/srv/irclogs.ubuntu.com/2013/09/28/#ubuntu-za.txt

Kilosmorning all05:52
Kiloshi henkj 06:20
superflymorning oom Kilos06:58
Kilosmorning superfly all good there?06:58
superflypretty much06:59
Kiloshi nlsthzn 07:19
nlsthznhey uncle Kilos , how are you?07:19
Kilosgood ty nlsthzn and you?07:20
nlsthznI am fine... @ work and would rather be home to be able to watch the rugby :/07:20
Kilosaw07:20
nlsthznnot so bad... 07:41
Kilosya thats life i spose07:41
Kiloswe should beat them ausies07:41
nlsthznif we can beat them and get 4 tries then the series is on vs NZ07:46
Kilosyeah07:56
Kiloshi Vince-0 10:58
Vince-0Hi!10:59
charl_good afternoon11:27
charl_Maaz: coffee on11:27
* Maaz flips the salt-timer11:27
Kiloshi charl_ 11:27
KilosMaaz, coffee please11:27
MaazKilos: Sure11:27
charl_hi Kilos 11:28
charl_ich bin kaput11:28
charl_i just arrived this morning back from munich11:28
Kiloswhat made you kaput11:28
Kilostravelling?11:28
charl_octoberfest ist total verrückt11:28
charl_*oktoberfest11:29
Kilosyou sposed to use trains not run11:29
charl_lol11:29
Kilosoh well, self inflicted punishment11:29
charl_yes i took the train from the netherlands all the way to munchen hauptbahnhof11:29
charl_theresienwiese is very close to the station (walking distance)11:29
charl_took two overnight trains11:30
Kilosah11:30
charl_arrived 7 in the morning and left at 10 in the evening11:30
charl_hotels are almost impossible to come by in munich at the moment11:30
MaazCoffee's ready for charl_ and Kilos!11:31
charl_Maaz: thanks11:31
Maazcharl_: Okay :-)11:31
KilosMaaz, danke11:31
MaazBitteschön11:31
charl_i sat in the Hacker-Pschorr tent11:31
charl_it's funny because it contains the word "hacker"11:31
Kiloslol11:32
charl_in the hacker-tent hahaha http://www.hacker-pschorr.com/en/oktoberfest/hacker-tent11:32
Kiloshi captine 12:24
captineHi there12:25
charl_hi captine 12:39
captinehi there12:40
charl_how's it going12:41
charl_ok photos uploaded http://imgur.com/a/z5TcB14:04
charl_there are a bunch that were taken in hannover too at the start14:04
charl_i traveled through hannover14:05
magespawnGood evening17:03
Kiloshi magespawn wb17:03
Kiloswe won nlsthzn 17:03
nlsthznI saw uncle Kilos ... but we needed one more try :/17:04
Kilosyeah17:04
magespawnHi Kilos17:04
magespawnHi nlsthzn17:04
Kilosif they only get 4 points against argentina then we even17:04
nlsthznthen they are 4 points ahead...17:04
nlsthznif they got bonus point they are now 5 points ahead17:05
nlsthznalo magespawn 17:05
Kilosthe comms okes just said if they get for we just need to beat them but if they get 5 we then need to win with bonus17:05
Kiloshows things magespawn 17:06
magespawnBusy and you Kilos? Bit chilly tonight.17:07
Kilosim cruising ty. temp lekker here17:07
nlsthznall depends on what they do in the next game uncle Kilos 17:07
Kilosyeah17:07
Kiloslets hope17:07
magespawnActually had to get the fleece out, and I am trying Kali17:08
nlsthznlol me watching smite and kali is a character in it... I was like oO17:09
magespawnLol17:09
magespawnNope does not work, it is the 64 iso and i need the 3217:26
Kilosaw17:27
magespawnNot a waste though, have it for the future17:27
Kilosoh you got a cold front over you magespawn 17:27
Kilosand rain17:27
magespawnYup, noot much rain though,  need more17:28
magespawnS/noot/not17:28
Kilosgonna be gone tomorrow17:28
magespawnApparently durban is also wet, so we might get more of that17:29
Kilosnight all. sleep tight17:41
=== wiseman is now known as Guest6157
Guest6157hi guys, I have the weirdest problem on 12.04 server. I have setup the server as an Internet gateway/fw with a proxy service. The weird problem is that I can connect perfectly from the fw to anywhere and I can ping from internal pc's to anywhere but as soon as I try to pull down real data it just hangs. Anyone out there with this experience?18:52
Tonberry_can the firewall pull real data?18:53
Guest6157Yup firewall can connect anywhere and pull any data.18:54
Guest6157Here is an example to highlight the problem...18:54
Guest6157I telnet to pop server at Afrihost from the gateway/fw and I connect and retr a message18:55
Guest6157When I telnet from internal pc to the same pop server I connect fine.18:55
Guest6157I type in user and pass and even list all the messages - no prob18:56
Guest6157I retr a 900byte message - no problem18:56
Guest6157When I try to retrieve a 14kb message it just hangs18:57
Guest6157Any ideas? This is really wierd18:57
Tonberry_does http work?18:57
Guest6157I have masquerading turned on in iptables on ppp0 (i'm originating the pppoe from the fw)18:58
Guest6157ALl protocols suffer the same problem. If I http via the proxy - no problem18:59
Guest6157If I bypass the proxy it just hangs after the initial connection setup (about 4 packets each way)18:59
Tonberry_wireshark/tcpdump showing anything interesting?19:01
Guest6157Nothing I can figure, here is the dump with a telnet on port 8019:01
Guest6157root@gateway:~# tcpdump -n -i ppp0 port 80 and host www.perfecthideaways.co.za tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on ppp0, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes 21:02:48.135726 IP 197.242.144.109.80 > 105.236.125.92.52397: Flags [S.], seq 985820861, ack 3455156208, win 14480, options [mss 1460,sackOK,TS val 3833888364 ecr 6018902,nop,wscale 7], length 0 2119:03
Guest615721:02:48.135921 IP 105.236.125.92.52397 > 197.242.144.109.80: Flags [.], ack 1, win 115, options [nop,nop,TS val 6018911 ecr 3833888364], length 0 21:02:49.134833 IP 197.242.144.109.80 > 105.236.125.92.52397: Flags [S.], seq 985820861, ack 3455156208, win 14480, options [mss 1460,sackOK,TS val 3833889364 ecr 6018911,nop,wscale 7], length 019:04
Tonberry_pastebin might be a better medium for this19:05
Guest6157OK :) you gonna have to help me - my first time on IRC19:05
Tonberry_http://slexy.org or something similar.19:06
Tonberry_Paste it there and paste the url here.19:06
Guest6157http://slexy.org/raw/s21ZYC3JBv19:08
Guest6157I ran a tcpdump on the inside interface as well and it is (afaik) the same 19:09
Guest6157I have checked the MTU's on interfaces incl ppp19:11
Guest6157No mtu limit set in etc/ppp/options19:14
Tonberry_have you tried pings with large lengths?19:14
Guest6157Yup 5k pings run fine but obviously take a little longer to come back19:15
Tonberry_no other strange iptables rules that could start dropping packets?19:17
Guest6157Just ran a 15k ping and runs fine - it gets chopped into 20 packets - but all normal19:18
Guest6157I am running my own simple iptables rules to firewall the thing.19:18
Guest6157I am running the exact same rules on the orginal fw - this one is the replacement19:19
Tonberry_then i am out of ideas19:20
Guest6157hmmm, your comment made me ahve another look and I see some of the rules were using eth1 - not eth3 of outside if19:22
Guest6157let em test quick19:22
magespawnRubber duck.19:23
Guest6157shoot that broke it - need to check out where the break is19:25
Guest6157OK, it reinstated the port 80 block to enforce proxy use19:35
superflyGuest6157: for a light-weight firewall that is easy to configure, I recommend Arno's IP Tables Firewall, it's in the repos19:35
superflyGuest6157: it does NAT, forwarding, etc.19:35
Guest6157problem still exactly the same -- any ideas?19:35
Tonberry_anything odd in kernel logs?19:37
Guest6157I'll take a look - at the risk of security I have posted the rules in case you guys can see something schupit - http://slexy.org/raw/s20Vcz8JKq19:42
Guest6157nothing popping up in kern logs19:45
Guest6157Here is something interesting - when I download a 1039byte email I see this19:54
Guest615721:51:43.264805 IP 197.242.144.109.110 > 105.236.125.92.35805: Flags [P.], seq 1161:2220, ack 73, win 114, options [nop,nop,TS val 3836823444 ecr 6752746], length 105919:54
Guest6157You see the 1059 byte packet19:54
Guest6157When I download a 4542byte email I see this19:55
Tonberry_iptables -t filter -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT19:55
Guest615721:52:25.929352 IP 197.242.144.109.110 > 105.236.125.92.35805: Flags [P.], seq 6564:6782, ack 82, win 114, options [nop,nop,TS val 3836866111 ecr 6763413], length 21819:55
Tonberry_what happens with that one if you change it to eth3?19:55
Guest6157Only a 218 byte packet followed by ack 2220bytes19:56
Guest6157Hmm let me see why that is there19:58
Guest6157That rule is supposed to only allow 'state' traffic inbound to inside interface20:02
Tonberry_you already have iptables -t filter -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT20:03
Tonberry_higher up20:03
Guest6157hmmm, let me delete and see20:03
Tonberry_I don't think it should make a difference but then again your setup should work20:04
Guest6157Ya that didn't change anything20:07
Guest6157It is almost certainly got to do with the packet size20:11
Tonberry_yeah that is weird20:11
Tonberry_why does it ack for so much data?20:14
Guest6157Good point, let me see the packets going out before they get to the fw20:15
Guest6157Same packets inside (pc interface) and outside (ppp0)20:21
Guest6157The packet with length 218 is returning packet from the server20:24
Guest6157Let's see what the packets direct from the gateway look like20:24
Guest6157Here is the comparison between the pc and the fw downloading the same email message using retr20:30
Guest6157http://slexy.org/raw/s20wXm94lw20:30
Guest6157This is the first packet coming back from the pop server (fw connection)20:32
Guest615722:27:04.181099 IP 197.242.144.109.110 > 105.236.125.92.38959: Flags [.], seq 1:1441, ack 9, win 114, options [nop,nop,TS val 3838944325 ecr 7553708], length 144020:32
Tonberry_it looks like the pc is only getting the very last packet20:33
Guest6157This is the first packet coming back from the server (pc inside)20:33
Guest615722:19:54.266592 IP 197.242.144.109.110 > 10.1.1.6.35807: Flags [P.], seq 5625:5843, ack 73, win 114, options [nop,nop,TS val 3838422348 ecr 7152511], length 21820:33
Tonberry_is this the same connections as seen from the server and pc?20:34
Tonberry_or is this the pc attempting it and the server attempting it?20:34
Guest6157This is seperate connections20:36
Guest6157But I think you are onto something because the serial nos don;t line up20:37
Tonberry_the pc also ack 1281 twice20:37
Tonberry_looks like it trying to go for a fast retransmit20:37
Tonberry_acks*20:38
Tonberry_still looks a lot like a mtu issue20:38
Tonberry_what happens when you force the ppp device mtu to 50020:39
Tonberry_?20:39
Tonberry_what is the MTU on your internal network interfaces?20:41
Tonberry_eth3 if I understand your server correctly20:41
Guest6157can't force a higher mtu on the ppp interface - can only set the max limit but it will auto negotiate a lower one if it feels needs to20:43
Tonberry_the default is lower than 500?20:44
Guest6157both phys interfaces have 1500 mtu - let me check the ppp settings again20:45
Guest6157         inet addr:105.236.125.92  P-t-P:105.236.10.129  Mask:255.255.255.255           UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:120:46
Tonberry_I think its worth a try to test with a lower mtu on the ppp interface20:48
Tonberry_ip link set dev ppp? mtu 50020:48
Tonberry_or something similar20:48
Tonberry_500 is usually small enough to keep anything happy20:49
Guest6157Oh you think I should bring it down? Let me do that20:49
Tonberry_to me it looks like the large packets go missing, if the MTU is smaller then the server should only respond with packets that it thinks will fit the MTU20:50
Guest6157# Set the MTU [Maximum Transmit Unit] value to <n>. Unless the peer # requests a smaller value via MRU negotiation, pppd will request that # the kernel networking code send data packets of no more than n bytes # through the PPP network interface.20:52
Guest6157ifconfig still shows MTU 1492 on PPP020:53
Guest6157I'm trying the connection20:53
Guest6157When I download 4542byte message the first return packet seen on ppp0 is seq no 4345:4563 (218 bytes) - I think it is the last packet for some reason as you said20:59
Tonberry_try running 20:59
Tonberry_ip link set dev ppp0 mtu 50020:59
Tonberry_while the connection is active20:59
Guest6157Why would it be withholding those packets?20:59
Tonberry_and see if that makes any difference to the mtu/packets21:00
Tonberry_something has to be dropping them for some reason21:00
Tonberry_mmm21:00
Guest6157Yup I'll try but it's not like I'm seeing the packets and then they are getting chopped. I just never see them21:01
Tonberry_an interface somewhere that refuses to fragment packets?21:01
Tonberry_my theory is that with a low enough MTU there should never be any big packets sent to you21:01
Tonberry_also in the cases it does work the final packet is 242 bytes while in the not working cases it is 21821:02
Tonberry_so the packets that do not get through have to be bigger21:03
Guest61571st packet back from server still seq 4586:4804 (218 bytes)21:05
Tonberry_ok21:06
Guest6157I noticed that this packet acks seq 65 which is the last packet from the pc - so no missing packets21:06
Tonberry_ok try lower the MTU of the pc21:07
Guest6157OK that may bring up something - just before we do that I'm going to increase the snap len to catch the whole packet and dig in the contents to see if the 1st outgoing packet is different21:09
Tonberry_ok21:09
Tonberry_try allowing inbound icmp fragment packets in iptables21:17
Guest6157It is still the last packet that comes back (although trancated to 218 bytes as you say) but the data is the almost last words form the email21:22
Guest6157Good point on the icmp - let me see if those packets are coming back or going to the server)21:23
Guest6157I looked at the raw packet data and it has some differences but I cannot tell what - let me see if I can interpret with tcpdump21:24
Tonberry_you could try saving it to pcap and opening the capture with wireshark21:25
Guest6157Not familiar with wireshark (is it gui?) 21:31
Tonberry_yes21:31
Guest6157But I have looked through using some tcpdump options to give ASCII printout21:31
Guest6157Can;t see anything useful in the outgoing packet21:31
Tonberry_you can use it to capture packets directly or view pre captured packets21:31
Guest6157I'll put it on slexy21:32
Tonberry_i suspect your ISP has a router somewhere that drops packets instead of fragmenting them21:32
Guest6157Yes but how would that explain the packets working fine when originating from the fw21:33
Tonberry_the ppp device has a slightly lower mtu than the ethernet device21:33
Guest6157From the network pov it is the same IP address21:33
Tonberry_so when the firewall directly negotiates the tcp connection it tells the server the MTU of the interface it is using21:33
Guest6157we dropped the mtu to 500 so there should be no fragementation21:33
Tonberry_when the pc does negotiates it tells the server its mtu is 150021:34
Tonberry_an for some reason the usual fragmentation/mtu discovery is not picking this up and fixing it21:34
Guest6157Wait, we dropped the mtu of the ppp int - which means all internal packets will be fragmented21:34
Tonberry_thats my best guess21:35
Guest6157we should drop the mtu of the internal if21:35
Tonberry_that could work21:35
Guest6157and put the ppp back to max21:35
Tonberry_you could also try something like http://lartc.org/howto/lartc.cookbook.mtu-mss.html21:36
Guest6158Hey Tonberry_ you still there - I think all the messing around dropped my login21:54
Guest6158I implemented the iptables hack but did not have an effect21:55
Tonberry_ah, any luck so far?21:55
Guest6158the MTU on the internal interface to 500 also didn;t work21:56
Guest6158if I send you the raw packets could you push them through wireshark and see if anything jumps out at you?21:57
Tonberry_i could have a look21:57
Guest6158Gonna need some pointers again - whats the best way?21:58
Tonberry_mmm, good question21:59
Guest6158you can text/whatsapp me your email on 082888173422:00

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!