Topic: KanoPool kano.is lowest 0.9% fee 🐈 since 2014 - Worldwide - 2432 blocks - page 1076. (Read 5352445 times)

That is cool!  When I saw the 660, my brain saw TH/s instead of GH/s.  That block hit was impressive!

No idea what that miner was, quite an old cgminer version
But awsesome luck - an ~660GHs long term miner

Not attempting to answer his question, but, on linux a firewall is just a set of iptables commands (and other optional stuff like tc and ipset)

Most people on linux tend to believe that there's some magic to that and allow standard packages to decide those rules, but in general it's quite straight forward to add your own iptables rules to an existing one, or even do your own one from scratch.

While routers do usually let you decide the rules in them also, I'm not one to trust a router to decide the actual rules in an environment I'd want secured, since you need to spend a lot of money on a standard router if you want to have something that's reliable in that area ... e.g. my home configuration is a linux box as a router (12G ram, raid1 SSD, old i5) that talks bridge mode to the internet connection and of course the firewall is scripted by me

If you add one of my DNS servers it will only resolve domains I manage - and thus the only domains that have anything to do with mining being kano.is/kano.space
I have 3 DNS servers for those domains (a 4th one soon in china when I get around to setting it up)
I run my DNS servers - and mail servers and web servers and ... everything

However, if you're concern is MITM DNS redirection, then as I mentioned before, using proxies means that if you do need to change where they point, you only need to change the proxies you are running (and the firewall), not all the miners, since the miners would all point to the few proxies and the proxies would decide where they are mining. Of course that could all still be IP address based as you're currently doing, and the proxies would of course be in there with the miners, not outside somewhere.

Edit: you could then make your firewall rules even more specific, only allowing the proxies to talk to the pool/pools

Now you have me curious..   What kind of firewall is it?

Yep, that is 100% the problem.  The problem isn't name resolution, it is I want to control what outbound connections the machines on my network connect to.  With tons of machines running all types of god knows what on them (I am not talking about cgminer , I don't want it to be a free-for-all.  Basically, I trust them to make outbound connections to any server Kano sets up (and to a few other places), but not to anywhere else.  Thus, the need to use the IP address of the pool server as it can not be done by name (stratum.kano.is).  As I said before, I like to lock everything down as much as possible!  It makes some things more of a pain, but I like to sleep at night

Thanks for the input guys!

Nice job Buzz.. someday I too will be on "the board"!

Block by buzzsport!  Welcome to the Acclaim Board with your 1st Kano block!    This is our 1st of the day! 

That won't work for him either. The shortcoming (not going to say problem) is that the firewall would need to do the DNS lookup at the time it boots (and maybe periodically to refresh) to determine what firewall rule to put in place and it doesn't support that.

The "fix" would be to allow all outbound traffic to TCP port 3333, but that would open him to up his miners being able to connect to pools he doesn't want them to (which I would assume is what is trying to be prevented).

Since the firewall you use only works with IP addresses in the rules, maybe allow your miners to 8.8.8.8 and 8.8.4.4 port 53 for DNS?  Set your miners DNS to those 2 IP's, then you wouldn't have to worry next time an IP changes.  Just throwing out options for you..

Thank you for the info, I will get on changing things over to the new IP address in the next 24 hours.  

The problem with using DNS is the firewalls I use only allow rules using an IP address.  So in a way, yes, I can not use DNS where the miners are as the firewalls do not use DNS (only IP addresses).  100% understood that if you change stratum.kano.is to point to a new IP address then I will need to update it again.

Thanks again for the info!

24-36 hours
They can't both run.

So basically you are saying you cannot access any sort of DNS where your miners are?
I guess point it at the IP of the new passthru.
If that ever changes, then you'll have to change it again.

Kano, while I appreciate that you think using an IP isn't the way to do it (in general DNS is a much easier way to propagate any IP address changes), please realize it is what works best for my setup.  If, for nothing else the firewalls I use restrict by IP address only, and I assume you agree that people should use firewalls.  So, let me ask again, Kano, how long are you leaving the old server in Vegas up for?

Over an hour since the last network block. Sure would be nice to get this one with all those fees out there!  

Come on Blocks!

The process is progressing well.
A few minor issues with the old backend provider, supplying a problematic server for a frontend, so I wont be using them for that ever again (i.e. none of the new servers are from them)

As I've already mentioned, I've pointed the DNS to a new frontend for mining.
When I change the backend over to the new one in the next 24-36 hours, I'll simply modify where it sends/gets it's work so, of course, no one will need to change anything when I do that, but as mentioned above, there will be about a 5 minute mining outage when that happens.

I'm also setting up (almost done) a new front end server to the web site - the 2nd new server mentioned above.
That will be done before the final change over.
It will also be able to be easily switched from getting data from the old server to the new server when the change over occurs.
Web/API access will probably be a longer outage when the changeover occurs, since there's 2 steps, the back end move, and then a ckdb restart (or 2) which adds another 5-10 minutes to the outage.
i.e. it could be up to a 15 minute web/api outage when I do the final change.

Using the IP address is a bad idea for anyone.
The new IP address doesn't point to the new server, just to a front end passthru (which uses truck loads of CPU even though it does nothing else, and reports zeros for everything, I guess no one actually ever tested/used it including the developer )
Thus if ever something drastic happens (e.g. like an extended DDoS, which hasn't happened before, or an extended server/provider failure) it's a minor change to move the front end and change the IP address via DNS.

Soon after I complete the changes I'll contact a few of the large miners and give them a 2nd front end whitelisted to allow a second (similar) access.
(i.e. I'll only allow access to that server from a set of IP addresses)
However, of course, there's no guarantee that one could never be DDoSed either, since a large DDoS can affect a whole data center, and of course server failures are always possible.

A redirect to point miners to another frontend, if an outage is known in advance, will fail if you mine to the IP address.
Redirect in cgminer works based on matching your current connection with the redirect, if they don't match, the redirect will be ignored.
e.g. stratum.kano.is => zomg.kano.is would work, but IPADDRESS => zomg.kano.is wont.

You could use a passthru at your data center, and point all your miners to that and then only need to change that if ever anything needed changing.
(Edit: or a straight proxy since that uses a lot less bandwidth and thus means slightly faster block changes for your miners when you have a lot of miners - usually setup as multiple proxies if you have lots of miners, so your miners can failover among them if one ever fails/restarts/whatever, but also, of course, have a final pool failover in the miner pool list)

Kano, how long are you leaving the old server in Vegas up for?  I have a bunch of things that are hard coded to point to only to the IP address of the old server and need to change everything to the IP address of the new server before that old Vegas server is taken down.  I like to lock everything down as much as possible.

kano can you see any connection from me at your end? i got a new router and modem setup, but seems i cant send any info to you. my ip is the same.

i got the same name here as on your site

nevermind me.. some lame auto AIprotection the router  has.. works now

always good to wake up to good mining news!

Haha!  I went to a hockey game tonight...I saw the notification come across my iPhone!