sarnold | LeMike: hah, figures :) still, now you know a new tool :D not all bad | 00:41 |
---|---|---|
=== TxRaspPi is now known as TxRaspPI | ||
xrandr_mac | Hi.. I am trying to find some documentation on UFW as I am a little new to it. I am trying to understand what this line means: -A ufw-http-logdrop -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "[UFW HTTP DROP] " | 19:00 |
xrandr_mac | Specifically what the --limit and --limit-burst does. I understand --limit is limiting something, but the 5/min... what is that doing along with the limit burst? | 19:01 |
tomreyn | xrandr_mac: this is for rate limiting by ip address. see iptables-extensions(8) and search for: ^ limit | 19:21 |
xrandr_mac | Ok thanks | 19:21 |
xrandr_mac | That cleared it up | 19:26 |
* xrandr_mac offers tomreyn a beer for his troubles :) | 19:26 | |
tomreyn | no troubles here ;) thanks, though | 19:29 |
xrandr_mac | Was wondering why I kept being locked out of my website lol | 19:30 |
JanC | xrandr_mac: it's intended to be used with things like SSH or VPNs | 21:07 |
xrandr_mac | JanC, wanted to prevent DDoS attacks | 21:09 |
JanC | you can probably do that with a custom iptables rule similar to the one created by UFW, but less trigger-happy :) | 21:11 |
RoyK | or use nftables if you're on the cutting edge ;) | 21:12 |
JanC | isn't nftables replaced yet? ;) | 21:12 |
JanC | s/replaced/superseded/ | 21:13 |
RoyK | no | 21:13 |
RoyK | ifw was superseded by ipchanges, which was superseded by iptables, which was superseded by nftables | 21:13 |
RoyK | s/ifw/ipfw/ | 21:13 |
RoyK | and not ipchanges, ipchains | 21:14 |
RoyK | interesting how my fingers just write on automatically | 21:15 |
xrandr_mac | lol | 21:21 |
xrandr_mac | I think for now I am going to just disable that rule... | 21:21 |
JanC | RoyK: there is now also something called bpfilter which is based on eBPF, but it's still a WiP :) | 21:24 |
RoyK | oh - didn't know that | 21:28 |
RoyK | JanC: seems rather cutting edge - probably take a wee while to stabilise | 21:38 |
JanC | :) | 21:41 |
havenstance | anyone have any idea why a standard LAMP stack containing MySQL instead of MariaDB on Ubuntu Server 18.01.1 LTS would be lagging when trying to view the page? | 21:47 |
havenstance | nvm google-fu found the answer, I'll be migrating this to MariaDB | 21:54 |
trippeh_ | RoyK: very cutting edge indeed - I don't think they have any actual functionality yet. | 22:57 |
trippeh_ | basically an experiment at this stage. | 22:58 |
trippeh_ | also nftables might move over to the same infra IIRC. today nftables uses something similar to but not BPF | 22:59 |
RoyK | trippeh_: I don't know BPF, but I read nftables uses a miniature vm with a micro-OS | 23:12 |
RoyK | not even an OS, really | 23:12 |
RoyK | separate instruction set etc | 23:12 |
trippeh_ | yes, like BPF. | 23:13 |
RoyK | perhaps nftables will disappear like upstart, then… | 23:14 |
trippeh_ | or just become another frontend | 23:15 |
RoyK | BPF certainly looks promising, though | 23:35 |
RoyK | https://cilium.io/blog/2018/04/17/why-is-the-kernel-community-replacing-iptables/ The most recent development in the evolution of BPF is an exciting proposal to completely replace the kernel part of iptables with BPF in a way that is completely transparent to the user, i.e. existing iptables client binaries and libraries will continue to work. | 23:37 |
RoyK | I've never worked with systems large enough to hit the bottleneck of iptables, though | 23:40 |
RoyK | but then - I don't have 20k Kubernetes services | 23:41 |
trippeh_ | I've experimented a bit with BPF - but not the bpfilter, as that is still not very useful | 23:45 |
trippeh_ | XDP is fun | 23:45 |
trippeh_ | the tracing stuff too | 23:47 |
RoyK | so - perhaps nftables is just a pit stop? | 23:48 |
RoyK | I don't really see the difference - I don't know the stuff under the hood | 23:49 |
RoyK | between nftables and bpfilter, that is | 23:49 |
trippeh_ | I'd expect nftables to just become another frontend to bpfilter, with nicer syntax than iptables. | 23:49 |
trippeh_ | if bpfilter pans out that is. that we do not know. | 23:50 |
RoyK | but what about nftables? it too uses a completely different backend than iptables | 23:50 |
trippeh_ | although nftables has shown the bytecode approach to be viable. | 23:50 |
RoyK | BPF - is that how FreeBSD has been doing firewalling the latest years, hence the "Berkeley" name? | 23:52 |
trippeh_ | nftables would be changed to emit BPF. like iptables would be | 23:52 |
trippeh_ | BPF was originally a filter for sockets, for tcpdump and the like. not really a firewall thing. | 23:53 |
trippeh_ | the BPF in linux is significantly extended | 23:53 |
RoyK | just wondered - uio.no built this service for sensitive data some years back, mainly for universities and colleges, but also others, in Norway, and I know they used FreeBSD for the firewall, at least 5 years back | 23:54 |
RoyK | the rest is mostly linux | 23:55 |
trippeh_ | you're thinking about pf probably | 23:55 |
RoyK | possibly | 23:55 |
RoyK | I just never saw the big deal with pf compared to iptables | 23:55 |
trippeh_ | pf has nothing to do with BPF | 23:56 |
RoyK | ok | 23:57 |
RoyK | btw, any idea why some would prefer pf to iptables? | 23:57 |
trippeh_ | many hate the iptables syntax. I don't mind it either | 23:57 |
RoyK | I'm quite used to iptables | 23:57 |
RoyK | works | 23:58 |
RoyK | that obviously doesn't mean it's optimal | 23:59 |
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!