Re: Logging daemon message in a specific file

2023-11-11 Thread Rosen Iliev

Hello,

man syslog.conf is your friend.

!!prog causes the subsequent block to abort evaluation when a message 
matches, ensuring that only a single set of actions is taken. !* 
can be used to ensure that any ensuing blocks are further evaluated 
(i.e. cancelling the effect of a !prog or !!prog).


Regards,

Rosen

On 11/11/2023 20:37, Mik J wrote:

Hello,
I would like to log isakmpd and unbound messages in a specific file but I don't 
want them to be logged in messages or daemon.
1) With this first method, the messages are logged in their files but also in 
messages and I don't want them to be logged in messages: I find many queries 
and isakmpd logs in messages

!isakmpd
daemon.*    /var/log/isakmpd.log

!unbound
daemon.*    /var/unbound/var/queries.log
*.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none /var/log/messages
kern.debug;syslog,user.info /var/log/messages



2) With this second method, the messages are logged in their files but not in 
messages. So I'm happy with the way it behaves for isakmpd and unbound, because they 
are logged in their files and not in messages. The problem is that any other messages 
are not logged in messages. No more syslogs are added to messages.

!!isakmpd
daemon.*    /var/log/isakmpd.log

!!unbound
daemon.*    /var/unbound/var/queries.log
*.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none /var/log/messages
kern.debug;syslog,user.info /var/log/messages

How can I first filter syslogs so they can be logged in a specific log and 
everything that doesn't match would end up in messages? That second solution should 
have done that, but it doesn't.
Regards
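As an added example (not from the thread and not syslogd's own code), the following Python models the program-block rules from the syslog.conf(5) excerpt quoted above and runs the second configuration as posted, the same configuration with `!*` inserted before the `/var/log/messages` lines, and a constructed single-`!` variant against constructed sample messages. The matching semantics are my assumption from the man page text: `!prog` restricts the lines that follow to that program, `!!prog` additionally stops evaluation after the first line in its block that matches, and `!*` lifts the restriction; host blocks and comma-separated program lists are not modelled. The sample programs, facilities and levels are constructed.

```python
# Added example, not syslogd's code: a small simulator of syslog.conf
# program blocks. The semantics are an assumption taken from the
# syslog.conf(5) excerpt quoted in the thread: '!prog' restricts the lines
# that follow to messages from prog, '!!prog' additionally stops evaluation
# after the first line of its block that matches, and '!*' lifts the
# restriction. Host blocks (+host) and program lists are not modelled.

LEVELS = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "local0", "local1", "local2",
              "local3", "local4", "local5", "local6", "local7"]


def parse_selector(selector):
    """Map each facility to its minimum level index (None = discard).
    Later parts override earlier ones, so '*.notice;mail.none' keeps
    notice-and-above for everything except mail."""
    thresholds = {}
    for part in selector.split(";"):
        facs, level = part.rsplit(".", 1)
        names = FACILITIES if facs == "*" else facs.split(",")
        if level == "none":
            idx = None
        elif level == "*":
            idx = 0
        else:
            idx = LEVELS.index(level)
        for name in names:
            thresholds[name] = idx
    return thresholds


def parse_config(text):
    """Return (program, quick, thresholds, action) tuples in file order."""
    rules = []
    program, quick = None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("!"):
            name = line.lstrip("!").strip()
            if name in ("", "*"):              # !* lifts the program restriction
                program, quick = None, False
            else:                              # !prog or !!prog
                program, quick = name, line.startswith("!!")
            continue
        selector, action = line.split(None, 1)
        rules.append((program, quick, parse_selector(selector), action.strip()))
    return rules


def route(rules, program, facility, level):
    """Destinations, in order, that a message from `program` logged at
    facility.level would be written to."""
    actions = []
    lvl = LEVELS.index(level)
    for rule_prog, quick, thresholds, action in rules:
        if rule_prog is not None and rule_prog != program:
            continue
        threshold = thresholds.get(facility)
        if threshold is None or lvl < threshold:
            continue
        actions.append(action)
        if quick:       # in a !!prog block: the first matching line ends evaluation
            break
    return actions


# Second method exactly as posted: the messages lines sit inside the !!unbound block.
AS_POSTED = """\
!!isakmpd
daemon.*  /var/log/isakmpd.log
!!unbound
daemon.*  /var/unbound/var/queries.log
*.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none  /var/log/messages
kern.debug;syslog,user.info  /var/log/messages
"""

# Same, with !* closing the program blocks before the catch-all lines.
FIXED = """\
!!isakmpd
daemon.*  /var/log/isakmpd.log
!!unbound
daemon.*  /var/unbound/var/queries.log
!*
*.notice;auth,authpriv,cron,ftp,kern,lpr,mail,user.none  /var/log/messages
kern.debug;syslog,user.info  /var/log/messages
"""

# Constructed variant with single-! blocks and !*: matching messages fall through.
SINGLE_BANG = FIXED.replace("!!", "!")

if __name__ == "__main__":
    samples = [("isakmpd", "daemon", "notice"), ("unbound", "daemon", "info"),
               ("ntpd", "daemon", "notice")]   # constructed sample messages
    for name, cfg in [("as posted", AS_POSTED), ("with !*", FIXED), ("single !", SINGLE_BANG)]:
        rules = parse_config(cfg)
        for prog, fac, lvl in samples:
            print(f"{name:10} {prog:8} {fac}.{lvl:7} -> {route(rules, prog, fac, lvl)}")
```

Run as a script it prints where each sample message lands under each layout: with the lines as posted, a message from any third daemon reaches nothing, because the catch-all lines are still inside the `!!unbound` block; with `!*` in front of them, third-party messages reach /var/log/messages while isakmpd and unbound stop after their own line.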


Re: pf synproxy

2021-11-12 Thread Rosen Iliev
Don't know what you are trying to see here, but what that rule does is 
simply pass the traffic on any interface to your $front_smtp4 hosts 
on port 25, with synproxy.
If you are trying to forward traffic from the firewall to your $front_smtp4 
servers, you are missing stuff.

https://www.openbsd.org/faq/pf/rdr.html

Rosen


Lyndon Nerenberg (VE7TFX/VE6BBM) wrote on 11/10/2021 14:41:

I'm trying to get synproxy working on a firewall, using the following
rule:

   pass quick proto tcp from any to $front_smtp4 port 25 synproxy state

The firewall accepts the connection on the outside interface, but
I don't see (tcpdump) any attempt to complete the connection on the
inside interface.  The state table shows a pair of entries with state
PROXY:SRC and DST:PROXY which line up with the connection, but all I
get is dead air.

This seems like it should 'just work'.  Is there something obvious
I'm missing?  I can give more detailed info (pf rules, ifconfig)
offline for anyone interested in helping out.

Thanks!

--lyndon





Re: Remote LAN access from local IPSec Gateway

2017-03-28 Thread Rosen Iliev

Hi Dante,

It was a dirty hack if I recall; you'll need a static route for the 
destination network to the LAN:Address.


Regards,

Rosen

Dante F. B. Colò wrote on 3/28/2017 11:52 AM:

Hi everyone,

I configured an IPsec network using isakmpd on both sides; access 
between the local networks is OK, except from the gateways themselves. 
Is it accomplishable?



Regards

Dante F. B. Colò




Re: Squid proxy

2013-03-10 Thread Rosen Iliev

Hi Alessandro,

A transparent proxy will not be useful for HTTPS connections.
To handle HTTPS you'll need a non-transparent proxy.

For provisioning users / computers, you should give more information about 
the OS those users are using.
In our environment, I have about 400 workstations running Windows, and I 
handle all of them through a single server running FreeBSD with squid, 
negotiate Kerberos auth to Active Directory and digest authentication 
over LDAP to AD too.
I provision the users' proxy settings with GPO (group policy objects) 
and proxy auto-configuration, as Sven mentioned.
I had two servers running carp before; after that I had two servers 
using DNS round robin. Windows (I didn't try other OSes; it should be the 
browser that handles the failover) seems to work with the DNS for the 
proxy: if one of the hosts is down, IE and Firefox were able to fail over 
to the second host. I didn't test with other browsers.


Cheers,

Rosen

Alessandro Baggi wrote, On 3/10/2013 5:38 AM:

Hi list,
I'm planning to set up a squid proxy for a network with about 120 users.
I have no great experience with proxying a network that has over 20 users.
For this scenario, is a transparent or non-transparent proxy better?

I've searched on the web but can't get real-experience pros and cons 
of these two methods.


Does someone have experience using a transparent vs non-transparent proxy, 
problems found with these two methods, etc.?


Another question is about DansGuardian. Many people say it seems to 
be dead. Is it true?


Thanks in advance.




Re: Nginx, FCGI and C programs

2012-10-04 Thread Rosen Iliev

Ville Valkonen wrote, On 10/4/2012 1:34 PM:

On 4 October 2012 20:36, Jiri B ji...@devio.us wrote:

On Thu, Oct 04, 2012 at 08:20:43PM +0300, Ville Valkonen wrote:

Hi,

I've configured Nginx and FCGI to run some C/C++ apps, well almost.

When navigating to http://host.foo/weezel/progut/default.cgi nginx's error log
states the following (below there is test.c, test.c == default.cgi):

2012/10/04 16:52:22 [error] 26690#0: *14 kevent() reported that connect()
failed (61: Connection refused) while connecting to upstream, client:
192.168.50.102, server: host.foo, request: GET /weezel/progut/ HTTP/1.1,
upstream: fastcgi://127.0.0.1:9001, host: host.foo

Not sure but is your dns working inside chroot?

jirib

I tried the following: mkdir /var/www/etc && cd /var/www/etc && sudo cp -p
/etc/hosts /etc/resolv.conf .
but no success. Any other hints?

--
Ville


Hi Ville,

Can you telnet to 127.0.0.1:9001?

The error you've got from nginx says connection refused, which means 
nginx could not connect to 127.0.0.1 port 9001.


Rosen



Re: Reverse-proxy PF ?

2011-06-06 Thread Rosen Iliev

You should try nginx.

R

hvom .org wrote, On 6/6/2011 3:54 AM:

Hi all

I looked at the docs: ftp-proxy, but no reverse-proxy in PF? Is Varnish the ultimate
solution?

Cordially




Re: OpenBSD users.

2010-07-21 Thread Rosen Iliev

San Jose, Costa Rica

Rosen

Luis F Urrea wrote, On 7/21/2010 12:05 PM:

Central America

San José, Costa Rica

On Wed, Jul 21, 2010 at 1:43 AM, riwanlkyriwan...@mcojaya.com  wrote:


Riwan, Jakarta, Indonesia


Mateusz Gierblinski wrote:


Hi misc@

I'm just wondering. Where are you OpenBSD users from?

I'm from Belgium, anyone else?

Take care




Re: 4.6: load balancing and active/active

2009-07-16 Thread Rosen Iliev

Hi Federico,

Did you try to change the balancing mode to ip-unicast or ip-stealth?

from man carp(4)

IP balancing is activated by setting the balancing mode to ip.  This is
the recommended default setting.  In this mode, carp uses a multicast MAC
address, so that a switch sends incoming traffic towards all nodes.

However, there are a few OS and routers that do not accept a multicast
MAC address being mapped to a unicast IP.  This can be resolved by using
one of the following unicast options.  For scenarios where a hub is used
it is not necessary to use a multicast MAC and it is safe to use the
ip-unicast mode.  Manageable switches can usually be tricked into forwarding
unicast traffic to all cluster nodes ports by configuring them into some
sort of monitoring mode.  If this is not possible, using the ip-stealth
mode is another option, which should work on most switches.  In this mode
carp never sends packets with its virtual MAC address as source.  Stealth
mode prevents a switch from learning the virtual MAC address, so that it
has to flood the traffic to all its ports.  Please note that activating
stealth mode on a carp interface that has already been running might not
work instantly.  As a workaround the VHID of the first carpnode can be
changed to a previously unused one, or just wait until the MAC table entry
in the switch times out.  Some Layer-3 switches do port learning
based on ARP packets.  Therefore the stealth mode cannot hide the virtual
MAC address from these kind of devices.

If IP balancing is being used on a firewall, it is recommended to configure
the carpnodes in a symmetrical manner.  This is achieved by simply
using the same carpnodes list on all sides of the firewall.  This ensures
that packets of one connection will pass in and out on the same host and
are not routed asymmetrically.

Cheers,

Rosen



Federico wrote, On 7/16/2009 2:01 AM:

active/active pfsync works absolutely fine, if you have some way to
send traffic to both firewalls. one way you can do that is if you run
OSPF on the firewalls and the router/s in front of them and enable
multipath.



OK, but I'd like the firewalls to share their load, so the traffic coming
from the Internet is handled by both machines (behind those firewalls I
have a group of web servers).

Maybe I'm missing the point with active/active and load balancing?




Re: rotate logs

2009-03-08 Thread Rosen Iliev

syslogd does not rotate the logs.
Check newsyslog(8).

cheers


x03 wrote:

hello folks!

Is there a way to add an entry to syslogd just for rotation?
I mean, use syslogd to rotate all kinds of logs in /var/log/*

Thanks a lot




Re: Trouble ticket system suggestions

2008-12-28 Thread Rosen Iliev

Hi Ivo,

You have to install xbaseXX.tgz first to be able to install gd and alike.

Rosen

Ivo Chutkin wrote, On 12/28/2008 6:46 AM:

Hello Guys,

Thank you for your suggestions.
I will give a try to RT first.

Although, it does not install on my 4.4 stable :-)
It exits with error code 1 on another port, namely gd-2.0.35.
I can provide more info if needed, but I think the ports mailing list is 
the appropriate place to report it.

Do some of you have a similar problem?

Best regards,
Ivo

open...@bgone.net wrote:

Hello guys,

I would like to get your suggestions and experience with some Trouble
Ticket Systems on OpenBSD.
It should be rather simple.
Users should be able to send notes to support and check their status.
Support should be able to answer the tickets and check old tickets from
the same user, etc.
No need of phone integration.

I really appreciate your help.
Best regards,
Ivo







Re: pf - queue filter directive sticky?

2008-09-30 Thread Rosen Iliev

Why don't you just use quick in the first rule?

pass in quick on $int_if from 10.0.0.1 queue tens
pass in on $int_if

Rosen

(private) HKS wrote, On 9/29/2008 1:29 PM:

If the following two rules apply to a given packet in the order shown,
will the packet be queued?

pass in on $int_if from 10.0.0.1 queue tens
pass in on $int_if

I've not been able to find a clear answer in pf.conf(5) or the online
PF documentation. If I overlooked it, please let me know. Thanks in
advance for the help.

-HKS




Re: About Squid port for OpenBSD 4.2

2008-03-29 Thread Rosen Iliev

Hi,

I guess you didn't install the openldap-client package?

Rosen

Comète wrote:

Hi,

I'm trying to recompile the SQUID 2.6-STABLE13 port for OpenBSD 4.2
with LDAP auth helpers and ldap_group helpers support and get errors
during the compilation. This is what I modified in the Makefile:

...
CONFIGURE_ARGS+=--datadir=${PREFIX}/share/squid \
   --enable-auth="basic digest" \
   --enable-arp-acl \
   --enable-basic-auth-helpers="NCSA YP LDAP" \
   --enable-digest-auth-helpers=password \
   --enable-external-acl-helpers="ip_user unix_group ldap_group" \
   --enable-removal-policies="lru heap" \
   --enable-ssl \
   --enable-storeio="ufs diskd null" \
   --localstatedir=${SQUIDDIR}
...

I should point out that I installed the openldap-client package beforehand to get
the ldap libraries, and this is what I get when building Squid:

# make
Making all in LDAP
if cc -DHAVE_CONFIG_H -I. -I/usr/obj/ports/squid-2.6.STABLE13/squid-2.6.STABLE13/helpers/basic_auth/LDAP -I../../../include -I/usr/obj/ports/squid-2.6.STABLE13/squid-2.6.STABLE13/include -O2 -pipe -MT squid_ldap_auth.o -MD -MP -MF .deps/squid_ldap_auth.Tpo -c -o squid_ldap_auth.o /usr/obj/ports/squid-2.6.STABLE13/squid-2.6.STABLE13/helpers/basic_auth/LDAP/squid_ldap_auth.c; then mv -f .deps/squid_ldap_auth.Tpo .deps/squid_ldap_auth.Po; else rm -f .deps/squid_ldap_auth.Tpo; exit 1; fi
/usr/obj/ports/squid-2.6.STABLE13/squid-2.6.STABLE13/helpers/basic_auth/LDAP/squid_ldap_auth.c:121:18: lber.h: No such file or directory
/usr/obj/ports/squid-2.6.STABLE13/squid-2.6.STABLE13/helpers/basic_auth/LDAP/squid_ldap_auth.c:122:18: ldap.h: No such file or directory
/usr/obj/ports/squid-2.6.STABLE13/squid-2.6.STABLE13/helpers/basic_auth/LDAP/squid_ldap_auth.c:135: error: `LDAP_SCOPE_SUBTREE' undeclared here (not in a function)
/usr/obj/ports/squid-2.6.STABLE13/squid-2.6.STABLE13/helpers/basic_auth/LDAP/squid_ldap_auth.c:139: error: `LDAP_DEREF_NEVER' undeclared here (not in a function)
/usr/obj/ports/squid-2.6.STABLE13/squid-2.6.STABLE13/helpers/basic_auth/LDAP/squid_ldap_auth.c:145: error: `LDAP_NO_LIMIT' undeclared here (not in a function)
/usr/obj/ports/squid-2.6.STABLE13/squid-2.6.STABLE13/helpers/basic_auth/LDAP/squid_ldap_auth.c:152: error: syntax error before '*' token
/usr/obj/ports/squid-2.6.STABLE13/squid-2.6.STABLE13/helpers/basic_auth/LDAP/squid_ldap_auth.c:206: error: syntax error before '*' token
/usr/obj/ports/squid-2.6.STABLE13/squid-2.6.STABLE13/helpers/basic_auth/LDAP/squid_ldap_auth.c: In function `squid_ldap_errno':
/usr/obj/ports/squid-2.6.STABLE13/squid-2.6.STABLE13/helpers/basic_auth/LDAP/squid_ldap_auth.c:208: error: `ld' undeclared (first use in this function)
/usr/obj/ports/squid-2.6.STABLE13/squid-2.6.STABLE13/helpers/basic_auth/LDAP/squid_ldap_auth.c:208: error: (Each undeclared identifier is reported only once
/usr/obj/ports/squid-2.6.STABLE13/squid-2.6.STABLE13/helpers/basic_auth/LDAP/squid_ldap_auth.c:208: error: for each function it appears in.)
/usr/obj/ports/squid-2.6.STABLE13/squid-2.6.STABLE13/helpers/basic_auth/LDAP/squid_ldap_auth.c: At top level:
/usr/obj/ports/squid-2.6.STABLE13/squid-2.6.STABLE13/helpers/basic_auth/LDAP/squid_ldap_auth.c:211: error: syntax error before '*' token
/usr/obj/ports/squid-2.6.STABLE13/squid-2.6.STABLE13/helpers/basic_auth/LDAP/squid_ldap_auth.c: In function `squid_ldap_set_aliasderef':
/usr/obj/ports/squid-2.6.STABLE13/squid-2.6.STABLE13/helpers/basic_auth/LDAP/squid_ldap_auth.c:213: error: `ld' undeclared (first use in this function)
/usr/obj/ports/squid-2.6.STABLE13/squid-2.6.STABLE13/helpers/basic_auth/LDAP/squid_ldap_auth.c:213: error: `deref' undeclared (first use in this function)
/usr/obj/ports/squid-2.6.STABLE13/squid-2.6.STABLE13/helpers/basic_auth/LDAP/squid_ldap_auth.c: At top level:
/usr/obj/ports/squid-2.6.STABLE13/squid-2.6.STABLE13/helpers/basic_auth/LDAP/squid_ldap_auth.c:216: error: syntax error before '*' token
/usr/obj/ports/squid-2.6.STABLE13/squid-2.6.STABLE13/helpers/basic_auth/LDAP/squid_ldap_auth.c: In function `squid_ldap_set_referrals':
/usr/obj/ports/squid-2.6.STABLE13/squid-2.6.STABLE13/helpers/basic_auth/LDAP/squid_ldap_auth.c:218: error: `referrals' undeclared (first use in this function)
/usr/obj/ports/squid-2.6.STABLE13/squid-2.6.STABLE13/helpers/basic_auth/LDAP/squid_ldap_auth.c:219: error: `ld' undeclared (first use in this function)
/usr/obj/ports/squid-2.6.STABLE13/squid-2.6.STABLE13/helpers/basic_auth/LDAP/squid_ldap_auth.c:219: error: `LDAP_OPT_REFERRALS' undeclared (first use in this function)
/usr/obj/ports/squid-2.6.STABLE13/squid-2.6.STABLE13/helpers/basic_auth/LDAP/squid_ldap_auth.c: At top level:
/usr/obj/ports/squid-2.6.STABLE13/squid-2.6.STABLE13/helpers/basic_auth/LDAP/squid_ldap_auth.c:224: error: syntax error before '*' token

Re: apache/proxy - monitoring access to reverse proxy

2008-02-18 Thread Rosen Iliev

Hi Frank,

That has nothing to do with Apache or OpenBSD at all.
All the authentication is done at your web app.
So, the question should be: can my web app do that?
Regards,

Rosen

Frank Bax wrote:

I'm wondering if an OpenBSD box with apache can solve this problem...

A website requires authentication to access and there are a limited 
number of accounts set up (within the web application, not .htaccess) on 
that website, so accounts are shared.  Of course, this situation 
causes problems when two people use the same account, since the second 
login will disconnect the first one.  The simple/ideal solution is to 
create more accounts, but in this case that is not possible.


I did manage to set up a local OpenBSD box with apache to access the 
real site using mod_proxy (ProxyPass & ProxyPassReverse).  Today's 
problem is unrelated to my previous question on this topic.


But I don't see anything in the docs about software that will add yet 
another layer to manage the connections to the remote server.  When a user 
logs into the local webserver, it would be nice if I could present a list 
of used/unused accounts/connections to the remote server/website.  Is this 
possible?  Is it possible to block access to the local server when 
accounts on the remote server are already in use?


Frank




Re: APACHE source modification

2008-01-28 Thread Rosen Iliev

As per some of the patches, for example:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.0/common/001_httpd.patch
rebuild and install httpd and its modules:
cd usr.sbin/httpd
make -f Makefile.bsd-wrapper obj
make -f Makefile.bsd-wrapper cleandir
make -f Makefile.bsd-wrapper depend
make -f Makefile.bsd-wrapper
make -f Makefile.bsd-wrapper install

If httpd had been started, you might want to run
apachectl stop
before running make install, and
apachectl start
afterwards.

Rosen

Bambero wrote:

On Sun, 27 Jan 2008 08:36:22 -0500
Josh Grosse [EMAIL PROTECTED] wrote:


On Sun, Jan 27, 2008 at 02:12:38PM +0100, Bambero wrote:


Hello

I have modified apache source in /usr/src/usr.sbin/httpd.
What commands should I use to build it to override my current binary
instalation ?

FAQ 5.3.5 will work.  Of course, afterwards, your browser may not.



Read the post carefully. As I suppose, apache is a specific package; there is
no Makefile like in other packages, so reading FAQ 5.3.5 doesn't help.

I used the following command but I'm not sure it's correct
cd /usr/src/usr.sbin/httpd
make -f Makefile.bsd-wrapper install




Re: help with pf

2007-12-02 Thread Rosen Iliev

Hi Aaron,

The problem is that you pass based on the source port, not the destination:
pass in on fxp3 inet proto tcp from $lan_net port { ssh www ntp https smtp imap imaps domain } to any


it should be
pass in on fxp3 inet proto tcp from $lan_net to port { ssh www ntp https smtp imap imaps domain }


Also be aware:
keep state - works with TCP, UDP, and ICMP. In OpenBSD 4.1 and later, 
this option is the default for all filter rules.


Rosen


Aaron wrote:
I have decided to switch my Linux routers over to OpenBSD and as such 
need to have pf up and running on them.  I have a test network that I 
am testing this on and am having some issues getting things working as 
expected.  My network configuration is as follows:


My ASCII art sucks, so I'll try to describe the network and provide 
config files:


I have a fresh OpenBSD 4.2 set up with 5 physical interfaces: fxp0-3 
and rl0, with carp set up on the fxp interfaces; rl0 is my pfsync 
interface.  carp3 is my LAN interface and fxp0/carp0 is my WAN 
interface and default gw.


/etc/mygate:   192.168.3.158

# netstat -rn | more
Routing tables
Internet:
Destination        Gateway            Flags   Refs  Use   Mtu    Interface
default            192.168.3.158      UGS        7  3923  -      carp0

10/8               link#6             UC         0  0     -      rl0
10.125.221/24      link#2             UC         0  0     -      fxp0
10.126.221/24      link#3             UC         0  0     -      fxp1
10.127.221/24      link#4             UC         0  0     -      fxp2

127/8              127.0.0.1          UGRS       0  0     33208  lo0
127.0.0.1          127.0.0.1          UH         2  77    33208  lo0
172.16.10/24       link#12            UC         1  0     -      carp3
172.16.10.26       00:08:02:0b:63:59  UHLc       0  2436  -      carp3
192.168.3.128/27   link#9             UC         1  0     -      carp0
192.168.3.158      00:40:f4:76:43:62  UHLc       1  1423  -      carp0
192.168.23/24      link#5             UC         0  0     -      fxp3
192.168.45/24      link#11            UC         0  0     -      carp2
192.168.55.0/27    link#11            UC         0  0     -      carp2

224/4              127.0.0.1          URS        0  0     33208  lo0

# ifconfig -a
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33208
   groups: lo
   inet 127.0.0.1 netmask 0xff00
   inet6 ::1 prefixlen 128
   inet6 fe80::1%lo0 prefixlen 64 scopeid 0x8
san0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
   media: TDM t1
fxp0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
   lladdr 00:0e:0c:74:6d:61
   media: Ethernet autoselect (100baseTX full-duplex)
   status: active
   inet 10.125.221.2 netmask 0xff00 broadcast 10.125.221.255
   inet6 fe80::20e:cff:fe74:6d61%fxp0 prefixlen 64 scopeid 0x2
fxp1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
   lladdr 00:0e:0c:3b:3f:2e
   media: Ethernet autoselect (none)
   status: no carrier
   inet 10.126.221.2 netmask 0xff00 broadcast 10.126.221.255
   inet6 fe80::20e:cff:fe3b:3f2e%fxp1 prefixlen 64 scopeid 0x3
fxp2: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
   lladdr 00:0e:0c:74:6d:a2
   media: Ethernet autoselect (100baseTX full-duplex)
   status: active
   inet 10.127.221.2 netmask 0xff00 broadcast 10.127.221.255
   inet6 fe80::20e:cff:fe74:6da2%fxp2 prefixlen 64 scopeid 0x4
fxp3: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
   lladdr 00:03:47:b1:2c:c4
   media: Ethernet autoselect (100baseTX full-duplex)
   status: active
   inet 192.168.23.2 netmask 0xff00 broadcast 192.168.23.255
   inet6 fe80::203:47ff:feb1:2cc4%fxp3 prefixlen 64 scopeid 0x5
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
   lladdr 00:50:bf:72:51:c9
   media: Ethernet autoselect (100baseTX full-duplex)
   status: active
   inet 10.23.183.1 netmask 0xff00 broadcast 10.255.255.255
   inet6 fe80::250:bfff:fe72:51c9%rl0 prefixlen 64 scopeid 0x6
enc0: flags=0<> mtu 1536
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33208
   groups: pflog
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
   lladdr 00:00:5e:00:01:01
   carp: MASTER carpdev fxp0 vhid 1 advbase 1 advskew 0
   groups: carp egress
   inet6 fe80::200:5eff:fe00:101%carp0 prefixlen 64 scopeid 0x9
   inet 192.168.3.150 netmask 0xffe0 broadcast 192.168.3.159
carp1: flags=8803<UP,BROADCAST,SIMPLEX,MULTICAST> mtu 1500
   lladdr 00:00:5e:00:01:02
   carp: INIT carpdev fxp1 vhid 2 advbase 1 advskew 0
   groups: carp
   inet6 fe80::200:5eff:fe00:102%carp1 prefixlen 64 scopeid 0xa
   inet 10.126.221.4 netmask 0xff00 broadcast 10.126.221.255
carp2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
   lladdr 00:00:5e:00:01:03

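An added example that serves both the "pf - queue filter directive sticky?" thread above and Aaron's rule here: constructed Python, not pf's code, that models just enough of pf's rule matching to show why the queue assignment is lost without `quick` (the last matching rule wins) and why `from $lan_net port { ... } to any` matches a client's source port rather than the port it connects to. The interface names, the assumption that $lan_net is 192.168.23.0/24 (fxp3's network in the netstat output above), and the sample packets are all constructed; every modelled rule is a `pass` rule, and a packet that matches no rule is treated as hitting a default `block`.

```python
# Added example, not pf's code: a toy evaluator for two pf rule-matching
# points raised in the threads above. Only the fields needed for those
# points are modelled (interface, proto, source network, source/destination
# ports, quick, queue); every rule is a 'pass' rule and a packet matching
# no rule is treated as hitting a default 'block'.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Port numbers for the service names used in Aaron's rule.
SERVICES = {"ssh": 22, "www": 80, "ntp": 123, "https": 443,
            "smtp": 25, "imap": 143, "imaps": 993, "domain": 53}
SERVICE_PORTS = frozenset(SERVICES.values())


@dataclass
class Packet:
    iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    text: str                                   # the pf.conf line being modelled
    iface: str
    quick: bool = False
    proto: Optional[str] = None                 # None = any protocol
    src_net: Optional[str] = None               # None = any source
    sports: frozenset = field(default_factory=frozenset)   # empty = any port
    dports: frozenset = field(default_factory=frozenset)
    queue: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        if self.iface != pkt.iface:
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.src_net is not None and ip_address(pkt.src) not in ip_network(self.src_net):
            return False
        if self.sports and pkt.sport not in self.sports:
            return False
        if self.dports and pkt.dport not in self.dports:
            return False
        return True


def evaluate(rules, pkt):
    """Last matching rule wins, unless a matching rule says 'quick'."""
    winner = None
    for rule in rules:
        if rule.matches(pkt):
            winner = rule
            if rule.quick:
                break
    return winner


def queue_for(rules, pkt):
    """Queue the packet ends up in, or None if no rule passed it."""
    winner = evaluate(rules, pkt)
    return winner.queue if winner else None


# --- HKS's question: is 'queue tens' sticky without quick? ---
QUEUE_RULES = [
    Rule("pass in on $int_if from 10.0.0.1 queue tens", "int_if",
         src_net="10.0.0.1/32", queue="tens"),
    Rule("pass in on $int_if", "int_if"),
]
# Rosen's suggestion: make the first rule quick.
QUEUE_RULES_QUICK = [
    Rule("pass in quick on $int_if from 10.0.0.1 queue tens", "int_if",
         quick=True, src_net="10.0.0.1/32", queue="tens"),
    Rule("pass in on $int_if", "int_if"),
]
# Constructed packet from 10.0.0.1 to a web server.
LAN_PKT = Packet("int_if", "tcp", "10.0.0.1", 40000, "198.51.100.7", 80)

# --- Aaron's rule: source port vs destination port ---
# $lan_net is assumed to be 192.168.23.0/24 (fxp3's network in his netstat output).
WRONG_RULE = Rule("pass in on fxp3 inet proto tcp from $lan_net port { ... } to any",
                  "fxp3", proto="tcp", src_net="192.168.23.0/24", sports=SERVICE_PORTS)
RIGHT_RULE = Rule("pass in on fxp3 inet proto tcp from $lan_net to port { ... }",
                  "fxp3", proto="tcp", src_net="192.168.23.0/24", dports=SERVICE_PORTS)
# Constructed client connection: ephemeral source port, destination port 443.
CLIENT_PKT = Packet("fxp3", "tcp", "192.168.23.10", 51234, "203.0.113.5", 443)

if __name__ == "__main__":
    print("queue without quick:", queue_for(QUEUE_RULES, LAN_PKT))         # None
    print("queue with quick:   ", queue_for(QUEUE_RULES_QUICK, LAN_PKT))   # tens
    print("wrong rule passes client:", evaluate([WRONG_RULE], CLIENT_PKT) is not None)
    print("right rule passes client:", evaluate([RIGHT_RULE], CLIENT_PKT) is not None)
```

Without `quick`, the bare `pass in on $int_if` is the last match and its empty queue wins; with `quick`, evaluation stops at the first rule and the packet keeps `queue tens`. The source-port rule never matches an ordinary client connection because clients pick an ephemeral source port, so under a default `block` the LAN traffic is dropped, which is the symptom Rosen's correction addresses.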
Re: Is this load balancing Idea for squid ok while using route-to or is there a better one?

2007-11-21 Thread Rosen Iliev

Hi Siju,

Are you running the squid on the same box where the firewall is?
If so, tags will not be preserved on the outgoing connections from squid 
to the internet.


Regards,

Rosen

Siju George wrote:

Hi,

QUITE UNFORTUNATELY THIS DOES NOT SEEM TO WORK :-(

Could some one please let me see the flaw in logic or implementation?

Thank you so much :-)

Kind Regards

Siju


On Nov 21, 2007 10:46 AM, Siju George [EMAIL PROTECTED] wrote:
  

Hi,

I have two internet connections connected to my firewall now.
Both are from the same ISPs with IP addresses IP1 and IP2
Both have the same gateway GWIP

$ext_if=IP1
$ext_if2=IP2

Now, to load balance squid, what I am doing is to tag half of the
packets coming to squid using the rules

===
pass in on $int_if inet proto tcp from $int_if:network to any port 8080 \
keep state tag squid probability 50% label squid

pass in quick on $int_if inet proto tcp from $int_if:network to any
port { 21, 8080 } keep state

pass in on $int_if route-to { ($ext_if $gateway), ($ext_if2 $gateway)
} round-robin \
 from $int_if:network to any keep state

===

This gets half of the traffic that comes to squid tagged and labeled as 'squid'

then I have the following NAT rule for the $ext_if which is the
default route to  NAT the tagged rules ( i.e half of squid traffic )
to IP2 on $ext_if2

=

nat on $ext_if from $int_if:network to any tagged squid -> ($ext_if2)

nat on $ext_if from $int_if:network to any -> ($ext_if)

nat on $ext_if2 from $int_if:network to any -> ($ext_if2)

=

and finally for the filter rules to route the tagged packets through
the second interface.

==

pass out quick on $ext_if route-to ( $ext_if2 $gateway ) inet proto tcp \
all modulate state flags S/SA tagged squid

pass out on $ext_if route-to ( $ext_if $gateway ) proto tcp \
all modulate state flags S/SA

pass out on $ext_if2 route-to ( $ext_if2 $gateway ) proto tcp \
all modulate state flags S/SA

pass out on $ext_if route-to ( $ext_if $gateway ) proto { udp, icmp }
all keep state

pass out on $ext_if2 route-to ( $ext_if2 $gateway ) proto { udp, icmp
} all keep state

===

derived this Idea from

http://osdir.com/ml/openbsd.pf/2005-02/msg00124.html

after searching the archives.

Just wondering if there is a better way to do it :-)

Thank you so much especially Danny for the post :-)))

Kind Regards

Siju




Re: Internal loadbalancing

2007-10-17 Thread Rosen Iliev

Hi Vladimir,

You should post your pf.conf from 10.0.5.200. It seems that you block 
port 80 on 10.0.5.200.


Vladimir wrote:

dane johansen wrote:

Probably you ran into this situation:

client (10.0.5.233) -> firewall (10.0.5.200) -> rdr -> server (10.0.5.81)


Now the server sees that the packet came in from the same subnet and goes 
directly to the client, which does not expect a reply from 10.0.5.81; 
it expects a reply from 10.0.5.200.


You may want to read this:

http://www.openbsd.org/faq/pf/rdr.html#reflect


I obviously omitted the most pertinent information. My apologies.

The client's IP is actually 10.0.1.50, coming from a different subnet, so 
the path is really


client (10.0.1.50) -> firewall (10.0.1.1) -> firewall (10.0.5.200) -> 
rdr -> server (10.0.5.81, whose gw is 10.0.5.1)




Vladimir




Re: keep state for http connections

2007-01-24 Thread Rosen Iliev
I have OpenBSD 3.9 doing load balancing to a farm of web servers (11 web 
servers). In the peak hours the traffic jumps over 32Mbits and there are around 
15,000 entries in the state table.

You can check my graph at: http://www.ilievi.net/15days.jpg
The firewall is running on:
cpu0: Intel Pentium III (GenuineIntel 686-class) 1 GHz
cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,SER,MMX,FXSR,SSE

real mem  = 534290432 (521768K)
avail mem = 480735232 (469468K)

load averages:  0.92,  0.88,  0.83 13:58:18
27 processes:  26 idle, 1 on processor
CPU states:  2.2% user,  0.0% nice,  5.9% system, 12.5% interrupt, 79.4% 
idle

Memory: Real: 31M/99M act/tot  Free: 398M  Swap: 0K/1024M used/tot

My current limit
set limit states 3



Alexander Lind wrote:
If I have a busy http server or cluster (by busy I mean one that gets 
hundreds of thousands of visitors per day), and I use an openbsd 
firewall, should I keep state for all incoming http connections, or 
should I just pass them all in without state and then pass them all 
out without state instead of using states?


I'm afraid the state table will get filled up.

This is on openbsd 3.9

Alec




Re: pf examples needed

2007-01-16 Thread Rosen Iliev

Hi Charles,

If you try to access X.X.X.25 from within 192.168.100.x it will not 
work, because of the NAT.

The same applies to 192.168.200.x.
It would be much easier to have two separate firewalls, one for browsing 
and one for servers.


Rosen

Charles Farinella wrote:

Thanks to all for the help.

Martin Toft wrote:

On Tue, Jan 16, 2007 at 09:32:02AM -0500, Charles Farinella wrote:

I have an OpenBSD 3.9 machine with a public IP providing NAT and
firewalling for our internal network.  It has 3 interfaces:

dc0: public ip from internet X.X.X.25
dc1: 192.168.100.x to internal network.  This works well.
dc2: 192.168.200.x -- to Windows server.

I need to allow public access to the Windows server connected to dc2
(one port only).  Currently I have a private network address assigned
to dc2 and a public one (X.X.X.26) assigned to the machine connected
to it.


You should put a private 192.168.200.x IP address on the Windows box,
not a global X.X.X.26 address. Afterwards, do a simple port forwarding
(redirection in pf language) at the OpenBSD box, e.g.


I currently have it set up like this:

dc0 = X.X.X.25
dc2 = 192.168.200.254
test_box = 192.168.25.123
services = { ssh, smtp, http, https }

I have the following in my pf.conf:
rdr pass on dc0 proto tcp from any to X.X.X.25 port 80 -> 192.168.25.122 port 80


If I ssh into the X.X.X.25 box I can access the test_box on port 80.  
I cannot access X.X.X.25 port 80 however.


I've been using pfctl -f /etc/pf.conf to reload my rules.  I see no 
reference in my pflog to any attempts to access port 80 on X.X.X.25.




Remember to set up a default route on the Windows box (it should of
course use the OpenBSD box as its default route).


Routing tables

Internet:
Destination         Gateway             Flags   Refs  Use  Mtu    Interface

default             192.168.25.254      UGS        0  7    -      ne3
loopback            localhost.localnet  UGRS       0  0    33224  lo0
localhost.localnet  localhost.localnet  UH         0  9    33224  lo0
192.168.25/24       link#1              UC         0  0    -      ne3
192.168.25.254      00:18:f8:08:b4:27   UHLc       0  592  -      ne3
BASE-ADDRESS.MCAST  localhost.localnet  URS        0  0    33224  lo0

Is this correct?

Thanks again.

--charlie




Re: mssql.so

2006-01-14 Thread Rosen Iliev

Joachim Schipper wrote:


On Sat, Jan 14, 2006 at 12:10:56AM -0200, Ricardo Lucas wrote:


It's a stupid question but very useful for me: how can I install or find the
mssql.so extension, or if it does not exist, what can I do instead?
And if it does not exist, why is there a line for that extension in the
php.ini in the package from the ports tree?
That is it!



I'd take a look at
ftp://ftp.openbsd.org/pub/OpenBSD/3.8/packages/i386/php5-mysql-5.0.4.tgz
or php4-mysql-4.4.1p0.tgz in the same directory.

These will be generated by /usr/ports/www/php{4,5}/extensions.

Joachim


Richard is looking for MS SQL, not MySQL.

http://www.php.net/manual/en/ref.mssql.php
   To use the MSSQL extension on Unix/Linux, you first need to build 
and install the FreeTDS library. Source code and installation 
instructions are available at the FreeTDS home page: http://www.freetds.org/


I did not have 3.8 installed, so I don't know what else you will need, 
and whether there is a port for php(4,5)-mssql. But I can see that there is 
a msdblib package:

ftp://ftp.openbsd.org/pub/OpenBSD/3.8/packages/i386/freetds-0.63-msdblib.tgz


Cheers,

Rosen



OT: Help wanted in Caracas, Venezuela

2005-10-02 Thread Rosen Iliev
Hi misc,

I need help in Caracas, Venezuela.
We have a remote location that doesn't have tech on staff. They just lost 
their firewall. I guess it was some kind of power failure.
We will have to reinstall the box. They will pay you for your help.

Please contact me off the list.

It's an emergency.

Thank you,


Rosen Iliev

IT Department Manager
www.betcris.com
San Jose, Costa Rica
Direct: + (506) 242-4927
Fax: + (506) 210.7828