| cryptodan | Annoyed: it might be | 00:00 |
|---|---|---|
| Annoyed | ls | 00:06 |
| Annoyed | how would that work? | 00:08 |
| cryptodan | I wouldnt know as I do not use a PC for a router | 00:10 |
| Annoyed | I just don't get how the thing can retain the masq. settings after reboot. | 00:13 |
| cryptodan | you can run a tcpdump session and analyze the traffic with wireshark | 00:14 |
| bekks | Annoyed: ufw e.g. saves and loads settings upon reboot. | 00:15 |
| Annoyed | That's not enabled right now. | 00:15 |
| Annoyed | Ok, that mystery is cleared up. | 00:25 |
| bekks | How did it clear up? | 00:26 |
| Annoyed | The other machine on the "inside" was getting out through it's wlan interface. | 00:26 |
| Annoyed | killed that, and now it's behaving as expected; can get to the router box, but no farther. | 00:26 |
| Annoyed | So, client machine can get DHCP address & DNS from the server box. but can't get out. Going try ufw "by the book" again | 00:33 |
| Annoyed | cryptodan: by the way, that /etc/udev/rules.d directory you mentioned is empty | 00:37 |
| Annoyed | There's a readme that sends you to /etc/udev/rules.d/ | 00:42 |
| Annoyed | I think I'm gonna turn that damned thing off.. no frakkin' idea why they want to rename things anyway | 00:43 |
| cryptodan | it shouldnt be empty | 00:46 |
| Annoyed | Well, just turned it off in grub. | 00:46 |
| cryptodan | Annoyed: http://dpaste.com/0KDQCFV | 00:48 |
| Annoyed | Mine has the readme, that's it | 00:50 |
| Annoyed | Well, that went well. It doesn't even see either ethernet card now | 00:51 |
| Annoyed | ifconfig shows lo, that's it | 00:51 |
| cryptodan | Annoyed: time to reinstall | 00:52 |
| Annoyed | This IS a new install. just doing initial setup. | 00:52 |
| Annoyed | and there is no /dev entry for eth* of any sort | 00:53 |
| jerrcs | you should be using "ip addr" or "ifconfig -a" | 01:02 |
| jerrcs | the interface COULD be down. | 01:02 |
| jerrcs | (just as a best practice, no one else seemed to comment on that) | 01:03 |
| Annoyed | Well, there should STILL have been a /dev entry for eth(x) | 01:09 |
| Annoyed | Apparently, you have let it rename things. | 01:10 |
| === Lcawte is now known as Lcawte|Away | ||
| Annoyed | The cynical side of me thinks they are overcomplicating this in order to generate paid support calls | 01:13 |
| jerrcs | Annoyed: so it shows up there? | 01:18 |
| jerrcs | or not | 01:18 |
| Annoyed | the only way the machine sees it's ethernet intefaces is with biosdevname turned on. then it sees p2p1 and p3p1, both enet cards | 01:19 |
| Annoyed | Not sure yet... but I think I might have it | 01:38 |
| Annoyed | Setting the default policy on the input chain to accept allows the inside machine to work.... So. maybe you have to add established/related rules via ufw | 01:39 |
| cryptodan | Annoyed: you say biosdevname exists in the latest server iso? | 01:50 |
| Annoyed | That's what Installed. 14.04.1, downloaded last week | 01:51 |
| cryptodan | im downloading now and will install in a VM | 01:51 |
| Annoyed | so much for the idea or needing established/related rules. | 01:58 |
| Annoyed | They're in the before.rules file already | 01:58 |
| cryptodan | 3 more minutes on download | 01:59 |
| benpardo | If I'm not supposed to do things on root, how do I get to run my reverse proxy on port 80? | 01:59 |
| Annoyed | sudo su to get root permissions temporarily | 02:00 |
| Annoyed | "sudo su" that is | 02:00 |
| benpardo | Annoyed: Is that secure? That's the best way to do it? | 02:01 |
| benpardo | Annoyed: don't mean to be a pain in the ass, I'm just new to this. | 02:01 |
| Annoyed | As far as I know. the root account is disabled by default, but if you want to enable it, you can. But "sudo su" gives you temp. access, usually all you need | 02:02 |
| cryptodan | Annoyed: installing | 02:04 |
| benpardo | what folder on ubuntu should I put the generated static files being served? | 02:10 |
| cryptodan | Annoyed: I just installed a fresh copy of Ubuntu Server 14.04.1 and my devices for ethernet are Eth0 | 02:10 |
| teward | benpardo: it depends on the website configuration - if you're on standard Apache, I think it's on /var/www/ somewhere, if you're on nginx, you should make your own docroot somewhere | 02:13 |
| benpardo | teward: I'm nodejs, does it matter? | 02:13 |
| benpardo | teward: although nginx is going to be the reverse-proxy | 02:14 |
| teward | benpardo: then refer to the nodejs configuration | 02:14 |
| teward | benpardo: i've never used nodejs, but in all web servers and setups, the docroot varies based on the configurations | 02:14 |
| teward | benpardo: so refer to your configurations and find where the document root is | 02:15 |
| benpardo | teward: ah, I see. It may not actually matter and may be something I can set myself | 02:15 |
| Annoyed | cryptodan: Maybe because I'm using UEFI setup on the drives? | 02:15 |
| cryptodan | that wouldnt matter Annoyed | 02:16 |
| teward | benpardo: yes, it really depends on what nodejs lets you configure. it may have a fixed document root or a variable one, it really depends on the configurations, and really the docroot can be anywhere so long as the web server has the access it needs to the docroot | 02:16 |
| benpardo | teward: that really helps | 02:17 |
| Annoyed | cryptodan: Well, I dunno. I have no idea why it's renaming them. I don't really like it, but it's not worth redoing the past week's work to re-install to see what I get. I can live with odd names. And I really don't think that's why I'm having ufw issues. UFW / Iptables IS working now, 'cause I have the default policy for the input chain set to accept. If the device names were the issue, I don't think it would work | 02:19 |
| === zz_DenBeiren is now known as DenBeiren | ||
| Annoyed | But I shouldn't have to set input chain policy to accept to get NAT to work | 02:20 |
| Annoyed | Either UFW can't handle NAT and firwalling right, (which I doubt) or there's something I'm not seeing | 02:21 |
| cryptodan | UFW can | 02:21 |
| Annoyed | I would think it would be able to, but I'm not seeing something. | 02:42 |
| Annoyed | Thanks, folks. | 03:38 |
| Annoyed | enough on this for today | 03:38 |
| === bilde2910|away is now known as bilde2910 | ||
| === hachre_ is now known as hachre | ||
| lordievader | Good morning. | 09:05 |
| lnxmen | Good morning. ;) | 09:21 |
| === Lcawte|Away is now known as Lcawte | ||
| samba35 | how do i assign ip address another guest from guest has dhcp server (both as guest ) | 13:05 |
| samba35 | using ovs version 2.0.2 on ubunut | 13:05 |
| samba35 | using openvswitch | 13:05 |
| mustti | happy new year 2015 to all | 13:08 |
| hariom | I have added an init script. Ran the update-rc.d command to run it after reboot (ps: http://paste.ubuntu.com/9664927/) but after reboot it doesn't run. Manually it runs fine. | 13:11 |
| hariom | Here is my init script: http://paste.ubuntu.com/9664956/ | 13:16 |
| hariom | I have added an init script. Ran the update-rc.d command to run it after reboot (ps: http://paste.ubuntu.com/9664927/) but after reboot it doesn't run. Manually it runs fine. | 13:19 |
| hariom | Here is my init script: http://paste.ubuntu.com/9664956/ | 13:19 |
| jefinc | anyone awake? | 14:14 |
| ObrienDave | barely | 14:16 |
| jefinc | uh oh too many brown bottles | 14:17 |
| fabiofranco85 | (Ubuntu 14.04 LTS) Need to change locale settings for a specific country (pt_BR). The problem is when try to use resources that use these setting it returns the wrong results. Example: In java if I try to get the currency symbol it gives me BRL when it should give me R$ and the decimal separator is , and it gives me . (and the other way around too). I came to the conclusion the problem | 15:49 |
| fabiofranco85 | is with the operating system configuration since I tried on a machine runing windows and it worked perfectly. Any suggestions? | 15:49 |
| bekks | fabiofranco85: I guess thats correct so far (at least for the currency), since the international identifier for your currency is BRL, not R$ (which is the national one). It is the same for the Euro with EUR vs. €, and for the US Dollar with USD vs $. | 15:51 |
| fabiofranco85 | bekks: I understand but is there a file or some place where I can set the Display symbol for the currency? | 15:55 |
| fabiofranco85 | bekks: I´m asking this because as I said it works on windows but when I run it on ubuntu server it goes wrong... and it´s not just the symbol | 15:56 |
| fabiofranco85 | bekks: the decimal and thousand separator are also wrong | 15:56 |
| jefinc | how do I create a server that is then setup so that no matter what computer I access on the network I login with the same user/password and all my preferences are the same? | 15:56 |
| Patrickdk | ldap+nfs | 16:09 |
| Annoyed | Greetings | 16:09 |
| Annoyed | Any of the folks who were helping me yesterday around? | 16:09 |
| Annoyed | anhyone here good with iptables? | 16:14 |
| jerrcs | what's your question? | 16:15 |
| Patrickdk | !ask | 16:15 |
| ubottu | Please don't ask to ask a question, simply ask the question (all on ONE line and in the channel, so that others can read and follow it easily). If anyone knows the answer they will most likely reply. :-) See also !patience | 16:15 |
| jerrcs | 400 ppl in the channel, i'm sure someone will know something about iptables. | 16:15 |
| Patrickdk | do bots count? | 16:16 |
| jerrcs | yup | 16:16 |
| Patrickdk | and I count 3 times? | 16:16 |
| jerrcs | yep | 16:16 |
| Patrickdk | can I get payed 3 times? | 16:17 |
| jerrcs | absolutely | 16:17 |
| Annoyed | Can I specify a list of ips on an allow line? such as -A input -i [interface_name] x.x.x.x, y.y.y.y, z.z.z.z -j ACCEPT ?? | 16:17 |
| Patrickdk | no, and that is highly invalid even if you didn't | 16:17 |
| Annoyed | Yeah, I know.. the exact syntax isn't right | 16:18 |
| jerrcs | Annoyed: have you tried CIDRs instead? or are the IPs in different ranges? | 16:18 |
| Annoyed | jerrcs: totally different | 16:18 |
| jerrcs | then negative, it doesn't work that way | 16:18 |
| Patrickdk | the solution is to use, ipset | 16:19 |
| Annoyed | bah. I have to allow ssh anda few other things from several ips and I wanted to do it on one line | 16:19 |
| jerrcs | first result on google - http://www.gossamer-threads.com/lists/gentoo/user/210361 | 16:19 |
| jerrcs | they give a few ideas for creating "sets" of rules | 16:20 |
| Annoyed | Jerrcs, if you recall, I was having difficulty with ufw yesterday? couldn't get it to do NAT unless the default input policy was accept? I ended up giving up on it and writing a manual ruleset.. that does work | 16:22 |
| Patrickdk | do what? | 16:23 |
| Patrickdk | input policy has NOTHING to do with nat at all | 16:23 |
| Patrickdk | nat ONLY uses the forward rules | 16:23 |
| Annoyed | Well, following the ufw directions at https://help.ubuntu.com/14.04/serverguide/firewall.html to the letter, I couldn't get a natted box online unless I opened the input chain. | 16:25 |
| Patrickdk | yes, your diagnostics where wrong though | 16:25 |
| Patrickdk | maybe your NAT server also did DNS? | 16:26 |
| Patrickdk | and you didn't open up DNS? on input/output chains? | 16:26 |
| Patrickdk | therefor it *seemed* like nat was broken? | 16:26 |
| Patrickdk | and you did apply the correct rules to allow the required icmp through both? | 16:27 |
| Annoyed | Hmmm... Well, the machine does run DNS (full server, not cache) and it is able to resolve it's own needs fine | 16:27 |
| Patrickdk | but can the machine you tested nat on resolve fine? | 16:28 |
| Patrickdk | you ahve to test the whole stack | 16:28 |
| Patrickdk | not just the end result | 16:28 |
| Annoyed | Not sure about ability to resolve. I think it could, though. | 16:32 |
| Patrickdk | my recommendation though, would be to use shorewall | 16:33 |
| Patrickdk | after years of doing iptables and ipchains myself, and finding my own issues, like multible rules interacting to cause holes I didn't want and stuff | 16:33 |
| Patrickdk | shorewall just makes my life so much easier | 16:33 |
| jerrcs | i honestly use raw rules and not much of these programs | 16:33 |
| jerrcs | so i cannot speak on them | 16:33 |
| Patrickdk | I do raw iptables too, but shorewall on anything harder now :) | 16:34 |
| Patrickdk | but sometimes I need to get creative, and use raw iptables for things, expecially stuff like ipvs and manual protocol violations | 16:34 |
| Patrickdk | cause shorewall isn't made to actually break things | 16:34 |
| Patrickdk | things can get alittle fun, when you have like 15+ nic's on a system, it's just a royal pain to do all that manually in iptables | 16:35 |
| Annoyed | But I don't have any allowances for port 53 in my current ruleset, and it works. I assume established,related allows the returns for outbound DNS queries | 16:36 |
| Patrickdk | yes | 16:36 |
| Patrickdk | but what accepts inbound from your machines from *behind* the nat? | 16:37 |
| Patrickdk | workstation -> nat -> outside dns | 16:37 |
| Patrickdk | you have to accept workstation -> nat first, before nat can go outside | 16:37 |
| Patrickdk | that wouldn't be a forward rule, cause your contacting a dns server onyour nat box, most likely | 16:38 |
| Annoyed | the nat box IS the dns server also. | 16:38 |
| Patrickdk | what I said is full of assumptions about how you set things up | 16:38 |
| Annoyed | yes, exactly | 16:38 |
| Patrickdk | but normally that is how people do it | 16:38 |
| Annoyed | but I do recall errors in the logs regarding port 53 | 16:38 |
| Patrickdk | on a normal home nat setup, you need to accept dhcp, dns, probably just all of icmp, and then if you get more fancy, upnp | 16:39 |
| Annoyed | Jan 2 21:56:22 unimatrix0 kernel: [ 6682.487057] [UFW BLOCK] IN=p2p1 OUT= MAC=10:c3:7b:db:99:5a:48:5b:39:1e:29:5b:08:00 SRC=172.16.0.13 DST=172.16.0.254 LEN=79 TOS=0x00 PREC=0x00 TTL=64 ID=48164 DF PROTO=UDP SPT=5088 DPT=53 LEN=59 | 16:40 |
| Annoyed | so, if I get you right, I would have to allow port 53 from any inside interface ? | 16:43 |
| Annoyed | I'm no iptables expert, so I assume something like ufw could write a better ruleset than I can, so I tried that. | 16:44 |
| Annoyed | If I want to use ufw, just add a rule to allow anything from the inside interface to the input chain? | 16:46 |
| Annoyed | Patrickdk: You still here? | 18:02 |
| Annoyed | If so, thank you. It was indeed DNS that was being blocked | 18:03 |
| Patrickdk | ufw doesn't write rulesets | 18:04 |
| Patrickdk | it only is an interface between you and iptables | 18:04 |
| Patrickdk | personally, I think it's a pointless interface | 18:04 |
| Patrickdk | but since ubuntu/debian has no persistant iptables interface, it needed something | 18:04 |
| Annoyed | Well, thank you anyway. I added lines to /etc/ufw/before.rules as follows | 18:07 |
| Annoyed | # allow all on inside interface | 18:07 |
| Annoyed | -A ufw-before-input -i p2p1 -j ACCEPT | 18:07 |
| Annoyed | -A ufw-before-output -o p2p1 -j ACCEPT | 18:07 |
| Annoyed | basically copied the settings for lo and was all set | 18:08 |
| Annoyed | working as desired | 18:08 |
| Annoyed | And I assume that ufw can do a better job writing a ruleset than I can. =) | 18:09 |
| Patrickdk | if p2p1 is your *local* network, should be good enough :) | 18:15 |
| Annoyed | Yes, p2p1 is my inside interface | 18:46 |
| Annoyed | p3p1 is outside. For some reason, Ubuntu renamed them. | 18:47 |
| Annoyed | I tried to disable the biosdevname thing but it wouldn't even see ANY network intefaces then. | 18:48 |
| Annoyed | As long as it works, I'm not going worry about what it calls them | 18:48 |
| jefinc | so on my work's windows network I sign in with the same username/password from any computer within the network and it saves my settings/info etc., how do I do that with ubuntu? | 21:11 |
| === _KaszpiR__ is now known as _KaszpiR_ | ||
| SchrodingersScat | jefinc: https://help.ubuntu.com/community/SettingUpNFSHowTo ? | 21:44 |
| jefinc | SchrodingersScat: I will give it a go, thanks :) | 21:44 |
| NineTeen67Comet | Hello all .. been a while since I set up Ubuntu server (I've been running 13.04 for a while) .. this time however I moved 000-default to sites-available and restarted with my virtual files in sites-enabled but it still goes to the default Apache page .. is there another command I'm missing? | 22:03 |
| NineTeen67Comet | apachectl something? | 22:04 |
| NineTeen67Comet | I have directories in /var/www to represent the sites I'm running (re-building) .. | 22:07 |
| === bilde2910 is now known as bilde2910|away | ||
| zol | Hi! I'm having trouble setting up my home network configuration. I have two NICs, one configured for WAN and the other for WAN on a subnet with range 10.0.0.0/24. The router has static ip 10.0.0.1, I can ping the router form the LAN clients, but I can't ping the clients from the router. The LAN clients can't reach outside of the LAN. I am using ufw as a firewall, I have NAT enabled to the best of my | 22:51 |
| zol | knowledge. I'm feeling terribly lost, have been trying to fix this for 6 hours now. | 22:51 |
| zol | and the other for LAN* | 22:51 |
| zol | I can't seem to get outgoing packets to be allowed by UFW. | 22:52 |
| jdstrand | zol: I suggest you look at the section on 'IP Masquerading' in 'man ufw-framwork' | 23:36 |
| jdstrand | zol: sorry, 'man ufw-framework' | 23:36 |
| * jdstrand wanders off again | 23:36 | |
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!