IRC chat logs for #ltsp on irc.libera.chat (webchat)


Channel log from 7 September 2019   (all times are UTC)

00:11GodFather has joined IRC (GodFather!~rcc@d53-64-7-141.nap.wideopenwest.com)
00:45GodFather has left IRC (GodFather!~rcc@d53-64-7-141.nap.wideopenwest.com, Ping timeout: 268 seconds)
00:47GodFather has joined IRC (GodFather!~rcc@d53-64-7-141.nap.wideopenwest.com)
01:10GodFather has left IRC (GodFather!~rcc@d53-64-7-141.nap.wideopenwest.com, Ping timeout: 245 seconds)
05:43kjackal has joined IRC (kjackal!~quassel@2a02:587:3110:a100:2128:e04f:7e73:db19)
05:50kjackal has left IRC (kjackal!~quassel@2a02:587:3110:a100:2128:e04f:7e73:db19, Ping timeout: 250 seconds)
06:20shored has left IRC (shored!~shored@87-92-122-167.bb.dnainternet.fi, Read error: Connection reset by peer)
06:20shored has joined IRC (shored!~shored@87-92-122-167.bb.dnainternet.fi)
07:15shored has left IRC (shored!~shored@87-92-122-167.bb.dnainternet.fi, Read error: Connection reset by peer)
09:18shored has joined IRC (shored!~shored@87-92-122-167.bb.dnainternet.fi)
09:21shored has left IRC (shored!~shored@87-92-122-167.bb.dnainternet.fi, Read error: Connection reset by peer)
09:21shored has joined IRC (shored!~shored@87-92-122-167.bb.dnainternet.fi)
09:39kjackal has joined IRC (kjackal!~quassel@2a02:587:3110:a100:2128:e04f:7e73:db19)
09:52kjackal has left IRC (kjackal!~quassel@2a02:587:3110:a100:2128:e04f:7e73:db19, Remote host closed the connection)
09:53kjackal has joined IRC (kjackal!~quassel@2a02:587:3110:a100:2128:e04f:7e73:db19)
10:32kjackal has left IRC (kjackal!~quassel@2a02:587:3110:a100:2128:e04f:7e73:db19, Ping timeout: 276 seconds)
10:40kjackal has joined IRC (kjackal!~quassel@2a02:587:3110:a100:2128:e04f:7e73:db19)
10:52shored has left IRC (shored!~shored@87-92-122-167.bb.dnainternet.fi, Read error: Connection reset by peer)
10:53shored has joined IRC (shored!~shored@87-92-122-167.bb.dnainternet.fi)
11:00shored has left IRC (shored!~shored@87-92-122-167.bb.dnainternet.fi, Ping timeout: 244 seconds)
11:31shored has joined IRC (shored!~shored@87-92-122-167.bb.dnainternet.fi)
11:32shored has left IRC (shored!~shored@87-92-122-167.bb.dnainternet.fi, Read error: Connection reset by peer)
11:34shored has joined IRC (shored!~shored@87-92-122-167.bb.dnainternet.fi)
11:40shored has left IRC (shored!~shored@87-92-122-167.bb.dnainternet.fi, Ping timeout: 246 seconds)
12:06shored has joined IRC (shored!~shored@87-92-122-167.bb.dnainternet.fi)
12:13woernie has joined IRC (woernie!~werner@p200300E3BF05916664420A1137C85F96.dip0.t-ipconnect.de)
12:18adrianor1 has left IRC (adrianor1!~adrianorg@187.115.108.130, Ping timeout: 244 seconds)
12:28y5y5y has joined IRC (y5y5y!8fa70da0@143.167.13.160)
12:28y5y5y has left IRC (y5y5y!8fa70da0@143.167.13.160, Remote host closed the connection)
12:36kjackal has left IRC (kjackal!~quassel@2a02:587:3110:a100:2128:e04f:7e73:db19, Ping timeout: 276 seconds)
12:40kjackal has joined IRC (kjackal!~quassel@2a02:587:3110:a100:2128:e04f:7e73:db19)
12:45adrianorg has joined IRC (adrianorg!~adrianorg@187.58.140.241)
13:19kjackal has left IRC (kjackal!~quassel@2a02:587:3110:a100:2128:e04f:7e73:db19, Ping timeout: 252 seconds)
14:44jgee has left IRC (jgee!~jgee@190.159.118.121, Quit: The Lounge - https://thelounge.chat)
14:50jgee has joined IRC (jgee!~jgee@190.159.118.121)
14:55jgee has left IRC (jgee!~jgee@190.159.118.121, Quit: The Lounge - https://thelounge.chat)
15:16shored has left IRC (shored!~shored@87-92-122-167.bb.dnainternet.fi, Ping timeout: 245 seconds)
15:21shored has joined IRC (shored!~shored@87-92-122-167.bb.dnainternet.fi)
15:23jgee has joined IRC (jgee!~jgee@190.159.118.121)
16:44nickie has joined IRC (nickie!9366c909@147.102.201.9)
16:47
<nickie>
Hello everybody. We intend to use LTSP in a lab with ~60 computers where the Balkan Olympiad in Informatics will be hosted, at NTUA. We're facing some problems with the firewall that we want to install on the (fat) clients --- ufw. Any volunteers to give me a hand? Thanks...
17:21
<alkisg>
nickie: what kind of problems?
17:23
<nickie>
we need to install a firewall so that the clients can only access our local network, and not the internet
17:23
so we use ufw default deny outgoing
17:23
<alkisg>
nickie: setting the gateway isn't enough?
17:24
<nickie>
and we allow outgoing traffic only to specific servers
17:24
ah, we also don't want the clients to talk to each other, and to misbehave to the servers, so I think we really need a firewall
17:24
<alkisg>
OK, anyway, limiting traffic to specific servers should also be easy with ufw
17:24
<nickie>
yes it is
17:24
<alkisg>
(or plain iptables)
17:24
What problem are you facing?
17:25
<nickie>
but, when ufw starts on the clients, the nbd connection dies
17:25
<alkisg>
Are you blocking certain ports too?
17:25
<nickie>
if we have ufw disabled at boot time and we enable it later on, from the client's console, with the exact same configuration, all is well
17:25
so I think it's not a problem of the ufw configuration
17:26
<alkisg>
Hmm that might not be true. Maybe ufw doesn't block *existing* connections
17:26
So it's quite possible it's a problem with ufw configuration
17:26
<nickie>
we allow all incoming/outgoing traffic to the LTSP server
17:27
or it could be the other way round, if ufw blocks existing connections when it starts
17:27
<alkisg>
What's the output of `sudo ufw status` ?
17:27
<nickie>
`ufw status verbose`
17:28
<alkisg>
!paste
17:28
<ltsp>
paste: To avoid channel flooding, please upload text longer than 3 lines to http://paste.debian.net. Don't forget to paste the resulting URL here.
17:29
<nickie>
Sorry, http://paste.debian.net/1099404/
17:29
the LTSP server is 13
17:29
and we have three versions of its IP: IPv4, IPv6 and auto IPv6
17:30
<alkisg>
I don't see any "ALLOW IN"
17:30
I don't know ufw, but shouldn't that be there?
17:30
<nickie>
default allow incoming
17:30
the first line is the command I used
17:31
<alkisg>
allow outgoing, disabled routed? So that means that it allows all traffic to LAN by default?
17:31
<nickie>
nope, this configuration works; the problem is when we have default deny outgoing
17:32
<alkisg>
And the ltsp server is in the same subnet, right?
17:32
<nickie>
This does not work: `Default: allow (incoming), deny (outgoing), disabled (routed)`
17:32
yes
17:33
<alkisg>
Btw how many servers do you want the clients to access? E.g. the ltsp server and a couple of other ones?
17:34
<nickie>
after starting the client and then switching to the "deny" configuration, the client can ssh to the server
17:35
so I don't think the problem is in the configuration of ufw
17:35
just these two: 13 and 15
17:35
and the nameserver (222.210)
17:35
<alkisg>
Maybe it would be easier to set subnet mask=255.255.255.255 to the clients, and add 2 routes to those?
17:35
Similar to what ISPs do...
17:36
Or, use iptables directly, instead of ufw
17:36
Btw, I see online some people using both ufw and iptables-persistent, and getting the error you report because of iptables-persistent, not because of ufw...
17:37
In any case I think the question is more for ufw rather than #ltsp... maybe asking in #ubuntu would be better
17:38
<nickie>
One more thing, if you happen to know
17:38
<alkisg>
nickie: btw, Greek?
17:38
<nickie>
We want to install sshd on the clients, so that we use something like ansible to manage them remotely
17:38
(yes, of course)
17:38
<alkisg>
;)
17:38
Have you seen epoptes.org?
17:38
!epoptes
17:38
<ltsp>
epoptes: Epoptes is a computer lab administration and monitoring tool. It works on Ubuntu and Debian based labs with LTSP or non-LTSP servers, thin and fat clients, standalone workstations, NX clients etc. More info: http://www.epoptes.org
17:39
<nickie>
OK, this could be a solution
17:39
<alkisg>
We developed that specifically for Greek school labs
17:39
<nickie>
but if we want to install openssh-server, how do we manage the clients' machine keys?
17:40
<alkisg>
That's the unsafe part; epoptes is safer there,
17:40
<nickie>
the problem with our situation vs. schools is that we expect 50 potential super clever hackers :-)
17:40
<alkisg>
so, you could either have each client regenerate them on boot,
17:40
haha
17:40
and then trust them dynamically after the clients boot,
17:40
<nickie>
and we do that with RC_FILE01 etc. ?
17:41
<alkisg>
INIT_COMMAND is better, it runs earlier,
17:41
or you could store them in the image and move/symlink them at boot, which would have the security issue that clever users could see all private keys
17:42
On the other hand, epoptes is using reverse openssl connections, so it doesn't have that problem
17:42
<nickie>
Thanks a lot alkisg! BTW, I tried to contact you on Google Hangouts before, please ignore it.
17:42
<alkisg>
Oh, didn't Google Hangouts expire? I didn't see anything... I'll ignore it if I see it, ok
19:24ZAJDAN has left IRC (ZAJDAN!~zdenek@77.48.149.75, Quit: Konversation terminated!)
19:41
<nickie>
SOLVED, for future reference:
19:41
Don't use a "deny" default policy for ufw, otherwise nbd will disconnect while booting.
19:41
This explains why: https://community.scaleway.com/t/how-to-configures-iptables-with-input-rules-with-dynamic-nbd/303/22
19:43
Use the "allow" default policy for outgoing and, after the specific rules, `ufw deny out to any`.
19:43
BTW, epoptes is great, thanks everybody!
19:43
<alkisg>
nickie: I thought it might do that (default to deny, drop everything, THEN see the allow rule), but then I thought it would be too stupid if it did that, and I didn't even mention it :D
19:43
You're welcome :)
19:46nickie has left IRC (nickie!9366c909@147.102.201.9, Remote host closed the connection)
20:10woernie has left IRC (woernie!~werner@p200300E3BF05916664420A1137C85F96.dip0.t-ipconnect.de, Remote host closed the connection)
21:42vagrantc has joined IRC (vagrantc!~vagrant@unaffiliated/vagrantc)