of the GUI Though I suppose watching pflog could count as managing what distro is it easiest to setup / resolve dependencies of smokeping? mnathani: Debian, I'd say At least for slaves... I just launch an VZ container, apt-get install --no-install-recommends smokeping ; service smokeping stop ; $EDITOR /etc/default/smokeping /etc/smokeping/secrets ; set permissions ; service start smokeping 19... 1000 packets dumped, 19 different "sources" brycec: thanks np also, wtf my VPS load spiked to 33 christ on a cracker 00:20:50 up 6 days, 8:50, 1 user, load average: 0.00, 0.00, 0.00 00:21:09 up 17 days, 0 min, 1 user, load average: 0.08, 0.10, 0.07 my 2 ARP VPSen @uptime host host uptime: 140 days, 22 hours, 35 minutes, and 48.429999999702 seconds. My one (and loadavg is settling back to the .2 range brycec: so much more bw you doing an hour with smaller ping size? 
mercutio: Funny you should ask, I was just looking at that https://dl.dropboxusercontent.com/u/3167967/screenshot_2014-02-13_21-31-44.png You can clearly see when I added a bunch of hosts with size=500, and when I dropped that back down you're probably still doing a lot of pps were you at defaults prior? i didn't quite get that whether you'd shifted to 500 byte packets today or ages ago there are still gaps i don't think fping does have a way to cache dns lookups you can use ps to find out what command line it's calling and cut and paste the fping and do one ping, to figure out long it's waiting on dns but would need to do it during some kind of outage to know for sure how much it impacting comcast.net if you ping that has dns ttl of 30 seconds for instance so isn't likely to be cached between polls