Re: Route traffic back out same interface

2006-07-24 Thread Ashley Moran
On Friday 21 July 2006 17:46, Jason Dixon wrote: > I believe you're looking for "reflection". If you're using the IP > instead of the hostname, either TCP proxying or the "rdr / nat / no > nat" combination should work. > > http://www.openbsd.org/faq/pf/rdr.html#reflect Thanks Jason That is

Re: Route traffic back out same interface

2006-07-24 Thread Ashley Moran
On Friday 21 July 2006 17:39, Stuart Henderson wrote: > split dns (or /etc/hosts, but split dns is likely to be easier to > find in the future when it changes address...) and issue the cert for > the name rather than IP address? Hi Stuart I changed the hosts file on the server in the end. Turns

Route traffic back out same interface

2006-07-21 Thread Ashley Moran
Hi We have a website on a server in our DMZ that hits a webservice over SSL identified by an external IP. However, the webservice is on the same box. PF won't route requests to the external IP that come in on the DMZ interface back out of the same interface, so we can't hit it. I've tried ma

Re: Carp/Pfsync problem

2006-07-20 Thread Ashley Moran
On Sep 20, 2006, at 7:18 pm, Tim Pushor wrote: As for the multiple carp addresses - This is in a lab environment but will end up protecting a rack of machines in a colo. I'm planning on having a carp address for each external address that's required (not many - maybe 4-5 eventually). Tim

Re: PF mysteriously blocking some return traffic (FIXED)

2006-07-19 Thread Ashley Moran
Thanks for the off list replies I got. I suspect this was a driver issue as it's working on 3.9 after spending all day reinstalling the firewalls. Ashley -- "If you do it the stupid way, you will have to do it again" - Gregory Chudnovsky

Still getting some random connections blocked in pf- hardware problem?

2006-07-18 Thread Ashley Moran
I'm trying to diagnose the problem in our new firewall setup. I've drawn a diagram below. We have two IP ranges, one serviced by an IPCop Linux distro, another by a CARPed OpenBSD pf pair (currently OpenBSD 3.8). Currently our old windows web server is assigned addresses from the first ra

PF mysteriously blocking some return traffic (ignore my other email)

2006-07-18 Thread Ashley Moran
Hi... can anyone work out what is wrong with my PF rules? We have a DMZ and internal corporate network. Externally, we have two IP ranges with 28 bit netmasks. Currently, we have an IPCop server handling the old range in the DMZ (say a.b.c.d, which is rdr'd to 10.0.x.x inside the DMZ) and the

PF rules not working (traffic blocked on way back out)

2006-07-17 Thread Ashley Moran
Hi people... I wonder if anyone can see what is up with these firewall rules. We have two external IP ranges from our ISP. We're trying to migrate from IPCop to OpenBSD so we can use the extra range, using a CARPed cluster of two 3.8 machines. Initially we just want to get a single Windows we

Script for syncing PF rules on two paired firewalls

2006-05-19 Thread Ashley Moran
I wrote this little script to copy and reload rules on two firewalls. Thought I'd share it here in case it is any use or I am missing something. ( My money's on the latter :) ) it just needs a separate user with correct sudo privileges to run certain commands. It's very verbose just so I cou

Re: What point does keep state take effect?

2006-05-11 Thread Ashley Moran
On Wednesday 10 May 2006 09:07, NetNeanderthal wrote: > On 5/9/06, Ashley Moran <[EMAIL PROTECTED]> wrote: > You're way off on what you're trying to do and need to seriously > consider re-reading the PF FAQ and/or trying the examples. This being > said... Thanks for

What point does keep state take effect?

2006-05-09 Thread Ashley Moran
I'm trying to put together a firewall for our DMZ and internal network. For some reason, a server in the DMZ can only hit the external DNS server if it has keep state on the DMZ interface. Basically the following (relevant extract) blocks access: ext_if = "vr0" dmz_if

Idiot's guide to pfsync over IPSec

2006-04-24 Thread Ashley Moran
I've googled like my life depends on it and looked through the 6 months of misc messages in my inbox and can't find any simple guides to setting up pfsync over IPSec. Does anyone use this setup? I just want to get it up and running to test without reading all the IPSec documentation. Thanks f

Re: PF/CARP load balancing

2006-04-21 Thread Ashley Moran
On Friday 21 April 2006 13:54, Stephan A. Rickauer wrote: > All heartbeat does is having one virtual IP on the live server. In case > of failure, a script runs which takes up the IP on the secondary, while > some arp faking is done to update the arp tables. You can then also > start services in the

Re: PF/CARP load balancing

2006-04-21 Thread Ashley Moran
On Friday 21 April 2006 15:50, you wrote: > I must be missing something. Is this a mission critical setup? If > so why not just get it over with and use hardware LB with checking > and let the servers do a single job well. There are several cheap LB > on ebay radware and the like that are surely af

Re: PF/CARP load balancing

2006-04-21 Thread Ashley Moran
On Friday 21 April 2006 12:18, Stuart Henderson wrote: > On 2006/04/21 12:08, Ashley Moran wrote: > > I think rdr/source-hash avoids the need to use CARP on the web servers, > > Failover should be quicker if you CARP on the web servers. Otherwise > you have to wait until the mo

Re: PF/CARP load balancing

2006-04-21 Thread Ashley Moran
On Friday 21 April 2006 09:08, Stephan A. Rickauer wrote: > I use 'heartbeast' for several years now and would not do so again. > Failover always takes several seconds because of ARP change propagation. I thought Heartbeast ( I'm assuming you wrote that on purpose :) ) was the flagship output of t

Re: PF/CARP load balancing

2006-04-21 Thread Ashley Moran
On Thursday 20 April 2006 19:26, Joachim Schipper wrote: > Some monitoring script sounds like the way to go, though. Perhaps you're right. Monit looks good - presumably I could install that both on the firewalls and the webservers, so that in the event of an httpd failure the local monit could

Re: PF/CARP load balancing

2006-04-20 Thread Ashley Moran
On Thursday 20 April 2006 12:11, Stuart Henderson wrote: > > > 10.0.0.1 is master of CARP 10.0.0.3 and 10.0.0.2 is master of CARP > > > 10.0.0.4. > > > Then, use rdr load balancing on the firewall to hit the .3/.4 CARP > > > addresses, instead of the server addresses. > > > > > > At first glance

PF/CARP load balancing

2006-04-20 Thread Ashley Moran
Hi I've just been through the recent messages on this list and saw something similar but not exactly the same as what I was planning to implement. We've just got two new firewalls (now installed with OpenBSD 3.8, which will soon be CARPed and pfsynced) and two new webservers which we want to c

Re: CARP states apparently not changing correctly (causes some connection drops)

2005-10-21 Thread Ashley Moran
Stephan A. Rickauer wrote: Ashley Moran wrote: fw1# cat /etc/hostname.carp0 inet 192.168.67.3 255.255.255.0 192.168.67.255 carpdev rl0 vhid 1 pass mycarp fw2# cat /etc/hostname.carp0 inet 192.168.67.3 255.255.255.0 192.168.67.255 carpdev rl0 vhid 1 advskew 10 pass mycarpstudio Could

CARP states apparently not changing correctly (causes some connection drops)

2005-10-20 Thread Ashley Moran
Hi This is my first post to openbsd-misc so forgive me if this has been raised before. That said, I've just read through the 1200 messages in the archives this month and can't find the same issue. I am trying to configure a redundant firewall pair. So far almost everything is fine and it b