Re: manual about jobs control

2012-04-11 Thread Samuel Martin Moro
On 04/11/12 01:23, f5b wrote:
> In OpenBSD we can use commands like jobs, fg or something else, but why do
> man jobs and man fg not work?
>
> And is there anything about job control in the base manual?

These are shell builtins.
You may refer to your shell's man.

Regards.

-- 
Samuel Martín Moro
   Systems and Network Engineer
   tel 01 41 40 11 22
   gsm 06 30 52 01 79
SMILE - Open Source Solutions
   48 rue de Villiers, 92300 Levallois Perret



Re: IPSEC, CARP - BACKUP firewall unreachable

2012-01-21 Thread Samuel MARTIN MORO
On 01/20/12 19:50, Samuel Martin Moro wrote:

> Hello, list!
>
> Using OpenBSD 4.9 GENERIC.MP#819 amd64 - if at all relevant.
>
> I have 3 offices, each of them with a couple firewalls, running
> isakmpd/sasyncd, carp/pfsync, ifstated, and of course pf, for firewalls
> handling 10 vlans, and 1 ADSL+1 SDSL links.
> Both ISPs provide us with a single public IP. I configured my public
> carps like this:
> hostname.emx: up
> hostname.carpx: inet...carpdev emx vhid...advbase...advskew...pass...
>
> When I attempt to join a remote backup firewall, connection times out.
> Also, using master firewall to ssh to the backup one, when I try to
> join IPSEC remote networks, tcpdump confirms traffic goes through enc0.
>
> I still can't join them if, in my ifstated.conf, I add static routes
> so carp backup uses carp master as gateway for IPSEC remote networks.
>
> I first used to kill these IPSEC esp/flows on the carp backup, so
> traffic uses my static route.
> Then I added a pf rule in both firewalls so traffic going to the other
> firewall is natted with master's IP, in the required vlan. This seems
> to work just fine, and remains the cleanest way I could think of for now.
>
> Maybe I could try playing with pf anchors? This way, I might also be
> able to allow backup firewall to join remote networks.
> Since I managed to configure them as puppet clients, they sometimes try
> to update their configuration. Having the backup firewall taking
> mastership without its updated configuration is quite a shame. I could
> add some puppetd -vdt in my ifstated configuration file, however I'm
> not sure this is a good idea.
>
> Last observation: we also have, in a data-center, another pair of
> OpenBSD. There, we actually have one public IP per firewall. And
> moreover, joining backup firewall from remote networks is not a
> problem.
> IPSEC traffic leaves backup firewall, announcing its carp IP, traffic
> comes back to master, master re-routes it to slave, slave talks for
> itself, ... and everything works just fine.
>
> Whatever. My questions are:
>
> - is there a way I missed, to configure isakmpd (or sasyncd?) so that
>   my slaves do not try to actually use their shared tunnels?
>
> - does anyone here know about some 'good practice' I'm missing,
>   regarding carp using a single IP?
>   and, isn't this use of carp kinda ugly?
>   may I add the carp IP as physical interface's IP (in hostname.emx,
>   instead of 'up', actually configuring my IP)? I'm just thinking about
>   this one, this looks doable, I'll check about that...
>
> Kind regards.

Hi again,

I tried configuring my carp IP both in my carp and my physical
interfaces.
From now on, I'm able to reach remote IPSEC end with backup firewalls.
Sorry for the noise.


Regards.

-- 
Samuel Martín Moro
EPITECH 2011



IPSEC, CARP - BACKUP firewall unreachable

2012-01-20 Thread Samuel Martin Moro
Hello, list!


Using OpenBSD 4.9 GENERIC.MP#819 amd64 - if at all relevant.

I have 3 offices, each of them with a couple firewalls, running
isakmpd/sasyncd, carp/pfsync, ifstated, and of course pf, for firewalls
handling 10 vlans, and 1 ADSL+1 SDSL links.
Both ISPs provide us with a single public IP. I configured my public
carps like this:
hostname.emx: up
hostname.carpx: inet...carpdev emx vhid...advbase...advskew...pass...


When I attempt to join a remote backup firewall, connection times out.
Also, using master firewall to ssh to the backup one, when I try to
join IPSEC remote networks, tcpdump confirms traffic goes through enc0.

I still can't join them if, in my ifstated.conf, I add static routes
so carp backup uses carp master as gateway for IPSEC remote networks.


I first used to kill these IPSEC esp/flows on the carp backup, so
traffic uses my static route.
Then I added a pf rule in both firewalls so traffic going to the other
firewall is natted with master's IP, in the required vlan. This seems
to work just fine, and remains the cleanest way I could think of for now.

Maybe I could try playing with pf anchors? This way, I might also be
able to allow backup firewall to join remote networks.
Since I managed to configure them as puppet clients, they sometimes try
to update their configuration. Having the backup firewall taking
mastership without its updated configuration is quite a shame. I could
add some puppetd -vdt in my ifstated configuration file, however I'm
not sure this is a good idea.

Last observation: we also have, in a data-center, another pair of
OpenBSD. There, we actually have one public IP per firewall. And
moreover, joining backup firewall from remote networks is not a
problem.
IPSEC traffic leaves backup firewall, announcing its carp IP, traffic
comes back to master, master re-routes it to slave, slave talks for
itself, ... and everything works just fine.


Whatever. My questions are:

- is there a way I missed, to configure isakmpd (or sasyncd?) so that
   my slaves do not try to actually use their shared tunnels?

- does anyone here know about some 'good practice' I'm missing,
   regarding carp using a single IP?
   and, isn't this use of carp kinda ugly?
   may I add the carp IP as physical interface's IP (in hostname.emx,
   instead of 'up', actually configuring my IP)? I'm just thinking about
   this one, this looks doable, I'll check about that...


Kind regards.

-- 
Samuel Martín Moro
EPITECH 2011