20:38 < MTecknology> cclausen: hey... maybe you can help me with one other thing...
20:39 < cclausen> MTecknology: maybe, what?
20:39 < owen1> MTecknology: thanks, i found this - http://www.ubuntugeek.com/how-to-set-up-host-interface-networking-for-virtualbox-on-ubuntu.html i hope it's what u meant.
20:40 -!- Kaprenakis [~wuollet@c-69-180-130-199.hsd1.mn.comcast.net] has joined #ubuntu-server
20:40 < MTecknology> cclausen: kvm on my host - I can't enable ufw because it kills my connection to every other system. ideally, if something is destined for the host it'll have to match the rules; otherwise it just passes through the rules into the vm's where the vm's deal with it
20:41 < MTecknology> owen1: no - just a simple bridged interface - there's nothing vbox specific about it
20:41 < MTecknology> owen1: but ya, that looks about right
20:41 < cclausen> MTecknology: you want the firewall on the host to block for the VMs too?
20:42 -!- erichammond [~erichammo@ubuntu/member/erichammond] has quit [Ping timeout: 264 seconds]
20:42 < MTecknology> cclausen: nope, I want it blocking for itself only - vm's have ufw and they can deal with it themselves
20:42 -!- erichammond [~erichammo@ubuntu/member/erichammond] has joined #ubuntu-server
20:42 -!- Scunizi [~could@ip72-197-240-157.sd.sd.cox.net] has joined #ubuntu-server
20:43 < cclausen> MTecknology: ok, that should work. I'm not sure what is being blocked, but can you run the firewall in a log-only mode first? e.g. log what would be blocked?
20:43 * MTecknology upgrades production systems to 10.04 in 17min
20:44 < MTecknology> cclausen: alrighty - once I get the production systems moved up I'll get some output and then annoy you so I don't have to run off shortly into it :)
20:45 < cclausen> MTecknology: sounds good. I'm watching windows 2008 do the upgrade to R2 right now..
20:45 < MTecknology> ouch
20:48 * MTecknology cusses at identi.ca+jabber+bitlbee
20:55 < MTecknology> 4min - I'll lose irc in the process :(
20:58 -!- erichammond [~erichammo@ubuntu/member/erichammond] has quit [Ping timeout: 264 seconds]
21:02 -!- DavidLevin [~DavidLevi@67-210-33-73.ul.warwick.net] has joined #ubuntu-server
21:06 < Kaprenakis> Does anyone know anything about file server + music streaming?
21:07 < MTecknology> !anyone
21:07 < ubottu> A large amount of the first questions asked in this channel start with "Does anyone/anybody..." Why not ask your next question (the real one) and find out?
21:08 < cclausen> Kaprenakis: i know the people working on http://github.com/avuserow/amp
21:08 < cclausen> Kaprenakis: the setup I know of reads music out of openafs as needed
21:08 -!- Kaprenakis [~wuollet@c-69-180-130-199.hsd1.mn.comcast.net] has quit [Read error: Connection reset by peer]
21:08 < cclausen> although it's not exactly streaming
21:09 < MTecknology> I used to have a vibe music streaming system - but iirc - it's windows only
21:09 -!- msantos [~msantos@CPE0016b6b53ec6-CM00222d5a3fbd.cpe.net.cable.rogers.com] has quit [Ping timeout: 260 seconds]
21:09 < cclausen> I've had good luck getting the darwin streaming server to work on multiple platforms. worked much better than icecast
21:10 < MTecknology> there- one production system back up and running completely
21:10 -!- Kaprenakis [~wuollet@c-69-180-130-199.hsd1.mn.comcast.net] has joined #ubuntu-server
21:10 < Kaprenakis> mmm i disconnected
21:11 < MTecknology> Kaprenakis: 21:09 < MTecknology> I used to have a vibe music streaming system - but iirc - it's windows only 21:09 < cclausen> I've had good luck getting the darwin streaming server to work on multiple platforms. worked much better than icecast
21:12 < Kaprenakis> MTecknology: darwin streaming server, can you set that up on a clean install of ubuntu server 10.04 ?
21:12 < MTecknology> cloakable: I think he meant you
21:13 < Kaprenakis> yes sorry.
21:13 < Kaprenakis> MTecknology Tys for the repost.
21:14 < Kaprenakis> cclausen: Could I install Ubuntu Server 10.04. Install Samba for the file server. Then install darwin streaming server to play those files that are being hosted on the file server?
21:15 < cclausen> Kaprenakis: that should work
21:16 < cclausen> Kaprenakis: there are probably some much newer music streaming programs out there too. I'd look around (or apt-cache search)
21:16 -!- rmk [~user@delusion.fourty.net] has joined #ubuntu-server
21:16 < cclausen> Kaprenakis: do you need to stream over the internet? Or just on the local subnet?
--- Log closed Sat May 01 21:17:57 2010
--- Log opened Sat May 01 21:21:39 2010
21:21 -!- MTecknology [~MTeck@kalliki/admin/pdpc.supporter.mtecknology] has joined #ubuntu-server
21:21 -!- Irssi: #ubuntu-server: Total of 234 nicks [0 ops, 0 halfops, 0 voices, 234 normal]
21:21 < cclausen> Kaprenakis: http://www.ubuntugeek.com/streaming-media-server-in-ubuntu-gnulinux-using-gnump3d.html <- check that out
21:22 < cclausen> not sure if it has a password though...
21:22 < cclausen> Kaprenakis: do you really need to stream across the internet? Or can you run the player anywhere and just get to files from across the internet?
21:23 < cclausen> I keep some of my music in openafs and just listen to it from anywhere by accessing the file space
21:23 -!- LynXnz [~LynXnz@121-72-133-247.dsl.telstraclear.net] has quit [Quit: Leaving]
21:23 -!- Irssi: Join to #ubuntu-server was synced in 117 secs
21:23 -!- lifeless [~robertc@59.167.164.33] has quit [Quit: leaving]
21:24 < cclausen> Kaprenakis: there is also: http://www.oreillynet.com/xml/blog/2004/12/streaming_itunes_from_ubuntu.html
21:25 < Kaprenakis> cclausen: what is openafs?
21:25 < cclausen> Kaprenakis: openafs is a distributed filesystem -> http://www.openafs.org it's not easy to setup though
21:27 < Kaprenakis> cclausen: yeah that doesn't look too noob friendly..
21:29 < cclausen> Kaprenakis: the ubuntu packages actually are fairly easy to install, but you'd need an afs client on various computers that you'd use so I'm not sure if that would work or not
21:30 < cclausen> works great for me. secure, (encrypted) file space I can literally access from anywhere in the world.
21:30 < Kaprenakis> cclausen: you access it from your computer correct? or any computer anywhere?
21:30 < cclausen> any computer with an AFS client
21:30 < Kaprenakis> cclausen: ok
21:31 < Kaprenakis> cclausen: well then that's not exactly what I'm looking for then.
21:31 < Kaprenakis> cclausen: I need it to be built in the browser, streaming
21:35 -!- pmatulis [~peter@mail.papamike.ca] has quit [Quit: leaving]
21:40 < Kaprenakis> cclausen: So do you think samba server is the best to host files for local or outside access?
21:41 < MTecknology> Commercial on the TV: "Everything that goes into your linux system is designed to save you money." - Turns out she said "Lennox"
21:44 -!- ejat [~fenris@ubuntu/member/fenris-] has joined #ubuntu-server
21:44 -!- cmdshftn_ [~alex@cpe-075-176-023-185.carolina.res.rr.com] has joined #ubuntu-server
21:46 < cclausen> Kaprenakis: samba probably isn't good to use over the internet
21:46 -!- cmdshftn_ [~alex@cpe-075-176-023-185.carolina.res.rr.com] has quit [Client Quit]
21:47 < Kaprenakis> cclausen: well i would store the files via samba but stream those files from the samba server.. does that work?
21:47 < cclausen> maybe
21:48 < Kaprenakis> cclausen: or should i say is it secure?
21:50 -!- grim76 [~grim76@c-98-227-171-151.hsd1.in.comcast.net] has quit [Quit: Leaving]
21:51 < cclausen> it's as secure as your streaming program
21:51 -!- lwizardl [~James@c-68-60-86-92.hsd1.mi.comcast.net] has quit [Quit: Leaving]
21:56 -!- Italian_Plumber [~Italian_P@adsl-074-236-202-005.sip.clt.bellsouth.net] has quit [Quit: Leaving.]
21:57 -!- erichammond [~erichammo@ubuntu/member/erichammond] has joined #ubuntu-server
21:58 -!- gigasoft [~gigasoft@95.155.29.211] has joined #ubuntu-server
22:05 -!- MetaMucil [proxy@secursurf.org] has joined #ubuntu-server
22:07 < AdamDV> Is howtoforge down for anyone else
22:08 < cclausen> appears to be, yes
22:08 < Kaprenakis> cclausen: alrighty, so is it secure enough? or should i seek other options?
22:09 -!- erichammond [~erichammo@ubuntu/member/erichammond] has quit [Ping timeout: 264 seconds]
22:12 < cclausen> Kaprenakis: go with it and see how it works
22:13 -!- pting [~pting@96-41-97-66.dhcp.mtpk.ca.charter.com] has quit [Read error: Operation timed out]
22:13 < owen1> i followed the ubuntu docs for enabling networking for vbox (sudo modprobe vboxnetflt) and now i have br0 interface. here is my ifconfig and netstat. what is the ip and port of my guest?
22:14 < owen1> http://pastebin.com/ptdsvRE9
22:15 < cclausen> can you get to the guests console?
22:15 < cclausen> and run ifconfig there?
22:16 < owen1> cclausen: i wish i knew the port of the guest so i could ssh to it.
22:16 < owen1> can i get to the guest's console from the host and not from outside?
22:17 < cclausen> I'd say virtualbox is useless if you can't get to a VM's console
22:17 < cclausen> how do you fix network problems?
22:17 < cclausen> yeah, it probably works by default only from the host
22:18 < cclausen> you can also try looking in an arp cache for other IPs
22:18 < owen1> cclausen: it's the first time i am trying it, so i can't tell if it's possible.
22:18 < cclausen> does arp -a work on Linux systems?
22:18 < owen1> (192.168.1.1) at 00:1b:2f:fd:17:aa [ether] on br0
22:18 < owen1> maybe that's the ip?
22:19 < cclausen> maybe
22:19 < cclausen> can you ssh there?
22:19 < owen1> let me try
22:19 < cclausen> usually the .1 is the network's default gateway. but if you don't have a router, I'm not sure how that works
22:20 < owen1> cclausen: connection refused. i tried from my laptop and from the host.
22:20 < cclausen> owen1: well, that could mean anything
22:20 < owen1> maybe i need to add a port
22:20 < cclausen> you need to get to the console on your VM and just run ifconfig to see what is going on
22:21 < owen1> cclausen: yeah. what user should i ssh with? myself?
22:21 < MTecknology> cclausen: hi :D
22:21 < MTecknology> cclausen: data collection time
22:21 < cclausen> if connection is refused, that isn't going to matter
22:22 < owen1> i'll post this in vbox forum. thank you!
22:23 < owen1> cclausen: do u use kvm for hosting websites?
22:24 < MTecknology> cclausen: May 1 22:24:22 pessum kernel: [19981.061455] [UFW BLOCK] IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=vnet1 SRC=192.168.3.6 DST=192.168.1.5 LEN=196 TOS=0x10 PREC=0x00 TTL=63 ID=40752 DF PROTO=TCP SPT=55015 DPT=22 WINDOW=126 RES=0x00 ACK PSH URGP=0
22:26 < cclausen> owen1: I use Microsoft Hyper-V for VMs and have Windows 2k8 IIS7 and Ubuntu 8.04 apache2 VMs right now
22:27 < cclausen> MTecknology: looks like it is blocking ssh traffic?
22:28 < cclausen> MTecknology: allow all IPs to send to port 22 and allow all outbound connections to port 22
22:28 < owen1> cclausen: on the same physical box?
22:28 < cclausen> owen1: actually, yes
22:28 -!- Callum__ [~Callum@222-152-204-57.jetstream.xtra.co.nz] has quit [Quit: Leaving]
22:28 < cclausen> I just moved a production apache webserver and an iis test box to the same physical box
22:29 -!- pting [~pting@96-41-97-66.dhcp.mtpk.ca.charter.com] has joined #ubuntu-server
22:29 < cclausen> owen1: physical box has windows 2008 r2 installed and I just upgraded the IIS install to r2 as well.
22:29 < cclausen> owen1: the physical box just runs the VMs
22:29 < owen1> so your guest os in windows?
22:29 < owen1> sorry ,
22:29 < owen1> your host
22:29 < MTecknology> cclausen: so ufw allow from any port 22 proto tcp to any ?
22:29 < cclausen> yes
22:29 < MTecknology> and vice versa
22:30 < cclausen> MTecknology: I don't know the firewall rules, sorry. I just turn off firewalls. I don't believe in them
22:30 -!- MetaMucil [proxy@secursurf.org] has quit [Quit: mmmmmm donuts]
22:30 < cclausen> if I don't want to run a service, I don't run it. and for ssh brute force attempts I have fail2ban installed
22:31 < uvirtbot> New bug: #573436 in php5 (main) "PHP Deprecated: Comments starting with '#' are deprecated in /etc/php5/cli/conf.d/ldap.ini on line 1 in Unknown on line 0" [Undecided,New] https://launchpad.net/bugs/573436
22:31 < MTecknology> cclausen: still blocks when I add that
22:31 -!- Callum__ [~Callum@222-152-204-57.jetstream.xtra.co.nz] has joined #ubuntu-server
22:32 < cclausen> MTecknology: you need to allow to any as well. ssh out to port 22 and into port 22
22:33 < MTecknology> cclausen: what I think I want is from any to any on PHYSOUT=vnet* is allowed
22:33 < cclausen> MTecknology: and note that the client randomly gets a source port from the OS, so you can't restrict on source and destination port pairs
22:33 < MTecknology> yup any -> 22 and 22 <- any
22:38 -!- erichammond [~erichammo@ubuntu/member/erichammond] has joined #ubuntu-server
22:40 < MTecknology> cclausen: I even did 'ufw allow from any to any' - still nothing
22:41 < cclausen> MTecknology: how about setting sudo ufw default allow
22:41 < cclausen> and then just block stuff you don't want as needed
22:41 < cclausen> can you pastebin ufw status ?
22:42 < MTecknology> 'ufw enable' 'ufw default allow' 'ufw allow from any to any' - still blocks
22:43 < MTecknology> cclausen: http://dpaste.com/189908/
22:44 < cclausen> your default allow rules should let you in
22:44 < cclausen> and a rule to block traffic you don't want in
22:44 < cclausen> https://help.ubuntu.com/community/UFW
22:44 < MTecknology> right
22:44 < MTecknology> I normally use default deny
22:44 < cclausen> yeah, I figured
22:44 < MTecknology> but for this case..
22:45 < MTecknology> everything is allowed
22:46 < cclausen> I think you want to ufw allow 22 for all inbound ssh
22:47 < MTecknology> that should be covered in that allow any any, right?
22:47 < cclausen> yep
22:47 -!- TDJACR [~TDJACR@ool-182eb911.dyn.optonline.net] has quit [Changing host]
22:47 -!- TDJACR [~TDJACR@unaffiliated/tdjacr] has joined #ubuntu-server
22:47 < cclausen> if you want to do it the other way you are going to need better rules
22:47 < MTecknology> the config in that pastebin - i enable ufw and things still block
22:48 < cclausen> you only allowed inbound to port 22
22:48 < MTecknology> http://dpaste.com/189908/
22:48 < MTecknology> check the last one
22:48 < MTecknology> 'ufw allow from any to any'
22:48 < cclausen> yep
22:48 < cclausen> and that blocks things?
22:48 < MTecknology> that's not just ssh
22:48 < MTecknology> yup
22:48 < cclausen> hmm
22:48 < MTecknology> I 'ufw enable' and can't do anything with my vm's
22:49 -!- erichammond [~erichammo@ubuntu/member/erichammond] has quit [Disconnected by services]
22:49 -!- erichammond1 [~erichammo@103.sub-75-213-31.myvzw.com] has joined #ubuntu-server
22:49 -!- erichammond1 is now known as erichammond
22:49 -!- erichammond [~erichammo@103.sub-75-213-31.myvzw.com] has quit [Changing host]
22:49 -!- erichammond [~erichammo@ubuntu/member/erichammond] has joined #ubuntu-server
22:49 < cclausen> I'm not sure what to tell you
22:49 < cclausen> if it were me, I'd look at the actual iptables rules that were generated and see what is going on
22:50 < cclausen> also, what is your goal here? those IPs are all non-routable. it's not like you are going to have internet traffic on RFC1918 IPs
22:50 < MTecknology> but I do have those vm's available to the world
22:51 -!- Kaprenakis [~wuollet@c-69-180-130-199.hsd1.mn.comcast.net] has left #ubuntu-server []
22:52 < cjs> Where's a good place to go get advice on routing related to a PPPoE link, a bridge, and some machines in the DMZ to which this host is routing?
22:52 < cjs> Basically, the hosts are accessible remotely, but not from the router itself, though I do have a route for that network to br2.
22:53 -!- azteech [~stevan@s59-254-68-64.trico.az.wi-power.com] has joined #ubuntu-server
22:53 -!- vraa [~vraa@h0.163.30.71.dynamic.ip.windstream.net] has joined #ubuntu-server
22:53 < MTecknology> cclausen: the internal nat isn't via world, but those vm's running on it are available via the world
22:53 < cclausen> cjs: can you writeup a pastebin describing your network setup in more details? ifconfig -a output from various machines would be helpful
22:54 < cclausen> MTecknology: I thought you said the VMs would block their own traffic?
22:54 < MTecknology> cclausen: no, the host blocks it
22:55 < MTecknology> cclausen: everything I did was on the host
22:55 < cjs> cclausen: Sure.
22:55 < cclausen> MTecknology: hmm.. ok.. that works differently than hyper-V. I don't even see guest traffic registered on the host
22:57 < MTecknology> cclausen: ideally, I could have one rule that applies to vm's that says - pass it; then I could control the rules for the system itself
22:57 < MTecknology> cclausen: basically because ufw is absolutely amazing... :P
22:59 < cclausen> MTecknology: ok, well, I'm not sure what is going on. Try working with a small set of rules at once. and basically add the rule that allows whatever shows up in your block logs and try and work at what is going on
22:59 -!- osmosis [~steven@c-24-21-204-185.hsd1.or.comcast.net] has quit [Quit: Ex-Chat]
23:00 < MTecknology> cclausen: there is no 'rule' that's blocking it though.. ufw being enabled kills connections to the vm's
23:00 < cjs> cclausen: http://pastebin.com/LqVYqPAp
23:00 < MTecknology> cclausen: maybe I should show you /etc/network/interfaces
23:00 < cclausen> MTecknology: does the firewall bind to a single network interface? is that the problem?
23:00 < MTecknology> cclausen: http://dpaste.com/189909/
23:00 < MTecknology> yup
23:00 < MTecknology> oh..
23:01 < cclausen> cjs: you're abusing routing. don't and I suspect you'll have better luck. there is a reason you can't use the broadcast and network addresses
23:02 < cjs> cclausen: Oh, yes? And what would that be?
23:03 < cclausen> cjs: those are used for CIDR routing
23:03 < cjs> (Not that I'm using them at the moment anyway.)
23:03 < cjs> In what way are they used for CIDR routing? (I am familiar with CIDR.)
23:03 < cclausen> cjs: yes and if you need to contact hosts in that space you won't be able to get to them
23:04 < cclausen> cjs: it's how the arp tables are built on the routers. the traffic is sent to an AS for the specific network
23:04 < MTecknology> cclausen: would 'ip addr' output help you help me any?
23:04 < cjs> cclausen: I am aware that I cannot contact hosts in the space I allocated to myself that isn't actually routed to me. It's a trade-off I'm willing to make.
23:04 < cclausen> MTecknology: I do not know
23:04 < cjs> cclausen: ARP tables? For a point-to-point link?
23:05 < cclausen> cjs: arp tables for the internet routers. it's only a point to point link for a single hop. then it's actually routed
23:05 < cjs> What would such ARP tables map? From what to IP addresses, or IP addresses to what?
23:05 < cclausen> cjs: if you don't need the ips, why do that anyway? It just confuses things
23:05 < MTecknology> cclausen: http://dpaste.com/189913/
23:05 < cjs> cclausen: point-to-point is also routed.
23:05 < cjs> cclausen: I will need the IPs. I'm just not using them yet.
23:05 < cclausen> cjs: err, sorry. routing tables. it's not at the MAC layer, you are correct
23:07 < cclausen> cjs: what is the "router" in your setup?
23:07 < cjs> cclausen: Thank you. And so, given that there is no MAC layer, there's no need for broadcast or network addresses. In fact, the outside world has no idea (until it gets to my ISP) of how the network is divided anyway. And my ISP just takes anything destined for .192 or .199 and pumps it down my link, just as it does for .193 or any other address in that range. (I've tested this by the way, on this link, and I've configured things this way man
23:07 < cjs> y, many times on various systems in the past 15 years.)
23:07 < MTecknology> My swordfish is nearly cooked :)
23:07 < cclausen> cjs: well, whatever, let's figure out the .192 <-> .194 problem right now.
23:07 < cjs> The only reason I need to fake that /25 thing is due to the Linux kernel being unable to handle the idea of a "network" that doesn't have a physical layer.
23:07 < cjs> cclausen: Great, thank you. .193 is the router.
23:07 < cjs> And those address and routing tables I showed are from it.
23:08 < cclausen> cjs: what is it? a linux system?
23:08 < cjs> Oh, sorry. (Doh!). Ubuntu 10.04 server.
23:08 -!- jnss [janes@gateway/shell/sign.io/x-wjlnwgeubumvkxzf] has joined #ubuntu-server
23:08 < jnss> hey hows the ubuntu server
23:08 < cclausen> and the VM is also a linux system?
23:08 < cjs> It is: also 10.04 server.
23:09 < cclausen> cjs: from the .193 system, if you ping the .194 (yes, it fails) and then run arp -a, does the correct MAC show up?
23:09 < jnss> would you recommend this ubuntu server over centos or debian
23:09 -!- mdeslaur [~mdeslaur@ubuntu/member/mdeslaur] has quit [Quit: *** stack smashing detected ***]
23:10 < cclausen> jnss: over centos, yes. debian depends. I like the 5 year support on ubuntu
23:10 < cjs> cclausen: Gah! Yes it does, and suddenly it's working.
23:10 < cclausen> cjs: pings work now?
23:10 < cjs> cclausen: Would you believe "I didn't change anything"? (No, I wouldn't either.)
23:10 < cclausen> cjs: glad I could help :-)
23:10 < cjs> cclausen: yes, they work now. For .193 as well. I wonder what I did.
23:10 < cjs> cclausen: Just make sure you're around next time my networking breaks. :-)
23:11 < cjs> cclausen: Wait. It works in one terminal (ssh login), but not another. I am using -n on ping.
23:11 < cclausen> cjs: same system?
23:12 < cjs> It certainly appears to be.
23:12 < cclausen> cjs: both consoles running as root?
23:13 < cjs> Yes.
23:13 < jnss> got specific reasons why you would rather use ubuntu than centos? ;)
23:13 < cjs> Another one works, too. It's just this one window. This is...interesting.
23:13 < cclausen> using same ping binary? which ping is same on both?
23:14 < cjs> Yup.
23:14 < cclausen> cjs: close it and open a new one and hope the problem goes away...
23:14 -!- mdeslaur [~mdeslaur@ubuntu/member/mdeslaur] has joined #ubuntu-server
23:14 < cjs> cclausen: Tempting. But I want to poke at this a bit. It's insane enough that it must be me, not the machine.
23:14 < jnss> I'm just looking for ideas
23:14 < cclausen> jnss: 5 year support, I know the release cycle. RPMs make babies cry
23:15 < cjs> Dropping back out of my sudo shell, same problem. Hmm!
23:15 < cclausen> cjs: I could see a network capability rule applying to a specific session at login time
23:15 -!- erichammond [~erichammo@ubuntu/member/erichammond] has quit [Ping timeout: 240 seconds]
23:15 < cjs> Hm. Ok, that would be plausible. Except for how the capability rule got there.
23:16 < MTecknology> cclausen: You see anything obvious that would make it not work?
23:16 < cclausen> cjs: selinux? apparmor?
23:16 < cjs> I am using apparmor. Just the default thing.
23:16 -!- chilicuil [~chilicuil@unaffiliated/chilicuil] has joined #ubuntu-server
23:16 < cjs> Oh...hmmm...doesn't apparmor apply to ping?
23:16 < cclausen> MTecknology: sorry, got distracted. looking now
23:16 < MTecknology> cclausen: :P
23:16 < cclausen> cjs: I have no idea. I disable such things
23:16 < cjs> No, not in my case, if /etc/apparmor.d is anything to go by.
23:17 < MTecknology> cclausen: meanwhile I ate swordfish - first time - that was yummy
23:17 < cclausen> MTecknology: does eth0 need its own IP? I see you have it set to static, but didn't give it an IP
23:17 -!- erichammond [~erichammo@ubuntu/member/erichammond] has joined #ubuntu-server
23:18 < cclausen> err, I guess you have it set to "manual" and not "static"
23:19 < cclausen> does the bridge device manually up it as needed?
23:19 < cclausen> MTecknology: does ifconfig list eth0? does ifconfig -a ?
23:19 < MTecknology> cclausen: ifconfig shows it
23:20 < MTecknology> http://dpaste.com/189915/
23:20 -!- chilicuil1 [~chilicuil@189.181.238.197] has joined #ubuntu-server
23:20 -!- Error404NotFound [~Error404N@unaffiliated/error404notfound] has quit [Ping timeout: 252 seconds]
23:20 -!- chilicuil [~chilicuil@unaffiliated/chilicuil] has quit [Read error: Connection reset by peer]
23:21 < cclausen> MTecknology: but it doesn't have an IP assigned... what exactly wasn't working here again?
23:21 < cclausen> MTecknology: just the firewall rules?
23:21 < MTecknology> ya
23:21 < MTecknology> when I enable ufw, I can't communicate with the vm's anymore
23:23 < cclausen> all your VM networks are in 192.168.0.0/22 space ?
23:23 < cclausen> reduce your rules and just allow all traffic in that single CIDR block
23:23 < MTecknology> 192.168.1.0/24
23:23 < MTecknology> ufw allow from any to any should cover that
23:24 < cclausen> true, but just to test
23:24 < cclausen> remove all the rules
23:24 < MTecknology> I don't think my issue is in the rules themselves..
23:24 < MTecknology> ok.
23:24 < cclausen> and add just a ufw allow all from 192.168.0.0/22
23:25 -!- gigasoft [~gigasoft@95.155.29.211] has quit [Remote host closed the connection]
23:25 < MTecknology> you mean 192.168.1.0/24 ?
23:25 < MTecknology> or do I want it wider like that?
23:26 < cclausen> one of the messages you posted had a 192.169.3.x IP in it, didn't it?
23:26 < cclausen> May 1 22:24:22 pessum kernel: [19981.061455] [UFW BLOCK] IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=vnet1 SRC=192.168.3.6 DST=192.168.1.5 LEN=196 TOS=0x10 PREC=0x00 TTL=63 ID=40752 DF PROTO=TCP SPT=55015 DPT=22 WINDOW=126 RES=0x00 ACK PSH URGP=0
23:26 < cclausen> see the SRC=192.168.3.6 in there
23:26 < cclausen> where is that coming from ?
23:27 < MTecknology> oh.. sorry - I was thinking backward
23:28 < MTecknology> the vm's are all in 1.0/24 - the 3.0/24 is my vpn ip
23:28 -!- gigasoft [~gigasoft@95.155.29.211] has joined #ubuntu-server
23:28 < cclausen> MTecknology: does your VPN get blocked too? Or just the VMs?
23:28 < MTecknology> ERROR: 'Wrong number of arguments'
23:28 < MTecknology> Client->VPN = blocked
23:29 < cclausen> what is your client IP? in that same range?
23:29 * MTecknology is 192.168.3.xxx
23:29 * MTecknology is 192.168.3.6
23:29 < MTecknology> servers are 192.168.1.0/24
23:29 < cclausen> ok
23:30 < MTecknology> wireless clients 2.0/24; pptp are 4.0/24
23:30 < cclausen> pastebin iptables -L and ufw status
23:31 < MTecknology> here we go
23:31 < MTecknology> cclausen: http://dpaste.com/189917/
23:33 < MTecknology> cclausen: meh - I need to generate traffic to be blocked.... here's an actual sample line that I just generated - May 1 23:32:44 pessum kernel: [24082.584639] [UFW BLOCK] IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=vnet1 SRC=192.168.3.6 DST=192.168.1.5 LEN=100 TOS=0x10 PREC=0x00 TTL=63 ID=25825 DF PROTO=TCP SPT=55015 DPT=22 WINDOW=126 RES=0x00 ACK PSH URGP=0
23:34 < cclausen> that is a lot of iptables rules...
23:34 < cclausen> do you see anything that looks funky?
23:34 < MTecknology> well, ufw does make a lot of rules :P
23:35 < cclausen> hmm... I wonder if it's just affecting existing connections
23:36 < MTecknology> cclausen: line 127?
23:36 < cclausen> it is stateful and iptables probably needs to see the connect in the TCP handshake to allow the traffic
23:36 < uvirtbot> New bug: #573451 in dbconfig-common (main) "package dbconfig-common 1.8.44ubuntu1 failed to install/upgrade: subprocess installed post-installation script returned error exit status 1" [Undecided,New] https://launchpad.net/bugs/573451
23:36 < MTecknology> I wish that was it...
23:36 < MTecknology> any new connections fail
23:36 < cclausen> MTecknology: ah, ok
23:36 < cclausen> good to know though
23:37 < cclausen> wait, your rule is allow in anywhere
23:37 < cclausen> what about allow out ?
23:37 < MTecknology> allow from any to any
23:37 < MTecknology> that should go both ways
23:38 < MTecknology> Default: allow (incoming), allow (outgoing)
23:38 < MTecknology> ^ there's that too - ufw default allow
23:38 < uvirtbot> MTecknology: Error: "there's" is not a valid command.
23:38 < cclausen> can you remove your single rule
23:38 < cclausen> and try that?
23:38 < MTecknology> ok
23:38 < cclausen> just enable ufs without a rule set?
23:38 < cclausen> err, ufw
23:39 < MTecknology> http://dpaste.com/189926/
23:40 < cclausen> rule is still there: Anywhere ALLOW IN Anywhere
23:40 < MTecknology> sorry... wrong pastebin
23:41 < MTecknology> there we go - http://dpaste.com/189928/
23:41 -!- Scunizi [~could@ip72-197-240-157.sd.sd.cox.net] has quit [Read error: Connection reset by peer]
23:41 < cclausen> did that block stuff too?
23:42 < cclausen> what are the rules with 192.168.122.0/24 about ?
23:42 < MTecknology> no idea..
23:42 -!- erichammond1 [~erichammo@73.sub-75-213-211.myvzw.com] has joined #ubuntu-server
23:42 -!- erichammond [~erichammo@ubuntu/member/erichammond] has quit [Disconnected by services]
23:42 -!- erichammond1 is now known as erichammond
23:42 -!- erichammond [~erichammo@73.sub-75-213-211.myvzw.com] has quit [Changing host]
23:42 -!- erichammond [~erichammo@ubuntu/member/erichammond] has joined #ubuntu-server
23:42 < MTecknology> hrm..
23:43 < MTecknology> I think that's the virt network
23:43 < MTecknology> I should try iptables -flush
23:43 < MTecknology> maybe?
23:44 < MTecknology> or could that likely kill me?
23:44 < cclausen> yeah, flush the iptables rule sets
23:44 < MTecknology> there - chains listed - but all empty
23:44 < MTecknology> should I do ufw enable from here?
23:44 < cclausen> take a look at this
23:45 < cclausen> http://www.cyberciti.biz/tips/linux-iptables-how-to-flush-all-rules.html
23:45 < cclausen> I'd try flushing all of those
23:45 < MTecknology> I did iptables -F
23:45 < MTecknology> oh
23:45 < cclausen> yeah, but does that actually flush everything?
23:45 < cclausen> (it might, I don't know)
23:45 < MTecknology> everything except purging the chains
23:45 < MTecknology> which have nothing in them
23:46 -!- marshall [~marshall@dsl-69-172-114-200.acanac.net] has quit [Ping timeout: 252 seconds]
23:46 < MTecknology> ok - EVERYTHING is wiped
23:46 < cclausen> iptables -X just in case
23:46 < cclausen> now try ufw again
23:46 < MTecknology> ok..
23:46 * MTecknology crosses fingers...
23:47 < MTecknology> exact same thing
23:47 < cclausen> iptables -L pastebin?
23:47 < cclausen> e.g. is the rule set the same? with that 192.168.122 net?
23:48 < MTecknology> http://dpaste.com/189937/
23:49 < cclausen> ok, well at least the 192.168 stuff is gone now
23:50 < cclausen> try switching ufw the other way
23:50 < cclausen> to deny by default
23:51 < cclausen> with the same allow from any to any rule
23:51 < cclausen> and see if it still blocks
23:52 < MTecknology> http://dpaste.com/189941/
23:52 < MTecknology> that's w/o allow allow
23:52 < cclausen> if you have the text, diff the two
23:52 < cclausen> is the only difference the ACCEPT to DROP in the first line ?
23:53 < MTecknology> http://dpaste.com/189943/
23:54 < cclausen> that is the same thing, isn't it?
23:54 < MTecknology> just with the allow everything
23:54 < cclausen> hmm
23:54 < cclausen> I wonder if allow everything doesn't work b/c of the default rule sets
23:55 < cclausen> try just allow from 192.168.0.0/16
23:55 < MTecknology> allow from 192.168.0.0/16 to any ?
23:56 < cclausen> just ufw allow from 192.168.0.0/16
23:56 < cclausen> the "to any" should be implied
23:56 < MTecknology> you can't do that
23:56 < cclausen> (at least according to the wiki page I'm reading)
23:56 < cclausen> so this is wrong? https://help.ubuntu.com/community/UFW
23:56 < cclausen> "sudo ufw allow from 192.168.1.0/24"
23:56 < MTecknology> oh..
23:56 < cclausen> it's one of the examples
23:56 < MTecknology> nifty
23:56 < MTecknology> I'll try
23:57 -!- Italian_Plumber [~Italian_P@adsl-074-236-202-005.sip.clt.bellsouth.net] has joined #ubuntu-server
23:57 < MTecknology> same thing
23:57 < cclausen> hmm
23:57 < cclausen> I've got no ideas then
23:57 -!- erichammond [~erichammo@ubuntu/member/erichammond] has quit [Quit: Leaving.]
23:57 < MTecknology> alrighty
23:57 < cclausen> unless you want to try purging and reinstalling ufw and iptables
23:58 < MTecknology> I'll just file a bug report and include this whole log :P
23:58 < MTecknology> it happened on a fresh install
23:58 < MTecknology> this whole setup is only a few months old with mostly all default configs
23:59 < MTecknology> cclausen: thanks VERY much for the help :)
23:59 < MTecknology> cclausen: sticking with it this long was impressive :)
--- Log closed Sun May 02 00:00:13 2010