libera/#devuan/ Saturday, 2019-05-18

14:12 <telmich> timeless: in the best case your ISP should offer IPv6, that is absolutely correct. The VPN offered by ungleich is really for the cases when you cannot get IPv6 otherwise reliably
14:12 <telmich> timeless: I have it for instance on all notebooks/phones, because mobile phone providers don't give you IPv6 in Switzerland (or at least salt)
15:02 <fsmithred> why do I have firefox cookies from places that I last visited in 2016???
15:02 <fsmithred> I've cleared my cookies hundreds or thousands of times since then
15:03 <fsmithred> and they no longer go away when I close firefox
15:47 <MinceR> maybe the setting to remove cookies on exit was among the many settings they removed
15:48 <MinceR> like the settings to disable javascript or prevent javascript from hijacking right clicks
15:50 <fsmithred> it's very weird. Most of the time it appears that the cookies are all gone, and this time when I closed the browser, some of the cookies went away, but a handful remained, and a few of them were very old.
16:01 <cosurgi> I should someday switch from chromium to firefox. However this is how I dealt with chromium problems: I added ~/.config/chromium/Default/Bookmarks to git dotfiles. Every couple weeks I rm -rf ~/.config/chromium/, also I have set the immutability attribute on the file ~/.config/chromium/Default/Preferences, like this:
16:01 <cosurgi> $ lsattr ~/.config/chromium/Default/Preferences
16:01 <cosurgi> ----i---------e---- /home/praca/.config/chromium/Default/Preferences
16:01 <cosurgi> with command sudo chattr +i .config/chromium/Default/Bookmarks/Preferences
16:02 <cosurgi> And that's it. Chromium is totally wiped out, and doesn't even notice. While I keep using it with exactly the same config all the time.
16:03 <cosurgi> Ah, before wiping it out I copy the files Current Session, Current Tabs, Last Session, Last Tabs. So that restarting it after the wipe has exactly the same windows opened.
19:30 <xrogaan> firefox 60.6.3 is finally available from ascii-updates; took only one week :P
19:33 <xrogaan> MinceR: for firefox you can disable javascript through the webdev thing https://files.catbox.moe/6lsexp.png
19:35 <MinceR> i know
19:35 <MinceR> but they used to have a setting for it in preferences
19:44 <xrogaan> For ease of use, I have this https://addons.mozilla.org/en-US/firefox/addon/javascript-toggler/
20:16 <xrogaan> I just noticed that if I block all access to the internet but localhost, chromium can still access google.
20:16 <xrogaan> but nothing else
20:18 <xrogaan> my iptables rules http://dpaste.com/0XR3CD7
20:20 <gnarface> i don't think changing those settings would kill off existing connections
20:20 <gnarface> try just restarting chromium
20:20 <xrogaan> i start chromium under the "no-internet" group
20:21 <xrogaan> sg no-internet -c 'chromium'
20:21 <xrogaan> so there is no connection made at all
20:21 <xrogaan> chromium cannot reach anything else, just google
20:22 <xrogaan> Can I set up a rule to deny an interface?
20:27 <DocScrutinizer05> my ISP doesn't really offer decent IPv4 :-/
20:30 <DocScrutinizer05> I can switch the damn modemrouter to bridged mode which gives me a semi-working IPv4 on their damn cgNAT they use to route their "4over6" cable access to the real world. But then a) my cable TV blows chunks, and b) seems their cgNAT IP range is on several RBLs now so for example I only get "page doesn't exist" on AliExpress no matter which URL
20:32 <gnarface> xrogaan: set everything to DROP, try that
20:32 <DocScrutinizer05> hi timeless!
20:38 <gnarface> xrogaan: try it like this, just as a test: http://paste.debian.net/1082050/
20:43 <Wonka> DocScrutinizer05: funny, aliexpress is on akamai - is akamai not fully DS already? why would they?
20:44 <xrogaan> gnarface: I should have said it before, but this works: `DROP       all  --  anywhere             anywhere             owner GID match no-internet`
20:44 <xrogaan> just the drop all anywhere if the gid matches
20:45 <xrogaan> chromium manages to get to the google servers if localhost isn't blocked
20:45 <MinceR> does it actually make a connection or does it just render a page?
20:46 <xrogaan> i can search the web
20:49 <xrogaan> and I can watch youtube videos
20:49 <MinceR> sounds like the network blocking doesn't work
20:49 <MinceR> maybe it's using a different protocol, like SPDY?
20:49 <xrogaan> listens to 224.0.0.251:5353 in udp
20:53 <xrogaan> I don't filter on protocol, I just drop everything
21:04 <xrogaan> apparently, -owner only works for OUTPUT and POSTROUTING. I can't have that.
21:04 <MinceR> have you tried running chromium in a namespace that had no network access instead?
21:09 <xrogaan> how?
21:09 <xrogaan> what do you mean by namespace?
21:10 <MinceR> the linux kernel feature
21:10 <MinceR> i can't find the command line to do it before, though
21:33 <xrogaan> what a pain in the ass
21:57 <rebag> hey. How to have the same *same* environment with #root user and crontab root user please ?
22:00 <xrogaan> crontab uses the system environment
22:01 <xrogaan> check /etc/default/cron and /etc/init.d/cron
22:01 <rebag> yes
22:01 <rebag> the software that needs cron (bup), fails because of the differences between the 2 environments ...
22:02 <xrogaan> no, really, read /etc/default/cron
22:02 <xrogaan> maybe I can highlight the relevant part: `This has no effect on tasks running under cron; their environment can only be changed via PAM or from within the crontab; see crontab(5).'
22:03 <rebag> yes and : READ_ENV="yes"
22:03 <xrogaan> maybe I can **really** highlight the relevant part: `This has no effect on tasks running under cron; their environment can only be changed via PAM or from within the crontab; see crontab(5).'
22:04 <xrogaan> I don't know bup though, so I might be wrong.
22:05 <rebag> heh yes ok. But I dunno pam, i understand PAM is the only way to get the same env as root isn't it ?
22:06 <gnarface> xrogaan: uh... you allowed localhost/8 to pass through, right?
22:06 <rebag> "or within the corntab"
22:06 <rebag> crontab
22:06 <gnarface> xrogaan: i'm not sure you want to allow all those IPs through.  i'm not sure they're actually all localhost
22:07 <xrogaan> gnarface: I don't understand
22:08 <gnarface> well, i might be wrong here, but the fundamental thing i'm worried about is that localhost is 127.0.0.1, and you're actually passing everything from 127.0.0.0 to 127.255.255.255
22:08 <gnarface> and i've never seen that before
22:08 <gnarface> that's all
22:08 <gnarface> also i'm not sure you're blocking ipv6 at all
22:08 <rebag> really I don't understand what I have to do. I have had this problem for months now; I tried various things including adding source in the crontab. I dunno PAM at all. Then any help appreciated
22:09 <xrogaan> gnarface: I don't know what you are talking about. I drop everything if the gid matches the rule.
22:09 <xrogaan> rebag: my guess is ask the bup people
22:09 <rebag> we have tried in the bup chan to figure out which variables were missing, without success :(
22:09 <gnarface> xrogaan: eh, nevermind.  you know what?  just put google's IPs in your /etc/hosts file and point them back to localhost
22:10 <rebag> but it's absolutely sure that it's related to the cron env because with the root env all is fine
22:11 <xrogaan> gnarface: what do I not catch with the "anything" rule?
22:12 <xrogaan> any protocol, anywhere except if the destination is local.
22:13 <gnarface> xrogaan: well you said it blocks everything correctly unless you pass localhost traffic, right?
22:14 <gnarface> my hypothesis is that you've made a mistake there and that's how it's sneaking out
22:14 <xrogaan> `iptables -A OUTPUT -m owner --gid-owner no-internet -o lo -j ACCEPT'
22:14 <gnarface> but it's not beyond the realm of possibility that chromium is doing something sneaky
22:14 <xrogaan> and then: `iptables -A OUTPUT -m owner --gid-owner no-internet -j DROP'
22:15 <xrogaan> well, yeah, because chromium *doesn't* have access to the internet, just to google services.
22:15 <xrogaan> which is the internet, but apparently not from google's point of view.
22:16 <xrogaan> something something chromebook, something something eating data.
22:16 <gnarface> so, iptables has INPUT, FORWARD, OUTPUT, PREROUTING, POSTROUTING, MANGLE, and ... maybe some others.  if you let it through on any of those, it can sometimes use pre/postrouting or mangle to sneak it through a crack in the armor
22:17 <gnarface> i'm foggy on the specifics, and i think they're crap
22:17 <gnarface> and i largely suspect this is a common view, because it's already being replaced (again)
22:18 <gnarface> so you gotta figure out what it's doing with the packets on a lower level, or you gotta just plug all the holes more explicitly
22:18 <gnarface> i don't think there's anything to say that once you've allowed it to access localhost it can't mangle the packets to get them out and back even if "input" and "output" are being dropped if you don't also drop "forward" "prerouting" and "postrouting" and "mangle" ... understand?
22:19 <gnarface> so it really might be easier to just block their traffic by ip explicitly, or use the hosts file override if it's doing it by DNS
22:21 <gnarface> also... don't forget about ipv6, i'm not sure you've even touched the ipv6 traffic, and chromium might be smart enough to try both ipv4 and ipv6
22:22 <gnarface> if it's actually generating traffic under some other uid/gid than what you're running it as... that would be an extremely dirty trick, but not beyond the realm of possibility
22:22 <xrogaan> I understand they can do sneaky stuff, yeah, but I can't match by owner on other hooks than POSTROUTING and OUTPUT.
22:23 <gnarface> i'm sorry this is not as specific information as you want, i'm just trying to outline how many blind spots there are here in your setup
22:23 <gnarface> personally i prefer BSD for this part
22:24 <gnarface> packetfilter is no less complex, but makes a lot more sense in the end
22:24 <gnarface> i think there is an implementation for linux these days.  i haven't tried it, but it might be worth it for you
22:24 <xrogaan> oh, right, another cli for ipv6
22:25 <xrogaan> I might be that dumb
22:25 <gnarface> my hosts file here calls the ipv6 localhost "ip6-localhost", it's distinct from the regular ipv4 localhost.  that could also be the culprit, yes
22:26 <gnarface> or something related to that
22:27 <xrogaan> Yeah, so, for some reason the iptables rule to drop everything based on owner works. If I suddenly allow localhost, chromium has access to google services. But if I then apply the same rule with ip6tables (drop anything based on owner, without the localhost exception), chromium is stuck yet again.
22:28 <xrogaan> My question is: "Why?!"
22:29 <gnarface> seems like expected behavior in that case
22:29 <gnarface> chromium tries ipv4 first then falls back on ipv6 so you have to block them both
22:29 <gnarface> doesn't that seem logical?
22:30 <gnarface> you should be happy it doesn't try to establish a new network connection to your neighbor's wifi when ipv6 fails, and then start trying ad-hoc routes through nearby bluetooth devices
22:30 <xrogaan> Well, I had the DROP rule for everything for a while, but without anything related to ipv6, and chromium never could reach google
22:30 <gnarface> oh, hmm
22:30 <xrogaan> Today I set up the exception, and suddenly chromium could reach google but nothing else
22:30 <gnarface> something a little weird there maybe still
22:31 <gnarface> if you do BLOCK instead of DROP does it change anything?
22:31 <gnarface> DROP won't bounce the packets, it will just pretend it didn't get them.  if you BLOCK instead, the IP stack gets the packets returned as errors
22:31 <gnarface> that might trigger different behavior
22:34 <xrogaan> How do I do that? -j BLOCK?
22:34 <gnarface> yea.  while you're testing this, you should run some tcpdumps on all these interfaces, that will tell you exactly where the packets are going, and what ip addresses they're going to
22:34 <xrogaan> -j REJECT probably
22:35 <gnarface> oh, maybe
22:35 <gnarface> though, as i consult the man page, it says it is RETURN
22:36 <xrogaan> there are 3 states only: accepted, dropped and rejected
22:36 <gnarface> nevermind, RETURN looks like something different
22:36 <gnarface> though there's very little information about it on the man page
22:38 <xrogaan> so this is working: http://dpaste.com/34MREA4
22:38 <xrogaan> without the last line, chromium has access to the google space. With the first line alone chromium doesn't reach the google space.
22:38 <xrogaan> (just to be clear)
22:38 <xrogaan> err sorry
22:38 <xrogaan> with the second line alone*
22:39 <xrogaan> brb coffee
22:44 <xrogaan> rebag: bup seems to need specific things, I don't know the software so I can't help you. You will get better support from the software authors.
23:04 <systemdlete> Is setting /proc/sys/net/ipv4/ip_forward to 1 sufficient to make ip forwarding work?  I am having a problem on a different system, but maybe devuan runs into this also?
23:04 <systemdlete> I can't find an answer by googling.  There are smart and HELPFUL :) people here, so...
23:05 <systemdlete> I have this working on my CentOS system, and I am currently working on hyperbola (the problem system atm) and shortly, devuan ascii.
23:06 <systemdlete> I have 2 physical interfaces, which I want to allow to forward packets to a virtualbox interface
23:06 <systemdlete> This exact same config (sans anything I forgot to do, obviously) on CentOS and it works.
23:07 <systemdlete> istm, all I did was echo 1 > /proc/sys/net/ipv4/ip_forward and voila! it worked.
23:07 <systemdlete> Trying this on devuan will be instructive, to say the least...
23:07 <systemdlete> (that's CentOS 6.10, btw, the last of the Mohicans...)
23:16 <xrogaan> systemdlete: sysctl seems to be used to do those things
23:17 <xrogaan> or in /etc/sysctl.conf
23:17 <systemdlete> true, but that's just to ensure that the setting is saved across reboots.  I see that using sysctl to do this is reflected in the contents of the /proc file
23:17 <systemdlete> Yes, sysctl.conf is where sysctl will get its persistence data
23:18 <systemdlete> I tried it all different ways.  No love
23:18 <systemdlete> xrogaan, keep in mind this is hyperbola, not devuan, but that shouldn't make any difference.
23:19 <xrogaan> well, I don't know who hyperbola is
23:19 <gnarface> /proc should be the same
23:19 <gnarface> more or less
23:19 <systemdlete> They are an arch distro, but they have removed systemd and they are going to a fixed-release approach based on "stable" snapshots of arch
23:20 <gnarface> if you have a custom kernel you might have omitted ip forwarding inadvertently though...
23:20 <systemdlete> gnarface: hi, and yes, I agree.
23:20 <xrogaan> why no artix linux?
23:20 <systemdlete> no custom kernel
23:21 <systemdlete> I have artix linux also, but I am seeking a fixed release (LTS) which at this point is only alpine, devuan, hyperbola.
23:21 <xrogaan> also, you might want to ask the hyperbola people
23:21 <systemdlete> Alpine would be great for xen, but I also need virtualbox
23:21 <systemdlete> I've queried them, but because they are a small community, and rather tight, it can be hard to get help.
23:22 <systemdlete> And I am not even sure I have a bug.  More likely something I overlooked I think
23:22 <systemdlete> these linux kernels are more or less the same, or should be
23:23 <gnarface> are you also using ipv6?  is this a virtualized guest of some sort?
23:23 <systemdlete> I'm thinking I might move on to installing and configuring devuan for this, and returning to hyperbola later.
23:24 <systemdlete> gnarface:  ipv6 does seem to be enabled on hyperbola, but I did nothing to effect that.  No, not a VM.  The only VM is one of the interfaces, as I stated above.  But that should not matter.
23:25 <systemdlete> gnarface: The only thing I am wondering is that the VM is configured for a paravirtualized interface.  If there is a problem with the driver on the host (hyperbola) side, then maybe there is an issue.  But, again, all I have done is made the same VMs available on hyperbola as I had on CentOS.  There should, in theory, be no difference.
23:26 <KatolaZ> systemdlete: echo 1> /proc/... and sysctl have the same effect
23:26 <systemdlete> Yes, KatolaZ.  Exactly.
23:27 <systemdlete> The point is, even though the /proc/... device is set to 1, still packets do not forward.
23:27 <KatolaZ> systemdlete: is that ipv4 forward or ipv6 forward?
23:28 <systemdlete> Also, I am starting to see DUPs when I ping 8.8.8.8 from hyperbola (local Internet does work through the virtual interface, just not other machines on the LAN)
23:28 <KatolaZ> systemdlete: you have a messed-up routing table
23:28 <systemdlete> ipv4 forward.  There is no similar ipv6 device, but there is /proc/sys/net/ipv6/all/ip_forward
23:28 <KatolaZ> most probably
23:29 <KatolaZ> that's why I was asking systemdlete
23:29 <systemdlete> Maybe.  But it really is pretty simple.  And almost identical to the one on CentOS
23:29 <KatolaZ> for ipv6 the procfiles are arranged differently
23:29 <systemdlete> yes, I noticed!
23:29 <KatolaZ> systemdlete: almost identical is not identical :P
23:29 <KatolaZ> please paste your routing table
23:29 <KatolaZ> ~paste
23:30 <KatolaZ> but not here, or the bot will ban you
23:30 <systemdlete> different names for the interfaces.  eth? on CentOS, enp?s? on hyperbola
23:30 <KatolaZ> o_O
23:30 <KatolaZ> systemdlete: I thought you were talking of a devuan install
23:31 <systemdlete> https://pastebin.com/fBHkru4j
23:31 <systemdlete> (no, I did mention early on, see above)
23:31 <systemdlete> but as gnarface said, it should be the same
23:31 <systemdlete> kernel is 4.9.155
23:32 <KatolaZ> are you sure your vbox config is all right?
23:32 <KatolaZ> (meaning, it allows network routing?)
23:33 <systemdlete> Yes, because (1) the VM is the same as the one used on CentOS (shared drive) and (2) I am on IRC with you via this very VM
23:34 <gnarface> i wonder if it could be some module that just needs to be manually loaded...
23:34 <systemdlete> if vbox were not configured properly it would not have worked under CentOS and I'd not be chatting with you here
23:35 <systemdlete> gnarface:  I thought of that.  I did a sweep of everything under /lib/modules and found nothing looking like ip_forward or similar
23:35 <systemdlete> see, I really did my homework before coming here to ask.
23:36 <gnarface> just making sure
23:36 <systemdlete> np.  and thanks for asking
23:38 <systemdlete> hmmm.  Just wondering.  Is there a way to easily disable ipv6?
23:38 <systemdlete> Just to test, get some data points...
23:39 <systemdlete> I don't think I have much ipv6 going on on CentOS.  For one thing, the kernel is old, and I think there were some issues with ipv6 on 2.6.32 or so
23:39 <fsmithred> there is a way to do that, but I don't remember the exact words
23:39 <systemdlete> (hi fsmithred)
23:40 <fsmithred> hi
23:40 <systemdlete> https://www.techrepublic.com/article/how-to-disable-ipv6-on-linux/
23:40 <fsmithred> search for 'blacklist ipv6' at forums.debian.net and you'll find the answer a bunch of times
23:41 <fsmithred> yeah, do it the debian way
23:41 <fsmithred> in /etc/sysctl.conf
23:41 <systemdlete> done
23:42 <systemdlete> now let's see...
23:43 <systemdlete> nope.  still nothing.
23:43 <systemdlete> well, I guess it is time to stop wasting time -- esp the time of the valiant heroes on #devuan --
23:44 <systemdlete> and move on to configuring my devuan domain (same hardware, different partition)
23:44 <Evilham> systemdlete: sysctl net.ipv6.conf.all.disable_ipv6 1
23:44 <systemdlete> Evilham: thanks.  Got it.  Did it.  Got the t-shirt.  But still no love.  no forwarding
23:45 <systemdlete> first question, when I bring up devuan graphical, there is a dark border all around the screen.  and there does not seem to be a place to change the monitor settings
23:46 <systemdlete> when I go into the monitor settings dialog, I am already set for the largest size monitor
23:46 <systemdlete> missing driver?
23:46 <gnarface> maybe missing or just picked the wrong one by default.  hard to say. i'd check the Xorg log first, to make sure the detected resolution and refresh settings match the display
23:46 <gnarface> sometimes it's just bad EDID data
23:46 * systemdlete mounts the devuan partition to look at that. Good idea, gnarface
23:47 <gnarface> "overscan" can be a graphics card setting too... it's usually not on by default but i vaguely recall some weird cases where it might be
23:48 <fsmithred> guest additions?
23:48 <systemdlete> hardware this time, fsmithred, hardware.  :)
23:48 <systemdlete> (finally!)
23:48 <fsmithred> oh
23:49 <systemdlete> Yes, well, this is the result of having put up long enough with C6 as my host and needing to find a solution before 2020, when support for C6 totally runs out
23:50 <systemdlete> I'd like to have Devuan or something solid in place and soon
23:50 <systemdlete> oh, and this is Ascii, not Jessie or Beowulf or any other future release.
23:50 <systemdlete> It's a fresh install, from about 3 days ago.
23:52 <systemdlete> looks like ATI VESA...
23:52 <systemdlete> RS780
23:53 <gnarface> Vega you mean?
23:53 <systemdlete> Xorg.0.log: VBESetVBEMode failed, mode set without customized refresh.
23:53 <systemdlete> no, VESA
23:53 <gnarface> definitely the wrong driver then
23:54 <gnarface> VESA is a generic driver
23:54 <gnarface> something it falls back on if it can't figure out what to use
23:55 <gnarface> at that point it's just trying to get any working display even if the feature support is severely limited
23:56 <systemdlete> this MB is from at least a generation ago. (AMD 3M)
23:56 <systemdlete> 3AM, sorry
23:56 <gnarface> VESA is a lot older than that
23:56 <systemdlete> AM3 rather
23:57 <gnarface> VESA isn't your best driver unless the video card is either completely unsupported, or... from the early 1990's
23:57 <systemdlete> It is loading a driver, a long list of ATI Radeon (and some others)
23:58 <gnarface> pastebin the xorg log?
23:59 <gnarface> by default if you haven't specified in the xorg.conf, it will actually try to load several drivers all at once to see what sticks
