03:07 <Now_its_Broken> Hi, can anyone here point to some instructions on getting openvswitch working with netplan?
07:12 <lordievader> Good morning
11:13 <ahasenack> rostam: try the dig tool, dig @<ip-of-dns-server> <name-you-want-to-resolve>
11:13 <ahasenack> rostam: start with using the ip from /etc/resolv.conf
11:14 <ahasenack> if that's or some such, move on to your real dns server, then try (google's), etc
11:53 <ahasenack> rbasak: hi, I'm getting this from g-u merge start on samba:
11:53 <ahasenack> $ git ubuntu merge start pkg/ubuntu/devel
11:53 <ahasenack> 01/22/2018 09:53:01 - ERROR:pkg/ubuntu/devel version (2:4.7.3+dfsg-1ubuntu1) is after debian/sid version (2:4.7.1+dfsg-1). Are you sure you want to merge? (Pass -f to force the merge).
11:53 <ahasenack> rbasak: debian/sid is at 4.7.4, though
11:53 <ahasenack> seems like the debian branch(es?) are behind in the importer?
12:01 <rbasak> AFAICT, sid is at 2:4.7.3+dfsg-1 and bionic-devel is at 2:4.7.3+dfsg-1ubuntu1
12:01 <rbasak> Do you see something different?
12:01 <rbasak> I was looking at https://code.launchpad.net/~usd-import-team/ubuntu/+source/samba/+git/samba
12:21 <ahasenack> rbasak: rmadison, and the merges page
12:21 <ahasenack> both show sid at 4.7.4-+dfsg-1
12:29 <ahasenack> rbasak: sorry, the vpn dropped, this was the last I saw:
12:29 <ahasenack> <ahasenack> both show sid at 4.7.4-+dfsg-1
12:29 <ahasenack> * Disconnected ()
13:30 <rbasak> ahasenack: ah. OK. So the problem is that the importer is straightforwardly out of date rather than inconsistently out of date in different branches I think?
13:30 <rbasak> I need to sort out my VPN connection. That's blocking me from looking right now :-/
13:31 <ahasenack> rbasak: I don't know, but "out of date" sounds right
13:50 <eoli3n> i'm trying to preseed (with ubuntu kickstart + some preseed lines) an ubuntu install on a dualboot
13:50 <eoli3n> each kickstart makes Win7 not bootable
13:50 <eoli3n> i need to repair Win7 with CDROM
13:50 <eoli3n> fact is that i need to automate 800 nodes deploy
13:51 <eoli3n> here is the kickstart file -> https://ptpb.pw/F5ts
13:51 <eoli3n> here's some checksums on what changed at each step -> https://ptpb.pw/0Y6b.png
13:51 <eoli3n> and here the "view details" log from win7 repair tool -> https://ptpb.pw/fxvz
13:51 <eoli3n> the fact is that PARTUUID seems to change after kickstart
13:51 <eoli3n> i think it's due to partman
13:51 <eoli3n> and i'm searching for a way to keep the same sda1 PARTUUID
13:51 <eoli3n> to not have to repair WIN7 after kickstarting
13:51 <eoli3n> the strange thing is that kickstarting edits only the MBR's bootloader part -> and repairing with WIN7 CDROM changes only C:\Boot\BCD
13:51 <eoli3n> and every loop i do a kickstart deploy gives the same
13:51 <eoli3n> while true; do ; kickstart change bootloader ; WIN7 boot broken ; repairing with CDROM, it edits data inside sda1 ; done
13:51 <eoli3n> (sorry for that huge paste)
13:54 <Ussat> don't dual boot
13:58 <eoli3n> are you serious ?
13:58 <eoli3n> any serious help here ?
13:59 <Ussat> There is, in my opinion, almost no reason to dual boot anymore with modern hypervisors
13:59 <eoli3n> you don't have my needs
13:59 <eoli3n> and i'm not asking for that help
13:59 <eoli3n> that's cool from you
13:59 <eoli3n> but not my ask
14:09 <mason> eoli3n: Wait, you're taking a checksum of sda1 there?
14:09 <mason> eoli3n: I'm assuming sda1 is your ESP, yes?
14:10 <mason> I'm not completely understanding here, but I'd be more inclined to think you're seeing a problem with your efibootmgr entries.
14:10 <eoli3n> mason: i'm using legacy not uefi bios
14:10 <eoli3n> i took some checksums to see what kickstart changes
14:10 <eoli3n> sda1 is windows part
14:11 <mason> eoli3n: Ah... Nowadays I wouldn't consider dual-booting without UEFI, but I'm not sure Windows 7 can deal with UEFI. Can it?
14:11 <eoli3n> mason: i use old nodes
14:11 <eoli3n> i don't know, problem is that i will not renew my 800 nodes now :)
14:11 <eoli3n> i will not
14:12 <eoli3n> my problem needs a bit of reflection to understand what i do
14:12 <eoli3n> sorry to not be able to make it easily understandable
14:12 <mason> just noted that you've included multiple pastes - looking
14:12 <eoli3n> thx, ask if any question
14:12 <eoli3n> the important paste is the table
14:12 <eoli3n> a bit hard to understand
14:13 <eoli3n> i started at line 1 with a dualboot working
14:13 <eoli3n> then i reinstall with kickstart at line 2
14:13 <eoli3n> my kickstart installation needs to keep win7 working
14:13 <eoli3n> after kickstart, i'm not able to boot win7 without the win7 CDROM repair tool
14:13 <mason> #Clear the Master Boot Record
14:13 <mason> zerombr yes
14:13 <mason> Guessing that's why.
14:14 <eoli3n> asked the dev of ubuntu kickstart
14:14 <eoli3n> it does nothing
14:14 <rbasak> ahasenack: I imported samba by hand and it worked fine.
14:14 <rbasak> Not sure what happened in the past.
14:14 <rbasak> ahasenack: so it should be good for you now.
14:15 <rbasak> Sorry it didn't work before. It could have been due to a gap when the importer was running.
14:15 <rbasak> We haven't got the full "catch up everything" thing running yet.
14:15 <rbasak> nacc: ^
14:15 <eoli3n> mason: he pasted me that -> https://paste.ubuntu.com/26409694/
14:18 <mason> eoli3n: Hm, well. Hopefully someone who's done this will come around with ideas, or there's always the mailing list. I don't run Windows anywhere so I'm not entirely clear on what it wants and what's changed out from under it.
14:19 <TJ-> eoli3n: I only just came in, but it sounds to me like GRUB needs to create a menu entry for the Windows install. If you want Windows to remain the primary boot-strap bootloader then you have to prevent GRUB from writing its bootstrap code
14:21 <eoli3n> TJ-: i don't want to prevent it
14:21 <eoli3n> chainloader +1 is working
14:21 <eoli3n> problem is that win7, while booting, asks for repairing
14:21 <eoli3n> TJ-: https://ptpb.pw/0Y6b.png
14:22 <eoli3n> please check and tell me if it's clear
14:22 <eoli3n> when installing with kickstart, nothing changed on the disk except ubuntu install on sda2 and bootloader 0>446 on sda
14:22 <eoli3n> the strange part is
14:22 <eoli3n> when i repair win7
14:22 <eoli3n> it repairs by changing BCD on win7 install
14:23 <eoli3n> i don't know more what it does -> here's the log file -> https://ptpb.pw/fxvz
14:23 <eoli3n> grub is working
14:24 <TJ-> eoli3n: is the partitioning using only MBR ?
14:24 <eoli3n> what do you mean ? "using only MBR" ?
14:25 <TJ-> eoli3n: it's possible to have GPT hybrid that also has a valid MBR
14:25 <eoli3n> i'm using mbr not gpt
14:25 <TJ-> OK, and which sector does sda1 start at?
14:25 <eoli3n> oops sorry for double
14:26 <eoli3n> please look at the paste
14:26 <eoli3n> at PRE part
14:26 <eoli3n> you will see that i use sfdisk to restore the part table
14:26 <TJ-> eoli3n: OK, so under normal circumstances GRUB will write its boot-strap into sector 0 and its core image into sector #1 through 2047
14:27 <eoli3n> not from 0>446 ?
14:27 <eoli3n> hm i didn't know there was more than "boot-strap"
14:27 <eoli3n> my question is
14:27 <TJ-> eoli3n: 446-509 is the partition table, 510-511 is the signature
14:28 <eoli3n> so why
14:28 <eoli3n> installing grub breaks win7 boot
14:28 <eoli3n> as win7 bootloader is at start of sda1
14:28 <eoli3n> so at 2028
14:30 <TJ-> eoli3n: the process goes PC >BIOS > read sector 0 > execute code from offset 0. This is the bootloader's boot-strap code. In GRUB it then uses BIOS services to read sector #1-2047 into memory and continues executing - that is GRUB's core image, which then finds GRUB's root file-system and accesses that, loads the normal.mod and executes 'normal' command which reads /grub/grub.cfg and processes it
14:30 <TJ-> (menu, wait for key press, launch OS, etc)
14:31 <eoli3n> i get it
14:31 <TJ-> As I recall, Windows boot-strap code in sector 0 looks for the partition that is flagged as Bootable, then reads boot code from that partition, which then reads Windows bootmgr code
14:31 <eoli3n> the partition sda1 is marked as bootable
14:31 <eoli3n> with "boot" flag i mean
14:32 <eoli3n> so installing grub can not break any win7 install right ?
14:32 <TJ-> eoli3n: right, from your table it looks as if the Win7 repair is writing something into the 'spare' sectors from sector 1 onwards - is that correct?
14:33 <eoli3n> which are spare sectors
14:34 <eoli3n> what i can say, is that repair tools write between 2048 and end of partition
14:34 <eoli3n> i know that it edits BCD file
14:34 <TJ-> eoli3n: Installing GRUB will break Windows every time 100%, since it has to write its boot-strap code into sector 0. However, it uses os-prober to locate the Windows OS during "update-grub" and adds a menuentry for Windows
14:35 <eoli3n> TJ-: i used a previous installation method which installs grub with a custom script without breaking win7 part
14:35 <eoli3n> win7 install i mean
14:35 <TJ-> eoli3n: it sounds more likely Windows is breaking itself - by 'thinking' it needs a repair when it doesn't simply because sector 0 changed, then during the repair it goes on to change things it doesn't need to change
14:36 <eoli3n> so how to make it work without repair ? dd backup then restore ?
14:36 <eoli3n> i need to automate the process
14:36 <eoli3n> but still, i'm not understanding how my previous deploying method differs
14:38 <eoli3n> in my previous installation/deploy method, i uncompressed a huge tar.xz on disk, then installed grub in chroot with this script -> https://ptpb.pw/DR9s
14:38 <eoli3n> that didn't make win7 need a repair
14:38 <eoli3n> why ?
14:39 <eoli3n> my previous installation working method, complete is -> boot debian bootstrap pxe -> sfdisk to restore part table -> detar.xz sda2 (/boot) and sda3 (/) -> chroot -> install grub with the script in chroot -> reboot
14:39 <eoli3n> win7 still working after that
14:39 <eoli3n> what differs in kickstart method ?
14:43 <eoli3n> weird, isn't it ?
14:45 <TJ-> I'm trying to determine what exactly "grub-installer/with_other_os" is supposed to do
14:50 <TJ-> I think that should be set to "true" when you expect another OS to be installed; I don't think that'll affect the issue you are having though
14:50 <eoli3n> that was my question before all of that on #debian
14:50 <eoli3n> i tried every option TJ-
14:51 <eoli3n> with_other_os and only_debian, set to true or false
14:51 <eoli3n> all false was my last try
14:51 <eoli3n> just tried to install grub with my custom script
14:51 <eoli3n> as https://ptpb.pw/n5Av
14:51 <eoli3n> let's try, i tell you in 20min
14:51 <eoli3n> grub-installer/skip boolean true
14:51 <eoli3n> then generate a chroot grub.sh installer
14:54 <eoli3n> cat not echo -> fixed : https://ptpb.pw/ao3y
15:08 <TJ-> eoli3n: Are you sure when Win7 'repairs' it's not writing a GPT to the disk? Because in your table for lines (3) and (4) you show PARTUUID - that will only be available for GPT, MBR scheme has nowhere to store a /partition UUID/ (whereas the file-system in the partition can/does have a UUID)
15:11 <TJ-> eoli3n: GPT uses sectors 1-33 which would explain why in line (3) you have a different checksum for 0>1024
15:12 <eoli3n> i repair, and recheck
15:15 <TJ-> use "gdisk" to check before and after
15:15 <eoli3n> i can't, no xserver
15:17 <TJ-> gdisk is console
15:17 <TJ-> "gdisk -l /dev/sda"
15:18 <eoli3n> need to redeploy, my custom grub.sh breaks
15:18 <eoli3n> tell you in some minutes
15:20 <eoli3n> hmm that could be the trick
15:20 <eoli3n> dump and restore with sgdisk
15:49 <eoli3n> TJ-: before -> http://ix.io/EvA, after -> http://ix.io/EvC
15:50 <eoli3n> GUID changes each time i run gdisk
15:51 <TJ-> OK, so not GPT then. So why is Win7 changing something in sector 1+? Does it also hide recovery info there?
15:51 <eoli3n> hide recovery info ?
15:51 <eoli3n> where ?
15:51 <eoli3n> i don't know why, i think, maybe it changes only BCD boot file
15:51 <eoli3n> in log of repair tool, it just says that it edits the entry in BCD
15:52 <eoli3n> suppress previous one then replacing by a new matching one
15:52 <eoli3n> as in my previous paste
15:53 <eoli3n> 3 columns in orange are same
15:53 <TJ-> eoli3n: oh! I misread your table "0>1024" as being the first 4 sectors of the disk, but that's actually the 1st partition
15:53 <eoli3n> i mean first one is 2048 > (1024*50)
15:53 <TJ-> eoli3n: you should take a checksum of sectors 1-2047
15:53 <eoli3n> hm but how to cut it
15:53 <mason> eoli3n: This is where UEFI is much more orderly. There aren't random things slipping their tentacles around different undocumented bits of disk.
15:54 <eoli3n> 0>446, 446>510, 512> 2047 ?
15:54 <TJ-> as in "dd if=/dev/sda skip=1 count=2047 | md5sum"
15:55 <eoli3n> ok but it will tell nothing
15:55 <eoli3n> i already tested lower part
15:55 <eoli3n> 0>446 , 446>510
15:55 <eoli3n> 1>2047 will have part table and bootloader in it no ?
15:56 <eoli3n> the range is too high ? you know what i mean ?
15:56 <eoli3n> sadly, i have to go :( , i really want to find out that problem, i will try to diff md5sum 512>2047 too tomorrow
15:57 <TJ-> eoli3n: no, 1-2047 are 'spare' sectors which GRUB puts its core image in
15:57 <eoli3n> i don't get what you mean
15:58 <eoli3n> wikipedia says that 0>446 is part table
15:58 <eoli3n> so how 1>2047 could be grub core image
15:58 <eoli3n> 1 is a byte, yes ?
15:58 <eoli3n> byte "1" to byte "2047"
15:59 <TJ-> No, it's sectors of 512 bytes
15:59 <TJ-> dd uses 512 byte blocks by default
16:01 <eoli3n> i will take a look tomorrow morning at 8h (GMT+1)
16:01 <eoli3n> thx a lot for your help
18:10 <DammitJim> is there an ubuntu repo for tomcat 8.5?
18:11 <sarnold> DammitJim: 8.5 appears to be in artful and forthcoming bionic
18:12 <DammitJim> I guess I've got to learn what bionic and artful are
18:13 <DammitJim> I have ubuntu 16.04 LTS servers with tomcat 8 and apparently Apache Tomcat is making tomcat 8 EOL in September
18:13 <nacc> DammitJim: 18.04 (unreleased) and 17.10, respectively
18:13 <DammitJim> trying to start getting off that version
18:14 <DammitJim> gosh, it looks like I'm going to have to just uninstall tomcat8
18:14 <DammitJim> and download the apache-tomcat-8.5.zip
18:14 <DammitJim> and work it from that angle
18:14 <sarnold> so you don't actually have an application that requires 8.5?
18:14 <DammitJim> no repos
18:15 <DammitJim> I do not
18:15 <DammitJim> we are purely doing it because it's EOL
18:15 <sarnold> just upgrade to 18.04 LTS when you're comfortable with the change
18:15 <sarnold> 18.04 will be released before September.
18:15 <DammitJim> yeah, I think that'll be an option in my proposal
18:22 <sdeziel> DammitJim: also, Tomcat 8 being in main, it should be supported for the full lifetime of 16.04 even if upstream reaches its EOL
18:22 <nacc> (supported by canonical/ubuntu)
18:22 <nacc> *not* by upstream, to be clear :)
18:23 <sdeziel> yeah, main is a canonical thing :)
18:30 <DammitJim> thanks for clarifying that, sdeziel
18:30 <DammitJim> so, if there was a problem with tomcat 8, Canonical would fix it and release an update?
18:31 <nacc> DammitJim: yeah
18:31 <nacc> generally speaking, it does depend on 'the problem', as we still need to follow SRU rules
18:31 <nacc> but presuming you mean CVEs or so, then yes
18:32 <DammitJim> I need to find the documentation that explains that, because that is AMAZING
19:04 <DammitJim> nacc, I'm reading the Main section
19:04 <DammitJim> that's where Tomcat would fall under, right?
19:04 <nacc> DammitJim: correct
19:05 <sarnold> you can use 'apt-cache policy tomcat8' to see
19:06 <sarnold> not all binary packages built from a source package are in main, so it doesn't hurt to check all the binary packages you care about
19:06 <nacc> sarnold: good point
19:07 <DammitJim> oh gosh
19:07 <DammitJim> the devil is in the details, but thanks!
19:07 <DammitJim> so, it seems that if I want to use tomcat 8.5, I'll have to upgrade to Ubuntu 18.04?
19:08 <nacc> DammitJim: i think everything is in main except libtomcat8-embed-java and tomcat8-user
19:09 <nacc> DammitJim: once released, yes, or 17.10 in the meanwhile
21:34 <Olanzapin> &j ssacc.net
21:54 <keithzg> So here's something that's been baffling me, and it's arguably appropriate since the router in question runs Ubuntu ;)
21:55 <keithzg> A bunch of random sites seem to have started blocking HTTP traffic from my office, with what appear to be Apache "Access Denied" messages. This extends to curl/wget from the router itself . . . but somehow *not* to traffic through the OpenVPN instance?
21:56 <TJ-> keithzg: is your public IP on a blacklist?
22:00 <keithzg> TJ-: That was my first thought, but if it is, I can't seem to find any publicly-accessible listing thereof
22:01 <TJ-> keithzg: what's the public ip address/mask ?
22:02 <keithzg> TJ-: It's, aka gmcl.com
22:03 <keithzg> (My current working theory remains that it's some sort of private corporate blacklist; that doesn't explain why VPN'd traffic doesn't get blocked but I can sort of hand wave that away with "routing is complicated, I'm probably not understanding something")
22:04 <TJ-> keithzg: if you are using openvpn to tunnel out to another host that then routes, its IP address will be different
22:05 <keithzg> TJ-: The router is also the VPN server, though, so shouldn't sites see that as the IP address of the traffic?
22:06 <TJ-> keithzg: you mean you connect from LAN clients using openvpn to your gateway router?
22:07 <TJ-> keithzg: checked the IP, not blocked anywhere
22:07 <keithzg> TJ-: Specifically I mean that the router for the office LAN is also the VPN server that external clients use to get into our LAN remotely.
22:08 <TJ-> keithzg: Oh, I thought you meant you link your gateway to another location and tunnel /out/ through it
22:09 <TJ-> keithzg: then I can only think your gateway is messing with the traffic, are you sure your network doesn't have a transparent proxy?
22:09 <TJ-> keithzg: does it affect HTTPS connections or only HTTP?
22:10 <TJ-> keithzg: i'd suspect the Apache message you see is from your own network
22:11 <keithzg> TJ-: Funny story about that, due to this I've noticed that https://thebay.com doesn't have a valid cert ;) but yeah it appears to affect both HTTPS and HTTP traffic, for instance https://tools.usps.com has a valid HTTPS connection but tells me "You don't have permission to access "http://tools.usps.com/" on this server"
22:12 <TJ-> keithzg: I think you've got an internal redirection issue in the gateway. Possibly the rules that were set for incoming openvpn tunnel traffic are breaking regular forwarded traffic
22:13 <TJ-> keithzg: Ask yourself: 1) when did this start? 2) What did I change just before I noticed the issue?
22:13 <keithzg> TJ-: That's the problem, other than the standard security patches I haven't touched anything on the router in ages now.
22:14 <TJ-> keithzg: it's an Ubuntu server acting as gateway?
22:14 <keithzg> TJ-: Yup.
22:14 <TJ-> keithzg: check /var/log/syslog and /var/log/kern.log for clues
22:15 <TJ-> keithzg: also, if it has apache2 web-server installed, check its logs in /var/log/apache2/ in case it indicates it's responsible for the messages
22:18 <keithzg> TJ-: No messages in kern.log for several days now, I can't see anything that seems remotely relevant in either syslog or the apache logs, and nothing seems to show up if I tail them while trying to access a site :(
22:19 <TJ-> keithzg: has it run out of space? "df -h"
22:19 <TJ-> also try "df -ih" (for inodes)
22:20 <sarnold> pity there's no way to get both in one invocation :(
22:20 <keithzg> TJ-: Naw, the 256GB M.2 SSD that the router runs is only at 4% space usage (the only higher is /run at 8%, and inode usage for everything is being rounded to 1%)
22:22 <TJ-> keithzg: good. Are you comfortable sharing the netfilter rules? ("pastebinit <( sudo iptables-save )")
22:29 <keithzg> TJ-: https://paste.ubuntu.com/26440410/
22:29 <tomreyn> if you request httpS://tools.usps.com and get to see an error stating that you may not access HTTP://tools.usps.com/ (so non-encrypted) then this is a pretty obvious hint that your TLS connection was stripped towards the receiving end.
22:29 <TJ-> tomreyn: that's why I suspect a local proxy
22:29 <TJ-> keithzg: are the local clients using Ubuntu/Linux ?
22:29 <keithzg> Yeah I wonder . . . I'm going to try turning off the Apache server (which is proxying to a VM running the *actual* company website)
22:30 <keithzg> TJ-: Not all of them, the first person who noticed this and has continued to notice things is on Windows 8.1, and I randomly tried a macOS VM at one point. I myself have been mostly testing this from Kubuntu.
22:31 <keithzg> Well, shutting down the Apache server on the router didn't change anything.
22:31 <TJ-> keithzg: I'm also surprised, if that is a gateway router, that the INPUT chain doesn't have a DROP policy and then specific rules for allowing VPN/SSH traffic in
22:32 <TJ-> keithzg: can you do one of those 'wget' ops that gets denied and show us the output in a pastebin?
22:32 <TJ-> keithzg: from the gateway itself
22:33 <TJ-> keithzg: also, "pastebinit <( ip -4 -6 route show )"
22:34 <keithzg> TJ-: I have SSH blocked with `-A INPUT -i external0 -p tcp -m tcp --dport 22 -j REJECT --reject-with icmp-port-unreachable` and that I thought worked fine for blocking SSH traffic (I actually run a port knocker, and that's how rules for allowing SSH in get added)
22:38 <sdeziel> "ip -4 -6 ro" only returns v6 routes here (on Xenial)
22:38 <TJ-> keithzg: right, but if there are other services on the gateway they may be exposed.
22:38 <TJ-> sdeziel: it returns both here on 16.04
22:38 <keithzg> TJ-: Ah, fair enough.
22:38 <TJ-> sdeziel: oh, no, you're correct! Sorry, I misread!
22:38 <keithzg> Anyways the denied requests are just single-line HTTP responses, ex.
22:38 <keithzg> <html><head><title>Request Rejected</title></head><body>The requested URL was rejected. Please consult with your administrator.<br><br>Your support ID is: 16159986499229415207</body></html>
22:38 <sdeziel> TJ-: too bad, I would have liked it to work ;)
22:38 <TJ-> keithzg: so, "pastebinit <( ip route show; ip -6 route show )"
22:38 <TJ-> sdeziel: yeah, it annoys me that without switches it defaults to IPv4
22:38 <keithzg> TJ-: https://paste.ubuntu.com/26440446/
22:38 <keithzg> Oh how I wish we had IPv6
22:38 <TJ-> keithzg: I wanted to see the entire wget messages. Do "pastebinit <( wget http:///whatever 2>&1 )"
22:38 <keithzg> TJ-: Oh, fair enough, I just saw that it was going "200 OK" and nothing else other than the actual *contents* of index.html indicates any problem. But here: https://paste.ubuntu.com/26440457/
22:39 <keithzg> Oh oops, never mind that
22:39 <keithzg> Although maybe that's a clue to some degree, many initial URLs are fine, but then what they're actually redirecting to isn't OK.
22:40 <keithzg> Actual wget output for one of these 403s: https://paste.ubuntu.com/26440460/
22:40 <sdeziel> "wget -SO - http:///whatever 2>&1 )"
22:40 <tomreyn> i'd rather suggest to use curl --trace /tmp/trace http(s)://...
22:42 <TJ-> keithzg: thebay.com is broken for me too, and TLS connections return SSL_ERROR_BAD_CERT_DOMAIN
22:42 <TJ-> keithzg: any other domains do this to you?
22:42 <sdeziel> 69.192.84.206 belongs to Shaw Communications
22:42 <sdeziel> keithzg: would that be your ISP ^
22:42 <tomreyn> tools.usps.com seemed like a better test candidate
22:43 <TJ-> For that I get "20 redirections exceeded."
22:43 <sdeziel> and when resolving www.thebay.com, I get an akamai IP so it looks like an ISP getting in the way
22:44 <keithzg> tomreyn: heh yup, that would be precisely what I was going to try as an alt. Here in fact is the curl trace output for that: https://paste.ubuntu.com/26440477/
22:44 <tomreyn> keithzg: that's the output of which command?
22:45 <keithzg> sdeziel: Interesting, I saw Akamai when trying to figure things out before too with https://www.us-cert.gov/ (the third website giving this error)
22:45 <TJ-> sdeziel: that explains it then, they've left thebay.com in the DNS zone file but it should be front-ended by cloudfront. www.thebay.com is correct with a CNAME
22:45 <keithzg> tomreyn: `curl --trace tracefile https://tools.usps.com`
22:45 <TJ-> sorry, akamai, not cloudfront
22:46 <sdeziel> keithzg: from that paste, it seems the 403 was emitted by Akamai themselves
22:46 <sdeziel> Server: AkamaiGH
22:46 <sdeziel> maybe Akamai thinks your IP has a bad reputation?
22:46 <TJ-> tools.usps.com also on akamai - do Akamai have a problem?
22:47 <TJ-> sdeziel: I did an RBL check on the IP address over about 30 RBLs and it's clean
22:47 <sarnold> akamai may have their own database
22:47 <tomreyn> akamai don't like you.
22:48 <keithzg> That definitely aligns with the vague intimations of https://community.akamai.com/community/cloud-security/blog/2016/04/07/why-is-akamai-blocking-me
22:50 <keithzg> (one of the first things I found when initially noticing this error and when nmap told me that the us-cert site was hosted by Akamai)
22:50 <TJ-> this is 1 of the big downsides to centralised proxies
22:50 <keithzg> Yeahhh, and unfortunately that help page gives the impression that there's no way to contact Akamai and ask them precisely what's going on :(
22:51 <TJ-> keithzg: has anything on your network been doing automated connections, say to access the USPS site for example?
22:51 <TJ-> someone developing a tool to query shipping status maybe?
22:53 <keithzg> TJ-: Nothing intentional, no; the only software development anyone other than ol' sysadmin me does is oldskool Win32 work for the software we sell (that in turn tends to run on theoretically airgapped networks, so we don't even have any sort of auto-updater or such for our tools).
22:55 <TJ-> keithzg: how about via the VPN - you said connections via the VPN were OK - which I can only see happening if the VPN uses a different IP address for its exit interface from your /30
22:56 <sdeziel> or maybe the VPN is using split tunneling ?
22:56 <TJ-> keithzg: show us "pastebinit <( ip addr show )"
22:57 <keithzg> TJ-: Yeah, that one baffles me as well. Here it is: https://paste.ubuntu.com/26440512/
22:58 <TJ-> keithzg: so, the external clients /are not/ using the VPN for general internet access, which explains that
22:58 <sdeziel> keithzg: on a VPN client that works, could you share "pastebinit <( ip ro)"
22:59 <TJ-> sdeziel: I hate that "split tunnel" name, it's deceptive, there's no split in the tunnel, it's just standard routing!
22:59 <sdeziel> TJ-: I /think/ it could be it but I haven't seen any evidence so far
22:59 <keithzg> sdeziel: Well drat, I didn't bring my laptop to work today! I wonder if Android can manage that.
23:01 <TJ-> sdeziel: I'm sure it is, the client will use their standard default route (and hence connect successfully to thebay.com) but will route (or similar) via the openvpn tunnel
23:01 <sdeziel> keithzg: you could do something server side. "sudo iptables -A FORWARD -i tun0 -o external0"
23:02 <TJ-> keithzg: 1 thing you could try is assign another IP address to external0 and use it as the source address for a test, see if it is blocked too, or just your current single IP address
23:02 <sdeziel> keithzg: then with the VPN client, access a site then run this on the server side: "pastebinit <(sudo iptables -nvL FORWARD)"
23:02 <TJ-> my typing is going downhill, my fingers have a mind of their own!
23:02 <sdeziel> TJ-: if Akamai blocks based on IP reputation, they maybe do that using wider CIDRs than /32
23:03 <TJ-> sdeziel: right, but it's worth testing, because if it's only a /32 there is a workaround
23:03 <keithzg> sdeziel: Seems the command works fine from a shell on my Android phone, I think? https://paste.kde.org/pw2t6zene
23:04 <sdeziel> keithzg: hmm, no default route?
23:04 <tomreyn> 184.70.164.246 belongs to a /13 (!) - not ideal if your hopes are that you'll be emitting less bad traffic than the average of shaw communication (cable?) users. for business use, a much smaller address range would be recommendable.
23:04 <sdeziel> keithzg: "ip ro g" ?
23:04 <TJ-> which is "ip route get"
23:05 <sdeziel> yeah, sorry, I'm very lazy
23:05 <TJ-> :D trying to educate as well as diagnose :p
23:05 <sdeziel> and it's better to have the receiving end understand a command before running it :)
23:06 <keithzg> sdeziel: via dev rmnet_data0 src uid 10228
23:06 <TJ-> I keep telling that to my Huskies!
23:06 <keithzg> (I haven't tried `sudo iptables -A FORWARD -i tun0 -o external0` yet, for the record)
23:06 <sdeziel> keithzg: I think that's your answer
23:07 <sdeziel> keithzg: you are using split tunnelling (or routing just the remote LAN IP space over your VPN/tun0)
23:07 <keithzg> Aha, fair enough (can't remember if that was intentional on my part when I ported over to the new server, or maybe that's an artifact of the convoluted setup of my predecessor)
23:07 <TJ-> keithzg: it makes sense, no point in routing internet bound traffic via the tunnel
23:08 <sdeziel> keithzg: at least that's what I believe is going on. I'm not very familiar with the per UID routing stuff done on Android
23:08 <keithzg> TJ-: Yeah, it's definitely what I'd have chosen to set up if I actually did so deliberately ;)
23:08 <TJ-> keithzg: do you want to test with your 'spare' currently unused IP address?
23:08 * sdeziel wonders if per UID routing landed upstream
23:10 <keithzg> TJ-: That does sound like a plan---although I honestly don't know what it is, heh (I knew we had a second static address but I haven't bothered to look it up)
23:11 <TJ-> keithzg: your gives you 2 IP addresses: .245 and .246 (which you use) so we can try adding .245 and using it
23:11 <TJ-> keithzg: "sudo ip addr add dev external0"
23:12 <sdeziel> wget --bind-address= -SO - https://tools.usps.com/
23:13 <TJ-> keithzg: then try "wget --bind-address= -S -O - http://www.thebay.com"
23:13 <TJ-> Grrrr, stealing my typing :D
23:14 <sdeziel> I don't trust your self-aware fingers either ;)
23:15 <keithzg> Well I must've messed up the addition of the additional address or something, since that (either one) just hangs at "Connecting" forever
23:15 <TJ-> keithzg: check with "ip addr show dev external0"
23:16 <TJ-> keithzg: you should see both .245/30 and .246/30
23:16 <TJ-> We know there's no netfilter rules to get in the way :)
23:18 <keithzg> TJ-: Heh. Yeah I see it listed although it's different? https://paste.kde.org/pbatt57z3/32j5t0/raw
23:19 <TJ-> keithzg: that's fine
23:19 <TJ-> keithzg: let's check routing: "pastebinit <( ip route show )"
23:19 <keithzg> TJ-: Fair enough, I just wasn't sure, although upon reflection I assume "brd" means broadcast so that makes sense to me then
23:20 <keithzg> TJ-: https://paste.ubuntu.com/26440728/
23:20 <TJ-> keithzg: did you say both .245 and .246 hung when used with wget --bind-address= ?
23:21 <keithzg> TJ-: Oh, no I didn't try binding to .246 instead. Just tried it, it instantly works.
23:21 <TJ-> interesting, adding the new IP changed the default via to .245
23:21 <keithzg> (well, gives the 403 from AkamaiGHost, heh)
23:22 <TJ-> keithzg: I'm getting confused. which works? "wget -S -O - http://www.thebay.com" ?
23:23 <keithzg> TJ-: That works (gets a 403), explicitly binding to .246 works (also 403), explicitly binding to .245 does not (hangs on the Connecting step)
23:24 <TJ-> keithzg: weird, that suggests your ISP has assigned a /30 but is not routing it! Is there a modem/router from your ISP connected to the server?
23:24 <TJ-> keithzg: in which case it's likely .245 is assigned to that device
23:26 <TJ-> keithzg: do "sudo ip addr del dev external0" to clean up the server
23:26 <keithzg> Yeah they insisted they couldn't give me *just* a modem anymore :( (this is why I don't use Shaw personally!). In theory they've disabled it so that it's only acting as a modem, it's not bridged or anything, but I wouldn't be surprised then if the modem+router box also has its own IP address secretly then.
23:27 <keithzg> Huh, even after that del I still see .245 as the default route.
23:27 <keithzg> (Did I just not have a default before? Yeesh, I need to keep better track of these things!)
23:28 <sdeziel> https://paste.ubuntu.com/26440446/ shows that you had a "default via dev external0 onlink"
23:29 <sdeziel> keithzg: that's one of your earlier pastes
23:29 <keithzg> sdeziel: Ah, fair enough. So it's more just a lack of comprehension of what it all means on my part then, heh.
23:29 <TJ-> oh, so .245 is the ISP device
23:30 <TJ-> i missed that
23:30 <sdeziel> keithzg: no, we screwed up a little I'm afraid
23:30 <TJ-> keithzg: so the upshot is ... Akamai
23:30 <TJ-> i read the default as .246 originally, grrr
23:31 <keithzg> Curse our fallible humanity!
23:31 <TJ-> I blame my fingers AND my eyes :)
23:31 <TJ-> basically, broken I/O
23:31 <sdeziel> on the up side, you were not SSH'ed in from a remote location and didn't lose access :)
23:32 <keithzg> Yeah, seems like my next step is probably to bug my ISP and see if there's some way they can get more info or a delisting from Akamai.
23:33 <keithzg> Many, many thanks! :)
23:33 <keithzg> I wish all of the internet was full of people as wonderful as #ubuntu-server :D
23:34 <keithzg> Fallible and human as they may be ;)
23:34 <sdeziel> good luck!

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!