using first alias as masquerading ip on pf.conf
Hi all,

I have a couple of firewalls with CARP configured and I need them to reach the Internet even when they are in BACKUP state. I'm managing pf via Ansible/Git, so I'd like to keep the pf.conf configuration as standard and simple as possible.

Usually I use the notation "nat-to ($interface)" to let pf use the correct IP, but in this case I have BGP configured and the provider forces me to use a complex configuration with an alias on the external interface, like this:

# ifconfig vlan835
vlan835: flags=8943 mtu 1500
        lladdr b0:26:28:1e:e6:6e
        index 13 priority 0 llprio 3
        encap: vnetid 835 parent trunk0 txprio packet rxprio outer
        groups: vlan egress
        media: Ethernet autoselect
        status: active
        inet 1.1.1.1 netmask 0xfff0 broadcast 1.1.1.255
        inet 2.2.2.2 netmask 0xfff0 broadcast 2.2.2.255

So, 1.1.1.1 is the "transit IP" for BGP, the one we must use to talk with the provider's router and that I can't use as masquerading IP. The IP 2.2.2.2 is the one I should use to mask my traffic to the Internet, and it is different on each firewall.

Is there a way to tell pf to use the first alias of the interface to mask the traffic? Something like "nat-to (vlan835:1)"...

I would like to keep things simple and avoid using the include directive, if possible.

Thank you for your suggestions.
Bye
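One way to pin the masquerade address without `include`, added here as an example and not taken from the thread: a per-host macro that the configuration management fills in, so the rest of pf.conf stays identical on both firewalls. The interface and addresses are the ones from the post; the macro names `ext_if` and `masq_ip` are chosen for the example, and it assumes the provider's BGP router sits in the directly connected transit subnet.

```pf
# Added example, not from the thread. masq_ip is a hypothetical macro whose
# value is templated per host (2.2.2.2 here, the alias from the post);
# everything else in pf.conf can stay identical on both firewalls.
ext_if  = "vlan835"
masq_ip = "2.2.2.2"

# pf.conf(5) has no syntax for "the Nth alias": (vlan835:0) means the
# opposite (primary address only, aliases excluded), so the alias has to
# be named explicitly, which is what the macro does.

# Translate everything leaving vlan835 except traffic to the directly
# connected networks, so the BGP session with the provider's router (in the
# transit subnet, assumed here) is never rewritten. The firewall's own
# traffic sourced from 1.1.1.1 while in BACKUP state is translated too,
# because masq_ip belongs to this host and not to a CARP vhid.
match out on $ext_if inet from ! $masq_ip to ! ($ext_if:network) nat-to $masq_ip

# Check the expansion without loading the ruleset:
#   pfctl -nvf /etc/pf.conf
```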
Re: automatically rotate isakmpd.pcap
On 2018-06-28 10:18, Federico Donati wrote:
> With newsyslog, logs are being rotated, but the new file "isakmpd.pcap" is not usable with tcpdump (the message is "tcpdump: bad dump file format"). I've also tried to stop isakmpd writing isakmpd.pcap (echo p > isakmpd.fifo), but it didn't work.

Ok, this workaround works:

conf file:
# cat newsyslog_ipsec.conf
/var/run/isakmpd.pcap root:wheel 600 30 * $D0 ZB "rm /var/run/isakmpd.pcap ; echo p on > /var/run/isakmpd.fifo"

command to be run:
# echo p off > /var/run/isakmpd.fifo; newsyslog -Ff newsyslog_ipsec.conf -v

Newsyslog creates an empty file during the rotation. Tcpdump doesn't like this file, so I need to stop the writing of isakmpd.pcap, rotate the log, remove the newly created file and activate the logging again (so isakmpd will create its working pcap file).

This actually works, but I have to put it in crontab rather than in /etc/newsyslog.conf, and I find this pretty ugly. It would be nice if newsyslog had a "prerotate" function, something like logrotate.

I'm always open to suggestions if you have had similar needs.
Bye
automatically rotate isakmpd.pcap
Hi all,

I'm trying to rotate the /var/run/isakmpd.pcap log, keeping 30 days of log files and rotating them every day.

With newsyslog, logs are being rotated, but the new file "isakmpd.pcap" is not usable with tcpdump (the message is "tcpdump: bad dump file format"). I've also tried to stop isakmpd writing isakmpd.pcap (echo p > isakmpd.fifo), but it didn't work. I also tried to SIGHUP isakmpd, but with bad results (IPsec stopped working and I had to restart isakmpd).

This is the setup:
# uname -a
OpenBSD 6.1 GENERIC.MP#24 amd64
# cat newsyslog_ipsec.conf
/var/run/isakmpd.pcap root:wheel 600 30 * $D0 ZB ""

This is the last test:
echo p off > /var/run/isakmpd.fifo && newsyslog -Ff newsyslog_ipsec.conf && echo p on > /var/run/isakmpd.fifo

Do you have any suggestion? Thank you in advance.
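The failure in both messages of this thread is a rotated capture without a pcap header. Added here as an example (not from the thread): a sh script that checks the rotated archives for the libpcap header tcpdump needs, so an empty file left behind by newsyslog is spotted before it is compressed and archived. The paths default to the ones in the post; `check_rotated` is a name chosen for the example.

```sh
#!/bin/sh
# Added example, not from the thread: check that rotated isakmpd captures
# start with a libpcap file header. tcpdump says "bad dump file format"
# when the header is missing, which is what the empty file left behind by
# newsyslog looks like. Written for OpenBSD's sh: no head -c, so dd is used.

# Print the first four bytes of a file as lowercase hex; archives compressed
# by newsyslog's Z flag (*.gz) are decompressed on the fly.
pcap_magic() {
    case "$1" in
        *.gz) hdr=$(gzip -dc "$1" 2>/dev/null | dd bs=4 count=1 2>/dev/null | od -An -tx1) ;;
        *)    hdr=$(dd if="$1" bs=4 count=1 2>/dev/null | od -An -tx1) ;;
    esac
    printf '%s' "$hdr" | tr -d ' \n'
}

# Return 0 if the file begins with a pcap magic number: 0xa1b2c3d4
# (microsecond timestamps) or 0xa1b23c4d (nanosecond), either byte order.
is_valid_pcap() {
    [ -s "$1" ] || return 1              # missing or zero-length: no header
    case "$(pcap_magic "$1")" in
        a1b2c3d4|d4c3b2a1|a1b23c4d|4d3cb2a1) return 0 ;;
        *) return 1 ;;
    esac
}

# List every rotated archive in a directory and flag the ones tcpdump will
# reject; the return value is the number of bad files, so a cron job can
# alert on non-zero. Defaults to the path used in the thread.
check_rotated() {
    dir=${1:-/var/run}
    bad=0
    for f in "$dir"/isakmpd.pcap.*; do
        [ -e "$f" ] || continue          # pattern matched nothing
        if is_valid_pcap "$f"; then
            echo "ok   $f"
        else
            echo "BAD  $f (no pcap header)"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}
```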
Re: rsyslog does not produce log on OpenBSD 6.0
On 12/17/2016 04:57 PM, Remi Locherer wrote:
> On December 17, 2016 12:07:18 PM GMT+01:00, Federico Donati <nix.b...@gmail.com> wrote:
>> Hi all, I have a problem with an OpenBSD 6.0 box with rsyslog. I need to send all local logs to a remote server and I can't use syslogd, because it does not send the hostname of the server (the one indicated in /etc/myname), but on the remote server messages come with the PTR record of my public IP.
>
> Have you tried -h for syslogd from base?

Feeling stupid right now :/
Thank you very much.
rsyslog does not produce log on OpenBSD 6.0
Hi all,

I have a problem with an OpenBSD 6.0 box with rsyslog. I need to send all local logs to a remote server and I can't use syslogd, because it does not send the hostname of the server (the one indicated in /etc/myname), but on the remote server messages come with the PTR record of my public IP.

I've installed rsyslogd, but it doesn't send anything to the remote server. And more than that, it doesn't write anything locally. I've also tried to run it in conjunction with syslogd, so locally syslogd writes all the logs, but rsyslog doesn't send anything to the remote server (verified also with tcpdump).

This is my rsyslog.conf configuration file:
~
module(load="imuxsock") # provides support for local system logging (e.g. via logger command)
module(load="imklog") # provides kernel logging support (previously done by rklogd)
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
*.* @@ip.ip.ip.ip:514
~

Output of the configuration file parser:
~
# rsyslogd -f /etc/rsyslog.conf -N 4
rsyslogd: version 8.16.0, config validation run (level 4), master config /etc/rsyslog.conf
rsyslogd: End of config validation run. Bye.
~

My box's uname -a: OpenBSD xxx.xxx.xx 6.0 GENERIC.MP#0 amd64

Can anyone help?
Re: problem with CARP+VLAN+OpenBSD 5.5
On 10/15/2014 03:43 PM, Fede wrote:
> I've removed defer from /etc/hostname.pfsync0, and I also added some bpf devices (one for every carp I have) with MAKEDEV, as you suggested. Then, I've added no-sync to pf, so the running pf.conf is:
>
> set skip on lo0
> pass quick on em0 proto pfsync keep state (no-sync)
> pass quick on em0
> pass quick on { vlan2 vlan3 vlan4 vlan5 vlan6 vlan7 vlan1002 vlan1003 } proto { carp pfsync } keep state (no-sync)
> pass in quick
> pass out quick
>
> but my problem persists.

UPDATE

Today I've tried to put all carp interfaces into just 5 carp interfaces, using netmask 255.255.255.255 for IPs in the same broadcast domain, and the appropriate netmask for IPs outside the first IP's subnet. This way, the test systems are working fine for the moment. This solution is working, but it will need some revision of pf.conf. Let's say that we will have fewer files to maintain...

BTW, I would like to understand where the limit of the previous, non-working, configuration is. I tried to load the previous hostname.carpXX interfaces, one at a time, with a reboot for every new carp activated. I wasn't able to find a pattern, because interfaces on system-2 turn into MASTER state randomly. When a split on a carp interface occurs, I can see with tcpdump that on the backup machine advertisement packets are just ignored. For example:

16:08:19.848966 CARPv2-advertise 36: vhid=133 advbase=1 advskew=10 demote=0 (DF) [tos 0x10]
16:08:19.915796 CARPv2-advertise 36: vhid=133 advbase=1 advskew=200 demote=0 (DF) [tos 0x10]
16:08:20.898960 CARPv2-advertise 36: vhid=133 advbase=1 advskew=10 demote=0 (DF) [tos 0x10]
16:08:21.715797 CARPv2-advertise 36: vhid=133 advbase=1 advskew=200 demote=0 (DF) [tos 0x10]
16:08:21.948972 CARPv2-advertise 36: vhid=133 advbase=1 advskew=10 demote=0 (DF) [tos 0x10]

And then, if I run ksh /etc/netstart carpXX, the interface starts acting normally (MASTER/BACKUP) again.

At the end, I have my workaround, but it would be nice if someone could spot the misconfiguration or the problem with the faulty configuration I described. Thank you all for the support.
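The tcpdump output in the message above is the signature of a CARP split: only the MASTER of a vhid sends advertisements, so two different advskew values for one vhid on the same segment means two hosts both believe they are MASTER. Added here as an example (not from the thread): a sh/awk filter that reads tcpdump's CARP lines and reports every vhid with more than one advertiser. The sample is constructed from the four vhid=133 lines quoted above plus one healthy vhid=140 line added as a control; `detect_carp_split` is a name chosen for the example.

```sh
#!/bin/sh
# Added example, not from the thread. Live usage on the firewall:
#   tcpdump -n -i vlan2 proto carp | detect_carp_split
# Only the MASTER of a vhid advertises, so two distinct advskew values
# seen for the same vhid on one segment means two hosts claim MASTER.

detect_carp_split() {
    awk '
    /CARPv2-advertise/ {
        vhid = ""; skew = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^vhid=/)    vhid = substr($i, 6)   # strip "vhid="
            if ($i ~ /^advskew=/) skew = substr($i, 9)   # strip "advskew="
        }
        if (vhid == "" || skew == "") next
        # count each (vhid, advskew) pair once, however often it repeats
        if (!((vhid, skew) in seen)) { seen[vhid, skew] = 1; n[vhid]++ }
    }
    END {
        bad = 0
        for (v in n) {
            if (n[v] > 1) { printf "SPLIT vhid=%s: %d distinct advskew values\n", v, n[v]; bad++ }
            else          { printf "ok    vhid=%s\n", v }
        }
        exit bad        # exit status = number of split vhids
    }'
}

# Constructed sample: the vhid=133 lines are the ones quoted in the thread;
# the vhid=140 line is added as a healthy control with a single advertiser.
SAMPLE='16:08:19.848966 CARPv2-advertise 36: vhid=133 advbase=1 advskew=10 demote=0 (DF) [tos 0x10]
16:08:19.915796 CARPv2-advertise 36: vhid=133 advbase=1 advskew=200 demote=0 (DF) [tos 0x10]
16:08:20.898960 CARPv2-advertise 36: vhid=133 advbase=1 advskew=10 demote=0 (DF) [tos 0x10]
16:08:21.715797 CARPv2-advertise 36: vhid=133 advbase=1 advskew=200 demote=0 (DF) [tos 0x10]
16:08:22.101010 CARPv2-advertise 36: vhid=140 advbase=1 advskew=10 demote=0 (DF) [tos 0x10]'

# Run the detector over the sample; returns the number of split vhids (1 here).
check_sample() {
    printf '%s\n' "$SAMPLE" | detect_carp_split
}

check_sample
```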
Re: problem with CARP+VLAN+OpenBSD 5.5
On 10/14/2014 06:53 PM, Andy wrote:
> Why do you have so many CARP interfaces? Generally it's good practice to have one CARP interface per broadcast domain / VLAN etc, and have all your alias IP addresses defined in that one CARP interface.
>
> NB; when adding:
> inet alias ipaddress mask
> Always set the mask for each alias to 255.255.255.255. This is apparently correct according to the devs. cite; something I was told a long time ago, even though you'll get a spurious error in the logs at fail-over time..

Hello Andy, we use so many carp interfaces because we have separate subnets, so the netmask 255.255.255.255 can't fit our requirements. In the past, we tried to use the subnet netmask (i.e. 255.255.255.240), but we didn't feel so confident about this configuration, and the official documentation does not elaborate on the topic.

> Does it always start once you get to 19? I seem to remember having to increase the number of BPF devices with high numbers of VLANs etc..
>
> for(( i=10; i <= 30; i++ )); do mknod /dev/bpf$i c 23 $i; done
> for(( i=10; i <= 30; i++ )); do chmod o-r,g-r /dev/bpf$i; done

That's interesting. On a similar machine I have only 10 bpf devices (0-9). I will study this tomorrow.

>> # pfsync0 system-1
>> up syncdev em0 syncpeer 10.10.26.4 defer
>> # pfsync0 system-2
>> up syncdev em0 syncpeer 10.10.26.3 defer
>
> Why are you using defer? I'm guessing you know what this does and that it slows things down.. Usually only see this on systems with BGP (in case packets are received on the backup), or on active-active systems.

Yes, sorry, defer was an experiment done while trying to understand where the problem was.

>> # /etc/hostname.em0 system-1
>> inet 10.10.26.3 255.255.255.0 NONE
>> # /etc/hostname.em0 system-2
>> inet 10.10.26.4 255.255.255.0 NONE
>>
>> Can anyone help? This issue is driving me crazy :q!
>
> This all generally looks ok and seems like you know what you're doing. The usual thing which causes multi master is PF.
> Also remember to *not* sync your carp states over pfsync, this works for us;
>
> pass out quick proto carp keep state (no-sync) set prio 7
> pass quick proto carp from { fe80::/10 } to { ff00::/8 } keep state (no-sync)
> pass quick proto carp from { $all_carpv4_ips } keep state (no-sync)
> pass quick on { $if_pfsync_dev } proto pfsync keep state (no-sync)
> block drop quick proto carp

Thank you very much for your contribution. I have no access to the servers right now; tomorrow I will check your advice. Thank you!