=== Shoe16_ is now known as Shoe16
[07:58] <negev> hi, i'm getting this with apparmor:
[07:58] <negev> [299732.820845] audit: type=1400 audit(1469605230.425:31340): apparmor="ALLOWED" operation="getattr" info="Failed name lookup - deleted entry" error=-2 profile="/usr/sbin/dovecot" name="/var/lib/dovecot/.temp.a.rkw.io.25454.9d807e6e42bbe568" pid=25454 comm="dovecot" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[07:59] <negev> but the usr.sbin.dovecot profile explicitly allows access to files in that path:
[07:59] <negev> /var/lib/dovecot/* rwkl,
=== Shoe16_ is now known as Shoe16
=== Shoe16 is now known as Shoe16|Phone
[08:26] <rbasak> negev: are you sure apparmor is/would actually be denying that?
[08:27] <rbasak> Sounds like it will fail anyway.
[08:27] <negev> rbasak: my assumption is that complain mode would only log events that were denied by the policy
[08:27] <negev> why would that not be the case?
[08:31] <rbasak> I don't know. But the message suggests to me that it's pointing out that it's allowing something that would fail anyway.
[08:32] <negev> requested_mask="r" denied_mask="r"
[08:32] <negev> doesn't that imply denied by policy?
[08:33] <rbasak> Possibly it needs to resolve symlinks before it can check against policy maybe? In that case, it cannot match against a rule.
[08:33] <rbasak> "Failed name lookup - deleted entry"
[08:33] <rbasak> Tell me how that would be expected to work even without any AppArmor interference.
[08:34] <negev> rbasak: i don't know what that message means so i can't comment
[08:34] <rbasak> It means that the file dovecot tried to access does not exist.
[08:34] <negev> ok but why does apparmor report on that?
[08:34] <rbasak> I'm not certain, but that's how I interpret it anyway.
[08:35] <negev> i asked the mailing list, hopefully seth will get back to me soon
[08:35] <rbasak> I'm speculating that it's because it matches a rule but cannot dereference any symlink.
[08:54] <Luther> hi guys, i have a question for nagios.  if i want to use notifications i have to install a plugin to do this like https://github.com/jasonhancock/nagios-html-email/blob/master/README.md or i can set up an email server. Is this correct?  i am new to nagios so please do not tear me in pieces if i oversee something obvious :P
[08:56] <negev> Luther: the local MTA is fine for sending email alerts
[08:57] <andol> Luther: Yes, and no :) Pretty much any action Nagios takes happens by running a plugin. That said, when you install Nagios you usually get a bunch of standard plugins preinstalled and preconfigured; email notifications included.
[08:57] <andol> Luther: But yeah, as negev says, the default email-notification does assume the existance of a local MTA.
[08:58] <Luther> okay, i have not found a plugin yet which send the mail. I mean the local MTA should be fine , but i still have to configure commands.cfg to implement the MTA right?
[09:00] <Luther> allright, forget my last question i was stupid again. Nagios still confuses me sometimes
[09:00] <Luther> thx @negev and @andol
[09:04] <andol> Luther: Yeah, getting into the right Nagios mindset is a bit of an uphill battle, but once you have crossed that hill, it all starts to make perfect sense.
[09:05] <andol> ...even if you might want to consider taking a look at Icinga instead, which is kind of the same, but a bit more modern.
[09:05] <andol> Well, there is classic Icinga, which is almost the same as classic Nagios, just a bit smoother.
[09:06] <andol> Then there is the new Icinga 2, which has a slightly more dynamic config language, etc.
[09:07] <Luther> yeah i have found a lot about Icinga as well, but our professor told us to use nagios ^^ Still i have the feeling that nagios is kind of dead... :O
[09:08] <Luther> i mean the nagios developer conference for this year was canceled, you can hardly find any post about nagios newer than 2014.....
[09:09] <andol> Luther: Ah, part of a school assignment? In that I wouldn't worry about it, because pretty much everything you learn about Nagios will also be applicable to Icinga.
[09:09] <andol> Yes, there will be details which differ, but a lot of the concepts are the same and will translate fine.
[09:11] <Luther> @Luther kind of. I study IT and my professor told me to monitor some servers for him. But the next year i have an internship where i will also have to monitor servers so i am happy to get a little bit more experience. Well thats good to hear if i want to switch to icinga
[09:12] <Luther> @andol kind of. I study IT and my professor told me to monitor some servers for him. But the next year i have an internship where i will also have to monitor servers so i am happy to get a little bit more experience. Well thats good to hear if i want to switch to icinga
[09:17] <andol> Luther: Sounds like a good experience!
[09:17] <andol> Luther: Also, with IRC you really don't need to use the @nickname syntax. Most IRC clients will highlight just fine even without the prefixing @.
[09:22] <Luther> allright will remember that andol :)
=== iberezovskiy|off is now known as iberezovskiy
[10:07] <Luther> see ya later guys
[10:07] <Luther> bye
[10:50] <jonah> Hi is anyone here any good with High Availability and IP Failover on Ubuntu? I'm looking for a solution that just uses two servers if it's possible, with the main web server and a second server to provide the failover/sync and ha solution. I realise most people use more servers and load balancers etc but I just wanted to keep the hardware to a minimum for both for cost and admin. I found this solution but it's a pretty old link: http://
[10:50] <jonah> mfarrukhsiddique.blogspot.co.uk/2010/01/highly-available-webservice-by-using.html
[10:55] <rbasak> jonah: corosync/pacemaker maybe?
[11:03] <jonah> rbasak: I've seen those mentioned on guide online but they usually need more than 2 servers...
[11:19] <patdk-lap> heh?
[11:19] <patdk-lap> jonah, it never needs more than 2 servers
[11:27] <jonah> patdk-lap: really? I found guides such as this, but the diagram shows 2 load balancers before the the two servers: https://www.digitalocean.com/community/tutorials/how-to-create-a-high-availability-setup-with-corosync-pacemaker-and-floating-ips-on-ubuntu-14-04
[11:27] <jonah> patdk-lap: would be great if you could still set all this up using just the two servers including the load balancing too if possible...
[12:15] <patdk-wk> jonah, that guide is insane
[12:15] <patdk-wk> disable stonith cause it's two nodes?
[12:15] <patdk-wk> stonith is always required
[12:59] <jonah> patdk-wk: So with corosync/pacemaker does it work at block level/partition level or does it just sync higher up as I have different partitions etc
[13:05] <hallyn> kirkland: hey, i have a concern, and not sure who to ping.  on landscape, it seems hit or miss as to whether security updates are marked as such.  mysql updates for 12.04 today were not markedas such but changelog lists cves
[13:06] <hallyn> that seems like a dangerous thing for customers who might say "oh, no security updates, i'll wait"
[13:15] <sdexter> I am installing Ubuntu 14.04 LTS Server onto a RAID1 software raid (not fake). When I get to the step where it does grub-install /dev/sdj it fails. I have tried setting this up a number of ways and it fails this same way every time.
[13:16] <jonah> sdexter: i had similar issues. I got it working by setting new partion layout in mbr/msdos rather than GPT
[13:16] <patdk-wk> jonah, what are you talking about?
[13:16] <patdk-wk> corocync/pacemaker have nothing to do with levels or partitions
[13:17] <jonah> patdk-wk: ah that's great then! perfect
[13:17] <patdk-wk> it does HA, it doesn't do whatever your attempting to ha
[13:17] <jonah> patdk-wk: sorry I don't know much about them
[13:17] <patdk-wk> you have to write/design whatever to manage ha for your filesystem, ip, ...
[13:17] <patdk-wk> HA just manages those in an HA way
[13:17] <patdk-wk> pacemaker just manages
[13:18] <jonah> sdexter: When i tried to use GPT it wouldn't have it, even with the EFI boot partition etc
[13:18] <patdk-wk> it does come with a lot of premade scripts, to handle ip's and stuff though
[13:18] <jonah> patdk-wk: ok cool, is there any nice getting started guides etc for me to try follow?
[13:18] <patdk-wk> if you want HA filesystem, generally your talking about using drbd
[13:18] <patdk-wk> then having pacemaker manage whatever runs on those filesystems
[13:24] <patdk-wk> reaqlly all your looking for is running a webserver and load balancer on each node
[13:24] <patdk-wk> then having something move an ip to the active node
[13:24] <patdk-wk> moving that ip is your hard part
[13:24] <patdk-wk> pacemaker can do that, heatbeat can do that, maybe a few other things
[13:24] <patdk-wk> but with two nodes, you need to figure out how to do that sucessfully
[13:24] <patdk-wk> how do you know the other one failed
[13:25] <patdk-wk> there are no real guides for this, cause it's different for everyone
[13:31] <jonah> patdk-wk: ok thanks
[13:32] <sdexter> jonah: I think I had seen something about that in my research but I wasn't sure how to switch it to msdos
[13:35] <jonah> sdexter: basically when you first partition and format the drive in gparted or some partition program you can choose between mbr/msdos or GPT. Then when you partition the drive set the MBR/MSDOS boot partition or whole partition if you just have one to be bootable by setting the bootflag to be on
[13:36] <jonah> sdexter: it's probably a case of starting fresh and partitioning the drive with a live linux cd or something and setting up a new partition table in msdos. Then let the partitioner in the ubuntu setup thing set the partitions you want from there or use guided install
[13:38] <sdexter> Yeah, I didn't see options for msdos in the installer itself. So i am going to boot from a desktop CD and try what you mentioned.
[13:39] <jonah> sdexter: ok good luck
[13:41] <sdexter> jonah: thanks
[13:57] <rbasak> smoser: do you think bug 1206164 is worth an Ubuntu delta? I'm concerned about how diverged Ubuntu is becoming on ntp.
[13:57] <ubottu> bug 1206164 in ntp (Ubuntu) "/etc/network/if-up.d/ntpdate does not detach correctly" [Medium,Triaged] https://launchpad.net/bugs/1206164
[14:04] <smoser> rbasak, is debian not willing to take it?
[14:04] <smoser> it looked like a clear bug
[14:06] <smoser> rbasak, wow. i read that bug and had no idea that i wrote it ;)
[14:08] <smoser> well, i think christians' suggestion is good.
[14:15] <rbasak> smoser: Debian's ntp doesn't seem to have an active maintainer. So we'll be maintaining any delta for a long itme.
[14:16] <rbasak> smoser: I agree with Christian's patch. I just don't like adding stuff like new configuration options in Ubuntu deltas. Makes for future pain. So how important is it to us?
[14:16] <smoser> i dont know. have to think about it more.
[14:16] <smoser> backgrounding is a pita too
[14:17] <smoser> the only reason it backgrounds (as i understand it) is so that it does not block if the ntp server is not available
[14:17] <smoser> but backgrounding that on boot means that at some indeterminable point in boot clock jumps
[14:18] <rbasak> Perhaps we should stop seeding ntpdate (assuming we are)
[14:18] <rbasak> Do VMs start from the epoch or from the host's date?
[14:18] <smoser> hosts date
[14:19] <rbasak> Then can we rely on curtin to use ntpdate, not seed ntpdate or ntp, leave systemd-timesyncd by default to slew time?
[14:19] <rbasak> If the user installs ntpdate then the user accepts the time jump.
[14:20] <smoser> yes.
[14:21] <smoser> and it even make sense that they accept it on ifup of some device
[14:21] <smoser> but accepting it at an arbitrary point in boot is more sucky
[14:21] <smoser> with no way to control it
=== JanC is now known as Guest24709
=== JanC_ is now known as JanC
[14:22] <rbasak> Christian's patch is fine to help solve that, but I think it should be in Debian first.
[14:23] <rbasak> If we don't seed ntpdate, I don't think it's worth an Ubuntu delta.
[14:24] <smoser> rbasak, maas is i belive wanting to use it.
[14:24] <smoser> so there is a bug... i'd have to find it.
[14:24] <smoser> but basically if you are firewalled off the internet and have ntpdate installed
[14:24] <smoser> and you have loads of interfaces
[14:25] <smoser> then ifup -a really sucks
[14:25] <rbasak> In that situation, why do you have ntpdate installed?
[14:25] <smoser> for no reason
[14:25] <smoser> i dont knwo.
[14:25] <smoser> i think this was an openstack
[14:25] <smoser> actually, i do know
[14:25] <smoser> because you can't really use ntp without ntpdate right?
[14:25] <smoser> unless you are sure your clock will never get busted to the poitn that ntp will refuse to jump ?
[14:25] <smoser> or is that handled elsewhere
[14:26] <rbasak> IIRC, ntp has an option to allow it to jump nowadays
[14:26] <rbasak> Yes - "-g"
[14:26] <rbasak> ntp upstream deprecated ntpdate
[14:26] <smoser> in that cae, running ntpdate on ifup seems pointless.
[14:26] <rbasak> ntpd -qg is equivalent to ntpdate
[14:26] <smoser> and yeah, installing it seems pointless
[14:33] <rbasak> dovecot-core recommends ntpdate for some reason. That's all I can see (http://people.canonical.com/~ubuntu-archive/germinate-output/ubuntu.yakkety/rdepends/ntp/ntpdate)
[14:33] <patdk-wk> dovecot hates it when time jumps
[14:33] <patdk-wk> it causes all kinds of problems
[14:44] <kirkland> hallyn: chat with tyhicks and jdstrand, for a start;  maybe also sync with sparkiegeek (dpb is on holiday this week)
[14:49] <jdstrand> tyhicks (cc kirkland and hallyn): if it is in landscape I suspect ratliff might be able to talk to someone at the sprint directly
[14:49]  * jdstrand isn't sure if landscape is at that sprint, but I thought so)
[14:51] <rbasak> That sounds familiar. Nagios' check_apt behaves in a similarly broken way. It relies on apt-get -s and looks at which pocket a download would come from. But security updates are copied to the -updates pocket as well, so this is unreliable.
[14:53] <hallyn> thanks guys.  ratliff: is that something you can push on?
[14:55] <tyhicks> ratliff: if you have someone in landscape to talk to in person there, mysql-server-5.7 was correctly uploaded to xenial-security but, as rbasak pointed out, it is copied to xenial-updates shortly after
[14:57] <tyhicks> ratliff: they could possibly look at the destination pocket specified in the changelog ('xenial-security' can be seen in the first line of https://launchpad.net/ubuntu/+source/mysql-5.7/5.7.13-0ubuntu0.16.04.2)
[14:58] <tyhicks> ratliff: I'm sure there's probably more reliable means available via launchpad apis but I don't know about them off the top of my head
[15:00] <rbasak> bug 1031680 is the nagios-plugins issue. It's only speculation - Landscape might be doing something completely different.
[15:00] <ubottu> bug 1031680 in nagios-plugins (Ubuntu) "check_apt always report 0 critical updates" [High,Triaged] https://launchpad.net/bugs/1031680
=== iberezovskiy is now known as iberezovskiy|off
=== pavlushka_ is now known as Guest91131
=== Guest91131 is now known as pavlushka
[18:27] <setuid> Anyone about good with iscsi? I've tripped on something that I don't think should behave like it is...
[18:27] <setuid> Clean install of 14.04.4 server, installed iscsi components, set up a single, 50GB sparse file on the target, then on the client, I used:
[18:28] <setuid> iscsiadm -m discovery -t st -p trustyS-iscsitarget
[18:28] <setuid> and it finds -two- paths to that target, one on each NIC (different subnets)
[18:28] <setuid> on the client, I then did: iscsiadm -m node --login
[18:28] <setuid> which finds -two- 50GB volumes, /dev/sdb and /dev/sdc respectively
[18:30] <setuid> I can format /dev/sdb1, drop a file there, mount /dev/sdc1 and the file is not there. I mount /dev/sdc1, drop a file there, then unmount. Mounting up /dev/sdc1 again, I see the -first- file (the one I put on /dev/sdb1)
[18:30] <setuid> 1.) Why does iscsiadm see -two- 50GB volumes, when there's only one physical volume? 2.) Why does it treat them as if they were independent, but they're obviously the same volume.
[18:31] <sarnold> setuid: simple questions with insanely complicated answers..
[18:31] <setuid> sarnold, I'm following this blog post, step by step: http://caribou.kamikamamak.com/2014/09/30/iscsi-and-device-mapper-multipath-test-setup/
[18:31] <sarnold> setuid: if there's actually two networks worth of bandwidth to the thing you may wish to set up multipathing on the client, so it'll issue commands down both, either for bandwidth or for reliability
[18:32] <setuid> but I'm dead right where I have to format the partition. If I have multipath-tools installed (which I need), the moment I use iscsiadm to log in, BOTH volumes are in use, and I can't format them.
[18:32] <sarnold> setuid: if there's only one network worth of bandwidth between the two it's probably best to pretend the second name for it doesn't exist
[18:32] <setuid> How does it automatically set up multipathing, when I removed that package?
[18:32] <setuid> They're VMs on the same physical host, but two separate networks coming into each VM
[18:33] <setuid> so each VM (2 total) has 2 NICs, NIC1 is net1, NIC2 is net2
[18:33] <setuid> I specifically named the host different names (in /etc/hosts) based on each network, so it would not overlap subnets
[18:34] <setuid> 172.16.38.139   trustyS-iscsitarget
[18:34] <setuid> 172.16.181.128  trustyS-iscsitarget2
[18:34] <setuid> for examplel
[18:34] <setuid> I'm trying to debug a multipath issue, but tripped on this well before I even started configuring multipathing
[18:37] <setuid> sarnold, this is what I see: http://paste.debian.net/785642/
[18:39] <sarnold> setuid: I suspect that performing operations on the individual /dev/sdb* and /dev/sdc* names has probably corrupted that file irreparably; you may wish to start over from the step of 'create new sparse file'
[18:39] <setuid> odd... if I create a partition on /dev/sdc, so I now have /dev/sdc1, I can see it in fdisk on /dev/sdb, but there is no /dev/sdb1, until I go into fdisk on /dev/sdb, do nothing, and use 'w' to write the "changes" to that, then /dev/sdb1 appears.
[18:39] <patdk-lap> heh?
[18:39] <patdk-lap> sarnold those are simple questions with simple answers
[18:39] <setuid> sarnold, Fair enough, I'll try that
[18:39] <patdk-lap> what filesystem are you using?
[18:40] <sarnold> setuid: then -never- work with tehe individual devices but only the dm-multipath device..
[18:40] <setuid> sarnold, multipath is not installed
[18:40] <setuid> I *can't* install it
[18:40] <sarnold> patdk-lap: heh explaining why you can't just use ext4 or zfs on two paths to the same device takes some time and effort, and understanding why e.g. ocfs2 can work inthe same situation is yet another huge ball of wax :)
[18:40] <setuid> because I then can't format the device
[18:41] <patdk-lap> sarnold, it's easy, they are TWO different devices :)
[18:41] <sarnold> setuid: but you're in luck, patdk-lap's around :) I was hoping he'd spot the question..
[18:41] <patdk-lap> with different caches
[18:41] <patdk-lap> you must not use both at once, ever
[18:41] <patdk-lap> that is what the multipath package is for
[18:42] <setuid> sarnold, http://paste.debian.net/785644/
[18:42] <setuid> patdk-lap, I'm not trying to use both at once
[18:42] <setuid> I just happened to notice the oddity
[18:42] <setuid> I log in, and it creates /dev/sdb and /dev/sdc
[18:42] <patdk-lap> it's not odd
[18:42] <setuid> but no dm-X device
[18:42] <patdk-lap> you have two paths, so it makes two devices
[18:43] <sarnold> setuid: why can't you install the multipath tools?
[18:43] <setuid> How can I possibly have two paths, without configuring the iscsi initiator to do so?
[18:43] <patdk-lap> heh?
[18:43] <patdk-lap> you don't configure the initiator
[18:43] <setuid> sarnold, With multipath installed, I can't format the vols, once I've used --login
[18:43] <patdk-lap> you configure the target to only have one path
[18:43] <setuid> sarnold, with multipath removed, I can
[18:44] <setuid> patdk-lap, the target only has one path
[18:44] <setuid> Target iqn.2014-09.trustyS-iscsitarget:storage.sys0
[18:44] <setuid>         Lun 0 Path=/home/ubuntu/iscsi_disk.img,Type=fileio,ScsiId=lun0,ScsiSN=lun0
[18:44] <setuid> that is the *ONLY* entry in /etc/iet/ietd.conf
[18:44] <patdk-lap> that says you have one lun
[18:44] <patdk-lap> nothing about paths
[18:44] <setuid> http://caribou.kamikamamak.com/2014/09/30/iscsi-and-device-mapper-multipath-test-setup/
[18:44] <setuid> ^ following that blog
[18:44] <sarnold> setuid: so you run e.g. cfdisk /dev/mapper/mpath0 ... and then what happens/
[18:45] <setuid> http://paste.debian.net/785646/
[18:45] <setuid> that's all that's in there, as expected... root fs and swap
[18:46] <patdk-lap> oh ya, that is right
[18:46] <setuid> But /dev/sdb and /dev/sdc represent the single, 50GB vol on the target
[18:46] <sarnold> did the multipath -ll show anything?
[18:46] <patdk-lap> I answered this last week
[18:46] <patdk-lap> iet does not support LIMITING multipathing
[18:46] <setuid> There is no multipath on the host
[18:46] <setuid> Not yet anyway, I have to remove the package to format the vol, then install it
[18:46] <setuid> Once I install multipath, /dev/sdb and /dev/sdc become locked, in-use, and I can't partition or format them
[18:47] <patdk-lap> why would you want to?
[18:47] <sarnold> that's probably for the best
[18:47] <sarnold> you need to then access them with the multipath-consutrcted "single" view of the thing
[18:47] <sarnold> and if multipath -ll didn't construct one for you, that's probably the place to start debugging
[18:48] <setuid> http://paste.debian.net/785648/
[18:48] <sarnold> aha once you've modified the /dev/sdb directly it's probably time to throw away the sparse file again :)
[18:48] <sarnold> oh line #3 :)
[18:48] <setuid> http://paste.debian.net/785649/
[18:49] <setuid> Right, so now I format /dev/mapper/{long-grok-path}-part1
[18:51] <setuid> So that blog post is completely incorrect in these steps referring to /dev/sda
[18:51] <sarnold> well
[18:51] <setuid> And the commands and output they show, are missing quite a few options
[18:51] <sarnold> they are indicating that the iscsi layer works
[18:51] <sarnold> but not recommendations on how to actually use the thing
[18:51] <setuid> There's no way to get the output they claim, out of the commands they show being used
[19:10] <setuid> patdk-lap, Ok, after some small hoops and translation, it works. I'm trying to debug why /etc/multipath/wwids wouldn't get generated on boot, but does work when using 'multipath -W'
[19:11] <setuid> That's why I modeled these VMs to replicate that reported issue
[19:11]  * setuid loves the good problemsm 
[19:16] <patdk-lap> :)
[19:17]  * setuid spies 'peers' in the channel too ;) 
=== Kenrinx is now known as kenrin
[21:13] <cncr04s> Unrecognized mount option "umask=000" or missing value
[21:35] <CodeMouse92> Greetings, all. Is it possible to limit access to some web directory (the way .htaccess does), but using credentials from an OAuth2 server?
[21:41] <sarnold> CodeMouse92: does this do what you want? https://github.com/pingidentity/mod_auth_openidc
[21:43] <CodeMouse92> sarnold: That might work. I'm a fairly novice IT, so I'm totally out of my element, here.
[21:44] <CodeMouse92> sarnold: I need to connect to this puppy: http://standards.mousepawgames.com/csi.html
[21:44] <sarnold> CodeMouse92: I've never had to worry about more complicated apache authentication and authorization.. even the basics are annoying :) .. but I saw a few references to that module on stack overflow answers and a quick skim of the page looked sane
[21:45] <sarnold> "The CSI (Commenting Showing Intent) Commenting Standards refers to a style of code commenting which allows for the complete rewriting of a program in any language, given only the comments"
[21:45] <sarnold> holy cow, that's ambitious
[21:45] <CodeMouse92> sarnold: Yeah, it looks pretty sane. My only reasoning is that I don't want to set up an employee account on *yet one more subsite* in our network
[21:45] <CodeMouse92> sarnold: OH! Wrong link!!!
[21:45] <CodeMouse92> sarnold: HERE is what I meant: https://secure.phabricator.com/book/phabcontrib/article/using_oauthserver/
[21:46] <CodeMouse92> I hate when copy doesn't actually copy >.<
[21:46] <CodeMouse92> (You're welcome to read that other one, though. it's a work in progress, but it works pretty well for us so far)
[21:47] <Guest16595> some one help meeeee
[21:47] <Guest16595> http://askubuntu.com/questions/803276/ufw-block-syslog-tcp-ip-is-blocked-and-this-is-allowed-in-ufw/803307#803307
[21:47] <Guest16595> with this mdfk ufw, simple config, only allow port 80,22,12300:12400 tcp and udp
[21:51] <sypher> Guest16595: I suppose my first question would be: Why are you trying to limit outbound connections?
[21:52] <Guest16595> well i am new in this...
[21:52] <sypher> Guest16595: Which makes my question all the more important. Do you know why you're trying to limit outbound connections?
[21:53] <Guest16595> i have been trying to allow that range of ports
[21:53] <sypher> Guest16595: You're not answering my question. WHY are you trying to limit outbound connections at all?
[21:54] <sypher> Guest16595: Let's step back. The system in question, whose firewall you're managing. What is this system doing? Is it a webserver, etc?
[21:55] <Guest16595> Because i am new and i didn't know what i was doing
[21:55] <Guest16595> yes it is a webserver
[21:55] <sypher> Guest16595: That's alright. I was just making sure there wasn't a specific purpose in mind.
[21:55] <Guest16595> of tracking
[21:55] <sypher> Guest16595: What ports does this server need to accept connections on from the outside? 80, 443, what else?
[21:55] <Guest16595> gps conect to the server, a lot of gps..
[21:56] <Guest16595> only port 80 for website, 22 for ssh, and range 12300 yo 12400 for gps...
[21:57] <Guest16595> "gps trackers"
[21:57] <sypher> Guest16595: Excellent. Do you have console access to the server, not through SSH?
[21:58] <Guest16595> well i connect via ssh
[21:58] <Guest16595> but i am not in front of server
[21:58] <sypher> Guest16595: I ask because any firewall work can potentially disrupt your access to the system.
[21:59] <sypher> Guest16595: I would suggest disabling ufw (sudo ufw disable), then resetting it entirely (sudo ufw reset).
[21:59] <Guest16595> i disable the ufw, because if i enable it, it block some ports of the range
[21:59] <sypher> Guest16595: Then skip the disable portion and fully reset it.
[21:59] <sypher> sudo ufw reset
[22:00] <Guest16595> i did it a lot of time and try with differents configuration
[22:00] <Guest16595> and iptables, directly
[22:00] <Guest16595> lik
[22:00] <Guest16595> like iptables -A INPUT -p tcp -m tcp --dport 12340:12400 -j ACCEPT
[22:00] <sypher> Guest16595: But none of them have worked, so let's just start from a known good starting point. Please reset ufw.
[22:01] <Guest16595> yep
[22:01] <Guest16595> i dit
[22:01] <Guest16595> i did it.
[22:01] <sypher> These GPS devices - do they communicate over TCP or UDP?
[22:01] <Guest16595> with 2
[22:01] <Guest16595> udp and tcp
[22:02] <sypher> Guest16595: You should only require the following three rules: http://paste.ubuntu.com/21200464/
[22:02] <sypher> Those three commands will allow SSH and HTTP inbound, as well as the ports you listed for the GPS devices. You don't need any manual iptables rules or outbound filtering.
[22:02] <genii> most GPS use TCP, some can be set for either or both
[22:03] <sypher> I don't have a clue of how they communicate. :P
[22:03] <Guest16595> but when i type         ufw allow 12340:12400              it say           ERROR: Must specify 'tcp' or 'udp' with multiple ports
[22:03] <sypher> Guest16595: Oh, fair enough.
[22:03] <sypher> Guest16595: http://paste.ubuntu.com/21200626/
[22:03] <Guest16595> and i need to specify protocol like,  ufw allow 12340:12400/tcp              and         ufw allow 12340:12400/udp
[22:03] <sypher> Make that four commands, then.
[22:04] <Guest16595> men, how i create a note like yours...
[22:05] <sypher> Guest16595: http://paste.ubuntu.com/
[22:05] <Guest16595> http://paste.ubuntu.com/21200858/
[22:06] <sypher> Guest16595: That should be all you need.
[22:06] <Guest16595> i show you what rules are in ufw
[22:06] <Guest16595> well
[22:06] <Guest16595> i run it and show you the logs erros, wait a minute
[22:07] <sarnold> Guest16595: btw, the "pastebinit" tool in the "pastebinit" package makes creating pastebin links from a terminal really easy
[22:07]  * sypher goes to install that...
[22:08] <sypher> Guest16595: One more thing, actually. Could you pastebin the contents of /etc/default/ufw?
[22:12] <Guest16595> sypher : http://paste.ubuntu.com/21201733/
[22:13] <sypher> Guest16595: Your firewall functions as designed.
[22:13] <sypher> Guest16595: Oh, wait, I see what's going on.
[22:13] <sypher> Guest16595: Can you pastebin the output of 'iptable -L' for me?
[22:13] <Guest16595> what?? it's the port source?
[22:13] <Guest16595> yes
[22:14] <sypher> err...
[22:14] <sypher> iptables -L
[22:15] <Guest16595> http://paste.ubuntu.com/21202041/
[22:15] <Guest16595> and iptables -S
[22:15] <Guest16595> http://paste.ubuntu.com/21202142/
[22:21] <sypher> Guest16595: Huh. Can I also get 'ufw status verbose'?
[22:21] <Guest16595> yep
[22:22] <Guest16595> http://paste.ubuntu.com/21202879/
[22:23] <sypher> Guest16595: And you're still seeing that traffic blocked?
[22:23] <Guest16595> yes
[22:23] <Guest16595> i see some ips blocked
[22:25] <Guest16595> maybe it would be the time of connections?, like this "ufw supports connection rate limiting, which is useful for protecting against brute-force login attacks. When a limit rule is used, ufw will  nor-        mally  allow  the  connection  but  will  deny  connections  if  an  IP  address attempts to initiate 6 or more connections within 30 seconds. See        http://www.debian-administration.org/articles/187 for details.
[22:25] <sypher> Guest16595: My theory? When you reenabled ufw, it likely reset its connection tracking. TCP packets coming in with the ACK flag set imply that it's a response to something the server set, but iptables doesn't have a record of the connection, so it drops it.
[22:27] <sypher> Guest16595: You might try port-scanning your server to confirm that the ports are, in fact, open from the outside, if you're familiar with the process on how to do so.
[22:27] <Guest16595> http://paste.ubuntu.com/21203533/
[22:28] <sypher> Guest16595: You can't portscan yourself locally. :P That doesn't hit the firewall at all.
[22:28] <Guest16595> jejeje wait a second
[22:33] <Guest16595> this is from my computer to server, server has ufw enable
[22:33] <Guest16595> http://paste.ubuntu.com/21204076/
[22:33] <Guest16595> i have a virtual machin with linux mint xD
[22:33] <sypher> Guest16595: You'
[22:34] <sypher> Guest16595: You're being rate-limited. :) I can tell because of the gaps in the port numbers.
[22:34] <sypher> Guest16595: Which is odd, because ufw doesn't rate-limit by default, last I checked.
[22:35] <sypher> Guest16595: Actually, no, you're not. The list of listening ports from the outside matches what you got locally. You're just not listening on that whole range. So, yeah. Your firewall is functioning properly for new connections.
[22:38] <Guest16595> And if my firewall is functioning properly, what i can do, ?
[22:38] <Guest16595> enable, and wait for the gps tracker reconnect again?
[22:38] <sypher> Guest16595: Correct.
[22:41] <Guest16595> i'm going to check this, the things and learn jajajajaj, well linux is a world to learn
[22:42] <Guest16595> sorry i try to say that things that i learned to config a simple options for range port
[22:48] <Guest16595> sorry i forgot to thank you <sypher>, thanks for your time and for all help, i will check the logs
[22:58] <CodeMouse92> I have an HTTPS site configured in Apache2, and I've enabled it and reloaded Apache. I also have the port open on the firewall
[22:58] <CodeMouse92> However, no dice. It's 404ing me.
[23:01] <CodeMouse92> here's the site conf. I've replaced the actual website with example.com: https://bpaste.net/show/71dc8232431e
[23:06] <powersj> CodeMouse92, check apache logs and see if it just can't find the index.* file or whatever you are trying to pull up.
[23:07] <CodeMouse92> powersj: Unfortunately, no dice. Unless I need to specify loglevel in that .conf...?
[23:08] <powersj> no dice as in no logs at all or can't find them?
[23:08] <CodeMouse92> As in, nothing odd in /var/log/apache2/error.log
[23:09] <powersj> check access.log as well to see what was trying to be pulled up by apache
[23:09] <CodeMouse92> powersj: Absolutely nothing for this domain at all
[23:09] <CodeMouse92> For this site, sorry
[23:10] <CodeMouse92> Other sites, yes, but I just refreshed this page, got 404 still, but nothing appears in access.log or error.log to that effect
[23:11] <CodeMouse92> I'm clearing logs and refreshing
[23:11] <CodeMouse92> Restarting apache2, sry
[23:12] <CodeMouse92> powersj: After clearing logs and restarting, and then attempting to go to the site in question, access.log is empty. error.log is https://bpaste.net/show/b877a0537b0b
[23:13] <CodeMouse92> All other sites operating normally
[23:14] <powersj> Any other site using SSL?
[23:14] <CodeMouse92> Yes, all but one
[23:14] <powersj> ok so it is enabled correctly
[23:14] <CodeMouse92> Same cert, too.
[23:15] <CodeMouse92> Validated location of document root, and it has www-data ownership
[23:18] <powersj> the only other thing is the ServerName, does your version actually have www.*.com:8442 (note the www)
[23:19] <CodeMouse92> I'm not sure I understand. Another valid SSL site is using 'example.com:8446'
[23:19] <powersj> then that isn't it
[23:22] <CodeMouse92> I've even tried moving my working directory to /var/www/protected
[23:22] <CodeMouse92> And pointing to that. No dice
[23:26] <CodeMouse92> powersj: Problem solved. didn't add the port to /etc/apache2/ports.conf
[23:26] <CodeMouse92> It's now working
[23:26] <powersj> grats :)
[23:36] <CodeMouse92> Anyone familiar with mod_auth_openidc? I need to get it working with this: https://secure.phabricator.com/book/phabcontrib/article/using_oauthserver/
[23:55] <ubuntu_> Is there anything for linux machines that one can uses thats equivalent to hyper-v in the repos i see type 2 virtual software but not to much type 1 software in the repo's
[23:56] <ubuntu_> I know vmware , ...etc are options i would imagine but there is really not much apt-get install based stuff
[23:57] <sarnold> ubuntu_: I haven't got a clue what you mean by "type 1" and "type 2" but there's qemu/kvm and xen and virtualbox; most people use qemu/kvm with the libvirt wrappers
[23:57] <sarnold> ubuntu_: there's also kvmtool but that's used less frequently than qemu/kvm
[23:57] <ubuntu_> type one based hyper visors that work at bare hardware level as opposed to a vbox on the OS itself. I know i am not explaining this well
[23:58] <ubuntu_> Is there any type 2 software that would allow one to setup virtual remote desktop to 1000 client computers
[23:59] <ubuntu_> like having 1000 client linux machines boot up into a virtual machine hosted on the ubuntu server