xibalbaanyone know how i could see if IPTables is causing this ?  IP > ICMP host unreachable - admin prohibited filter,. I'm trying to SSH from 4.3 to 4.902:20
xibalbaI can pign it no problem02:20
lordievaderGood morning06:22
=== cpaelzer__ is now known as cpaelzer
tewardxibalba: short of digging in your rules on 4.3 and 4.9 not really, and we'd need to see the current ruleset to help you debug that13:56
tewardxibalba: however if the iptables rules on both boxes are *not* set up and are just running 'default' they wouldn't be blocking that13:56
xibalbathanks teward , figured it out. had nothing to do w/iptables, i was barking up the wrong tree14:49
xibalbait was firewall related just not on the iptables side14:49
tewardhehehe, good.  enjoy15:00
SlowJimmyif i open up the internet in my iptables list is it still safe since i am on a gnu linux or will people stumble over my server and breach it?16:51
sarnoldit depends what services you run, how you configured them, etc. first things first, make sure you're using ssh key auth to log in, disable ssh passwords, then perform netstat audit of all listening services16:57
catbadgerhi. I'm trying to install mod_perl 1.31 on apache1... anyone know why it's looking for mod_perl_hooks.pm when it doesn't exist in the zip?17:20
tomreyncatbadger: apache 1, as in apache httpd 1.x?17:27
tomreynif so, which ubuntu version are you running there?17:27
catbadgertomreyn yes. ubuntu 18.04. I'm dockerizing a dumpsterfire legacy app to eventually modernize it17:28
tomreyncatbadger: well i'm afraid you're on your own with running prehistoric apache httpd and mod_perl versions on ubuntu 18.0417:30
tomreyni guess i'd just accept the downtime and migrate it properly.17:31
catbadgerok thanks anyway.17:31
SlowJimmysarnold highly appreciated thank you freind!17:45
sarnoldSlowJimmy: you're welcome :) have fun17:46
ahasenackrbasak: around? Quick question about a bug18:06
ahasenackrbasak: https://bugs.launchpad.net/ubuntu/+source/nfs-utils/+bug/169733918:06
ubottuLaunchpad bug 1697339 in nfs-utils (Ubuntu Xenial) "rpc.gssd performs reverse DNS by default (regardless of -D flag)" [Undecided,New]18:06
ahasenackrbasak: it's a bug in the code that -D behaves incorrectly18:06
ahasenackbut I just found out that there is no mechanism to actually pass that option (or any other) to rpc.gssd via the distro config files18:07
ahasenackso I wonder if it's worth to fix the bug without fixing this other issue of having no nice way to pass the parameters18:07
ahasenackI imagine people who really need to pass a parameter just override the systemd service via /etc/systemd/18:07
ahasenackbut there is nothing to set in /etc/default/<somefile> that will be carried over to the systemd service18:08
rbasakahasenack: if someone were to report to me that the default service can't pass paramaeters, I would probably advise that the user can override in /etc/systemd/system18:48
rbasakahasenack: given that, I'd say that if the daemon doesn't behave as documented with some parameter, then it is a valid bug and valid for SRU.18:48
rbasakahasenack: however, Importance: Low as I see you agree, as it's an obscure use case likely to affect very few users.18:49
ahasenackrbasak: it's a patch-on-a-plate18:56
ahasenackbut once I found out that there is no way to pass the parameter to the daemon without using an override, I felt like that was another bug in its own18:57
rbasakahasenack: I don't think you need to tackle all the bugs :)19:08
rbasakIt can be worked around, too.19:09
rbasakThis one can't I think?19:09
ahasenackit can't19:11
ahasenackneeds a code patch19:11
rbasakI mean "another bug on its own"19:13
ahasenackvia an override, yes19:14
ahasenackyou would have to override many things, as the wrapper in the middle doesn't know about GSSDARGS19:14
ahasenackit's a mess, just like NFS19:14
ahasenack# dpkg -L nfs-common|grep systemd.*service|wc -l19:15
ahasenackin which world is that sane19:15
ahasenack10 services for a file server19:15
ahasenackftp works better, and also has kerberos auth, and can also have tls/ssl19:15
sarnoldouch, "ftp works better"19:17
teward> ftp works better19:17
tewardin what world is this statement NOT heresy?19:17
ahasenacknever had to reboot a server because of a stuck ftp server, that's true19:21
* teward classifies ahasenack as a heretic and sends ahasenack to the Gulag.19:22
ahasenacknfs gets even clients stuck19:22
tewardsftp > ftp19:22
sarnoldI thought -osoft was the default these days?19:22
ahasenackI challenge someone to explain to me all thost 10+ services needed to run nfsv419:23
ahasenackand that wasn't even counting the kerberos servers19:23
tewardi mean, I hate NFS as much as the next guy too19:23
tewardbut FTP?19:23
tewardyou're LOOKING for self-torture at that point19:23
* ahasenack whispers dput19:23
tewardahasenack: dput can be configured to SFTP.19:59
ahasenackI tried, it hangs19:59
sarnoldinteresting; I think most of us on the security team moved to sftp a few years back20:01
sbeattieahasenack: err, wut?20:02
ahasenackwell, I didn't try *yesterday*, but some months ago20:02
ahasenackand lp has many bugs about it. Some fix released, some expired20:02
sbeattieahasenack: been using it without issue for quite some time.20:03
sbeattieobviously your mileage varies.20:03
ahasenacklet's use nfs! :)20:03
* sbeattie weeps20:04
tewardsbeattie: including for straight upload.u.c uploads (such as for the repos)?20:05
sbeattiehrm, probably not.20:05
sbeattieI rarely if ever do that.20:05
sbeattiebut thousands of packages to ppas.20:06
ahasenackit always hung with a ppa for me20:07
ahasenackI wasn't uploading to the archive yet20:07
sbeattiehrm, I do recall an issue a while ago where I think launchpad was having problems looking up public keys, but that was fixed relatively quickly.20:12
sbeattieThat said, ftp is simpler than nfs, if not better; my favorite house of cards was my backup "solution" for one host involved rsnapshot to an nfs mount over openvpn over usb wifi; it would hang on shutdown because the openvpn tunnel would get brought down before the nfs unmount.20:14
sarnoldyeah that sounds likely to fail when there's a strong breeze or the moon, mars, and jupiter all line up at once20:18
ahasenacklining up is rare, nfs failing isn't :P20:22
nacci read that as "a strong breeze on the moon, mars and jupiter all line up at once"20:34
naccit was such an elegant visual20:34
sarnoldhaha :)20:35
naccand even less probable20:36
tewardthe probability FTP falls to a very easy to execute vulnerability, though, is much higher than the probability of NFS failing.20:36
ahasenacknfs is safe, you mean? :)20:37
sarnoldthough I've got to be honest, if I hadto expose one of nfs or ftp to the great unwashed internet, I think I'd pick ftp. You can wrap that in apparmor, seccomp, rlimits, and cgroups. NFS runs right in the bloody kernel..20:37
ahasenackyou can't even run an nfs server in a container20:37
ahasenackand it's not just one service you would be exposing20:38
* ahasenack points up at the wc -l output 20:38
A_DI configured netplan to add a v6 to one of my interfaces, along with a gateway for it to use. It does not seem to correctly add routes for the gateway on the interface. The gateway is within the netmask set on the interface21:05
A_Dis there something I missed or is this possibly a known bug21:06
xednivanyone here with firewalld experience?21:07
masonxedniv: It's generally better to just ask your question rather than ask to ask or survey.21:37
sarnoldA_D: how did you try to apply the new configuration? did you get any error messages or warnings in the logs or dmesg?21:40
masonxedniv: I've got to take off, but if you ask your question later and I see it, and you're still here, I'll see if I can answer it.21:41
xednivmason, thanks buddy, im writing it now21:42
xednivso i have multiple zones, the host runs a kvm libvirtd instance, and i have two bridges for two vlans21:42
masonxedniv: Oh, alright, if you ask it soon I'll stick around.21:42
xednivim seeing rejected packets for both, and i cant route from another host despite adding it tot he trusted/ACCEPT zone21:42
masonxedniv: Is this on Ubuntu?21:43
xednivex. FINAL_REJECT: IN=brvlan1001 OUT=brvlan1001 PHYSIN=bond0.1001 PHYSOUT=vnet021:43
xednivive managed iptables manually always but i decided to try firewalld (famous last words)21:43
masonWell. The wisdom of doing that aside, it ends up just generating iptables rules for you, and those can be examined. I hit a funny issue not long ago. Let me find the reference.21:44
masonxedniv: Oh, hrm. Seems likely unrelated, but the issue I hit was https://access.redhat.com/solutions/355020121:46
masonxedniv: But it's worth seeing if it's something vaguely similar.21:47
masonSorry, I was expecting I'd be more helpful!21:48
sarnoldpaywalled :(21:48
masonBah, is it?21:48
masonsarnold: If you have a developer account, that'd work to get you into that.21:50
sarnoldoh? I thought it was Customers Only, hehe21:50
xednivmason, how can I add a dest port to a rich rule?21:50
sarnoldmason: heh, there's a Google+ logo at the bottom of https://access.redhat.com/subscription-value/ that can probably be yanked off :)21:51
xednivim puzzled though as the trusted zone should handle the host im connecting from and yet it gets rejected21:51
xednivsarnold, hey lol21:51
masonxedniv: Well, you're bridging, and that ends up being "special"21:51
xednivlemme see21:52
masonHm, https://superuser.com/questions/990855/configure-firewalld-to-allow-bridged-virtual-machine-network-access seems very similar21:53
masonAlright, got to go have my shot. \o/ I'll be back later.21:53
sarnoldsee ya mason, thanks :)21:54
xednivsee you man, thank you!21:54
xednivmason, i applied the fix, but now i cant firewall the bridge from the host22:08

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!