[00:41] <sarnold> LeMike: hah, figures :) still, now you know a new tool :D not all bad
[19:00] <xrandr_mac> Hi.. I am trying to find some documentation on UFW as I am a little new to it. I am trying to understand what this line means: -A ufw-http-logdrop -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "[UFW HTTP DROP] "
[19:01] <xrandr_mac> Specifically what the --limit and --limit-burst does. I understand --limit is limiting something, but the 5/min... what is that doing along with the limit burst?
[19:21] <tomreyn> xrandr_mac: this is for rate limiting by ip address. see iptables-extensions(8) and search for: ^   limit
[19:21] <xrandr_mac> Ok thanks
[19:26] <xrandr_mac> That cleared it up
[19:26]  * xrandr_mac offers tomreyn a beer for his troubles :)
[19:29] <tomreyn> no troubles here ;) thanks, though
[19:30] <xrandr_mac> Was wondering why I kept being locked out of my website lol
[21:07] <JanC> xrandr_mac: it's intended to be used with things like SSH or VPNs
[21:09] <xrandr_mac> JanC, wanted to prevent DDOS attacks
[21:11] <JanC> you can probably do that with a custom iptables rule similar to the one created by UFW, but less trigger-happy  :)
[21:12] <RoyK> or use nftables if you're on the cutting edge ;)
[21:12] <JanC> isn't nftables replaced yet?   ;)
[21:13] <JanC> s/replaced/superseded/
[21:13] <RoyK> no
[21:13] <RoyK> ifw was superseded by ipchanges, which was superseded by iptables, which was superseded by nftables
[21:13] <RoyK> s/ifw/ipfw/
[21:14] <RoyK> and not ipchanges, ipchains
[21:15] <RoyK> interesting how my fingers just write on automatically
[21:21] <xrandr_mac> lol
[21:21] <xrandr_mac> I think for now I am going to just disable that rule...
[21:24] <JanC> RoyK: there is now also something called bpfilter which is based on eBPF, but it's still a WiP   :)
[21:28] <RoyK> oh - didn't know that
[21:38] <RoyK> JanC: seems rather cutting edge - probably take a wee while to stabilise
[21:41] <JanC> :)
[21:47] <havenstance> anyone have any idea why a standard LAMP stack containing MySQL instead of MariaDB on Ubuntu Server 18.01.1 LTS would be lagging when trying to view the page?
[21:54] <havenstance> nvm google-fu found the answer, I'll be migrating this to MariaDB
[22:57] <trippeh_> RoyK: very cutting edge indeed - I don't think they have any actual functionality yet.
[22:58] <trippeh_> basically an experiment at this stage.
[22:59] <trippeh_> also nftables might move over to the same infra IIRC. today nftables uses something similar to but not BPF
[23:12] <RoyK> trippeh_: I don't know BPF, but I read nftables uses a miniature vm with a micro-OS
[23:12] <RoyK> not even an OS, really
[23:12] <RoyK> separate instruction set etc
[23:13] <trippeh_> yes, like BPF.
[23:14] <RoyK> perhaps nftables will disappear like upstart, then…
[23:15] <trippeh_> or just become another frontend
[23:35] <RoyK> BPF certainly looks promising, though
[23:37] <RoyK> https://cilium.io/blog/2018/04/17/why-is-the-kernel-community-replacing-iptables/ The most recent development in the evolution of BPF is an exciting proposal to completely replace the kernel part of iptables with BPF in a way that is completely transparent to the user, i.e. existing iptables client binaries and libraries will continue to work.
[23:40] <RoyK> I've never worked with systems large enough to hit the bottleneck of iptables, though
[23:41] <RoyK> but then - I don't have 20k Kubernetes services
[23:45] <trippeh_> I've experimented a bit with BPF - but not the bpfilter, as that is still not very useful
[23:45] <trippeh_> XDP is fun
[23:47] <trippeh_> the tracing stuff too
[23:48] <RoyK> so - perhaps nftables is just a pit stop?
[23:49] <RoyK> I don't really see the difference - I don't know the stuff under the hood
[23:49] <RoyK> between nftables and bpfilter, that is
[23:49] <trippeh_> I'd expect nftables to just become another frontend to bpfilter, with nicer syntax than iptables.
[23:50] <trippeh_> if bpfilter pans out that is. that we do not know.
[23:50] <RoyK> but what about nftables? it too uses a completely different backend than iptables
[23:50] <trippeh_> although nftables has shown the bytecode approach to be viable.
[23:52] <RoyK> BPF - is that how freebsd has been doing firewalling the latest years, hence the "Berkeley" name?
[23:52] <trippeh_> nftables would be changed to emit BPF. like iptables would be
[23:53] <trippeh_> BPF was originally a filter for sockets, for tcpdump and the like. not really a firewall thing.
[23:53] <trippeh_> the BPF in linux is significantly extended
[23:54] <RoyK> just wondered - uio.no built this service for sensitive data some years back, mainly for universities and colleges, but also others, in Norway, and I know they used freebsd for the firewall, at least 5 years back
[23:55] <RoyK> the rest is mostly linux
[23:55] <trippeh_> you're thinking about pf probably
[23:55] <RoyK> possibly
[23:55] <RoyK> I just never saw the big deal with pf compared to iptables
[23:56] <trippeh_> pf has nothing to do with BPF
[23:57] <RoyK> ok
[23:57] <RoyK> btw, any idea why some would prefer pf to iptables?
[23:57] <trippeh_> many hate the iptables syntax. I don't mind it either
[23:57] <RoyK> I'm quite used to iptables
[23:58] <RoyK> works
[23:59] <RoyK> that obviously doesn't mean it's optimal