thttpd with php

2006-02-19 Thread Kiraly Zoltan
Anyone use thttpd webserver with PHP in OpenBSD?

I don't know exactly what I need to do to run this webserver with PHP in
OpenBSD. Does documentation exist which explains this?

Thanks !



openbsd 3.8 on a nokia ip110 and the reboot problems (it hangs after a soft reboot)

2006-02-19 Thread [EMAIL PROTECTED]
hi all,

i have a nokia ip110 (with 64mb ram), and it works BUT it has some quirks.

what i did for the install:
-boot the nokia ip with the original OS (ipso) and save the dmesg!
(for the mac addresses of the NICs: the mac stored in the eeprom of the intel
nic on the IP is not the same as normal, no problem if we save the info and
use the lladdr param in /etc/hostname.fxp*)

(see my original ipso dmesg below)

-put the HD in a working openbsd system. (the torx screws i used were size 8)
-dd the original HD for the backup of the ipso
-format the IP HD with an ATA lowlevel format tool (for me i used the dft
(Drive Fitness Test) from ibm/hitachi
http://www.hitachigst.com/hdd/support/download.htm
the install only worked for me with the lowlevel format of the HD.
-install openbsd as normal BUT make sure:
Start sshd(8) by default? [yes] y
Change the default console to com0? [no] y
(with 9600bps)
/etc/boot.conf and /etc/ttys will be edited appropriately for you.

-if you want you can test the install first on the install system for
booting.
-put the HD back into the IP
-connect the serial console with the settings 9600 8-N-1 and no flow control!
-power up the IP
-change /etc/hostname.fxp0-2 to the correct mac addresses (with the
lladdr param)

EOF

the showstopper for me is the reboot problem, so if i/we find no
workaround for the bug the ip goes back to ebay...

best wishes
Wolfgang

original boot of the ipso

box[admin]# reboot
Feb  2 15:24:48 box [LOG_CRIT] reboot: rebooted by admin

Feb  2 15:24:48 box [LOG_CRIT] reboot: rebooted by admin

Feb  2 15:24:48 box [LOG_ERR] syslogd: exiting on signal 15

Feb  2 15:24:48 box [LOG_ERR] syslogd: exiting on signal 15


cleaning up...
syncing disks... 4 4 done
Rebooting...

1   Bootmgr
2   IPSO

Default: 1

Starting bootmgr
Loading boot manager..
Boot manager loaded.
Entering autoboot mode.
Type any character to enter command mode.
Booting /dev/wd0f:/image/IPSO-3.8-BUILD031-04.09.2004-011500-1388/kernel
[kernel] symtab 90732000, sym_start 90732004, sym_end 90777454
[kernel] sym_size 5c5c, str_size 66150
[ preserving 0xab5a4 bytes of kernel symbol table ]
Copyright (c) 1982, 1986, 1989, 1991, 1993
The Regents of the University of California.  All rights reserved.

Resizing packet buffers: mbufs 15360 clusters 7680
releng 1388  04.09.2004-011500
CPU: 267-MHz Pentium (586-class CPU)
real memory  = 67108864 (64M bytes)
avail memory = 53735424 (51M bytes)
mediagx0 Cyrix GXLV CPU with PCI/Memory Controller rev 0 on pci0:0:0
mediagx1 Cyrix CS5530 PCI to ISA bridge rev 0 on pci0:18:0
mediagx2 Cyrix CS5530 SMI rev 0 on pci0:18:1
mediagx3 Cyrix CS5530 IDE rev 0 on pci0:18:2
cyrix 5530
Probing for devices on the ISA bus:
sio0 at 0x3f8-0x3ff irq 4 on isa
5sio0: type 16550A
sio1 at 0x2f8-0x2ff irq 3 on isa
5sio1: type 16550A
wdc0 at 0x1f0-0x1f7 irq 14 on isa
Setting using 0x1000
wd0: mw=0x2, pio=0x4, pcirev=0x0, udma=0x2
wdc0: unit 0 (wd0): IBM-DJSA-205, LBA, DMA
wd0: 5000MB (9767520 sectors), LBA geometry: 608 cyls, 255 heads, 63 S/T
wd0: Physical geometry: 10336 cyls, 15 heads, 63 S/T
npx0 on motherboard
npx0: INT 16 interface
superio0 at 0x0 on isa
SEEPROM revision: actual=1, latest=2
mediagx4 Cyrix CS5530 audio rev 0 on pci0:18:3
fxp0 Intel EtherExpress Pro 10/100B Ethernet rev 9 int a irq 6 slot 1
netlog:eth-s1p1 .. Ethernet address 0:a0:8e:20:31:78
fxp1 Intel EtherExpress Pro 10/100B Ethernet rev 9 int a irq 10 slot 2
netlog:eth-s2p1 .. Ethernet address 0:a0:8e:20:31:79
fxp2 Intel EtherExpress Pro 10/100B Ethernet rev 9 int a irq 11 slot 3
netlog:eth-s3p1 .. Ethernet address 0:a0:8e:20:31:7a
changing root device to wd0f

RTC: 02/02/06 15:25:44, A=26, B=42, C=00
swapon: adding /dev/wd0b as swap device
Automatic reboot in progress...
/dev/rwd0f: clean, 310124 free (756 frags, 38671 blocks, 0.2% fragmentation)
/dev/rwd0a: clean, 38167 free (15 frags, 4769 blocks, 0.0% fragmentation)
/dev/rwd0d: clean, 2749305 free (145 frags, 343645 blocks, 0.0%
fragmentation)
/dev/rwd0e: clean, 529594 free (42 frags, 66194 blocks, 0.0% fragmentation)
Feb  2 15:26:03 xpand[39]: xpand will perform upgrade if necessary


clearing /tmp
checking for core dump...savecore: no core dump
recording kernel -c changes
starting system daemons: 
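The MAC step of the procedure above (save the IPSO dmesg, then put the addresses into hostname.fxpN with lladdr) can be automated. This is an added example in Python, not code from the post: it parses the NIC lines of the IPSO dmesg, pads IPSO's unpadded octets, renders the hostname.if(5) content and checks ifconfig(8) output afterwards. It assumes OpenBSD probes the NICs in the same slot order as IPSO (so fxp0 is fxp0 on both), and the inet values are made up.

```python
import re

# Constructed excerpt of the IPSO dmesg posted above: only the fxpN attach
# lines and the "Ethernet address" lines that follow them are needed.
IPSO_DMESG = """\
mediagx4 Cyrix CS5530 audio rev 0 on pci0:18:3
fxp0 Intel EtherExpress Pro 10/100B Ethernet rev 9 int a irq 6 slot 1
netlog:eth-s1p1 .. Ethernet address 0:a0:8e:20:31:78
fxp1 Intel EtherExpress Pro 10/100B Ethernet rev 9 int a irq 10 slot 2
netlog:eth-s2p1 .. Ethernet address 0:a0:8e:20:31:79
fxp2 Intel EtherExpress Pro 10/100B Ethernet rev 9 int a irq 11 slot 3
netlog:eth-s3p1 .. Ethernet address 0:a0:8e:20:31:7a
changing root device to wd0f
"""

ATTACH = re.compile(r'^(?P<ifname>fxp\d+) Intel EtherExpress')
ADDRESS = re.compile(r'Ethernet address (?P<mac>[0-9a-f]{1,2}(?::[0-9a-f]{1,2}){5})\b', re.I)
HEX_OCTETS = re.compile(r'^[0-9a-f]{2}(:[0-9a-f]{2}){5}$')


def normalize_mac(mac):
    """IPSO prints octets without leading zeros (0:a0:...); emit the 00:a0:... form."""
    return ':'.join(f'{int(octet, 16):02x}' for octet in mac.split(':'))


def nic_addresses(dmesg):
    """Pair every fxpN attach line with the Ethernet address line printed after it.
    Assumption: OpenBSD numbers the NICs in the same order as IPSO did, so IPSO's
    fxp0 is OpenBSD's fxp0. Confirm against the OpenBSD dmesg before trusting it."""
    found, pending = {}, None
    for line in dmesg.splitlines():
        attach = ATTACH.match(line)
        if attach:
            pending = attach.group('ifname')
            continue
        addr = ADDRESS.search(line)
        if addr and pending:
            found[pending] = normalize_mac(addr.group('mac'))
            pending = None
    return found


def hostname_if(mac, inet=None):
    """Render /etc/hostname.fxpN. The lladdr line goes first so the address is set
    before any inet line configures the interface; inet values are assumed."""
    if not HEX_OCTETS.match(mac):
        raise ValueError(f'malformed MAC address: {mac!r}')
    lines = [f'lladdr {mac}']
    if inet:
        address, netmask = inet
        lines.append(f'inet {address} {netmask} NONE')
    return '\n'.join(lines) + '\n'


def check_applied(expected_mac, ifconfig_output):
    """True when the lladdr that ifconfig(8) reports matches what hostname.if asked for."""
    m = re.search(r'\blladdr ([0-9a-f:]{17})', ifconfig_output, re.I)
    return bool(m) and m.group(1).lower() == expected_mac.lower()


if __name__ == '__main__':
    for ifname, mac in sorted(nic_addresses(IPSO_DMESG).items()):
        print(f'--- /etc/hostname.{ifname}')
        print(hostname_if(mac), end='')
```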

nologin shell allows me to connect to FTP server

2006-02-19 Thread MK

Hello to everybody

I thought that the nologin shell disallows access for a user account on all 
services. But I'm still able to connect to the FTP server and POPA3D even though that 
userID has the nologin shell assigned. Is this correct behaviour? If so, what is the 
difference between the nologin shell and the false shell?


Thank you for all replies
MK



Re: thttpd with php

2006-02-19 Thread Stuart Henderson
On 2006/02/19 15:31, Kiraly Zoltan wrote:
> Anyone use thttpd webserver with PHP in OpenBSD?
> 
> I don't know exactly what I need to do to run this webserver with PHP in
> OpenBSD. Does documentation exist which explains this?

CGI is possibly the easiest way, bearing in mind you won't handle a high
PHP load with thttpd anyway (it serializes PHP requests even with the
module version). Other options - there's 'premium thttpd' (commercial)
which multithreads FastCGI - aolserver (MPL) or Roxen (GPL) have PHP
modules which should perform better than thttpd (though I don't know how
PHP performance compares with Apache). Neither are in ports/packages
though.



Re: nologin shell allows me to connect to FTP server

2006-02-19 Thread Otto Moerbeek
On Sun, 19 Feb 2006, MK wrote:

> Hello to everybody
> 
> I thought that the nologin shell disallows access for a user account on all services.
> But I'm still able to connect to the FTP server and POPA3D even though that userID has
> the nologin shell assigned. Is this correct behaviour? If so, what is the difference
> between the nologin shell and the false shell?

It is correct behaviour. The difference between nologin and false is
described in the man page of nologin.

-Otto
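The behaviour MK sees follows from which services look at the shell at all: ftpd(8) walks getusershell(3) and refuses any account whose shell is not listed in /etc/shells, while a daemon that only verifies the password (as the thread reports for POPA3D) never consults the shell, so nologin and false both leave such services open. Below is an added audit in Python, not code from the thread, that classifies accounts from a constructed master.passwd(5) against a constructed /etc/shells and lists the ones locked only by their shell field.

```python
# Constructed sample in master.passwd(5) layout
# (name:hash:uid:gid:class:change:expire:gecos:home:shell); hashes are placeholders.
MASTER_PASSWD = """\
root:$PLACEHOLDER_HASH$:0:0:daemon:0:0:Charlie &:/root:/bin/ksh
alice:$PLACEHOLDER_HASH$:1000:1000:default:0:0:Alice:/home/alice:/bin/ksh
bob:$PLACEHOLDER_HASH$:1001:1001:default:0:0:Bob:/home/bob:/sbin/nologin
carol:$PLACEHOLDER_HASH$:1002:1002:default:0:0:Carol:/home/carol:/bin/false
dave:*:1003:1003:default:0:0:Dave:/home/dave:/sbin/nologin
"""

# Constructed /etc/shells: the list getusershell(3) walks.
SHELLS = """\
# List of acceptable shells for chpass(1).
/bin/sh
/bin/csh
/bin/ksh
"""


def parse_shells(text):
    """Valid login shells, skipping blank lines and comments as getusershell(3) does."""
    return {line.strip() for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith('#')}


def parse_master_passwd(text):
    accounts = []
    for line in text.splitlines():
        if not line or line.startswith('#'):
            continue
        fields = line.split(':')
        if len(fields) != 10:
            raise ValueError(f'expected 10 fields: {line!r}')
        accounts.append({'name': fields[0], 'hash': fields[1], 'shell': fields[9]})
    return accounts


def classify(account, shells):
    """Which services still accept the account:
    'password-locked' - hash is '*' (no hash can match it): no password login anywhere;
    'shell-locked'    - shell absent from /etc/shells: refused by services that walk
                        getusershell(3), such as ftpd(8), but still accepted by services
                        that only verify the password (POPA3D in the thread);
    'open'            - listed shell and a usable (or empty!) hash: accepted everywhere."""
    if account['hash'].startswith('*'):
        return 'password-locked'
    if account['shell'] in shells:
        return 'open'
    return 'shell-locked'


def audit(passwd_text, shells_text):
    shells = parse_shells(shells_text)
    return {a['name']: classify(a, shells) for a in parse_master_passwd(passwd_text)}


def shell_locked_only(passwd_text, shells_text):
    """Accounts whose only lock is the shell field, i.e. the case MK describes."""
    return sorted(name for name, state in audit(passwd_text, shells_text).items()
                  if state == 'shell-locked')
```

Note that nologin and false land in the same class here: neither is in /etc/shells, so shell-checking services treat them alike, and the difference Otto points to is in how they behave when actually run.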



Re: OpenBGPD dropping sessions.

2006-02-19 Thread tony sarendal
On 17/02/06, Henning Brauer [EMAIL PROTECTED] wrote:

> * Pete Bristow [EMAIL PROTECTED] [2006-02-17 13:16]:
>> Feb 17 12:16:05 a bgpd[28123]: neighbor 217.112.a.b (BD01): state change
>> Established -> Idle, reason: Connection closed
>>
>> Was all I got.
>
> and there is your reason, the remote router closed the connection
> (aka, tcp session went down). Why, we cannot know.



I'd bet my half-full beer that you hit the max-prefix limit of your peer.

/Tony



Re: Redundant Failover Firewalls

2006-02-19 Thread Henning Brauer
* John Brooks [EMAIL PROTECTED] [2006-02-19 02:43]:
> I am needing to build two identical failover firewalls 
> with openbsd, pf, pfsync, and carp. So far simple enough, 
> with so many articles and examples available. All of these
> are using NAT.
> 
> However, I am needing to use public IP's out of a /25 
> allocation, without NAT. I have not been able to find any 
> articles or examples that discuss doing this in a routed 
> manner.

well - where should the problem be? just leave the nat rules out.

-- 
BS Web Services, http://www.bsws.de/
OpenBSD-based Webhosting, Mail Services, Managed Servers, ...
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)



Re: thttpd with php

2006-02-19 Thread Clint M. Sand
Sorry, I did not read like an idiot. 

Maybe this is more helpful. 

http://halplant.com:88/server/thttpd_FAQ.html#PHP


On Sun, Feb 19, 2006 at 09:40:33AM -0500, Clint M. Sand wrote:
> On Sun, Feb 19, 2006 at 03:31:47PM +0200, Kiraly Zoltan wrote:
>> Anyone use thttpd webserver with PHP in OpenBSD?
>> 
>> I don't know exactly what I need to do to run this webserver with PHP in
>> OpenBSD. Does documentation exist which explains this?
>> 
>> Thanks !
> 
> $ cd /usr/ports/
> $ make search key=thttpd
> Port:   thttpd-2.25b
> Path:   www/thttpd
> Info:   tiny/turbo/throttling HTTP server
> Maint:  Jakob Schlyter [EMAIL PROTECTED]
> Index:  www
> L-deps:
> B-deps:
> R-deps:
> Archs:  any
> 
> 
> Just install the port or package. 
> 
> http://www.openbsd.org/ports.html
> http://www.openbsd.org/3.8_packages/i386/thttpd-2.25b.tgz-long.html



Re: thttpd with php

2006-02-19 Thread Christian Weisgerber
Stuart Henderson [EMAIL PROTECTED] wrote:

> CGI is possibly the easiest way, bearing in mind you won't handle a high
> PHP load with thttpd anyway (it serializes PHP requests even with the
> module version). Other options - [...]

lighttpd with fastcgi php?

-- 
Christian naddy Weisgerber  [EMAIL PROTECTED]



Correct directory for group files

2006-02-19 Thread William Kranec
Hi,

I have a photo collection which I would like multiple users to be able to 
access, and I would like to do this by storing the files in a central location 
on my disk and linking /home/$USER/photos to that directory.

Where is the most appropriate place in the filesystem for this directory?  I've 
considered both /home/photos and /var/photos, but I'm not quite sure if one is 
better than the other, or if it just doesn't make a difference.

Any advice would be appreciated.

Thanks,

Bill



Re: Correct directory for group files

2006-02-19 Thread A Rossi
It probably doesn't make a difference, except if your /var partition (or 
/home for that matter) won't hold the photos directory as well as the 
regular data that is held there. But I do remember that in OpenBSD you 
can save your /home directory when upgrading, so there's something to 
keep in mind.

Hope this helps

-A Rossi


William Kranec wrote:

> Hi,
>
> I have a photo collection which I would like multiple users to be
> able to access, and I would like to do this by storing the files in a
> central location on my disk and linking /home/$USER/photos to that
> directory.
>
> Where is the most appropriate place in the filesystem for this
> directory?  I've considered both /home/photos and /var/photos, but
> I'm not quite sure if one is better than the other, or if it just doesn't
> make a difference.
>
> Any advice would be appreciated.
>
> Thanks,
>
> Bill




Re: Correct directory for group files

2006-02-19 Thread scorch

> Where is the most appropriate place in the filesystem for this
> directory?  I've considered both /home/photos and /var/photos, but
> I'm not quite sure if one is better than the other, or if it just doesn't
> make a difference.


if you put them on /var & run out of space due to people stuffing pr0n or 
baby photos (the difference is debatable) then apps that store stuff in /var 
like mysql may die due to lack of space.


if you put them on /home your users can't work.

it depends on who you want to suffer the pain. in this case, i usually go 
for the users; at least there's some link in responsibility to the issue at 
hand.


cheers, scorch
--
out of the frying pan and into the fire



Re: Correct directory for group files

2006-02-19 Thread Matthias Kilian
On Sun, Feb 19, 2006 at 11:03:44PM +0100, scorch wrote:
> if you put them on /var & run out of space [...]

quota(1) and referenced documentation may help.



Re: Correct directory for group files

2006-02-19 Thread mike
On Sun, 19 Feb 2006 16:19:01 -0500
William Kranec [EMAIL PROTECTED] wrote:

> Hi,
> 
> I have a photo collection which I would like multiple users to be
> able to access, and I would like to do this by storing the files in a
> central location on my disk and linking /home/$USER/photos to that
> directory.
> 
> Where is the most appropriate place in the filesystem for this
> directory?  I've considered both /home/photos and /var/photos, but
> I'm not quite sure if one is better than the other, or if it just doesn't
> make a difference.
> 
> Any advice would be appreciated.
> 
> Thanks,
> 
> Bill
> 
> 

I'm partial to /pub



HP ML110

2006-02-19 Thread Steve
Hi All,

Can anyone comment on the compatibility of the HP ML110 server
with 3.8 release.

Thanks.



Re: Correct directory for group files

2006-02-19 Thread Matthew Weigel

William Kranec wrote:

> Hi,
>
> I have a photo collection which I would like multiple users to be able
> to access, and I would like to do this by storing the files in a central
> location on my disk and linking /home/$USER/photos to that directory.
>
> Where is the most appropriate place in the filesystem for this directory?
> I've considered both /home/photos and /var/photos, but I'm not quite sure if one
> is better than the other, or if it just doesn't make a difference.

#1: It should be on a filesystem that is writable by users in the normal 
case.

#2: If possible, it should be on its own filesystem.

I would favor /usr/photos or simply /photos.  I reserve /var for 
application data, and /home for each user's private data... but if it 
can't be its own filesystem, I'd say /home/photos.


If there were going to be a lot of directories like photos that were 
shared users' data, I might consider /share/photos (and /share/music, 
and...).

--
 Matthew Weigel



spamd-setup doesn't return

2006-02-19 Thread knitti
Hi,

on a server which ran fine for a long time, spamd-setup
doesn't return anymore (at least not for a couple of days, until
I kill it). Does anyone have an idea how to troubleshoot
this?
spamd-setup seems to update the tables and then
simply wait forever. spamd.conf hasn't been altered
since spamhaus went paid-for. The first occurrence of
this problem was on Feb 10 or 11.


# uname -a
OpenBSD [cut] 3.7 GENERIC#0 i386
# /usr/libexec/spamd-setup -d
Getting http://www.openbsd.org/spamd/spews_list_level1.txt.gz
blacklist spews1 15353 entries
whitelist mywhite 15358 entries
blacklist myblack 0 entries
^C
# cat /etc/spamd.conf
all:\
:spews1:mywhite:myblack:

# Mirrored from http://www.spews.org/spews_list_level1.txt
spews1:\
:black:\
:msg=SPAM. Your address %A is in the spews level 1 database\n\
See http://www.spews.org/ask.cgi?x=%A for more details:\
:method=http:\
:file=www.openbsd.org/spamd/spews_list_level1.txt.gz:

mywhite:\
:white:\
:method=file:\
:file=/etc/spamdwhite.txt:

myblack:\
:black:\
:msg=SPAM. Your address %A is in my blacklist.\n Contact ++xx \
xxx xxx for details.:\
:method=file:\
:file=/etc/spamdblack.txt:

thanks for reading,
knitti



Re: viasio hw.sensors problem

2006-02-19 Thread Constantine A. Murenin
On 15/02/06, Sable Keech [EMAIL PROTECTED] wrote:

> TEMP1 is not shown when calling sysctl hw.sensors.
> If I combine the command with 'openssl speed'
> it shows the temperature.
>
> Bad hardware? (new board, didn't run openbsd on it before,
> so i dont know if it ever worked.)
>
> viasio0 at isa0 port 0x2e/2: VT1211 rev 0x02: HM WDG: not activated

Yes, bad design (of the available datasheet for VT1211).

VIA does not seem to provide adequate documentation for the chip,
which is needed in order to know how to convert the raw data into
Kelvins. Their datasheet for VT1211 dated 2002-01-08, Revision 1.0
goes around the net (google VT1211 filetype:pdf), but it does not seem
to contain the magic formula.

And as there is no formula, the conversion table is thus guessed; so I
guess what you experience is the lack of conversion values for the
lower temperatures that the board has whilst idling.

tvc:sys {1134} grep -A3 uK /usr/src/sys/dev/isa/viasio.c
/* Convert to uK */
/* XXX: conversion function is guessed */
val = viasio_raw2temp(val);
if (val == -1) {

Also, some comments are available at
http://www.almico.com/foruminfo.php?id=879461

Cheers,
Constantine.



PF problem? Connection reset, but only from behind NAT.

2006-02-19 Thread viq
Ok, this is crazy. I read about that new OpenBSD LiveCD so I wanted to try it 
(http://g.paderni.free.fr/olivebsd/). I click on the page and... nothing 
happens. Neither in Opera nor Firefox (that's my desktop, linux). So, just to 
verify, I open it via lynx from my OpenBSD router, and it opens... And I just 
had problems opening other sites hosted by free.fr, same story: opens from the 
router, not from the desktop.
Any ideas what I should be looking at?
Here's tcpdump (tcpdump -p -nn host 212.27.63.124) when opening it via lynx 
from the router:
TCPDUMP
01:44:55.741008 62.121.113.251.31886 > 212.27.63.124.80: SWE 4252130529:4252130529(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 1699248027 0> (DF)
01:44:55.783597 212.27.63.124.80 > 62.121.113.251.31886: S 976963389:976963389(0) ack 4252130530 win 5792 <mss 1460,sackOK,timestamp 960425614 1699248027,nop,wscale 8> (DF)
01:44:55.783700 62.121.113.251.31886 > 212.27.63.124.80: . ack 1 win 16384 <nop,nop,timestamp 1699248027 960425614> (DF)
01:44:55.790935 62.121.113.251.31886 > 212.27.63.124.80: P 1:233(232) ack 1 win 16384 <nop,nop,timestamp 1699248027 960425614> (DF)
01:44:55.834654 212.27.63.124.80 > 62.121.113.251.31886: . ack 233 win 27 <nop,nop,timestamp 960425627 1699248027> (DF)
01:44:55.877260 212.27.63.124.80 > 62.121.113.251.31886: . 1:1449(1448) ack 233 win 27 <nop,nop,timestamp 960425637 1699248027> (DF)
01:44:55.878099 212.27.63.124.80 > 62.121.113.251.31886: . 1449:2897(1448) ack 233 win 27 <nop,nop,timestamp 960425637 1699248027> (DF)
01:44:55.878227 62.121.113.251.31886 > 212.27.63.124.80: . ack 2897 win 14936 <nop,nop,timestamp 1699248028 960425637> (DF)
01:44:55.920781 212.27.63.124.80 > 62.121.113.251.31886: . 2897:4345(1448) ack 233 win 27 <nop,nop,timestamp 960425648 1699248028> (DF)
01:44:55.920938 62.121.113.251.31886 > 212.27.63.124.80: . ack 4345 win 16384 <nop,nop,timestamp 1699248028 960425648> (DF)
01:44:55.921050 212.27.63.124.80 > 62.121.113.251.31886: . 4345:5793(1448) ack 233 win 27 <nop,nop,timestamp 960425648 1699248028> (DF)
01:44:55.930243 212.27.63.124.80 > 62.121.113.251.31886: . 5793:7241(1448) ack 233 win 27 <nop,nop,timestamp 960425648 1699248028> (DF)
01:44:55.930312 62.121.113.251.31886 > 212.27.63.124.80: . ack 7241 win 14936 <nop,nop,timestamp 1699248028 960425648> (DF)
01:44:55.974415 212.27.63.124.80 > 62.121.113.251.31886: . 7241:8689(1448) ack 233 win 27 <nop,nop,timestamp 960425662 1699248028> (DF)
01:44:55.974553 62.121.113.251.31886 > 212.27.63.124.80: . ack 8689 win 16384 <nop,nop,timestamp 1699248028 960425662> (DF)
01:44:55.974794 212.27.63.124.80 > 62.121.113.251.31886: . 8689:10137(1448) ack 233 win 27 <nop,nop,timestamp 960425662 1699248028> (DF)
01:44:55.986491 212.27.63.124.80 > 62.121.113.251.31886: . 10137:11585(1448) ack 233 win 27 <nop,nop,timestamp 960425662 1699248028> (DF)
01:44:55.986619 62.121.113.251.31886 > 212.27.63.124.80: . ack 11585 win 14936 <nop,nop,timestamp 1699248028 960425662> (DF)
01:44:55.990232 212.27.63.124.80 > 62.121.113.251.31886: FP 14481:14912(431) ack 233 win 27 <nop,nop,timestamp 960425662 1699248028> (DF)
01:44:55.990416 62.121.113.251.31886 > 212.27.63.124.80: . ack 11585 win 16384 <nop,nop,timestamp 1699248028 960425662,nop,nop,sack 1 {14481:14912} > (DF)
01:44:56.002667 212.27.63.124.80 > 62.121.113.251.31886: . 11585:13033(1448) ack 233 win 27 <nop,nop,timestamp 960425662 1699248028> (DF)
01:44:56.002783 62.121.113.251.31886 > 212.27.63.124.80: . ack 13033 win 14936 <nop,nop,timestamp 1699248028 960425662,nop,nop,sack 1 {14481:14912} > (DF)
01:44:56.014837 212.27.63.124.80 > 62.121.113.251.31886: . 13033:14481(1448) ack 233 win 27 <nop,nop,timestamp 960425662 1699248028> (DF)
01:44:56.014944 62.121.113.251.31886 > 212.27.63.124.80: . ack 14913 win 14505 <nop,nop,timestamp 1699248028 960425662> (DF)
01:44:56.030833 62.121.113.251.31886 > 212.27.63.124.80: F 233:233(0) ack 14913 win 16384 <nop,nop,timestamp 1699248028 960425662> (DF)
01:44:56.074224 212.27.63.124.80 > 62.121.113.251.31886: . ack 234 win 27 <nop,nop,timestamp 960425687 1699248028> (DF)
01:45:10.422854 62.121.113.251.55826 > 212.27.63.124.80: FP 1022798788:1022799222(434) ack 942035112 win 1460 <nop,nop,timestamp 192768686 960421549> (DF)
01:45:10.466259 212.27.63.124.80 > 62.121.113.251.55826: R 942035112:942035112(0) win 0 (DF)


Now when i try to open it from my internal machine, this is what happens (same 
tcpdump command):
TCPDUMP
01:53:41.212087 62.121.113.251.57178 > 212.27.63.124.80: S 1606868703:1606868703(0) win 5840 <mss 1460,sackOK,timestamp 192896449 0,nop,wscale 2> (DF)
01:53:41.254268 212.27.63.124.80 > 62.121.113.251.57178: S 1537657453:1537657453(0) ack 1606868704 win 5792 <mss 1460,sackOK,timestamp 960557071 192896449,nop,wscale 8> (DF)
01:53:41.254626 62.121.113.251.57178 > 212.27.63.124.80: . ack 1 win 1460 <nop,nop,timestamp 192896460 960557071> (DF)
01:54:11.108603 212.27.63.124.80 > 62.121.113.251.57178: . ack 1 win 23 <nop,nop,timestamp 960564582 192896460> (DF) [tos 0x80]
01:54:11.108821 

Re: PF problem? Connection reset, but only from behind NAT.

2006-02-19 Thread Reid Nichol
> No set options in pf.conf, i had scrub in, then changed to scrub in on
> $ext_if, then commented out at all.
> Quite simple NAT, couple rules redirecting incoming traffic, pass out keep
> state. Or should I paste the whole thing?
> 
> 3.9 GENERIC#597 i386, snapshot from 5th/6th Feb, or should I paste the whole
> thing? I'll have to reboot for that, as for now it got filled with messages
> about me trying to write to a full system, eh, the habit of mirroring whole
> install sets of various distributions... ;)
> 
> Thanks in advance for any help, pointers, or kicks in the right direction. I
> think i saw someone with a problem like that, but didn't manage to find
> anything in the archives...
> 
> -- 
> viq
> (I am subscribed to the list)


I had something like this problem awhile ago.  It had to do with
something regarding the default max-mss values.  Don't know the exact
details, but changing the scrub lines to the below solved my issue,
perhaps yours too.


scrub in all max-mss 1452
scrub out all max-mss 1452


Hope that helps, or at least gives you something else to look at.

best regards,
Reid Nichol

We're in a giant car heading into a brick wall at 100 miles/hr and
everybody's arguing about where they want to sit.
-David Suzuki
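The shape of the second trace in viq's post (handshake completes, then nothing moves for 30 seconds) is what an MTU/MSS black hole looks like from the router, which is the condition the max-mss clamp above works around. The following is an added triage script in Python, not code from the thread: it groups tcpdump text into flows, records the MSS each side advertised, and flags flows that finished the handshake but carried no payload. The sample packets are taken from the two traces above, and the 1452 threshold is the value Reid used.

```python
import re
from datetime import datetime

# Constructed sample: packets from the two traces in the post, one packet per
# line with the options in tcpdump's <...> form, cut down to the ones that matter.
ROUTER_TRACE = """\
01:44:55.741008 62.121.113.251.31886 > 212.27.63.124.80: SWE 4252130529:4252130529(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 1699248027 0> (DF)
01:44:55.783597 212.27.63.124.80 > 62.121.113.251.31886: S 976963389:976963389(0) ack 4252130530 win 5792 <mss 1460,sackOK,timestamp 960425614 1699248027,nop,wscale 8> (DF)
01:44:55.783700 62.121.113.251.31886 > 212.27.63.124.80: . ack 1 win 16384 <nop,nop,timestamp 1699248027 960425614> (DF)
01:44:55.790935 62.121.113.251.31886 > 212.27.63.124.80: P 1:233(232) ack 1 win 16384 <nop,nop,timestamp 1699248027 960425614> (DF)
01:44:55.877260 212.27.63.124.80 > 62.121.113.251.31886: . 1:1449(1448) ack 233 win 27 <nop,nop,timestamp 960425637 1699248027> (DF)
"""
NAT_TRACE = """\
01:53:41.212087 62.121.113.251.57178 > 212.27.63.124.80: S 1606868703:1606868703(0) win 5840 <mss 1460,sackOK,timestamp 192896449 0,nop,wscale 2> (DF)
01:53:41.254268 212.27.63.124.80 > 62.121.113.251.57178: S 1537657453:1537657453(0) ack 1606868704 win 5792 <mss 1460,sackOK,timestamp 960557071 192896449,nop,wscale 8> (DF)
01:53:41.254626 62.121.113.251.57178 > 212.27.63.124.80: . ack 1 win 1460 <nop,nop,timestamp 192896460 960557071> (DF)
01:54:11.108603 212.27.63.124.80 > 62.121.113.251.57178: . ack 1 win 23 <nop,nop,timestamp 960564582 192896460> (DF) [tos 0x80]
"""

PKT = re.compile(r'^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>\S+) > (?P<dst>\S+): '
                 r'(?P<flags>[SFRPWE.]+) (?P<rest>.*)$')
ACK = re.compile(r'\back \d+')       # "ack N" in the header, not the "sackOK" option
PAYLOAD = re.compile(r'\((\d+)\)')   # the "(232)" in "1:233(232)"
MSS = re.compile(r'\bmss (\d+)')


def seconds(ts):
    t = datetime.strptime(ts, '%H:%M:%S.%f')
    return t.hour * 3600 + t.minute * 60 + t.second + t.microsecond / 1e6


def analyse(trace, stall_after=5.0, max_mss=1452):
    """Per client flow: the MSS each side advertised, whether any payload followed the
    handshake, and whether it looks like a black hole (handshake done, nothing moved
    for stall_after seconds, and an MSS above the clamp value)."""
    flows = {}
    for line in trace.splitlines():
        m = PKT.match(line)
        if not m:
            continue
        src, dst, flags, rest = m.group('src', 'dst', 'flags', 'rest')
        t = seconds(m.group('ts'))
        if 'S' in flags and not ACK.search(rest):          # client SYN opens the flow
            flows[(src, dst)] = {'mss': {}, 'handshake': None, 'data': None, 'last': t}
        key = (src, dst) if (src, dst) in flows else (dst, src)
        f = flows.get(key)
        if f is None:
            continue                                        # packet of a flow we never saw open
        f['last'] = t
        mss = MSS.search(rest)
        if mss:
            f['mss'][src] = int(mss.group(1))               # SYN and SYN/ACK carry it
        if 'S' not in flags and f['handshake'] is None and ACK.search(rest):
            f['handshake'] = t                              # client's final ACK
        n = PAYLOAD.search(rest)
        if n and int(n.group(1)) > 0 and f['data'] is None:
            f['data'] = t
    report = {}
    for (client, server), f in flows.items():
        idle = (f['handshake'] is not None and f['data'] is None
                and f['last'] - f['handshake'] >= stall_after)
        report[client] = {'server': server, 'mss': f['mss'], 'stalled': idle,
                          'clamp_candidate': idle and max(f['mss'].values(), default=0) > max_mss}
    return report
```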



Re: CARP+pf+pfsync redundant firewalls running active/active doable?

2006-02-19 Thread Jason Stubbs

Joseph C. Bender wrote:

> Jason Stubbs wrote:
>
>> Hi,
>>
>> I'm looking to set up redundant firewalls in pretty much the same way
>> as is detailed in the PF FAQ. For discussion purposes, I've reproduced
>> the basic network layout below.
>
> From your description and questions below, it looks like you're not
> trying to do it the same way, and your understanding may be incomplete.

Apologies. I stated what I want to do but forgot to state the why. We're
moving to a new data center. Originally, I was looking at setting up
stock redundant firewalls but we will be charged almost as much for the
inactive line to the data center as the active line costs.

While inbound traffic isn't such a problem, output can reach up to 
60Mbps during peak times. Hence, what I'd like to do is run 2 active 
30Mbps lines and balance outgoing traffic between them rather than 
having active/passive 60Mbps lines.

> [Snip Layout]
>
>> Firewall External IP addresses
>> 10.0.0.1 nat'ed to sv1 with fw1 being the master
>> 10.0.0.2 nat'ed to sv2 with fw2 being the master
>>
>> Firewall Internal IP addresses
>> 192.168.0.1 with fw1 being the master
>> 192.168.0.2 with fw2 being the master
>
> Are these CARP'd addresses, as in you have multiple CARP interfaces
> per NIC?  If so, why?

CARP'd addresses, yes. The external addresses are those of the services 
being run on sv1 and sv2 (which are in fact LVS'd Linux farms). The 
multiple internal addresses are for the internal servers to round-robin 
outgoing traffic to.

>> Now with sv1's default route being set to 192.168.0.1 and sv2's
>> default route being set to 192.168.0.2 all should work fine (at least
>> as far as documentation goes). However, what I'd like to do is have
>> both sv1 and sv2 use both 192.168.0.1 and 192.168.0.2 for routing in a
>> round-robin fashion. With fw1 handling sv1's nat'ing, will fw2
>> correctly be able to un'nat and send out replies sent by sv1?
>
> I'm not going to answer this directly, mostly because I can't figure
> out, given you have a really kickass failover system, why you'd even
> want to do this.  Given you're using hardware that is capable of using
> em cards, box loading shouldn't be an issue.
>
> Put simply, you're trying to make this harder than it really is, I
> think.  I suggest the following, which is what we use at the office and
> is a heck of a lot closer to what the PF User's Guide suggests:

[snip configuration details]

> If fw1 goes paws up or needs maintenance, and if you've done everything
> right, fw2 will take the load almost instantly (within milliseconds in
> my experience).

This configuration is essentially what I'm looking at doing. The only 
difference is that instead of having one internal address, I'd like to 
have two. As I said above, the goal is to balance outgoing traffic and 
still have redundancy. I'm aware that when one box goes down there won't 
be enough bandwidth for peak times, but that's a cost/performance 
tradeoff that's been approved.

> [snip rest, as it's not relevant to my answer]
>
> My whole point is that with the CARP and pfsync redundancy, there's no
> need to have really complicated routes to and from your servers and
> their firewalls.

Actually, we'd need to be looking to find a way to balance outgoing 
traffic anyway. We're at about 60Mbps during peak times now but that's 
only going to grow. As we can only get a maximum of 100Mbps out of each 
line, overcoming that limit is also on the agenda.

From what I understand of the theory, it should work but I was hoping 
to get a "yes, I'm doing it" from somebody. Unless there's a reason it 
won't work, I'll be having a go and getting it set up in the first week 
of March and will write back with the results.


--
Jason Stubbs