/srv/irclogs.ubuntu.com/2015/01/15/#ubuntu-server.txt

X123anyone else seeing weird tcp connection problem with 3.13+ kernel00:00
bearfacedefine weird00:08
=== Metacity is now known as edocb
=== edocb is now known as Guest71787
=== Guest71787 is now known as Metacity
=== Lcawte is now known as Lcawte|Away
X123like..01:06
X123ssh to 127.0.0.1 and it hangs for anywhere from 10 seconds to minutes, sometimes connects and sometimes resets broken pipe etc01:07
X123same thing with curls and such01:07
X123starts happening about 10ish mins after reboot01:07
X123works fine until then01:07
X123almost like a memleak of some sort01:07
X123happens in every kernel 3.13+ i've tried01:07
X123seems fine in older ones01:07
sarnoldI'm on 3.13.0-44-generic and "time ssh localhost date" takes 1.9 seconds for the 'first' run and 0.2 seconds for each additional run01:09
sarnoldhangs with ssh often mean the server is trying to do a reverse DNS lookup on the client's IP address01:09
X123yeah i know but it's not that01:10
sarnoldbut that doesn't make sense re: ten minutes after reboot01:10
X123localhost is in the /etc/hosts01:10
X123plus it does it with curls (http request)01:10
X123and on top of that i can't open any listening sockets either01:10
X123like trying to start a service that listens on port 500001:10
X123it won't listen on the port even though nothing else is there01:10
X123it's an extremely weird problem01:11
X123ssh localhost is instant for some time01:11
X123it asks for password instantly every time01:11
X123and then hangs01:11
sarnoldis there anything strange in dmesg? how do netstat or ss output look?01:12
X123nothing major, it's running several services01:12
X123Transport Total     IP        IPv6
    *         2108      -         -
    RAW       0         0         0
    UDP       11        8         3
    TCP       107       104       3
    INET      118       112       6
    FRAG      0         0         001:12
X123but not much connections01:12
X123sometimes ssh connects in 10-60 seconds01:12
X123and sometimes it's broken pipe/reset by peer01:12
X123after a few mins01:13
X123but this is destroying the HTTP services running on the box01:13
X123even curl to 127.0.0.1 does same thing so as u can imagine http doesn't work :)01:13
X123once a connection is established (ssh or whatever) it's fine01:13
X123nothing in dmesg01:14
X123was wondering if it had something to do with apparmor01:14
sarnoldX123: apparmor would show up with DENIED messages in dmesg or auditd logs01:15
X123yeah, and it's not01:15
X123but u never know :001:15
X123does same on 3.1601:15
X123and multiple servers are doing it01:16
X123not just one01:16
X123but then again we have a few more servers that aren't AS BAD01:16
X123like ssh takes 8-16s01:16
X123and always seems to connect01:16
X123and it's random that it does that, most of the time it's 1s or so01:17
X123but no matter what it should always be instant01:17
X123kind of driving a few of us nuts haha01:17
X123if you have any clue or direction to figure it out would be appreciated01:19
X123sniffing loopback and watching it shows interesting results sometimes01:20
X123sometimes it gets stuck retransmitting over and over, and sometimes it gets no response01:21
X123is very very odd01:21
k2gremlinCan someone help me with an iptable to redirect all traffic from an interface to a port?01:21
X123like what?01:22
X123i mean you can't redirect ALL traffic from a layer2 interface to a layer3 port01:22
k2gremlinall port 80 traffic to a Squid3 server01:22
X123so have to be more specific :)01:22
k2gremlinI know and iptables are very new to me lol01:22
X123so when someone connects to port 80 of the ip address on your interface01:23
X123u want it to go to some other ip on another port01:23
X123or do u want all traffic that gets forwarded through like a router to be redirected01:23
k2gremlinWell the laptop or lan is connected to one port on my server which is vswitched to Eth1 of my Ubuntu server01:23
k2gremlinserver01:23
X123ok01:24
k2gremlinI need all of that web traffic redirected to Squid3 and then on the outside redirected from Squid3 to Eth0 which is Vswitch to another physical port on the server.01:24
k2gremlinAll other traffic redirected straight from Eth1 to Eth001:24
X123redirected.. as in?01:24
X123like NAT01:24
X123or routing ?01:24
cyclob|workis there an service available that can monitor bandwidth usage?01:25
k2gremlinThat I am not sure of. Eth0 is on 192.168.1.0 net and Eth1 is on 192.168.2.0 net01:25
k2gremlinso a "static" NAT for all the other traffic maybe?01:25
X123cyclob|work: like a program you run on the command line, or what?01:25
X123you can nat any traffic leaving eth001:26
X123to the ip of eth001:26
cyclob|workyeah so i can stick a box between a switch and router and graph the bandwidth usage over a week01:26
k2gremlinX123, I tried this... http://pastebin.com/Lme2GAxU01:26
X123why not just graph the bandwidth usage on the router or switch port01:26
cyclob|workno snmp or router access sadly01:27
X123whaa01:27
cyclob|workyeah managed routers01:27
X123so you want to insert a server in between it and bridge the interfaces01:27
cyclob|workcosts $$$$ to change anything on them. lol01:27
sarnoldcyclob|work: check out iptraf or munin or similar01:27
X123just run SNMP on the server01:27
X123and use cacti or something to graph the interfaces01:27
k2gremlinKind of... I want the Squid3 server to be directly behind my ISP modem and the Lan behind that01:27
X123works just like it's a router or switch01:28
X123what's the squid server for?01:28
cyclob|workcool i'll check them out01:28
k2gremlinits a proxy server...01:28
k2gremlinto allow or disallow based off of rules.01:28
X123yeah just apt-get install snmpd i think01:28
k2gremlinWhich I then build Dilidele WS on top of that for content filtering01:28
X123so you want the squid server to transparent proxy01:29
X123everything coming from your lan01:29
k2gremlinYes!01:29
k2gremlinAnd I am familiar with firewall rules and such on ASA's but iptables is a foreign language to me01:29
X123that's easy enough01:29
k2gremlinX123, this is for home networking btw01:30
X123you really should specify interfaces in iptables01:30
X123like postrouting -o eth101:30
k2gremlinand I would prefer that because the ISP side may change01:30
X123u don't want to nat everything on every interface01:30
dts|pokeballhey,,, if anyone can answer this i would be very appreciative https://askubuntu.com/questions/573904/setting-up-subdomains-for-ubuntu-server-14-0401:30
k2gremlinto give you a layout of what I have..01:30
k2gremlinRight now is it ISP>Router>Server>Laptop01:31
k2gremlinfor testing01:31
X123server is acting as a switch01:31
k2gremlinfor the laptop yes.01:31
k2gremlinAnd with NORMAL squid... IE...01:31
X123so laptop has an ip from router01:31
k2gremlinDirecting the laptop to the squid it works01:31
X123like eth0 on router goes to ISP01:31
X123eth1 goes to server01:31
k2gremlinumm ...01:31
k2gremlinhttp://puu.sh/ew2LH/59f97f043e.png01:32
k2gremlintop is what I have now01:32
k2gremlinand I can't get it working01:32
k2gremlinOnce I figure it out ill put the server between the IPS and the internal LAN router01:32
X123so the server is doing NAT also01:33
X123to the router, which is doing nat to the isp lol01:33
k2gremlinServer isnt yet...01:33
k2gremlinI just have the interfaces on the server configured for those IP's01:33
X123then how does the laptop get internet access01:33
k2gremlinstatic01:33
k2gremlinatm01:33
k2gremlinOhh umm01:34
k2gremlinIt doesn't01:34
k2gremlinUNLESS01:34
k2gremlinI manually put in the proxy info01:34
k2gremlinwhich I don't want to do01:34
X123oh so it has no internet at all01:34
X123you just want port 80 to work01:34
X123and nothing else?01:34
k2gremlinwell eventually 80 and 443 to the proxy...01:34
k2gremlineverything else straight out01:34
k2gremlinif that makes sense lol01:34
X123yeah01:35
k2gremlinRight now, anything that has a destination port 8001:35
X123http://www.tldp.org/HOWTO/TransparentProxy-6.html01:36
X123this 6.2 method is the best imo01:36
k2gremlinchecking it out now01:36
sarnoldhah, I read that HOWTO back in the ipfwadm days01:37
sarnoldnice to see it's been updated since then :)01:37
X123haha01:37
X123it still works :)01:37
k2gremlinThis sounds like the iptables is a separate server..01:37
X123yeah the iptables is the router01:37
X123squid is separate01:37
k2gremlincan they be on one?01:38
X123sure01:38
k2gremlinsquid-box = squid server ip right?01:38
X123yeah01:38
X123but you wouldn't need the extra routing01:38
k2gremlin-s near the end of the first command is source?01:39
X123http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect01:40
X123this should be easier to see for one device01:41
k2gremlinyea I tried that page01:41
X123of course i'd specify interfaces in iptables01:41
X123i dunno why they didn't01:41
X123i ALWAYS specify interface :)01:42
X123-o and -i01:42
k2gremlinActually thats a different page01:42
X123masquerade is outbound nat01:42
k2gremlin1 sec..01:42
X123it's IP-unspecific, which is why they use it: if eth0 connects to the internet, the ip might change01:43
X123so masquerade just picks whatever IP is on that interface01:43
X123and uses it01:43
k2gremlinI don't see an eth0 on that page01:43
X123there isn't :)01:44
X123there should be.. :)01:44
X123if eth0 is internet facing01:44
X123then you want -o eth0 for the masq01:44
k2gremlinthis look good? http://pastebin.com/4PSmMVfw01:44
X123just so there's no confusion01:44
k2gremlinafter masq01:44
k2gremliniptables -t nat -A POSTROUTING -j MASQUERADE -o eth001:45
X123before, but im sure it will move it01:45
X123basically means, anything exiting eth0, nat to the ip of eth001:45
k2gremliniptables -t nat -A POSTROUTING -j -o eth0 MASQUERADE ?01:45
X123-A POSTROUTING -o eth0 -j MASQUERADE01:46
k2gremlink ill try01:46
X123then the prerouting ones01:46
X123u want -i01:46
k2gremlin...01:46
X123input interface01:46
X123i mean it's not necessary01:46
X123i just don't like iptables doing things i don't want it to do01:46
k2gremlinon all prerouting?01:47
X123prerouting happens before any processing01:47
k2gremlinhttp://pastebin.com/vF5wSbfc01:48
X123like the first thing it does when a packet comes in an interface = prerouting01:48
X123postrouting happens after it processes the packet in routing table and decides what interface it is going to send the packet out01:48
X123i think the last prerouting is -i eth001:48
k2gremlinill try those commands01:48
k2gremlinright sorry01:48
X123because it's blocking people on the internet from accessing the squid port01:48
k2gremlinSo if the dport isnt 3128 drop it01:49
X123that drops everything going to 312801:49
X123if it comes in eth001:49
X123but it's not coming in eth0, it's coming in your lan eth101:49
k2gremlinhttp://puu.sh/ex2wD/9242aef150.png01:50
k2gremlinill try it01:50
k2gremlinnope... not even seeing access on the squid logs01:52
k2gremlinis there a way to view traffic on the iptables?01:53
X123u can see counters01:53
k2gremlinhow? lol01:53
X123like iptables -t nat -L -vnx01:53
X123or whatever table u are using -t mangle -t filter01:53
k2gremlinpostroute is only one with counters01:54
X123well you are accessing a real internet ip from the laptop?01:54
k2gremlincnn.com01:54
k2gremlingoogle.com01:54
k2gremlinstuff like that01:55
k2gremlinwait01:55
k2gremlinPings work01:55
k2gremlinso..........01:55
k2gremlinDNS not working01:55
X123you'd have to use DNAT for redirecting a real internet ip to the squid proxy01:55
X123because redirect of a port will just change the port01:56
X123but it will still end up going out01:56
k2gremlinok well getting closer lol01:56
k2gremlinI haven't been able to get that ping to work in 3 days trying this01:56
k2gremlinSec... gotta change the squid config to intercept01:56
k2gremlinduh?01:56
X123ping will work because of masq01:57
k2gremlingotcha.. and were not trying to intercept icmp01:57
k2gremlintrying to intercept port 8001:57
X123actually it intercepts 312801:58
k2gremlinhmm nslookup.. laptop is able to resolve01:58
X123and you DNAT port 80 to 312801:58
k2gremlinthats what udp 53?01:58
X123aye01:58
k2gremlinOk so DNS is working01:58
X123do a tcpdump -n -i eth001:59
X123and try access web site01:59
X123i bet you will see it trying to access 312801:59
k2gremliniptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.2.1:312801:59
k2gremlintry this?01:59
X123yeah that's what u need01:59
X123that redirects connection attempts to 80 to that ip01:59
k2gremlinok do I have to "restart" iptables?01:59
X123not if you typed that from the shell01:59
X123it puts it in instantly02:00
X123but it appends it to the end02:00
X123-A is append02:00
X123so u have to look at where you are inserting it02:00
k2gremlinok it dropped it at the bottom.. top down is how it runs so how do I move it up?02:00
X123and then u have to redirect the REPLY02:00
=== markthomas is now known as markthomas|away
k2gremlinI don't see anything like sequence numbers in here02:01
X123u can do --line-numbers02:01
X123to see the sequence #02:01
X123honestly i just edit a file02:01
X123i do iptables-save >file02:01
X123edit file02:01
k2gremlinWhere is it stored?02:01
X123iptables-restore < file02:02
X123that's how i do it :)02:02
X123i don't even bother with it being saved anywhere02:02
k2gremlinso make a new file with what I want then run that command02:02
X123just type iptables-save02:02
X123u will see02:02
X123so u can > that to a file02:02
X123edit that file02:02
X123then iptables-restore < file02:03
X123and it puts it in the order in the file02:03
X123it's 100x easier02:03
X123imo02:03
k2gremlinok... where did it save to?02:03
k2gremlinnvm.. I did iptables-save > iptables.txt02:04
X123you just need 2 rules02:05
X123in iptables02:05
X123plus the masq02:05
k2gremlinhttp://puu.sh/ex4vX/17d898e47b.png02:05
X123redirect rule should be lan02:06
X123like02:06
X123iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 312802:06
X123if eth1 is your LAN int02:06
X123no wait02:07
X123should be eth002:07
k2gremlinyea eth102:07
X123cuz it has to do it before it goes out eth002:07
k2gremliniptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 312802:07
k2gremlinis whats in there02:07
X123so you will have two rules like this02:07
X123iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.1.1:3128
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 312802:07
X123or whatever your squid IP is02:07
X123in that order02:07
X123should work :)02:08
X123i never tried it like this tho02:08
k2gremlinso the DNAT is the outside02:08
X123and then you'll have the masq02:08
X123DNAT is LAN eth102:08
X123it redirects anything on your LAN02:08
X123that tries to connect to anything on port 8002:08
X123routed through this server02:08
X123to that squid ip02:08
k2gremlinok so LAN is 192.168.2.0, Squid Eth1 is 192.168.2.1 so use 2.1 on the DNAT02:09
X123squid server would be 192.168.1.1 in my example02:11
k2gremlinhttp://puu.sh/ex5cd/95196f94b4.png02:11
X123which is running on the local machine02:11
X123that's what the -j REDIRECT does02:11
X123redirects it to the local machine only02:11
k2gremlinthat last pic I sent still isnt working :/ lol02:13
k2gremlinlemme check squid logs02:13
k2gremlinnope. Squid log shows 0 traffic02:13
X123http://www.cyberciti.biz/tips/linux-setup-transparent-proxy-squid-howto.html02:14
X123check this02:14
k2gremlinso at this point, I need to get port 80 traffic to 3128 just to start02:14
X123that looks like it explains it better02:14
X123you can verify that with tcpdump02:14
k2gremlinbut that 3rd rule under the NAT table should do it02:14
X123that's how i do it02:14
X123maybe rp_filter is on02:14
X123and the machine is being a @()#02:14
X123make sure rp_filter=002:14
X123edit the /etc/sysctl.d/10-network-security.conf02:15
X123and make those 002:15
X123that breaks so much stuff that they default to 102:15
X123soooo much02:15
X123syncookie 0 too02:15
k2gremlinthis looks like my exact setup02:16
X123yeah02:16
X123but make sure rp filter!02:16
X123is 002:16
sarnoldif you're going to turn off rp_filter, it's worth making sure your firewall rules enforce something sane02:16
X123since u are doing nat tricks02:16
X123i always turn it off, it causes more problems than anything02:16
X123much easier to iptables stuff02:17
sarnoldX123: any luck with your problem?02:17
X123sarnold no :/02:17
X123unfortunately02:17
sarnoldX123: dang ;(02:17
X123it doesn't do it on centos running same thing02:17
X123or previous kernels02:17
sarnoldI hoped I had just missed it in the middle of the rest..02:17
X123just 3.13+ so far02:17
X123i'm dying to know what it is02:17
sarnoldX123: please file a bug against "linux"02:18
X123well i've only tried the ubuntu kernels02:18
X123i might download and compile one myself02:18
X123and see02:18
X123that's a lot of work though lol02:18
sarnoldX123: when you file one against linux, there's a robot that will ask you test some 'upstream kernels', all precompiled and ready to go02:19
X123ill get one of the techs to do it.. i'm the network engineer :P02:19
X123tested 3.1602:19
X123same stuff02:19
X123rp_filter is the most annoying thing ever02:19
X123it just silently discards packets02:19
X123wish it was default 0 in every dist02:19
=== zz_DenBeiren is now known as DenBeiren
X123k2gremlin u get it working02:31
k2gremlinX123 nope not yet. Cruising through the iptables to figure out why its not forwarding 80 to 3128 :/02:31
X123did u disable rp filter02:32
k2gremlinThat site is old... but I can sort of understand it lol02:32
k2gremlinYes02:32
k2gremlinthere were 2 commands with it02:32
X123tcpdump :)02:32
X123that is my friend02:32
X123there's a script on that site that sets it up02:32
X123check out the script, it has a bunch of iptables commands02:32
k2gremlinYea I ran it...02:33
X123but some of them block a lot of stuff which u don't want02:33
k2gremlinbut the config portion for squid is really ol02:33
k2gremlinold02:33
k2gremlinthe squid commands are not valid anymore.02:33
X123ah02:33
X123never used squid :)02:33
X123i use nginx02:33
k2gremlinonly traffic was ssh with my putty and an arp request02:33
X123use tcpdump to trace it02:33
X123see what's coming in the lan int02:33
X123see what's on lo02:33
X123and see what's going out02:33
k2gremlincan I grep an interface?02:34
X123u can put options on tcpdump02:34
X123like what do u want to do02:34
k2gremlinsee whats coming in eth102:34
X123just tcpdump -n -i eth102:36
k2gremlin20:36:52.028698 IP 192.168.2.1 > 192.168.2.10: ICMP 192.168.2.1 udp port 53 unreachable, length 6502:37
k2gremlinyea see I can't even ping using their rules02:37
k2gremlinlol02:37
X123yeah like i said02:37
X123it blocks pretty much everything02:38
X123so u can just edit out all the blocking stuff02:38
sarnoldping uses icmp, a different protocol than tcp...02:38
X123you should use tcpdump -n -i lo02:38
X123to see traffic on local machine02:38
X123sarnold, tcpdump shows everything02:38
X123even mpls, gre, layer2 info02:39
X123everything :)02:39
X123not sure why it's called tcpdump but it shows it all02:39
sarnoldX123: hehe, I meant that more along the lines of "you can't ping because you're only forwarding tcp traffic" ...02:39
X123oh eheh02:39
sarnoldX123: tcpdump and I have a love/hate relationship :)02:39
k2gremlinwatching lo isnt generating anything02:39
sarnoldX123: ... I love the stupid thing but hate the language, I have to use the manpage every. single. time.02:39
X123it's not tcpdump language02:40
X123it's pcap02:40
X123so, hate pcap :)02:40
sarnoldoh I do :)02:40
X123hehe02:40
sarnoldsame story with wireshark02:40
k2gremlinbut ill take another whack at this tomorrow. My eyes are starting to hurt lol02:40
k2gremlinThanks for all of the info/help guys02:40
X123yw :)02:40
sarnoldbut why on earth they picked _C_ for the packet dissectors...02:40
X123right now i have a hate relationship with cisco nexus 5xxx devices02:40
k2gremlinIm at the point where I open the server to someone.. they come in and set it up for me haha02:40
X123when you are forced to use these instead of a 7k02:41
X123grrrr02:41
k2gremlinso frustrated with it02:41
sarnoldX123: heh, I've not heard much good about cisco gear :/02:41
X123I love cisco gear :)02:41
X123just not the nexus 5k lol02:41
sarnoldah :)02:41
X1236500 platform and ASR02:41
X123are some of my favorite devices anywhere02:41
k2gremlinWell X123 I have another VM running Squid as a direct proxy and its working great. Just can't get this transparent thing working.. lol02:42
k2gremlinits even doing https inspection lol02:42
k2gremlinbut ill be damned if I can get transparent :/02:42
X123yeah you can do that without transparent easy02:42
k2gremlinright lol02:42
X123transparent basically02:43
X123the proxy answers the connection02:43
sarnoldk2gremlin: would it be sufficient to just prevent the clients from getting to the internet at all? i.e., undo the "transparent" bit?02:43
X123it checks out the host: header02:43
k2gremlinsarnold, its for my kids devices lol02:43
X123then connects to that and sends your request02:43
sarnoldk2gremlin: ahhhh02:43
sarnoldstuff that's unlikely to let you set http_proxy env variables correctly :)02:43
k2gremlinI have Squid3 with Diladele WS (content filter) running02:43
k2gremlinwell the problem is... if they just turn off the proxy setting they go right around it lol02:44
X123which is why it won't work with some older http 1.0 requests02:44
k2gremlinGranted they may not be that smart yet.02:44
k2gremlinbut I want to stay 2 steps ahead02:44
X123well, no u can block everything to port 80/44302:44
X123going to the internet02:44
X123except from the proxy02:44
X123so if they turn it off they get nothing02:44
k2gremlinCan I do that on my Asus router???????02:44
X123i'm sure you can02:44
X123it prob allows filter rules02:45
k2gremlinill look into it02:45
X123most transparent proxies i set up are bridged02:45
k2gremlinthe only other problem I need to solve.. is how to block changes to iOS WiFi settings lol02:45
X123ha02:45
X123they might have a kid mode on there02:45
k2gremlinCan kids are gonna be smart. They turn off wifi and boom they using their cell service lol02:45
X123some way to set an admin pass02:45
X123yeah02:46
k2gremlinThere are a lot of restrictions..02:46
X123or they can just leave the house :)02:46
k2gremlinexcept wifi02:46
X123and go out of range of the wifi02:46
k2gremlinnot much I can do there02:46
X123and use the cell service :)02:46
X123remove data from their account02:46
X123lol02:46
sarnoldyank the SIM? :)02:46
k2gremlinI have iOS content filters enabled but yea.. :/02:46
k2gremlinAnd honestly.. this whole server thing is just fun for me lol02:46
X123apple could make some good bank02:46
sarnoldlol02:46
k2gremlinkids are going to be kids02:46
X123if they integrated some sort of kid protection into the phone02:47
X123like forced it to use a proxy server they set up02:47
X123even on cell service02:47
k2gremlinI did the content filter more so that I can watch what they are doing on the net02:47
X123i did that for my kids02:47
X123but i just broke down and bought a router with built in content filtering lol02:47
k2gremlinI know they are going to push the boundaries.. but I want to see the red flag so that I can be like oh hell no... lol02:47
X123don't have time to mess with all that02:48
k2gremlinfun for me.. I love VM's02:48
X123another love /hate relationship of mine02:48
k2gremlinand it took a week ish to get the proxy with https working lol02:48
X123VM's piss me off02:48
k2gremlinlol02:48
X123but they have such good functionality02:48
k2gremlinI have a Plex server and the content filter atm02:48
k2gremlinand a GNS3 IOU vm running as well02:48
k2gremlinWanna hear something funny...02:49
X123right now im working on two nexus 554802:49
X123want to throw them off the 50th floor02:49
k2gremlinI know all this server crap.. granted not well. I know Cisco big time.02:49
k2gremlinNetworking and all that. Tunnels, ospf, bgp02:49
X123yeah me too :>02:49
k2gremlinI took ICND1 Monday02:49
X123that's what I do02:49
k2gremlinfailed by 3 points lol02:49
X123damn heh02:49
k2gremlinfucking trick ass questions lol02:49
k2gremlinexcuse my language02:49
X123i got cisco certs ages ago haha02:50
k2gremlinso the internet side of a router running NAT....02:50
k2gremlinGlobal or inside?02:50
X123and yes they are stupidly tricky questions02:50
X123and the thing that bugged me the most was they are all cisco way02:50
k2gremlinI know it as "Global Inside"02:50
X123i don't always do things the way cisco "SUGGESTS" them to be done02:50
k2gremlinthey had a choice.. "Global" or "Inside"02:50
k2gremlinRIGHT!02:50
X123and all of their questions are based on how they want it done and not 20 other ways u can do it02:50
k2gremlintell me about it02:50
k2gremlintrying to think of some other areas I messed up02:51
k2gremlinoh.. port security lol02:51
k2gremlinIDK how I messed that up02:51
k2gremlinwas a question on sticky mac..02:51
X123lol to me that question would be outside :)02:51
X123or external/dmz02:51
k2gremlinsticky puts the number of max devices mac address in the configs correct?02:51
k2gremlinpending the use of a timer02:52
X123if you put it there :)02:52
X123sticky mac puts the devices in the config on IOS :)02:52
X123but it doesn't on nexus 554802:52
X123lol02:52
k2gremlinhaha02:52
k2gremlinim re-taking on the 18th02:52
X123and max devices you have to set02:52
X123like02:52
k2gremlinmax 502:53
X123switchport port-security
    switchport port-security maximum 8
    switchport port-security aging time 60
    switchport port-security violation restrict
    switchport port-security aging type inactivity
    switchport port-security mac-address sticky02:53
X123max is whatever you set it to02:53
k2gremlinputs first 5 in the config lol02:53
k2gremlinexactly.. not sure how I messed up network device security02:53
X123first 5? :)02:53
k2gremlinenable secret 34io5ih398fcfjq is encrypted en pass right? lol02:53
X123yeah02:54
k2gremlinenable pass cisco is un-encrypted en pass02:54
k2gremlinI mean its SO easy02:54
k2gremlinyet I failed lol02:54
X123hehe02:54
k2gremlinand most people would consider ip addressing the hardest part.02:54
k2gremlingot 100% on that02:54
k2gremlinlol02:54
X123it puts a lot more than first 5 :)02:54
X123i got some ports with like 20-3002:54
X123stickies on it02:55
X123for VMs lol02:55
k2gremlinsomeone in networking Saturday tested me..02:55
k2gremlinthey said 3 offices running 500 pc's and 500 phones in each office. One office is 2 floors with 500/500 as well.02:55
X123i stopped doing dynamic sticky mac and started specifying it02:55
k2gremlinso I made this in 15 mins02:55
k2gremlinhttp://puu.sh/emjcr/18d7274617.png02:55
k2gremlinI love networking but I hate testing02:56
k2gremlinbut anyways, going to play some CoD for a bit02:56
X123heh02:56
k2gremlinthanks again02:56
X123did they like that diagram02:56
X123i love testing stuff :)02:56
X123i hate making diagrams haha02:56
X123making big mpls l3 vpns, and dmvpn and such is a nightmare of config02:57
X123lots of vrfs and such02:57
X123trying to keep track of all that is )!@(*!)02:57
k2gremlinright!02:57
X123plus all the BGP filters, the security filters, control plane policing02:57
X123if someone interrupts me02:57
X123or calls me or anything02:57
X123when im in the middle of a huge config02:57
k2gremlinI hate BGP02:57
X123i have to take like an hour to find where i was lol02:58
k2gremlinhaha02:58
X123i do BGP and security all day02:58
X123and MPLS02:58
X123in theory, it's very simple02:58
X123in practice, the filters are a nightmare02:58
collizionused to work somewhere as a sysadmin where the net admin, who just renewed his CCNA, didn't know how to configure dynamic routing. Large campus, 32 buildings, statically routed.02:58
X123shoot if you have one /16 or something02:59
X123and just route huge chunks to a few routers02:59
X123i static route a lot of stuff :)02:59
X123sometimes just OSPF for loopbacks/links02:59
collizion /8, divided into /16s, /20s, /24s.02:59
X123and static route to loopbacks03:00
X123and gg03:00
X123but BGP is fairly simple03:00
X123if I had more than 2-3 routers i'd prob set up bgp03:00
X123or carry the routes in ospf or isis or eigrp or something03:00
collizionyeah, we had a lot more.03:00
X123at the least03:00
X123yeah but with like 1k total routes03:00
X123ospf is ok :)03:01
X123or eigrp03:01
X123but when got 500-600k routes in most of the core devices03:01
X123no choice have to use bgp :)03:01
X123got a bunch of extreme networks hardware too03:02
X123very good hardware03:02
X123worst CLI EVER03:02
X123EVER!03:02
X123i wrote scripts to configure it just because the cli is so bad03:02
=== swebb_ is now known as swebb
cyclob|worksigh, for a program that's meant to use mysql you'd think they'd let you define your own hashing algorithm04:28
DatzHi, samba server for some reason is resetting users' passwords after some length of time. I have to reset it every day. Anyone have any ideas about why, or how to fix this?05:17
=== kickinz1|afk is now known as kickinz1
=== kickinz1 is now known as kickinz1|afk
=== kickinz1|afk is now known as kickinz1
lordievaderGood morning.08:56
cocoa117with ubuntu preseed, is there any documentation for partman, partman-lvm, partman-auto, partman-* etc so I know all the available variables to use?09:32
=== Lcawte|Away is now known as Lcawte
AdventureTimehi everyone. is there someone available to PM me? i need help with a server. it would be great if we can do teamviewer or something11:13
=== kickinz1 is now known as kickinz1|afk
jamespagejacalvo, good morning12:14
jamespagejacalvo, not sure whether you saw but we're sprinting on the upstart -> systemd migration for ubuntu vivid today/tomorrow12:14
jamespagejacalvo, zentyal uses quite a bit of upstart only configuration; see http://pad.ubuntu.com/systemd-porting-sprint for impacted packages12:15
jamespagejacalvo, is this something your team can work on?  if not we'll probably drop the packages from vivid as zentyal has not really been touched in 2 years12:16
=== Lcawte is now known as Lcawte|Away
jacalvojamespage, I don't think we can work on that in the short term, we're going to stick to the LTS (trusty) for some time...12:36
rbasakjacalvo: will you want zentyal packages in the next LTS?12:43
jacalvorbasak, that decision is not made yet, I suppose the safest thing you can do now is drop them, better than leaving them broken13:02
jacalvothose packages are from a very old zentyal version anyway, as james says they've been unmaintained for more than 2 years (the maintained zentyal packages are in archive.zentyal.org)13:03
rbasakjacalvo: OK, thanks. I understand the desire to care only really about LTSes. It's fairly common for server.13:05
rbasakjacalvo: the (lack of) maintenance in inter-LTS packages causes some conflict with this I think. It's a consequence of how our releases work - we'd expect or even effectively require the package to continue to be maintained in between, even though end-users may not necessarily care on server.13:07
rbasakI'm not sure what we can do about this. It's a dissonance I don't like, though.13:07
rbasakjamespage: ^^ - remove I guess then?13:07
jacalvoyes, the problem is that zentyal and ubuntu release cycles have never been synced13:07
jacalvousually we have the stable packages ready when the LTS is already out and stable13:08
jacalvoit's difficult to have them before the freeze period13:08
rbasakI wonder if click packages are the future here.13:08
rbasakThey're better suited to this I think, but maybe not quite ready for server use yet.13:08
rbasak(I don't know if that would require snappy or not - it'd be nice if non-transactional worked with click packages too)13:09
jacalvoanyway, for our users it's no big deal to add an additional repository, and take into account that we also provide remastered ISOs, that's probably the most typical way to install zentyal :)13:09
=== kickinz1|afk is now known as kickinz1
rbasakUnderstood. Maybe that's the better model right now. If so, maybe even intentionally avoid having the packages in Ubuntu, so users don't get misguided to the less recommended and less well looked after path?13:10
jacalvoyes, I think it's better to remove them13:10
jacalvootherwise the only thing they are going to cause is frustration probably13:11
jacalvoin fact some time ago I was already asked about this (because they were blocking some release as they were non-installable or something like that) and I said it was ok to remove them, but finally someone worked around the issue and they remained there13:13
sebastianlutterI want to rate limit access to port 80/443 per IP to avoid simple DoS attacks. I think iptables rate limit is what I want, what do you use? Can someone provide some practical values or some tutorial link? Thanks for any hint13:16
collizionsebastianlutter: The answer to that is going to be determined by how much traffic you receive normally.13:17
collizionsebastianlutter: As a general resource: http://unix.stackexchange.com/questions/139285/limit-max-connections-per-ip-address-and-new-connections-per-second-with-iptable13:19
sebastianluttercollizion, thanks for the general link. It is just a medium business homepage that provides company and product info (about 50 unique visits a day).13:22
=== Lcawte|Away is now known as Lcawte
collizionsebastianlutter: As a starting measure, you could try a bit of traffic analysis. Make a request to your web site. Surf around, etc. See how many concurrent connections are generated to a single client IP per request.13:28
collizionsebastianlutter: Multiply that by a reasonable buffer factor, and limit concurrent requests per IP address to that number.13:29
sebastianluttercollizion, I will, thanks13:40
=== lazyPower is now known as lp|BagelRun
rcaskeyhey all, I've been playing with netbooting (https://github.com/robjcaskey/dotfiles/tree/master/pxeinstall-example/ansible) but... does the installer honor the proxy setting on url?14:21
=== AdventureTime__ is now known as AdventureTime_
=== lp|BagelRun is now known as lazyPower
=== Lcawte is now known as Lcawte|Away
=== kickinz1 is now known as kickinz1|afk
=== kickinz1|afk is now known as kickinz1
=== martins-afk is now known as martinst
ApplesInArraysI'm getting 100% of /dev/simfs in use. How would I go about resizing?16:08
* X123 yawns16:15
cbreak6Hi when will constant updates stop?  Do the people who write all the programs know what they are doing or is it really that profoundly difficult?16:27
ApplesInArraysDon't yawn: I'm getting 100% of /dev/simfs in use. How would I go about resizing?16:27
tewardcbreak6: define "constant updates"16:29
cbreak6like 3 times a week this and that, so and so found that...16:30
tewardcbreak6: it's less a case of programmers *not* knowing what they're doing and instead security flaws being discovered - in the world of software and security there is always unending research into the stuff to determine vulnerabilities that need fixing16:31
tewardbut you can't assess it as "constant updates"16:31
cbreak6also why are updates released to the repos before we read about it?16:31
tewardbecause constant updates would be like a git master branch.16:31
cbreak6it's a pain in the ass :)16:31
cbreak6no mal intent16:31
cbreak6busy webserver admin here16:32
cbreak6teward agree on things being discovered16:33
ApplesInArrayscbreak6: How would you resize the said directory?16:33
ApplesInArraysIf it were an auto-updating program.16:33
cbreak6do a fresh install after backup ;)16:33
rberg-cbreak6: it might be worth turning on unattended upgrades for the security repo.16:33
cbreak6ApplesInArrays resizing on a life site server is not recommended16:34
cbreak6live16:34
ApplesInArraysIt's not really live right now16:34
ApplesInArraysIt's all dead16:34
ApplesInArraysSo a fresh 14.04, then resize and reload.16:35
ApplesInArraysI can do that16:35
ApplesInArraysbut how do I go about resizing?16:35
cbreak6rberg- ty for that, will check it out16:35
ApplesInArraysI keep searching, but I can't figure it out16:35
ApplesInArrays"resize /dev/simfs"16:36
cbreak6ApplesInArrays hire an expert16:36
cbreak6I am not16:36
rberg-and I don't know what /dev/simfs is16:37
cbreak6neither do I16:37
ApplesInArraysI don't know, but it's at 100% and I can't do anything because of it.16:37
ApplesInArraysI guess it's just a directory16:37
rberg-looks like it's for openvz16:38
cbreak6be nice to see more experts offer services to fix things on the net16:38
cbreak6pretty hard to find16:38
ApplesInArraysIt should be the same as resizing any other directory, no?16:39
rberg-ApplesInArrays: is the directory on the host that's providing that full?16:39
ApplesInArraysYes.16:40
cbreak6ApplesInArrays your provider should have info16:40
rberg-it sounds like simfs is a "proxy-filesystem" provided by the host OS to a container, so I would think you need to expand the volume on the host16:41
ApplesInArraysI think I should move my MySQL then16:43
ApplesInArraysSince that's what's killing it. My scraper is grabbing 20MB/day text16:43
rberg-nntp?16:44
=== Lcawte|Away is now known as Lcawte
ApplesInArraysWhat's nntp?16:48
pmatulishave you ever heard of usenet?16:50
ApplesInArraysfor me?16:51
bearfacenntp is used for newsgroups/usenet16:51
=== markthomas|away is now known as markthomas
=== kickinz1 is now known as kickinz1|afk
collizionsebastianlutter: Multiply that by a reasonable buffer factor, and limit concurrent requests per IP address to that number.17:33
collizionOops. Stupid buffer.17:33
=== duxklr is now known as jemurray-WUSTL
=== martinst is now known as martins-afk
=== martins-afk is now known as martinst
tewardcbreak6: if I may make a suggestion?18:00
tewardcbreak6: given that i too am a busy sysadmin and all :P:18:00
tewardcbreak6: my suggestion is to perform your updates during regular maintenance periods - schedule the maintenance to occur regularly, and do it by that schedule18:01
tewardmonthly, twice a month, etc.18:01
=== bilde2910|away is now known as bilde2910
=== Lcawte is now known as Lcawte|Away
=== markthomas is now known as markthomas|away
=== bilde2910 is now known as bilde2910|away
ChrisAnubisI am having an issue with apache2 on Ubuntu 14.04. I have set up the server and added my user to the /var/www/html group (via the sudo adduser myuser /var/www/html command) - I chmod the html dir to 775, but I still received an error when attempting to upload files to the server. Switching to chmod 777 allowed the file to upload.21:24
ChrisAnubisSo the issue seems to be in my user being added to the group correctly. Can someone offer some guidance on how to do this correctly?21:25
=== markthomas|away is now known as markthomas
collizionChrisAnubis: There is no '/var/www/html' group. You might try the 'www-data' group instead. You also have to make sure that www-data is the owner user and group on /var/www/html and its subdirectories.21:31
patdk-wkas it shouldn't be by default21:31
collizionChrisAnubis: As a rule, never (ever) set anything to 777 on permissions. That's not fixing anything, that's ignoring it.21:32
ChrisAnubisThank you. I will make it the www-data group. Should I not have received an error when attempting to add myself to a group that does not exist?21:34
collizionChrisAnubis: You should have, yes.21:34
ChrisAnubiscollizion: I will check to see if it was the www-data group I added. Turned off the VM. If so, then it is most likely that the www-data group is not the current owner of /var/www/html, correct?21:36
collizionChrisAnubis: It's not by default, because it is a security concession.21:38
ChrisAnubiscollizion: ok. Thank you for the help.21:39
ChrisAnubiscollizion: Thank you. That is what the issue was.21:53
=== danwest is now known as danwest-afk
=== Madkiss_ is now known as Madkiss
sarnoldwill2: was it this security update? http://www.ubuntu.com/usn/usn-2455-1/22:51
will2woah... I'll never fully understand irc! that's a lot of text...22:53
=== acrocity_ is now known as acrocity
=== dasjoe_ is now known as dasjoe
=== akaWolf1 is now known as akaWolf
will2sarnold - I am guessing it was, did a apt-get upgrade on the 11th, so, must be...22:53
=== genpaku_ is now known as genpaku
sarnoldwill2: heh, that's part of a netsplit -- for a while there were two, three, or even more separate IRC networks; some clients try to compress it into "netsplit" messages, and some clients just show a few hundred quits and then joins...22:53
=== Schrodin1 is now known as SchrodingersScat
=== RobertLaptop_ is now known as RobertLaptop
=== davidbow_ is now known as davidbowlby
=== mfisch is now known as Guest97735
wil3I keep getting disconnected :/ sorry- hope you are not sending messages that I can't see :(22:59
wil3sarnold - thanks! and read through that... I don't really get the hack, but, I am guessing that is what it is... everywhere online it states that the correct way to do what I want is to do /usr/bin/mail -s "subject" "message" -- -f <address> -F <name> ... And, this worked for 2 years ... I don't understand the hack but need to find a way to fix this...23:00
wil3so...  I found using /usr/bin/mail -a from:address takes care of the -f, but, I can't find an alternative to the -F23:00
=== Ursinha_ is now known as Ursinha
wil2just got kicked off :/23:07
=== broder_ is now known as broder
=== psivaa_ is now known as psivaa__
=== PeterS is now known as 7JTAB3JD3
=== balloons is now known as Guest8667
=== No_one_at_all is now known as Guest33815
=== maxb is now known as Guest47523
=== Pici is now known as Guest32967
=== kermit is now known as Guest58281
=== robher is now known as robher_
=== X-Rob_ is now known as X-Rob
=== Tribaal_ is now known as Tribaal
=== jrgifford__ is now known as jrgifford_
=== Guest58281 is now known as kermit
=== mwhudson_ is now known as mwhudson
=== DalekSec_ is now known as DalekSec