| xibalba | anyone know how i could see if IPTables is causing this ? IP 10.38.4.3 > 10.38.4.9: ICMP host 10.38.4.3 unreachable - admin prohibited filter,. I'm trying to SSH from 4.3 to 4.9 | 02:20 |
|---|---|---|
| xibalba | I can pign it no problem | 02:20 |
| lordievader | Good morning | 06:22 |
| === cpaelzer__ is now known as cpaelzer | ||
| teward | xibalba: short of digging in your rules on 4.3 and 4.9 not really, and we'd need to see the current ruleset to help you debug that | 13:56 |
| teward | xibalba: however if the iptables rules on both boxes are *not* set up and are just running 'default' they wouldn't be blocking that | 13:56 |
| xibalba | thanks teward , figured it out. had nothing to do w/iptables, i was barking up the wrong tree | 14:49 |
| xibalba | it was firewall related just not on the iptables side | 14:49 |
| teward | hehehe, good. enjoy | 15:00 |
| SlowJimmy | if i open up the internet in my iptables list is it still safe since i am on a gnu linux or will people stumble over my server and breach it? | 16:51 |
| sarnold | it depends what services you run, how you configured them, etc. first things first, make sure you're using ssh key auth to log in, disable ssh passwords, then perform netstat audit of all listening services | 16:57 |
| catbadger | hi. I'm trying to install mod_perl 1.31 on apache1... anyone know why it's looking for mod_perl_hooks.pm when it doesn't exist in the zip? | 17:20 |
| tomreyn | catbadger: apache 1, as in apache httpd 1.x? | 17:27 |
| tomreyn | if so, which ubuntu version are you running there? | 17:27 |
| catbadger | tomreyn yes. ubuntu 18.04. I'm dockerizing a dumpsterfire legacy app to eventually modernize it | 17:28 |
| tomreyn | catbadger: well i'm afraid you're on your own with running prehistoric apache httpd and mod_perl versions on ubuntu 18.04 | 17:30 |
| tomreyn | i guess i'd just accept the downtime and migrate it properly. | 17:31 |
| catbadger | ok thanks anyway. | 17:31 |
| SlowJimmy | sarnold highly appreciated thank you freind! | 17:45 |
| sarnold | SlowJimmy: you're welcome :) have fun | 17:46 |
| ahasenack | rbasak: around? Quick question about a bug | 18:06 |
| ahasenack | rbasak: https://bugs.launchpad.net/ubuntu/+source/nfs-utils/+bug/1697339 | 18:06 |
| ubottu | Launchpad bug 1697339 in nfs-utils (Ubuntu Xenial) "rpc.gssd performs reverse DNS by default (regardless of -D flag)" [Undecided,New] | 18:06 |
| ahasenack | rbasak: it's a bug in the code that -D behaves incorrectly | 18:06 |
| ahasenack | but I just found out that there is no mechanism to actually pass that option (or any other) to rpc.gssd via the distro config files | 18:07 |
| ahasenack | so I wonder if it's worth to fix the bug without fixing this other issue of having no nice way to pass the parameters | 18:07 |
| ahasenack | I imagine people who really need to pass a parameter just override the systemd service via /etc/systemd/ | 18:07 |
| ahasenack | but there is nothing to set in /etc/default/<somefile> that will be carried over to the systemd service | 18:08 |
| rbasak | ahasenack: if someone were to report to me that the default service can't pass paramaeters, I would probably advise that the user can override in /etc/systemd/system | 18:48 |
| rbasak | ahasenack: given that, I'd say that if the daemon doesn't behave as documented with some parameter, then it is a valid bug and valid for SRU. | 18:48 |
| rbasak | ahasenack: however, Importance: Low as I see you agree, as it's an obscure use case likely to affect very few users. | 18:49 |
| ahasenack | rbasak: it's a patch-on-a-plate | 18:56 |
| ahasenack | but once I found out that there is no way to pass the parameter to the daemon without using an override, I felt like that was another bug in its own | 18:57 |
| rbasak | ahasenack: I don't think you need to tackle all the bugs :) | 19:08 |
| rbasak | It can be worked around, too. | 19:09 |
| rbasak | This one can't I think? | 19:09 |
| ahasenack | it can't | 19:11 |
| ahasenack | needs a code patch | 19:11 |
| rbasak | I mean "another bug on its own" | 19:13 |
| ahasenack | via an override, yes | 19:14 |
| ahasenack | maybe | 19:14 |
| ahasenack | you would have to override many things, as the wrapper in the middle doesn't know about GSSDARGS | 19:14 |
| ahasenack | it's a mess, just like NFS | 19:14 |
| ahasenack | # dpkg -L nfs-common|grep systemd.*service|wc -l | 19:15 |
| ahasenack | 10 | 19:15 |
| ahasenack | in which world is that sane | 19:15 |
| ahasenack | 10 services for a file server | 19:15 |
| ahasenack | ftp works better, and also has kerberos auth, and can also have tls/ssl | 19:15 |
| ahasenack | </rant> | 19:15 |
| sarnold | ouch, "ftp works better" | 19:17 |
| teward | > ftp works better | 19:17 |
| teward | in what world is this statement NOT heresy? | 19:17 |
| ahasenack | :) | 19:21 |
| ahasenack | never had to reboot a server because of a stuck ftp server, that's true | 19:21 |
| * teward classifies ahasenack as a heretic and sends ahasenack to the Gulag. | 19:22 | |
| ahasenack | nfs gets even clients stuck | 19:22 |
| teward | :P | 19:22 |
| teward | sftp > ftp | 19:22 |
| sarnold | I thought -osoft was the default these days? | 19:22 |
| ahasenack | I challenge someone to explain to me all thost 10+ services needed to run nfsv4 | 19:23 |
| ahasenack | and that wasn't even counting the kerberos servers | 19:23 |
| teward | i mean, I hate NFS as much as the next guy too | 19:23 |
| teward | but FTP? | 19:23 |
| teward | you're LOOKING for self-torture at that point | 19:23 |
| * ahasenack whispers dput | 19:23 | |
| teward | ahasenack: dput can be configured to SFTP. | 19:59 |
| teward | :P | 19:59 |
| ahasenack | I tried, it hangs | 19:59 |
| sarnold | interesting; I think most of us on the security team moved to sftp a few years back | 20:01 |
| sbeattie | ahasenack: err, wut? | 20:02 |
| ahasenack | well, I didn't try *yesterday*, but some months ago | 20:02 |
| ahasenack | and lp has many bugs about it. Some fix released, some expired | 20:02 |
| sbeattie | ahasenack: been using it without issue for quite some time. | 20:03 |
| sbeattie | obviously your mileage varies. | 20:03 |
| ahasenack | obviously | 20:03 |
| ahasenack | let's use nfs! :) | 20:03 |
| * sbeattie weeps | 20:04 | |
| teward | sbeattie: including for straight upload.u.c uploads (such as for the repos)? | 20:05 |
| sbeattie | hrm, probably not. | 20:05 |
| sbeattie | I rarely if ever do that. | 20:05 |
| sbeattie | but thousands of packages to ppas. | 20:06 |
| ahasenack | it always hung with a ppa for me | 20:07 |
| ahasenack | I wasn't uploading to the archive yet | 20:07 |
| sbeattie | hrm, I do recall an issue a while ago where I think launchpad was having problems looking up public keys, but that was fixed relatively quickly. | 20:12 |
| sbeattie | That said, ftp is simpler than nfs, if not better; my favorite house of cards was my backup "solution" for one host involved rsnapshot to an nfs mount over openvpn over usb wifi; it would hang on shutdown because the openvpn tunnel would get brought down before the nfs unmount. | 20:14 |
| sarnold | yeah that sounds likely to fail when there's a strong breeze or the moon, mars, and jupiter all line up at once | 20:18 |
| ahasenack | lining up is rare, nfs failing isn't :P | 20:22 |
| nacc | i read that as "a strong breeze on the moon, mars and jupiter all line up at once" | 20:34 |
| nacc | it was such an elegant visual | 20:34 |
| sarnold | haha :) | 20:35 |
| teward | lol | 20:36 |
| nacc | and even less probable | 20:36 |
| teward | the probability FTP falls to a very easy to execute vulnerability, though, is much higher than the probability of NFS failing. | 20:36 |
| ahasenack | nfs is safe, you mean? :) | 20:37 |
| sarnold | though I've got to be honest, if I hadto expose one of nfs or ftp to the great unwashed internet, I think I'd pick ftp. You can wrap that in apparmor, seccomp, rlimits, and cgroups. NFS runs right in the bloody kernel.. | 20:37 |
| ahasenack | you can't even run an nfs server in a container | 20:37 |
| ahasenack | and it's not just one service you would be exposing | 20:38 |
| * ahasenack points up at the wc -l output | 20:38 | |
| A_D | I configured netplan to add a v6 to one of my interfaces, along with a gateway for it to use. It does not seem to correctly add routes for the gateway on the interface. The gateway is within the netmask set on the interface | 21:05 |
| A_D | is there something I missed or is this possibly a known bug | 21:06 |
| xedniv | anyone here with firewalld experience? | 21:07 |
| mason | xedniv: It's generally better to just ask your question rather than ask to ask or survey. | 21:37 |
| sarnold | A_D: how did you try to apply the new configuration? did you get any error messages or warnings in the logs or dmesg? | 21:40 |
| mason | xedniv: I've got to take off, but if you ask your question later and I see it, and you're still here, I'll see if I can answer it. | 21:41 |
| xedniv | mason, thanks buddy, im writing it now | 21:42 |
| xedniv | so i have multiple zones, the host runs a kvm libvirtd instance, and i have two bridges for two vlans | 21:42 |
| mason | xedniv: Oh, alright, if you ask it soon I'll stick around. | 21:42 |
| xedniv | im seeing rejected packets for both, and i cant route from another host despite adding it tot he trusted/ACCEPT zone | 21:42 |
| mason | xedniv: Is this on Ubuntu? | 21:43 |
| xedniv | ex. FINAL_REJECT: IN=brvlan1001 OUT=brvlan1001 PHYSIN=bond0.1001 PHYSOUT=vnet0 | 21:43 |
| xedniv | yes | 21:43 |
| xedniv | lts | 21:43 |
| xedniv | ive managed iptables manually always but i decided to try firewalld (famous last words) | 21:43 |
| mason | heh | 21:43 |
| mason | Well. The wisdom of doing that aside, it ends up just generating iptables rules for you, and those can be examined. I hit a funny issue not long ago. Let me find the reference. | 21:44 |
| mason | xedniv: Oh, hrm. Seems likely unrelated, but the issue I hit was https://access.redhat.com/solutions/3550201 | 21:46 |
| mason | xedniv: But it's worth seeing if it's something vaguely similar. | 21:47 |
| mason | Sorry, I was expecting I'd be more helpful! | 21:48 |
| sarnold | paywalled :( | 21:48 |
| mason | Bah, is it? | 21:48 |
| sarnold | yeah | 21:48 |
| mason | sarnold: If you have a developer account, that'd work to get you into that. | 21:50 |
| sarnold | oh? I thought it was Customers Only, hehe | 21:50 |
| xedniv | mason, how can I add a dest port to a rich rule? | 21:50 |
| sarnold | mason: heh, there's a Google+ logo at the bottom of https://access.redhat.com/subscription-value/ that can probably be yanked off :) | 21:51 |
| xedniv | im puzzled though as the trusted zone should handle the host im connecting from and yet it gets rejected | 21:51 |
| xedniv | sarnold, hey lol | 21:51 |
| mason | xedniv: Well, you're bridging, and that ends up being "special" | 21:51 |
| xedniv | paywalled! | 21:52 |
| xedniv | lemme see | 21:52 |
| xedniv | ouch | 21:52 |
| mason | Hm, https://superuser.com/questions/990855/configure-firewalld-to-allow-bridged-virtual-machine-network-access seems very similar | 21:53 |
| mason | Alright, got to go have my shot. \o/ I'll be back later. | 21:53 |
| sarnold | see ya mason, thanks :) | 21:54 |
| xedniv | see you man, thank you! | 21:54 |
| xedniv | mason, i applied the fix, but now i cant firewall the bridge from the host | 22:08 |
| xedniv | :( | 22:08 |
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!