Re: two bridges on an etherchannel link

2004-12-13 Thread Jason Opperisano 
On Mon, 2004-12-13 at 11:24, Alain wrote:
 Hi,
 
 I'm working on an high availability bridged firewall solution.
 Would it be possible to put two openbsd bridged firewall on an 
 etherchannel link (between two cisco switch) and let the switch manage 
 the failover ?

i don't think etherchannel is the technology you're looking for.  i've
seen setups where you put the two bridging firewalls in between two
switches and allow spanning tree to handle fail-over if one of the
firewalls dies.

-j

--
It takes two to lie. One to lie and one to listen.
--The Simpsons

Re: new ftp proxy: pftpx

2004-12-13 Thread Camiel Dobbelaar 


On Tue, 14 Dec 2004, Tobias Wigand wrote:
 hope it doesn´t have any severe exploitable bugs, though. ;-)

Peer review would be good...  but it already does some mitigation:
check the security section below.

I've put up the latest version at
http://www.sentia.org/downloads/pftpx-0.5.tar.gz

it includes a manpage as well, which is pretty short so I'll paste it 
below.

--
Cam


PFTPX(8)OpenBSD System Manager's Manual   PFTPX(8)

NAME
 pftpx - FTP proxy

SYNOPSIS
 pftpx [-6d] [-b address] [-c port] [-D level] [-f address] [-g port] [-m
   maxsessions] [-p address] [-q queue] [-t timeout]

DESCRIPTION
 pftpx is a proxy for the Internet File Transfer Protocol.  FTP control
 connections should be redirected into the proxy using the pf(4) rdr com-
 mand, after which the proxy connects to the server on behalf of the
 client.

 The proxy allows data connections to pass, rewriting and redirecting them
 so that the right addresses are used.  All connections from the client to
 the server have their source address rewritten so they appear to come
 from the proxy.  Consequently, all connections from the server to the
 proxy have their destination address rewritten, so they are redirected to
 the client.  The proxy uses the pf(4) anchor facility for this.

 Assuming the FTP control connection is from $client to $server, the proxy
 connected to the server using the $proxy source address, and $port is ne-
 gotiated, then pftpx adds the following rules to the various anchors.
 (These example rules use inet, but the proxy also supports inet6.)

 In case of active mode (PORT or EPRT):

   rdr from $server to $proxy port $port - $client
   pass log quick inet proto tcp \
   from $server to $client port $port flags S/SAFR keep state

 In case of passive mode (PASV or EPSV):

   nat from $client to $server port $port - $proxy
   pass log quick inet proto tcp \
   from $client to $server port $port flags S/SAFR keep state
   pass log quick inet proto tcp \
   from $proxy to $server port $port flags S/SAFR keep state

 The options are as follows:

 -6  IPv6 mode.  The proxy will expect and use IPv6 addresses for all
 communication.  Only the extended FTP modes EPSV and EPRT are al-
 lowed with IPv6.  The proxy is in IPv4 mode by default.

 -b address
 Address where the proxy will listen for redirected connections.
 The default is 127.0.0.1, or ::1 in IPv6 mode.

 -c port
 Port where the proxy will listen for redirected connections.  The
 default is port 8021.

 -d  Do not daemonize.  The process will stay in the foreground, log-
 ging to stderr.

 -D level
 Debug level, ranging from 0 to 7.  Higher is more verbose.  The
 default is 5.  (These levels correspond to the syslog(3) levels.)

 -f address
 Fixed server address.  The proxy will always connect to the same
 server, regardless of where the client wanted to connect to (be-
 fore it was redirected).  Use this option to proxy for a server
 behind NAT, or to forward all connections to another proxy.

 -g port
 Fixed server port.  Only used in combination with the previous
 option.  The default is port 21.

 -m maxsessions
 Maximum number of concurrent FTP sessions.  When the proxy reach-
 es this limit, new connections are denied.  The default is 100.

 -p address
 Proxy source address.  The proxy will use this as the source ad-
 dress to connect to servers.

 -q queue
 Create rules with queue queue appended, so that data connections
 can be queued.

 -t timeout
 Number of seconds that the control connection can be idle, before
 the proxy will disconnect.  The default is 24 hours.  Do not set
 this too low, because the control connection is usually idle when
 large data transfers are taking place.

CONFIGURATION
 To make use of the proxy, pf.conf(5) needs the following rules.  All an-
 chors are mandatory.  The rdr pass rule can be adjusted as needed.

 In the NAT section:

   nat-anchor pftpx/*
   rdr-anchor pftpx/*
   rdr pass on $int_if proto tcp from $lan to any port 21 - 127.0.0.1 port 
8021

 In the rule section:

   anchor pftpx/*

SECURITY
 Negotiated data connection ports below 1024 are not allowed.

 The negotiated IP address for active modes is ignored for security rea-
 sons.  This makes third party file transfers impossible.

 pftpx chroots to /var/empty and changes to user proxy to drop privi-
 leges.

SEE ALSO
 ftp(1), pf(4), pf.conf(5),

two bridges on an etherchannel link

2004-12-13 Thread Alain 
Hi,
I'm working on an high availability bridged firewall solution.
Would it be possible to put two openbsd bridged firewall on an 
etherchannel link (between two cisco switch) and let the switch manage 
the failover ?

Thanks,

Re: two bridges on an etherchannel link

2004-12-13 Thread Edy Lie 
Hi Alain,

Take a look at the following URL

http://www.seattlecentral.edu/~dmartin/docs/bridge.html

Cheers,
Edy.

On Tue, 2004-12-14 at 00:24, Alain wrote:
 Hi,
 
 I'm working on an high availability bridged firewall solution.
 Would it be possible to put two openbsd bridged firewall on an 
 etherchannel link (between two cisco switch) and let the switch manage 
 the failover ?
 
 Thanks,

Re: two bridges on an etherchannel link

2004-12-13 Thread Dylan Martin 
I don't know what etherchannel is, but I did what 
you're describing with spanning tree and two cisco switches.  I tried to
write up a little blurb about it here:

http://seattlecentral.edu/~dmartin/docs/bridge.html

-Dylan

 Hi,
 
 I'm working on an high availability bridged firewall solution.
 Would it be possible to put two openbsd bridged firewall on an 
 etherchannel link (between two cisco switch) and let the switch manage 
 the failover ?
 
 Thanks,

Re: two bridges on an etherchannel link

2004-12-13 Thread Dan 
i dont think it will work without UDLD and even then...:
(use mono spaced fonts or copy to notepad/vi...)

 ++
 ||
 |   CATALIST 1   |
 +--+++
| f0/1   | f0/2
||
|int2| int 2
 +--+---++---+-+
 |  || |
 |PF1   || PF2 |
 |  || |
 +--+---++--+--+
| int1  | int1
|
|
| f0/1  | f0/2
 +--+---+---+
 |  |
 |CATALIST 2|
 +--+
if the link between catalist 2 interface f0/2 and int1 on PF2 will fail,  
how CATALIST1 will know this?

if your switch supports UDLD, then it should work because CAT1 will sense  
a unidirectional link between him and CAT2
try to see if you got the UDLD command in an interface or as global  
command.

even if udld will work oyu wont be able to use keep state because you  
might get a symetrical rouing (switching in this case)

Other option will be to just use spanning tree and tune the timers to  
lower the failover time (which is 50 sec by default)

HTH
On Mon, 13 Dec 2004 17:24:44 +0100, Alain [EMAIL PROTECTED] wrote:
Hi,
I'm working on an high availability bridged firewall solution.
Would it be possible to put two openbsd bridged firewall on an  
etherchannel link (between two cisco switch) and let the switch manage  
the failover ?

Thanks,

--
Best Regards,
Dan
Using Opera's revolutionary e-mail client: http://www.opera.com/m2/