qemu-kvm ...-smp sockets=2 ... solved it for me. What qemu version and build
are you using?
On 14.11.2013 18:47, "Leonardo Santagostini" <lsantagost...@gmail.com> wrote:
>
> Thanks a lot to all, I will give it a try and give you feedback as
> soon as it gets implemented.
>
> Regards.-
> Leonardo Santagostini
>
> <http://ar.linkedin.com/in/santagostini>
>
> 2013/11/14 Andy <a...@brandwatch.com>
>
> >  On 14/11/13 15:21, Leonardo Santagostini wrote:
> >
> > Hello misc,
> >
> > I'm doing my final approach to putting a production system with
> > carp+pfsync+relayd into production.
> >
> > The point is that I'm facing some trouble setting more than one IP alias
> > address with different vhid and different passwd.
> >
> > So, this is the scenario.
> >
> > I'm trying to relayd more or less 15 sites, so I have conceptual doubts.
> >
> > 1) Is it necessary to create one carp interface for each one of my
> > internal VIP addresses?
> > 2) My understanding is that I have to work with pf on my carp interfaces.
> >
> > I have tried to put two different VIPs on my carp, but without luck.
> >
> > Here is the homework.
> >
> > [root@server ~]# uname -a
> > OpenBSD server.internaldomain.com 5.4 GENERIC#37 amd64
> > [root@server ~]#
> >
> > [root@server ~]# cat /etc/hostname.em0
> > inet 172.19.224.180 255.255.255.0
> >
> > [root@server ~]# cat /etc/hostname.em1
> > inet 172.19.226.231 255.255.255.0 172.19.226.255
> >
> > [root@server ~]# cat /etc/hostname.carp0
> > # inet alias 172.19.224.16 255.255.255.255 172.19.224.255 vhid 1 advskew 10 carpdev em0 pass Ahsooqu3
> > inet alias 172.19.224.131 255.255.255.0 172.19.224.255 vhid 2 advskew 10 carpdev em0 pass Meixo9oe
> > # inet alias 172.19.224.41 255.255.255.255 172.19.224.255 vhid 3 advskew 10 carpdev em0 pass av5eG9Gi
> > # inet alias 172.19.224.40 255.255.255.255 172.19.224.255 vhid 4 advskew 10 carpdev em0 pass Rei6thai
> > # inet alias 172.19.224.181 255.255.255.0 172.19.224.255 vhid 5 advskew 10 carpdev em0 pass Toobohz3
> > # inet alias 172.19.224.182 255.255.255.255 172.19.224.255 vhid 6 advskew 10 carpdev em0 pass Quahng6U
> >
> >  CARP should look like this (master);
> > inet 172.19.224.16 255.255.255.0 172.19.224.255 vhid 1 carpdev em0 pass Ahsooqu3 advskew 0
> > inet alias 172.19.224.131 255.255.255.255
> > inet alias 172.19.224.41 255.255.255.255
> > inet alias 172.19.224.40 255.255.255.255
> > inet alias 172.19.224.181 255.255.255.255
> > inet alias 172.19.224.182 255.255.255.255
> >
> > And (backup);
> > inet 172.19.224.16 255.255.255.0 172.19.224.255 vhid 1 carpdev em0 pass Ahsooqu3 advskew 200
> > inet alias 172.19.224.131 255.255.255.255
> > inet alias 172.19.224.41 255.255.255.255
> > inet alias 172.19.224.40 255.255.255.255
> > inet alias 172.19.224.181 255.255.255.255
> > inet alias 172.19.224.182 255.255.255.255
> >
> > And yes, the subnet masks for the aliases should be /32, and you will see a
> > warning in the logs during fail-over. This is fine, the devs just haven't
> > muted the check warning yet.
> >
> > You've done it right if 'netstat -rn' shows;
> >
> > 172.19.224.131     127.0.0.1          UGHS       0        0 33152     8 lo0
> > 172.19.224.131/32  172.19.224.131     U          0        0     -     4 carp0
> >
> >
> >  [root@server ~]# cat /etc/hostname.pfsync0
> > up syncdev em1
> >
> > [root@server ~]# cat /etc/pf.conf
> > ext_if="carp0"
> >
> >  You don't refer to CARP as an interface; it is simply a VRRP watchdog
> > interface (for example, you cannot set the MTU on a CARP interface as it is
> > not really an interface).
> > Use the physical..
> >
> > ext_if="em0"
> >
> >
> >
> > set fingerprints "/etc/pf.os"
> > set optimization aggressive
> > set limit states 90000
> >
> >  Definitely needs to be higher! Try 1 million..
> >
> >
> >  set limit src-nodes 65000
> >
> > table <bad_ip> persist
> > table <internat_net> persist file "/etc/internal_net"
> > table <admitted_net> persist file "/etc/admitted.txt"
> >
> > # vip1_address = "172.19.224.181"
> > # vip2_address = "172.19.224.16"
> > vip3_address = "172.19.224.131"
> > # vip4_address = "172.19.224.41"
> > # vip5_address = "172.19.224.40"
> >
> >  Just to keep you sane, remember these rules;
> > # (SNAT) NATing is done before filtering, 'pass out on $if_ext from $external_carp_ip1' (public address as src for outbound).
> > # (DNAT) RDRing is done before filtering, 'pass in on $if_ext from any to $internal_ip1' (private address as dst for inbound).
> >
> > [image: OpenBSD_PF_flow]
> >
> >
> >
> > # Stop processing when the traffic comes from the internal networks
> > pass in quick from <internat_net> to any
> >
> > # Let through the IPs from the admitted networks
> > # pass in quick from <admitted_net> to $vip1_address
> > pass in quick from <admitted_net> to $vip3_address
> >
> > # Generate the block
> > block in quick from <bad_ip>
> >
> >  Your 'block in quick's should be above your 'pass in quick's!
> > quick means stop evaluating and do this action now..
> >
> >
> >  block in log quick on $ext_if proto tcp from any os "NMAP" to any label
> > ExtNMAPScan
> >
> > # Protection against nmap and similar tools
> > # block in quick on $ext_if proto tcp flags FUP/WEUAPRSF
> > block in quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
> > block in quick on $ext_if proto tcp flags SRAFU/WEUAPRSF
> > block in quick on $ext_if proto tcp flags /WEUAPRSF
> > block in quick on $ext_if proto tcp flags SR/SR
> > block in quick on $ext_if proto tcp flags SF/SF
> > block in quick from urpf-failed
> >
> >
> > # Apply DoS and SYN flood rules on site1
> > # pass in log on $mob_if proto tcp to $vip1_address port www keep state (sloppy, max 10000, max-src-nodes 5000, max-src-conn 100, max-src-conn-rate 95/2, adaptive.start 6000, adaptive.end 12000, tcp.first 15, tcp.opening 5, tcp.established 3600, tcp.closing 5, tcp.finwait 15, tcp.closed 15, tcp.tsdiff 5)
> >
> >  Be careful, Direct Server Return does require sloppy states, but be aware
> > that this totally undermines state security!
> > You still need a firewall on the outside of the load balancer to sanitize
> > the flows.. Catch 22, as you cannot have the load balancer (with DSR) on the
> > same box as your PF filtering if you want load balancing (with DSR) and
> > full security..
> > I.e. DSR and full state modulation/security are mutually exclusive..
> >
> >
> > # Apply DoS and SYN flood rules on site2
> > # pass in on $ext_if proto tcp to $vip2_address port www keep state (sloppy, max 10000, max-src-nodes 5000, max-src-conn 150, max-src-conn-rate 150/3)
> >
> > # Apply rules for site3
> > pass in on $ext_if proto tcp to $vip3_address port www keep state (sloppy, max 10000, max-src-nodes 5000, max-src-conn 150, max-src-conn-rate 100/3)
> >
> > # Apply DoS and SYN flood rules on site4
> > # pass in on $ext_if proto tcp to $vip4_address port www keep state (sloppy, max 10000, max-src-nodes 5000, max-src-conn 150, max-src-conn-rate 100/3)
> >
> > # Apply DoS and SYN flood rules on site5
> > # pass in on $ext_if proto tcp to $vip5_address port www keep state (sloppy, max 10000, max-src-nodes 5000, max-src-conn 150, max-src-conn-rate 100/3)
> >
> > # Anchor for relayd
> > anchor "relayd/*"
> >
> >
> > [root@server ~]# cat /etc/relayd.conf
> > # Load-balancing configuration file
> >
> > ## Global options
> > interval 5
> > timeout 500
> > prefork 15
> > log all
> >
> > ## VIP addresses
> > # address1="172.19.224.16"
> > # address2="172.19.224.181"
> > address3="172.19.224.131"
> > # address4="172.19.224.41"
> > # address5="172.19.224.40"
> >
> > ## Server addresses
> > wsapp1="172.19.224.200"
> > wsapp2="172.19.224.201"
> > webcache01="172.19.224.70"
> > webcache02="172.19.224.71"
> > webcache03="172.19.224.72"
> > webcache04="172.19.224.73"
> >
> > ## Table definitions
> > table <mobileweb> { $wsapp1 $wsapp2 }
> > table <webcaches> { $webcache01 $webcache02 $webcache03 $webcache04 }
> > table <webcaches1> { $webcache01 }
> >
> > ## Protocol definitions (filters)
> >
> > http protocol "httpSite1" {
> >
> >         header change "Connection" to "close"
> >         header append "$REMOTE_ADDR" to "X-Forwarded-For"
> >         cookie hash "sessid"
> >
> > }
> >
> > http protocol "httpSite2" {
> >
> >         header change "Connection" to "close"
> >         header append "$REMOTE_ADDR" to "X-Forwarded-For"
> >         cookie hash "sessid"
> >
> > }
> >
> > http protocol "httpSite3" {
> >
> >         header change "Connection" to "close"
> >         header append "$REMOTE_ADDR" to "X-Forwarded-For"
> > }
> >
> > http protocol "httpSite4" {
> >
> >         header append "$REMOTE_ADDR" to "X-Forwarded-For"
> >
> > }
> >
> > http protocol "httpSite5" {
> >
> >         header append "$REMOTE_ADDR" to "X-Forwarded-For"
> >
> > }
> >
> > ## Relay definitions
> >
> > #relay site1 {
> > #        listen on $address2 port 80
> > #        protoc

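Two checks a practitioner would want to run before the next fail-over test, written as an added example for this page (not code from the thread, from relayd or from OpenBSD): a quick-rule ordering lint for pf.conf, following Andy's point that the 'block in quick' rules must sit above the 'pass in quick' rules, and a layout lint for hostname.carpN that enforces one primary vhid/carpdev/pass line with bare /32 aliases under it. The fragments it runs on are constructed from the configs in the thread with the passphrases replaced. The function names, the message wording and the rule that every quick block must precede the first quick pass are this example's own conventions, not something pf enforces; pf only guarantees that a quick match ends evaluation for that packet.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenBSD): two lint functions
# for the mistakes discussed above. Each reads a config on stdin, prints
# one line per problem, and exits 0 when clean or 1 otherwise. Plain sh
# plus awk, so it runs on the firewall itself before 'sh /etc/netstart'.

# pf_quick_order: flag every 'block ... quick' rule that sits below the
# first 'pass ... quick' rule. quick ends evaluation at the first match,
# so a <bad_ip> host that is also in <admitted_net> is passed by the
# earlier rule and the block further down never sees that packet.
pf_quick_order() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]*pass[ \t].*[ \t]quick([ \t]|$)/ && !seen { seen = NR }
        /^[ \t]*block[ \t].*[ \t]quick([ \t]|$)/ && seen {
            printf "line %d: block quick shadowed by pass quick at line %d: %s\n", NR, seen, $0
            bad = 1
        }
        END { if (bad) exit 1 }
    '
}

# carp_alias_check: enforce the hostname.carpN layout from the thread:
# one primary 'inet ... vhid N carpdev ifN pass ...' line, then bare
# 'inet alias A.B.C.D 255.255.255.255' lines with no vhid/pass of their own.
carp_alias_check() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        $1 == "inet" && $2 != "alias" && !primary {
            primary = 1
            if ($0 !~ /[ \t]vhid[ \t]/ || $0 !~ /[ \t]carpdev[ \t]/ || $0 !~ /[ \t]pass[ \t]/) {
                printf "line %d: primary address needs vhid, carpdev and pass: %s\n", NR, $0
                bad = 1
            }
            next
        }
        $1 == "inet" && $2 == "alias" {
            if (!primary) {
                printf "line %d: alias listed before the primary vhid/carpdev/pass line: %s\n", NR, $0
                bad = 1
            }
            if ($4 != "255.255.255.255") {
                printf "line %d: alias should use a /32 mask (255.255.255.255): %s\n", NR, $0
                bad = 1
            }
            if ($0 ~ /[ \t](vhid|advskew|carpdev|pass)([ \t]|$)/) {
                printf "line %d: alias must not carry its own vhid/advskew/carpdev/pass: %s\n", NR, $0
                bad = 1
            }
            next
        }
        END { if (bad) exit 1 }
    '
}

# Constructed fragments modelled on the thread (passphrases replaced).
# PF_BAD keeps the posted order: both quick passes above the quick blocks.
PF_BAD='ext_if="em0"
vip3_address="172.19.224.131"
table <bad_ip> persist
table <admitted_net> persist file "/etc/admitted.txt"
pass in quick from <internat_net> to any
pass in quick from <admitted_net> to $vip3_address
block in quick from <bad_ip>
block in log quick on $ext_if proto tcp from any os "NMAP" to any
block in quick on $ext_if proto tcp flags SF/SF
block in quick from urpf-failed
pass in on $ext_if proto tcp to $vip3_address port www keep state
anchor "relayd/*"'

# PF_GOOD: the same rules with the quick blocks moved above the quick passes.
PF_GOOD='ext_if="em0"
vip3_address="172.19.224.131"
table <bad_ip> persist
table <admitted_net> persist file "/etc/admitted.txt"
block in quick from <bad_ip>
block in log quick on $ext_if proto tcp from any os "NMAP" to any
block in quick on $ext_if proto tcp flags SF/SF
block in quick from urpf-failed
pass in quick from <internat_net> to any
pass in quick from <admitted_net> to $vip3_address
pass in on $ext_if proto tcp to $vip3_address port www keep state
anchor "relayd/*"'

# CARP_BAD: per-alias vhid/pass and a /24 mask, as originally posted.
CARP_BAD='inet alias 172.19.224.131 255.255.255.0 172.19.224.255 vhid 2 advskew 10 carpdev em0 pass secret2
inet alias 172.19.224.41 255.255.255.255 172.19.224.255 vhid 3 advskew 10 carpdev em0 pass secret3'

# CARP_GOOD: one vhid on the primary address, /32 aliases underneath.
CARP_GOOD='inet 172.19.224.16 255.255.255.0 172.19.224.255 vhid 1 carpdev em0 pass secret1 advskew 0
inet alias 172.19.224.131 255.255.255.255
inet alias 172.19.224.41 255.255.255.255'

# Stand-alone run over the four fragments; the '||' / '&&' keep a
# failing lint from aborting the script.
printf '%s\n' "$PF_BAD"    | pf_quick_order   || echo "PF_BAD: fix rule order"
printf '%s\n' "$PF_GOOD"   | pf_quick_order   && echo "PF_GOOD: quick ordering ok"
printf '%s\n' "$CARP_BAD"  | carp_alias_check || echo "CARP_BAD: fix alias layout"
printf '%s\n' "$CARP_GOOD" | carp_alias_check && echo "CARP_GOOD: alias layout ok"
```

Against real files, run carp_alias_check < /etc/hostname.carp0 and pf_quick_order < /etc/pf.conf, then still run pfctl -nf /etc/pf.conf: the lint looks at ordering and alias layout only, not syntax, and it does not know which of your quick blocks are meant to protect which VIP.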