00:21.34 | *** join/#gllug MessedUpHare (~stewart@cpc8-acto3-2-0-cust6.4-2.cable.virginmedia.com) |
02:38.33 | *** join/#gllug sabinef72 (~sabinef72@sabinef72.ipv6.popipo.fr) |
02:42.54 | *** join/#gllug Leeds (~richardc@www.scorefive.com) |
03:31.22 | *** join/#gllug sabinef72 (~sabinef72@ns.popipo.fr) |
03:53.23 | *** join/#gllug Azundris (callisto@tatiana.azundris.com) |
09:01.37 | *** join/#gllug PcSett (~Don@host81-159-128-230.range81-159.btcentralplus.com) |
09:21.17 | boudiccas | Beware the Ides of March! |
09:22.31 | morsing | So, www.tickets.london2012.com has no IPv6 addresses... |
09:33.12 | wethrin | No, most places still don't |
09:39.30 | morsing | I am aware, but it's seriously disappointing, especially after the Chinese Olympics IPv6 success |
09:39.53 | morsing | And "most places" = 99.997% |
09:40.28 | morsing | And bear in mind that IPv4 address space will actually run out before the Olympic games start... |
09:44.16 | hali | sort of |
09:44.28 | hali | i just put in a RIPE application for some space |
09:44.50 | hali | it's harder than it used to be but they still have a fair amount of spare space for "real" business use |
09:45.55 | morsing | hali: Yes, let's squeeze the last bit out of a dying standard instead of planning for the future... Have worked since 1200 BC |
09:47.03 | hali | we've had IPv6 space and IPv6 peering enabled for about 2 years now |
09:47.09 | hali | NONE of our clients does |
09:47.13 | hali | so it's pretty pointless so far |
09:47.42 | hali | but it's there if they want it |
09:48.02 | hali | i think most of our ISPs have had it for 5+ years ... close to no traffic though |
09:48.04 | morsing | I'm not saying it's your fault - the ISPs need to be the main drive behind it and it doesn't help that consumer routers don't do IPv6 |
09:48.21 | hali | i agree with you, it's an impeding problem |
09:48.30 | hali | did you read the customer router ipv6 study? |
09:48.37 | morsing | No? |
09:48.41 | hali | done by ARIN or someone like that |
09:48.54 | hali | they tested loads of home routers and something like 5% passed their tests |
09:49.13 | hali | another good example is MacOS X .. even the new lion version doesn't have full ipv6 dhcpd support |
09:49.20 | hali | dhcpcd* |
09:49.27 | morsing | Debian is actually pretty crap at IPv6 |
09:49.42 | morsing | IPv6 shouldn't use DHCP anyway |
09:49.53 | morsing | That's what router advertisements are for |
09:51.24 | morsing | Out of our Ricoh printer, X-box, Wii, PS3 and D-link print server, guess how many support IPv6? |
09:52.46 | morsing | My laptop and our PC at home are on IPv6 but I can't disable IPv4 because traffic that doesn't go through the proxy can't be translated. |
09:59.09 | *** join/#gllug zooz (~zooz@host86-163-12-128.range86-163.btcentralplus.com) |
10:25.58 | antiphase | RA is horseshit |
10:26.14 | antiphase | which is why DHCPv6 is happening |
10:41.12 | *** join/#gllug flips_and_rails (~stu@2001:630:12:1058:218:feff:fe6a:be1b) |
10:53.01 | *** join/#gllug Nafallo_ (~nafallo@ubuntu/member/nafallo) |
11:29.35 | jpds | morsing: Blame Akamai anyway. |
11:41.19 | Cope | is going to the 'Move Over IPv4' party next week |
11:43.45 | morsing | Cope: The one which website isn't on IPv6? |
11:44.08 | Cope | why would you expect eventbrite to be on IPv6? |
11:44.15 | Cope | you are a wanker sometimes, morsing |
11:44.26 | morsing | ? |
11:47.02 | Cope | sorry, morsing |
11:47.07 | Cope | un-called-for |
11:47.11 | Cope | http://bringonipv6.com/ |
11:47.13 | morsing | 'tis ok. Beer? |
11:47.15 | Cope | is what you mean |
11:47.17 | Cope | isn't it |
11:47.21 | morsing | Oh, I see. Yes |
11:47.48 | morsing | What's Move over IPv4 then? And what's eventbrite? |
11:48.11 | AndyMillar | problem is, ipv6 sucks |
11:48.19 | Cope | it's just an event about ipv4 / ipv6 stuff |
11:48.31 | antiphase | http://lmgtfy.com/?q=move+over+ipv4 |
11:48.50 | Cope | i don't know much about it, but a friend of mine is on the panel, so i'm going along too |
11:49.32 | Cope | I mean - I don't know much about IPv6 implementation, advantages, disadvantages etc |
11:49.42 | Cope | interested to get some perspectives |
11:50.16 | antiphase | It's the same as IPv4 with more bits |
11:50.37 | Cope | rolls eyes |
11:51.09 | antiphase | They added some more bells and whistles that are mostly no longer relevant because it's not 20 years ago any more |
11:51.49 | antiphase | It sounds flippant to compare them so glibly, but realistically the implementations will be very similar |
11:51.58 | antiphase | People like familiarity |
11:52.03 | Cope | nods |
11:53.51 | Cope | is hungry |
11:56.20 | morsing | IPv6 is easier to implement and use but more difficult to remember the addresses unfortunately |
12:00.49 | AndyMillar | it also doesn't have NAT |
12:00.52 | AndyMillar | which is a pain |
12:01.12 | antiphase | Fail |
12:01.18 | antiphase | NAT is for gaylords |
12:01.26 | AndyMillar | I don't want to put windows machines on the internet |
12:01.31 | antiphase | Use a firewall then |
12:01.35 | antiphase | NAT isn't a firewall |
12:01.35 | AndyMillar | especially as rhel5/centos5 doesn't have conntracking working |
12:02.58 | morsing | NAT is nice sometimes... And it's annoying you can't do intercepting proxies with IPv6 |
12:04.37 | antiphase | The only use for NAT is in alleviating address shortage, and it should DIAF |
12:04.58 | antiphase | Anyone caught implementing NATv6 is likely to have their internet licence revoked |
12:05.51 | antiphase | wonders if he has made his point |
12:05.57 | morsing | antiphase: They need to implement some other form of prerouting then |
12:06.06 | antiphase | What does that mean? |
12:06.16 | *** join/#gllug Leeds (~richardc@pcd253019.netvigator.com) |
12:06.17 | morsing | To support intercepting proxies |
12:06.31 | antiphase | Do you mean transparent web proxying, for example? |
12:06.43 | morsing | ? Yes... |
12:06.55 | antiphase | I don't see why the situation would be any different with IPv6 |
12:07.03 | morsing | ? |
12:07.06 | morsing | Try it, then |
12:07.15 | morsing | IPv6 can't do it |
12:07.25 | antiphase | wtfs a bit |
12:07.59 | antiphase | Are you suggesting that people with routable IPv4 addresses are currently unable to use transparent proxies? |
12:08.05 | morsing | No |
12:08.24 | morsing | I'm saying IPv6 can't do it |
12:08.31 | antiphase | Or that an HTTP proxy is unable to make a request on behalf of another machine for some reason |
12:08.37 | morsing | ? |
12:08.48 | morsing | PREROUTING is essentially a NAT thing |
12:08.53 | antiphase | You also think that SLAAC is a good idea and that DHCPv6 shouldn't exist |
12:08.53 | morsing | So not supported |
12:09.10 | antiphase | gives up |
12:09.22 | morsing | I understand it can be tricky to understand |
12:09.31 | antiphase | Evidently |
12:10.06 | wethrin | don't see why you couldn't use a transparent proxy |
12:10.47 | wethrin | just tell your router to redirect any requests from an appropriate set of IP addresses to your proxy |
12:11.09 | wethrin | same way certain ISPs do proxying |
12:11.12 | antiphase | Transparent proxying is usually done with policy routing in the network |
12:11.34 | antiphase | It's nothing to do with iptables NAT chains |
12:12.15 | antiphase | wonders how the crusty old AIX-using men would do it |
12:12.31 | antiphase | Steam powered proxies! |
12:13.31 | hali | AIX has actually had decent ipv6 support since version 4.something :) |
12:27.09 | AndyMillar | antiphase: ok, given you seem to like the idea of bridging firewalling and all that jazz; fancy explaining why my stateful firewall doesn't work? :-p |
12:32.14 | *** join/#gllug dick_turpin (~dick_turp@host217-34-163-30.in-addr.btopenworld.com) |
12:32.27 | antiphase | You need more cowbell |
12:32.39 | dick_turpin | Release the hounds! |
12:45.47 | *** join/#gllug gmarkall (~graham@dyn1214-109.wlan.ic.ac.uk) |
12:51.54 | Cope | use pf, hth, hand |
12:51.59 | wethrin | yay for pf |
12:52.32 | Cope | pf is very good indeed :) |
12:53.12 | wethrin | indeed |
12:54.39 | antiphase | pff |
12:54.56 | Cope | antiphase <3 ipchains |
12:55.02 | AndyMillar | ok, given I'm running centos 5.6 |
12:55.18 | AndyMillar | no, 5.5 |
12:55.30 | Cope | run openbsd in a kvm? |
12:55.46 | Cope | chuckles, sorry antiphase |
12:55.47 | Cope | gah |
12:55.48 | Cope | AndyMillar: |
12:56.44 | Cope | I just wouldn't start from there... I prefer pf or even ipfilter to iptables, so I wouldn't build a firewall using linux |
12:57.33 | wethrin | indeed |
12:57.48 | antiphase | I found pf horribly confusing on the single occasion I tried to use it about 5 years ago |
12:57.54 | antiphase | iptables ftw |
12:58.15 | wethrin | I've found iptables/ipchains/ipOMGWTFBBQ to be horribly confusing |
12:58.26 | Cope | i think pf has improved a lot; when I first used it... 7 years ago? whenever wethrin showed it to me... the docs were ropey |
12:58.30 | Cope | they're very good now |
12:58.44 | Cope | and the dsl (for want of a better word) is very clear |
12:58.49 | wethrin | 7 years ago is probably about when they switched from ipf to pf |
12:58.58 | Cope | nods at wethrin |
12:59.29 | Cope | anyway! none of this helps AndyMillar |
12:59.34 | Cope | AndyMillar: what's the actual problem? |
12:59.42 | antiphase | iptables seems to win on account of the commands just being a set of conditions to match, rather than some weird language that implies things |
12:59.50 | antiphase | I can't really say though because I know fuck all about pf :P |
12:59.55 | Cope | nods at antiphase |
13:00.09 | Cope | yes - pf is a packet filtering DSL |
13:01.47 | Cope | iptables/netfilter is more like setting up a series of logic gates to achieve pseudo-stateful packet inspection into the linux kernel |
13:01.57 | Cope | if that makes sense |
13:03.22 | Cope | pass log on $ext_if inet proto tcp from any to $loadbalancers port $webports keep state (max-src-conn 100, max-src-conn-rate 15/5, overload <abusive_hosts> flush) |
13:03.40 | antiphase | goes blind |
13:03.49 | Cope | try doing that in iptables and making it readable |
13:04.02 | antiphase | That looks nearly as horrible as tc |
13:05.01 | Cope | yeah that's kinda long |
13:05.03 | Cope | pass on $ext_if inet proto { udp tcp } from $ldap_allowed to $ldapservers port 389 |
13:05.03 | antiphase | I wonder if anyone has tried to write a converter |
13:05.15 | wethrin | Yes. |
13:05.20 | wethrin | I don't think it worked wonderfully, though |
13:05.53 | Cope | plus carp and pfsync are just amazing |
13:06.05 | Cope | god only knows how you'd do that with iptables |
13:06.28 | antiphase | Maybe no-one has ever needed to |
13:06.49 | Cope | no-one has ever needed to implement failover firewalls with an implementation of VRRP? |
13:07.07 | Cope | yes maybe that's because no-one in their right mind would use iptables for serious firewalling? |
13:07.10 | Cope | </troll> |
13:07.40 | antiphase | There's always a difficult decision for people to make; by the time you really need proper networking stuff, it seems common for people to buy commercial solutions |
13:07.49 | Cope | yeah |
13:08.13 | Cope | i actually started using pf properly because our not inexpensive cisco firewalls sucked balls |
13:08.14 | antiphase | Rather than rely on some crackpot system dreamt up by someone who subsequently leaves |
13:08.43 | Cope | i've used and quite liked checkpoint ng |
13:08.50 | Cope | but that's just ipfilter really |
13:09.04 | Cope | i've used juniper netscreens - they're great |
13:09.10 | Cope | but they're also ipf under the hood |
13:09.26 | Cope | i've used ciscos and hated them |
13:10.18 | Cope | but pf was very cost effective, performed well, and could be nicely managed by puppet |
13:14.02 | AndyMillar | Cope: problem: stateful ip6tables rules aren't matching, so I can't block unbound connections via ipv6 |
13:14.36 | Cope | AndyMillar: you in the centos channel ever? |
13:14.45 | AndyMillar | sometimes |
13:14.59 | AndyMillar | what have I missed? |
13:15.54 | Cope | Pretty sure centosian said something about ip6tables and statefulness a month or two ago; he knows iptables really well, if you want to hit someone up who is likely to help rather than troll like me. |
13:16.50 | Cope | z00dax: you remember? ... |
13:22.17 | z00dax | there is/was a problem with state/ip6tables a while back in centos5 |
13:23.59 | antiphase | You could use Debian instead :P |
13:26.04 | *** join/#gllug dick_turpin (~dick_turp@host217-34-163-30.in-addr.btopenworld.com) |
13:27.14 | z00dax | :) |
13:40.43 | AndyMillar | z00dax: do you know if it's still a problem? :/ |
13:42.21 | Cope | z00dax: Isn't it just that netfilter in the available upstream kernels doesn't support stateful IPv6 firewalling? |
13:43.08 | z00dax | Cope: yup |
13:43.20 | z00dax | checks if 5.6 resolves this |
13:51.03 | z00dax | there are a bunch of patches into the 5.6 kernel that might be relevant |
13:51.10 | z00dax | i don't have a machine to test on right now though |
13:56.13 | AndyMillar | hmm, I might have a play |
14:13.47 | *** join/#gllug sabinef72 (~sabinef72@sabinef72.ipv6.popipo.fr) |
14:19.59 | *** join/#gllug __marcus_ (~marcus@lenny.uk-debtcollection.com) |
14:20.12 | *** join/#gllug cbz (chriseb@vortex.ukshells.co.uk) |
14:37.19 | *** join/#gllug sabinef72 (~sabinef72@ns.popipo.fr) |
17:21.29 | *** part/#gllug dick_turpin (~dick_turp@host217-34-163-30.in-addr.btopenworld.com) |
18:42.12 | *** join/#gllug Hamzah (~mhamzahkh@genesis.home.hamzahkhan.com) |
19:05.13 | *** join/#gllug Hamzah (~mhamzahkh@genesis.home.hamzahkhan.com) |
19:05.46 | *** part/#gllug yaMatt (~yaMatt@li99-88.members.linode.com) |
19:11.06 | *** join/#gllug Mohan (~nixh0st@unaffiliated/mohan) |
19:17.10 | *** join/#gllug Mohan (~nixh0st@unaffiliated/mohan) |
19:44.42 | *** join/#gllug Hamzah (~mhamzahkh@genesis.home.hamzahkhan.com) |
19:45.55 | *** join/#gllug gmarkall (~graham@84.45.235.192) |
20:30.30 | *** join/#gllug __marcus_ (~marcus@lenny.uk-debtcollection.com) |
23:36.02 | *** join/#gllug Leeds (~richardc@pcd253019.netvigator.com) |