[00:00] <Patrickdk> you can't do ftp via ssh
[00:00] <Patrickdk> you can use sftp though
[00:26] <whitepowder> i'm trying to put together a recovery usb stick. It has 2 partitions (fat16 2gb and btrfs 14gb) I've got syslinux, freedos, grub4dos, and my preseed configs on it. I need to be able to install 12.04.4 from this, configured pretty much entirely automatically. I'd like to keep the preseed in the fat16 part, so it can be changed from a windows box if needed
[03:49] <gambol> guys, anyone know if there's some app/package will enable ip_forward by default?  I have a 14.04, seeing the ip_forward is 1 but I believe I never changed it manually.
[03:58] <PryMar56> gambol, check the mod time on /etc/sysctl.conf
[03:59] <PryMar56> gambol, do you see ip_forward setting here `sysctl -p` ?
[04:13] <PryMar56> gambol, maybe a kernel param?
[04:27] <gambol> Thanks PryMar56 . Sorry I can't ssh the host atm.
[04:28] <gambol> `sysctl -a` will show the params
[04:28] <gambol> it is a standard 14.04 installation, with I followed the offical docs to build a kickstart server
[04:29] <gambol> so packages newly installed is tftp stuff only I think
[04:30] <gambol> oh and bind ,and dhcp
[04:30] <gambol> nothing touched for iptables or network details
[05:21] <mnaser> I have a server that seems to be stuck in the installation process (PXE boot).  How can I get a shell to look at why it is currently stuck?
[05:52] <gambol> mnaser, i guess Alt F4
[05:52] <mnaser> ctrl+alt+f2 worked
[05:53] <gambol> I am new to ubuntu 2
[06:56] <abhie2e> hi
[06:57] <AlisonChaiken> Greetings from Hildesheim, Germany.    I need what I'm sure is a Frequently Answered Answer.
[06:57] <abhie2e> i installed ubuntu server in virtualbox vm, and connected bridged wlan0 to host. still no network in vm. help
[06:57] <AlisonChaiken> I have Ubuntu 12.04.    I type "do-release-upgrade", am told that there are no new releases!
[06:57] <abhie2e> ping gmail gives unknown host
[06:57] <AlisonChaiken> And I tried "sudo apt-get dist-upgrade," nothing happens.
[06:58] <AlisonChaiken> What am I missing?
[06:58] <AlisonChaiken> abhie2e, what do you see if you type "ip addr list" in both host and VM?
[06:58] <AlisonChaiken> Does your VM have an IP?   Are you using NetworkManager?
[06:59] <abhie2e> AlisonChaiken, host is connected to internet. thats how i am here in irc. ubuntu server vm gives lo and eth0 for ip addr list
[06:59] <abhie2e> both do not have ip
[07:00] <AlisonChaiken> I don't follow you abhie2e.    If host doesn't have an internet connection, how would the VM?
[07:00] <AlisonChaiken> "ip addr list" is a command.   You type it at shell prompt to see what connections are up.
[07:00] <abhie2e> AlisonChaiken, both lo and etho in vm do not have ip. host have internet. thats why i am talking to you.
[07:00] <abhie2e> via irc
[07:01] <AlisonChaiken> So eth0 is listed by "ip addr list" in VM, but there's no IPv4 address?
[07:01] <AlisonChaiken> Try "man brctl"    I recall you want to use brctl.
[07:02] <abhie2e> ok
[07:03] <abhie2e> no manual entry brctl
[07:05] <AlisonChaiken> abhie2e you must need to install whatever package brctl is in.   Doing so will make life easier.
[07:05] <abhie2e> ok
[07:05] <AlisonChaiken> Meanwhile I see that "do-release-upgrade -d" gets trusty even though it's not a development release.
[07:10] <w\laite> AlisonChaiken: If I recall correctly, LTS upgrade is available only after 14.04.1
[07:10] <w\laite> 12.04 -> 14.04, that is
[07:10] <AlisonChaiken> Ah, I see w\laite.   That explains it.
[07:11] <AlisonChaiken> Well, I'll get 14.04.1 when that comes along.
[07:11] <AlisonChaiken> I don't care that much about LTS, and I need the new binutils now!
[07:11] <AlisonChaiken> Thx for the explanation.    The commands' error message is a bit unhelpful in that regard.
[07:11] <w\laite> yeah, np
[08:34] <fedcab> Hello, I just set up a ubuntu server. I can get a remote console via ssh but the local console doesn't appear although the getty processes show up in the process list. Where can I look for help?
[11:15] <pmatulis> morning
[11:47] <histo> *yawn*
[12:49] <zul> jamespage:  keystone needs oslo.db now
[12:51] <jamespage> zul, that's good
[12:51] <zul> jamespage:  meh
[13:11] <jamespage> zul, the nova.conf we ship with needs a tidy - its has at least 4 removed configuration options :-)
[13:11] <zul> jamespage:  um?
[13:11] <jamespage> zul, http://paste.ubuntu.com/7690330/
[13:12] <jamespage> zul, I just merged that tidy into the charms
[13:12] <zul> jamespage:  ok ill get rid of it for power
[13:12] <jamespage> zul, no - that's in the debian/nova.conf as well
[13:12] <jamespage> zul,  inthe packaging
[13:13] <zul> jamespage:  k gimme a sec
[13:13] <jamespage> zul, its non-urgent
[13:13] <zul> jamespage:  im just cleaning up the packaging today
[13:14] <zul> jamespage:  everything must be blue! ;)
[13:42] <tom[]> does 14.04 by default scan /etc/network/interfaces.d or must i add 'source /etc/network/interfaces.d/*' to /etc/network/interfaces?
[13:46] <nandersson> Hi, Samba 4.1.9, a security-release just got released. Will that version flow into Trusty? (I am also interested in getting at least samba 4.1.8 because that version contains a fix that makes it possible to use realmd to join a Samba AD DC)
[13:47] <nandersson> ...currently Trusty is on samba 4.1.6, and in Trusty-proposed for Ubuntu 14.04.1 I still see samba 4.1.6...
[14:10] <rbasak> nandersson: security fixes are usually backported. After a security update, you're likely to see the same base upstream version since only the relevant security patches will be applied.
[14:10] <rbasak> I don't see any seucirty updates for samba in Trusty right now. If you want to track one and a bug doesn't already exist, then please file one and mention the CVE.
[14:12] <mdeslaur> nandersson: I can confirm we won't be updating to 4.1.9, we'll be backporting the actual security fix
[14:22] <nandersson> rbasak, mdeslaur Ok! Thanks a lot!
[14:53] <zoraj_> Hi all
[14:55] <zoraj_> I'm installing ubuntu server 14.04 on Dell PowerEdge
[14:55] <zoraj_> but I am unable to install the grub on MBR, there is an error, Unable to install Grub in /dev/sda
[14:55] <zoraj_> this is a fatal error
[14:55] <zoraj_> any clue ?
[15:26] <ashd> hi all. i need to drop back to php5.4 from php5.5 on a 14.04 LTS new install - due to an ioncube ecoded set of php files.  brand new server - not running anything so can remove and re-install whatever is needed.. annoyed as i did not notice the requirements and cannot find out how to drop back a version
[15:28] <pmatulis> ashd: will 5.3 do?  if so, consider installing Ubuntu 12.04
[15:33] <ashd> pmatulis: yes, realise that - just installed a fresh 14.04 LTS - know i can get it by re-installing 12.x
[15:36] <pmatulis> ashd: otherwise, you can *try* removing php5, enabling the quantal repo, and installing php5.4
[15:36] <ashd> pmatulis: that could be a way forward…
[15:37] <pmatulis> ashd: hm, dunno if quantal stuff is still available, it's EOL
[15:37] <pmatulis> ashd: anyway, it's a dubious way forward and could lead to problems later
[15:39] <ashd> pmatulis: think i will put that machine on hold and create another VM with 12.x - it will save time
[15:41] <ashd> back...
[15:44] <nandersson> Hi, does anybody know when we can expect vagrant cloud-images for Utopic? I.e here https://cloud-images.ubuntu.com/vagrant/ After release or during alpha-stage?
[16:31] <jiffe98> anyone running apache-mpm-itk on 14.04 successfully?  We're running it on 12.04 but in 14.04 with the same config it seems like it is trying to access the .htaccess file with the wrong user
[16:32] <dannf> jamespage, are you good w/ sponsoring the SRU for LP: #1320327? /me needs to make sure that gets in for 14.04.1 for new hw support
[16:34] <jamespage> bug 1320327
[16:35] <jamespage> dannf, already did - https://launchpad.net/ubuntu/trusty/+queue?queue_state=1&queue_text=
[16:35] <jamespage> its not been accepted by the SRU team yet
[16:36] <dannf> jamespage: ah, ok, thanks! i just confsued sponsoring w/ sru approving. many thanks! i'll go poke elsehwere
[16:36] <jamespage> dannf, np :-)
[16:42] <jiffe98> it must be trying to access the .htaccess file as www-data because if I change ownership to that and chmod 700 the directory it still works
[16:46] <jiffe98> this worked fine in 12.04, why do people have to go breaking things
[17:08] <tom[]> can the 14.04 installer write a preseed file?
[18:08] <zoraj> Hi,
[18:09] <zoraj> I've just finished installing Ubuntu Server, I also installed OpenSSH server
[18:10] <zoraj> when doing 'ssh localhost' it's ok but from other machine when doing something like ssh 192.168.1.2, I got a connection refused
[18:10] <zoraj> did I miss something ?
[18:11] <RoyK> zoraj: can you ping to/from the machine? did you setup ufw?
[18:11] <sarnold> zoraj: there's lots of ways a connection can be refused; first, check netstat -tlp | grep :22 to see what interfaces sshd is listening on
[18:12] <sarnold> zoraj: check firewalls on both machines as well as any firewalls that might be between the two
[18:13] <zoraj> RoyK, from the server I can ping to my laptop, and vice versa, and what is ufw ?
[18:13] <RoyK> !ufw | zoraj
[18:14] <zoraj> sarnold, netstat is not installed but sshd is listening on 22
[18:15] <sarnold> zoraj: with which local addresses?
[18:16] <RoyK> zoraj: netstat is part of net-tools, which should be installed by default
[18:17] <zoraj> sarnold, the server id address
[18:17] <zoraj> RoyK, ok thx gonna check it out
[18:17] <zoraj> ip* address
[18:20] <zoraj> I'm just editing /etc/ssh/sshd_config if I cound find out somthing to change, so I can be able to connect remotely to the server
[18:22] <RoyK> zoraj: the default config should be ok
[18:24] <zoraj> damn ! I had to put the option -l login
[18:24] <zoraj> I just did ssh ip_address
[18:25] <zoraj> and it asked me the login then the password
[18:25] <RoyK> zoraj: ssh username@host
[18:25] <RoyK> zoraj: that works too ;)
[18:26] <zoraj> RoyK, oh yeah ! you rock
[18:26] <zoraj> thanks guys
[18:26] <zoraj> next step, setting up the ftp server :P
[18:27] <RoyK> why ftp?
[18:27] <RoyK> ftp is a rather old and crappy protocol to which there are lots of alternatives :P
[18:27] <zoraj> RoyK, I will have to copy things from my laptop to the server, like sql file to run in mysql client
[18:27] <patdk-wk> ftp is broken since the invention of nat
[18:28] <RoyK> sftp? rsync over ssh? webdav?
[18:28] <patdk-wk> and you want to send your password in plain text over that internet?
[18:28] <zoraj> hmm... any suggestion
[18:28] <zoraj> ?
[18:28] <RoyK> zoraj: what're you running on the laptop?
[18:28] <RoyK> zoraj: if on windows, use filezilla with sftp (ftp over ssh)
[18:28] <RoyK> zoraj: if on linux, there are several other choices
[18:28] <zoraj> RoyK, Im using a mac
[18:28] <sarnold> zoraj: sftp is thousand times better
[18:29] <zoraj> ok gonna check that out
[18:29] <RoyK> zoraj: then AFP or Samba or something is probably the easiest
[18:29] <sarnold> zoraj: mac has sftp built-in, probably the "transfer" program can do sftp too if you want gui :)
[18:29] <RoyK> sarnold: filezilla works well on mac
[18:29] <zoraj> but I need a sftp daemon running on the server side right ?
[18:29] <sarnold> zoraj: ah, transmit rather :)  http://panic.com/transmit/
[18:29] <sarnold> zoraj: sshd provides one already.
[18:30] <zoraj> really ?
[18:30] <zoraj> let me check that out guys
[18:30] <zoraj> I'm installing things on a Dell PowerEdge
[18:30] <zoraj> to make it as a server
[18:31] <RoyK> webdav is supported by Finder in the first place
[18:31] <RoyK> so if you setup apache or whatever with webdav, it just works
[18:31] <zoraj> Royk, well, it wont be only me that will connect to the server, client that using Windows may use it too to transfer files
[18:32] <RoyK> zoraj: then use samba
[18:32] <zoraj> since, sshd is up and running, I'm gonna test filezilla to connect to it
[18:32] <RoyK> zoraj: it's not hard to setup, and both os x and windows will connect to it as though it were a windows server
[18:32] <sarnold> I wouldn't want to use samba over the open internet
[18:32] <RoyK> sarnold: neither would I
[18:33] <sarnold> samba over a LAN is fine or within a VPN is fine..
[18:33] <RoyK> SMB[23] are quite good over slow links too
[18:33] <sarnold> zoraj: winscp can also do sftpd.
[18:33] <RoyK> sarnold: better use filezilla - better UI
[18:33] <sarnold> s/sftpd/sftp/
[18:34] <sarnold> RoyK: .. and the same ui on all platforms. nice. I've never used it before..
[18:35] <RoyK> :)
[18:36] <zoraj> it works guys :) I didn't know that having sshd running, you could transfer files to it
[18:36] <RoyK> zoraj: you can tunnel a *lot* of stuff over ssh
[18:36] <zoraj> RoyK, okey
[18:37] <RoyK> setup a squid proxy and let a friend, currently in vietnam, to create an ssh tunnel to the box and use localhost as her proxy - suddenly she could reach things like facebook :P
[18:38] <zoraj> they blocked facebook in Vietnam ?
[18:42] <RoyK> zoraj: apparently, yes
[18:42] <RoyK> zoraj: nothing formal, just informal blocking :P
[18:43] <zoraj> ah ok
[18:43] <RoyK> zoraj: and then - she'd better use IRC from a box/vm in Norway than using the local network from there
[18:45] <zoraj> RoyK, I will probable take a look at setting up proxy next time, my next step is currently setting up Ruby and RoR because I will have to install Redmine that requires them
[18:46] <RoyK> zoraj: shouldn't be too hard. a proxy isn't necessary unless you need it for some reason
[18:48] <zoraj> okey
[19:13] <zoraj> to install web app like phpMyAdmin, redmine, where is the best way to put it out ?
[19:14] <Pici> Can you rephrase that question?
[19:15] <RoyK> zoraj: apt-get install phpmyadmin # ?
[19:16] <zoraj> Pici, well, I've just downloaded phpmyadmin code source so I can install it on my server as a mysql client
[19:16] <Pici> zoraj: Do you have a good reason for doing that instead of installing the package that is in our repositories?
[19:17] <zoraj> Pici, I didn't know I could install it from the repo, I'm a beginner
[19:17] <Pici> zoraj: You should assume that everything is in the repositories first. :)
[19:19] <zoraj> Pici,:) hopefully Redmine WebApp is also there because having to follow all of these instruction (http://www.redmine.org/projects/redmine/wiki/HowTo_Install_Redmine_on_Ubuntu_step_by_step) to make it work,
[19:19] <Pici> !info redmine
[19:20] <zoraj> let me check that out guys, anyway thanks
[19:20] <Pici> I'm not sure how up-to-date that is though... mysqladmin should work fine though.
[19:20] <zoraj> !info redmine
[19:20] <zoraj> ^^ looks like I am an irc beginner too
[19:57] <zoraj> sound like I messed up with /etc/resolv.conf. this link (http://www.howtogeek.com/howto/ubuntu/change-ubuntu-server-from-dhcp-to-a-static-ip-address/) suggests me to change this file to set up the dns server
[19:58] <zoraj> I rebooted the server and the file is now empty,
[19:58] <zoraj> so I couldn't resolve any website address name
[19:59] <zoraj> how I could regenerate the old setting ?
[19:59] <zoraj> within this file
[20:00] <zoraj> it warns me that ANY CHANGE WILL BE OVERWRITTEN
[20:03] <lordievader> zoraj: /etc/resolv.conf is dynamicly generated. The config files are in /etc/resolvconf/.
[20:05] <zoraj> :q
[20:05] <zoraj> oups :P
[20:05] <zoraj> lordievader, ok
[20:05] <lordievader> dynamicly*
[20:05] <lordievader> dynamically* pff...
[20:06] <zoraj> lordievader, I'm browsing the directory, but I didn't find which one is the the file to modify
[20:07] <lordievader> zoraj: I usually put my changes in /etc/resolvconf/resolv.conf.d/head
[20:08] <zoraj> there is a text on the header of this file that YOUR CHANGES WILL BE OVERWRITTEN
[20:09] <lordievader> zoraj: Correct, that is where the message in /etc/resolv.conf comes from ;)
[20:09] <zoraj> lordievader, so where I supposed to put the dns server address ?
[20:10] <genii> Alternately, add something like dns-nameservers 8.8.8.8 8.8.4.4       to /etc/network/interfaces and then resolvconf will act accordingly and use that
[20:10] <lordievader> ^ that is another approach.
[20:10] <genii> ( to the stanza for the adapter you want to use those dns, like eth0 or so on)
[20:11] <zoraj> genii, ok, let me do that and will back to you
[20:19] <zoraj> genii, it works like a charm :) thanks, I needed to restart the server to get it work though, the 'sudo /etc/init.d/networking restart' was useless
[20:20] <genii> zoraj: Better to use sudo service networking restart     .....but anyhow, glad to assist
[20:22] <zoraj> genii, ok thanks for your time guys
[20:22] <bluefrog> 'lo, my server is ipv6 only, if the website I want to reach (from that server) only has ipv4 then I'm screwed, correct?
[20:30] <genii> bluefrog: As I understand, you can use nat64/tayga for this, but I am not familiar with it's configuring.
[20:32] <bluefrog> to be honest with you i have no idea, set up a ubuntu server on an internet provider (gandi) with ipv6 only. no big deal, i will ask some network friends of mine
[20:33] <bluefrog> but i think i'm screwed. don't see why there would be some "reverse" ipv6 to ipv4
[20:33] <genii> !info tayga
[20:34] <genii> Meh, not much info there.
[20:34] <bluefrog> that's ok gonna have a read about that
[20:34] <maswan> bluefrog: in the general case you are screwed. there are ipv6<->ipv4 nat-like translators, but those require a gateway that has both. you could also imagine using a dual-stacked http proxy to acces v4-only from a v6-only machine, etc.
[20:35] <bluefrog> genii thx. gonna read http://www.bitprocessor.be/2011/05/31/setting-up-nat64-dns64/
[20:36] <bluefrog> maswan, thx.  I like to move forward generally so will have a quick look but won't waste too much time on it. thx for the answers
[20:36] <bluefrog> ipv6 is the future. ipv4 is dead except that most peeps don't accept that fact.
[20:36] <TJ-> bluefrog: how about https://www.sixxs.net/tools/gateway/
[20:37] <bluefrog> TJ-, cheers will read as well
[20:37] <maswan> at least I'm at the point where most of the services I run are dual-stacked, except for some that have a very limited community
[20:38] <bluefrog> cool
[20:38] <maswan> (se.archive.u.c is most relevant here, I guess)
[20:39] <maswan> 17% of requests came in over ipv6 the last 7 days
[20:39] <bluefrog> nice number
[20:40] <maswan> that's mostly running ubuntu system hitting dists etc for apt-get update
[20:40] <maswan> in bytes it is 4.4%, and that's mostly debian cd downloads
[20:41] <maswan> huh, 75% of downloaded bytes is debian cd, 75% of hits is ubuntu/dists
[20:42] <bluefrog> i like what TJ- page says :) "When they get enough hits they might be hinted that IPv6 use is rising and maybe we can pursuade them this way to start making their websites natively IPv6 accessible. "
[20:50] <shodan45> is there a reason that the /initrd.img symlink uses an absolute path?
[20:52] <TJ-> shodan45: on what release, which kernel?
[20:54] <shodan45> TJ-: 12.04 "mythbuntu" install, 3.8.0-31-generic
[20:55] <shodan45> but I'm testing with a plain 12.04 server install inside a vm
[20:55] <shodan45> oh heh, the goal here is to pxe boot :)
[20:55] <TJ-> shodan45: I don't have a 12.04 bare VM install to hand, but here with 14.04 the links aren't absolute
[20:55] <shodan45> TJ-: hm, interesting
[20:55] <TJ-> shodan45: "initrd.img -> boot/initrd.img-3.13.0-29-generic"
[20:56] <shodan45> I wouldn't mind upgrading to 14.04, except that this is an "appliance" type box, and it works 100% as-is
[20:57] <shodan45> TJ-: any idea where that symlink gets created?
[20:57] <tgm4883> shodan45: which is 100% what I would recommend as well :)
[20:57] <TJ-> shodan45: Via update-initramfs I'd suspect
[20:57] <tgm4883> shodan45: I can check my 12.04 box if you just tell me what I'm looking for (installing a sophos email appliance right now)
[20:58] <shodan45> or, alternately, is there another symlink pointing to the "current" kernel & initrd?
[21:00] <shodan45> tgm4883: I'm not really "looking" for anything - I'm trying to create a symlink to the current kernel, but the whole FS is going to be NFS mounted
[21:01] <tgm4883> Yea we really haven't had any good instructions/tools since laga left the project
[21:01] <tgm4883> *for pxe bootin
[21:03] <TJ-> shodan45: Not sure quite what you're requiring to do, but I wrote an article and support scripts for auto-config of PXE boot server @ http://tjworld.net/wiki/Linux/Ubuntu/NetbootPxeLiveCDMultipleReleases
[21:05] <shodan45> TJ-: I'm worried that when a kernel or initrd update happens (while pxe/tftp/nfs booted), the pxelinux config will be pointing at the wrong files
[21:05] <shodan45> TJ-: make sense? or need more details? :)
[21:07] <TJ-> shodan45: Yes, I can see what you're getting at... you need to manage that on the NFS server. a cron job, or a startup-script with inotify that checks the exported directory links would be my solution.
[21:11] <shodan45> TJ-: ahh I think I see what you mean... make a script that runs on shutdown that "fixes" the symlink
[21:12] <TJ-> shodan45: Well, that, or if the rootfs on NFS has been changed, update the pxeconfig itself to point to the updated kernel/initrd pair
[21:12] <shodan45> true
[21:12] <shodan45> hmm
[21:14] <TJ-> shodan45: You could unconditionally update the PXE config using inotify watches, so that any new boot after the update uses the updated kernel/initrd pair. Are multiple systems sharing the rootfs? Is it read-only for some or all clients? There are several issues to consider in doing it.
[21:19] <shodan45> TJ-: nah, single NFS client... I'm just trying to stop using a cheap USB stick to run the OS :)
[21:19] <TJ-> ahhh :)
[21:20] <shodan45> I've done it before, and they inevitably die
[21:20] <shodan45> and I have a nice 3TB raid array with gig-e network, so.... :)
[21:48] <Randy_O> Anyone have any experience repairing server ports? I have a server that can't connect or be connected to over port 80. I have apache2 running and had an http proxy running, removing the proxy broke the server.
[21:49] <maswan> netstat or lsof can tell you what process is listening on a particular port
[21:50] <Randy_O> I've got that, it says it's just apache2 but I cant apt-get or wget, but I can ping any host.
[21:50] <shodan45> Randy_O: sounds like a firewall... why did you get rid of the proxy?
[21:51] <Randy_O> shodan45, the firewall is completely disable at this time, and I got rid of the proxy because it was for a local network at home but I don'
[21:51] <Randy_O> don't need anymore
[21:52] <shodan45> can you connect to apache over localhost?
[21:52] <shodan45> aka telnet localhost 80
[21:52] <sarnold> Randy_O: iptables -n -L  shows you no rules that get in the way?
[21:52] <Randy_O> wget : Connecting to 10.0.1.200:80... failed: Connection refused.
[21:53] <histo> Randy_O: what's iptables -n -L show?
[21:53] <shodan45> could also be a firewall external to the server
[21:54] <Randy_O> http://paste.ubuntu.com/7692405/
[21:54] <sarnold> netstat -tnlp ?
[21:55] <TJ-> Randy_O: !! did you see my last couple of messages in #ubuntu, much earlier?
[21:55] <Randy_O> sarnold, http://paste.ubuntu.com/7692411/
[21:55] <Randy_O> TJ-,  no, I scrolled back to find it, but didnt catch it
[21:55] <Randy_O> TJ-, supper time for me :)
[21:55] <Randy_O> TJ-, back now
[21:55] <TJ-> Jun 23 21:17:59 <TJ->   Randy_O: If you can get a listing on .200 of what avahi is seeing that may be useful: "avahi-browse -akrt"
[21:56] <Randy_O> TJ-, http://paste.ubuntu.com/7692417/
[21:56] <sarnold> Randy_O: most irc clients have something like /lastlog -hilight
[21:57] <sarnold> txt = ["Machine Name=Thomas Ross’s Library" "Password=0" "iTSh Version=196618" ....  ?
[21:57] <Randy_O> sarnold, itunes media sharing
[21:58] <sarnold> Randy_O: I'm just hoping "password=0" means "no password necessary" rather than "the password to use is 0"  :)
[21:58] <Randy_O> sarnold, ha, yeah, it's no password. 0 would be an easy password to guess
[22:00] <TJ-> Randy_O: Nothing obvious there. I've installed and removed squid-deb-proxy and squid-deb-proxy-client here to try to recreate your scenario, but been unable to
[22:01] <sarnold> yeah I certainly expected to see some iptables rules or at least see apache bound to something other than 0.0.0.0:80.
[22:01] <TJ-> Randy_O: The bit that constantly brings me back to netfilters/nftables, is that *outgoing* connections to tcp port 80 are being refused, but when "iptables -S" shows no local netfilters rules at all
[22:02] <sarnold> which then makes me think in crackpot land that perhaps there's a rootkit on the machine. that's a mighty big jump to make though..
[22:03] <TJ-> Randy_O: On .200, try connecting to my own server with this and I'll watch the incoming connections "FQDN="tjworld.org"; PORT="80"; exec 4<>/dev/tcp/$FQDN/$PORT; echo -e "GET / HTTP/1.1\nHost: $FQDN\r\nConnection: close\r\n\r\n" >&4; RESPONSE=$(cat <&4); echo "$RESPONSE"; exec 4<&-;"
[22:03] <Randy_O> TJ-,  I havent messed around with the firewall much. The server is mostly local, and only goes outside the network for https traffic (owncloud)
[22:03] <TJ-> sarnold: Yes, and we checked for arp cache poisoning and negated that
[22:04] <Randy_O> TJ-, done, -bash: /dev/tcp/tjworld.org/80: Connection refused
[22:04] <TJ-> Randy_O: what's your network's public IP - my server gets hit alot so I'm not sure if I saw a connection or not!
[22:04] <Randy_O> 99.240.178.102 it's dynamic, but usually the same
[22:05] <Randy_O> you could connect to it on https://99.240.178.102
[22:05] <TJ-> Randy_O: no, no connections
[22:06] <TJ-> Randy_O: is apache still listening on 0.0.0.0:80 on .200?
[22:06] <TJ-> Randy_O: if so, also from .200, try a localhost connection: "FQDN="127.0.0.1"; PORT="80"; exec 4<>/dev/tcp/$FQDN/$PORT; echo -e "GET / HTTP/1.1\nHost: $FQDN\r\nConnection: close\r\n\r\n" >&4; RESPONSE=$(cat <&4); echo "$RESPONSE"; exec 4<&-;"
[22:07] <Randy_O> TJ-, tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      2259/apache2
[22:07] <Randy_O> TJ-, -bash: /dev/tcp/127.0.0.1/80: Connection refused
[22:07] <TJ-> Randy_O: Right, so a local loopback *should* succeed
[22:07] <Randy_O> TJ-, it didnt
[22:08] <TJ-> Randy_O: So, definitely something on .200 then
[22:08] <Randy_O> interfaces?
[22:08] <Randy_O> resolv?
[22:08] <Randy_O> hosts?
[22:08] <TJ-> Randy_O: At least we are sure now that it is a local issue. Can't be a resolver issue since we're using IP addresses
[22:08] <Randy_O> sorry, didnt' mean to spam. I've checked all those, and I'm pretty sure they're all done correctly
[22:08] <Randy_O> TJ-,  ok, so not resolv.
[22:09] <sarnold> TJ-: checking arp cache was a good one.
[22:11] <sarnold> TJ-: maybe the tc traffic-control stuff? (yes, a huge guess..)
[22:12] <sarnold> Randy_O: can you pastebin ip addr list   and ip route list  ?
[22:12] <TJ-> Randy_O: Rationally, despite everything we've seen, it still *feels* like a firewall issue. On that working assumption, lets explore some more. Can you show us "sudo iptables -t nat -S && sudo iptables -t filter -S && sudo iptables -t security -S && sudo iptables -t mangle -S"
[22:13] <Randy_O> sarnold, http://paste.ubuntu.com/7692451/
[22:13] <shodan45> what about apparmor or selinux?
[22:14] <Randy_O> TJ-, http://paste.ubuntu.com/7692454/
[22:14] <Randy_O> shodan45, checked, and both still default config
[22:14] <TJ-> sarnold: here are the pastebins: iptables: http://paste.ubuntu.com/7691344/   port 80 tcpdump from a client .202: http://paste.ubuntu.com/7691434/   "ip route ls table all" http://paste.ubuntu.com/7691465/  "netstat -plnt" http://paste.ubuntu.com/7691508/
[22:15] <sarnold> shodan45: it'd take some effort to get apparmor to block outgoing connections and it currently couldn't deny access to only outgoing port 80
[22:15] <TJ-> HAHA! I was correct at our first investigation! There's amasquarading rule still in place for a transparent proxy
[22:15] <sarnold> oooh, -A FORWARD -i p4p1 -j ACCEPT ...
[22:16] <TJ-> Randy_O: -A PREROUTING -i p4p1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
[22:16] <TJ-> Randy_O: OK, do this to see just that table: "sudo iptables -t nat -S"
[22:16] <shodan45> sarnold: yeah, I'm not familiar with apparmor, other than it's a competitor to selinux
[22:17] <Randy_O> TJ-, http://paste.ubuntu.com/7692463/
[22:19] <TJ-> Randy_O: "sudo iptables -t nat -F && sudo iptables -t nat -F OUTPUT"
[22:19] <Randy_O> TJ-,  good, I'll reboot to see if it holds
[22:20] <TJ-> Randy_O: not yet!
[22:20] <Randy_O> TJ-, oops, I did.
[22:20] <TJ-> Randy_O: Test it to be sure it works now, then we'll remove it from the saved settings :)
[22:20] <TJ-> Randy_O: >> Jun 23 18:23:29 <TJ->   Randy_O: Did you have any transparent proxy netfilters rules set by iptables ?
[22:21] <Randy_O> TJ-,  ok, so it did work, I was able to apt-get. reboot un did it. so to make permanent change?
[22:21] <TJ-> Randy_O: If it works after the reboot, then something is saving the current iptables rules at shutdown and reloading them at start-up, so you'er fixed
[22:21] <Randy_O> TJ-,  it failed on reboot, and I issed that command line again and it's working again. rebooting undoes something
[22:22] <TJ-> Randy_O: I wonder if you have UFW installed?
[22:22] <Randy_O> TJ-,  I do
[22:23] <TJ-> Randy_O: OK, lets find out the brute-force way, looking for all port 3128 mentions: "sudo grep -rn '3128' /etc/*"
[22:24] <Randy_O> TJ-,  mostly webmin, http://paste.ubuntu.com/7692480/
[22:24] <sarnold> eeeek
[22:24] <Randy_O> TJ-,  line 2-3 seem odd
[22:24] <TJ-> Randy_O: Yes, that's it "etc/firewall.conf"
[22:25] <Randy_O> TJ-, cat /etc/firewall.conf http://paste.ubuntu.com/7692483/
[22:27] <TJ-> Randy_O: So, with the rules now removed, simply do "sudo iptables-save >/etc/firewall.conf"
[22:27] <Randy_O> TJ-,  -bash: /etc/firewall.conf: Permission denied
[22:28] <TJ-> Randy_O: oh of course, silly me!
[22:28] <TJ-> Randy_O: So, with the rules now removed, simply do "sudo iptables-save | sudo dd of=/etc/firewall.conf"
[22:28] <sarnold> haha, dd
[22:28] <TJ-> Randy_O: Then, we'll find out which service/helper is configured to write to that file
[22:28] <Randy_O> TJ-,  done, reboot?
[22:29] <TJ-> No need
[22:29] <TJ-> Randy_O: I think you may have got the instructions for that from here: http://www.debian-administration.org/article/445/Getting_IPTables_to_survive_a_reboot
[22:29] <Randy_O> TJ-, no, I know it'll take effect without reboot, but I want to reboot to check if the config holds
[22:30] <TJ-> Randy_O: Or, it is possible that in webmin, under Network > Linux Firewall, you've configured it to save the rules to that file. You'd need to access the webmin web interface on port 10000 to check that, though
[22:30] <TJ-> Randy_O: It will, just re-read the /etc/firewall.conf file to make sure those rules for 3128/80 ports are gone
[22:31] <Randy_O> TJ-, that page is in fact in my history, but I dont recall doing any of that. I rebooted, it's all good now. So, thanks again, I dont think I could have figured that out on my own. Now I know :)
[22:31] <TJ-> Randy_O: Let's be sure it is webmin doing it, so you know
[22:33] <Randy_O> TJ-, Ive done 3 reboots now and It seems to be good. I went into webmin and tried to reset the firewall, and it's still working ok
[22:33] <TJ-> Randy_O: You should be able to get to it with "http://10.0.1.200/config.cgi?module=firewall&section=line1"
[22:34] <TJ-> Randy_O: That takes you to the Firewall module configuration page
[22:34] <TJ-> Randy_O: on that page there is an option to use the OS default location, or set your own. "IPtables save file to edit 	Use operating system or Webmin default  "
[22:34] <TJ-> Randy_O: My guess is, you have a manually set path there of "/etc/firewall.conf"
[22:37] <Randy_O> TJ-, it was set to use OS or webmin default
[22:38] <TJ-> Randy_O: OK, maybe it's here then: "cat /etc/network/interfaces"
[22:39] <TJ-> Randy_O: I have, for example, "    post-up /sbin/iptables-restore < /etc/iptables.up.rules"
[22:40] <Randy_O> TJ-, yep, that line is there
[22:40] <Randy_O> TJ-, below iface lo inet loopback
[22:40] <TJ-> Randy_O: OK, so you know now how /etc/firewall.conf is loaded at startup, and you know how to save the current rules with "iptables-save > /etc/firewall.conf"
[22:41] <Randy_O> TJ-, I do now
[22:41] <TJ-> Randy_O: :D blimey, that was a stiff test!
[22:41] <Randy_O> TJ-, haha, for sure, I'm pretty good with this kind of stuff, but this issue was way out of my league.
[22:42] <Randy_O> TJ-, thanks again for the help
[22:42] <TJ-> Randy_O: you're welcome; thanks for the brain-teaser :)
[23:44] <autojack> I just had a strange problem that doesn't jive with my knowledge/experience of apt.
[23:46] <autojack> I'm on Precise. my company has our own apt repo that we use in addition to the default Ubuntu ones. we have a newer-than-standard version of bind9 in there. apt-cache showpkg bind9 shows me that version, as well as two older ones from the Ubuntu apt repos. yet when I tried to do apt-get install bind9=9.8.1.dfsg.P1-4ubuntu0.8 (one of the Ubuntu versions) it tells me that version is not found.
[23:46] <autojack> commenting out our internal apt repo and doing an apt-get update allowed me to install that other version.
[23:46] <autojack> but I don't understand why I had to do that, since showpkg displayed it as an available version.
[23:46] <autojack> thoughts?