does anyone know of an ipv6 netmask validator? ie to make sure you're not screwing up syntax.
mercutio: like http://www.gestioip.net/cgi-bin/subnet_calculator.cgi ?
ahh yeah like that
it's not quite as nice as the netmask command i usually use for ipv4 just to check :)
in the end i used openbgpd to validate it :)
it was simply the first google result for "ipcalc ipv6" :P
(Also, I've used their IP address management stuff before)
the extra :: etc gets confusing.
there's an extra :: ?
it /looked/ right
Shouldn't there be at most 1
nah shortened form.
this is a /127 that i'm doing.
Right. In shortened form there can only be 1 instance of ::
yeah there only is one
So where's the extra?
well over ipv4 it's "extra"
ah
i just get paranoid of making mistakes so like to check
That's fine. i was just confused by "the extra ::" (because to me, there's 1, and any more are extra. I don't compare it to ipv4)
Yeah, I'm still kind of rusty on IPV6.
i'd be fine if it only went up to /32 :)
but the long addresses by sight still are a bit.. disorientating.
apparently someone had asked about netmask gaining ipv6 support in 2000.
and someone asked for an update last year.
it's a pretty nifty program for ipv4.. you can just do things like netmask -r 192.168.13.76/29 or such and it'll show you the range of ip addresses that covers.
ipcalc does the same thing
oh
And has seen an update more recently than 5 years ago with ipv6 support?
no idea offhand
Looks like no, at least on my install the help doesn't suggest ipv6
well ipv4 hasn't changed, so don't really need updates.
looks like sipcalc has superseded ipcalc and supports ipv6
sipcalc sounds like it might haha
(yep, confirmed ipv6 in sipcalc)
sweet, this looks good
yeah i tried it.
anyone up for a ZFS question?
yeah sure
so...
I use send/recv to clone a snapshot from zroot to pool/zroot (on a different disk)
what steps do I have to take to make it boot off the second disk, and mount pool/zroot as /
oh i haven't done much with freebsd zfs root
something in bootconf?
but i think as long as the bootloader understands it should be fine
you probably have to use zfs set mountpoint=/ on it
vfs.root.mountfrom="zfs:zroot" probably need to edit that too
https://wiki.freebsd.org/RootOnZFS
hmm do I need to promote the snapshot so it becomes the live fs
I haven't done that before
you'll need to clone the snapshot
so usually you make a snapshot on the sender, set the receiver to readonly
yes... the tool does that
zxfer
and keep updating the snapshot on the receiver using diffs, then when you want to promote it, you clone from the snapshot to a real file system
ahh. clone... that was the word I was missing I guess
it sounds like freebsd doesn't use the zfs automount stuff and uses /etc/fstab instead. and that vfs.root.mountfrom is probably what you want.
yeah so you can take any snapshot, create a clone from it, and access it like a normal filesystem.
Hmm. Maybe I should rehearse this in a VM. :)
seems like a good idea
and the selected boot drive is out-of-band right?
this is a dedi system at arp
i'm not sure
ok
i would just split the boot pool from the data pool.
and just have a fully functional second pool on another machine
too late for that. :)
heh
we're trying to migrate from hard to ssd
yeah.
currently mirror hard... using zxfer to push data over. that worked well.
without doing another install
how big is your root
that's personal!
you can mirror to ssd if it's big enough
so mirror hard-disk to ssd
can't set up mirror after the fact
you can
already have mirror hard1 hard2
if it's small enough
existing
you can unmirror
or just remove drive / fail it
hards are 768, ssd is 512 so it wouldn't accept the mirror
i had to do that when migrating my zfs array at home
yeah so I have to resort to this send/recv dance all for about 100G of data. :)
i'd normally opt for another system install on a second machine
"if I put it in a jail..."
but that's why i don't migrate from hard-disk to ssd
yeah if you'd made your root smaller..
hard to do that now :)
when you do your ssd short stroke it
you can always expand it later.
interesting thought
it's a good habit to be in if you're using much less data
so like with a 512gb ssd, with 100gb of data you may decide to only do 200gb on each drive but leave partition space there
hmm. looks like you *can* "mirror down" ... https://blogs.oracle.com/mock/entry/how_to_shrink_a_mirrored
yeah.
oh i don't know if you can
i think that was added after the fork.
ugh
i've been finding with ssd's raidz works better than mirrored.
says blog entry 2010
but I'd need 3 ssds then
you've got so many iops, and write speed goes up.
yeah.
we've been in this conversation before :)
oh
Oh, I could split each ssd into two
oh yeah you can't have more than 2.
and make it a 4-way raidz
uhh
or 3 with a spair
spare
that wouldn't give you redundancy
oh - because ssd fail is taking two drives at once
and double fail is bad
anyway, with linux i've found it really easy to migrate.
i don't actually think it'll be that complicated.
i would check out the freebsd zfs root documentation for before it was in the installer.
s/for/from/
i would check out the freebsd zfs root documentation from before it was in the installer.
haha i didn't have /g
i think there's just two key components, the bootloader, and the initial config as it comes up
yeah, the latter being /boot/loader.conf or something like that where I found the zfs:zpool thing
https://calomel.org/zfs_freebsd_root_install.html does this help?
that site is terrible
hmm zfs set bootfs?
https://wiki.freebsd.org/RootOnZFS/GPTZFSBoot/9.0-RELEASE this may be better
better in what sense
ahh.. that's the one I have bookmarked. ok
ok - gonna wander into ##freebsd to see if they know what I need
good idea
sipcalc 0.0.0.0/0 >> Addresses in network - 4294967295 Usable range - 0.0.0.1 - 255.255.255.254
Checks out by my math.
I wonder how many bytes it would take to store a compressed text file containing one ipv6 address per line and do that for all possible ipv6 addresses
a lot
oh compressed.
there's actually special compression algorithms for things like that
or do you mean human readable compression?
ip addresses are predictableish
which reminds me, http://blog.edgecast.com/post/110230974176/being-good-stewards-of-the-internet
and until now i still dont understand how to use the sipcalc even with lots of reading. Stupid is always stupid i guess.
anisfarhana: sipcalc 192.168.13.13/29 will show something like Network range - 192.168.13.8 - 192.168.13.15 Usable range - 192.168.13.9 - 192.168.13.14
so if you have a /29 subnet that you want to place, you can figure out where a nice multiple of 8 is
you can always do it on your own too.
curiously it doesn't seem to like legacy subnets. netmask does.
err legacy netmasks
Yes i actually know that part. As i always use sipcalc to trace out youtube ip address blocks. and blocked it in firewall until many of staff at office complained they are not able to use Google.
youtube is probably easier to block in dns.
and you can block alternative dns providers.
it shares infrastructure too close to google search.
Interesting... So what you just said, https for youtube counts too?
I have no problem blocking youtube.com
But i do have problem to block https://www.youtube.com
http or https can be blocked just by dns
unless anyone knows the ip addresses to go to
And now even worse, our staff use Google Chrome and it uses the HTML5 player for youtube.
what dns cache are you using?
I did block youtube by using squid too, the mime for *media player*
that won't help https unless you force people to use proxy
mercutio: Can you simplify your question again? I am not RandalSchwartz :P
Well, I use transparent proxy at office though
are you using unbound or bind or dnsmasq or what as a local resolver?
transparent proxies don't work with https
Okey..I dont know what to say now. Your question is just..very geeky to me.
well in /etc/resolv.conf.. there's a nameserver... do you have your own local one? or are you just using your isp's resolver?
It's a geeky channel...
But i use squid in firewall.
Firewall ---> proxy server (local ip address) ---> Internet
I am using Google DNS.
do you have a cache in front of that?
or do you just hand out google dns to desktops?
Desktop --> DHCP server (use google dns) ---> Firewall (also google dns)
does the dhcp server have local dns cache?
like dnsmasq can do dns as well as dhcp
It is just normal dhcp server in windows.
isc dhcp server doesn't.
oh
in other words, a "dns forwarder"
Open the range for each VLANs.
windows :/
do you run squid on windows?
That is the only way i know to setup dhcp server.
Debian
dnsmasq is pretty easy
I use ipcop for firewall.
and does dns too
and makes it easy to point domain names somewhere else
whoa, ipcop? haven't heard that name in years
and it publishes dhcp names to dns.
Interesting... ipcop?
did i miss osmethingZ?
err something
m0unds: It works, I have at least 4 ipcops running like charm now.
anisfarhana: is it still actively developed? i had no idea it was still around
Why bother with those expensive appliances while ipcop can do that?
cos there's pfsense now? :")
m0unds: afaik yes sir.
because there's better AND free
mercutio: ++
Also m0n0wall
It's not about free, why you wanna spend lots of money while you can use opensource for the same mission?
anisfarhana: he was just saying there are better alternatives that are also free.
Better use that money and donate to people like mercutio here.
m0n0wall and pfSense are both free, open-source, etc
yea, i compared ipcop to m0n0wall in 03 or so, and decided on m0n0wall because i liked bsd better
Ah yes..well..again..sorry if i said anything wrong. my engrish is not good.
ran it on an old hp proliant server until i couldn't bear the noise anymore and built something newer (in like 04 or 05)
mercutio: I am googling about dnsmasq atm
i used to use an old openbsd box as a router
I ran m0n0wall for years, both at home and for work. Then there came pfSense and I used that at home and work, and still do use it at home. (Before m0n0wall, I used ipcop too)
at home, with like 16mb of ram
I wish i can flirt with those ipcop devs lol
it looks like ipcop is still in development.
Yes it is :)
I am glad the ipcop is still alive.. And the founder of #ipcop channel is usually here, don't see him recently.
mercutio: Ohhh dnsmasq + dhcp together in 1 place.
yeah it does dns and dhcp
simple config
I think dnsmasq is something like dns + AD server for windows?
has a few nice things like being able to just stick extra dns names in /etc/hosts.
i reckon for small setups it's the simplest/easiest solution
and dnsmasq actually can *block* any website i want, even on https?
it can block the dns name to ip mapping
And it's easy to configure it to deny any DNS request matching a domain, such as blocking youtube.com
or renumber it
^ Which is how we got to this point. Sigh
i'd recommend renumbering it to an ip with a web server on it that says it's blocked.
I was aware about dnsmasq before, but i didn't bother to find out what it is. Can a person like me configure / setup it?
yes. if you can configure squid you can configure dnsmasq.
With no stress, less downtime, and no overnight at office?
I don't configure squid myself 100%
well the biggest complication is if you have a mix of static and dhcp addresses on the same subnet
Errr engrish error again.
and just making sure you don't clash new ip address allocations over the top of existing static allocations.
I didn't configure the squid server 100% before, somebody helped me with it.
well the only way to learn is by doing
maybe configure it at home first?
i'm using it at home myself.
I do have a spare machine at office, at least with 1 public ip address on it.
dhcp is disruptive :)
I was too, as part of pfSense (but have just switched to Unbound)
If i have mix/static/dhcp addresses on the same subnet?
https://wiki.debian.org/HowTo/dnsmasq this looks like a way to say the important things easy
Ok by looking at the url given, I need another server for that.
just run it on your squid server
you could setup dns first
But squid server is more to front end.
and setup your dhcp server to give out the dns cache's ip.
current windows server that i use for dhcp server, able to do that?
should be able to
Ok that's great.
i've never done dhcp on windows.
It is easy. That is why i use it.
http://forums.petri.com/showthread.php?t=55350
I will use any OS that could give an easier solution based on my minimal knowledge.
Wow Interesting. I believe 006 DNS Servers i put for the windows box at office is 8.8.8.8/8.8.4.4
So basically, just replace that google dns, to my dnsmasq?
yeah
and then dnsmasq can use 8.8.8.8/8.8.4.4
although i'd recommend not using google dns primary and secondary.
the chances of both going down at once is increased.
and google dns's performance can be kind of variable.
i don't know what it's like there.
It is good so far.
i'm assuming google's dns is in singapore.
but i think they send their requests from taiwan or something
Many people use gDNS to run away from websites blocked by our gov.
heh
opendns may be another option
or ultradns
Slow.
Based on ping compared to gdns
you can set dnsmasq to query multiple dns in parallel and take the first answer it gets.
ping isn't everything
google ping is like 24 msec from here
Yes this dnsmasq is interesting
but it's more than 24msec slower on average.
there's a cool program called namebench which lets you benchmark dns servers.
the problem with google here is that even though the server is close, all the requests come from ages away.
I am aware of that. namebench even recommended to use gdns before.
hmm
But that is less important. The more important thing is, how to fight our staff at office.
mercutio: Can i trial and error the dnsmasq by using the vps first? and change one of the DHCP ip ranges at office, point it to the public vps?
don't run dnsmasq on vpos
vps
Even for testing purposes?
well i mean you can, but you'd have to be very careful with firewalling it.
Firewalling the vps or ?
you really don't want to run an open dns.
if you're behind a firewall it's safer.
yeah unbound is better for acl support
Well, i always can format the vps after that with 1 single click only.
and not being open
well it's more there are constant dns attacks happening these days
and even if you shut it off they'll continue
so if you have open dns for 5 minutes and they find it
Martial arts? "The more important thing is, how to fight our staff at office."
you'll get 24 hours or something of dns attacks
i dunno how long it is exactly
probably longer
That's what she said!!
I am wondering why some people outside want to *attack* me for that.
it's dns amplification attacks basically
they query a really long record from you with a fake ip address of who they want to attack
and you send a much bigger response than you receive
so like if you type host -t any google.com you'll get a big long response
but it's a pretty short query
so they send to you at 50 megabit
Well, i do have you to strike back. I can get brycec support if needed.
and you respond with 200 megabit
What?
don't involve me
well what i'm saying is that if you're open at all they can keep hitting you
and so be careful to block port 53 on firewall before even trying such software.
but it's probably easier to do it on a lan behind firewall
Through bugs/security holes, attackers can "hijack" your server (dns and ntp are popular choices) to DDOS a third target. it's not personal, anisfarhana
brycec: "Never run from the battlefield without fighting" - anisfarhana
Except the Internet is all about defense
mercutio: Then i must try it over the weekend.
brycec / mercutio : I was kidding though about the strike back.
anisfarhana: the thing is if you're open for even a moment when they're checking for open relays
mercutio: Installing dnsmasq on live server (squid server) is quite risky.
they'll send attack traffic your way later and you can't stop it
and they don't know it's not still open because they're pretending to be their victim's ip.
yeah that's why i said do it at home
if you're behind nat with no dmz with no internet ip it's safer.
But the *network setup* is not same like in office.
with ferm you can have something like:
proto tcp dport 53 REJECT;
proto udp dport 53 REJECT;
i thought you just wanted to test youtube blocking?
You are telling about blocking port 53, I even don't know whether i do block 53 or not at office right now. Duhhh
I can feel the stress now.
maybe just use unbound.
mercutio: Sir, maybe i should explain to you first about the current network topology at my office.
local-zone: "youtube.com" redirect
local-data: "youtube.com A 127.0.0.1"
you should be able to have something like that in unbound.
mercutio: ++
Maybe something can make this dnsmasq not work on the current network setup.
mercutio: How about VM a linux in that windows dhcp server?
with unbound you have acl's like:
access-control: 127.0.0.0/8 allow
well if you're happy with your current dhcp server, then unbound may be the easier way to go
and dnsmasq will not interfere with our current firewall + squid?
and then you can stick it on the squid box
If i am brave enough to take a risk on it. Otherwise, i will use spare machine first for it.
well doing dhcp as well is more disruptive than just dns.
I am happy so far with my current dhcp server, it's about 5 years now and still running like charm. Well it's windows, so I am not worried about kernel panic. or shellshock things you know.
(Windows can kernel panic. Its kernel panics tend to be coloured blue.)
well we don't really do windows in here.
You don't say!?! :P
brycec: Sir, with high respect to you, and to mercutio , and also to the arpnetworks, that windows has not even given me a single bsod until now. I am not saying that windows is good. But like i said before, with my limited knowledge, I just use *any* that will give me less headache and problems. Hate to see the conversation, or hates about windows vs linux. It's 2015 now. And do not ignore me just because i use only 1 single windows at office for dhcp server. :/
This isn't Windows vs. Linux, anisfarhana. It was a statement that ARP Networks is known as a *nix VPS host. This is a *nix-leaning crowd in here.
Sorry for that. Sorry #arpnetworks My bad. I am talking about it since nobody is speaking about arpnetworks or nix related here..that's all. Again, sorry.
well ok back to your original issue.
unbound is pretty easy to setup, and can do acl's to only allow certain ip's to access dns.
which makes it safer to use on an internet facing host.
Wait mercutio, maybe we can speak about this in private or another channel?
the config is slightly more verbose, but for the essentials it's not really harder.
well you know how to change the dhcp server.
You're free to talk about it in here
Nobody's complaining
so it's just unbound config.
Thanks.
mercutio: Change as in, that 006 in win dhcp server? The url given by you before?
unbound is one of the most popular dns resolvers that came out of nowhere.
to being in lots of places.
including arp iirc.
anis: yeah.
but it still works ok on small setups.
from gdns to my-setup-dnsmasq, and my-setup-dnsmasq uses gdns right?
go to unbound not dnsmasq, less likely to break things :)
it's a bit simpler to use google dns upstream from dnsmasq than unbound
I thought unbound is the local IP address i use for dnsmasq server. Or am I wrong here?
name: "."
forward-addr: 8.8.8.8
forward-first: yes
you need something like that in the config to use google dns from unbound
nah unbound is an alternate dns resolver
https://unbound.net/
Ok ok, this is more confusing now. Stop first mercutio.
http://npr.me.uk/unbound.html
if you must you can run it on windows too
So unbound and dnsmasq are different? Do I need both of them?
you need either
but unbound is safer to not be open dns
unbound can also be graphed in cacti if you're into that kind of thing