/srv/irclogs.ubuntu.com/2016/07/27/#ubuntu-server.txt

=== Shoe16_ is now known as Shoe16
[07:58] <negev> hi, i'm getting this with apparmor:
[07:58] <negev> [299732.820845] audit: type=1400 audit(1469605230.425:31340): apparmor="ALLOWED" operation="getattr" info="Failed name lookup - deleted entry" error=-2 profile="/usr/sbin/dovecot" name="/var/lib/dovecot/.temp.a.rkw.io.25454.9d807e6e42bbe568" pid=25454 comm="dovecot" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[07:59] <negev> but the usr.sbin.dovecot profile explicitly allows access to files in that path:
[07:59] <negev> /var/lib/dovecot/* rwkl,
=== Shoe16_ is now known as Shoe16
=== Shoe16 is now known as Shoe16|Phone
[08:26] <rbasak> negev: are you sure apparmor is/would actually be denying that?
[08:27] <rbasak> Sounds like it will fail anyway.
[08:27] <negev> rbasak: my assumption is that complain mode would only log events that were denied by the policy
[08:27] <negev> why would that not be the case?
[08:31] <rbasak> I don't know. But the message suggests to me that it's pointing out that it's allowing something that would fail anyway.
[08:32] <negev> requested_mask="r" denied_mask="r"
[08:32] <negev> doesn't that imply denied by policy?
[08:33] <rbasak> Possibly it needs to resolve symlinks before it can check against policy maybe? In that case, it cannot match against a rule.
[08:33] <rbasak> "Failed name lookup - deleted entry"
[08:33] <rbasak> Tell me how that would be expected to work even without any AppArmor interference.
[08:34] <negev> rbasak: i don't know what that message means so i can't comment
[08:34] <rbasak> It means that the file dovecot tried to access does not exist.
[08:34] <negev> ok but why does apparmor report on that?
[08:34] <rbasak> I'm not certain, but that's how I interpret it anyway.
[08:35] <negev> i asked the mailing list, hopefully seth will get back to me soon
[08:35] <rbasak> I'm speculating that it's because it matches a rule but cannot dereference any symlink.
[08:54] <Luther> hi guys, i have a question for nagios.  if i want to use notifications i have to install a plugin to do this like https://github.com/jasonhancock/nagios-html-email/blob/master/README.md or i can set up an email server. Is this correct?  i am new to nagios so please do not tear me in pieces if i overlook something obvious :P
[08:56] <negev> Luther: the local MTA is fine for sending email alerts
[08:57] <andol> Luther: Yes, and no :) Pretty much any action Nagios takes happens by running a plugin. That said, when you install Nagios you usually get a bunch of standard plugins preinstalled and preconfigured; email notifications included.
[08:57] <andol> Luther: But yeah, as negev says, the default email notification does assume the existence of a local MTA.
[08:58] <Luther> okay, i have not found a plugin yet which sends the mail. I mean the local MTA should be fine, but i still have to configure commands.cfg to implement the MTA right?
[09:00] <Luther> alright, forget my last question i was stupid again. Nagios still confuses me sometimes
[09:00] <Luther> thx @negev and @andol
[09:04] <andol> Luther: Yeah, getting into the right Nagios mindset is a bit of an uphill battle, but once you have crossed that hill, it all starts to make perfect sense.
[09:05] <andol> ...even if you might want to consider taking a look at Icinga instead, which is kind of the same, but a bit more modern.
[09:05] <andol> Well, there is classic Icinga, which is almost the same as classic Nagios, just a bit smoother.
[09:06] <andol> Then there is the new Icinga 2, which has a slightly more dynamic config language, etc.
[09:07] <Luther> yeah i have found a lot about Icinga as well, but our professor told us to use nagios ^^ Still i have the feeling that nagios is kind of dead... :O
[09:08] <Luther> i mean the nagios developer conference for this year was canceled, you can hardly find any post about nagios newer than 2014.....
[09:09] <andol> Luther: Ah, part of a school assignment? In that case I wouldn't worry about it, because pretty much everything you learn about Nagios will also be applicable to Icinga.
[09:09] <andol> Yes, there will be details which differ, but a lot of the concepts are the same and will translate fine.
[09:11] <Luther> @Luther kind of. I study IT and my professor told me to monitor some servers for him. But next year i have an internship where i will also have to monitor servers so i am happy to get a little bit more experience. Well that's good to hear if i want to switch to icinga
[09:12] <Luther> @andol kind of. I study IT and my professor told me to monitor some servers for him. But next year i have an internship where i will also have to monitor servers so i am happy to get a little bit more experience. Well that's good to hear if i want to switch to icinga
[09:17] <andol> Luther: Sounds like a good experience!
[09:17] <andol> Luther: Also, with IRC you really don't need to use the @nickname syntax. Most IRC clients will highlight just fine even without the prefixing @.
[09:22] <Luther> alright will remember that andol :)
=== iberezovskiy|off is now known as iberezovskiy
[10:07] <Luther> see ya later guys
[10:07] <Luther> bye
[10:50] <jonah> Hi is anyone here any good with High Availability and IP Failover on Ubuntu? I'm looking for a solution that just uses two servers if it's possible, with the main web server and a second server to provide the failover/sync and ha solution. I realise most people use more servers and load balancers etc but I just wanted to keep the hardware to a minimum both for cost and admin. I found this solution but it's a pretty old link: http://
[10:50] <jonah> mfarrukhsiddique.blogspot.co.uk/2010/01/highly-available-webservice-by-using.html
[10:55] <rbasak> jonah: corosync/pacemaker maybe?
[11:03] <jonah> rbasak: I've seen those mentioned in guides online but they usually need more than 2 servers...
[11:19] <patdk-lap> heh?
[11:19] <patdk-lap> jonah, it never needs more than 2 servers
[11:27] <jonah> patdk-lap: really? I found guides such as this, but the diagram shows 2 load balancers before the two servers: https://www.digitalocean.com/community/tutorials/how-to-create-a-high-availability-setup-with-corosync-pacemaker-and-floating-ips-on-ubuntu-14-04
[11:27] <jonah> patdk-lap: would be great if you could still set all this up using just the two servers including the load balancing too if possible...
[12:15] <patdk-wk> jonah, that guide is insane
[12:15] <patdk-wk> disable stonith cause it's two nodes?
[12:15] <patdk-wk> stonith is always required
[12:59] <jonah> patdk-wk: So with corosync/pacemaker does it work at block level/partition level or does it just sync higher up as I have different partitions etc
[13:05] <hallyn> kirkland: hey, i have a concern, and not sure who to ping.  on landscape, it seems hit or miss as to whether security updates are marked as such.  mysql updates for 12.04 today were not marked as such but changelog lists cves
[13:06] <hallyn> that seems like a dangerous thing for customers who might say "oh, no security updates, i'll wait"
[13:15] <sdexter> I am installing Ubuntu 14.04 LTS Server onto a RAID1 software raid (not fake). When I get to the step where it does grub-install /dev/sdj it fails. I have tried setting this up a number of ways and it fails this same way every time.
[13:16] <jonah> sdexter: i had similar issues. I got it working by setting new partition layout in mbr/msdos rather than GPT
[13:16] <patdk-wk> jonah, what are you talking about?
[13:16] <patdk-wk> corosync/pacemaker have nothing to do with levels or partitions
[13:17] <jonah> patdk-wk: ah that's great then! perfect
[13:17] <patdk-wk> it does HA, it doesn't do whatever you're attempting to ha
[13:17] <jonah> patdk-wk: sorry I don't know much about them
[13:17] <patdk-wk> you have to write/design whatever to manage ha for your filesystem, ip, ...
[13:17] <patdk-wk> HA just manages those in an HA way
[13:17] <patdk-wk> pacemaker just manages
[13:18] <jonah> sdexter: When i tried to use GPT it wouldn't have it, even with the EFI boot partition etc
[13:18] <patdk-wk> it does come with a lot of premade scripts, to handle ip's and stuff though
[13:18] <jonah> patdk-wk: ok cool, are there any nice getting started guides etc for me to try and follow?
[13:18] <patdk-wk> if you want HA filesystem, generally you're talking about using drbd
[13:18] <patdk-wk> then having pacemaker manage whatever runs on those filesystems
[13:24] <patdk-wk> really all you're looking for is running a webserver and load balancer on each node
[13:24] <patdk-wk> then having something move an ip to the active node
[13:24] <patdk-wk> moving that ip is your hard part
[13:24] <patdk-wk> pacemaker can do that, heartbeat can do that, maybe a few other things
[13:24] <patdk-wk> but with two nodes, you need to figure out how to do that successfully
[13:24] <patdk-wk> how do you know the other one failed
[13:25] <patdk-wk> there are no real guides for this, cause it's different for everyone
[13:31] <jonah> patdk-wk: ok thanks
[13:32] <sdexter> jonah: I think I had seen something about that in my research but I wasn't sure how to switch it to msdos
[13:35] <jonah> sdexter: basically when you first partition and format the drive in gparted or some partition program you can choose between mbr/msdos or GPT. Then when you partition the drive set the MBR/MSDOS boot partition or whole partition if you just have one to be bootable by setting the bootflag to be on
[13:36] <jonah> sdexter: it's probably a case of starting fresh and partitioning the drive with a live linux cd or something and setting up a new partition table in msdos. Then let the partitioner in the ubuntu setup thing set the partitions you want from there or use guided install
[13:38] <sdexter> Yeah, I didn't see options for msdos in the installer itself. So i am going to boot from a desktop CD and try what you mentioned.
[13:39] <jonah> sdexter: ok good luck
[13:41] <sdexter> jonah: thanks
[13:57] <rbasak> smoser: do you think bug 1206164 is worth an Ubuntu delta? I'm concerned about how diverged Ubuntu is becoming on ntp.
[13:57] <ubottu> bug 1206164 in ntp (Ubuntu) "/etc/network/if-up.d/ntpdate does not detach correctly" [Medium,Triaged] https://launchpad.net/bugs/1206164
[14:04] <smoser> rbasak, is debian not willing to take it?
[14:04] <smoser> it looked like a clear bug
[14:06] <smoser> rbasak, wow. i read that bug and had no idea that i wrote it ;)
[14:08] <smoser> well, i think christian's suggestion is good.
[14:15] <rbasak> smoser: Debian's ntp doesn't seem to have an active maintainer. So we'll be maintaining any delta for a long time.
[14:16] <rbasak> smoser: I agree with Christian's patch. I just don't like adding stuff like new configuration options in Ubuntu deltas. Makes for future pain. So how important is it to us?
[14:16] <smoser> i don't know. have to think about it more.
[14:16] <smoser> backgrounding is a pita too
[14:17] <smoser> the only reason it backgrounds (as i understand it) is so that it does not block if the ntp server is not available
[14:17] <smoser> but backgrounding that on boot means that at some indeterminable point in boot the clock jumps
[14:18] <rbasak> Perhaps we should stop seeding ntpdate (assuming we are)
[14:18] <rbasak> Do VMs start from the epoch or from the host's date?
[14:18] <smoser> host's date
[14:19] <rbasak> Then can we rely on curtin to use ntpdate, not seed ntpdate or ntp, leave systemd-timesyncd by default to slew time?
[14:19] <rbasak> If the user installs ntpdate then the user accepts the time jump.
[14:20] <smoser> yes.
[14:21] <smoser> and it even makes sense that they accept it on ifup of some device
[14:21] <smoser> but accepting it at an arbitrary point in boot is more sucky
[14:21] <smoser> with no way to control it
=== JanC is now known as Guest24709
=== JanC_ is now known as JanC
[14:22] <rbasak> Christian's patch is fine to help solve that, but I think it should be in Debian first.
[14:23] <rbasak> If we don't seed ntpdate, I don't think it's worth an Ubuntu delta.
[14:24] <smoser> rbasak, maas is i believe wanting to use it.
[14:24] <smoser> so there is a bug... i'd have to find it.
[14:24] <smoser> but basically if you are firewalled off the internet and have ntpdate installed
[14:24] <smoser> and you have loads of interfaces
[14:25] <smoser> then ifup -a really sucks
[14:25] <rbasak> In that situation, why do you have ntpdate installed?
[14:25] <smoser> for no reason
[14:25] <smoser> i don't know.
[14:25] <smoser> i think this was an openstack
[14:25] <smoser> actually, i do know
[14:25] <smoser> because you can't really use ntp without ntpdate right?
[14:25] <smoser> unless you are sure your clock will never get busted to the point that ntp will refuse to jump ?
[14:25] <smoser> or is that handled elsewhere
[14:26] <rbasak> IIRC, ntp has an option to allow it to jump nowadays
[14:26] <rbasak> Yes - "-g"
[14:26] <rbasak> ntp upstream deprecated ntpdate
[14:26] <smoser> in that case, running ntpdate on ifup seems pointless.
[14:26] <rbasak> ntpd -qg is equivalent to ntpdate
[14:26] <smoser> and yeah, installing it seems pointless
[14:33] <rbasak> dovecot-core recommends ntpdate for some reason. That's all I can see (http://people.canonical.com/~ubuntu-archive/germinate-output/ubuntu.yakkety/rdepends/ntp/ntpdate)
[14:33] <patdk-wk> dovecot hates it when time jumps
[14:33] <patdk-wk> it causes all kinds of problems
[14:44] <kirkland> hallyn: chat with tyhicks and jdstrand, for a start;  maybe also sync with sparkiegeek (dpb is on holiday this week)
[14:49] <jdstrand> tyhicks (cc kirkland and hallyn): if it is in landscape I suspect ratliff might be able to talk to someone at the sprint directly
[14:49]  * jdstrand isn't sure if landscape is at that sprint, but I thought so
[14:51] <rbasak> That sounds familiar. Nagios' check_apt behaves in a similarly broken way. It relies on apt-get -s and looks at which pocket a download would come from. But security updates are copied to the -updates pocket as well, so this is unreliable.
[14:53] <hallyn> thanks guys.  ratliff: is that something you can push on?
[14:55] <tyhicks> ratliff: if you have someone in landscape to talk to in person there, mysql-server-5.7 was correctly uploaded to xenial-security but, as rbasak pointed out, it is copied to xenial-updates shortly after
[14:57] <tyhicks> ratliff: they could possibly look at the destination pocket specified in the changelog ('xenial-security' can be seen in the first line of https://launchpad.net/ubuntu/+source/mysql-5.7/5.7.13-0ubuntu0.16.04.2)
[14:58] <tyhicks> ratliff: I'm sure there are probably more reliable means available via launchpad apis but I don't know about them off the top of my head
[15:00] <rbasak> bug 1031680 is the nagios-plugins issue. It's only speculation - Landscape might be doing something completely different.
[15:00] <ubottu> bug 1031680 in nagios-plugins (Ubuntu) "check_apt always report 0 critical updates" [High,Triaged] https://launchpad.net/bugs/1031680
=== iberezovskiy is now known as iberezovskiy|off
=== pavlushka_ is now known as Guest91131
=== Guest91131 is now known as pavlushka
[18:27] <setuid> Anyone about good with iscsi? I've tripped on something that I don't think should behave like it is...
[18:27] <setuid> Clean install of 14.04.4 server, installed iscsi components, set up a single, 50GB sparse file on the target, then on the client, I used:
[18:28] <setuid> iscsiadm -m discovery -t st -p trustyS-iscsitarget
[18:28] <setuid> and it finds -two- paths to that target, one on each NIC (different subnets)
[18:28] <setuid> on the client, I then did: iscsiadm -m node --login
[18:28] <setuid> which finds -two- 50GB volumes, /dev/sdb and /dev/sdc respectively
[18:30] <setuid> I can format /dev/sdb1, drop a file there, mount /dev/sdc1 and the file is not there. I mount /dev/sdc1, drop a file there, then unmount. Mounting up /dev/sdc1 again, I see the -first- file (the one I put on /dev/sdb1)
[18:30] <setuid> 1.) Why does iscsiadm see -two- 50GB volumes, when there's only one physical volume? 2.) Why does it treat them as if they were independent, but they're obviously the same volume.
[18:31] <sarnold> setuid: simple questions with insanely complicated answers..
[18:31] <setuid> sarnold, I'm following this blog post, step by step: http://caribou.kamikamamak.com/2014/09/30/iscsi-and-device-mapper-multipath-test-setup/
[18:31] <sarnold> setuid: if there's actually two networks worth of bandwidth to the thing you may wish to set up multipathing on the client, so it'll issue commands down both, either for bandwidth or for reliability
[18:32] <setuid> but I'm dead right where I have to format the partition. If I have multipath-tools installed (which I need), the moment I use iscsiadm to log in, BOTH volumes are in use, and I can't format them.
[18:32] <sarnold> setuid: if there's only one network worth of bandwidth between the two it's probably best to pretend the second name for it doesn't exist
[18:32] <setuid> How does it automatically set up multipathing, when I removed that package?
[18:32] <setuid> They're VMs on the same physical host, but two separate networks coming into each VM
[18:33] <setuid> so each VM (2 total) has 2 NICs, NIC1 is net1, NIC2 is net2
[18:33] <setuid> I specifically named the host different names (in /etc/hosts) based on each network, so it would not overlap subnets
[18:34] <setuid> 172.16.38.139   trustyS-iscsitarget
[18:34] <setuid> 172.16.181.128  trustyS-iscsitarget2
[18:34] <setuid> for example
[18:34] <setuid> I'm trying to debug a multipath issue, but tripped on this well before I even started configuring multipathing
[18:37] <setuid> sarnold, this is what I see: http://paste.debian.net/785642/
[18:39] <sarnold> setuid: I suspect that performing operations on the individual /dev/sdb* and /dev/sdc* names has probably corrupted that file irreparably; you may wish to start over from the step of 'create new sparse file'
[18:39] <setuid> odd... if I create a partition on /dev/sdc, so I now have /dev/sdc1, I can see it in fdisk on /dev/sdb, but there is no /dev/sdb1, until I go into fdisk on /dev/sdb, do nothing, and use 'w' to write the "changes" to that, then /dev/sdb1 appears.
[18:39] <patdk-lap> heh?
[18:39] <patdk-lap> sarnold those are simple questions with simple answers
[18:39] <setuid> sarnold, Fair enough, I'll try that
[18:39] <patdk-lap> what filesystem are you using?
[18:40] <sarnold> setuid: then -never- work with the individual devices but only the dm-multipath device..
[18:40] <setuid> sarnold, multipath is not installed
[18:40] <setuid> I *can't* install it
[18:40] <sarnold> patdk-lap: heh explaining why you can't just use ext4 or zfs on two paths to the same device takes some time and effort, and understanding why e.g. ocfs2 can work in the same situation is yet another huge ball of wax :)
[18:40] <setuid> because I then can't format the device
[18:41] <patdk-lap> sarnold, it's easy, they are TWO different devices :)
[18:41] <sarnold> setuid: but you're in luck, patdk-lap's around :) I was hoping he'd spot the question..
[18:41] <patdk-lap> with different caches
[18:41] <patdk-lap> you must not use both at once, ever
[18:41] <patdk-lap> that is what the multipath package is for
[18:42] <setuid> sarnold, http://paste.debian.net/785644/
[18:42] <setuid> patdk-lap, I'm not trying to use both at once
[18:42] <setuid> I just happened to notice the oddity
[18:42] <setuid> I log in, and it creates /dev/sdb and /dev/sdc
[18:42] <patdk-lap> it's not odd
[18:42] <setuid> but no dm-X device
[18:42] <patdk-lap> you have two paths, so it makes two devices
[18:43] <sarnold> setuid: why can't you install the multipath tools?
[18:43] <setuid> How can I possibly have two paths, without configuring the iscsi initiator to do so?
[18:43] <patdk-lap> heh?
[18:43] <patdk-lap> you don't configure the initiator
[18:43] <setuid> sarnold, With multipath installed, I can't format the vols, once I've used --login
[18:43] <patdk-lap> you configure the target to only have one path
[18:43] <setuid> sarnold, with multipath removed, I can
[18:44] <setuid> patdk-lap, the target only has one path
[18:44] <setuid> Target iqn.2014-09.trustyS-iscsitarget:storage.sys0
[18:44] <setuid>         Lun 0 Path=/home/ubuntu/iscsi_disk.img,Type=fileio,ScsiId=lun0,ScsiSN=lun0
[18:44] <setuid> that is the *ONLY* entry in /etc/iet/ietd.conf
[18:44] <patdk-lap> that says you have one lun
[18:44] <patdk-lap> nothing about paths
[18:44] <setuid> http://caribou.kamikamamak.com/2014/09/30/iscsi-and-device-mapper-multipath-test-setup/
[18:44] <setuid> ^ following that blog
[18:44] <sarnold> setuid: so you run e.g. cfdisk /dev/mapper/mpath0 ... and then what happens?
[18:45] <setuid> http://paste.debian.net/785646/
[18:45] <setuid> that's all that's in there, as expected... root fs and swap
[18:46] <patdk-lap> oh ya, that is right
[18:46] <setuid> But /dev/sdb and /dev/sdc represent the single, 50GB vol on the target
[18:46] <sarnold> did the multipath -ll show anything?
[18:46] <patdk-lap> I answered this last week
[18:46] <patdk-lap> iet does not support LIMITING multipathing
[18:46] <setuid> There is no multipath on the host
[18:46] <setuid> Not yet anyway, I have to remove the package to format the vol, then install it
[18:46] <setuid> Once I install multipath, /dev/sdb and /dev/sdc become locked, in-use, and I can't partition or format them
[18:47] <patdk-lap> why would you want to?
[18:47] <sarnold> that's probably for the best
[18:47] <sarnold> you need to then access them with the multipath-constructed "single" view of the thing
[18:47] <sarnold> and if multipath -ll didn't construct one for you, that's probably the place to start debugging
[18:48] <setuid> http://paste.debian.net/785648/
[18:48] <sarnold> aha once you've modified the /dev/sdb directly it's probably time to throw away the sparse file again :)
[18:48] <sarnold> oh line #3 :)
[18:48] <setuid> http://paste.debian.net/785649/
[18:49] <setuid> Right, so now I format /dev/mapper/{long-grok-path}-part1
[18:51] <setuid> So that blog post is completely incorrect in these steps referring to /dev/sda
[18:51] <sarnold> well
[18:51] <setuid> And the commands and output they show are missing quite a few options
[18:51] <sarnold> they are indicating that the iscsi layer works
[18:51] <sarnold> but not recommendations on how to actually use the thing
[18:51] <setuid> There's no way to get the output they claim out of the commands they show being used
[19:10] <setuid> patdk-lap, Ok, after some small hoops and translation, it works. I'm trying to debug why /etc/multipath/wwids wouldn't get generated on boot, but does work when using 'multipath -W'
[19:11] <setuid> That's why I modeled these VMs to replicate that reported issue
[19:11]  * setuid loves the good problems
[19:16] <patdk-lap> :)
[19:17]  * setuid spies 'peers' in the channel too ;)
=== Kenrinx is now known as kenrin
[21:13] <cncr04s> Unrecognized mount option "umask=000" or missing value
[21:35] <CodeMouse92> Greetings, all. Is it possible to limit access to some web directory (the way .htaccess does), but using credentials from an OAuth2 server?
[21:41] <sarnold> CodeMouse92: does this do what you want? https://github.com/pingidentity/mod_auth_openidc
[21:43] <CodeMouse92> sarnold: That might work. I'm a fairly novice IT, so I'm totally out of my element, here.
[21:44] <CodeMouse92> sarnold: I need to connect to this puppy: http://standards.mousepawgames.com/csi.html
[21:44] <sarnold> CodeMouse92: I've never had to worry about more complicated apache authentication and authorization.. even the basics are annoying :) .. but I saw a few references to that module on stack overflow answers and a quick skim of the page looked sane
[21:45] <sarnold> "The CSI (Commenting Showing Intent) Commenting Standards refers to a style of code commenting which allows for the complete rewriting of a program in any language, given only the comments"
[21:45] <sarnold> holy cow, that's ambitious
[21:45] <CodeMouse92> sarnold: Yeah, it looks pretty sane. My only reasoning is that I don't want to set up an employee account on *yet one more subsite* in our network
[21:45] <CodeMouse92> sarnold: OH! Wrong link!!!
[21:45] <CodeMouse92> sarnold: HERE is what I meant: https://secure.phabricator.com/book/phabcontrib/article/using_oauthserver/
[21:46] <CodeMouse92> I hate when copy doesn't actually copy >.<
[21:46] <CodeMouse92> (You're welcome to read that other one, though. It's a work in progress, but it works pretty well for us so far)
[21:47] <Guest16595> some one help meeeee
[21:47] <Guest16595> http://askubuntu.com/questions/803276/ufw-block-syslog-tcp-ip-is-blocked-and-this-is-allowed-in-ufw/803307#803307
[21:47] <Guest16595> with this mdfk ufw, simple config, only allow port 80,22,12300:12400 tcp and udp
[21:51] <sypher> Guest16595: I suppose my first question would be: Why are you trying to limit outbound connections?
[21:52] <Guest16595> well i am new in this...
[21:52] <sypher> Guest16595: Which makes my question all the more important. Do you know why you're trying to limit outbound connections?
[21:53] <Guest16595> i have been trying to allow that range of ports
[21:53] <sypher> Guest16595: You're not answering my question. WHY are you trying to limit outbound connections at all?
[21:54] <sypher> Guest16595: Let's step back. The system in question, whose firewall you're managing. What is this system doing? Is it a webserver, etc?
[21:55] <Guest16595> Because i am new and i didn't know what i was doing
[21:55] <Guest16595> yes it is a webserver
[21:55] <sypher> Guest16595: That's alright. I was just making sure there wasn't a specific purpose in mind.
[21:55] <Guest16595> of tracking
[21:55] <sypher> Guest16595: What ports does this server need to accept connections on from the outside? 80, 443, what else?
[21:55] <Guest16595> gps connect to the server, a lot of gps..
[21:56] <Guest16595> only port 80 for website, 22 for ssh, and range 12300 to 12400 for gps...
[21:57] <Guest16595> "gps trackers"
[21:57] <sypher> Guest16595: Excellent. Do you have console access to the server, not through SSH?
[21:58] <Guest16595> well i connect via ssh
[21:58] <Guest16595> but i am not in front of the server
[21:58] <sypher> Guest16595: I ask because any firewall work can potentially disrupt your access to the system.
[21:59] <sypher> Guest16595: I would suggest disabling ufw (sudo ufw disable), then resetting it entirely (sudo ufw reset).
[21:59] <Guest16595> i disabled the ufw, because if i enable it, it blocks some ports of the range
[21:59] <sypher> Guest16595: Then skip the disable portion and fully reset it.
[21:59] <sypher> sudo ufw reset
[22:00] <Guest16595> i did it a lot of times and tried with different configurations
[22:00] <Guest16595> and iptables, directly
[22:00] <Guest16595> lik
[22:00] <Guest16595> like iptables -A INPUT -p tcp -m tcp --dport 12340:12400 -j ACCEPT
[22:00] <sypher> Guest16595: But none of them have worked, so let's just start from a known good starting point. Please reset ufw.
[22:01] <Guest16595> yep
[22:01] <Guest16595> i did
[22:01] <Guest16595> i did it.
[22:01] <sypher> These GPS devices - do they communicate over TCP or UDP?
[22:01] <Guest16595> with 2
[22:01] <Guest16595> udp and tcp
[22:02] <sypher> Guest16595: You should only require the following three rules: http://paste.ubuntu.com/21200464/
[22:02] <sypher> Those three commands will allow SSH and HTTP inbound, as well as the ports you listed for the GPS devices. You don't need any manual iptables rules or outbound filtering.
[22:02] <genii> most GPS use TCP, some can be set for either or both
[22:03] <sypher> I don't have a clue of how they communicate. :P
[22:03] <Guest16595> but when i type "ufw allow 12340:12400" it says "ERROR: Must specify 'tcp' or 'udp' with multiple ports"
[22:03] <sypher> Guest16595: Oh, fair enough.
[22:03] <sypher> Guest16595: http://paste.ubuntu.com/21200626/
[22:03] <Guest16595> and i need to specify the protocol, like "ufw allow 12340:12400/tcp" and "ufw allow 12340:12400/udp"
[22:03] <sypher> Make that four commands, then.
[22:04] <Guest16595> man, how do i create a note like yours...
[22:05] <sypher> Guest16595: http://paste.ubuntu.com/
[22:05] <Guest16595> http://paste.ubuntu.com/21200858/
[22:06] <sypher> Guest16595: That should be all you need.
[22:06] <Guest16595> i'll show you what rules are in ufw
[22:06] <Guest16595> well
[22:06] <Guest16595> i'll run it and show you the log errors, wait a minute
[22:07] <sarnold> Guest16595: btw, the "pastebinit" tool in the "pastebinit" package makes creating pastebin links from a terminal really easy
[22:07]  * sypher goes to install that...
[22:08] <sypher> Guest16595: One more thing, actually. Could you pastebin the contents of /etc/default/ufw?
[22:12] <Guest16595> sypher : http://paste.ubuntu.com/21201733/
[22:13] <sypher> Guest16595: Your firewall functions as designed.
[22:13] <sypher> Guest16595: Oh, wait, I see what's going on.
[22:13] <sypher> Guest16595: Can you pastebin the output of 'iptable -L' for me?
[22:13] <Guest16595> what?? it's the port source?
[22:13] <Guest16595> yes
[22:14] <sypher> err...
[22:14] <sypher> iptables -L
[22:15] <Guest16595> http://paste.ubuntu.com/21202041/
[22:15] <Guest16595> and iptables -S
[22:15] <Guest16595> http://paste.ubuntu.com/21202142/
[22:21] <sypher> Guest16595: Huh. Can I also get 'ufw status verbose'?
[22:21] <Guest16595> yep
[22:22] <Guest16595> http://paste.ubuntu.com/21202879/
[22:23] <sypher> Guest16595: And you're still seeing that traffic blocked?
[22:23] <Guest16595> yes
[22:23] <Guest16595> i see some ips blocked
[22:25] <Guest16595> maybe it would be the time of connections?, like this "ufw supports connection rate limiting, which is useful for protecting against brute-force login attacks. When a limit rule is used, ufw will normally allow the connection but will deny connections if an IP address attempts to initiate 6 or more connections within 30 seconds. See http://www.debian-administration.org/articles/187 for details."
[22:25] <sypher> Guest16595: My theory? When you reenabled ufw, it likely reset its connection tracking. TCP packets coming in with the ACK flag set imply that it's a response to something the server sent, but iptables doesn't have a record of the connection, so it drops it.
[22:27] <sypher> Guest16595: You might try port-scanning your server to confirm that the ports are, in fact, open from the outside, if you're familiar with the process on how to do so.
[22:27] <Guest16595> http://paste.ubuntu.com/21203533/
[22:28] <sypher> Guest16595: You can't portscan yourself locally. :P That doesn't hit the firewall at all.
[22:28] <Guest16595> jejeje wait a second
[22:33] <Guest16595> this is from my computer to the server, the server has ufw enabled
[22:33] <Guest16595> http://paste.ubuntu.com/21204076/
[22:33] <Guest16595> i have a virtual machine with linux mint xD
[22:33] <sypher> Guest16595: You'
[22:34] <sypher> Guest16595: You're being rate-limited. :) I can tell because of the gaps in the port numbers.
[22:34] <sypher> Guest16595: Which is odd, because ufw doesn't rate-limit by default, last I checked.
[22:35] <sypher> Guest16595: Actually, no, you're not. The list of listening ports from the outside matches what you got locally. You're just not listening on that whole range. So, yeah. Your firewall is functioning properly for new connections.
[22:38] <Guest16595> And if my firewall is functioning properly, what can i do?
[22:38] <Guest16595> enable it, and wait for the gps trackers to reconnect again?
[22:38] <sypher> Guest16595: Correct.
[22:41] <Guest16595> i'm going to check this, the things and learn jajajajaj, well linux is a world to learn
[22:42] <Guest16595> sorry, i meant to say the things that i learned to config simple options for a port range
[22:48] <Guest16595> sorry i forgot to thank you <sypher>, thanks for your time and for all the help, i will check the logs
[22:58] <CodeMouse92> I have an HTTPS site configured in Apache2, and I've enabled it and reloaded Apache. I also have the port open on the firewall
[22:58] <CodeMouse92> However, no dice. It's 404ing me.
[23:01] <CodeMouse92> here's the site conf. I've replaced the actual website with example.com: https://bpaste.net/show/71dc8232431e
[23:06] <powersj> CodeMouse92, check apache logs and see if it just can't find the index.* file or whatever you are trying to pull up.
[23:07] <CodeMouse92> powersj: Unfortunately, no dice. Unless I need to specify loglevel in that .conf...?
[23:08] <powersj> no dice as in no logs at all or can't find them?
[23:08] <CodeMouse92> As in, nothing odd in /var/log/apache2/error.log
[23:09] <powersj> check access.log as well to see what was trying to be pulled up by apache
[23:09] <CodeMouse92> powersj: Absolutely nothing for this domain at all
[23:09] <CodeMouse92> For this site, sorry
[23:10] <CodeMouse92> Other sites, yes, but I just refreshed this page, got 404 still, but nothing appears in access.log or error.log to that effect
[23:11] <CodeMouse92> I'm clearing logs and refreshing
[23:11] <CodeMouse92> Restarting apache2, sry
[23:12] <CodeMouse92> powersj: After clearing logs and restarting, and then attempting to go to the site in question, access.log is empty. error.log is https://bpaste.net/show/b877a0537b0b
[23:13] <CodeMouse92> All other sites operating normally
[23:14] <powersj> Any other site using SSL?
[23:14] <CodeMouse92> Yes, all but one
[23:14] <powersj> ok so it is enabled correctly
[23:14] <CodeMouse92> Same cert, too.
[23:15] <CodeMouse92> Validated location of document root, and it has www-data ownership
[23:18] <powersj> the only other thing is the ServerName, does your version actually have www.*.com:8442 (note the www)
[23:19] <CodeMouse92> I'm not sure I understand. Another valid SSL site is using 'example.com:8446'
[23:19] <powersj> then that isn't it
[23:22] <CodeMouse92> I've even tried moving my working directory to /var/www/protected
[23:22] <CodeMouse92> And pointing to that. No dice
[23:26] <CodeMouse92> powersj: Problem solved. didn't add the port to /etc/apache2/ports.conf
[23:26] <CodeMouse92> It's now working
[23:26] <powersj> grats :)
[23:36] <CodeMouse92> Anyone familiar with mod_auth_openidc? I need to get it working with this: https://secure.phabricator.com/book/phabcontrib/article/using_oauthserver/
[23:55] <ubuntu_> Is there anything for linux machines that one can use that's equivalent to hyper-v? in the repos i see type 2 virtual software but not too much type 1 software in the repos
[23:56] <ubuntu_> I know vmware, ...etc are options i would imagine but there is really not much apt-get install based stuff
[23:57] <sarnold> ubuntu_: I haven't got a clue what you mean by "type 1" and "type 2" but there's qemu/kvm and xen and virtualbox; most people use qemu/kvm with the libvirt wrappers
[23:57] <sarnold> ubuntu_: there's also kvmtool but that's used less frequently than qemu/kvm
[23:57] <ubuntu_> type one based hypervisors that work at the bare hardware level as opposed to a vbox on the OS itself. I know i am not explaining this well
[23:58] <ubuntu_> Is there any type 2 software that would allow one to set up virtual remote desktops for 1000 client computers
[23:59] <ubuntu_> like having 1000 client linux machines boot up into a virtual machine hosted on the ubuntu server