[03:07] <Now_its_Broken> Hi,  can anyone here point to some instructions on getting openvswitch working with netplan?
[07:12] <lordievader> Good morning
[11:13] <ahasenack> rostam: try the dig tool, dig @<ip-of-dns-server> <name-you-want-to-resolve>
[11:13] <ahasenack> rostam: start with using the ip from /etc/resolv.conf
[11:14] <ahasenack> if that's 127.0.1.1 or some such, move on to your real dns server, then try 8.8.8.8 (google's), etc
[11:53] <ahasenack> rbasak: hi, I'm getting this from g-u merge start on samba:
[11:53] <ahasenack> $ git ubuntu merge start pkg/ubuntu/devel
[11:53] <ahasenack> 01/22/2018 09:53:01 - ERROR:pkg/ubuntu/devel version (2:4.7.3+dfsg-1ubuntu1) is after debian/sid version (2:4.7.1+dfsg-1). Are you sure you want to merge? (Pass -f to force the merge).
[11:53] <ahasenack> rbasak: debian/sid is at 4.7.4, though
[11:53] <ahasenack> seems like the debian branch(es?) are behind in the importer?
[12:01] <rbasak> AFAICT, sid is at 2:4.7.3+dfsg-1 and bionic-devel is at 2:4.7.3+dfsg-1ubuntu1
[12:01] <rbasak> Do you see something different?
[12:01] <rbasak> I was looking at https://code.launchpad.net/~usd-import-team/ubuntu/+source/samba/+git/samba
[12:21] <ahasenack> rbasak: rmadison, and the merges page
[12:21] <ahasenack> both show sid at 4.7.4+dfsg-1
[12:29] <ahasenack> rbasak: sorry, the vpn dropped, this was the last I saw:
 both show sid at 4.7.4+dfsg-1
[12:29] <ahasenack> * Disconnected ()
[13:30] <rbasak> ahasenack: ah. OK. So the problem is that the importer is straightforwardly out of date rather than inconsistently out of date in different branches I think?
[13:30] <rbasak> I need to sort out my VPN connection. That's blocking me from looking right now :-/
[13:31] <ahasenack> rbasak: I don't know, but "out of date" sounds right
[13:50] <eoli3n> Hi
[13:50] <eoli3n> i'm trying to preseed (with ubuntu kickstart + some preseed lines) an ubuntu install on a dual boot
[13:50] <eoli3n> each kickstart makes Win7 not bootable
[13:50] <eoli3n> i need to repair Win7 with the CDROM
[13:50] <eoli3n> fact is that i need to automate deploying 800 nodes
[13:51] <eoli3n> here is the kickstart file -> https://ptpb.pw/F5ts
[13:51] <eoli3n> here are some checksums of what changed at each step -> https://ptpb.pw/0Y6b.png
[13:51] <eoli3n> and here the "view details" log from win7 repair tool -> https://ptpb.pw/fxvz
[13:51] <eoli3n> the fact is that the PARTUUID seems to change after kickstart
[13:51] <eoli3n> i think it's due to partman
[13:51] <eoli3n> and i'm searching for a way to keep the same sda1 PARTUUID
[13:51] <eoli3n> so as not to have to repair Win7 after kickstarting
[13:51] <eoli3n> the strange thing is that kickstarting edits only the MBR's bootloader part -> and repairing with the Win7 CDROM changes only C:\Boot\BCD
[13:51] <eoli3n> and every time i loop a kickstart deploy it gives the same
[13:51] <eoli3n> while true; do ; kickstart changes bootloader ; Win7 boot broken ; repairing with CDROM, it edits data inside sda1 ; done
[13:51] <eoli3n> (sorry for that huge paste)
[13:54] <Ussat> dont dual boot
[13:58] <eoli3n> are you serious?
[13:58] <Ussat> very
[13:58] <eoli3n> cool
[13:58] <eoli3n> any serious help here?
[13:59] <Ussat> There is, in my opinion, almost no reason to dual boot anymore with modern hypervisors
[13:59] <eoli3n> you don't have my needs
[13:59] <eoli3n> and i'm not asking for that help
[13:59] <eoli3n> that's cool from you
[13:59] <eoli3n> but not my ask
[14:09] <mason> eoli3n: Wait, you're taking a checksum of sda1 there?
[14:09] <mason> eoli3n: I'm assuming sda1 is your ESP, yes?
[14:10] <mason> I'm not completely understanding here, but I'd be more inclined to think you're seeing a problem with your efibootmgr entries.
[14:10] <eoli3n> mason: i'm using legacy BIOS, not UEFI
[14:10] <eoli3n> i took some checksums to see what kickstart changes
[14:10] <eoli3n> sda1 is the Windows partition
[14:11] <mason> eoli3n: Ah... Nowadays I wouldn't consider dual-booting without UEFI, but I'm not sure Windows 7 can deal with UEFI. Can it?
[14:11] <eoli3n> mason: i use old nodes
[14:11] <eoli3n> i don't know, problem is that i will not renew my 800 nodes now :)
[14:11] <mason> right
[14:12] <eoli3n> my problem needs a bit of reflection to understand what i do
[14:12] <eoli3n> sorry not to be able to make it easily understandable
[14:12] <mason> just noted that you've included multiple pastes - looking
[14:12] <eoli3n> thx, ask if any question
[14:12] <eoli3n> the important paste is the table
[14:12] <eoli3n> a bit hard to understand
[14:13] <eoli3n> i started at line 1 with a working dual boot
[14:13] <eoli3n> then i reinstalled with kickstart at line 2
[14:13] <eoli3n> my kickstart installation needs to keep win7 working
[14:13] <eoli3n> after kickstart, i'm not able to boot win7 without win7 CDROM repair tool
[14:13] <mason> #Clear the Master Boot Record
[14:13] <mason> zerombr yes
[14:13] <mason> Guessing that's why.
[14:13] <eoli3n> nope
[14:14] <eoli3n> asked the dev of ubuntu kickstart
[14:14] <eoli3n> it does nothing
[14:14] <rbasak> ahasenack: I imported samba by hand and it worked fine.
[14:14] <rbasak> Not sure what happened in the past.
[14:14] <rbasak> ahasenack: so it should be good for you now.
[14:15] <rbasak> Sorry it didn't work before. It could have been due to a gap when the importer was running.
[14:15] <rbasak> We haven't got the full "catch up everything" thing running yet.
[14:15] <rbasak> nacc: ^
[14:15] <eoli3n> mason: he pasted me that -> https://paste.ubuntu.com/26409694/
[14:18] <mason> eoli3n: Hm, well. Hopefully someone who's done this will come around with ideas, or there's always the mailing list. I don't run Windows anywhere so I'm not entirely clear on what it wants and what's changed out from under it.
[14:19] <TJ-> eoli3n: I only just came in, but it sounds to me like GRUB needs to create a menu entry for the Windows install. If you want Windows to remain the primary boot-strap bootloader then you have to prevent GRUB from writing its bootstrap code
[14:21] <eoli3n> TJ-: i don't want to prevent it
[14:21] <eoli3n> chainloader +1 is working
[14:21] <eoli3n> problem is that win7, while booting, asks for a repair
[14:21] <eoli3n> TJ-: https://ptpb.pw/0Y6b.png
[14:22] <eoli3n> please check and tell me if its clear
[14:22] <eoli3n> when installing with kickstart, nothing changed on the disk except the ubuntu install on sda2 and the bootloader 0>446 on sda
[14:22] <eoli3n> the strange part is
[14:22] <eoli3n> when i repair win7
[14:22] <eoli3n> it repairs by changing the BCD in the win7 install
[14:23] <eoli3n> i don't know more about what it does -> here's the log file -> https://ptpb.pw/fxvz
[14:23] <eoli3n> grub is working
[14:24] <TJ-> eoli3n: is the partitioning using only MBR ?
[14:24] <eoli3n> what do you mean? "using only MBR"?
[14:25] <TJ-> eoli3n: it's possible to have GPT hybrid that also has a valid MBR
[14:25] <eoli3n> i'm using mbr not gpt
[14:25] <eoli3n> https://ptpb.pw/F5ts
[14:25] <eoli3n> https://ptpb.pw/F5ts
[14:25] <TJ-> OK, and which sector does sda1 start at?
[14:25] <eoli3n> oops, sorry for the double paste
[14:25] <eoli3n> 2018
[14:25] <eoli3n> ahhh
[14:25] <eoli3n> 2048
[14:26] <eoli3n> please look at the paste
[14:26] <eoli3n> at PRE part
[14:26] <eoli3n> you will see that i use sfdisk to restore the partition table
[14:26] <TJ-> eoli3n: OK, so under normal circumstances GRUB will write its boot-strap into sector 0 and its core image into sector #1 through 2047
[14:27] <eoli3n> not from 0>446 ?
[14:27] <eoli3n> hm i didn't know there was more than the "boot-strap"
[14:27] <eoli3n> my question is
[14:27] <TJ-> eoli3n: 446-509 is the partition table, 510-511 is the signature
[14:28] <eoli3n> ok
[14:28] <eoli3n> so why
[14:28] <eoli3n> installing grub breaks win7 boot
[14:28] <eoli3n> as the win7 bootloader is at the start of sda1
[14:28] <eoli3n> so at 2048
[14:30] <TJ-> eoli3n: the process goes PC >BIOS > read sector 0 > execute code from offset 0. This is the bootloader's boot-strap code. In GRUB it then uses BIOS services to read sector #1-2047 into memory and continues executing - that is GRUB's core image, which then finds GRUB's root file-system and accesses that, loads the normal.mod and executes 'normal' command which reads /grub/grub.cfg and processes it
[14:30] <TJ-> (menu, wait for key press, launch OS, etc)
[14:31] <eoli3n> i get it
[14:31] <TJ-> As I recall, Windows boot-strap code in sector 0 looks for the partition that is flagged as Bootable, then reads boot code from that partition, which then reads Windows bootmgr code
[14:31] <eoli3n> the partition sda1 is marked as bootable
[14:31] <eoli3n> with "boot" flag i mean
[14:32] <eoli3n> so installing grub can not break any win7 install right ?
[14:32] <TJ-> eoli3n: right, from your table it looks as if the Win7 repair is writing something into the 'spare' sectors from sector 1 onwards - is that correct?
[14:33] <eoli3n> which are the spare sectors?
[14:34] <eoli3n> what i can say is that the repair tool writes between 2048 and the end of the partition
[14:34] <eoli3n> i know that it edits the BCD file
[14:34] <TJ-> eoli3n: Installing GRUB will break Windows every time 100%, since it has to write its boot-strap code into sector 0. However, it uses os-prober to locate the Windows OS during "update-grub" and adds a menuentry for Windows
[14:35] <eoli3n> TJ-: i used a previous installation method which installs grub with a custom script without breaking the win7 part
[14:35] <eoli3n> win7 install i mean
[14:35] <TJ-> eoli3n: it sounds more likely Windows is breaking itself - by 'thinking' it needs a repair when it doesn't simply because sector 0 changed, then during the repair it goes on to change things it doesn't need to change
[14:36] <eoli3n> so how to make it work without a repair? dd backup then restore?
[14:36] <eoli3n> i need to automate the process
[14:36] <eoli3n> but still, i'm not understanding how my previous deploy method differs
[14:38] <eoli3n> in my previous installation/deploy method, i uncompressed a huge tar.xz on disk, then installed grub in a chroot with this script -> https://ptpb.pw/DR9s
[14:38] <eoli3n> that didn't make win7 need a repair
[14:38] <eoli3n> why?
[14:39] <eoli3n> my previous installation working method, complete is -> boot debian bootstrap pxe -> sfdisk to restore part table -> detar.xz sda2 (/boot) and sda3 (/) -> chroot -> install grub with the script in chroot -> reboot
[14:39] <eoli3n> win7 still working after that
[14:39] <eoli3n> what differs in the kickstart method?
[14:43] <eoli3n> weird, isn't it?
[14:45] <TJ-> I'm trying to determine what exactly "grub-installer/with_other_os" is supposed to do
[14:50] <TJ-> I think that should be set to "true" when you expect another OS to be installed; I don't think that'll affect the issue you are having though
[14:50] <eoli3n> that was my question before all of that on #debian
[14:50] <eoli3n> i tried every option TJ-
[14:51] <eoli3n> with_other_os and only_debian, set to true or false
[14:51] <eoli3n> all false was my last try
[14:51] <eoli3n> just tried to install grub with my custom script
[14:51] <eoli3n> as https://ptpb.pw/n5Av
[14:51] <eoli3n> let's try, i'll tell you in 20 min
[14:51] <eoli3n> grub-installer/skip boolean true
[14:51] <eoli3n> then generate a chroot grub.sh installer
[14:54] <eoli3n> cat not echo -> fixed : https://ptpb.pw/ao3y
[15:08] <TJ-> eoli3n: Are you sure when Win7 'repairs' it's not writing a GPT to the disk? Because in your table for lines (3) and (4) you show PARTUUID - that will only be available for GPT, MBR scheme has nowhere to store a /partition UUID/ (whereas the file-system in the partition can/does have a UUID)
[15:11] <TJ-> eoli3n: GPT uses sectors 1-33 which would explain why in line (3) you have a different checksum for 0>1024
[15:12] <eoli3n> i repair, and recheck
[15:15] <TJ-> use "gdisk" to check before and after
[15:15] <eoli3n> i can't, no xserver
[15:17] <TJ-> gdisk is console
[15:17] <eoli3n> ah
[15:17] <eoli3n> huhu
[15:17] <TJ-> "gdisk -l /dev/sda"
[15:18] <eoli3n> need to redeploy, my custom grub.sh breaks
[15:18] <eoli3n> tell you in some minutes
[15:20] <eoli3n> hmm that could be the trick
[15:20] <eoli3n> dump and restore with sgdisk
[15:49] <eoli3n> TJ-: before -> http://ix.io/EvA, after -> http://ix.io/EvC
[15:50] <eoli3n> the GUID changes each time i run gdisk
[15:50] <eoli3n> http://ix.io/EvD
[15:50] <eoli3n> http://ix.io/EvE
[15:51] <TJ-> OK, so not GPT then. So why is Win7 changing something in sector 1+? Does it also hide recovery info there?
[15:51] <eoli3n> hide recovery info?
[15:51] <eoli3n> where?
[15:51] <eoli3n> i don't know why, i think maybe it changes only the BCD boot file
[15:51] <eoli3n> in the log of the repair tool, it just says that it edits the entry in BCD
[15:52] <eoli3n> removing the previous one then replacing it with a new matching one
[15:52] <eoli3n> as in my previous paste
[15:52] <eoli3n> https://ptpb.pw/fxvz
[15:52] <eoli3n> https://ptpb.pw/0Y6b.png
[15:53] <eoli3n> the 3 columns in orange are the same
[15:53] <TJ-> eoli3n: oh! I misread your table "0>1024" as being the first 4 sectors of the disk, but that's actually the 1st partition
[15:53] <eoli3n> i mean the first one is 2048 > (1024*50)
[15:53] <eoli3n> yep
[15:53] <TJ-> eoli3n: you should take a checksum of sectors 1-2047
[15:53] <eoli3n> hm but how to cut it?
[15:53] <mason> eoli3n: This is where UEFI is much more orderly. There aren't random things slipping their tentacles around different undocumented bits of disk.
[15:54] <eoli3n> 0>446, 446>510, 512>2047?
[15:54] <TJ-> as in "dd if=/dev/sda skip=1 count=2047 | md5sum"
[15:55] <eoli3n> ok but it will tell me nothing
[15:55] <eoli3n> https://ptpb.pw/0Y6b.png
[15:55] <eoli3n> i already tested the lower part
[15:55] <eoli3n> 0>446 , 446>510
[15:55] <eoli3n> 1>2047 will have the partition table and bootloader in it, no?
[15:56] <eoli3n> the range is too high? you know what i mean?
[15:56] <eoli3n> sadly, i have to go :( , i really want to figure out that problem, i will try to diff md5sum 512>2047 too tomorrow
[15:57] <TJ-> eoli3n: no, 1-2047 are 'spare' sectors which GRUB puts its core image in
[15:57] <eoli3n> ?
[15:57] <eoli3n> https://fr.wikipedia.org/wiki/Master_boot_record
[15:57] <eoli3n> i don't get what you mean
[15:57] <eoli3n> sorry
[15:58] <eoli3n> wikipedia says that 0>446 is the partition table
[15:58] <eoli3n> so how could 1>2047 be the grub core image?
[15:58] <eoli3n> 1 is a byte, yes?
[15:58] <eoli3n> byte "1" to byte "2047"?
[15:59] <TJ-> No, it's sectors of 512 bytes
[15:59] <TJ-> dd uses 512 byte blocks by default
[16:00] <eoli3n> ohhhhh
[16:01] <eoli3n> i will take a look tomorrow morning at 8h (GMT+1)
[16:01] <eoli3n> thx a lot for your help
[18:10] <DammitJim> is there an ubuntu repo for tomcat 8.5?
[18:11] <sarnold> DammitJim: 8.5 appears to be in artful and forthcoming bionic
[18:12] <DammitJim> I guess I've got to learn what bionic and artful is
[18:13] <DammitJim> I have ubuntu 16.04 LTS servers with tomcat 8 and apparently Apache Tomcat is making tomcat 8 EOL in September
[18:13] <nacc> DammitJim: 18.04 (unreleased) and 17.10, respectively
[18:13] <DammitJim> trying to start getting off that version
[18:14] <DammitJim> gosh, it looks like I'm going to have to just uninstall tomcat8
[18:14] <sarnold> oh
[18:14] <DammitJim> and download the apache-tomcat-8.5.zip
[18:14] <DammitJim> and work it from that angle
[18:14] <sarnold> so you don't actually have an application that requires 8.5?
[18:14] <DammitJim> no repos
[18:15] <DammitJim> I do not
[18:15] <DammitJim> we are purely doing it because it's EOL
[18:15] <sarnold> just upgrade to 18.04 LTS when you're comfortable with the change
[18:15] <sarnold> 18.04 will be released before september.
[18:15] <DammitJim> yeah, I think that'll be an option in my proposal
[18:22] <sdeziel> DammitJim: also, Tomcat 8 being in main, it should be supported for the full lifetime of 16.04 even if upstream reaches its EOL
[18:22] <nacc> (supported by canonical/ubuntu)
[18:22] <nacc> *not* by upstream, to be clear :)
[18:23] <sdeziel> yeah, main is a canonical thing :)
[18:30] <DammitJim> thanks for clarifying that, sdeziel
[18:30] <DammitJim> so, if there was a problem with tomcat 8, Canonical would fix it and release an update?
[18:31] <nacc> DammitJim: yeah
[18:31] <nacc> generally speaking, it does depend on 'the problem', as we still need to follow SRU rules
[18:31] <nacc> but presuming you mean CVEs or so, then yes
[18:31] <DammitJim> awesome
[18:32] <DammitJim> I need to find the documentation that explains that, because that is AMAZING
[18:32] <nacc> https://help.ubuntu.com/community/Repositories#Main
[18:32] <nacc> iirc
[18:49] <DammitJim> thanks
[19:04] <DammitJim> nacc, I'm reading the Main section
[19:04] <DammitJim> that's where Tomcat would fall under, right?
[19:04] <nacc> DammitJim: correct
[19:05] <sarnold> you can use 'apt-cache policy tomcat8' to see
[19:06] <sarnold> not all binary packages built from a source package are in main, so it doesn't hurt to check all the binary packages you care about
[19:06] <nacc> sarnold: good point
[19:07] <DammitJim> oh gosh
[19:07] <DammitJim> the devil is in the details, but thanks!
[19:07] <DammitJim> so, it seems that if I want to use tomcat 8.5, I'll have to upgrade to Ubuntu 18.04?
[19:08] <nacc> DammitJim: i think everything is in main except libtomcat8-embed-java and tomcat8-user
[19:09] <nacc> DammitJim: once released, yes, or 17.10 in the meanwhile
[19:45] <Ussat> sigh
[21:34] <Olanzapin> &j ssacc.net
[21:54] <keithzg> So here's something that's been baffling me, and it's arguably appropriate since the router in question runs Ubuntu ;)
[21:55] <keithzg> A bunch of random sites seem to have started blocking HTTP traffic from my office, with what appear to be Apache "Access Denied" messages. This extends to curl/wget from the router itself . . . but somehow *not* to traffic through the OpenVPN instance?
[21:56] <TJ-> keithzg: is your public IP on a blacklist?
[22:00] <keithzg> TJ-: That was my first thought, but if it is, I can't seem to find any publicly-accessible listing thereof
[22:01] <TJ-> keithzg: what's the public ip address/mask ?
[22:02] <keithzg> TJ-: It's 184.70.164.246, aka gmcl.com
[22:03] <keithzg> (My current working theory remains that it's some sort of private corporate blacklist; that doesn't explain why VPN'd traffic doesn't get blocked but I can sort of hand wave that away with "routing is complicated, I'm probably not understanding something")
[22:04] <TJ-> keithzg: if you are using openvpn to tunnel out to another host that then routes, its IP address will be different
[22:05] <keithzg> TJ-: The router is also the VPN server, though, so shouldn't sites see that as the IP address of the traffic?
[22:06] <TJ-> keithzg: you mean you connect from LAN clients using openvpn to your gateway router?
[22:07] <TJ-> keithzg: checked the IP, not blocked anywhere
[22:07] <keithzg> TJ-: Specifically I mean that the router for the office LAN is also the VPN server that external clients use to get into our LAN remotely.
[22:08] <TJ-> keithzg: Oh, I thought you meant you link your gateway to another location and tunnel /out/ through it
[22:09] <TJ-> keithzg: then I can only think your gateway is messing with the traffic, are you sure your network doesn't have a transparent proxy?
[22:09] <TJ-> keithzg: does it affect HTTPS connections or only HTTP?
[22:10] <TJ-> keithzg: i'd suspect the Apache message you see is from your own network
[22:11] <keithzg> TJ-: Funny story about that, due to this I've noticed that https://thebay.com doesn't have a valid cert ;) but yeah it appears to affect both HTTPS and HTTP traffic, for instance https://tools.usps.com has a valid HTTPS connection but tells me "You don't have permission to access "http://tools.usps.com/" on this server"
[22:12] <TJ-> keithzg: I think you've got an internal redirection issue in the gateway. Possibly the rules that were set for incoming openvpn  tunnel traffic are breaking regular forwarded traffic
[22:13] <TJ-> keithzg: Ask yourself: 1) when did this start? 2) What did I change just before I noticed the issue?
[22:13] <keithzg> TJ-: That's the problem, other than the standard security patches I haven't touched anything on the router in ages now.
[22:14] <TJ-> keithzg: it's an Ubuntu server acting as gateway?
[22:14] <keithzg> TJ-: Yup.
[22:14] <TJ-> keithzg: check /var/log/syslog and /var/log/kern.log for clues
[22:15] <TJ-> keithzg: also, if it has apache2 web-server installed, check its logs in /var/log/apache2/ in case it indicates it's responsible for the messages
[22:18] <keithzg> TJ-: No messages in kern.log for several days now, I can't see anything that seems remotely relevant in either syslog or the apache logs, and nothing seems to show up if I tail them while trying to access a site :(
[22:19] <TJ-> keithzg: has it run out of space? "df -h"
[22:19] <TJ-> also try "df -ih" (for inodes)
[22:20] <sarnold> pity there's no way to get both in one invocation :(
[22:20] <keithzg> TJ-: Naw, the 256GB M.2 SSD that the router runs is only at 4% space usage (the only higher is /run at 8%, and inode usage for everything is being rounded to 1%)
[22:22] <TJ-> keithzg: good. Are you comfortable sharing the netfilter rules? ("pastebinit <( sudo iptables-save )")
[22:29] <keithzg> TJ-: https://paste.ubuntu.com/26440410/
[22:29] <tomreyn> if you request httpS://tools.usps.com and get to see an error stating that you may not access HTTP://tools.usps.com/ (so non-encrypted) then this is a pretty obvious hint that your TLS connection was stripped towards the receiving end.
[22:29] <TJ-> tomreyn: that's why I suspect a local proxy
[22:29] <tomreyn> right
[22:29] <TJ-> keithzg: are the local clients using Ubuntu/Linux ?
[22:29] <keithzg> Yeah I wonder . . . I'm going to try turning off the Apache server (which is proxying to a VM running the *actual* company website)
[22:30] <keithzg> TJ-: Not all of them, the first person who noticed this and has continued to notice things is on Windows 8.1, and I randomly tried a macOS VM at one point. I myself have been mostly testing this from Kubuntu.
[22:31] <keithzg> Well, shutting down the Apache server on the router didn't change anything.
[22:31] <TJ-> keithzg: I'm also surprised, if that is a gateway router, that the INPUT chain doesn't have a DROP policy and then specific rules for allowing VPN/SSH traffic in
[22:32] <TJ-> keithzg: can you do one of those 'wget' ops that gets denied and show us the output in a pastebin?
[22:32] <TJ-> keithzg: from the gateway itself
[22:33] <TJ-> keithzg: also, "pastebinit <( ip -4 -6 route show )"
[22:34] <keithzg> TJ-: I have SSH blocked with `-A INPUT -i external0 -p tcp -m tcp --dport 22 -j REJECT --reject-with icmp-port-unreachable` and that I thought worked fine for blocking SSH traffic (I actually run a port knocker, and that's how rules for allowing SSH in get added)
[22:38] <sdeziel> "ip -4 -6 ro" only returns v6 routes here (on Xenial)
[22:38] <TJ-> keithzg: right, but if there are other services on the gateway they may be exposed.
[22:38] <TJ-> sdeziel: it returns both here on 16.04
[22:38] <keithzg> TJ-: Ah, fair enough.
[22:38] <TJ-> sdeziel: oh, no, you're correct! Sorry, I misread!
[22:38] <keithzg> Anyways the denied requests are just single-line HTTP responses, ex.
Request Rejected</title></head><body>The requested URL was rejected. Please consult with your administrator.<br><br>Your support ID is: 16159986499229415207</body></html>
[22:38] <sdeziel> TJ-: too bad, I would have liked it to work ;)
[22:38] <TJ-> keithzg: so, "pastebinit <( ip route show; ip -6 route show )"
[22:38] <TJ-> sdeziel: yeah, it annoys me that without switches it defaults to IPv4
[22:38] <keithzg> TJ-: https://paste.ubuntu.com/26440446/
[22:38] <keithzg> Oh how I wish we had IPv6
[22:38] <TJ-> keithzg: I wanted to see the entire wget messages. Do "pastebinit <( wget http:///whatever 2>&1 )"
[22:38] <keithzg> TJ-: Oh, fair enough, I just saw that it was going "200 OK" and nothing else other than the actual *contents* of index.html indicates any problem.  But here: https://paste.ubuntu.com/26440457/
[22:39] <keithzg> Oh oops, never mind that
[22:39] <keithzg> Although maybe that's a clue to some degree, many initial URLs are fine, but then what they're actually redirecting to isn't OK.
[22:40] <keithzg> Actual wget output for one of these 403s: https://paste.ubuntu.com/26440460/
[22:40] <sdeziel> "wget -SO - http:///whatever 2>&1 )"
[22:40] <tomreyn> i'd rather suggest to use curl --trace /tmp/trace http(s)://...
[22:42] <TJ-> keithzg: thebay.com is broken for me too, and TLS connections return SSL_ERROR_BAD_CERT_DOMAIN
[22:42] <TJ-> keithzg: any other domains do this to you?
[22:42] <sdeziel> 69.192.84.206 belongs to Shaw Communications
[22:42] <sdeziel> keithzg: would that be your ISP ^
[22:42] <tomreyn> tools.usps.com seemed like a better test candidate
[22:43] <TJ-> For that I get "20 redirections exceeded."
[22:43] <sdeziel> and when resolving www.thebay.com, I get an akamai IP so it looks like an ISP getting in the way
[22:44] <keithzg> tomreyn: heh yup, that would be precisely what I was going to try as an alt. Here in fact is the curl trace output for that: https://paste.ubuntu.com/26440477/
[22:44] <tomreyn> keithzg: that's the output of which command?
[22:45] <keithzg> sdeziel: Interesting, I saw Akamai when trying to figure things out before too with https://www.us-cert.gov/ (the third website giving this error)
[22:45] <TJ-> sdeziel: that explains it then, they've left thebay.com in the DNS zone file but it should be front-ended by cloudfront. www.thebay.com is correct with a CNAME
[22:45] <keithzg> tomreyn: `curl --trace tracefile https://tools.usps.com`
[22:45] <TJ-> sorry, akamai, not cloudfront
[22:46] <sdeziel> keithzg: from that paste, it seems the 403 was emitted by Akamai themselves
[22:46] <sdeziel> Server: AkamaiGH
[22:46] <sdeziel> maybe Akamai thinks your IP has a bad reputation?
[22:46] <TJ-> tools.usps.com also on akamai - do Akamai have a problem?
[22:47] <TJ-> sdeziel: I did an RBL check on the IP address over about 30 RBLs and it's clean
[22:47] <sarnold> akamai may have their own database
[22:47] <tomreyn> akamai don't like you.
[22:48] <keithzg> That definitely aligns with the vague intimations of https://community.akamai.com/community/cloud-security/blog/2016/04/07/why-is-akamai-blocking-me
[22:50] <keithzg> (one of the first things I found when initially noticing this error and when nmap told me that the us-cert site was hosted by Akamai)
[22:50] <TJ-> this is 1 of the big downsides to centralised proxies
[22:50] <keithzg> Yeahhh, and unfortunately that help page gives the impression that there's no way to contact Akamai and ask them precisely what's going on :(
[22:51] <TJ-> keithzg: has anything on your network been doing automated connections, say to access the USPS site for example?
[22:51] <TJ-> someone developing a tool to query shipping status maybe?
[22:53] <keithzg> TJ-: Nothing intentional, no; the only software development anyone other than ol' sysadmin me does is oldskool Win32 work for the software we sell (that in turn tends to run on theoretically airgapped networks, so we don't even have any sort of auto-updater or such for our tools).
[22:55] <TJ-> keithzg: how about via the VPN - you said connections via the VPN were OK - which I can only see happening if the VPN uses a different IP address for its exit interface from your /30
[22:56] <sdeziel> or maybe the VPN is using split tunneling ?
[22:56] <TJ-> keithzg: show us "pastebinit <( ip addr show )"
[22:57] <keithzg> TJ-: Yeah, that one baffles me as well. Here it is: https://paste.ubuntu.com/26440512/
[22:58] <TJ-> keithzg: so, the external clients /are not/ using the VPN for general internet access, which explains that
[22:58] <sdeziel> keithzg: on a VPN client that works, could you share "pastebinit <( ip ro)"
[22:59] <TJ-> sdeziel: I hate that "split tunnel" name, it's deceptive, there's no split in the tunnel, it's just standard routing!
[22:59] <sdeziel> TJ-: I /think/ it could be it but I haven't seen any evidence so far
[22:59] <keithzg> sdeziel: Well drat, I didn't bring my laptop to work today! I wonder if Android can manage that.
[23:01] <TJ-> sdeziel: I'm sure it is, the client will use their standard default route (and hence connect successfully to thebay.com) but will route 10.0.0.0./8 (or similar) via the openvpn tunnel
[23:01] <sdeziel> keithzg: you could do something server side. "sudo iptables -A FORWARD -i tun0 -o external0"
[23:02] <TJ-> keithzg: 1 thing you could try is assign another IP address to external0 and use it as the source address for a test, see if it is blocked too, or just your current single IP address
[23:02] <sdeziel> keithzg: then with the VPN client, access a site then run this on the server side: "pastebinit <(sudo iptables -nvL FORWARD)"
[23:02] <TJ-> my typing is going downhill, my fingers have a mind of their own!
[23:02] <sdeziel> TJ-: if Akamai blocks based on IP reputation, they maybe do that using wider CIDRs than /32
[23:03] <TJ-> sdeziel: right, but it's worth testing, because if it's only a /32 there is a workaround
[23:03] <keithzg> sdeziel: Seems the command works fine from a shell on my Android phone, I think? https://paste.kde.org/pw2t6zene
[23:04] <sdeziel> keithzg: hmm, no default route?
[23:04] <tomreyn> 184.70.164.246 belongs to a /13 (!) - not ideal if your hopes are that you'll be emitting less bad traffic than the average of shaw communication (cable?) users. for business use, a much smaller address range would be recommendable.
[23:04] <sdeziel> keithzg: "ip ro g 8.8.8.8" ?
[23:04] <TJ-> which is "ip route get 8.8.8.8"
[23:05] <sdeziel> yeah, sorry, I'm very lazy
[23:05] <TJ-> :D trying to educate as well as diagnose :p
[23:05] <sdeziel> and it's better to have the receiving end understanding a command before running it :)
[23:06] <keithzg> sdeziel: 8.8.8.8 via 10.180.113.86 dev rmnet_data0  src 10.180.113.85 uid 10228
[23:06] <TJ-> I keep telling that to my Huskies!
[23:06] <sdeziel> lol
[23:06] <keithzg> (I haven't tried `sudo iptables -A FORWARD -i tun0 -o external0` yet, for the record)
[23:06] <sdeziel> keithzg: I think that's your answer
[23:07] <sdeziel> keithzg: you are using split tunnelling (or routing just the remote LAN IP space over your VPN/tun0)
[23:07] <keithzg> Aha, fair enough (can't remember if that was intentional on my part when I ported over to the new server, or maybe that's an artifact of the convoluted setup of my predecessor)
[23:07] <TJ-> keithzg: it makes sense, no point in routing internet bound traffic via the tunnel
[23:08] <sdeziel> keithzg: at least that's what I believe is going on. I'm not very familiar with the per UID routing stuff done on Android
[23:08] <keithzg> TJ-: Yeah, it's definitely what I'd have chosen to set up if I actually did so deliberately ;)
[23:08] <TJ-> keithzg: do you want to test with your 'spare' currently unused IP address?
[23:08]  * sdeziel wonders if per UID routing landed upstream
[23:10] <keithzg> TJ-: That does sound like a plan---although I honestly don't know what it is, heh (I knew we had a second static address but I haven't bothered to look it up)
[23:11] <TJ-> keithzg: your 184.70.164.244/30 gives you 2 IP addresses: .245 and .246 (which you use) so we can try adding .245 and using it
[23:11] <TJ-> keithzg: "sudo ip addr add 184.70.164.245/30 dev external0"
[23:12] <sdeziel> wget --bind-address=184.70.164.245 -SO - https://tools.usps.com/
[23:13] <TJ-> keithzg: then try "wget --bind-address=184.70.164.245 -S -O - http://www.thebay.com"
[23:13] <TJ-> Grrrr, stealing my typing :D
[23:14] <sdeziel> I don't trust your self-aware fingers either ;)
[23:14] <TJ-> LOL
[23:15] <keithzg> hehe
[23:15] <keithzg> Well I must've messed up the addition of the additional address or something, since that (either one) just hangs at "Connecting" forever
[23:15] <TJ-> keithzg: check with "ip addr show dev external0"
[23:16] <TJ-> keithzg: you should see both .245/30 and .246/30
[23:16] <TJ-> We know there's no netfilter rules to get in the way :)
[23:18] <keithzg> TJ-: Heh. Yeah I see it listed although it's different? https://paste.kde.org/pbatt57z3/32j5t0/raw
[23:19] <TJ-> keithzg: that's fine
[23:19] <TJ-> keithzg: let's check routing: "pastebinit <( ip route show )"
[23:19] <keithzg> TJ-: Fair enough, I just wasn't sure, although upon reflection I assume "brd" means broadcast so that makes sense to me then
[23:20] <keithzg> TJ-: https://paste.ubuntu.com/26440728/
[23:20] <TJ-> keithzg: did you say both .245 and .246 hung when used with wget --bind-address= ?
[23:21] <keithzg> TJ-: Oh, no I didn't try binding to .246 instead. Just tried it, it instantly works.
[23:21] <TJ-> interesting, adding the new IP changed the default via to .245
[23:21] <keithzg> (well, gives the 403 from AkamaiGHost, heh)
[23:22] <TJ-> keithzg: I'm getting confused. which works? "wget -S -O - http://www.thebay.com" ?
[23:23] <keithzg> TJ-: That works (gets a 403), explicitly binding to .246 works (also 403), explicitly binding to .245 does not (hangs on the Connecting step)
[23:24] <TJ-> keithzg: weird, that suggests your ISP has assigned a /30 but is not routing it! Is there a modem/router from your ISP connected to the server?
[23:24] <TJ-> keithzg: in which case it's likely .245 is assigned to that device
[23:26] <TJ-> keithzg: do "sudo ip addr del 184.70.164.245/30 dev external0" to clean up the server
[23:26] <keithzg> Yeah they insisted they couldn't give me *just* a modem anymore :( (this is why I don't use Shaw personally!). In theory they've disabled it so that it's only acting as a modem, it's not bridged or anything, but I wouldn't be surprised then if the modem+router box also has its own IP address secretly then.
[23:27] <keithzg> Huh, even after that del I still see .245 as the default route.
[23:27] <keithzg> (Did I just not have a default before? Yeesh, I need to keep better track of these things!)
[23:28] <sdeziel> https://paste.ubuntu.com/26440446/ shows that you had a "default via 184.70.164.245 dev external0 onlink"
[23:29] <sdeziel> keithzg: that's one of your earlier paste
[23:29] <keithzg> sdeziel: Ah, fair enough. So it's more just a lack of comprehension of what it all means on my part then, heh.
[23:29] <TJ-> oh, so .245 is the ISP device
[23:30] <TJ-> i missed that
[23:30] <sdeziel> keithzg: no, we screwed up a little I'm afraid
[23:30] <TJ-> keithzg: so the upshot is ... Akamai
[23:30] <TJ-> i read the default as .246 originally, grrr
[23:31] <keithzg> Curse our fallible humanity!
[23:31] <TJ-> I blame my fingers AND my eyes :)
[23:31] <TJ-> basically, broken I/O
[23:31] <sdeziel> on the up side, you were not SSH'ed in from a remote location and didn't lose access :)
[23:31] <keithzg> hehe
[23:32] <keithzg> Yeah, seems like my next step is probably to bug my ISP and see if there's some way they can get more info or a delisting from Akamai.
[23:33] <keithzg> Many, many thanks! :)
[23:33] <keithzg> I wish all of the internet was full of people as wonderful as #ubuntu-server :D
[23:34] <keithzg> Fallible and human as they may be ;)
[23:34] <sdeziel> hehe
[23:34] <sdeziel> good luck!
[23:34] <keithzg> Thanks!