[01:51] *** dwarren has quit IRC (Read error: Connection reset by peer) [04:02] *** toeshred has quit IRC (Ping timeout: 265 seconds) [04:02] *** toeshred has joined #arpnetworks [04:09] *** jbergstroem has quit IRC (Ping timeout: 250 seconds) [04:09] *** jbergstroem has joined #arpnetworks [04:13] *** mjp has quit IRC (Read error: Connection reset by peer) [04:15] *** carvite_ has joined #arpnetworks [04:19] *** mjp has joined #arpnetworks [04:20] *** jpalmer has quit IRC (*.net *.split) [04:20] *** twobithacker has quit IRC (*.net *.split) [04:20] *** sjackso has quit IRC (*.net *.split) [04:20] *** Hien_ has quit IRC (*.net *.split) [04:20] *** carvite has quit IRC (*.net *.split) [04:21] *** carvite_ has quit IRC (Changing host) [04:21] *** carvite_ has joined #arpnetworks [04:21] *** carvite_ is now known as carvite [04:21] *** jpalmer has joined #arpnetworks [04:21] *** twobithacker has joined #arpnetworks [04:21] *** sjackso has joined #arpnetworks [04:21] *** Hien_ has joined #arpnetworks [04:37] *** dj_goku_ has quit IRC (Read error: Connection reset by peer) [04:37] *** dj_goku has joined #arpnetworks [04:52] *** dwarren has joined #arpnetworks [09:00] *** SpeedBus has quit IRC (Ping timeout: 245 seconds) [09:01] *** SpeedBus has joined #arpnetworks [12:23] *** mnathani has quit IRC (Ping timeout: 264 seconds) [12:26] *** mnathani has joined #arpnetworks [13:31] *** dj_goku_ has joined #arpnetworks [13:31] *** dj_goku has quit IRC (Read error: No route to host) [13:42] *** dj_goku_ has quit IRC (Read error: Connection reset by peer) [13:47] *** dj_goku has joined #arpnetworks [13:47] *** dj_goku has quit IRC (Changing host) [13:47] *** dj_goku has joined #arpnetworks [14:12] *** qbit has quit IRC (Quit: leaving) [14:44] *** qbit has joined #arpnetworks [14:45] *** qbit is now known as Guest28144 [14:47] *** Guest28144 is now known as qbit [15:27] does anyone know of an ipv6 netmask validator? [15:27] ie to make sure you're not screwing up syntax. [15:34] mercutio: like http://www.gestioip.net/cgi-bin/subnet_calculator.cgi ? [15:43] ahh yeah like that [15:44] it's not quite as nice as the netmask command i usually use for ipv4 just to check :) [15:44] in the end i used openbgpd to validate it :) [15:44] it was simply the first google result for "ipcalc ipv6" :P (Also, I've used their IP address management stuff before) [15:44] the extra :: etc gets confusing. [15:44] there's an extra :: ? [15:45] it /loked/ right [15:45] Shouldn't there be at most 1 [15:45] nah [15:45] shortened form. [15:45] this is a /127 that i'm doing. [15:45] Right. In shortened form there can only be 1 instance of :: [15:45] yeah [15:45] there only is one [15:45] So where's the extra? [15:45] well over ipv4 it's "extra" [15:46] ah [15:47] i just get paranoid of making mistakes so like to check [15:49] That's fine. i was just confused by "the extra ::" (because to me, there's 1, and any more are extra. I don't compare it to ipv4) [15:49] *** medum has joined #arpnetworks [15:56] Yeah, I'm still kind of rusty on IPV6. [15:58] i'd be fine if it only went up to /32 :) [15:58] but the long addresses by sight still are a bit.. disorientating. [16:00] apparently someone had asked about netmask gaining ipv6 support in 2000. [16:00] and someone asked for an update last year. [16:01] it's a pretty nifty program for ipv4.. you can just do things like netmask -r 192.168.13.76/29 [16:01] or such [16:01] and it'll show you the range of ip addresses that covers. [16:01] ipcalc does the same thing [16:01] oh [16:01] And has seen an update more recently than 5 years ago [16:01] with ipv6 support? [16:01] no idea offhand [16:02] Looks like no, at least on my install [16:02] the help doesn't suggest ipv6 [16:02] well ipv4 hasn't changed, so don't relaly need updates. [16:03] looks like sipcalc has superseded ipcalc and supports ipv6 [16:03] sipcalc sounds like it might [16:03] haha [16:03] (yep, confirmed ipv6 in sipcalc) [16:04] sweet, this looks good [16:04] yeah [16:04] i tried it. [16:54] *** RandalSchwartz has joined #arpnetworks [16:54] anyone up for a ZFS question? [16:55] yeah sure [16:55] so... I use send/recv to clone a snapshot from zroot to pool/zroot (on a different disk) [16:55] what steps do I have to take to make it boot off the second disk, and mount pool/zroot as / [16:56] oh i haven't done much with freebsd zfs root [16:56] something in bootconf? [16:56] but i think as long as the bootloader understands it shoudl be find [16:56] you probably have to use zfs set mountpoint=/ on it [16:56] vfs.root.mountfrom="zfs:zroot" [16:57] probably need to edit that too [16:57] https://wiki.freebsd.org/RootOnZFS [16:57] hmm [16:57] do I need to promote the snapshot so it becomes the live fs [16:57] I haven't done that before [16:57] you'll need to clone the snapshot [16:57] so usually you make a snapshot on the sender, set the receiver to readonly [16:57] yes... the tool does that [16:57] zxfer [16:57] and keep updating the snapshot on the receiver using diffs, then when you wnat to promote it, you clone frmo the snapshot to a real file system [16:58] ahh. clone... that was the word I was missing I guess [16:58] it sounds like freebsd doesn't use the zfs automount stuff [16:58] and uses /etc/fstab instead. [16:58] and that vfs.root.mountfrom is probably what you want. [16:59] yeah so you can take any snapshot, create a clone from it, and access it like a normal filesystem. [17:00] Hmm. Maybe I should rehearse this in a VM. :) [17:01] seems like a good idea [17:01] and the selected boot drive is out-of-band right? [17:02] this is a dedi system at arp [17:02] i'm not sure [17:02] ok [17:03] i would just split the boot pool from the data pool. [17:03] and just haev a fully functional second pool [17:03] on another machine [17:03] too late for that. :) [17:04] heh [17:04] we're trying to migrate from hard to ssd [17:04] yeah. [17:04] currently mirror hard... using zxfer to push data over. that worked well. [17:04] without doing another install [17:04] how big is your root [17:04] that's personal! [17:04] you can mirror to ssd if it's big enough [17:05] so mirror hard-disk to ssd [17:05] can't set up mirror after the fact [17:05] you can [17:05] already have mirror hard1 hard2 [17:05] if it's small enough existing [17:05] you can unmirror [17:06] or just remove drive / fail it [17:06] hards are 768, ssd is 512 [17:06] so it wouldn't accept the mirror [17:06] i had to do that when migrating my zfs array at home [17:06] yeah [17:06] so I have to resort to this send/recv dance [17:06] all for about 100G of data. :) [17:06] i'd normally opt for another system install [17:06] on a second machine [17:07] "if I put it in a jail..." [17:07] but that's why i don't migrate from hard-disk to ssd [17:07] yeah if you'd made your root smaller.. [17:07] hard to do that now :) [17:07] when you do your ssd short stroke it [17:07] you can always expand it later. [17:07] interesting thought [17:08] it's a good habit to be in if you're using much less data [17:08] so like with a 512gb ssd, with 100gb of data you may decide to only do 200gb on each drive [17:08] but leave partition space there [17:09] hmm. looks like you *can* "mirror down" [17:09] ... https://blogs.oracle.com/mock/entry/how_to_shrink_a_mirrored [17:11] yeah. [17:11] oh [17:11] i don't know if you can [17:11] i think that was added after the fork. [17:11] ugh [17:12] i've been finding with ssd's raidz works better than mirrored. [17:12] says blog entry 2010 [17:12] but I'd need 3 ssds then [17:12] you've got so many iops, and write speed goes up. [17:12] yeah. [17:12] we've been in this conversation before :) [17:12] oh [17:12] Oh, I could split each ssd into two [17:12] oh yeah you can't have more than 2. [17:12] and make it a 4-way raidz [17:13] uhh [17:13] or 3 with a spair [17:13] spare [17:13] that wouldn't give you redundancy [17:13] oh - because ssd fail is taking two drives at once [17:14] and double fail is bad [17:14] anyway, with linux i've found it really easy to migrate. [17:14] i don't actually think it'll be that complicated. [17:14] i would check out the freebsd zfs root documentation for before it was in the installer. [17:14] s/for/from/ [17:14] i would check out the freebsd zfs root documentation from befrome it was in the installer. [17:14] haha [17:15] i didn't have /g [17:15] i think there's just two key components, the bootloader, and the initial config as it comes up [17:17] yeah, the latter being /boot/loader.conf [17:17] or something like that [17:17] where I found the zfs:zpool thing [17:21] https://calomel.org/zfs_freebsd_root_install.html [17:21] does this help? [17:21] that site is terrible [17:22] hmm zfs set bootfs? [17:22] https://wiki.freebsd.org/RootOnZFS/GPTZFSBoot/9.0-RELEASE [17:22] this may be better [17:30] better in what sense [17:30] ahh.. that's the one I have bookmarked. [17:31] ok [17:31] ok - gonna wander into ##freebsd to see if they know what I need [17:32] good idea [18:50] sipcalc 0.0.0.0/0 >> Addresses in network - 4294967295 [18:51] Usable range - 0.0.0.1 - 255.255.255.254 [18:56] Checks out by my math. [19:53] I wonder how many bytes it would take to store a compressed text file containing one ipv6 address per line and do that for all possible ipv6 addresses [20:04] a lot [20:04] oh compressed. [20:05] there's actually special compression algorithams for things like that [20:13] or do you mean human readable compression? [20:36] ip addresses are predictableish [20:38] which reminds me, http://blog.edgecast.com/post/110230974176/being-good-stewards-of-the-internet [20:38] and until now i still dont understand how to use the sipcalc even with lots of reading. [20:38] Stupid is always stupid i guess. [20:38] anisfarhana: sipcalc 192.168.13.13/29 will show something like [20:39] etwork range - 192.168.13.8 - 192.168.13.15 [20:39] Usable range - 192.168.13.9 - 192.168.13.14 [20:39] so if you have a /29 subnet that you want to place, you can figure out where a nice multiple of 8 is [20:39] you can always do it on your own too. [20:40] curiously it doesn't seem to like legacy subnets. netmask does. [20:40] err legacy netmasks [20:41] Yes i actually know that part. [20:41] As i u always use sipcalc to trace out youtube ip address blocks. [20:42] and blocked it in firewall until many of staff at office complained they are not able to use Google. [20:43] youtube is probably easier to block in dns. [20:44] and you can block alternative dns providers. [20:44] it shares infrastructure too close to google search. [20:47] Interesting... [20:48] So what you just said, https for youtube counts too? [20:48] I have no problem blocking youtube.com [20:48] But i do have problem to block https://www.youtube.com [20:49] http or https can be blocked just by dns [20:49] unless anyone knows the ip addresses to go to [20:49] And now even worst, our staff use Google Chrome and it use HTML5 player for youtube. [20:49] what dns cache are you using? [20:50] I do blocked youtube by using squid too, the mime for *media player* [20:50] * anisfarhana blinks [20:50] that wont' help https unless you force people to use proxy [20:50] *** brycec is now known as regex [20:50] mercutio: Can you simplify your question again? [20:50] *** regex is now known as brycec [20:50] I am not RandalSchwartz :P [20:51] Well, I use tranparent proxy at office though [20:52] are you using unbound or bind or dnsmasq or what as a local resolver? [20:52] transparent proxies don't work with https [20:52] Okey..I dont know what to say now. [20:52] Your question is just..very geeky to me. [20:52] *** pyvpx has quit IRC (Remote host closed the connection) [20:53] well in /etc/resolv.conf.. there's a nameserver... do you have your own local one? [20:53] or are you just using your isp's resolver? [20:53] It's a geeky channel... [20:53] But i use squid in firewall. Firewall ---> proxy server (local ip address) ---> Internet [20:53] I am using Google DNS. [20:53] do you have a cache in front of that? [20:54] or do you just hand out google dns to desktops? [20:55] Desktop --> DHCP server (use google dns) ---> Firewall (also google dns) [20:55] does the dhcp server have local dns cache? [20:55] like dnsmasq can do dns as well as dhcp [20:55] It is just normal dhcp server in wondows. [20:55] isc dhcp server doesn't. [20:55] oh [20:55] in other words, a "dns forwarder" [20:55] Open the range for each VLANs. [20:55] windows :/ [20:56] do you run squid on windows? [20:56] That is only i know to setup dhcp server. [20:56] Debian [20:56] dnsmasq is pretty easy [20:56] I use ipcop for firewall. [20:56] and does dns too [20:56] and makes it easy to point domain names somewhere else [20:56] whoa, ipcop? haven't heard that name in years [20:56] and it publishes dhcp names to dns. [20:57] Interesting... [20:57] ipcop? [20:57] did i miss osmethingZ? [20:57] err something [20:57] m0unds: It works, I have at least 4 ipcops running like charm now. [20:57] anisfarhana: is it still actively developed? i had no idea it was still around [20:57] Why bother with those expensive appliance while ipcop can do that? [20:57] cos there's pfsense now? :") [20:57] m0unds: afaik yes sir. [20:58] because there's better AND free [20:58] mercutio: ++ [20:58] Also m0n0wall [20:58] Its not about free, why you wanna spend lots of money while you can use opensource for the same mission? [20:58] anisfarhana: he was just saying there are better alternatives that are also free. [20:58] Better use that money and donate to people like mercutio here. [20:59] m0n0wall and pfSense are both free, open-source, etc [20:59] yea, i compared ipcop to m0n0wall in 03 or so, and decided on m0n0wall because i liked bsd better [20:59] Ah yes..well..again..sorry if i said anything wrong. my engrish is not good. [21:00] ran it on an old hp proliant server until i couldn't bear the noise anymore and built something newer (in like 04 or 05) [21:00] mercutio: I am googling about dnsmasq atm [21:00] i used to use an old openbsd box as a router [21:00] I ran m0n0wall for years, both at home and for work. Then there came pfSense and I used that at home and work, and still do use it at home. (Before m0n0wall, I used ipcop too) [21:01] at home, with like 16mb of ram [21:01] I wish i can flirt with those ipcops dev [21:01] lol [21:01] it looks like ipcop is still in development. [21:02] Yes it is :) [21:02] I am glad the ipcop is still alive.. [21:03] And founder of #ipcop channel usually here, don't see him recently. [21:04] mercutio: Ohhh dnsmasq + dhcp together in 1 place. [21:05] yeah it does dns and dhcp [21:05] simple config [21:05] I think dnsmasq is something like dns + AD server for windows? [21:05] has a few nice things like being able to just stick extra dns names in /etc/hosts. [21:05] i reckon for small setups it's the simplest/easiest solution [21:06] and dnsmasq actually can *block* any website i want, even on https? [21:06] it can block the dns name to ip mapping [21:06] And it's easy to configure it to deny any DNS request matching a domain, such as blocking youtube.com [21:06] or renumber it [21:06] ^ Which is how we got to this point. [21:06] Sigh [21:06] i'd recommend renumbering it to an ip with a web server on it that says it's blocked. [21:07] I do aware about dnsmasq before, but i don't bother to find out what it is. [21:07] Does a person like me can configure / setup it? [21:07] yes. [21:08] if you can configure squid you can configure dnsmasq. [21:08] With no stress, less downtime, and no overnight at office? [21:08] I don't configure squid myself 100% [21:08] well the biggest complication is if you have a mix or static and dhcp addresses on the same subnet [21:08] Errr engrish error again. [21:08] and just making sure you don't clash new ip address allocations over the top of existing static allocations. [21:09] I don't configure the squid server 100% before, somebody help me for it. [21:09] well the only way to learn is by doing [21:09] maybe configure it at home first? [21:09] i'm using it at home myself. [21:10] I do have spare machine at office, at least with 1 public ip address on it. [21:10] dhcp is disruptive :) [21:10] I was too, as part of pfSense (but have just switched to Unbound) [21:10] If i have mix/static/dhcp addresses on the same subnet? [21:11] https://wiki.debian.org/HowTo/dnsmasq [21:11] this looks like a way to say the important things easy [21:11] Ok by looking at the url given, I need another server for that. [21:11] just run it on your squid server [21:12] you could setup dns first [21:12] But squid server is more to front end. [21:12] and setup your dhcp server to give out the dns cache's ip. [21:12] current windows server that i use for dhcp server, able to do that? [21:13] should be able to [21:13] Ok thats great. [21:13] i've never done dhcp on windows. [21:13] It is easy. [21:13] That is why i use it. [21:14] http://forums.petri.com/showthread.php?t=55350 [21:14] I will use any OS that could give more easy solution based on my minimal knowledge. [21:15] Wow [21:15] Interesting. [21:16] I believe 006 DNS Servers i put for the windows box at office is 8.8.8.8/8.8.4.4 [21:16] So basically, just replace that google dns, to my dnsmasq? [21:16] yeah [21:17] and then dnsmasq can use 8.8.8.8/8.8.4.4 [21:17] although i'd recommend not using google dns primary and secondary. [21:17] the chances of both going down at once is increased. [21:17] and google dns's performance can be kind of variable. i don't know what it's like there. [21:18] It is good so far. [21:18] i'm assuming google's dns is in singapore. [21:18] but i think they send their requests from taiwan or soemthing [21:18] Many people use gDNS to run away from blocked website by our gov. [21:18] heh [21:18] opendns may be another option [21:19] or ultradns [21:19] Slow. [21:19] Based on ping compared to gdns [21:19] you can set dnsmasq to query multiple dns in parallel [21:19] and take the first answer it gets. [21:19] ping isn't everything [21:19] google ping is like 24 msec from here [21:19] Yes this dnsmasq is interesting [21:19] but it's more than 24msec slower on average. [21:20] there's a cool program called namebench which lets you benchmark dns servers. [21:20] the problem with google here is that even though the server is close, all the requests come from ages away. [21:20] I am aware of that. namebench even recommended to use gdns before. [21:20] hmm [21:21] But that is less important. [21:21] The more important thing is, how to fight our staff at office. [21:22] mercutio: Can i trial and error do the dnsmaqs by using the vps first? and change one of DHCP ip range at office, point it to the public vps? [21:23] don't run dnsmasq on vpos [21:23] vps [21:24] Even for testing purposes? [21:24] well i mean you can, but you'd have to be very careful with firewalling it. [21:24] Firewalling the vps or ? [21:24] you really don't want to run an open dns. [21:24] if you're behind a firewall it's safer. [21:24] yeah [21:25] unbound is better for acl support [21:25] Well, i always can format the vps after that with 1 single click only. [21:25] and not being open [21:25] well it's more there are constant dns attacks happenign these days [21:26] and evn if you shut it off they'll continue [21:26] so if you have open dns for 5 minutes [21:26] and they find it [21:26] Martial arts? "The more important thing is, how to fight our staff at office." [21:26] you'll get 24 hours or something of dns attacks [21:26] i dunno how long it is exactly [21:26] probably longer [21:26] That's what she said!! [21:27] I am wondering why some people outside want to *attack* me for that. [21:27] it's dns amplification attacks [21:27] basically they query a really long record from you with a fake ip address of who they want to attack [21:27] and you send a much bigger response than you receive [21:28] so like if you type host -t any google.com [21:28] you'll get a big long response [21:28] but it's a pretty short query [21:28] so they send to you at 50 megabit [21:28] Well, i do have you to strike back. I can get brycec support if needed. [21:28] and you respond with 200 megabit [21:29] What? don't involve me [21:29] well what i'm saying is that if you're open at all they can keep hitting you [21:29] and so be careful to block port 53 on firewall [21:29] before even trying such software. [21:29] b ut it's probably easier to do it on a lan behind firewall [21:30] Through bugs/security holes, attackers can "hijack" your server (dns and ntp are popular choices) to DDOS a third target. it's not personal, anisfarhana [21:30] brycec: "Never run from the battlefield without fighting" - anisfarhana [21:30] Except the Internet is all about defense [21:31] mercutio: Then i must try it over the weekend. [21:31] brycec / mercutio : I was kidding though about the strike back. [21:32] anisfarhana: the thing is if you're open for even a moment when they're checking for open relays [21:32] mercutio: Installing dnsmasq on live server (squid server) is quite risky. [21:32] they'll send attack traffic your way later and you can't stop it [21:32] and they don't know it's not still open [21:32] because they're pretending to be their victim's ip. [21:32] yeah thats' why i said do it at home [21:32] if you're behind nat with no dmz with no internet ip it's safer. [21:33] But the *network setup* is not same like in office. [21:33] with ferm you can have something like: proto tcp dport 53 REJECT; [21:33] proto udp dport 53 REJECT; [21:33] i thought you just wanted to test youtube blocking? [21:33] You are telling about blocking port 53, I even don't know whether i do block 53 or not at office right now. [21:33] Duhhh [21:33] I can feel the stress now. [21:34] maybe just use unbound. [21:34] mercutio: Sir, maybe i should explain to you first about the current network topology at my office. [21:35] local-zone: "youtube.com" redirect [21:35] local-data: "youtube.com A 127.0.0.1" [21:35] you should be able to have something ilke that in unbound. [21:35] mercutio: ++ [21:35] Maybe something can make this dnsmaqs not working on current network setup. [21:36] mercutio: How about VM a linux in that windows dhcp server? [21:36] with unbound you have acl's like: access-control: 127.0.0.0/8 allow [21:36] well if you're happy with your current dhcp server, then unbound may be the easier way to go [21:37] and dnsmasq will not interfere with our current firewall + squid? [21:37] and then you can stick it on the squid box [21:38] If i am brave enough to take a risk on it. [21:38] Otherwise, i will use spare machine first for it. [21:38] well doing dhcp as well is more disruptive than just dns. [21:38] I am happy so far with my dhcp current dhcp server, its about 5 years now and still running like charm. [21:39]