asciilifeform: mircea_popescu: i know this, had the misfortune of buying'em, plugging in, fiddling.
mircea_popescu: asciilifeform you understand, item by cisco/friends not amounting to a rockchip plant sells to usg.tards for 100k sorta money.
asciilifeform: but this won't be born tomorrow.
diana_coman: if I understand correctly asciilifeform's solution is essentially not as much kill the pest as make the whole thing pest-resilient
asciilifeform: and moreover, they are a problem with the basic design of (for the most part) tcp.
asciilifeform: ( iirc mircea_popescu knew this long ago )
asciilifeform: mircea_popescu: serious floods are a problem not at the level of our rack, but upstream
mircea_popescu: this can turn out to be quite lucrative.
mircea_popescu: asciilifeform the rate this is going, i guess nsa will soon be in the business of producing flood-fighters ; considering what the "professional" crapola out there costs...
mircea_popescu: if the wrong "rules" of the administrative office get in the way, the only acceptable solution is to fucking burn it down.
mircea_popescu: code written to circumvent administrative failure is possibly the source of wank. 20yo who "fought idiot vice-principal" with code rather than club.
asciilifeform: there is no way around this.
asciilifeform: mircea_popescu: another important fact to remember : ip rules inevitably slow traffic.
mircea_popescu: i misspoke. i meant "this is a sorry reason to write code."
mircea_popescu: this is a sorry reason to have things.
mircea_popescu: i suspect "iptables" is like "php implementation of ftp" : most people don't have their own isp.
mircea_popescu: diana_coman thinking logically : either this is a problem or it isn't. if it is a problem, then it should be handled upstream not by server.
diana_coman: I am very, very tempted but precisely for this reason still trying to make sure I'm not just preferring the easy way out here
asciilifeform: i do know that many people's pest control setups rely on iptables, and so all new pizarro customers will get it by default. but imho it is a bitter pill.
mircea_popescu: diana_coman can i get you behind this "iptables are for amateurs" line ?
mircea_popescu: this is such a tempting notion to invest...
mircea_popescu: ie, "the problem with iptables is that as defined can not exist" ?
asciilifeform: at one time asciilifeform burned 20-40min erry day manually banning . then got tired of this and went to properly optimize the phuctor db so that it doesn't give a damn re load, up to line speed.
diana_coman: the fact that some still do doesn't really = they have no trouble
asciilifeform: diana_coman: i used nothing at all. given as bandwidth hogs dun seem to ever have any trouble coming up with ~infinite new ip proxies.
diana_coman: asciilifeform, what did you use then? I'm not a huge fan of iptables in any way and this have-to-recompile-kernel doesn't help but I don't know of anything else that is better
asciilifeform: i ended up going back to it, largely to use the aws-ban script
a111: Logged on 2018-09-04 14:34 mircea_popescu: well this promises to be a serious problem that can't be winged, but will require some thought ; in part because i don't directly see the difference ; and in part because i don't really think a machine without a functioning way to limit access to it is actually seaworthy.
asciilifeform: http://btcbase.org/log/2018-09-04#1847273 << at the time i built the 1st kernel for these particular iron, i was not using (believe or not) iptables, was quite disappointed with the 'whack-a-mole' approach to bandwidth conservation
a111: Logged on 2018-09-04 14:33 trinque: more like "if you want to filter by bandwidth throughput instead of source/dest IP, gotta add new module"
asciilifeform: http://btcbase.org/log/2018-09-04#1847272 << this is correct, there's a lengthy list of 'optionals' , and not only in iptables, but for just about errything
asciilifeform: mircea_popescu: the 'iron babel' of x86 means that there is not and never has been such a thing as 'general purpose kernel'. there exist of course the fraudulent imitations, of shituntu etc. where they roll in 500MB of ??? 'all possible modules' , but it is beneath contempt
asciilifeform: so if you have a working kernel for a particular iron, you can use it with cuntoo, regardless of what shape cuntoo takes.
asciilifeform: trinque: specifically i mean that kernel is built ~for the iron~ rather than 'for the userland'
mircea_popescu: yes, but... "here's one for amd with raid so and so and fg no external ssd" "here's one for the vibrating bullet you gotta wear per mp orders" "here's one for..." we'll catch our ears.
trinque: except that the product of the build isn't bootable without one, but build takes the kernel config as a parameter, so it can indeed be entirely separate
mircea_popescu: alright. it seems the logical cut here is to disentangle trinque from kernel talk. go ye and make cuntoo ; wtf will we do with the kernels, this is rapidly reverting to 1800s standards of engineering, "die with knowledge"
asciilifeform: ( i discovered the method quite early, in the days of mass FG tests, but did not know the sheer number of sad boxen / kernels afflicted, that turn out to need it )
asciilifeform: mircea_popescu: i still dunget why it has to be issue, usb hub can be dialed down to desired speed with method described on FG www pg
trinque: yep that throws out usb 3.0
asciilifeform: mircea_popescu: note that this kernel is tailored to dulap-style box (i.e. amd, and with that particular raid card)
trinque rereads thread
trinque: diana_coman: that's going to have speed implications for anyone attaching an external drive, neh?
mircea_popescu: alright. so basically, we have a july latest-kernel from alf at http://nosuchlabs.com/pub/conf_current.conf << diana_coman trinque erryone else interested read and see if it works for you / comment ?
a111: Logged on 2018-08-01 21:28 diana_coman: after reading around on this mess with the usb speeds, the summary + questions would be: 1. the dwc_otg seems actually specific to raspberry pi so I don't see how it's directly useful atm; am I missing something? 2. the manual/runtime pill so far relies on the companion mechanism to force a USB port down from "high speed" to "full speed" so basically from ehci to uhci/ohci; wouldn't it make more sense to blacklist ehci, xhci and whatever
diana_coman: and just so it doesn't get forgotten, any new config should have xhci turned off as per http://btcbase.org/log/2018-08-01#1838824
mircea_popescu: alright. is this your latest, ie, current kernel ?
mircea_popescu: asciilifeform you gotta get better at labeling. "old" here is "not april ; but the later one" ?
a111: Logged on 2018-07-12 15:36 asciilifeform: mircea_popescu: asciilifeform's old kernel consists of hand-selected modules, corresponding to dulap-III irons, config can be seen here, http://nosuchlabs.com/pub/conf_current.conf
mircea_popescu: let's import as little turd in sausage as we can.
asciilifeform: mircea_popescu: iirc i posted the config, lessee, :
asciilifeform: mircea_popescu: this is entirely so, take a look at the kernel config list sometime, it is a riot of ???
trinque: aha, "what does firewall mean to /me/ ?"
mircea_popescu: the other idea being that apparently it's not even strictly speaking clear what "have iptables" means.
diana_coman: asciilifeform, I have iptables atm; the idea was to have it by default on any new config/box/system
asciilifeform: diana_coman: if you copy kernel from the 2nd smg box, you get iptables.
asciilifeform: yes, iirc it did not, given as it was a physical clone of mine, which at the time also did not.
asciilifeform: diana_coman: aah we're speaking of the april box
trinque: diana_coman: mind throwing me your kernel .config for comparison with mine?
asciilifeform: or was simply 1 ~component~ of iptables absent ( there's somewhere like 50+ 'optionals' in the list )
a111: Logged on 2018-09-04 14:16 diana_coman: asciilifeform, trinque in case it helps, the kernel option I need to turn on in order to be able to run iptables on the smg machine is networking support/networking options/network packet filtering framework/core netfilter configuration/netfilter xtables support
asciilifeform: http://btcbase.org/log/2018-09-04#1847258 << diana_coman i was under the (possibly mistaken) impression that i built smg box with iptables-able kernel. but was not ?
mircea_popescu: but yes, evidently the (undiagnosed ; are these people morons ?!) problem is that "anything could be a firewall rule", ie, this is a place where the scripting turns upon the whole machine state. which makes me suspect there's a more fundamental error at work somewhere (possibly the very attempt to build a pantsuit net, allcomers-based, possibly something else), but until we get a fix on that...
mircea_popescu: make a cut between and that's it.
mircea_popescu: diana_coman 's thing above serving as a "no less than" seeing how minigame is a major downstream adopter ; and the usual "more loc ?! fu!" as a "no more than" driver.
mircea_popescu: trinque kinda what i was thinking here, spend an hour thinking what'd make the cut, put it in, and that's it.
diana_coman: it is asciilifeform's kernel indeed; iptables or something else to limit access though I think is a must on a server
trinque: iirc diana_coman is running an asciilifeform kernel, but I think alf approaches kernels similarly to me: "nothing broke when I turned this off, so off" until that heuristic bumps into something. going to be different bumps in different deployments.
trinque: there is an extremely broad category of possible iptables/netfilter doodads with which to make a firewall, router, etc. I could certainly see use in defining a subset of what's available as standard.
mircea_popescu: i mean, it'd be ok for a terminal. but as a server it gotta have something-like-iptables neh ?
mircea_popescu: well this promises to be a serious problem that can't be winged, but will require some thought ; in part because i don't directly see the difference ; and in part because i don't really think a machine without a functioning way to limit access to it is actually seaworthy.
trinque: more like "if you want to filter by bandwidth throughput instead of source/dest IP, gotta add new module"
mircea_popescu: now, it boggles my mind that this is how it'd fucking work. is it ?!
mircea_popescu: so in this sense, if "iptables" as a module requires recompilation in order for the scripting to work, it's exactly like a car which, upon turning the wheel, puts up an order for a new car via the useful app instead of turning the wheels.
mircea_popescu: even though a car with fixed wheel inclination would be more robust and cheaper to build.
mircea_popescu: it's my understanding that the point of adding scriptability to a program is exactly that : to permit changes in its functioning ("configuration") without requiring a whole recompile. much like the point of adding a steering wheel in a car is to permit the car to take arbitrary curves, as scripted at time of driving. rather than having to driver (how?) car back to factory get a new one with the differently inclined wheelbase.
trinque: but then the Linux kernel even has in-built TLS support these days (at least optional, for now)
trinque: ah, yeah, API to hook to some userland filter proggie and be done with it, eh?
mircea_popescu: we're not even discussing you, here. i was talking about iptables.
trinque: I can't anticipate every single use case someone's going to have.
mircea_popescu: this sounds like a terrible way to go about it. what, fiddling with iptables = kernel rebuild ? why even have a scriptable config if this is how it goes, jaysus
trinque: sounds right to me; there are myriad other kernel options for various rule types for iptables
diana_coman: asciilifeform, trinque in case it helps, the kernel option I need to turn on in order to be able to run iptables on the smg machine is networking support/networking options/network packet filtering framework/core netfilter configuration/netfilter xtables support
deedbot: http://bingology.net/2018/08/02/selected-costs-associated-with-furnishing-casa-boingo-for-the-curious/ << Bingology - BingoBoingo's Blog - Selected Costs Associated With Furnishing Casa Boingo For The Curious
deedbot: http://bingology.net/2018/07/29/casa-boingo-a-photo-tour/ << Bingology - BingoBoingo's Blog - Casa Boingo - A Photo Tour
deedbot: http://bingology.net/2018/07/14/the-joy-of-morcilla-dulce/ << Bingology - BingoBoingo's Blog - The Joy Of Morcilla Dulce
deedbot: http://bingology.net/2018/07/07/a-look-at-fraudball-the-terrible-spectator-sport/ << Bingology - BingoBoingo's Blog - A Look At Fraudball, The Terrible Spectator Sport
deedbot: http://bingology.net/2018/06/29/the-moving-process-in-montevideo-continues/ << Bingology - BingoBoingo's Blog - The Moving Process In Montevideo Continues
deedbot: http://bimbo.club/?p=8 << Bimbo.Club - TMSR log summary - 09/01/2018
deedbot: http://trilema.com/2018/no-such-labs-snsa-august-2018-statement/ << Trilema - No Such lAbs (S.NSA), August 2018 Statement
BingoBoingo: Well, a good chunk of it is the when of being around people
cazalla: i did get out of my head, i hear (and have read from your own account) what you're saying, went out on a few day trips with the locals and spoke to them etc
BingoBoingo: The socialization is of tremendous value
cazalla: surprised enough i got a plane and went overseas.. really should've done that shit a long time ago
BingoBoingo: Gotta give hostels a try
cazalla: i already know what you'll say re: accommodation though :)
cazalla: they make the distinction where as i don't, but do you if i bring some taiwanese lass in here?
cazalla: and these taiwanese consider themselves separate from the chinese, although they are of the same blood
cazalla: i guess i don't have the experience and it makes me feel uncomfortable chatting with someone under 18 even if it's benign, call it conditioning from the west
cazalla: i don't wanna be the white foreign guy hitting on young girls tbh