***: toeshred has quit IRC (Ping timeout: 265 seconds)
toeshred has joined #arpnetworks
jbergstroem has quit IRC (Ping timeout: 250 seconds)
jbergstroem has joined #arpnetworks
mjp has quit IRC (Read error: Connection reset by peer)
carvite_ has joined #arpnetworks
mjp has joined #arpnetworks
jpalmer has quit IRC (*.net *.split)
twobithacker has quit IRC (*.net *.split)
sjackso has quit IRC (*.net *.split)
Hien_ has quit IRC (*.net *.split)
carvite has quit IRC (*.net *.split)
carvite_ has quit IRC (Changing host)
carvite_ has joined #arpnetworks
carvite_ is now known as carvite
jpalmer has joined #arpnetworks
twobithacker has joined #arpnetworks
sjackso has joined #arpnetworks
Hien_ has joined #arpnetworks
dj_goku_ has quit IRC (Read error: Connection reset by peer)
dj_goku has joined #arpnetworks
dwarren has joined #arpnetworks
SpeedBus has quit IRC (Ping timeout: 245 seconds)
SpeedBus has joined #arpnetworks
mnathani has quit IRC (Ping timeout: 264 seconds)
mnathani has joined #arpnetworks
dj_goku_ has joined #arpnetworks
dj_goku has quit IRC (Read error: No route to host)
dj_goku_ has quit IRC (Read error: Connection reset by peer)
dj_goku has joined #arpnetworks
dj_goku has quit IRC (Changing host)
dj_goku has joined #arpnetworks
qbit has quit IRC (Quit: leaving)
qbit has joined #arpnetworks
qbit is now known as Guest28144
Guest28144 is now known as qbit
mercutio: does anyone know of an ipv6 netmask validator?
i.e. to make sure you're not screwing up syntax.
brycec: mercutio: like http://www.gestioip.net/cgi-bin/subnet_calculator.cgi ?
mercutio: ahh yeah like that
it's not quite as nice as the netmask command i usually use for ipv4 just to check :)
in the end i used openbgpd to validate it :)
brycec: it was simply the first google result for "ipcalc ipv6" :P (Also, I've used their IP address management stuff before)
mercutio: the extra :: etc gets confusing.
brycec: there's an extra :: ?
mercutio: it /looked/ right
brycec: Shouldn't there be at most 1
mercutio: nah
shortened form.
this is a /127 that i'm doing.
brycec: Right. In shortened form there can only be 1 instance of ::
mercutio: yeah
there only is one
brycec: So where's the extra?
mercutio: well over ipv4 it's "extra"
brycec: ah
mercutio: i just get paranoid of making mistakes so like to check
brycec: That's fine. i was just confused by "the extra ::" (because to me, there's 1, and any more are extra. I don't compare it to ipv4)
***: medum has joined #arpnetworks
mercutio: Yeah, I'm still kind of rusty on IPV6.
i'd be fine if it only went up to /32 :)
but the long addresses by sight still are a bit.. disorientating.
apparently someone had asked about netmask gaining ipv6 support in 2000.
and someone asked for an update last year.
it's a pretty nifty program for ipv4.. you can just do things like netmask -r 192.168.13.76/29
or such
and it'll show you the range of ip addresses that covers.
brycec: ipcalc does the same thing
mercutio: oh
brycec: And has seen an update more recently than 5 years ago
mercutio: with ipv6 support?
brycec: no idea offhand
Looks like no, at least on my install
mercutio: the help doesn't suggest ipv6
well ipv4 hasn't changed, so don't really need updates.
brycec: looks like sipcalc has superseded ipcalc and supports ipv6
mercutio: sipcalc sounds like it might
haha
brycec: (yep, confirmed ipv6 in sipcalc)
mercutio: sweet, this looks good
yeah
i tried it.
***: RandalSchwartz has joined #arpnetworks
RandalSchwartz: anyone up for a ZFS question?
mercutio: yeah sure
RandalSchwartz: so... I use send/recv to clone a snapshot from zroot to pool/zroot (on a different disk)
what steps do I have to take to make it boot off the second disk, and mount pool/zroot as /
mercutio: oh i haven't done much with freebsd zfs root
RandalSchwartz: something in bootconf?
mercutio: but i think as long as the bootloader understands it should be fine
you probably have to use zfs set mountpoint=/ on it
RandalSchwartz: vfs.root.mountfrom="zfs:zroot"
probably need to edit that too
mercutio: https://wiki.freebsd.org/RootOnZFS
hmm
RandalSchwartz: do I need to promote the snapshot so it becomes the live fs
I haven't done that before
mercutio: you'll need to clone the snapshot
so usually you make a snapshot on the sender, set the receiver to readonly
RandalSchwartz: yes... the tool does that
zxfer
mercutio: and keep updating the snapshot on the receiver using diffs, then when you want to promote it, you clone from the snapshot to a real file system
RandalSchwartz: ahh. clone... that was the word I was missing I guess
mercutio: it sounds like freebsd doesn't use the zfs automount stuff
and uses /etc/fstab instead.
and that vfs.root.mountfrom is probably what you want.
yeah so you can take any snapshot, create a clone from it, and access it like a normal filesystem.
RandalSchwartz: Hmm. Maybe I should rehearse this in a VM. :)
mercutio: seems like a good idea
RandalSchwartz: and the selected boot drive is out-of-band right?
this is a dedi system at arp
mercutio: i'm not sure
RandalSchwartz: ok
mercutio: i would just split the boot pool from the data pool.
and just have a fully functional second pool
on another machine
RandalSchwartz: too late for that. :)
mercutio: heh
RandalSchwartz: we're trying to migrate from hard to ssd
mercutio: yeah.
RandalSchwartz: currently mirror hard... using zxfer to push data over. that worked well.
mercutio: without doing another install
how big is your root
RandalSchwartz: that's personal!
mercutio: you can mirror to ssd if it's big enough
so mirror hard-disk to ssd
RandalSchwartz: can't set up mirror after the fact
mercutio: you can
RandalSchwartz: already have mirror hard1 hard2
mercutio: if it's small enough existing
you can unmirror
or just remove drive / fail it
RandalSchwartz: hards are 768, ssd is 512
so it wouldn't accept the mirror
mercutio: i had to do that when migrating my zfs array at home
yeah
RandalSchwartz: so I have to resort to this send/recv dance
all for about 100G of data. :)
mercutio: i'd normally opt for another system install
on a second machine
RandalSchwartz: "if I put it in a jail..."
mercutio: but that's why i don't migrate from hard-disk to ssd
yeah if you'd made your root smaller..
RandalSchwartz: hard to do that now :)
mercutio: when you do your ssd short stroke it
you can always expand it later.
RandalSchwartz: interesting thought
mercutio: it's a good habit to be in if you're using much less data
so like with a 512gb ssd, with 100gb of data you may decide to only do 200gb on each drive
but leave partition space there
RandalSchwartz: hmm. looks like you *can* "mirror down"
... https://blogs.oracle.com/mock/entry/how_to_shrink_a_mirrored
mercutio: yeah.
oh
i don't know if you can
i think that was added after the fork.
RandalSchwartz: ugh
mercutio: i've been finding with ssd's raidz works better than mirrored.
RandalSchwartz: says blog entry 2010
but I'd need 3 ssds then
mercutio: you've got so many iops, and write speed goes up.
yeah.
RandalSchwartz: we've been in this conversation before :)
mercutio: oh
RandalSchwartz: Oh, I could split each ssd into two
mercutio: oh yeah you can't have more than 2.
RandalSchwartz: and make it a 4-way raidz
mercutio: uhh
RandalSchwartz: or 3 with a spair
spare
mercutio: that wouldn't give you redundancy
RandalSchwartz: oh - because ssd fail is taking two drives at once
and double fail is bad
mercutio: anyway, with linux i've found it really easy to migrate.
i don't actually think it'll be that complicated.
i would check out the freebsd zfs root documentation for before it was in the installer.
s/for/from/
BryceBot: <mercutio> i would check out the freebsd zfs root documentation from befrome it was in the installer.
mercutio: haha
i didn't have /g
i think there's just two key components, the bootloader, and the initial config as it comes up
RandalSchwartz: yeah, the latter being /boot/loader.conf
or something like that
where I found the zfs:zpool thing
mercutio: https://calomel.org/zfs_freebsd_root_install.html
does this help?
that site is terrible
hmm zfs set bootfs?
https://wiki.freebsd.org/RootOnZFS/GPTZFSBoot/9.0-RELEASE
this may be better
RandalSchwartz: better in what sense
ahh.. that's the one I have bookmarked.
mercutio: ok
RandalSchwartz: ok - gonna wander into ##freebsd to see if they know what I need
mercutio: good idea
mnathani_: sipcalc 0.0.0.0/0 >> Addresses in network - 4294967295
Usable range - 0.0.0.1 - 255.255.255.254
brycec: Checks out by my math.
mnathani_: I wonder how many bytes it would take to store a compressed text file containing one ipv6 address per line and do that for all possible ipv6 addresses
mercutio: a lot
oh compressed.
there's actually special compression algorithms for things like that
or do you mean human readable compression?
ip addresses are predictableish
which reminds me, http://blog.edgecast.com/post/110230974176/being-good-stewards-of-the-internet
anisfarhana: and until now i still dont understand how to use the sipcalc even with lots of reading.
Stupid is always stupid i guess.
mercutio: anisfarhana: sipcalc 192.168.13.13/29 will show something like
Network range - 192.168.13.8 - 192.168.13.15
Usable range - 192.168.13.9 - 192.168.13.14
so if you have a /29 subnet that you want to place, you can figure out where a nice multiple of 8 is
you can always do it on your own too.
curiously it doesn't seem to like legacy subnets. netmask does.
err legacy netmasks
anisfarhana: Yes i actually know that part.
As i u always use sipcalc to trace out youtube ip address blocks.
and blocked it in firewall until many of staff at office complained they are not able to use Google.
mercutio: youtube is probably easier to block in dns.
and you can block alternative dns providers.
it shares infrastructure too close to google search.
anisfarhana: Interesting...
So what you just said, https for youtube counts too?
I have no problem blocking youtube.com
But i do have problem to block https://www.youtube.com
mercutio: http or https can be blocked just by dns
unless anyone knows the ip addresses to go to
anisfarhana: And now even worst, our staff use Google Chrome and it use HTML5 player for youtube.
mercutio: what dns cache are you using?
anisfarhana: I do blocked youtube by using squid too, the mime for *media player*
-: anisfarhana blinks
mercutio: that won't help https unless you force people to use proxy
***: brycec is now known as regex
anisfarhana: mercutio: Can you simplify your question again?
***: regex is now known as brycec
anisfarhana: I am not RandalSchwartz :P
Well, I use transparent proxy at office though
mercutio: are you using unbound or bind or dnsmasq or what as a local resolver?
transparent proxies don't work with https
anisfarhana: Okey..I dont know what to say now.
Your question is just..very geeky to me.
***: pyvpx has quit IRC (Remote host closed the connection)
mercutio: well in /etc/resolv.conf.. there's a nameserver... do you have your own local one?
or are you just using your isp's resolver?
brycec: It's a geeky channel...
anisfarhana: But i use squid in firewall. Firewall ---> proxy server (local ip address) ---> Internet
I am using Google DNS.
mercutio: do you have a cache in front of that?
or do you just hand out google dns to desktops?
anisfarhana: Desktop --> DHCP server (use google dns) ---> Firewall (also google dns)
mercutio: does the dhcp server have local dns cache?
like dnsmasq can do dns as well as dhcp
anisfarhana: It is just normal dhcp server in windows.
mercutio: isc dhcp server doesn't.
oh
brycec: in other words, a "dns forwarder"
anisfarhana: Open the range for each VLANs.
mercutio: windows :/
do you run squid on windows?
anisfarhana: That is only i know to setup dhcp server.
Debian
mercutio: dnsmasq is pretty easy
anisfarhana: I use ipcop for firewall.
mercutio: and does dns too
and makes it easy to point domain names somewhere else
m0unds: whoa, ipcop? haven't heard that name in years
mercutio: and it publishes dhcp names to dns.
anisfarhana: Interesting...
mercutio: ipcop?
did i miss osmethingZ?
err something
anisfarhana: m0unds: It works, I have at least 4 ipcops running like charm now.
m0unds: anisfarhana: is it still actively developed? i had no idea it was still around
anisfarhana: Why bother with those expensive appliance while ipcop can do that?
mercutio: cos there's pfsense now? :")
anisfarhana: m0unds: afaik yes sir.
brycec: because there's better AND free
mercutio: ++
Also m0n0wall
anisfarhana: Its not about free, why you wanna spend lots of money while you can use opensource for the same mission?
mercutio: anisfarhana: he was just saying there are better alternatives that are also free.
anisfarhana: Better use that money and donate to people like mercutio here.
brycec: m0n0wall and pfSense are both free, open-source, etc
m0unds: yea, i compared ipcop to m0n0wall in 03 or so, and decided on m0n0wall because i liked bsd better
anisfarhana: Ah yes..well..again..sorry if i said anything wrong. my engrish is not good.
m0unds: ran it on an old hp proliant server until i couldn't bear the noise anymore and built something newer (in like 04 or 05)
anisfarhana: mercutio: I am googling about dnsmasq atm
mercutio: i used to use an old openbsd box as a router
brycec: I ran m0n0wall for years, both at home and for work. Then there came pfSense and I used that at home and work, and still do use it at home. (Before m0n0wall, I used ipcop too)
mercutio: at home, with like 16mb of ram
anisfarhana: I wish i can flirt with those ipcops dev
lol
mercutio: it looks like ipcop is still in development.
anisfarhana: Yes it is :)
I am glad the ipcop is still alive..
And founder of #ipcop channel usually here, don't see him recently.
mercutio: Ohhh dnsmasq + dhcp together in 1 place.
mercutio: yeah it does dns and dhcp
simple config
anisfarhana: I think dnsmasq is something like dns + AD server for windows?
mercutio: has a few nice things like being able to just stick extra dns names in /etc/hosts.
i reckon for small setups it's the simplest/easiest solution
anisfarhana: and dnsmasq actually can *block* any website i want, even on https?
mercutio: it can block the dns name to ip mapping
brycec: And it's easy to configure it to deny any DNS request matching a domain, such as blocking youtube.com
mercutio: or renumber it
brycec: ^ Which is how we got to this point.
anisfarhana: Sigh
mercutio: i'd recommend renumbering it to an ip with a web server on it that says it's blocked.
anisfarhana: I do aware about dnsmasq before, but i don't bother to find out what it is.
Does a person like me can configure / setup it?
mercutio: yes.
if you can configure squid you can configure dnsmasq.
anisfarhana: With no stress, less downtime, and no overnight at office?
I don't configure squid myself 100%
mercutio: well the biggest complication is if you have a mix of static and dhcp addresses on the same subnet
anisfarhana: Errr engrish error again.
mercutio: and just making sure you don't clash new ip address allocations over the top of existing static allocations.
anisfarhana: I don't configure the squid server 100% before, somebody help me for it.
mercutio: well the only way to learn is by doing
maybe configure it at home first?
i'm using it at home myself.
anisfarhana: I do have spare machine at office, at least with 1 public ip address on it.
mercutio: dhcp is disruptive :)
brycec: I was too, as part of pfSense (but have just switched to Unbound)
anisfarhana: If i have mix/static/dhcp addresses on the same subnet?
mercutio: https://wiki.debian.org/HowTo/dnsmasq
this looks like a way to say the important things easy
anisfarhana: Ok by looking at the url given, I need another server for that.
mercutio: just run it on your squid server
you could setup dns first
anisfarhana: But squid server is more to front end.
mercutio: and setup your dhcp server to give out the dns cache's ip.
anisfarhana: current windows server that i use for dhcp server, able to do that?
mercutio: should be able to
anisfarhana: Ok thats great.
mercutio: i've never done dhcp on windows.
anisfarhana: It is easy.
That is why i use it.
mercutio: http://forums.petri.com/showthread.php?t=55350
anisfarhana: I will use any OS that could give more easy solution based on my minimal knowledge.
Wow
Interesting.
I believe 006 DNS Servers i put for the windows box at office is 8.8.8.8/8.8.4.4
So basically, just replace that google dns, to my dnsmasq?
mercutio: yeah
and then dnsmasq can use 8.8.8.8/8.8.4.4
although i'd recommend not using google dns primary and secondary.
the chances of both going down at once is increased.
and google dns's performance can be kind of variable. i don't know what it's like there.
anisfarhana: It is good so far.
mercutio: i'm assuming google's dns is in singapore.
but i think they send their requests from taiwan or something
anisfarhana: Many people use gDNS to run away from blocked website by our gov.
mercutio: heh
opendns may be another option
or ultradns
anisfarhana: Slow.
Based on ping compared to gdns
mercutio: you can set dnsmasq to query multiple dns in parallel
and take the first answer it gets.
ping isn't everything
google ping is like 24 msec from here
anisfarhana: Yes this dnsmasq is interesting
mercutio: but it's more than 24msec slower on average.
there's a cool program called namebench which lets you benchmark dns servers.
the problem with google here is that even though the server is close, all the requests come from ages away.
anisfarhana: I am aware of that. namebench even recommended to use gdns before.
mercutio: hmm
anisfarhana: But that is less important.
The more important thing is, how to fight our staff at office.
mercutio: Can i trial and error do the dnsmaqs by using the vps first? and change one of DHCP ip range at office, point it to the public vps?
mercutio: don't run dnsmasq on vpos
vps
anisfarhana: Even for testing purposes?
mercutio: well i mean you can, but you'd have to be very careful with firewalling it.
anisfarhana: Firewalling the vps or ?
mercutio: you really don't want to run an open dns.
if you're behind a firewall it's safer.
yeah
unbound is better for acl support
anisfarhana: Well, i always can format the vps after that with 1 single click only.
mercutio: and not being open
well it's more there are constant dns attacks happening these days
and even if you shut it off they'll continue
so if you have open dns for 5 minutes
and they find it
brycec: Martial arts? "The more important thing is, how to fight our staff at office."
mercutio: you'll get 24 hours or something of dns attacks
i dunno how long it is exactly
probably longer
BryceBot: That's what she said!!
anisfarhana: I am wondering why some people outside want to *attack* me for that.
mercutio: it's dns amplification attacks
basically they query a really long record from you with a fake ip address of who they want to attack
and you send a much bigger response than you receive
so like if you type host -t any google.com
you'll get a big long response
but it's a pretty short query
so they send to you at 50 megabit
anisfarhana: Well, i do have you to strike back. I can get brycec support if needed.
mercutio: and you respond with 200 megabit
brycec: What? don't involve me
mercutio: well what i'm saying is that if you're open at all they can keep hitting you
and so be careful to block port 53 on firewall
before even trying such software.
but it's probably easier to do it on a lan behind firewall
brycec: Through bugs/security holes, attackers can "hijack" your server (dns and ntp are popular choices) to DDOS a third target. it's not personal, anisfarhana
anisfarhana: brycec: "Never run from the battlefield without fighting" - anisfarhana
brycec: Except the Internet is all about defense
anisfarhana: mercutio: Then i must try it over the weekend.
brycec / mercutio : I was kidding though about the strike back.
mercutio: anisfarhana: the thing is if you're open for even a moment when they're checking for open relays
anisfarhana: mercutio: Installing dnsmasq on live server (squid server) is quite risky.
mercutio: they'll send attack traffic your way later and you can't stop it
and they don't know it's not still open
because they're pretending to be their victim's ip.
yeah that's why i said do it at home
if you're behind nat with no dmz with no internet ip it's safer.
anisfarhana: But the *network setup* is not same like in office.
mercutio: with ferm you can have something like: proto tcp dport 53 REJECT;
proto udp dport 53 REJECT;
i thought you just wanted to test youtube blocking?
anisfarhana: You are telling about blocking port 53, I even don't know whether i do block 53 or not at office right now.
Duhhh
I can feel the stress now.
mercutio: maybe just use unbound.
anisfarhana: mercutio: Sir, maybe i should explain to you first about the current network topology at my office.
mercutio: local-zone: "youtube.com" redirect
local-data: "youtube.com A 127.0.0.1"
you should be able to have something like that in unbound.
brycec: mercutio: ++
anisfarhana: Maybe something can make this dnsmaqs not working on current network setup.
mercutio: How about VM a linux in that windows dhcp server?
mercutio: with unbound you have acl's like: access-control: 127.0.0.0/8 allow
well if you're happy with your current dhcp server, then unbound may be the easier way to go
anisfarhana: and dnsmasq will not interfere with our current firewall + squid?
mercutio: and then you can stick it on the squid box
anisfarhana: If i am brave enough to take a risk on it.
Otherwise, i will use spare machine first for it.
mercutio: well doing dhcp as well is more disruptive than just dns.
anisfarhana: I am happy so far with my current dhcp server, its about 5 years now and still running like charm.
Well its windows, so I am not worry about kernel panic.
or shellshock things you know.
brycec: (Windows can kernel panic. Its kernel panics tend to be coloured blue.)
mercutio: well we don't really do windows in here.
brycec: You don't say!?! :P
anisfarhana: brycec: Sir, with high respect to you, and to mercutio , and also to the arpnetworks, that windows not even give me single bsod until now. I am not saying that windows is good. But what i like said before, with my limited knowledge, I just use *any* that will give me less headache and problems.
Hate to see the conversation, or hates about windows vs linux. Its 2015 now.
And do not ignore me just because i use only 1 single windows at office for dhcp server.
:/
brycec: This isn't Windows vs. Linux, anisfarhana. It was a statement that ARP Networks is known as a *nix VPS host. This is a *nix-leaning crowd in here.
-: anisfarhana nods
anisfarhana: Sorry for that. Sorry #arpnetworks
My bad.
I am talking about it since nobody speaking about arpnetworks or nix related here..thats all.
Again, sorry.
mercutio: well ok back to your original issue.
***: dj_goku has quit IRC (Ping timeout: 256 seconds)
mercutio: unbound is pretty easy to setup, and can do acl's to only allow certain ip's to access dns.
which makes it safer to use on an internet facing host.
anisfarhana: Wait mercutio, maybe we can speak about this in private or another channel?
mercutio: the config is slightly more verbose, but for the essentials it's not really harder.
well you know how to change the dhcp server.
brycec: You're free to talk about it in here
Nobody's complaining
mercutio: so it's just unbound config.
anisfarhana: Thanks.
mercutio: Change as in, that 006 in win dhcp server?
The url given by you before?
mercutio: unbound is one of the most popular dns resolvers that came out of nowhere.
to being in lots of places. including arp iirc.
anis: yeah.
but it still works ok on small setups.
anisfarhana: from gdns to my-setup-dnsmasq, and my-setup-dnsmaqs use gdns right?
mercutio: go to unbound not dnsmasq,
less likely to break things :)
it's a bit simpler to use google dns upstream from dnsmasq than unbound
anisfarhana: I thought unbound is the local IP address i use for dnsmasq server. Or I am wrong here?
mercutio: name: "."
forward-addr: 8.8.8.8
forward-first: yes
you need something like that in the config to use google dns from unbound
nah unbound is an alternate dns resolver
https://unbound.net/
anisfarhana: Ok ok, this is more confusing now.
Stop first mercutio.
mercutio: http://npr.me.uk/unbound.html
if you must you can run it on windows too
anisfarhana: So unbound and dnsmaqs, are different?
I need both of it? mercutio: you need either
but unbound is safer to not be open dns
unbound can also be graphed in cacti if you're into that kind of thing
***: dj_goku has joined #arpnetworks
dj_goku has quit IRC (Changing host)
dj_goku has joined #arpnetworks