IRCaBot 2.1.0
GPLv3 © acetone, 2021-2022
#saltr
/2024/05/21
StormyCloud Anyone notice any outproxy issues within the past 24 hours?
dr|z3d yeah, it smells funny, StormyCloud
dr|z3d faint smell of rotten eggs and cabbage.
StormyCloud New feature, smell-o-vision
dr|z3d I've got another config for you to try in a few moments to further boost your traffic, mesh.
Irc2PGuest66955 dr|z3d: oh lay it on me
dr|z3d download the latest /dev/ build mesh.
dr|z3d then before you restart, add the following to your router.config -> router.blockOldRouters=false
dr|z3d you'll still block some old routers, notably those that have been identified as hostile, but not so many.
Irc2PGuest66955 aren't the old routers those being used by the attacker for evil?
dr|z3d some are, sure. those will still be blocked.
dr|z3d defaults tend to err on the side of caution rather than permissive.
Irc2PGuest66955 dr|z3d: I come back to the concept of a "carrier node"
dr|z3d hostile routers do damage to the network, so you can't be totally hands off.
Irc2PGuest66955 dr|z3d: like I set "router.profile=carrier" and it sets all these configuration knobs to maximize transit because this router is really just for transit
dr|z3d you've got as many knobs as you're going to get.
dr|z3d and they should be more than sufficient. :)
dr|z3d don't forget i2np.ntcp.maxConnections and i2np.udp.maxConnections mesh.
dr|z3d try setting both of those to something like 8000 or more.
dr|z3d no restart required.
dr|z3d you can also experiment with setting ntcp low and udp high to see how that adjusts things. ntcp appears to be preferred.
dr|z3d also make sure ulimit -n in the account you're running i2p from isn't returning 1024. not fatal, but you want that much higher.
dr|z3d_ > also make sure ulimit -n in the account you're running i2p from isn't returning 1024. not fatal, but you want that much higher.
dr|z3d_ if you don't know how to adjust that, google for /etc/security/limits.conf and ulimit
zzz we fixup ulimit in i2prouter, what matters is the hard limit (-n -H) not the soft limit
dr|z3d yeah, you really want to be editing limits.conf and setting both hard and soft limits to something high, 65535 or more.
zzz no, you don't have to as long as the hard limit is >= 2048, we'll raise the soft limit to 2048 in i2prouter
dr|z3d maybe I need to reread the docs, but 2048 seems like a very conservative limit to me, especially when you're running other things on the box, like nginx.
zzz it's per-process
dr|z3d yeah, per-process, and nginx can use a ton more than that when it's handling a lot of traffic, iirc service_workers is limited by file descriptors for concurrent connections.
dr|z3d also, have you looked at your netdb country list lately?
dr|z3d check Iran.
dr|z3d I saw Iran briefly at the top, above US, though it's dropped now to 2nd place.
zzz in canon we essentially cap NTCP conns at 1500 which leaves plenty for everything else, and haven't heard any complaints
zzz no iran spike here
dr|z3d Iran hit over 900 on one of my routers.
dr|z3d maybe you need to be a ff to see the spike, dunno.
zzz maybe the china botnet hopped over there
dr|z3d or it could be the russians working in tandem with the iranians.
dr|z3d china's still a large contingent here
zzz look if they're all the same version or something else in common
dr|z3d yeah, I looked. a couple of version strings and caps jump out.
dr|z3d PR/PU
dr|z3d no consistent version string, everything from 0.9.55 up.
dr|z3d mostly 0.9.62
zzz since it's all i2pd there's not a lot of caps variation anyway
dr|z3d vast majority are P tier
zzz typical for i2pd
dr|z3d a few FXRs in there as well.
dr|z3d about ntcp, it appears to be preferred over ssu where available?
dr|z3d there's a rebalance algorithm to attempt to push some connections over to ssu, but presumably that only kicks in when ntcp connection limits are hit?
dr|z3d I don't remember if orignal was reporting ssu or ntcp being faster, but he had an opinion :)
zzz no, we still prefer ssu, at least a little
dr|z3d but that's based on connection limits per transport or something else?
zzz that and "cost"
dr|z3d ok, just trying to work out why no one's bothering to connect via ssu2 here. outbound connections look fairly balanced between the two transports.
dr|z3d on one router with http blocklist active, 50 odd dests blocked in the last 3 days.
dr|z3d for odd read "or so"
dr|z3d dests piped to tunnel filter for instant-o-bans.
zzz how many patterns do you have?
dr|z3d around 100, give or take.
zzz zowie
dr|z3d cribbed from the vuln scanner spider urls.
dr|z3d no latency on connections, all seems to be functioning a.ok :)
dr|z3d probably all it needs now is some zzz sprinkles and fairy dust. :)
zzz aka total rewrite? :)
not_bob I take it that killyourtv is back?
not_bob The most recent "new" host is irc.killyourtv.i2p, but that host has been around for a long while.
dr|z3d your powers of observation are exceptional, not_bob
not_bob And it works!
not_bob Not that anyone is using it.
dr|z3d what works? I missed that part.
not_bob The IRC server.
dr|z3d mostly for test purposes afaik
not_bob Yeah, it's lonely.
dr|z3d have you taken the new http blocklist feature for a spin yet in +?
not_bob I have not.
not_bob I should get some time today to play with that.
not_bob I think I'm a week behind on + dev builds.
dr|z3d I have a list of urls, ping me if you want them. + is currently at -3+
dr|z3d as you probably read, 50+ dests snagged in the course of 3 days on one router.
not_bob Ahh, yeah. I did read about the scanners and whatnot.
not_bob So long as you aren't blocking my scanner, it's all good.
dr|z3d if your scanner happens to be cycling through a list of potentially vulnerable urls, then yes. otherwise, no.
not_bob No, it does not.
snex is it at all possible that my issues are due to my external IP changing? or is that just a red herring?
dr|z3d how frequently, snex?
snex very rarely. it changed like a week ago and that's when i saw the problems start
dr|z3d shouldn't be an issue.
snex i am forcing the router to use hostname based peer config
dr|z3d keep an eye on the dev builds.
not_bob Are the blocklist urls dynamic?
dr|z3d dynamic?
not_bob Rather, do I pull them once, or pull them every 24 hours or something for updates?
dr|z3d neither. you supply your own list.
not_bob I assume it's a list of blacklisted b32s?
not_bob Ok, now I'm curious.
dr|z3d it's a list of prohibited urls or strings you don't want matched in requests.
not_bob I can understand that.
dr|z3d requests that match any in your blocklist will get logged to a separate file you can then use the tunnel filter to block.
dr|z3d ie the dest (b32) making the request will get logged.
not_bob Understood
dr|z3d snex: you could just try letting your ip be automatically detected.
dr|z3d see if that helps.
snex i had it that way originally but things stopped working entirely when my IP changed. the autodetect simply didn't work (this might have been i2p not i2p+) which is why i set it to the hostname based resolution
dr|z3d ok, maybe turn on warn level logging and see if anything obvious appears.
snex lots of WARN errors but not sure how relevant they are
dr|z3d yeah, warn is constant. most won't be related to your issue.
cumlord Can I set it to allow only certain requests and block all else?
dr|z3d you'll have to be a bit more specific, cumlord
cumlord Like if I only want someone to be able to access /index and block everything else on a site
not_bob_afk Why would you put stuff on the site you don't want people to access?
dr|z3d oh, you mean with the http blocklist?
StormyCloud change the permissions on the other pages/folders?
snex seems like something you do on the http server
dr|z3d yeah, plenty of ways to achieve that, mostly server-side.
dr|z3d but if you wanted to actually block requests to the resource in + before webserver gets to see the request, you'd give it a list of urls you want to block.
dr|z3d that's a roundabout way of saying, no, there is no whitelist feature yet. just a blacklist.
cumlord Yeah with http blocklist is what I meant
not_bob_afk Depending on your server, you can use url rewrite.