thttpd with php
Does anyone use the thttpd webserver with PHP on OpenBSD? I don't know exactly what I need to do to run this webserver with PHP on OpenBSD. Is there documentation which explains this? Thanks!
openbsd 3.8 on a nokia ip110 and the reboot problems (it hangs after a soft reboot)
hi all,

i have a nokia ip110 (with 64mb ram), and it works BUT it has some quirks.

my doing for the install:

- boot the nokia ip with the org OS (ipso) and save the dmesg! (for the mac addresses of the NIC; the mac stored in the eprom of the intel nic on the IP is not the same as normal, no problem if we saved the info and use the lladdr param in the /etc/hostname.fxp) (see my org ipso dmesg below)
- put the HD in a working openbsd system. (for the torx screws i used a size 8)
- dd the org HD for the backup of the ipso
- format the IP HD with a ATA lowlevel format tool (for me i used the dft (Drive Fitness Test) from ibm/hitachi http://www.hitachigst.com/hdd/support/download.htm). the install worked only for me with the lowlevel format of the HD.
- install openbsd as normal BUT make sure:
    Start sshd(8) by default? [yes] y
    Change the default console to com0? [no] y (with 9600bps)
    /etc/boot.conf and /etc/ttys will be edited appropriately for you.
- if you want you can test the install first on the install system for booting.
- put the HD back to the IP
- connect the serial console with the settings 9600 8-N-1 and no flow control!
- power up the IP
- change the /etc/hostname.fxp0-2 to the correct mac addresses (with the lladdr param)

EOF

the showstopper for me is the reboot problem, so if i/we find no workaround for the bug the ip is going back to ebay...

best wishes
Wolfgang

org boot of the ipso box

[admin]# reboot
Feb 2 15:24:48 box [LOG_CRIT] reboot: rebooted by admin
Feb 2 15:24:48 box [LOG_CRIT] reboot: rebooted by admin
Feb 2 15:24:48 box [LOG_ERR] syslogd: exiting on signal 15
Feb 2 15:24:48 box [LOG_ERR] syslogd: exiting on signal 15
cleaning up...
syncing disks... 4 4 done
Rebooting...
1 Bootmgr
2 IPSO
Default: 1
-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\
Starting bootmgr
Loading boot manager..
Boot manager loaded.
Entering autoboot mode. Type any character to enter command mode.
Booting /dev/wd0f:/image/IPSO-3.8-BUILD031-04.09.2004-011500-1388/kernel
[kernel] symtab 90732000, sym_start 90732004, sym_end 90777454
[kernel] sym_size 5c5c, str_size 66150
[ preserving 0xab5a4 bytes of kernel symbol table ]
Copyright (c) 1982, 1986, 1989, 1991, 1993 The Regents of the University of California. All rights reserved.
Resizing packet buffers: mbufs 15360 clusters 7680
releng 1388 04.09.2004-011500
CPU: 267-MHz Pentium (586-class CPU)
real memory = 67108864 (64M bytes)
avail memory = 53735424 (51M bytes)
mediagx0 Cyrix GXLV CPU with PCI/Memory Controller rev 0 on pci0:0:0
mediagx1 Cyrix CS5530 PCI to ISA bridge rev 0 on pci0:18:0
mediagx2 Cyrix CS5530 SMI rev 0 on pci0:18:1
mediagx3 Cyrix CS5530 IDE rev 0 on pci0:18:2
cyrix 5530
Probing for devices on the ISA bus:
sio0 at 0x3f8-0x3ff irq 4 on isa
5sio0: type 16550A
sio1 at 0x2f8-0x2ff irq 3 on isa
5sio1: type 16550A
wdc0 at 0x1f0-0x1f7 irq 14 on isa
Setting using 0x1000
wd0: mw=0x2, pio=0x4, pcirev=0x0, udma=0x2
wdc0: unit 0 (wd0): IBM-DJSA-205, LBA, DMA
wd0: 5000MB (9767520 sectors), LBA geometry: 608 cyls, 255 heads, 63 S/T
wd0: Physical geometry: 10336 cyls, 15 heads, 63 S/T
npx0 on motherboard
npx0: INT 16 interface
superio0 at 0x0 on isa
SEEPROM revision: actual=1, latest=2
mediagx4 Cyrix CS5530 audio rev 0 on pci0:18:3
fxp0 Intel EtherExpress Pro 10/100B Ethernet rev 9 int a irq 6 slot 1
netlog:eth-s1p1 .. Ethernet address 0:a0:8e:20:31:78
fxp1 Intel EtherExpress Pro 10/100B Ethernet rev 9 int a irq 10 slot 2
netlog:eth-s2p1 .. Ethernet address 0:a0:8e:20:31:79
fxp2 Intel EtherExpress Pro 10/100B Ethernet rev 9 int a irq 11 slot 3
netlog:eth-s3p1 .. Ethernet address 0:a0:8e:20:31:7a
changing root device to wd0f
RTC: 02/02/06 15:25:44, A=26, B=42, C=00
swapon: adding /dev/wd0b as swap device
Automatic reboot in progress...
/dev/rwd0f: clean, 310124 free (756 frags, 38671 blocks, 0.2% fragmentation)
/dev/rwd0a: clean, 38167 free (15 frags, 4769 blocks, 0.0% fragmentation)
/dev/rwd0d: clean, 2749305 free (145 frags, 343645 blocks, 0.0% fragmentation)
/dev/rwd0e: clean, 529594 free (42 frags, 66194 blocks, 0.0% fragmentation)
Feb 2 15:26:03 xpand[39]: xpand will perform upgrade if necessary
clearing /tmp
checking for core dump...savecore: no core dump
recording kernel -c changes
starting system daemons:
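The step that pins the MAC addresses with the lladdr keyword is the one most easily got wrong by hand. The following script is an added example, not part of Wolfgang's post: it reads the "Ethernet address" lines out of a saved IPSO dmesg and prints the body of an /etc/hostname.fxpN file, an lladdr line first so ifconfig(8) sets the MAC before the address is configured (hostname.if(5) hands such lines to ifconfig). The sample dmesg text is constructed from the shape of the one above; the addresses 192.0.2.x are documentation placeholders.

```shell
#!/bin/sh
# Added example, not from Wolfgang's post: turn the "Ethernet address" lines of a
# saved IPSO dmesg into /etc/hostname.fxpN contents that pin the MAC with the
# lladdr keyword (hostname.if(5) passes such lines to ifconfig(8)).
# Assumption: the dmesg names each NIC on a line starting with fxpN and prints
# its MAC on the same or a following line as "Ethernet address xx:xx:...".

# Constructed sample, shaped like the dmesg quoted in the post.
SAMPLE_DMESG='fxp0 Intel EtherExpress Pro 10/100B Ethernet rev 9 int a irq 6 slot 1
netlog:eth-s1p1 .. Ethernet address 0:a0:8e:20:31:78
fxp1 Intel EtherExpress Pro 10/100B Ethernet rev 9 int a irq 10 slot 2
netlog:eth-s2p1 .. Ethernet address 0:a0:8e:20:31:79
fxp2 Intel EtherExpress Pro 10/100B Ethernet rev 9 int a irq 11 slot 3
netlog:eth-s3p1 .. Ethernet address 0:a0:8e:20:31:7a'

# mac_for_iface IFACE DMESG_TEXT
# Prints the MAC recorded for IFACE, each octet zero-padded to two hex digits.
mac_for_iface() {
    printf '%s\n' "$2" | awk -v want="$1" '
        $1 ~ /^fxp[0-9]+$/ { cur = $1 }          # remember which NIC we are in
        /Ethernet address/ && cur == want {
            n = split($NF, o, ":")               # last field is the MAC
            out = ""
            for (i = 1; i <= n; i++) {
                if (length(o[i]) == 1) o[i] = "0" o[i]
                out = out (i > 1 ? ":" : "") o[i]
            }
            print out
            exit
        }'
}

# hostname_if IFACE DMESG_TEXT INET_ADDR NETMASK
# Prints the hostname.if(5) body: the lladdr line, then the inet line.
# A missing MAC is an error: bringing the NIC up with the EEPROM default is
# exactly what the post says to avoid.
hostname_if() {
    mac=$(mac_for_iface "$1" "$2")
    [ -n "$mac" ] || { echo "no MAC for $1 in dmesg" >&2; return 1; }
    printf 'lladdr %s\ninet %s %s NONE\n' "$mac" "$3" "$4"
}

# On the real box, as root, after eyeballing the output once:
#   hostname_if fxp0 "$(cat /path/to/saved-ipso-dmesg)" 192.0.2.1 255.255.255.0 > /etc/hostname.fxp0
hostname_if fxp0 "$SAMPLE_DMESG" 192.0.2.1 255.255.255.0
```

Run it once per NIC and compare the printed lladdr against the saved dmesg before writing the file; the zero-padding only normalizes the IPSO spelling of the address, the value is unchanged.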
nologin shell allows me to connect to FTP server
Hello everybody. I thought that the nologin shell disallows access for a user account on all services. But I'm still able to connect to the FTP server and POPA3D even though that user ID has the nologin shell assigned. Is this correct behaviour? If so, what is the difference between the nologin shell and the false shell? Thank you for all replies. MK
Re: thttpd with php
On 2006/02/19 15:31, Kiraly Zoltan wrote:
> Does anyone use the thttpd webserver with PHP on OpenBSD? I don't know exactly what I need to do to run this webserver with PHP on OpenBSD. Is there documentation which explains this?

CGI is possibly the easiest way, bearing in mind you won't handle a high PHP load with thttpd anyway (it serializes PHP requests even with the module version).

Other options:
- there's 'premium thttpd' (commercial) which multithreads FastCGI
- aolserver (MPL) or Roxen (GPL) have PHP modules which should perform better than thttpd (though I don't know how PHP performance compares with Apache). Neither are in ports/packages though.
Re: nologin shell allows me to connect to FTP server
On Sun, 19 Feb 2006, MK wrote:
> Hello everybody. I thought that the nologin shell disallows access for a user account on all services. But I'm still able to connect to the FTP server and POPA3D even though that user ID has the nologin shell assigned. Is this correct behaviour? If so, what is the difference between the nologin shell and the false shell?

It is correct behaviour. The difference between nologin and false is described in the man page of nologin.

	-Otto
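The shell field only matters to programs that actually consult it. The script below is an added example, not part of this thread: it lists the accounts whose shell is nologin or false and shows whether that shell is listed in /etc/shells. It assumes what OpenBSD's ftpd(8) documents, that users whose shell is not returned by getusershell(3), i.e. not in /etc/shells, are refused, and that daemons which only verify the password (the original post reports this for POPA3D) never look at the shell. The passwd and shells contents are constructed samples with placeholder hashes.

```shell
#!/bin/sh
# Added example, not part of the thread: list accounts whose login shell is
# nologin or false and show whether that shell is listed in /etc/shells.
# Assumptions: OpenBSD ftpd(8) refuses users whose shell is not returned by
# getusershell(3), i.e. not in /etc/shells; daemons that only verify the
# password (the post reports this for POPA3D) never read the shell field.

# Constructed sample files standing in for /etc/passwd and /etc/shells.
# The hash fields are placeholders, not real hashes.
SAMPLE_PASSWD='root:PLACEHOLDER_HASH:0:0:Charlie &:/root:/bin/ksh
mk:PLACEHOLDER_HASH:1001:1001:MK:/home/mk:/sbin/nologin
ftponly:PLACEHOLDER_HASH:1002:1002:FTP only:/home/ftponly:/bin/false
bill:PLACEHOLDER_HASH:1003:1003:Bill:/home/bill:/bin/sh'
SAMPLE_SHELLS='/bin/sh
/bin/ksh
/bin/csh
/bin/false'

# blocked_accounts PASSWD_TEXT SHELLS_TEXT
# Prints "user shell status" for each nologin/false account; status says what
# an /etc/shells-checking daemon such as ftpd would do with that login.
blocked_accounts() {
    printf '%s\n' "$1" | SHELLS="$2" awk -F: '
        BEGIN {
            n = split(ENVIRON["SHELLS"], s, "\n")
            for (i = 1; i <= n; i++) if (s[i] != "") listed[s[i]] = 1
        }
        $7 ~ /\/(nologin|false)$/ {
            status = ($7 in listed) ? "ftp-allowed(shell listed in /etc/shells)" : "ftp-denied"
            print $1, $7, status
        }'
}

# count_ftp_exposed PASSWD_TEXT SHELLS_TEXT
# Number of "disabled" accounts that an /etc/shells check would still let in.
count_ftp_exposed() {
    blocked_accounts "$1" "$2" | grep -c 'ftp-allowed' || true
}

# Stand-alone run against the constructed sample; on a real box use
#   blocked_accounts "$(cat /etc/passwd)" "$(cat /etc/shells)"
blocked_accounts "$SAMPLE_PASSWD" "$SAMPLE_SHELLS"
echo "accounts ftpd would still accept: $(count_ftp_exposed "$SAMPLE_PASSWD" "$SAMPLE_SHELLS")"
```

For the sample, mk (/sbin/nologin, not in /etc/shells) is reported as ftp-denied while ftponly (/bin/false, listed in /etc/shells) is reported as still acceptable to ftpd. Either way a disabled shell says nothing to a daemon that only checks the password, so an account meant to be disabled everywhere needs its password locked as well, not just its shell changed.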
Re: OpenBGPD dropping sessions.
On 17/02/06, Henning Brauer [EMAIL PROTECTED] wrote:
> * Pete Bristow [EMAIL PROTECTED] [2006-02-17 13:16]:
>> Feb 17 12:16:05 a bgpd[28123]: neighbor 217.112.a.b (BD01): state change Established -> Idle, reason: Connection closed
>> Was all I got.
>
> and there is your reason, the remote router closed the connection (aka, tcp session went down). Why, we cannot know.

I'd bet my half-full beer that you hit the max-prefix limit of your peer.

/Tony
Re: Redundant Failover Firewalls
* John Brooks [EMAIL PROTECTED] [2006-02-19 02:43]:
> I am needing to build two identical failover firewalls with openbsd, pf, pfsync, and carp. So far simple enough, with so many articles and examples available. All of these are using NAT. However, I am needing to use public IP's out of a /25 allocation, without NAT. I have not been able to find any articles or examples that discuss doing this in a routed manner.

well - where should the problem be? just leave the nat rules out.

--
BS Web Services, http://www.bsws.de/
OpenBSD-based Webhosting, Mail Services, Managed Servers, ...
Unix is very simple, but it takes a genius to understand the simplicity. (Dennis Ritchie)
Re: thttpd with php
Sorry, I did not read, like an idiot. Maybe this is more helpful.

http://halplant.com:88/server/thttpd_FAQ.html#PHP

On Sun, Feb 19, 2006 at 09:40:33AM -0500, Clint M. Sand wrote:
> On Sun, Feb 19, 2006 at 03:31:47PM +0200, Kiraly Zoltan wrote:
>> Does anyone use the thttpd webserver with PHP on OpenBSD? I don't know exactly what I need to do to run this webserver with PHP on OpenBSD. Is there documentation which explains this? Thanks!
>
> $ cd /usr/ports/
> $ make search key=thttpd
> Port:   thttpd-2.25b
> Path:   www/thttpd
> Info:   tiny/turbo/throttling HTTP server
> Maint:  Jakob Schlyter [EMAIL PROTECTED]
> Index:  www
> L-deps:
> B-deps:
> R-deps:
> Archs:  any
>
> Just install the port or package.
> http://www.openbsd.org/ports.html
> http://www.openbsd.org/3.8_packages/i386/thttpd-2.25b.tgz-long.html
Re: thttpd with php
Stuart Henderson [EMAIL PROTECTED] wrote:
> CGI is possibly the easiest way, bearing in mind you won't handle a high PHP load with thttpd anyway (it serializes PHP requests even with the module version).
> Other options - [...]

lighttpd with fastcgi php?

--
Christian "naddy" Weisgerber [EMAIL PROTECTED]
Correct directory for group files
Hi,

I have a photo collection which I would like multiple users to be able to access, and I would like to do this by storing the files in a central location on my disk and linking /home/$USER/photos to that directory. Where is the most appropriate place in the filesystem for this directory? I've considered both /home/photos and /var/photos, but I'm not quite sure if one is better than the other, or if it just doesn't make a difference. Any advice would be appreciated.

Thanks,
Bill
Re: Correct directory for group files
It probably doesn't make a difference, except if your /var partition (or /home for that matter) won't hold the photos directory as well as the regular data that is held there. But I do remember that in OpenBSD you can save your /home directory when upgrading, so there's something to keep in mind.

Hope this helps
-A Rossi

William Kranec wrote:
> Hi,
>
> I have a photo collection which I would like multiple users to be able to access, and I would like to do this by storing the files in a central location on my disk and linking /home/$USER/photos to that directory. Where is the most appropriate place in the filesystem for this directory? I've considered both /home/photos and /var/photos, but I'm not quite sure if one is better than the other, or if it just doesn't make a difference. Any advice would be appreciated.
>
> Thanks,
> Bill
Re: Correct directory for group files
> Where is the most appropriate place in the filesystem for this directory? I've considered both /home/photos and /var/photos, but I'm not quite sure if one is better than the other, or if it just doesn't make a difference.

if you put them on /var and run out of space due to people stuffing pr0n or baby photos (the difference is debatable) then apps that store stuff in /var like mysql may die due to lack of space. if you put them on /home your users can't work. it depends on who you want to suffer the pain. in this case, i usually go for the users; at least there's some link in responsibility to the issue at hand.

cheers,
scorch
--
out of the frying pan and into the fire
Re: Correct directory for group files
On Sun, Feb 19, 2006 at 11:03:44PM +0100, scorch wrote:
> if you put them on /var and run out of space [...]

quota(1) and referenced documentation may help.
Re: Correct directory for group files
On Sun, 19 Feb 2006 16:19:01 -0500 William Kranec [EMAIL PROTECTED] wrote:
> Hi,
>
> I have a photo collection which I would like multiple users to be able to access, and I would like to do this by storing the files in a central location on my disk and linking /home/$USER/photos to that directory. Where is the most appropriate place in the filesystem for this directory? I've considered both /home/photos and /var/photos, but I'm not quite sure if one is better than the other, or if it just doesn't make a difference. Any advice would be appreciated.
>
> Thanks,
> Bill

I'm partial to /pub
HP ML110
Hi All,

Can anyone comment on the compatibility of the HP ML110 server with the 3.8 release?

Thanks.
Re: Correct directory for group files
William Kranec wrote:
> Hi,
>
> I have a photo collection which I would like multiple users to be able to access, and I would like to do this by storing the files in a central location on my disk and linking /home/$USER/photos to that directory. Where is the most appropriate place in the filesystem for this directory? I've considered both /home/photos and /var/photos, but I'm not quite sure if one is better than the other, or if it just doesn't make a difference.

#1: It should be on a filesystem that is writable by users in the normal case.
#2: If possible, it should be on its own filesystem.

I would favor /usr/photos or simply /photos. I reserve /var for application data, and /home for each user's private data... but if it can't be its own filesystem, I'd say /home/photos. If there were going to be a lot of directories like photos that were shared users' data, I might consider /share/photos (and /share/music, and...).

--
Matthew Weigel
spamd-setup doesn't return
Hi,

on a server which ran fine for a long time spamd-setup doesn't return anymore (at least for a couple of days until I kill it). Does anyone have an idea how to troubleshoot this? spamd-setup seems to update the tables and then simply wait forever. spamd.conf hasn't been altered since spamhaus has gone paid-for. The first occurrence of this problem was on feb 10 or 11.

# uname -a
OpenBSD [cut] 3.7 GENERIC#0 i386
# /usr/libexec/spamd-setup -d
Getting http://www.openbsd.org/spamd/spews_list_level1.txt.gz
blacklist spews1 15353 entries
whitelist mywhite 15358 entries
blacklist myblack 0 entries
^C
# cat /etc/spamd.conf
all:\
	:spews1:mywhite:myblack:

# Mirrored from http://www.spews.org/spews_list_level1.txt
spews1:\
	:black:\
	:msg=SPAM. Your address %A is in the spews level 1 database\n\
	See http://www.spews.org/ask.cgi?x=%A for more details:\
	:method=http:\
	:file=www.openbsd.org/spamd/spews_list_level1.txt.gz:

mywhite:\
	:white:\
	:method=file:\
	:file=/etc/spamdwhite.txt:

myblack:\
	:black:\
	:msg=SPAM. Your address %A is in my blacklist.\n Contact ++xx \
	xxx xxx for details.:\
	:method=file:\
	:file=/etc/spamdblack.txt:

thanks for reading,
knitti
Re: viasio hw.sensors problem
On 15/02/06, Sable Keech [EMAIL PROTECTED] wrote:
> TEMP1 is not shown when calling sysctl hw.sensors. If I combine the command with 'openssl speed' it shows the temperature. Bad hardware? (new board, didn't run openbsd on it before, so i don't know if it ever worked.)
>
> viasio0 at isa0 port 0x2e/2: VT1211 rev 0x02: HM WDG: not activated

Yes, bad design (of the available datasheet for VT1211). VIA does not seem to provide adequate documentation for the chip, which is needed in order to know how to convert the raw data into Kelvins. Their datasheet for VT1211 dated 2002-01-08, Revision 1.0 goes around the net (google VT1211 filetype:pdf), but it does not seem to contain the magic formula. And as there is no formula, the conversion table is thus guessed; so I guess what you experience is the lack of conversion values for the lower temperatures that the board has whilst idling.

tvc:sys {1134} grep -A3 uK /usr/src/sys/dev/isa/viasio.c
	/* Convert to uK */
	/* XXX: conversion function is guessed */
	val = viasio_raw2temp(val);
	if (val == -1) {

Also, some comments are available at http://www.almico.com/foruminfo.php?id=879461

Cheers,
Constantine.
PF problem? Connection reset, but only from behind NAT.
Ok, this is crazy. I read about that new OpenBSD LiveCD so I wanted to try it. (http://g.paderni.free.fr/olivebsd/) I click on the page and... Nothing happens. Neither in Opera nor Firefox (that's my desktop, linux). So, just to verify, I open it via lynx from my OpenBSD router, and it opens... And I just had problems opening another site hosted by free.fr, same story, opens from router, not from desktop. Any ideas what i should be looking at?

Here's tcpdump (tcpdump -p -nn host 212.27.63.124) when opening it via lynx from router:

TCPDUMP
01:44:55.741008 62.121.113.251.31886 > 212.27.63.124.80: SWE 4252130529:4252130529(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 1699248027 0> (DF)
01:44:55.783597 212.27.63.124.80 > 62.121.113.251.31886: S 976963389:976963389(0) ack 4252130530 win 5792 <mss 1460,sackOK,timestamp 960425614 1699248027,nop,wscale 8> (DF)
01:44:55.783700 62.121.113.251.31886 > 212.27.63.124.80: . ack 1 win 16384 <nop,nop,timestamp 1699248027 960425614> (DF)
01:44:55.790935 62.121.113.251.31886 > 212.27.63.124.80: P 1:233(232) ack 1 win 16384 <nop,nop,timestamp 1699248027 960425614> (DF)
01:44:55.834654 212.27.63.124.80 > 62.121.113.251.31886: . ack 233 win 27 <nop,nop,timestamp 960425627 1699248027> (DF)
01:44:55.877260 212.27.63.124.80 > 62.121.113.251.31886: . 1:1449(1448) ack 233 win 27 <nop,nop,timestamp 960425637 1699248027> (DF)
01:44:55.878099 212.27.63.124.80 > 62.121.113.251.31886: . 1449:2897(1448) ack 233 win 27 <nop,nop,timestamp 960425637 1699248027> (DF)
01:44:55.878227 62.121.113.251.31886 > 212.27.63.124.80: . ack 2897 win 14936 <nop,nop,timestamp 1699248028 960425637> (DF)
01:44:55.920781 212.27.63.124.80 > 62.121.113.251.31886: . 2897:4345(1448) ack 233 win 27 <nop,nop,timestamp 960425648 1699248028> (DF)
01:44:55.920938 62.121.113.251.31886 > 212.27.63.124.80: . ack 4345 win 16384 <nop,nop,timestamp 1699248028 960425648> (DF)
01:44:55.921050 212.27.63.124.80 > 62.121.113.251.31886: . 4345:5793(1448) ack 233 win 27 <nop,nop,timestamp 960425648 1699248028> (DF)
01:44:55.930243 212.27.63.124.80 > 62.121.113.251.31886: . 5793:7241(1448) ack 233 win 27 <nop,nop,timestamp 960425648 1699248028> (DF)
01:44:55.930312 62.121.113.251.31886 > 212.27.63.124.80: . ack 7241 win 14936 <nop,nop,timestamp 1699248028 960425648> (DF)
01:44:55.974415 212.27.63.124.80 > 62.121.113.251.31886: . 7241:8689(1448) ack 233 win 27 <nop,nop,timestamp 960425662 1699248028> (DF)
01:44:55.974553 62.121.113.251.31886 > 212.27.63.124.80: . ack 8689 win 16384 <nop,nop,timestamp 1699248028 960425662> (DF)
01:44:55.974794 212.27.63.124.80 > 62.121.113.251.31886: . 8689:10137(1448) ack 233 win 27 <nop,nop,timestamp 960425662 1699248028> (DF)
01:44:55.986491 212.27.63.124.80 > 62.121.113.251.31886: . 10137:11585(1448) ack 233 win 27 <nop,nop,timestamp 960425662 1699248028> (DF)
01:44:55.986619 62.121.113.251.31886 > 212.27.63.124.80: . ack 11585 win 14936 <nop,nop,timestamp 1699248028 960425662> (DF)
01:44:55.990232 212.27.63.124.80 > 62.121.113.251.31886: FP 14481:14912(431) ack 233 win 27 <nop,nop,timestamp 960425662 1699248028> (DF)
01:44:55.990416 62.121.113.251.31886 > 212.27.63.124.80: . ack 11585 win 16384 <nop,nop,timestamp 1699248028 960425662,nop,nop,sack 1 {14481:14912}> (DF)
01:44:56.002667 212.27.63.124.80 > 62.121.113.251.31886: . 11585:13033(1448) ack 233 win 27 <nop,nop,timestamp 960425662 1699248028> (DF)
01:44:56.002783 62.121.113.251.31886 > 212.27.63.124.80: . ack 13033 win 14936 <nop,nop,timestamp 1699248028 960425662,nop,nop,sack 1 {14481:14912}> (DF)
01:44:56.014837 212.27.63.124.80 > 62.121.113.251.31886: . 13033:14481(1448) ack 233 win 27 <nop,nop,timestamp 960425662 1699248028> (DF)
01:44:56.014944 62.121.113.251.31886 > 212.27.63.124.80: . ack 14913 win 14505 <nop,nop,timestamp 1699248028 960425662> (DF)
01:44:56.030833 62.121.113.251.31886 > 212.27.63.124.80: F 233:233(0) ack 14913 win 16384 <nop,nop,timestamp 1699248028 960425662> (DF)
01:44:56.074224 212.27.63.124.80 > 62.121.113.251.31886: . ack 234 win 27 <nop,nop,timestamp 960425687 1699248028> (DF)
01:45:10.422854 62.121.113.251.55826 > 212.27.63.124.80: FP 1022798788:1022799222(434) ack 942035112 win 1460 <nop,nop,timestamp 192768686 960421549> (DF)
01:45:10.466259 212.27.63.124.80 > 62.121.113.251.55826: R 942035112:942035112(0) win 0 (DF)

Now when i try to open it from my internal machine, this is what happens (same tcpdump command):

TCPDUMP
01:53:41.212087 62.121.113.251.57178 > 212.27.63.124.80: S 1606868703:1606868703(0) win 5840 <mss 1460,sackOK,timestamp 192896449 0,nop,wscale 2> (DF)
01:53:41.254268 212.27.63.124.80 > 62.121.113.251.57178: S 1537657453:1537657453(0) ack 1606868704 win 5792 <mss 1460,sackOK,timestamp 960557071 192896449,nop,wscale 8> (DF)
01:53:41.254626 62.121.113.251.57178 > 212.27.63.124.80: . ack 1 win 1460 <nop,nop,timestamp 192896460 960557071> (DF)
01:54:11.108603 212.27.63.124.80 > 62.121.113.251.57178: . ack 1 win 23 <nop,nop,timestamp 960564582 192896460> (DF) [tos 0x80]
01:54:11.108821
Re: PF problem? Connection reset, but only from behind NAT.
> No set options in pf.conf, i had scrub in, then changed to scrub in on $ext_if, then commented out at all. Quite simple NAT, couple rules redirecting incoming traffic, pass out keep state. Or should I paste the whole thing?
>
> 3.9 GENERIC#597 i386, snapshot from 5th/6th Feb, or should I paste the whole thing? I'll have to reboot for that, as for now it got filled with messages about me trying to write to a full system, eh, the habit of mirroring whole install sets of various distributions... ;)
>
> Thanks in advance for any help, pointers, or kicks in the right direction. I think i saw someone with a problem like that, but didn't manage to find anything in the archives...
>
> --
> viq (I am subscribed to the list)

I had something like this problem awhile ago. It had to do with something regarding the default max-mss values. Don't know the exact details, but changing the scrub lines to the below solved my issue, perhaps yours too.

scrub in all max-mss 1452
scrub out all max-mss 1452

Hope that helps, or at least gives you something else to look at.

best regards,
Reid Nichol

We're in a giant car heading into a brick wall at 100 miles/hr and everybody's arguing about where they want to sit. -David Suzuki
Re: CARP+pf+pfsync redundant firewalls running active/active doable?
Joseph C. Bender wrote:
> Jason Stubbs wrote:
>> Hi,
>>
>> I'm looking to set up redundant firewalls in pretty much the same way as is detailed in the PF FAQ. For discussion purposes, I've reproduced the basic network layout below.
>
> From your description and questions below, it looks like you're not trying to do it the same way, and your understanding may be incomplete.

Apologies. I stated what I want to do but forgot to state the why. We're moving to a new data center. Originally, I was looking at setting up stock redundant firewalls but we will be charged almost as much for the inactive line to the data center as the active line costs. While inbound traffic isn't such a problem, output can reach up to 60Mbps during peak times. Hence, what I'd like to do is run 2 active 30Mbps lines and balance outgoing traffic between them rather than having active/passive 60Mbps lines.

> [Snip Layout]
>
>> Firewall External IP addresses
>> 10.0.0.1 nat'ed to sv1 with fw1 being the master
>> 10.0.0.2 nat'ed to sv2 with fw2 being the master
>>
>> Firewall Internal IP addresses
>> 192.168.0.1 with fw1 being the master
>> 192.168.0.2 with fw2 being the master
>
> Are these CARP'd addresses, as in you have multiple CARP interfaces per NIC? If so, why?

CARP'd addresses, yes. The external addresses are those of the services being run on sv1 and sv2 (which are in fact LVS'd Linux farms). The multiple internal addresses are for the internal servers to round-robin outgoing traffic to.

>> Now with sv1's default route being set to 192.168.0.1 and sv2's default route being set to 192.168.0.2 all should work fine (at least as far as documentation goes). However, what I'd like to do is have both sv1 and sv2 use both 192.168.0.1 and 192.168.0.2 for routing in a round-robin fashion. With fw1 handling sv1's nat'ing, will fw2 correctly be able to un'nat and send out replies sent by sv1?
>
> I'm not going to answer this directly, mostly because I can't figure out, given you have a really kickass failover system, why you'd even want to do this. Given you're using hardware that is capable of using em cards, box loading shouldn't be an issue. Put simply, you're trying to make this harder than it really is, I think. I suggest the following, which is what we use at the office and is a heck of a lot closer to what the PF User's Guide suggests:
>
> [snip configuration details]
>
> If fw1 goes paws up or needs maintenance, and if you've done everything right, fw2 will take the load almost instantly (within milliseconds in my experience).

This configuration is essentially what I'm looking at doing. The only difference is that instead of having one internal address, I'd like to have two. As I said above, the goal is to balance outgoing traffic and still have redundancy. I'm aware that when one box goes down there won't be enough bandwidth for peak times, but that's a cost/performance tradeoff that's been approved.

> [snip rest, as it's not relevant to my answer]
>
> My whole point is that with the CARP and pfsync redundancy, there's no need to have really complicated routes to and from your servers and their firewalls.

Actually, we'd need to be looking to find a way to balance outgoing traffic anyway. We're at about 60Mbps during peak times now but that's only going to grow. As we can only get a maximum of 100Mbps out of each line, overcoming that limit is also on the agenda.

From what I understand of the theory, it should work but I was hoping to get a "yes, I'm doing it" from somebody. Unless there's a reason it won't work, I'll be having a go and getting it set up in the first week of March and will write back with the results.

--
Jason Stubbs