Re: bridge and carp

2008-08-20 Thread alexander lind

On Aug 20, 2008, at 12:06 AM, Marco Fretz wrote:

>> Is it possible to have two OpenBSD bridging firewalls work together
>> with CARP now?
>
> What do you mean by "work together"? Only fail-over? load-share?

Fail-over is my primary concern.

>> Update the ifp of bridge cache entries if the entry is not static.
>> This makes carp(4) fail-over work over bridge(4).
>
> I think this means only that it is possible to use carp over bridges,
> not for bridges. But maybe I'm wrong. :-)

Ah, that makes sense I suppose since I can't find many references to
this particular scenario elsewhere!

>> So my question is, am I understanding this right if I say that it is
>> indeed possible to set up a pair of redundant carped firewalls using
>> OpenBSD 4.2 or above?
>
> Bridges are layer 2, carp is layer 3 (it shares IP addresses). So carp
> cannot handle this by its nature I think. Just place both bridges
> in your LAN and you have your fail-over solution. I've never done
> something with OpenBSD bridges but as I know it from bridge-utils on
> Linux you can set STP priority and costs to influence spanning tree path
> selection. Of course your LAN switch should be capable of basic
> spanning-tree functions as well.
>
> After the first bridge goes down, spanning tree automatically takes the
> next best path by setting the needed switch ports to forward (instead of
> blocking).

This sounds like the best route for us. I will experiment and see if I
can get it working like this later today.


Thanks for your advice!

Alec
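
The STP-based fail-over Marco describes, as an added example that is not part of the thread: a POSIX sh script that generates /etc/hostname.bridge0 for either of two parallel OpenBSD filtering bridges, giving the preferred one the lower bridge priority so the switch keeps the other's port blocked until the first disappears. The script name, the member interface names (fxp0 toward the LAN switch, fxp1 toward the upstream router) and the priority values are assumptions; the bridge keywords (add, stp, spanpriority, up) are the ones brconfig(8)/ifconfig(8) accept in hostname.if(5).

```shell
#!/bin/sh
# bridge-stp.sh (hypothetical name): write /etc/hostname.bridge0 for one of
# two parallel OpenBSD bridges so that spanning tree prefers the "primary"
# and only unblocks the path through the "backup" when the primary is gone.
# Added example, not from the thread; interface names and priorities are
# assumptions.
set -eu

INSIDE=${INSIDE:-fxp0}     # assumption: member port facing the LAN switch
OUTSIDE=${OUTSIDE:-fxp1}   # assumption: member port facing the upstream router
PRIMARY_PRIO=${PRIMARY_PRIO:-4096}   # lower bridge priority wins the election
BACKUP_PRIO=${BACKUP_PRIO:-32768}    # the default spanpriority

# The two bridges must not share a priority: with equal values STP breaks
# the tie on the bridge MAC address and you no longer choose the active path.
check_priorities() {
    [ "$1" -ge 0 ] && [ "$1" -le 65535 ] || return 1
    [ "$2" -ge 0 ] && [ "$2" -le 65535 ] || return 1
    [ "$1" -lt "$2" ]
}

# Print the hostname.bridge0(5) lines for the given role (primary|backup).
# Both member ports run STP on both machines; only spanpriority differs.
bridge_config() {
    case $1 in
        primary) prio=$PRIMARY_PRIO ;;
        backup)  prio=$BACKUP_PRIO ;;
        *) echo "usage: bridge_config primary|backup" >&2; return 1 ;;
    esac
    check_priorities "$PRIMARY_PRIO" "$BACKUP_PRIO" || {
        echo "primary priority must be lower than backup priority" >&2
        return 1
    }
    cat <<EOF
add $INSIDE
add $OUTSIDE
stp $INSIDE
stp $OUTSIDE
spanpriority $prio
up
EOF
}

# Write the file for this box's role and bring the bridge up with netstart.
install_config() {
    bridge_config "$1" > /etc/hostname.bridge0.new &&
    mv /etc/hostname.bridge0.new /etc/hostname.bridge0 &&
    sh /etc/netstart bridge0
}

case ${1:-} in
    primary|backup) install_config "$1" ;;
esac
```

Run it as `sh bridge-stp.sh primary` on one box and `sh bridge-stp.sh backup` on the other. As Marco says, the LAN switch on each side has to run spanning tree as well, and fail-over is only as fast as STP convergence: with classic STP timers (max age 20 s, forward delay 15 s) that can be tens of seconds, not the few seconds a CARP master change takes. Since pf on a bridge filters on the member interfaces, both boxes also need the same ruleset loaded.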



Re: bridge and carp

2008-08-19 Thread alexander lind

On Aug 19, 2008, at 6:11 PM, alexander lind wrote:


Is it possible to have two OpenBSD bridging firewalls work together
with CARP now?

In the past I know it has been impossible to use CARP between two
bridging firewalls, but reading the 4.1 ->  4.2 changelog, I learned
about this change:

Update the ifp of bridge cache entries if the entry is not static.
This makes carp(4) fail-over work over bridge(4).

So my question is, am I understanding this right if I say that it is
indeed possible to set up a pair of redundant carped firewalls using
OpenBSD 4.2 or above?


A pair of redundant carped BRIDGING firewalls, that is. Sorry.

Alec



bridge and carp

2008-08-19 Thread alexander lind
Is it possible to have two OpenBSD bridging firewalls work together  
with CARP now?

In the past I know it has been impossible to use CARP between two  
bridging firewalls, but reading the 4.1 ->  4.2 changelog, I learned  
about this change:

Update the ifp of bridge cache entries if the entry is not static.  
This makes carp(4) fail-over work over bridge(4).

So my question is, am I understanding this right if I say that it is  
indeed possible to set up a pair of redundant carped firewalls using  
OpenBSD 4.2 or above?

Alec



bridging and NAT:ing on the same interface

2008-08-11 Thread alexander lind

Hi List

Is it possible to bridge and NAT on one single network interface?

I have two machines that I want to bind public IPs on, and I want to
bridge these. I have a few other machines that I want to put on a
private network with internal IP addresses, and I want to NAT to these
machines.


My OpenBSD machine only has two interfaces, one which is connected to
the internet, and the other that is connected to my switch. If
possible, I want the interface that is connected to the switch to do both
bridging and NATing to accommodate the setup above.


Thanks
Alec



Re: detection of machines behind PF firewall

2008-06-15 Thread alexander lind

On Jun 13, 2008, at 4:22 PM, Aaron Stellman wrote:

> On Fri, Jun 13, 2008 at 04:05:12PM -0400, alexander lind wrote:
>> Hi all
>>
>> Is there currently any known method for detecting information about a
>> machine behind a PF firewall?
>>
>> Specifically, if I have a machine with two IP addresses, is it
>> possible for a remote attacker to detect that these two IP addresses
>> are bound on the same machine (this machine would be behind a PF
>> firewall with the scrubbing option). The two IP addresses would be
>> known to the attacker.
>
> Nobody will answer your question without seeing your ruleset and other
> detailed information.

I was just discussing this with someone, I don't have a machine set up
right now. But if we just assume a really simple configuration with
the 'scrub all' directive in use, and using the common 'block in all'
statement as well?


Thanks
Alec



detection of machines behind PF firewall

2008-06-13 Thread alexander lind

Hi all

Is there currently any known method for detecting information about a  
machine behind a PF firewall?


Specifically, if I have a machine with two IP addresses, is it  
possible for a remote attacker to detect that these two IP addresses  
are bound on the same machine  (this machine would be behind a PF  
firewall with the scrubbing option). The two IP addresses would be  
known to the attacker.


Thanks
Alec



pf.conf propagation

2007-03-20 Thread Alexander Lind

Hello misc.

Can anyone recommend a pf propagation script, intended to be used to
spread changes from one carp'ed OpenBSD firewall to another?


I found one bash script which seems to do a decent job here:
http://archives.neohapsis.com/archives/openbsd/2006-11/1134.html

But it requires bash and supports only two firewalls.

Also does anyone know if there are any plans to make this pf.conf
propagation a feature in OpenBSD itself?


Alec



Re: keep state for http connections

2007-01-25 Thread Alexander Lind
Travers Buda wrote:
> I just did some really basic stuff with http_load.
>
> Without pf at all, the mean connect() times were horrible, ranging from
> 48 to 76 ms. But, after a few runs with stateless (using pass quick)
> and keep state, the data I got showed that keep state is 12% faster.
> Now, of course, this number will vary between installations, but it
> does show keep state is indeed faster. My bad.

Sorry been very pressed for time, but interesting results, thanks!

Alec




keep state for http connections

2007-01-24 Thread Alexander Lind
If I have a busy http server or cluster (by busy I mean one that gets
hundreds of thousands of visitors per day), and I use an OpenBSD
firewall, should I keep state for all incoming http connections, or
should I just pass them all in without state and then pass them all out
without state instead of using states?


I'm afraid the state table will get filled up.

This is on OpenBSD 3.9

Alec
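
Since the worry in this thread is the state table filling up, here is an added example (not from the thread) of a POSIX sh check that reads the current entry count from `pfctl -si` and the hard limit from `pfctl -sm` and exits non-zero when usage crosses a threshold, so it can run from cron. The script name and the 80% threshold are assumptions; the two output lines it parses ("current entries" and "states hard limit") are what OpenBSD's pfctl prints.

```shell
#!/bin/sh
# pf-states.sh (hypothetical name): report pf state-table usage and fail when
# it is close to the hard limit.  Added example, not from the thread.
set -eu

PFCTL=${PFCTL:-pfctl}
WARN_PCT=${WARN_PCT:-80}   # assumption: warn at 80% of the hard limit

# Number of states currently in the table (from "pfctl -si").
state_count() {
    "$PFCTL" -si | awk '/^ *current entries/ { print $3; exit }'
}

# Hard limit on states (pf.conf "set limit states N", shown by "pfctl -sm").
state_limit() {
    "$PFCTL" -sm | awk '$1 == "states" { print $4; exit }'
}

# Integer percentage of the limit in use; fails if either number is missing.
state_usage_pct() {
    count=$(state_count)
    limit=$(state_limit)
    [ -n "$count" ] && [ -n "$limit" ] && [ "$limit" -gt 0 ] || return 1
    echo $(( count * 100 / limit ))
}

# Exit 0 below WARN_PCT, 1 at or above it, 2 if pfctl output was unusable.
check_states() {
    pct=$(state_usage_pct) || return 2
    if [ "$pct" -ge "$WARN_PCT" ]; then
        echo "pf states at ${pct}% of limit; raise 'set limit states' or tune timeouts" >&2
        return 1
    fi
    echo "pf states at ${pct}% of limit"
}

case ${1:-} in
    check) check_states ;;
esac
```

If it fires, the knobs are `set limit states N` in pf.conf (the default is 10000 on OpenBSD of this vintage), the `adaptive.start`/`adaptive.end` timeouts, which shorten state lifetimes as the table fills, and a per-rule `keep state (max N)` to cap what one rule may consume. Note that on 3.9 a plain `pass` rule is stateless unless `keep state` is given; from 4.1 on, pass rules keep state by default, so going stateless there has to be said explicitly with `no state`.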



Re: Script to sync pf rules for CARP fws

2006-11-14 Thread Alexander Lind
no need to run pfctl on the other machines, if you are using pfsync, is
there?

alec

z0mbix wrote:
> On 14/11/06, C. L. Martinez <[EMAIL PROTECTED]> wrote:
>> Hi all,
>>
>>  Somebody knows where I can find a good shell script to sync pf.conf
>> rules
>> over a several Openbsd firewalls using CARP?
>>
>> many thanks.
>>
>
> Surely a simple shell script using scp to copy the pf.conf to each
> host and ssh to run pfctl to update the ruleset with the new file?
>
> Cheers z0mbix
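
A concrete form of z0mbix's scp-and-pfctl suggestion, which also answers the request in the "pf.conf propagation" message above for something that is not bash-only and handles more than two firewalls. This is an added example, not a script from either thread or from the URL Alec found; the host names, paths and passwordless root ssh between the firewalls are assumptions. Note that pfsync(4) replicates the state table between the peers, not the ruleset, so pfctl does have to be run on each box.

```shell
#!/bin/sh
# pf-push.sh (hypothetical name): push one pf.conf to every firewall in a
# carp'ed group and load it there.  Added example, plain POSIX sh; host
# names, paths and key-based root ssh are assumptions.
set -eu

RULES=${RULES:-/etc/pf.conf}
HOSTS=${HOSTS:-"fw1 fw2 fw3"}        # assumption: ssh names of the peers
STAGE=${STAGE:-/etc/pf.conf.staged}  # copied here first, never loaded directly
SSH=${SSH:-ssh}
SCP=${SCP:-scp}
PFCTL=${PFCTL:-pfctl}

# Parse the ruleset locally first: a typo should never reach a peer.
check_local() {
    "$PFCTL" -nf "$1"
}

# Copy to a staging path, parse it on the peer, and only then replace the
# live file and load it, so a half-copied file can never be loaded.
push_one() {
    host=$1
    "$SCP" -q "$RULES" "$host:$STAGE" || return 1
    "$SSH" "$host" "$PFCTL -nf $STAGE && mv $STAGE /etc/pf.conf && $PFCTL -f /etc/pf.conf"
}

# Push to every host; keep going after a failure but report it in the exit code.
push_all() {
    check_local "$RULES" || { echo "local ruleset does not parse, aborting" >&2; return 2; }
    rc=0
    for h in $HOSTS; do
        if push_one "$h"; then
            echo "$h: ruleset loaded"
        else
            echo "$h: FAILED" >&2
            rc=1
        fi
    done
    return $rc
}

case ${1:-} in
    push)  push_all ;;
    check) check_local "$RULES" ;;
esac
```

Files the ruleset pulls in, such as tables loaded with `file "..."` or anchors read from separate files, are not copied by this script and need the same treatment. Where the firewalls differ (interface names, their own carp addresses) keep those in macros at the top of pf.conf or generate the file per host rather than editing it by hand on one box.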



Re: Expected 802.11g speeds?

2006-11-06 Thread Alexander Lind
mb as in megabit or megabyte?

alec

Steve Shockley wrote:
> I've got an OpenBSD 3.9 firewall/AP with a ral wireless card, and I'm
> connecting to it from a WinXP machine with an Intel 2915 wireless and
> Broadcom 5751 Ethernet.
>
> My provider just upgraded my speeds, so I was using
> http://speed.rutgers.edu to test it.  When connected via Ethernet
> (100), I'm getting ~10mb down, but over wireless I'm getting ~2mb with
> no other changes.  Is ~2mb expected speed over 802.11g?  I'm getting
> "Excellent" signal quality according to WinXP, and ifconfig -M shows:
> lladdr 00:15:00:32:8a:1c 64dB 54M privacy,short_slottime assoc
> for my node.  Just wondering if I've got a problem to diagnose, or if
> I'm already getting what I'm going to get out of it.
>
>
> dmesg for firewall/AP:
>
> OpenBSD 3.9 (GENERIC.MP) #598: Thu Mar  2 02:37:06 MST 2006
> [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC.MP
> cpu0: Intel Pentium III ("GenuineIntel" 686-class) 796 MHz
> cpu0:
> FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE
>
> real mem  = 2138611712 (2088488K)
> avail mem = 1945260032 (1899668K)
> using 4278 buffers containing 107032576 bytes (104524K) of memory
> mainbus0 (root)
> bios0 at mainbus0: AT/286+(82) BIOS, date 03/26/01, BIOS32 rev. 0 @
> 0xfd7e3
> pcibios0 at bios0: rev 2.1 @ 0xfd680/0x980
> pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdf00/224 (12 entries)
> pcibios0: PCI Interrupt Router at 000:18:0 ("Intel 82371FB ISA" rev 0x00)
> pcibios0: PCI bus #2 is the last bus
> bios0: ROM list: 0xc/0x8000 0xc8000/0x1800
> mainbus0: Intel MP Specification (Version 1.4) (INTELLancewood   )
> cpu0 at mainbus0: apid 1 (boot processor)
> cpu0: apic clock running at 99 MHz
> cpu1 at mainbus0: apid 0 (application processor)
> cpu1: Intel Pentium III ("GenuineIntel" 686-class) 796 MHz
> cpu1:
> FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE
>
> mainbus0: bus 0 is type PCI
> mainbus0: bus 1 is type PCI
> mainbus0: bus 2 is type PCI
> mainbus0: bus 3 is type ISA
> ioapic0 at mainbus0: apid 2 pa 0xfec0, version 11, 24 pins
> pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
> pchb0 at pci0 dev 0 function 0 "Intel 82440BX AGP" rev 0x00
> ppb0 at pci0 dev 1 function 0 "Intel 82440BX AGP" rev 0x00
> pci1 at ppb0 bus 1
> ppb1 at pci1 dev 15 function 0 "DEC 21150-BC PCI-PCI" rev 0x06
> pci2 at ppb1 bus 2
> em0 at pci2 dev 4 function 0 "Intel PRO/1000 (82542)" rev 0x03: apic 2
> int 20 (irq 11), address 00:08:c7:86:39:f5
> ral0 at pci0 dev 9 function 0 "Ralink RT2560" rev 0x01: apic 2 int 19
> (irq 11), address 00:09:f3:70:13:52
> ral0: MAC/BBP RT2560 (rev 0x04), RF RT2525
> wi0 at pci0 dev 11 function 0 "Intersil PRISM2.5" rev 0x01: apic 2 int
> 18 (irq 11)
> wi0: PRISM2.5 ISL3874A(Mini-PCI) (0x8013), Firmware 1.1.1 (primary),
> 1.8.0 (station), address 00:09:5b:11:cf:b6
> ahc0 at pci0 dev 12 function 0 "Adaptec AIC-7896/7 U2" rev 0x00: apic
> 2 int 19 (irq 11)
> scsibus0 at ahc0: 16 targets
> ahc1 at pci0 dev 12 function 1 "Adaptec AIC-7896/7 U2" rev 0x00: apic
> 2 int 19 (irq 11)
> scsibus1 at ahc1: 16 targets
> fxp0 at pci0 dev 13 function 0 "Intel 8255x" rev 0x0d, i82550: apic 2
> int 17 (irq 5), address 00:02:b3:8f:1a:3f
> inphy0 at fxp0 phy 1: i82555 10/100 PHY, rev. 4
> fxp1 at pci0 dev 14 function 0 "Intel 8255x" rev 0x08, i82559: apic 2
> int 21 (irq 10), address 00:d0:b7:89:03:69
> inphy1 at fxp1 phy 1: i82555 10/100 PHY, rev. 4
> fxp2 at pci0 dev 16 function 0 "Intel 8255x" rev 0x05, i82558: apic 2
> int 16 (irq 11), address 00:90:27:34:c7:da
> inphy2 at fxp2 phy 1: i82555 10/100 PHY, rev. 0
> pcib0 at pci0 dev 18 function 0 "Intel 82371AB PIIX4 ISA" rev 0x02
> pciide0 at pci0 dev 18 function 1 "Intel 82371AB IDE" rev 0x01: DMA,
> channel 0 wired to compatibility, channel 1 wired to compatibility
> wd0 at pciide0 channel 0 drive 0: 
> wd0: 16-sector PIO, LBA, 78167MB, 160086528 sectors
> atapiscsi0 at pciide0 channel 0 drive 1
> scsibus2 at atapiscsi0: 2 targets
> cd0 at scsibus2 targ 0 lun 0: <, ATAPI CDROM., 10AH> SCSI0 5/cdrom
> removable
> wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
> cd0(pciide0:0:1): using PIO mode 4, Ultra-DMA mode 2
> pciide0: channel 1 disabled (no drives)
> uhci0 at pci0 dev 18 function 2 "Intel 82371AB USB" rev 0x01: apic 2
> int 21 (irq 10)
> usb0 at uhci0: USB revision 1.0
> uhub0 at usb0
> uhub0: Intel UHCI root hub, rev 1.00/1.00, addr 1
> uhub0: 2 ports with 2 removable, self powered
> piixpm0 at pci0 dev 18 function 3 "Intel 82371AB Power" rev 0x02: SMI
> iic0 at piixpm0
> "unknown" at iic0 addr 0x18 not configured
> "unknown" at iic0 addr 0x4e not configured
> vga1 at pci0 dev 20 function 0 "Cirrus Logic CL-GD5480" rev 0x23
> wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
> wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
> isa0 at pcib0
> isadma0 at isa0
> pckbc0 at isa0 port 0x60/5
> pckbd0 at pckbc0 (kbd slot)
> pckbc0: using irq 1 for kbd slot
> wskb

Re: Option 3G+ UMTS HSDPA on Soekris 4521 not attaching

2006-11-06 Thread Alexander Lind
wild guess; maybe the drivers for it are not included in the default
kernel, so you may have to roll your own kernel with the necessary
drivers enabled?

alec

Matt Hamilton wrote:
> Hi All,
>   I've just installed a -current snapshot (the day before 4.0 release,
> sod's law) onto a Soekris 4521 board.  It is booting and running off a
> 512MB flash card.  I just signed up for T-Mobile's (UK) flat rate 3G
> data service, which came with an Option Globetrotter card.  The card
> is detected as shown below.  It is a T-mobile branded card, but on the
> back the model is a Option GT Fusion+.
>
> From what I can read there seem to be quite a variety of 'Option
> Globetrotter' cards out there, so not sure if mine is really
> supported, but the fact it is detected makes me think it must be.  I'm
> aware the WLAN driver (Marvell) might not work, but I just want to get
> the 3G bit going.  As you can see from the dmesg below, whilst it
> seems to be detected it is not attached to usbcom.
>
> Any Ideas?  Let me know if you need any more info.
>
> -Matt
>
> OpenBSD 4.0-current (GENERIC) #1187: Mon Oct 30 16:48:50 MST 2006
> [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
> cpu0: AMD Am486DX4 W/B or Am5x86 W/B 150 ("AuthenticAMD" 486-class)
> cpu0: FPU
> real mem  = 66678784 (65116K)
> avail mem = 52580352 (51348K)
> using 844 buffers containing 3457024 bytes (3376K) of memory
> mainbus0 (root)
> bios0 at mainbus0: AT/286+(00) BIOS, date 20/50/27, BIOS32 rev. 0 @
> 0xf7840
> pcibios0 at bios0: rev 2.0 @ 0xf/0x1
> pcibios0: pcibios_get_intr_routing - function not supported
> pcibios0: PCI IRQ Routing information unavailable.
> pcibios0: PCI bus #2 is the last bus
> bios0: ROM list: 0xc8000/0x9000
> cpu0 at mainbus0
> pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
> elansc0 at pci0 dev 0 function 0 "AMD ElanSC520 PCI" rev 0x00: product
> 0 stepping 1.1, CPU clock 133MHz, reset 0
> gpio0 at elansc0: 32 pins
> cbb0 at pci0 dev 17 function 0 "TI PCI1420 CardBus" rev 0x00: irq 10
> cbb1 at pci0 dev 17 function 1 "TI PCI1420 CardBus" rev 0x00: irq 10
> sis0 at pci0 dev 18 function 0 "NS DP83815 10/100" rev 0x00, DP83816A:
> irq 11, address 00:00:24:c7:2b:24
> nsphyter0 at sis0 phy 0: DP83815 10/100 PHY, rev. 1
> sis1 at pci0 dev 19 function 0 "NS DP83815 10/100" rev 0x00, DP83816A:
> irq 5, address 00:00:24:c7:2b:25
> nsphyter1 at sis1 phy 0: DP83815 10/100 PHY, rev. 1
> cardslot0 at cbb0 slot 0 flags 0
> cardbus0 at cardslot0: bus 1 device 0 cacheline 0x10, lattimer 0x3f
> pcmcia0 at cardslot0
> cardslot1 at cbb1 slot 1 flags 0
> cardbus1 at cardslot1: bus 2 device 0 cacheline 0x10, lattimer 0x3f
> pcmcia1 at cardslot1
> isa0 at mainbus0
> isadma0 at isa0
> pckbc0 at isa0 port 0x60/5
> pckbd0 at pckbc0 (kbd slot)
> pckbc0: using irq 1 for kbd slot
> wskbd0 at pckbd0: console keyboard
> wdc0 at isa0 port 0x1f0/8 irq 14
> wd0 at wdc0 channel 0 drive 0: 
> wd0: 1-sector PIO, LBA, 488MB, 1000944 sectors
> wd0(wdc0:0:0): using BIOS timings
> pcppi0 at isa0 port 0x61
> midi0 at pcppi0: 
> spkr0 at pcppi0
> npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
> pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
> pccom0: console
> pccom1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
> biomask f7c5 netmask ffe5 ttymask ffe7
> pctr: no performance counters in CPU
> "Marvell Libertas 88W8335" rev 0x43 at cardbus1 dev 0 function 0 not
> configured
> vendor "Marvell", unknown product 0x1fb7 (class network subclass
> ethernet, rev 0x43) at cardbus1 dev 0 function 1 not configured
> "Option 3G+ UMTS HSDPA (F32)" rev 0x00 at cardbus1 dev 0 function 2
> not configured
> unknown vendor 0x product 0x (class prehistoric subclass
> miscellaneous, rev 0x00) at cardbus1 dev 0 function 3 not configured
> unknown vendor 0x product 0x (class prehistoric subclass
> miscellaneous, rev 0x00) at cardbus1 dev 0 function 6 not configured
> unknown vendor 0x product 0x (class prehistoric subclass
> miscellaneous, rev 0x00) at cardbus1 dev 0 function 7 not configured
> dkcsum: wd0 matches BIOS drive 0x80
> root on wd0a
> rootdev=0x0 rrootdev=0x300 rawdev=0x302



Re: How much traffic can it route?

2006-11-03 Thread Alexander Lind
Absolutely.

Alec

Der Engel wrote:
> Hi,
>
> I have a doubt about whether OpenBSD/PF can NAT 40Mbits with a simple rule
> set and like 60 redirects.
> The box has a xeon proc and two integrated NICs, one fxp and a bge,
> can it handle it?
>
> Thanks



Re: CPU selection

2006-11-03 Thread Alexander Lind
Thanks, I do stand corrected.

Next time I spec out firewalls, I will keep your arguments in mind for
sure, they do make a lot of sense.

Alec

J.C. Roberts wrote:
> On Thu, 02 Nov 2006 22:03:05 -0800, Alexander Lind <[EMAIL PROTECTED]>
> wrote:
>
>   
>>> RAID, kiddo.
>>> It's more complex.  It is something else that can go wrong.
>>> And...it DOES go wrong.  Either believe me now, or wish you believed me
>>> later.  Your call.  I spent a lot of time profiting from people who
>>> ignored my advice. :)
>>>   
>>>   
>> Of course raid are more complex on a hardware level, but that doesn't
>> exactly make it more complex for _me_, the user, does it?
>>
>> 
>
> Alexander,
>
> Yes, it does. Not realizing the increased complexity and risks for the
> user just means you drank the koolaid and actually believe the marketing
> and advertising nonsense for hardware RAID products. If with *your*
> experience you really believe that hardware and firmware never have
> serious bugs or catastrophic failures, then you are statistically
> overdue for a number of unpleasant surprises.
>
> Here is an interesting question for you which may help you grasp the
> concept Nick is preaching; in the event of a nasty failure on a RAID
> where you absolutely *must* be able to recover the valuable data, do you
> stand a better chance of recovering the data from a hardware RAID
> configuration or a software RAID configuration?
>
> Though contrary to the marketing koolaid, the answer is software RAID.
> In a hardware RAID you are blindly trusting incompletely documented
> hardware and undisclosed firmware. You will *NEVER* have access to the
> firmware source code or the chip logic, so you never really know how it
> works exactly. In a software RAID configuration (ccd/raidframe/etc), you
> have the source code, know exactly how it works and the hardware is far
> less complex as well as reasonably well documented in most cases. With
> software RAID, at least you have a chance of mounting the raw disks and
> piecing thing back together manually. The odds of recovery are always
> better when things are simple and you actually know how they work.
>
> Mindlessly slapping a new disk into a hardware RAID after a disk failure
> only works *some* of the time and only for *some* types of failures. If
> you're not lucky enough to be in the *some* category, then you'll be
> dusting off those outdated backup tapes and updating your resume.
> Imagine telling your boss that there is no way to recover the data from
> the trashed RAID disks because the vendor refuses to release required
> hardware/firmware information.
>
> If you had kept things known and simple by using a software RAID, you
> may have had a chance of recovering the company's financial records. 
>
> Hardware RAID is fun, fast and useful for some applications but you
> should at least understand the additional complexity you're deploying,
> the additional risks caused by the complexity and the additional costs
> you will bear. When your only concern is reliability then your goal
> should be to keep it as simple as feasible. Less complexity and fewer
> unknowns not only means fewer things can go wrong but it also means a
> greater chance of recovery.
>
> Still not convinced? Let's say a bug is committed to the -CURRENT source
> tree in the driver for your hardware RAID card. Since reliability is so
> critical to you, you must have a completely identical hardware setup for
> constantly testing your hardware RAID controller with -CURRENT to
> prevent that bug from getting into a -RELEASE? Or maybe you went out and
> spent the few hundred bucks for an additional RAID controller like the
> one you use so you could donate it to one of the developers in the
> project who actually work on the driver?
>
> Nope, statistically you're probably a typical user who waits until
> release to see if your RAID volumes are hosed by an undiscovered bug.
> Luckily, with OpenBSD you have extremely dedicated expert developers
> covering up for your short-sightedness.
>
> The path of "Simple, Known and Tested" should be looking really good to
> you about now for reliability but if not, then there is really no point
> in arguing it any further. Not everyone can provoke Nick into yet
> another world class RAID RANT, but those who do darn well ought to learn
> something before he pulls out the nail gun again to show you what a
> worst case disk failure is really like. (no joke, search the archives).
>
> /JCR
>
>
> --
> Free, Open Source CAD, CAM and EDA Tools
> http://www.DesignTools.org



Re: CPU selection

2006-11-02 Thread Alexander Lind
>> what complexity?
>> 
>
> RAID, kiddo.
> It's more complex.  It is something else that can go wrong.
> And...it DOES go wrong.  Either believe me now, or wish you believed me
> later.  Your call.  I spent a lot of time profiting from people who
> ignored my advice. :)
>   
Of course RAID is more complex on a hardware level, but that doesn't
exactly make it more complex for _me_, the user, does it?
I have deployed lots and lots of servers, both with and without RAID and
using various different OSes, and I give you that it used to be a
little tricky to get for example Slackware to boot off some
semi-supported RAID devices back in the day, but nowadays it's all pretty
simple imho.
And the times when disks have failed, we have plopped in new disks and
they got rebuilt and I lived happily afterwards.
So really, where is your profit margin on someone like me? ;)
>   
>>>  added boot time, and
>>> disks that can't be used without the RAID controller,
>>>   
>> why would you want to use your disk WITHOUT the raid controller?
>> 
>
> Oh, say, maybe your RAID controller failed?
> Or the spare machine you had didn't happen to have the same brand and
> model RAID card?
> Or the replacement RAID card happened to have a different firmware on
> it, and the newer firmware wouldn't read your old disk pack?  (yes,
> that's a real issue).
>   
If indeed the raid card failed, unlikely as it would be, then that could
be a little messy. Not that I ever had this problem, but you ought to be
able to downgrade raid cards if you run into the firmware problem?
>   
>>>  it is a major
>>> loser when it comes to total up-time if you do things right.  Put a
>>> second disk in the machine, and regularly dump the primary to the
>>> secondary.  Blow the primary drive, you simply remove it, and boot off
>>> the secondary (and yes, you test test test this to make sure you did it
>>> right!). 
>>>   
>> Now you're talking crazy. Let's consider the two setups:
>> No-raid setup:
>>   - two separately controlled disks, you are in charge of syncing
>> between them
>> 
>
> yep.  you better test your work from time to time.
> (wow...come to think of it, you better test your RAID assumptions, too.
>  Few people do that, they just assume "it works".  This leads to people
> proving me right about simplicity vs. complexity)
>   
If you configure it right it tends to work right. At least it does for me.
>   
>>   - if one dies, the machine goes down, and you go to the machine, and
>> manually boot from the backup disk
>> 
>
> yep.  Meanwhile, the system has been running just fine on the SECONDARY
> SYSTEM.
>   
>   
>>   - IF you had important data on the dead disk not yet backed up, you
>> are screwed.
>> 
>
> Ah, so you are in the habit of keeping important, non-backed up data on
> your firewall?  wow.
>   
Of course, that's where I store my porn.
>   
>> you could almost look at this as poor mans manual pretend raid.
>> 
>
> Or as part of RAIC: Redundant Array of Inexpensive Computers.
>   
which may not always be feasible in an already densely packed rack where
every U is expensive.
>   
>> Raid setup:
>>   - two disks, constantly synced, if one dies, the machine does NOT go down
>> 
>
> you are funny.  Or inexperienced.
>   
Master, you flatter me!
Maybe I'm a lucky bastard, but every single disk failure I have seen in
a RAIDed machine has been solved by pulling the disk out, and putting a
new one back in.
Rebuild for some time, and then the machine is happy again.
I think this has happened to servers I maintain or help maintain 5 or so
times now.
>   
>>   - if a disk fails, just go and plug a new one in _at your
>> convenience*_ and it will automatically rebuild, a task any person could
>> perform with proper direction. Not a second's downtime.
>> 
>
> That's the way it is SUPPOSED to work.
> Reality is very, very different some times.
>   
my servers must be living in fantasyland or something.
> Simple systems have simple problems.
> Complex systems have complex problems.
>
> Worst down-time events I've ever seen always seem to involve a RAID
> system, usually managed by someone who said, "does NOT go down!", who
> believed that complexity was the solution to a problem
>   
how exactly did the machine go down then, i wonder?
> A RAID controller never causes downtime in a system its not installed
> in.  Power distribution boards don't fail on machines that don't have
> them.  Hotplug backplanes don't fail on machines that don't have them.
> (seen 'em all happen).
>   
Flawless logic sir, I wish courts would apply it in the same way
concerning rapists' genitals, and lying politicians' left brain halves (a
study I read suggested the left side is most active when you lie).
>   
>> * this is _very_ important if your machine is hosted where you don't
>> have easy physical access to it. Machines at a colo center would be a
>> very common scenario.
>> 
>
> That is correct... IF that was what we were talking about. 

Re: CPU selection

2006-11-02 Thread Alexander Lind
Ingo Schwarze wrote:
> Perhaps you missed that Nick was talking about a pair of carp'ed
> firewalls.  Failure of one machine means *no* downtime.  Besides,
> firewalls rarely need to store any valuable data, almost by definition.
>   
I'm not saying that digging up parts and building a couple of machines
out of old scrap that you could find in my attic (and you could find
enough to build a server farm, I assure you) and making a whole farm of
carp:ed firewalls will not do the trick.
But from an enterprise point of view, spending a few hundred dollars
extra to build machines that are very unlikely to go down in the first
place - but if they do go down can be rebuilt with minimum effort - is
usually going to be worthwhile. Carped or not.

Different story for home users, or someone who is hard up for cash of
course.


>> Now you're talking crazy.
>> 
>
> That happens rarely to Nick.  ;-)
>
> I remember about one or two instances where he was actually proven
> wrong, in a long time.
>   
Perhaps your memory just isn't that great?
j/k ;)

Alec



Re: CPU selection

2006-11-02 Thread Alexander Lind
> As for RAID on a firewall, uh...no, all things considered, I'd rather
> AVOID that, actually.  Between added complexity,
what complexity?
>  added boot time, and
> disks that can't be used without the RAID controller,
why would you want to use your disk WITHOUT the raid controller?
>  it is a major
> loser when it comes to total up-time if you do things right.  Put a
> second disk in the machine, and regularly dump the primary to the
> secondary.  Blow the primary drive, you simply remove it, and boot off
> the secondary (and yes, you test test test this to make sure you did it
> right!). 
Now you're talking crazy. Let's consider the two setups:
No-raid setup:
  - two separately controlled disks, you are in charge of syncing
between them
  - if one dies, the machine goes down, and you go to the machine, and
manually boot from the backup disk
  - IF you had important data on the dead disk not yet backed up, you
are screwed.
you could almost look at this as poor mans manual pretend raid.

Raid setup:
  - two disks, constantly synced, if one dies, the machine does NOT go down
  - if a disk fails, just go and plug a new one in _at your
convenience*_ and it will automatically rebuild, a task any person could
perform with proper direction. Not a second's downtime.

* this is _very_ important if your machine is hosted where you don't
have easy physical access to it. Machines at a colo center would be a
very common scenario.
>  RAID is great when you have constantly changing data and you
> don't want to lose ANYTHING EVER (i.e., mail server).  When you have a
> mostly-static system like a firewall, there are simpler and better ways.
>   
RAID is great for any server. So are scsi drives. If you are a company
that loses more money on a few hours (or even minutes) downtime than it
costs to invest in proper servers with proper hw raid + scsi disks, then
you are ill-advised _not_ to raid all your missioncritical servers. And
have backup machines, too!  Preferably loadbalanced.
> A couple months ago, our Celeron 600 firewall seemed to be having
> "problems", which we thought may have been due to processor load.  We
> were able to pull the disk out of it, put it in a much faster machine,
> adjust a few files, and we were back up and running quickly...and found
> that the problem was actually due to a router misconfig and a run-away
> nmap session.  Would not have been able to do that with a RAID card.
>   
Next time, you may want to check what the machine is actually doing
before you start blaming your hardware.
I personally would not trust the OS setup on one machine to run smoothly
in any machine not more or less identical to itself as far as the hw
goes. Especially not for a production unit.
But if you really wanted to, you could move the entire RAID array over
to a different machine, if that makes you happy.

Alec
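
The no-RAID arrangement Nick describes (a second disk that the primary is regularly dumped to, and that you boot from when the primary dies), as an added example that is not the posters' own script. The device names (root on wd0a, spare at wd1a), the mount point and the file list in the check are assumptions. Writing boot blocks onto the spare with installboot(8), whose invocation differs between releases, and actually booting from it, the "test test test" part, are deliberately left to the operator.

```shell
#!/bin/sh
# mirror-root.sh (hypothetical name): keep a copy of the root filesystem on a
# second disk with dump(8)/restore(8), and check that the copy looks usable.
# Added example, not from the thread; devices and mount point are assumptions.
set -eu

SRC=${SRC:-/dev/rwd0a}       # assumption: root filesystem on wd0a (raw device)
DST=${DST:-/dev/wd1a}        # assumption: spare's root partition, same size or larger
MNT=${MNT:-/mnt}
DUMP=${DUMP:-dump}
RESTORE=${RESTORE:-restore}
MOUNT=${MOUNT:-mount}
UMOUNT=${UMOUNT:-umount}

# Level-0 dump of the live root, piped straight into restore on the spare.
# dump(8) takes no snapshot, so run this when the box is quiet (a firewall's
# root seldom changes) rather than while editing files you care about.
mirror_root() {
    "$MOUNT" "$DST" "$MNT" || return 1
    if "$DUMP" -0a -f - "$SRC" | ( cd "$MNT" && "$RESTORE" -rf - ); then
        rm -f "$MNT/restoresymtable"      # bookkeeping file left by restore -r
        "$UMOUNT" "$MNT"
    else
        "$UMOUNT" "$MNT"
        return 1
    fi
}

# Sanity check before trusting the spare: a kernel, an fstab and the pf
# ruleset must all have come across.  Booting from it is the real test.
verify_spare() {
    "$MOUNT" "$DST" "$MNT" || return 1
    ok=0
    for f in bsd etc/fstab etc/pf.conf; do
        [ -f "$MNT/$f" ] || { echo "missing $f on spare" >&2; ok=1; }
    done
    "$UMOUNT" "$MNT"
    return $ok
}

case ${1:-} in
    mirror) mirror_root ;;
    verify) verify_spare ;;
esac
```

Run `mirror` from cron on a quiet box and `verify` afterwards. If the spare will be booted in a different slot than the primary (as wd1 rather than wd0), its /etc/fstab must name that device, which is the kind of small adjustment Nick mentions; if you physically swap it into the primary's slot it comes up as wd0 and needs nothing.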



Re: CPU selection

2006-11-02 Thread Alexander Lind
Hello Paolo

Then at least make sure you get a machine with a backup psu and raid. If
downtime is expensive (and it tends to be for most companies) you want
to make sure that your assets are covered when the hw fails :)

Alec

Paolo Supino wrote:
> Hi Alexander
>
>   I completely agree with you and in the long run it will happen, but
> getting a second machine is beyond my budget for the next couple of
> months.
>
>
>
>
> TIA
> Paolo
>
>
>
>
>
> Alexander Lind wrote:
>
>> I don't think the celeron CPU will have any problems coping with that.
>>
>> Consider getting two of the machines and CARPing them, for redundancy
>> and load balancing (not that you will likely really need that).
>> Also consider putting some extra cash down on a hw raid controller, and
>> 2 scsi disks for each machine, and run raid 1 on them, for even more
>> failover safety.
>>
>> Alec
>>
>> Paolo Supino wrote:
>>  
>>
>>> Hi
>>>
>>> I'm in the process of configuring a Dell PowerEdge 860 as firewall
>>> and I debating what kind of CPU to get for the firewall for an office
>>> of about 50 people, 20MB metro ethernet, and 15 lightly used Internet
>>> servers: FTP, web, DNS, email, NTP, etc ... In addition for the
>>> computer being a firewall it will also act as a NIDS and IPSEC peer
>>> (something like 10 concurrent tunnels). The options I have for the CPU
>>> are:
>>> 1. Intel Celeron 336 at 2.8Ghz/256K cache, 533Mhz FSB.
>>> 2. Dual Core Intel Pentium D 915 at 2.8Ghz/2x2MB cache, 800Mhz FSB.
>>> 3. Dual Core Xeon 3050, 2.13Ghz, 2MB cache, 1066Mhz FSB.
>>> 4. Dual Core Xeon 3060, 2.40Ghz, 4MB cache, 1066Mhz FSB.
>>> 5. Dual Core Xeon 3070, 2.66Ghz, 4MB cache, 1066Mhz FSB.
>>>
>>> I have to be very price conscious so will the celeron CPU hold the
>>> load or should I take one of the Xeon CPU's for the load?
>>>
>>> TIA
>>> Paolo



Re: CPU selection

2006-11-02 Thread Alexander Lind
>> Also consider putting some extra cash down on a hw raid controller, and
>> 2 scsi disks for each machine, and run raid 1 on them, for even more
>> failover safety.
>> 
>
> but that doubles the cost of the machine and makes for a more complex
> system - if that type of money is available, the extra box is probably
> more useful
>
>   
i don't agree, the cost of a hw raid card and a second scsi disk is more
money than one sata disk, but it does not exactly double the price.
setting up openbsd on a raided machine is also extremely simple
(provided you use a supported raid card of course).

the hard drives, next after the PSUs, are in my experience the most
common points of failure, so whenever i set up a server to be used in
production (even if it has a carp buddy) i try to make sure they are
raided also.

alec



Re: CPU selection

2006-11-02 Thread Alexander Lind
I don't think the celeron CPU will have any problems coping with that.

Consider getting two of the machines and CARPing them, for redundancy
and load balancing (not that you will likely really need that).
Also consider putting some extra cash down on a hw raid controller, and
2 scsi disks for each machine, and run raid 1 on them, for even more
failover safety.

Alec

Paolo Supino wrote:
> Hi
>
>  I'm in the process of configuring a Dell PowerEdge 860 as firewall
> and I am debating what kind of CPU to get for the firewall for an office
> of about 50 people, 20MB metro ethernet, and 15 lightly used Internet
> servers: FTP, web, DNS, email, NTP, etc ... In addition for the
> computer being a firewall it will also act as a NIDS and IPSEC peer
> (something like 10 concurrent tunnels). The options I have for the CPU
> are:
> 1. Intel Celeron 336 at 2.8Ghz/256K cache, 533Mhz FSB.
> 2. Dual Core Intel Pentium D 915 at 2.8Ghz/2x2MB cache, 800Mhz FSB.
> 3. Dual Core Xeon 3050, 2.13Ghz, 2MB cache, 1066Mhz FSB.
> 4. Dual Core Xeon 3060, 2.40Ghz, 4MB cache, 1066Mhz FSB.
> 5. Dual Core Xeon 3070, 2.66Ghz, 4MB cache, 1066Mhz FSB.
>
>  I have to be very price conscious so will the celeron CPU hold the
> load or should I take one of the Xeon CPUs for the load?
>
> TIA
> Paolo



pf load balancing and failover

2006-10-20 Thread Alexander Lind
OpenBSD's PF load balancing functionality does not support any sort of
failover rule rewriting, or conditional rulesets, does it?


For example, if I have PF round-robin to 4 webservers, and one goes
down, is there any way to make PF notice this and remove the downed host
from the pool, based on something as simple as missing ping replies?


Even cooler if it could interface with some SNMP service, like nagios.

If not supported natively, does anyone know of any other software I
could use to achieve something like this?


Alec
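One way to get the behaviour the question asks for, as an added example that is not from the thread or from the pf project: a small health-checker that probes each backend and keeps a pf table of live hosts in sync with the results, so a round-robin pool that targets the table stops handing out a dead host. It assumes the ruleset already uses a table as the redirection target (the pf.conf lines in the comment are an assumption about the reader's ruleset, written in 2006-era syntax); the table name, addresses and the ping flags are constructed sample values, and `pfctl -t <table> -T show/add/delete` are the standard table commands.

```python
# Added example: keep a pf table of live backends in sync with health checks.
# Assumed ruleset (not from the thread), with the pool expressed as a table:
#   table <webservers> persist { 10.0.0.1, 10.0.0.2, 10.0.0.3, 10.0.0.4 }
#   rdr on $ext_if proto tcp to $vip port 80 -> <webservers> round-robin
# Table name and backend addresses below are constructed sample values.
import subprocess
from typing import Callable, Iterable, List, Tuple

TABLE = "webservers"                                        # constructed
BACKENDS = ["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"]  # constructed


def ping_probe(host: str, timeout_s: int = 2) -> bool:
    """True when one ICMP echo reply arrives within timeout_s seconds.
    ping(8) -c 1 -w <seconds> is accepted by both OpenBSD and Linux ping."""
    cmd = ["ping", "-c", "1", "-w", str(timeout_s), host]
    return subprocess.run(cmd, stdout=subprocess.DEVNULL,
                          stderr=subprocess.DEVNULL).returncode == 0


def parse_table_show(text: str) -> List[str]:
    """Parse `pfctl -t <table> -T show` output: one indented address per line."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def plan_table_changes(current: Iterable[str],
                       healthy: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Diff the table against the probe results: (to_add, to_delete)."""
    cur, ok = set(current), set(healthy)
    return sorted(ok - cur), sorted(cur - ok)


def pfctl_commands(table: str, to_add: List[str],
                   to_delete: List[str]) -> List[List[str]]:
    """Build the pfctl argument lists; nothing is issued for an empty diff."""
    cmds: List[List[str]] = []
    if to_add:
        cmds.append(["pfctl", "-t", table, "-T", "add", *to_add])
    if to_delete:
        cmds.append(["pfctl", "-t", table, "-T", "delete", *to_delete])
    return cmds


def reconcile(table: str, backends: List[str], current: List[str],
              probe: Callable[[str], bool],
              run=subprocess.run) -> List[List[str]]:
    """One health-check pass; returns the pfctl commands it issued.
    Design choice: if every backend fails the probe, the table is left as it
    was. An empty pool gives pf nothing to redirect to, so a broken probe
    path would otherwise take the whole service down instead of one host."""
    healthy = [b for b in backends if probe(b)]
    if not healthy:
        return []
    to_add, to_delete = plan_table_changes(current, healthy)
    cmds = pfctl_commands(table, to_add, to_delete)
    for cmd in cmds:
        run(cmd, check=True)
    return cmds


if __name__ == "__main__":
    # Run from cron or a loop on the firewall; requires root for pfctl.
    shown = subprocess.run(["pfctl", "-t", TABLE, "-T", "show"],
                           capture_output=True, text=True, check=True).stdout
    for cmd in reconcile(TABLE, BACKENDS, parse_table_show(shown), ping_probe):
        print(" ".join(cmd))
```

The probe is deliberately pluggable: an ICMP reply only proves the host is up, not that the web server answers, so a TCP connect to port 80 (or a fetch of a status URL) can be swapped in for `ping_probe` without touching the table logic. Existing states to a removed host are not killed by a table change; `pfctl -k <host>` handles that if you want active connections cut over immediately.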



Re: Oldest Server you run

2006-10-12 Thread Alexander Lind
$ sysctl hw
hw.machine = intellivision
hw.model = General Instrument CP1610 16-bit @ 895 kHz, absolutely no FPU
hw.ncpu = 1
hw.byteorder = 4321
hw.physmem = 1352 bytes
hw.usermem = 0
hw.pagesize = 0
hw.disknames = cartridge1
hw.diskcount = 0
$ uname -a
OpenBSD cj.net 0.1 beta eLiTe#1

who's your daddy?

Robert Waldner wrote:
> On Thu, 12 Oct 2006 14:12:19 CDT, [EMAIL PROTECTED] writes:
>   
>> I think I am winning at this point:
>> $ sysctl hw
>> hw.machine = i386
>> 
>
> $ sysctl hw
> hw.machine = sparc
> hw.model = Sun 4/65, MB86900/1A or L64801 @ 25 MHz, WTL3170/2 FPU
> hw.ncpu = 1
> hw.byteorder = 4321
> hw.physmem = 54476800
> hw.usermem = 53579776
> hw.pagesize = 4096
> hw.disknames = fd0,sd0
> hw.diskcount = 2
> $ uname -a
> OpenBSD taz.woas.net 3.2 GENERIC#36 sparc
>
> cheers,
> &rw



Re: layer-7 pf loadbalancing

2006-10-12 Thread Alexander Lind
bummer.
anyone know of any alternatives that can run on openbsd?

Raymond Pasco wrote:
> On Thu, Oct 12, 2006 at 01:26:01PM -0700, Alexander Lind wrote:
>   
>> does anyone know if there are any plans for adding layer-7 support to
>> openbsds pf?
>> 
> As far as I know, the pf developers consider anything in layer 7 outside
> the scope of pf, so no.



layer-7 pf loadbalancing

2006-10-12 Thread Alexander Lind
hi all

i tried googling for references to layer-7 load balancing support in
openbsd's pf, but came up with nothing.

does anyone know if there are any plans for adding layer-7 support to
openbsd's pf?

thanks
alec