Re: Carp & scp losing connection

On Mon, Oct 24, 2005 at 10:48:03AM -0400, Monah Baki wrote:
> Solved it,
>
> had to switch
>
> pass in quick on $int_if all
> pass out quick on $int_if all
>
> to
>
> pass in quick on $int_if all keep state
> pass out quick on $int_if all keep state

Is there any particular reason you are using 'quick' on most of your rules? There are certain situations where quick is needed or recommended, but I'm of the school that using quick on all of your rules just leads to unnecessary confusion.

Also, I'm not too sure what your intention was surrounding the ordering of your rules. The most common way is to put all your 'default block' rules at the top of your ruleset and all the specific allow rules following those. When you've got default block rules peppered throughout your ruleset, it'll quickly become fault prone and difficult to manage. IMO, of course.

There was a thread some time ago that (I believe) discussed using 'quick' in large/complicated rulesets to speed up processing. I'm not 100% sure what the consensus was, but I think what part of it boiled down to was that the benefits that you gain by using quick are far outweighed by those of having a tight and easy to manage ruleset.

http://marc.theaimsgroup.com/?l=openbsd-pf&m=111522051104764&w=2

-jon
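A small lint for the three points raised in this reply, written as an added example for this thread and not taken from the list or from pf itself: it parses the filter rules of the poster's pf.conf (macro names left unexpanded; on OpenBSD 3.7 a pass rule without "keep state" is stateless) and flags stateless pass rules, block rules placed below pass rules, and blanket use of quick.

```python
import re

# Filter rules from the thread's /etc/pf.conf (OpenBSD 3.7, where a pass rule
# without "keep state" is stateless); nat/rdr/set/macro lines are omitted.
RULESET = """\
block in on sis0 all
pass in quick on $int_if all
pass out quick on $int_if all
pass in quick on $ext_if inet proto tcp from any to any port $tcp_services flags S/SA keep state
pass out quick on $ext_if inet proto tcp from any to any port $tcp_services flags S/SA keep state
pass in quick on $carp5 inet proto tcp from any to any port $tcp_services keep state
pass out quick on $carp5 inet proto tcp from any to any port $tcp_services keep state
pass quick on lo0 all
pass quick on { sis2 } proto pfsync
pass in quick on { sis0 sis1 } proto carp keep state
block out on sis0 all
"""

STATE_RE = re.compile(r'\b(keep|modulate|synproxy) state\b')

def parse_rules(text):
    """Return the block/pass rules as dicts, numbered by line in the ruleset."""
    rules = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()       # drop comments and blanks
        words = line.split()
        if words and words[0] in ('block', 'pass'):
            rules.append({'line': n, 'action': words[0],
                          'quick': 'quick' in words,
                          'stateful': bool(STATE_RE.search(line))})
    return rules

def lint(text):
    """Return (line, message) findings; line 0 means the ruleset as a whole."""
    findings, seen_pass = [], False
    rules = parse_rules(text)
    for r in rules:
        if r['action'] == 'pass' and not r['stateful']:
            findings.append((r['line'], 'stateless pass rule (no "keep state")'))
        if r['action'] == 'block' and seen_pass:
            findings.append((r['line'], 'default block rule below pass rules'))
        seen_pass |= r['action'] == 'pass'
    passes = [r for r in rules if r['action'] == 'pass']
    if passes and all(r['quick'] for r in passes):
        findings.append((0, 'every pass rule is quick; last-match ordering is never used'))
    return findings
```

Running lint(RULESET) reports the two stateless $int_if rules the poster had to change, the stateless lo0 and pfsync rules, the trailing "block out on sis0 all", and the blanket quick.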
Re: Carp & scp losing connection

Solved it,

had to switch

pass in quick on $int_if all
pass out quick on $int_if all

to

pass in quick on $int_if all keep state
pass out quick on $int_if all keep state

On Fri, 21 Oct 2005 16:37:54 -0400, Monah Baki wrote
> Sorry all it's a Soekris net4801
>
> Thank you
>
> On Fri, 21 Oct 2005 13:47:05 -0400, Monah Baki wrote
> > Hi all,
> >
> > I have 2 Rasta 4801 (3.7 current) as a master and backup carp. One
> > solaris 10 server is behind them. When I try to scp a 600MB file
> > from 1 solaris server outside the network to the solaris server
> > behind the net4801, I get "network error: connection reset by peer" error.
> > If I halt the master carp and the backup becomes master, no problem,
> > all 600MB gets transferred. I then went ahead and deleted the file
> > and rebooted the master, the current Master switched to backup,
> > and I did the copy and "network error: connection reset by peer"
> > showed up.
> >
> > My pf.conf files on both machines are identical.
> >
> > Thank you.
> >
> > /etc/pf.conf
> > -
> > ext_if="sis0"
> > int_if="sis1"
> > ext_net="104.83.19.0/24"
> > int_net="172.16.0.0/24"
> >
> > carp5="carp5"
> >
> > ross="172.16.0.3"
> > ross_int_webzone="172.16.0.4"
> >
> > tcp_services="{22, 80}"
> > dns_services="{53}"
> >
> > set timeout interval 10
> > set timeout frag 30
> > set block-policy return
> > set loginterface sis0
> > set skip on lo0
> >
> > # scrub in all
> >
> > nat on $ext_if from $int_net to any -> $ext_if static-port
> >
> > rdr on $ext_if proto tcp from any to $carp5 port 22 -> $ross_int_webzone port 22
> >
> > # Deny all packets
> > block in on sis0 all
> >
> > pass in quick on $int_if all
> > pass out quick on $int_if all
> >
> > pass in quick on $ext_if inet proto tcp from any to any port $tcp_services flags S/SA keep state
> > pass out quick on $ext_if inet proto tcp from any to any port $tcp_services flags S/SA keep state
> >
> > pass in quick on $carp5 inet proto tcp from any to any port $tcp_services keep state
> > pass out quick on $carp5 inet proto tcp from any to any port $tcp_services keep state
> >
> > pass quick on lo0 all
> >
> > pass quick on { sis2 } proto pfsync
> > pass in quick on { sis0 sis1 } proto carp keep state
> >
> > # Filter rules for sis0 outbound
> > block out on sis0 all
> >
> > # pass in all
> > # pass out all
> >
> > My master carp has the following:
> > -
> > ifconfig carp5 create
> > ifconfig carp5 vhid 5 carpdev sis0 pass netpasswd advskew 0 104.83.19.244 netmask 255.255.255.0
> >
> > My backup carp has the following:
> > -
> > ifconfig carp5 create
> > ifconfig carp5 vhid 5 carpdev sis0 pass netpasswd advskew 128 104.83.19.244 netmask 255.255.255.0
Fw: Carp & scp losing connection

Sorry all, a Soekris 4801, not Rasta, my mistake.

Hi all,

I have 2 Rasta 4801 (3.7 current) as a master and backup carp. One solaris 10 server is behind them. When I try to scp a 600MB file from 1 solaris server outside the network to the solaris server behind the net4801, I get "network error: connection reset by peer" error. If I halt the master carp and the backup becomes master, no problem, all 600MB gets transferred. If I also halt the backup and the master is running by itself, no problem either. I then went ahead and deleted the file and rebooted the master, the current Master switched to backup, and I did the copy and "network error: connection reset by peer" showed up. So far it's either this or that running, but not both; I'm completely lost here.

My pf.conf files on both machines are identical.

Thank you.

/etc/pf.conf
-
ext_if="sis0"
int_if="sis1"
ext_net="104.83.19.0/24"
int_net="172.16.0.0/24"

carp5="carp5"

ross="172.16.0.3"
ross_int_webzone="172.16.0.4"

tcp_services="{22, 80}"
dns_services="{53}"

set timeout interval 10
set timeout frag 30
set block-policy return
set loginterface sis0
set skip on lo0

# scrub in all

nat on $ext_if from $int_net to any -> $ext_if static-port

rdr on $ext_if proto tcp from any to $carp5 port 22 -> $ross_int_webzone port 22

# Deny all packets
block in on sis0 all

pass in quick on $int_if all
pass out quick on $int_if all

pass in quick on $ext_if inet proto tcp from any to any port $tcp_services flags S/SA keep state
pass out quick on $ext_if inet proto tcp from any to any port $tcp_services flags S/SA keep state

pass in quick on $carp5 inet proto tcp from any to any port $tcp_services keep state
pass out quick on $carp5 inet proto tcp from any to any port $tcp_services keep state

pass quick on lo0 all

pass quick on { sis2 } proto pfsync
pass in quick on { sis0 sis1 } proto carp keep state

# Filter rules for sis0 outbound
block out on sis0 all

# pass in all
# pass out all

My master carp has the following:
-
ifconfig carp5 create
ifconfig carp5 vhid 5 carpdev sis0 pass netpasswd advskew 0 104.83.19.244 netmask 255.255.255.0

My backup carp has the following:
-
ifconfig carp5 create
ifconfig carp5 vhid 5 carpdev sis0 pass netpasswd advskew 128 104.83.19.244 netmask 255.255.255.0

--- End of Forwarded Message ---
Carp & scp losing connection

Hi all,

I have 2 Rasta 4801 (3.7 current) as a master and backup carp. One solaris 10 server is behind them. When I try to scp a 600MB file from 1 solaris server outside the network to the solaris server behind the net4801, I get "network error: connection reset by peer" error. If I halt the master carp and the backup becomes master, no problem, all 600MB gets transferred. If I also halt the backup and the master is running by itself, no problem either. I then went ahead and deleted the file and rebooted the master, the current Master switched to backup, and I did the copy and "network error: connection reset by peer" showed up. So far it's either this or that running, but not both; I'm completely lost here.

My pf.conf files on both machines are identical.

Thank you.

/etc/pf.conf
-
ext_if="sis0"
int_if="sis1"
ext_net="104.83.19.0/24"
int_net="172.16.0.0/24"

carp5="carp5"

ross="172.16.0.3"
ross_int_webzone="172.16.0.4"

tcp_services="{22, 80}"
dns_services="{53}"

set timeout interval 10
set timeout frag 30
set block-policy return
set loginterface sis0
set skip on lo0

# scrub in all

nat on $ext_if from $int_net to any -> $ext_if static-port

rdr on $ext_if proto tcp from any to $carp5 port 22 -> $ross_int_webzone port 22

# Deny all packets
block in on sis0 all

pass in quick on $int_if all
pass out quick on $int_if all

pass in quick on $ext_if inet proto tcp from any to any port $tcp_services flags S/SA keep state
pass out quick on $ext_if inet proto tcp from any to any port $tcp_services flags S/SA keep state

pass in quick on $carp5 inet proto tcp from any to any port $tcp_services keep state
pass out quick on $carp5 inet proto tcp from any to any port $tcp_services keep state

pass quick on lo0 all

pass quick on { sis2 } proto pfsync
pass in quick on { sis0 sis1 } proto carp keep state

# Filter rules for sis0 outbound
block out on sis0 all

# pass in all
# pass out all

My master carp has the following:
-
ifconfig carp5 create
ifconfig carp5 vhid 5 carpdev sis0 pass netpasswd advskew 0 104.83.19.244 netmask 255.255.255.0

My backup carp has the following:
-
ifconfig carp5 create
ifconfig carp5 vhid 5 carpdev sis0 pass netpasswd advskew 128 104.83.19.244 netmask 255.255.255.0
Carp & scp losing connection

Hi all,

I have 2 Rasta 4801 (3.7 current) as a master and backup carp. One solaris 10 server is behind them. When I try to scp a 600MB file from 1 solaris server outside the network to the solaris server behind the net4801, I get "network error: connection reset by peer" error. If I halt the master carp and the backup becomes master, no problem, all 600MB gets transferred. I then went ahead and deleted the file and rebooted the master, the current Master switched to backup, and I did the copy and "network error: connection reset by peer" showed up.

My pf.conf files on both machines are identical.

Thank you.

/etc/pf.conf
-
ext_if="sis0"
int_if="sis1"
ext_net="104.83.19.0/24"
int_net="172.16.0.0/24"

carp5="carp5"

ross="172.16.0.3"
ross_int_webzone="172.16.0.4"

tcp_services="{22, 80}"
dns_services="{53}"

set timeout interval 10
set timeout frag 30
set block-policy return
set loginterface sis0
set skip on lo0

# scrub in all

nat on $ext_if from $int_net to any -> $ext_if static-port

rdr on $ext_if proto tcp from any to $carp5 port 22 -> $ross_int_webzone port 22

# Deny all packets
block in on sis0 all

pass in quick on $int_if all
pass out quick on $int_if all

pass in quick on $ext_if inet proto tcp from any to any port $tcp_services flags S/SA keep state
pass out quick on $ext_if inet proto tcp from any to any port $tcp_services flags S/SA keep state

pass in quick on $carp5 inet proto tcp from any to any port $tcp_services keep state
pass out quick on $carp5 inet proto tcp from any to any port $tcp_services keep state

pass quick on lo0 all

pass quick on { sis2 } proto pfsync
pass in quick on { sis0 sis1 } proto carp keep state

# Filter rules for sis0 outbound
block out on sis0 all

# pass in all
# pass out all

My master carp has the following:
-
ifconfig carp5 create
ifconfig carp5 vhid 5 carpdev sis0 pass netpasswd advskew 0 104.83.19.244 netmask 255.255.255.0

My backup carp has the following:
-
ifconfig carp5 create
ifconfig carp5 vhid 5 carpdev sis0 pass netpasswd advskew 128 104.83.19.244 netmask 255.255.255.0