Hello list,

Painfully, I had to migrate the relayd service to Linux boxes with Piranha
until I find the issue that caused relayd to exit unexpectedly.

So if someone wants to make some smoke tests to find the issue, please tell me.

Best regards,

Leonardo


Regards.-
Leonardo Santagostini

<http://ar.linkedin.com/in/santagostini>





2013/11/18 Leonardo Santagostini <lsantagost...@gmail.com>

> Hello all, unfortunately I have to set up a cron entry that bounces relayd.
>
> Here is the log that shows how relayd stopped working:
>
> Nov 18 18:34:55 v-arcbabalancer01 relayd[20347]: relay relay5, session 1961 (54 active), 0, 200.16.99.232 -> 172.19.224.71:80, done
> Nov 18 18:34:55 v-arcbabalancer01 relayd[28629]: relay relay4, session 1959 (40 active), 0, 201.251.221.57 -> 172.19.224.72:80, done
> Nov 18 18:34:55 v-arcbabalancer01 relayd[13074]: relay relay4, session 1990 (61 active), 0, 190.189.189.171 -> 172.19.224.70:80, done
> Nov 18 18:34:55 v-arcbabalancer01 relayd[24546]: relay exiting, pid 24546
> Nov 18 18:34:55 v-arcbabalancer01 relayd[13924]: relay relay4, session 1883 (43 active), 0, 190.228.28.250 -> :0, buffer event timeout
> Nov 18 18:34:55 v-arcbabalancer01 relayd[27128]: relay relay4, session 2063 (49 active), 0, 201.255.217.232 -> 172.19.224.71:80, done
> Nov 18 18:34:55 v-arcbabalancer01 relayd[24551]: pfe exiting, pid 24551
> Nov 18 18:34:55 v-arcbabalancer01 relayd[3602]: hce exiting, pid 3602
> Nov 18 18:34:55 v-arcbabalancer01 relayd[13924]: relay relay4, session 1964 (43 active), 0, 190.12.181.160 -> 172.19.224.73:80, done
> Nov 18 18:34:55 v-arcbabalancer01 relayd[17688]: relay relay4, session 2080 (49 active), 0, 186.126.250.165 -> 172.19.224.72:80, done
> Nov 18 18:34:55 v-arcbabalancer01 relayd[28629]: relay relay5, session 1891 (39 active), 0, 190.179.204.226 -> :0, buffer event timeout
> Nov 18 18:34:55 v-arcbabalancer01 relayd[28629]: relay relay4, session 1962 (39 active), 0, 190.189.189.171 -> 172.19.224.70:80, done
> Nov 18 18:34:55 v-arcbabalancer01 relayd[22840]: relay exiting, pid 22840
> Nov 18 18:34:55 v-arcbabalancer01 relayd[5545]: relay exiting, pid 5545
> Nov 18 18:34:55 v-arcbabalancer01 relayd[1089]: relay exiting, pid 1089
> Nov 18 18:34:55 v-arcbabalancer01 relayd[28629]: relay exiting, pid 28629
> Nov 18 18:34:55 v-arcbabalancer01 relayd[857]: relay exiting, pid 857
> Nov 18 18:34:55 v-arcbabalancer01 relayd[27128]: relay exiting, pid 27128
> Nov 18 18:34:55 v-arcbabalancer01 relayd[20347]: relay exiting, pid 20347
> Nov 18 18:34:55 v-arcbabalancer01 relayd[13074]: relay exiting, pid 13074
> Nov 18 18:34:55 v-arcbabalancer01 relayd[7637]: relay exiting, pid 7637
> Nov 18 18:34:55 v-arcbabalancer01 relayd[8449]: relay exiting, pid 8449
> Nov 18 18:34:55 v-arcbabalancer01 relayd[30009]: relay exiting, pid 30009
> Nov 18 18:34:55 v-arcbabalancer01 relayd[13924]: relay exiting, pid 13924
> Nov 18 18:34:55 v-arcbabalancer01 relayd[4542]: relay exiting, pid 4542
> Nov 18 18:34:55 v-arcbabalancer01 relayd[13505]: parent terminating, pid 13505
> Nov 18 18:39:11 v-arcbabalancer01 puppet-agent[20912]: Finished catalog run in 2.59 seconds
> Nov 18 18:58:04 v-arcbabalancer01 relayd[9964]: startup
>
>
> Best regards, yours
>
> Regards.-
> Leonardo Santagostini
>
> <http://ar.linkedin.com/in/santagostini>
>
>
>
>
>
> 2013/11/18 Leonardo Santagostini <lsantagost...@gmail.com>
>
>> Hello Jan, thanks for answering.
>>
>> The point was booting without bsd.mp; now the box has rebooted and is showing
>> 4 procs =)
>>
>> By now, all is working fine. Thanks for all your support. I will keep you
>> all informed on how things are going.
>>
>> Best regards
>>
>> Regards.-
>> Leonardo Santagostini
>>
>> <http://ar.linkedin.com/in/santagostini>
>>
>>
>>
>>
>>
>> 2013/11/18 Jan Lambertz <jd.arb...@googlemail.com>
>>
>>> qemu-kvm ...-smp sockets=2 ... solved it for me. What qemu version and
>>> build are you using?
>>>
>>> On 14.11.2013 18:47, "Leonardo Santagostini" <lsantagost...@gmail.com>
>>> wrote:
>>> >
>>> > Thanks a lot to all, I will give it a try and give you feedback as
>>> > soon as it gets implemented.
>>> >
>>> > Regards.-
>>> > Leonardo Santagostini
>>> >
>>> > <http://ar.linkedin.com/in/santagostini>
>>> >
>>> >
>>> >
>>> >
>>> >
>>> > 2013/11/14 Andy <a...@brandwatch.com>
>>> >
>>> > >  On 14/11/13 15:21, Leonardo Santagostini wrote:
>>> > >
>>> > > Hello misc,
>>> > >
>>> > > I'm doing my final approach to putting a production system with
>>> > > carp+pfsync+relayd into production.
>>> > >
>>> > > The point is that I'm facing some trouble setting more than one IP
>>> > > alias address with different vhid and different passwd.
>>> > >
>>> > > So, this is the scenario.
>>> > >
>>> > > I'm trying to relayd more or less 15 sites, so I have conceptual
>>> > > doubts.
>>> > >
>>> > > 1) Is it necessary to create one carp interface for each one of my
>>> > > internal VIP addresses?
>>> > > 2) My understanding is that I have to work with pf on my carp
>>> > > interfaces.
>>> > >
>>> > > I have tried to put two different VIPs on my carp, but without
>>> > > luck.
>>> > >
>>> > > Here is the homework.
>>> > >
>>> > > [root@server ~]# uname -a
>>> > > OpenBSD server.internaldomain.com 5.4 GENERIC#37 amd64
>>> > > [root@server ~]#
>>> > >
>>> > > [root@server ~]# cat /etc/hostname.em0
>>> > > inet 172.19.224.180 255.255.255.0
>>> > >
>>> > > [root@server ~]# cat /etc/hostname.em1
>>> > > inet 172.19.226.231 255.255.255.0 172.19.226.255
>>> > >
>>> > > [root@server ~]# cat /etc/hostname.carp0
>>> > > # inet alias 172.19.224.16 255.255.255.255 172.19.224.255 vhid 1 advskew 10
>>> > > carpdev em0 pass Ahsooqu3
>>> > > inet alias 172.19.224.131 255.255.255.0 172.19.224.255 vhid 2 advskew 10
>>> > > carpdev em0 pass Meixo9oe
>>> > > # inet alias 172.19.224.41 255.255.255.255 172.19.224.255 vhid 3 advskew 10
>>> > > carpdev em0 pass av5eG9Gi
>>> > > # inet alias 172.19.224.40 255.255.255.255 172.19.224.255 vhid 4 advskew 10
>>> > > carpdev em0 pass Rei6thai
>>> > > # inet alias 172.19.224.181 255.255.255.0 172.19.224.255 vhid 5 advskew 10
>>> > > carpdev em0 pass Toobohz3
>>> > > # inet alias 172.19.224.182 255.255.255.255 172.19.224.255 vhid 6 advskew 10
>>> > > carpdev em0 pass Quahng6U
>>> > >
>>> > > CARP should look like this (master);
>>> > > inet 172.19.224.16 255.255.255.0 172.19.224.255 vhid 1 carpdev em0 pass Ahsooqu3 advskew 0
>>> > > inet alias 172.19.224.131 255.255.255.255
>>> > > inet alias 172.19.224.41 255.255.255.255
>>> > > inet alias 172.19.224.40 255.255.255.255
>>> > > inet alias 172.19.224.181 255.255.255.255
>>> > > inet alias 172.19.224.182 255.255.255.255
>>> > >
>>> > > And (backup);
>>> > > inet 172.19.224.16 255.255.255.0 172.19.224.255 vhid 1 carpdev em0 pass Ahsooqu3 advskew 200
>>> > > inet alias 172.19.224.131 255.255.255.255
>>> > > inet alias 172.19.224.41 255.255.255.255
>>> > > inet alias 172.19.224.40 255.255.255.255
>>> > > inet alias 172.19.224.181 255.255.255.255
>>> > > inet alias 172.19.224.182 255.255.255.255
>>> > >
>>> > > And yes, the subnet masks for the aliases should be /32 and you will see a
>>> > > warning in the logs during fail-over. This is fine, the devs just haven't
>>> > > muted the check warning yet.
>>> > >
>>> > > You've done it right if 'netstat -rn' shows;
>>> > >
>>> > > 172.19.224.131     127.0.0.1          UGHS       0        0 33152     8 lo0
>>> > > 172.19.224.131/32  172.19.224.131     U          0        0     -     4 carp0
>>> > >
>>> > >
>>> > >  [root@server ~]# cat /etc/hostname.pfsync0
>>> > > up syncdev em1
>>> > >
>>> > > [root@server ~]# cat /etc/pf.conf
>>> > > ext_if="carp0"
>>> > >
>>> > > You don't refer to CARP as an interface; it is simply a VRRP watchdog
>>> > > interface (for example you cannot set the MTU on a CARP interface as it is
>>> > > not really an interface).
>>> > > Use the physical..
>>> > >
>>> > > ext_if="em0"
>>> > >
>>> > >
>>> > >
>>> > > set fingerprints "/etc/pf.os"
>>> > > set optimization aggressive
>>> > > set limit states 90000
>>> > >
>>> > >  Definitely needs to be higher! try 1 million..
>>> > >
>>> > >
>>> > >  set limit src-nodes 65000
>>> > >
>>> > > table <bad_ip> persist
>>> > > table <internat_net> persist file "/etc/internal_net"
>>> > > table <admitted_net> persist file "/etc/admitted.txt"
>>> > >
>>> > > # vip1_address = "172.19.224.181"
>>> > > # vip2_address = "172.19.224.16"
>>> > > vip3_address = "172.19.224.131"
>>> > > # vip4_address = "172.19.224.41"
>>> > > # vip5_address = "172.19.224.40"
>>> > >
>>> > > Just to keep you sane remember these rules;
>>> > > # (SNAT) NATing is done before filtering, 'pass out on $if_ext from
>>> > > $external_carp_ip1' (public address as src for outbound).
>>> > > # (DNAT) RDRing is done before filtering, 'pass in on $if_ext from any to
>>> > > $internal_ip1' (private address as dst for inbound).
>>> > >
>>> > > [image: OpenBSD_PF_flow]
>>> > >
>>> > >
>>> > >
>>> > > # Stop processing when traffic comes from the internal networks
>>> > > pass in quick from <internat_net> to any
>>> > >
>>> > > # Allow the IPs from the permitted networks
>>> > > # pass in quick from <admitted_net> to $vip1_address
>>> > > pass in quick from <admitted_net> to $vip3_address
>>> > >
>>> > > # Generate the block
>>> > > block in quick from <bad_ip>
>>> > >
>>> > >  Your 'block in quick's should be above your 'pass in quick's!
>>> > > quick means stop evaluating and do this action now..
>>> > >
>>> > >
>>> > > block in log quick on $ext_if proto tcp from any os "NMAP" to any label ExtNMAPScan
>>> > >
>>> > > # Protection against nmap and similar tools
>>> > > # block in quick on $ext_if proto tcp flags FUP/WEUAPRSF
>>> > > block in quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
>>> > > block in quick on $ext_if proto tcp flags SRAFU/WEUAPRSF
>>> > > block in quick on $ext_if proto tcp flags /WEUAPRSF
>>> > > block in quick on $ext_if proto tcp flags SR/SR
>>> > > block in quick on $ext_if proto tcp flags SF/SF
>>> > > block in quick from urpf-failed
>>> > >
>>> > >
>>> > > # Apply DoS and SYN flood rules on site1
>>> > > # pass in log on $mob_if proto tcp to $vip1_address port www keep state (sloppy, max 10000, max-src-nodes 5000, max-src-conn 100, max-src-conn-rate 95/2, adaptive.start 6000, adaptive.end 12000, tcp.first 15, tcp.opening 5, tcp.established 3600, tcp.closing 5, tcp.finwait 15, tcp.closed 15, tcp.tsdiff 5)
>>> > >
>>> > > Be careful, Direct Server Return does require sloppy states but be aware
>>> > > that this totally undermines state security!
>>> > > You still need a firewall on the outside of the load balancer to sanitize
>>> > > the flows.. Catch 22 as you cannot have the load balancer (with DSR) on the
>>> > > same box as your PF filtering if you want load balancing (with DSR) and
>>> > > full security..
>>> > > I.e. DSR and full state modulation/security are mutually exclusive..
>>> > >
>>> > >
>>> > > # Apply DoS and SYN flood rules on site2
>>> > > # pass in on $ext_if proto tcp to $vip2_address port www keep state (sloppy, max 10000, max-src-nodes 5000, max-src-conn 150, max-src-conn-rate 150/3)
>>> > >
>>> > > # Apply rules for site3
>>> > > pass in on $ext_if proto tcp to $vip3_address port www keep state (sloppy, max 10000, max-src-nodes 5000, max-src-conn 150, max-src-conn-rate 100/3)
>>> > >
>>> > > # Apply DoS and SYN flood rules on site4
>>> > > # pass in on $ext_if proto tcp to $vip4_address port www keep state (sloppy, max 10000, max-src-nodes 5000, max-src-conn 150, max-src-conn-rate 100/3)
>>> > >
>>> > > # Apply DoS and SYN flood rules on site5
>>> > > # pass in on $ext_if proto tcp to $vip5_address port www keep state (sloppy, max 10000, max-src-nodes 5000, max-src-conn 150, max-src-conn-rate 100/3)
>>> > >
>>> > > # Anchor for relayd
>>> > > anchor "relayd/*"
>>> > >
>>> > >
>>> > > [root@server ~]# cat /etc/relayd.conf
>>> > > # Load balancing configuration file
>>> > >
>>> > > ## Global options
>>> > > interval 5
>>> > > timeout 500
>>> > > prefork 15
>>> > > log all
>>> > >
>>> > > ## VIP addresses
>>> > > # address1="172.19.224.16"
>>> > > # address2="172.19.224.181"
>>> > > address3="172.19.224.131"
>>> > > # address4="172.19.224.41"
>>> > > # address5="172.19.224.40"
>>> > >
>>> > > ## Server addresses
>>> > > wsapp1="172.19.224.200"
>>> > > wsapp2="172.19.224.201"
>>> > > webcache01="172.19.224.70"
>>> > > webcache02="172.19.224.71"
>>> > > webcache03="172.19.224.72"
>>> > > webcache04="172.19.224.73"
>>> > >
>>> > > ## Table definitions
>>> > > table <mobileweb> { $wsapp1 $wsapp2 }
>>> > > table <webcaches> { $webcache01 $webcache02 $webcache03 $webcache04 }
>>> > > table <webcaches1> { $webcache01 }
>>> > >
>>> > > ## Protocol definitions (filters)
>>> > >
>>> > > http protocol "httpSite1" {
>>> > >
>>> > >         header change "Connection" to "close"
>>> > >         header append "$REMOTE_ADDR" to "X-Forwarded-For"
>>> > >         cookie hash "sessid"
>>> > >
>>> > > }
>>> > >
>>> > > http protocol "httpSite2" {
>>> > >
>>> > >         header change "Connection" to "close"
>>> > >         header append "$REMOTE_ADDR" to "X-Forwarded-For"
>>> > >         cookie hash "sessid"
>>> > >
>>> > > }
>>> > >
>>> > > http protocol "httpSite3" {
>>> > >
>>> > >         header change "Connection" to "close"
>>> > >         header append "$REMOTE_ADDR" to "X-Forwarded-For"
>>> > > }
>>> > >
>>> > > http protocol "httpSite4" {
>>> > >
>>> > >         header append "$REMOTE_ADDR" to "X-Forwarded-For"
>>> > >
>>> > > }
>>> > >
>>> > > http protocol "httpSite5" {
>>> > >
>>> > >         header append "$REMOTE_ADDR" to "X-Forwarded-For"
>>> > >
>>> > > }
>>> > >
>>> > > ## Relay definitions
>>> > >
>>> > > #relay site1 {
>>> > > #        listen on $address2 port 80
>>> > > #        protoc
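Added example, not part of the thread above: a small Python model of how pf evaluates the quoted ruleset, written to show Andy's point that the 'block in quick from <bad_ip>' line never fires for an address that also matches one of the 'pass in quick' rules placed above it. The table contents and the packet sources are constructed (documentation and private ranges, not the thread's addresses); <internat_net> and <bad_ip> deliberately overlap so the ordering problem is visible. The evaluator only models "last match wins, quick ends evaluation" and ignores direction, interface, protocol and state tracking.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample tables (documentation/private ranges, not the thread's
# addresses). <internat_net> and <bad_ip> overlap on purpose.
TABLES = {
    "internat_net": ["172.19.0.0/16"],
    "admitted_net": ["198.51.100.0/24"],
    "bad_ip": ["172.19.5.9/32", "198.51.100.77/32"],
}
VIP3 = "172.19.224.131"  # $vip3_address from the quoted pf.conf


@dataclass
class Rule:
    action: str          # "pass" or "block"
    quick: bool          # 'quick' stops evaluation on match
    src: str = "any"     # table name or "any"
    dst: str = "any"     # single address or "any"
    text: str = ""       # the pf.conf line this models, for reporting


def in_table(name, addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(net) for net in TABLES[name])


def matches(rule, src, dst):
    src_ok = rule.src == "any" or in_table(rule.src, src)
    dst_ok = rule.dst == "any" or rule.dst == dst
    return src_ok and dst_ok


def evaluate(rules, src, dst):
    """Simplified pf semantics: the LAST matching rule wins, except that a
    matching 'quick' rule ends evaluation immediately. Direction, interface,
    protocol and state tracking are not modelled."""
    decision = ("pass", "implicit default pass")
    for rule in rules:
        if matches(rule, src, dst):
            decision = (rule.action, rule.text)
            if rule.quick:
                break
    return decision


# Order as posted in the thread: both 'pass in quick' rules sit above the block.
ORIGINAL = [
    Rule("pass", True, src="internat_net",
         text="pass in quick from <internat_net> to any"),
    Rule("pass", True, src="admitted_net", dst=VIP3,
         text="pass in quick from <admitted_net> to $vip3_address"),
    Rule("block", True, src="bad_ip",
         text="block in quick from <bad_ip>"),
]

# Andy's correction: the 'block in quick' goes first.
CORRECTED = [ORIGINAL[2], ORIGINAL[0], ORIGINAL[1]]


def compare(src, dst=VIP3):
    """Return (action under the posted order, action under the corrected order)
    for one packet from src to dst."""
    return evaluate(ORIGINAL, src, dst)[0], evaluate(CORRECTED, src, dst)[0]


if __name__ == "__main__":
    for src in ("172.19.5.9", "198.51.100.77", "198.51.100.10", "203.0.113.4"):
        before, after = compare(src)
        print(f"{src:>15} -> {VIP3}: posted order = {before:<5} corrected = {after}")
```

The two listed <bad_ip> addresses are passed under the posted order and blocked under the corrected one; an admitted address that is not in <bad_ip> and an unrelated address are passed either way, so moving the block rule up changes only the outcome for the addresses it is meant to catch.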
