relayd for lan servers with carp and pfsync

2012-08-16 Thread Indunil Jayasooriya
Hi misc,


I have 2 OpenBSD 5.1 64bit boxes. I want to set up relayd for LAN servers
with carp and pfsync for LAN USERS.

What I want to achieve is that LAN USERS connect to the carp1 ip address ( lan
shared ip - 192.168.0.100 ). Then, relayd will redirect that traffic to 2
lan servers running the services http, smtp and pop. If one server goes down,
relayd will remove it from the table.


This is what I did.

Let's assume the 2 OpenBSD 5.1 64bit boxes are fw1 and fw2


fw1

em0 - 192.168.0.10 (and carp1 -  LAN shared IP - 192.168.0.100 )

em1 - 192.168.9.67 ( for pfsync )

fw2

em0 - 192.168.0.11 (and carp1 -  LAN shared IP - 192.168.0.100 )

em1 - 192.168.9.68 ( for pfsync )


LAN shared IP: 192.168.0.100 ( carp1 ip address on both nodes fw1 and fw2 )



net.inet.ip.forwarding=1  in /etc/sysctl.conf on both fw1 and fw2



Configure fw1:

! enable preemption and group interface failover
# sysctl -w net.inet.carp.preempt=1


! configure pfsync
# ifconfig em1 192.168.9.67 netmask 255.255.255.0
# ifconfig pfsync0 syncdev em1
# ifconfig pfsync0 up

! configure CARP on the LAN side
# ifconfig carp1 create
# ifconfig carp1 vhid 1 carpdev em0 pass lanpasswd \
 192.168.0.100 netmask 255.255.255.0



Configure fw2:

! enable preemption and group interface failover
# sysctl -w net.inet.carp.preempt=1

! configure pfsync
# ifconfig em1 192.168.9.68 netmask 255.255.255.0
# ifconfig pfsync0 syncdev em1
# ifconfig pfsync0 up

! configure CARP on the LAN side
# ifconfig carp1 create
# ifconfig carp1 vhid 1 carpdev em0 pass lanpasswd \
 advskew 128 192.168.0.100 netmask 255.255.255.0



/etc/pf.conf looks like this on both nodes ( fw1 and fw2 )


# cat /etc/pf.conf

#   $OpenBSD: pf.conf,v 1.50 2011/04/28 00:19:42 mikeb Exp $
#
# See pf.conf(5) for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

ext_if=em0
pfsync_if=em1

servers = { 192.168.0.66, 192.168.0.67 }

set skip on lo

# filter rules and anchor for ftp-proxy(8)
#anchor ftp-proxy/*
#pass in quick inet proto tcp to port ftp divert-to 127.0.0.1 port 8021

# anchor for relayd(8)
#anchor relayd/*

pass quick on { em1 } proto pfsync keep state (no-sync)
pass on { em0 em1 } proto carp keep state

##END

pass log  # to establish keep-state

# rules for spamd(8)
#table spamd-white persist
#table nospamd persist file /etc/mail/nospamd
#pass in on egress proto tcp from any to any port smtp \
#rdr-to 127.0.0.1 port spamd
#pass in on egress proto tcp from nospamd to any port smtp
#pass in log on egress proto tcp from spamd-white to any port smtp
#pass out log on egress proto tcp to any port smtp


#block in quick from urpf-failed to any # use with care

# By default, do not permit remote connections to X11
#block in on ! lo0 proto tcp to port 6000:6010

/etc/relayd.conf is like this on both nodes ( fw1 and fw2 )



# cat /etc/relayd.conf

# $OpenBSD: relayd.conf,v 1.14 2011/04/07 13:33:52 reyk Exp $
#
# Macros
#

ext_addr=192.168.0.100
webhost1=192.168.0.66
webhost2=192.168.0.67

table servers { $webhost1 $webhost2 }

redirect www {
  listen on $ext_addr port 80
  #forward to servers port 80 mode loadbalance check tcp
  forward to servers port 80 mode roundrobin check tcp
}

redirect smtp {
  listen on $ext_addr port 25
  #forward to servers port 25 mode loadbalance check tcp
  forward to servers port 25 mode roundrobin check tcp
}

redirect pop {
  listen on $ext_addr port 110
  #forward to servers port 110 mode loadbalance check tcp
  forward to servers port 110 mode roundrobin check tcp
}



Then I issued the below 2 commands on both nodes (fw1 and fw2 )


# pfctl -f /etc/pf.conf


# relayd


Then, from a LAN PC ( actually my Fedora 12 desktop), I executed the below 2
commands


telnet 192.168.0.100 80 and  telnet 192.168.0.100 25


Both worked in a round robin manner as I expected.


Then, I added these on both nodes ( fw1 and fw2 )


/etc/hostname.carp1
inet 192.168.0.100 255.255.255.0 192.168.0.255 vhid 1 carpdev em0 \
pass lanpasswd

/etc/hostname.pfsync0
up syncdev em1




Then, I rebooted both hosts (first fw1 and then fw2 )


Then, I ran the telnet command again to the carp1 ip address ( 192.168.0.100 ) in the
following way,


telnet 192.168.0.100 80 and  telnet 192.168.0.100 25



It does NOT work.

Could you pls let me know why?



Since fw2 is backup, I think /etc/hostname.carp1 should be different ( with
advskew 128 ) in the following way?



/etc/hostname.carp1
inet 192.168.0.100 255.255.255.0 192.168.0.255 vhid 1 carpdev em0 \
pass lanpasswd advskew 128


relayctl show summary gives this on both nodes ( Pls note that
port pop3 is NOT yet configured )


# relayctl show summary

Id   Type       Name          Avlblty   Status
1    redirect   www                     active
1    table      servers:80              active (2

Re: Question about redirecting to a multiple log files from pflogd

2012-08-16 Thread MERIGHI Marcus
carlopm...@gmail.com (C. L. Martinez), 2012.08.15 (Wed) 20:20 (CEST):
 On Tue, Aug 14, 2012 at 10:00 AM, C. L. Martinez carlopm...@gmail.com
wrote:
  Hi all,
 
   I have some rules that I would like to redirect in syslog format to a
  log file. I don't need to touch /var/log/pflog. To accomplish this I
  have tried to start pflogd daemon with the following options:
 
   -s 256 -i pflog0 -f /var/log/pflog -i pflog1 -f /tmp/test.log
 
   ... but it doesn't work. After, I have tried to start another pflogd
  instance with -s 256 -i pflog1 -f /tmp/test.log:
 
  25317 ??  S   0:49.58 pflogd: [running] -s 256 -i pflog1 -f
  /tmp/test.log (pflogd)
  13851 ??  Ss  0:00.23 ntpd: ntp engine (ntpd)
  16445 ??  Is  0:00.03 ntpd: dns engine (ntpd)
  11227 ??  Ss  0:00.02 ntpd: [priv] (ntpd)
  21752 ??  Is  0:00.05 /usr/sbin/sshd
  14014 ??  Ss  0:00.30 sendmail: accepting connections (sendmail)
  14724 ??  Is  0:00.01 /usr/sbin/ftp-proxy
  14277 ??  Ss  0:00.04 /usr/sbin/cron
  11070 ??  Ss  0:35.46 sshd: root@ttyp0 (sshd)
  18112 ??  Is  0:00.01 pflogd: [priv] (pflogd)
  14997 ??  S   0:01.08 pflogd: [running] -s 256 -i pflog0 -f
  /var/log/pflog (pflogd)
 
   .. but it doesn't work. /var/log/pflog doesn't register activity
  (pflog0 and pflog1 interfaces are up)
 
   At this stage, I only need to try if this approach works using
  tcpdump file format in both log files ...
 
   Is it possible to use several pflogX interfaces and redirect all logs
  to several log files?? I am using OpenBSD 5.1
 
  Thanks.

 Please, any tip??

I'm not completely sure I understand what you want: is your log file
supposed to contain tcpdump(8) binary format or the format resulting
from tcpdump -r file or tcpdump -i pflogX?

anyway, I use the following to get tcpdump -i pflogX to syslog:

#!/bin/sh -e
ifconfig pflog0 > /dev/null 2>&1 || sudo ifconfig pflog0 create up
logger -p local1.notice -t pflog |&
logger_pid=${!}
exec 5<&p 6>&p
exec 1>&6
exec /usr/sbin/tcpdump -qtvneli pflog0 2>&1

bye, Marcus




pf 'synproxy state' doesn't work with pppoe

2012-08-16 Thread LEVAI Daniel
Hi!


I'm using 5.1-stable on two machines with pppoe connections. The pf
synproxy state option doesn't work on pppoe interfaces, it just sends
back a TCP reset when trying to connect to a port configured with
synproxy state.

Meanwhile it works on any other interface (eg. the internal LAN
interface).

This rule works:
pass in quick on vge0 inet proto tcp from any to vge0 port  synproxy state

This rule doesn't work:
pass in quick on pppoe0 inet proto tcp from any to pppoe0 port  synproxy state

I'm testing with simple `nc -l ` listens and `nc dst ` connections.

When connecting to the pppoe interface this is happening:
Aug 16 12:08:55.383308 client.5451 > host.: S 1485898386:1485898386(0) win 16384 <mss 1452,nop,nop,sackOK,nop,wscale 3,nop,nop,timestamp 1254725494 0> (DF)
Aug 16 12:08:55.383384 host. > client.5451: S 639112012:639112012(0) ack 1485898387 win 0 <mss 1452> (DF) [tos 0x10]
Aug 16 12:08:55.397346 client.5451 > host.: . ack 1 win 16384 (DF)
Aug 16 12:08:55.397368 host. > client.5451: R 3655855284:3655855284(0) ack 752585916 win 0 (DF) [tos 0x10]

When connecting to a real interface (in this case vge0) eg. on a LAN,
synproxy state works.

Now I don't know since when this isn't working because I'm only using pppoe 
since 5.1.


Any help would be appreciated.


Thanks,
Daniel

-- 
LÉVAI Dániel
PGP key ID = 0x83B63A8F
Key fingerprint = DBEC C66B A47A DFA2 792D  650C C69B BE4C 83B6 3A8F



Re: pf 'synproxy state' doesn't work with pppoe

2012-08-16 Thread LEVAI Daniel
On cs, aug 16, 2012 at 12:19:06 +0200, LEVAI Daniel wrote:
[...]

Forgot the dmesg. If it matters.

OpenBSD 5.1-stable (GENERIC) #0: Tue Aug  7 02:00:34 CEST 2012
root@.:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Pentium(R) 4 CPU 2.40GHz (GenuineIntel 686-class) 2.42 GHz
cpu0: 
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,CNXT-ID
real mem  = 1073213440 (1023MB)
avail mem = 1045561344 (997MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 11/05/02, BIOS32 rev. 0 @ 0xfdb60, SMBIOS rev. 2.3 @ 0xf0630 (32 entries)
bios0: vendor American Megatrends Inc. version V1.2 11 date 11/05/2002
bios0: MICRO-STAR INC. MS-6704
acpi0 at bios0: rev 0
acpi0: sleep states S0 S1 S4 S5
acpi0: tables DSDT FACP APIC
acpi0: wakeup devices USB1(S3) USB2(S3) USB3(S3) EHCI(S3) ICHB(S4) PS2M(S4) PS2K(S4) UAR1(S4) MC9_(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee0: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 133MHz
ioapic0 at mainbus0: apid 2 pa 0xfec0, version 20, 24 pins
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 2 (ICHB)
acpicpu0 at acpi0
acpipwrres0 at acpi0: URP1
acpipwrres1 at acpi0: URP2
acpipwrres2 at acpi0: FDDP
acpipwrres3 at acpi0: LPTP
acpibtn0 at acpi0: PWRB
bios0: ROM list: 0xc/0xd000 0xcd000/0x4800 0xd1800/0x1000 0xe/0x1000
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 Intel 82845G Host rev 0x02
intelagp0 at pchb0
agp0 at intelagp0: aperture at 0xe000, size 0x400
ppb0 at pci0 dev 1 function 0 Intel 82845G AGP rev 0x02
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 ATI Radeon 9600 rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
radeondrm0 at vga1: apic 2 int 16
drm0 at radeondrm0
ATI Radeon 9600 XT Sec rev 0x00 at pci1 dev 0 function 1 not configured
uhci0 at pci0 dev 29 function 0 Intel 82801DB USB rev 0x02: apic 2 int 16
uhci1 at pci0 dev 29 function 1 Intel 82801DB USB rev 0x02: apic 2 int 19
uhci2 at pci0 dev 29 function 2 Intel 82801DB USB rev 0x02: apic 2 int 18
ehci0 at pci0 dev 29 function 7 Intel 82801DB USB rev 0x02: apic 2 int 23
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 Intel EHCI root hub rev 2.00/1.00 addr 1
ppb1 at pci0 dev 30 function 0 Intel 82801BA Hub-to-PCI rev 0x82
pci2 at ppb1 bus 2
pciide0 at pci2 dev 3 function 0 CMD Technology SiI3512 SATA rev 0x01: DMA
pciide0: using apic 2 int 19 for native-PCI interrupt
pciide0: port 0: device present, speed: 1.5Gb/s
wd0 at pciide0 channel 0 drive 0: ST3250310AS
wd0: 16-sector PIO, LBA48, 238475MB, 488397168 sectors
wd0(pciide0:0:0): using BIOS timings, Ultra-DMA mode 5
pciide0: port 1: device present, speed: 1.5Gb/s
wd1 at pciide0 channel 1 drive 0: SAMSUNG HD501LJ
wd1: 16-sector PIO, LBA48, 476940MB, 976773168 sectors
wd1(pciide0:1:0): using BIOS timings, Ultra-DMA mode 7
em0 at pci2 dev 4 function 0 Intel PRO/1000GT (82541GI) rev 0x05: apic 2 int 16, address xx:xx:xx:xx:xx:xx
vge0 at pci2 dev 5 function 0 VIA VT612x rev 0x11: apic 2 int 17, address xx:xx:xx:xx:xx:xx
ciphy0 at vge0 phy 1: CS8201 10/100/1000TX PHY, rev. 1
ichpcib0 at pci0 dev 31 function 0 Intel 82801DB LPC rev 0x02
ichiic0 at pci0 dev 31 function 3 Intel 82801DB SMBus rev 0x02: apic 2 int 17
iic0 at ichiic0
iic0: addr 0x2f 00=00 02=0f 03=00 04=00 06=0f 07=00 08=00 0a=06 0b=00 0c=00 0d=07 0e=85 0f=00 10=c4 11=10 12=00 13=60 words 00=00ff 01= 02=0fff 03=00ff 04=00ff 05= 06=0fff 07=00ff
spdmem0 at iic0 addr 0x50: 1GB DDR SDRAM non-parity PC3200CL3.0
usb1 at uhci0: USB revision 1.0
uhub1 at usb1 Intel UHCI root hub rev 1.00/1.00 addr 1
usb2 at uhci1: USB revision 1.0
uhub2 at usb2 Intel UHCI root hub rev 1.00/1.00 addr 1
usb3 at uhci2: USB revision 1.0
uhub3 at usb3 Intel UHCI root hub rev 1.00/1.00 addr 1
isa0 at ichpcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
wbsio0 at isa0 port 0x2e/2: W83627HF rev 0x17
lm1 at wbsio0 port 0x290/8: W83627HF
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
mtrr: Pentium Pro MTRR support
vscsi0 at root
scsibus0 at vscsi0: 256 targets
softraid0 at root
scsibus1 at softraid0: 256 targets
root on wd0a (69dbc259cb64de66.a) swap on wd0b dump on wd0b
WARNING: / was not properly unmounted
pppoe0: received unexpected PADO
pppoe0: received unexpected PADO
pppoe0: received unexpected PADO
pppoe0: received unexpected PADO
pppoe0: received unexpected PADO
pppoe0: received unexpected PADO
pppoe0: received unexpected PADO
pppoe0: received unexpected PADO
pppoe0: received unexpected PADO
pppoe0: received 

Re: relayd for lan servers with carp and pfsync

2012-08-16 Thread Indunil Jayasooriya
Hi ALL,

I myself got it working after changing the pf.conf and relayd.conf files


Here are the new working ones

in /etc/pf.conf file ( on both nodes - fw1 and fw2 )

# cat /etc/pf.conf

#   $OpenBSD: pf.conf,v 1.50 2011/04/28 00:19:42 mikeb Exp $
#
# See pf.conf(5) for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

ext_if=em0
pfsync_if=em1

servers = { 192.168.0.66, 192.168.0.67 }

set skip on lo

# filter rules and anchor for ftp-proxy(8)
#anchor ftp-proxy/*
#pass in quick inet proto tcp to port ftp divert-to 127.0.0.1 port 8021

# anchor for relayd(8)
anchor relayd/*

pass on em1 proto pfsync
pass on { em0 em1 } proto carp

##END

pass log  # to establish keep-state

# rules for spamd(8)
#table spamd-white persist
#table nospamd persist file /etc/mail/nospamd
#pass in on egress proto tcp from any to any port smtp \
#rdr-to 127.0.0.1 port spamd
#pass in on egress proto tcp from nospamd to any port smtp
#pass in log on egress proto tcp from spamd-white to any port smtp
#pass out log on egress proto tcp to any port smtp


#block in quick from urpf-failed to any # use with care

# By default, do not permit remote connections to X11
#block in on ! lo0 proto tcp to port 6000:6010



in /etc/relayd.conf file ( on both nodes - fw1 and fw2 )

# cat /etc/relayd.conf

# $OpenBSD: relayd.conf,v 1.14 2011/04/07 13:33:52 reyk Exp $
#
# Macros
#

ext_addr=192.168.0.100
webhost1=192.168.0.66
webhost2=192.168.0.67
#ext_if=em0

table servers { $webhost1 $webhost2 }

relay www {
  listen on $ext_addr port 80
  #forward to servers port 80 mode loadbalance check tcp
  forward to servers port 80 mode roundrobin check tcp
}

relay smtp {
  listen on $ext_addr port 25
  #forward to servers port 25 mode loadbalance check tcp
  forward to servers port 25 mode roundrobin check tcp
}



Anyway, I had to add the below lines in the /etc/rc.local files

/etc/rc.local (on fw1)


# cat /etc/rc.local

#   $OpenBSD: rc.local,v 1.44 2011/04/22 06:08:14 ajacoutot Exp $

# Site-specific startup actions, daemons, and other things which
# can be done AFTER your system goes into securemode.  For actions
# which should be done BEFORE your system has gone into securemode
# please see /etc/rc.securelevel.

#configure pfsync
ifconfig em1 192.168.9.67 netmask 255.255.255.0
ifconfig pfsync0 syncdev em1
ifconfig pfsync0 up

#configure CARP on the LAN side
ifconfig carp1 create
ifconfig carp1 vhid 1 carpdev em0 pass lanpasswd \
 192.168.0.100 netmask 255.255.255.0

#Starting relayd
relayd


/etc/rc.local (on fw2)


# cat /etc/rc.local

#   $OpenBSD: rc.local,v 1.44 2011/04/22 06:08:14 ajacoutot Exp $

# Site-specific startup actions, daemons, and other things which
# can be done AFTER your system goes into securemode.  For actions
# which should be done BEFORE your system has gone into securemode
# please see /etc/rc.securelevel.

#configure pfsync
ifconfig em1 192.168.9.68 netmask 255.255.255.0
ifconfig pfsync0 syncdev em1
ifconfig pfsync0 up

#configure CARP on the LAN side
ifconfig carp1 create
ifconfig carp1 vhid 1 carpdev em0 pass lanpasswd \
 advskew 128 192.168.0.100 netmask 255.255.255.0

#Starting relayd
relayd


That's it.


Pls NOTE that, in the /etc/relayd.conf file, I had to add relay www instead
of redirect www and relay smtp instead of redirect smtp


Also in the /etc/pf.conf file, instead of the below lines,

# anchor for relayd(8)
#anchor relayd/*

pass quick on { em1 } proto pfsync keep state (no-sync)
pass on { em0 em1 } proto carp keep state


I added the below lines


# anchor for relayd(8)
anchor relayd/*

pass on em1 proto pfsync
pass on { em0 em1 } proto carp


Now my setup works.





On Thu, Aug 16, 2012 at 12:13 PM, Indunil Jayasooriya
induni...@gmail.com wrote:

 [...]

Re: pf 'synproxy state' doesn't work with pppoe

2012-08-16 Thread Kevin Chadwick
 Any help would be appreciated.

Works for me on 5.1

I don't think it's the rule but the combination of rules. Try reordering
your ruleset. I've had a problem before but I forget or never found the
specific reason.


-- 
___

'Write programs that do one thing and do it well. Write programs to work
together. Write programs to handle text streams, because that is a
universal interface'

(Doug McIlroy)
___



Re: pf 'synproxy state' doesn't work with pppoe

2012-08-16 Thread LEVAI Daniel
On cs, aug 16, 2012 at 12:20:56 +0100, Kevin Chadwick wrote:
  Any help would be appreciated.
 
 Works for me on 5.1
 
 I don't think it's the rule but the combination of rules. Try reordering
 your ruleset. I've had a problem before but I forget or never found the
 specific reason.

Okay, okay, I'm trying to get my head around this, but how do you
explain that changing *only* the 'synproxy' word to 'keep' in the exact
same rule makes it work again (not changing order, combination,
nothing, but only changing synproxy state to the default keep state)?


Daniel

-- 
LÉVAI Dániel
PGP key ID = 0x83B63A8F
Key fingerprint = DBEC C66B A47A DFA2 792D  650C C69B BE4C 83B6 3A8F



Re: relayd for lan servers with carp and pfsync

2012-08-16 Thread Rafal Bisingier
Hi

On Thursday, 16 Aug 2012 at 16:18 CEST
Indunil Jayasooriya induni...@gmail.com wrote:

 I myself got it working after changing pf.conf file and relayd.conf files

You've changed redirect to relay in relayd.conf. I suppose this is the
real solution (it changes the way relayd handles connections to
backends). All the rest of your changes (especially the ones in
rc.local) are probably irrelevant...


 [...]
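The thread shows two changes made at once (uncommenting the relayd anchor in pf.conf and switching the relayd blocks from redirect to relay), and Rafal's reply points at the second as the real fix. The script below is an added example, not code from the thread or from the relayd project: a preflight check, written in POSIX sh, that reads a pf.conf and reports whether the relayd anchor is still commented out and whether pass rules for carp and pfsync are present. relayd loads the rules for each redirect into a pf anchor named relayd/<name>, and pf only evaluates those rules when the main ruleset carries an uncommented anchor "relayd/*" line; relay blocks terminate the TCP connection in relayd itself and do not depend on the anchor. The three pf.conf fragments it checks are constructed, modelled on the before and after configs posted above; the function names and file names are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread): preflight check of a pf.conf for a
# relayd + CARP + pfsync pair. relayd's "redirect" rules live in pf anchors
# named relayd/<name>, which are only evaluated when the main ruleset has an
# uncommented 'anchor "relayd/*"' line. "relay" blocks do not need the anchor.
# The sample configs written by write_samples are constructed for this example.

# has_relayd_anchor FILE: succeeds when an uncommented relayd anchor line exists.
has_relayd_anchor() {
    grep -Eq '^[[:space:]]*anchor[[:space:]]+"?relayd/\*"?' "$1"
}

# has_pass_proto FILE PROTO: succeeds when an uncommented "pass ... proto PROTO"
# rule exists (a commented "#pass" line does not count).
has_pass_proto() {
    grep -Eq "^[[:space:]]*pass[[:space:]].*proto[[:space:]]+$2([[:space:]]|\$)" "$1"
}

# pfconf_problems FILE: prints one line per problem found, nothing when clean.
# Always returns 0 so it is safe under 'set -e'; callers count the lines.
pfconf_problems() {
    f=$1
    if ! has_relayd_anchor "$f"; then
        echo "$f: relayd anchor missing or commented out; redirect rules would never match"
    fi
    for proto in carp pfsync; do
        if ! has_pass_proto "$f" "$proto"; then
            echo "$f: no pass rule for proto $proto; failover traffic would be blocked"
        fi
    done
    return 0
}

# write_samples DIR: writes three constructed pf.conf fragments into DIR.
write_samples() {
    # Modelled on the first pf.conf in the thread: anchor still commented out.
    cat > "$1/before.conf" <<'EOF'
# anchor for relayd(8)
#anchor "relayd/*"

pass quick on { em1 } proto pfsync keep state (no-sync)
pass on { em0 em1 } proto carp keep state
pass log  # to establish keep-state
EOF
    # Modelled on the working pf.conf: anchor enabled, pass rules present.
    cat > "$1/after.conf" <<'EOF'
# anchor for relayd(8)
anchor "relayd/*"

pass on em1 proto pfsync
pass on { em0 em1 } proto carp
pass log
EOF
    # A bare ruleset with none of the required lines (three problems).
    cat > "$1/bare.conf" <<'EOF'
set skip on lo
pass log
EOF
}

# Stand-alone demonstration: write the samples to a temporary directory,
# report on each one, then clean up.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for name in before after bare; do
    echo "== $name.conf"
    pfconf_problems "$demo_dir/$name.conf"
done
rm -rf "$demo_dir"
```

Run it against the real file with `pfconf_problems /etc/pf.conf` before starting relayd; an empty report means the anchor and the failover pass rules are in place, which is the state the working config in the thread ended up in. It is a text check only: it does not replace `pfctl -nf /etc/pf.conf` and `relayd -n` for syntax validation.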

Re: pf 'synproxy state' doesn't work with pppoe

2012-08-16 Thread LEVAI Daniel
On cs, aug 16, 2012 at 14:26:05 +0200, LEVAI Daniel wrote:
 On cs, aug 16, 2012 at 12:20:56 +0100, Kevin Chadwick wrote:
   Any help would be appreciated.
  
  Works for me on 5.1
  
  I don't think it's the rule but the combination of rules. Try reordering
  your ruleset. I've had a problem before but I forget or never found the
  specific reason.
 
 Okay, okay, I'm trying to get my head around this, but how do you
 explain that changing *only* the 'synproxy' word to 'keep' in the exact
 same rule makes it working again (not changing order, combination,
 nothing, but only changing synproxy state to the default keep state)?

There is definitely something wrong with pppoe + synproxy state:

# pfctl -sr
pass all flags S/SA
pass in on pppoe0 inet proto tcp from src to dst port =  flags S/SA synproxy state

This is the only rule. Otherwise it's just 'pass all'. If I remove this
rule too *or* change synproxy to keep, the connection is working.

I can reproduce this on two different machines, with different ISPs and
different NICs facing the ISPs using pppoe.


Daniel

-- 
LÉVAI Dániel
PGP key ID = 0x83B63A8F
Key fingerprint = DBEC C66B A47A DFA2 792D  650C C69B BE4C 83B6 3A8F



OpenBGPd - how to blackhole traffic?

2012-08-16 Thread Bernd

Hi list,

I'd like to blackhole some traffic. For instance, my AS is 
12.34.56.0/20, so 12.34.58.0 might be announced, but is not necessarily 
connected (internal routing via OSPFd).


On Cisco one uses:

ip route 0.0.0.0 0.0.0.0 Null0

This would throw any traffic headed to a network within my AS, which is 
*not* connected (via OSPF), onto the floor.


Is there a way to achieve this on OpenBSD?

Thanks in advance,

Bernd



Re: The ultimate OpenBSD email server

2012-08-16 Thread Joel Carnat
Le 15 août 2012 à 16:16, L. V. Lammert a écrit :

 On Wed, 15 Aug 2012, Mikkel Bang wrote:

 But with so many people recommending so many different tools, it gets hard
 to come to a conclusion. Looks like I'm finally arriving at this though:
 postfix (postfix-anti-UCE.txt) + dspam - what do you guys think?

 Take a look at mailserv, https://github.com/mailserv. The admin interface
 is nice, and all components are integrated.

This looked interesting so I had a look at it for a few hours.
My (2 cents) conclusions are:
- it has a pretty interface indeed ;
- it has a few configuration bugs (php modules are not enabled and it expects
5.2, not 5.3) ;
- it is supposed to use sqlgrey but it seems it isn't linked to postfix ;
- why isn't it using spamd(8) ;
- it stores clear passwords ;
- roundcube and suhosin don't play well together ;
- it has to be installed with its own mysql db. no way to use external (if not
using the console).

I have written a quick review on my WordPress instance.
Just PM for the URL if you wish to read more.

Regards,
Jo



Re: Question about redirecting to a multiple log files from pflogd

2012-08-16 Thread C. L. Martinez
On Thu, Aug 16, 2012 at 11:41 AM, MERIGHI Marcus mcmer-open...@tor.at wrote:
 [...]


Thanks Marcus, that is my second phase. At this moment, I need to use
different pflog file names (and different pflogX interfaces) for
some rules, here is on I have problems 



Re: pf 'synproxy state' doesn't work with pppoe

2012-08-16 Thread Kevin Chadwick
 # pfctl -sr
 pass all flags S/SA
 pass in on pppoe0 inet proto tcp from src to dst port =  flags S/SA 
 synproxy state
 
 This is the only rule. Otherwise it's just 'pass all'. If I remove this
 rule too *or* change synproxy to keep, the connection is working.


I remember being puzzled by that myself. I thought I had got it working
but I'm struggling to be sure now whether I got it working or switched
synproxy off on that machine, sorry.
 
 I can reproduce this on two different machines, with different ISPs and
 different NICs facing the ISPs using pppoe.

Is it possible, or have you tried, the NIC that it works on in pppoe mode?

-- 
___

'Write programs that do one thing and do it well. Write programs to work
together. Write programs to handle text streams, because that is a
universal interface'

(Doug McIlroy)
___



Re: OpenBGPd - how to blackhole traffic?

2012-08-16 Thread Josh Hoppes
http://www.openbsd.org/cgi-bin/man.cgi?query=route&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html

Route has a -blackhole option, so you might try route add -blackhole
0.0.0.0/0 127.0.0.1

On Thu, Aug 16, 2012 at 7:47 AM, Bernd be...@kroenchenstadt.de wrote:
 Hi list,

 I'd like to blackhole some traffic. For instance, my AS is 12.34.56.0/20, so
 12.34.58.0 might be announced, but is not necessarily connected (internal
 routing via OSPFd).

 On Cisco one uses:

 ip route 0.0.0.0 0.0.0.0 Null0

 This would throw any traffic headed to a network within my AS, which is
 *not* connected (via OSPF), onto the floor.

 Is there a way to achieve this on OpenBSD?

 Thanks in advance,

 Bernd



Re: OpenBGPd - how to blackhole traffic?

2012-08-16 Thread Martin Hein
On Thu, 16 Aug 2012 14:47:25 +0200
Bernd be...@kroenchenstadt.de wrote:
 Is there a way to achieve this on OpenBSD?

Directly from my mind...

To blackhole some google stuff.

route add -blackhole 8.8.0.0/16 127.0.0.1

/Martin



Re: OpenBGPd - how to blackhole traffic?

2012-08-16 Thread Claudio Jeker
On Thu, Aug 16, 2012 at 02:47:25PM +0200, Bernd wrote:
 Hi list,
 
 I'd like to blackhole some traffic. For instance, my AS is
 12.34.56.0/20, so 12.34.58.0 might be announced, but is not
 necessarily connected (internal routing via OSPFd).
 
 On Cisco one uses:
 
 ip route 0.0.0.0 0.0.0.0 Null0
 
 This would throw any traffic headed to a network within my AS, which
 is *not* connected (via OSPF), onto the floor.
 
 Is there a way to achieve this on OpenBSD?
 

route add default 127.0.0.1 -blackhole

or for IPv6 (not tested)

route add -inet6 default ::1 -blackhole

-- 
:wq Claudio



Win a trip from ICredit

2012-08-16 Thread Кредиты наличными
Take part in the iCredit promotion and head to the Black Sea!
The promotion runs until 31 August inclusive.

Three trips are being raffled, each for two people, to the Crimean coast
during the velvet season, plus gifts: travel bags.

Promotion terms:
1. To take part in the draw for trips and travel bags from Easy Credit LLC
(ООО Изи Кредит), you must submit an application and receive a loan under
the rules set by Easy Credit LLC. Applications are accepted until 31.08.2012
inclusive. The promotion starts on 1.08.2012.
2. Loans that have no arrears or overdue payments when the promotion ends
take part in the draw.
3. The number of trips raffled among participants in the promotion is 3.
4. The results will be published on the Easy Credit LLC website on 4.09.2012
and in the company's offices.
Don't miss your chance to extend the summer: apply, get a loan and go on
holiday to Crimea!

Loan terms:
- Only a passport and tax ID (INN) are needed.
- No collateral, intermediaries or fees.
- From 750 to 15000 hryvnia in cash for individuals and sole proprietors (FOP).
- Decision within 24 hours.
- No proof of income.

Call:
Easy Credit information contact centre
0 800 601 810
Free from landlines across Ukraine.

Visit the website:
http://bit.ly/jdAhQL

Contact details for our branches:
http://bit.ly/N1ZjTF




Re: pf 'synproxy state' doesn't work with pppoe

2012-08-16 Thread Christopher Zimmermann
On Thu, 16 Aug 2012 14:37:50 +0200
LEVAI Daniel l...@ecentrum.hu wrote:

 On cs, aug 16, 2012 at 14:26:05 +0200, LEVAI Daniel wrote:
  On cs, aug 16, 2012 at 12:20:56 +0100, Kevin Chadwick wrote:
Any help would be appreciated.
   
   Works for me on 5.1
   
   I don't think it's the rule but the combination of rules. Try reordering
   your ruleset. I've had a problem before but I forget or never found the
   specific reason.
  
  Okay, okay, I'm trying to get my head around this, but how do you
  explain that changing *only* the 'synproxy' word to 'keep' in the exact
  same rule makes it working again (not changing order, combination,
  nothing, but only changing synproxy state to the default keep state)?
 
 There is definitely something wrong with pppoe + synproxy state:
 
 # pfctl -sr
 pass all flags S/SA
 pass in on pppoe0 inet proto tcp from src to dst port =  flags S/SA 
 synproxy state
 
 This is the only rule. Otherwise it's just 'pass all'. If I remove this
 rule too *or* change synproxy to keep, the connection is working.
 
 I can reproduce this on two different machines, with different ISPs and
 different NICs facing the ISPs using pppoe.


Do you filter on loopback? The handshake between proxy and server
process is done via loopback. You need to pass this traffic, too.

Christopher



Re: pf 'synproxy state' doesn't work with pppoe

2012-08-16 Thread LEVAI Daniel
On cs, aug 16, 2012 at 17:18:08 +0200, Christopher Zimmermann wrote:
 On Thu, 16 Aug 2012 14:37:50 +0200
 LEVAI Daniel l...@ecentrum.hu wrote:
 
  On cs, aug 16, 2012 at 14:26:05 +0200, LEVAI Daniel wrote:
   On cs, aug 16, 2012 at 12:20:56 +0100, Kevin Chadwick wrote:
 Any help would be appreciated.

Works for me on 5.1

I don't think it's the rule but the combination of rules. Try reordering
your ruleset. I've had a problem before but I forget or never found the
specific reason.
   
   Okay, okay, I'm trying to get my head around this, but how do you
   explain that changing *only* the 'synproxy' word to 'keep' in the exact
   same rule makes it working again (not changing order, combination,
   nothing, but only changing synproxy state to the default keep state)?
  
  There is definitely something wrong with pppoe + synproxy state:
  
  # pfctl -sr
  pass all flags S/SA
  pass in on pppoe0 inet proto tcp from src to dst port =  flags S/SA 
  synproxy state
  
  This is the only rule. Otherwise it's just 'pass all'. If I remove this
  rule too *or* change synproxy to keep, the connection is working.
  
  I can reproduce this on two different machines, with different ISPs and
  different NICs facing the ISPs using pppoe.
 
 
 Do you filter on loopback? The handshake between proxy and server
 process is done via loopback. You need to pass this traffic, too.

With or without 'set skip on lo0', the symptoms are the same.

Daniel

-- 
LÉVAI Dániel
PGP key ID = 0x83B63A8F
Key fingerprint = DBEC C66B A47A DFA2 792D  650C C69B BE4C 83B6 3A8F



Re: pf 'synproxy state' doesn't work with pppoe

2012-08-16 Thread LEVAI Daniel
On cs, aug 16, 2012 at 15:10:51 +0100, Kevin Chadwick wrote:
  # pfctl -sr
  pass all flags S/SA
  pass in on pppoe0 inet proto tcp from src to dst port =  flags S/SA 
  synproxy state
  
  This is the only rule. Otherwise it's just 'pass all'. If I remove this
  rule too *or* change synproxy to keep, the connection is working.
 
 
 I remember being puzzled by that myself. I thought I had got it working
 but I'm struggling to be sure now whether I got it working or switched
 synproxy off on that machine, sorry.
  
  I can reproduce this on two different machines, with different ISPs and
  different NICs facing the ISPs using pppoe.
 
 Is it possible or have you tried the NIC that it works on in pppoe mode.

I could try it, but the two machines have two different types of NICs
(re and em) using pppoe. It would be a really weird bug in both re and
em if these drivers were to act up with pppoe and not with eg. vge
(which is the other card in one of the machines with which I'll try this
variation tomorrow).


Daniel

-- 
LÉVAI Dániel
PGP key ID = 0x83B63A8F
Key fingerprint = DBEC C66B A47A DFA2 792D  650C C69B BE4C 83B6 3A8F



Re: pf 'synproxy state' doesn't work with pppoe

2012-08-16 Thread Kevin Chadwick
   pass all flags S/SA
   pass in on pppoe0 inet proto tcp from src to dst port =  flags 
   S/SA synproxy state
   

Originally you posted pass in quick. Keep the quick in there, not for
any reason other than I have a quick in my rules. Same with the NIC, I
don't have any logical hopes for you.

   This is the only rule. Otherwise it's just 'pass all'. If I remove this
   rule too *or* change synproxy to keep, the connection is working.

  
  I remember being puzzled by that myself. I thought I had got it working
  but I'm struggling to be sure now whether I got it working or switched
  synproxy off on that machine, sorry.
 
   I can reproduce this on two different machines, with different ISPs and
   different NICs facing the ISPs using pppoe.  
  
  Is it possible or have you tried the NIC that it works on in pppoe mode.  
 
 I could try it, but the two machines have two different types of NICs
 (re and em) using pppoe. It would be a really weird bug in both re and
 em if these drivers were to act up with pppoe and not with eg. vge
 (which is the other card in one of the machines with which I'll try this
 variation tomorrow).






Financial Reporting Standards

2012-08-16 Thread Como Ejecutar Adecuaciones Presupuestarias
© 2012 Conference Corporativo S.C.
Attend the 45 Best Courses in Mexico of the Series: ACCOUNTING AND
FINANCE. Includes Critical Topics On:
Management Closing, Audit Findings and Responsibilities
Courses, Content and Methodologies Developed in Partnership with the
Best European Universities with ISO 9000 Quality.

Course 1
Resolving Audit Findings. (NEW)

Course 2
White Paper and Documentary Records of the Mexican Public Sector.
(NEW)

Course 3
Timely Preparation of Documentary Records. (NEW)

Course 4
Handover Record and Accountability. (NEW)

Course 5
Professional Career Service.

Course 6
Strategic Defence of Public Servants.
Course 7
How to Successfully Face Government Audits.

Course 8
Federal Law on Administrative Responsibilities.

Course 9
(New) Federal Anti-Corruption Law.

Course 10
Bureaucratic Labour Law.
Course 11
Risk Management Matrix (MAR).

Course 12
Guidelines on Indicators for Measuring Physical and Financial Progress
and the MIR.

Course 13
How to Execute Budget Adjustments.

Course 14
Government Accounting in the Transparency of Public Finances
(Includes Law).

Course 15
Comprehensive Analysis of the CONAC Provisions.

Course 16
Classifier by Object of Expenditure.

Course 17
Federal Law on Budget and Fiscal Responsibility and its Regulations.

Course 18
Government Accounting in Accounting Harmonisation and the New National
Chart of Accounts.
Course 19
General and Governmental Financial Reporting Standards (NIF 2012).
Course 20
Government Accounting Manual.
Course 21
(New) Law on Advanced Electronic Signatures for Public Servants.

Course 22
Results-Based Budgeting (PBR)

Course 23
General Administrative Manual on Financial Resources.
(Includes FULL IMPLEMENTATION)

Course 24
Logical Framework for Evaluating the PBR.

Course 25
(New) Market Research and Evaluation Criteria for Procurement.

Course 26
Government Archival Science.

Course 27
Government Warehouses and Inventories.
Course 28
COMPRANET 5.0 (Electronic Tenders for Procurement).

Course 29
COMPRANET 5.0 (Electronic Tenders for Public Works).

Course 30
Procurement Law.
Course 31
Public Works Law.
Course 32
Tenders and Contracting for Procurement.
Course 33
Tenders and Contracting for Public Works.

Course 34
Criteria for Evaluating Economic Proposals in Public Works.
Course 35
General Administrative Manual on Procurement.
(Includes FULL IMPLEMENTATION)

Course 36
General Administrative Manual on Public Works.
(Includes FULL IMPLEMENTATION)

Course 37
Administrative Manual on Material Resources and General Services.
(Includes FULL IMPLEMENTATION)

Course 38
Administrative Manual on Human Resources.
(Includes FULL IMPLEMENTATION)
Course 39
Administrative Manual on Information and Communication Technologies (ICT).

Course 40
Provisions on Internal Control and its Administrative Manual.
(Includes FULL IMPLEMENTATION)

Course 41
(New) Professional Career Service Manual for the Mexican Federal
Government.

Course 42
Transparency Manual. (Includes FULL IMPLEMENTATION)

Course 43
Chapter 1000 and the New Manual of Public Servants' Remuneration.

Course 44
Audits, Reviews and Inspection Visits.

Course 45
(New) Law on Public-Private Partnerships (LAPP).

Course 46
(New) Federal Archives Law

Executive Service

Call Centre:
Mexico City and Metropolitan Area (55) 91 40 30 30
Toll-free: (01 800) 439 66 66
Email addressed to:
THIS EMAIL COMPLIES WITH INTERNATIONAL AND LOCAL ANTI-SPAM POLICIES.



Excellent Assertive Communication with NLP course, New Date

2012-08-16 Thread Antonio Robles M.
Very Important!
If you cannot view this email correctly, please drag it to your Inbox.

Dear Executive:

TIEM de México
Leading Company in Training and Updating of Human Capital

Once again offers you this successful course entitled:
Assertive Communication with NLP

To be held on:
22 August in Mexico City

Register before 15 June and get a 15% discount with Immediate Investment.
Do not miss this opportunity; invest in your Personal and Professional
Development.

Assertiveness is a form of communication that allows one to say what one
thinks and act accordingly, doing what is considered most appropriate,
without attacking or offending anyone, nor allowing oneself to be attacked or
offended, and avoiding conflict situations. For this reason assertive
communication at work is extremely important for achieving pleasant
relationships together with a healthy working environment in which ideas can
flow without discrepancies and so successfully reach the objective of any
organisation.

Assertive communication in the workplace has to do with how information is
interpreted between boss and subordinate. Sometimes, when communication is
not clear and assertive, instructions are misinterpreted, so the activities
carried out did not have the expected focus, resulting in conflict between
people and the organisation and leading to arguments, which could be avoided
with clear communication free of the noise that gets in the way of exact
understanding, and which would help all the strategies the company has
developed to be fulfilled as expected.

During this course participants:

Will develop skills that allow them to communicate assertively and
supportively in their interpersonal relationships using Neuro-Linguistic
Programming techniques and tools.
Will achieve productive handling of conflict situations in any area of their
personal and/or professional life.
If you have already confirmed by the time you receive this email, please
disregard it.

Otherwise, please reply to this email with the following details:
• Company:
• Name:
• City:
• Telephone:

Or, if you prefer, call:

Mexico City: 5611-0969 (10 lines)
Rest of the country, toll-free:
01 800 900 TIEM (8436)
We accept all credit and debit cards.
**Promotion: 3 months interest-free when paying with American Express
**Applies only with Normal Investment

® All Rights Reserved ©2011 TIEM Talento e Innovación Empresarial
de México
This message has been sent to you as a TIEM de México user, or a user
referred you to receive this newsletter.
As a TIEM de México user, you hereby expressly authorise TIEM de México to
contact you by email or other means.
If you have received this message in error, disregard it and report your
account by replying to this email with the subject BAJABD.
Please note that the management of our databases is of the utmost importance
and it is not the company's intention to cause the recipient any
inconvenience.



Re: iked.conf question - muplitple clients with certs.

2012-08-16 Thread Paulm
I'm not sure if it's relevant for your situation, but do you know
that, according to the iked(8) manpage, iked is 'not finished' and not
recommended for production networks? (See the last section -
'caveats')

It might be better to use isakmpd(8) with
ipsec(4)/ipsecctl(8)/ipsec.conf(5) if you're running this in production.



On Wed, Aug 15, 2012 at 01:36:47PM -0400, Bentley, Dain wrote:
 Hello Misc,
 I'm having a small issue with my iked.conf on my openbsd 4.9 firewall.  I have
 the following config and it works fine:
 
 ikev2 laptop passive esp \
 from 192.168.10.0/24 to 1.1.1.0/24 local any peer any \
 srcid xxx.xxx.xxx.xxx \
 config address 1.1.1.2
 
 
 I have a win 7 laptop with certs and I connect with no issue.  Now I'd like to
 add a couple of more clients in the mix.  So I created certs for them and
 distributed them correctly and now have the following:
 
 
 ikev2 home-PC passive esp \
 from 192.168.10.0/24 to 1.1.1.0/24 local any peer any \
 srcid xxx.xxx.xxx.xxx \
 config address 1.1.1.3
 
 
 ikev2 laptop passive esp \
 from 192.168.10.0/24 to 1.1.1.0/24 local any peer any \
 srcid xxx.xxx.xxx.xxx \
 config address 1.1.1.2
 
 
 
 But when I connect I cannot and starting iked -dvv shows it's trying to
 connect with the laptop policy.  I'm afraid I have the config wrong.  Is
 this the correct way to add multiple clients and if not what would I do?  I
 can't seem to find any info on the web or man pages.