pf.conf propagation

2007-03-20 Thread Alexander Lind
Hello misc. Can anyone recommend a pf propagation script, intended to be used to spread changes from one carp:ed openbsd firewall to another? I found one bash script which seems to do a decent job here: http://archives.neohapsis.com/archives/openbsd/2006-11/1134.html But it requires bash and

Re: CPU selection

2006-11-02 Thread Alexander Lind
>> Also consider putting some extra cash down on a hw raid controller, and >> 2 scsi disks for each machine, and run raid 1 on them, for even more >> failover safety. >> > > but that doubles the cost of the machine and makes for a more complex > system - if that type of money is available, the

Re: CPU selection

2006-11-02 Thread Alexander Lind
with you and in the long run it will happen, but > getting a second machine is beyond my budget for the next couple of > months. > > > > > TIA > Paolo > > > > > > Alexander Lind wrote: > >> I don't think the celeron CPU will have any problems

Re: CPU selection

2006-11-02 Thread Alexander Lind
> As for RAID on a firewall, uh...no, all things considered, I'd rather > AVOID that, actually. Between added complexity, what complexity? > added boot time, and > disks that can't be used without the RAID controller, why would you want to use your disk WITHOUT the raid controller? > it is a maj

Re: CPU selection

2006-11-02 Thread Alexander Lind
Ingo Schwarze wrote: > Perhaps you missed that Nick was talking about a pair of carp'ed > firewalls. Failure of one machine means *no* downtime. Besides, > firewalls rarely need to store any valuable data, almost by definition. > I'm not saying that digging up parts and building a couple of ma

Re: CPU selection

2006-11-02 Thread Alexander Lind
>> what complexity? >> > > RAID, kiddo. > It's more complex. It is something else that can go wrong. > And...it DOES go wrong. Either believe me now, or wish you believed me > later. Your call. I spent a lot of time profiting from people who > ignored my advice. :) > Of course raid are

Re: CPU selection

2006-11-03 Thread Alexander Lind
Thanks, I do stand corrected. Next time I spec out firewalls, I will keep your arguments in mind for sure, they do make a lot of sense. Alec J.C. Roberts wrote: > On Thu, 02 Nov 2006 22:03:05 -0800, Alexander Lind <[EMAIL PROTECTED]> > wrote: > > >>> RAID, kiddo.

Re: How much traffic can it route?

2006-11-03 Thread Alexander Lind
Absolutely. Alec Der Engel wrote: > Hi, > > I have a doubt about if OpenBSD/PF can NAT 40Mbits with a simple rule > set and like 60 redirects. > The box has a xeon proc and two integrated NICs, one fxp and a bge, > can it handle it? > > Thanks

Re: Option 3G+ UMTS HSDPA on Soekris 4521 not attaching

2006-11-06 Thread Alexander Lind
wild guess; maybe the drivers for it are not included in the default kernel, so you may have to roll your own kernel with the necessary drivers enabled? alec Matt Hamilton wrote: > Hi All, > I've just installed a -current snapshot (the day before 4.0 release, > sod's law) onto a Soekris 4521 boa

Re: Expected 802.11g speeds?

2006-11-06 Thread Alexander Lind
mb as in megabit or megabyte? alec Steve Shockley wrote: > I've got an OpenBSD 3.9 firewall/AP with a ral wireless card, and I'm > connecting to it from a WinXP machine with an Intel 2915 wireless and > Broadcom 5751 Ethernet. > > My provider just upgraded my speeds, so I was using > http://speed

Re: Script to sync pf rules for CARP fws

2006-11-14 Thread Alexander Lind
no need to run pfctl on the other machines, if you are using pfsync, is there? alec z0mbix wrote: > On 14/11/06, C. L. Martinez <[EMAIL PROTECTED]> wrote: >> Hi all, >> >> Somebody knows where I can find a good shell script to sync pf.conf >> rules >> over a several Openbsd firewalls using CARP?

keep state for http connections

2007-01-24 Thread Alexander Lind
If I have a busy http server or cluster (by busy I mean one that gets hundreds of thousands of visitors per day), and I use an openbsd firewall, should I keep state for all incoming http connections, or should I just pass them all in without state and then pass them all out without state instea

Re: keep state for http connections

2007-01-25 Thread Alexander Lind
I just did some really basic stuff with http_load. Without pf at all, the mean connect() times were horrible, ranging from 48 to 76 ms. But, after a few runs with stateless (using pass quick) and keep state, the data I got showed that keep state is 12% faster. Now, of course, this number will va

layer-7 pf loadbalancing

2006-10-12 Thread Alexander Lind
hi all i tried googling for references to layer-7 load balancing support in openbsd:s pf, but came up with nothing. does anyone know if there are any plans for adding layer-7 support to openbsds pf? thanks alec

Re: layer-7 pf loadbalancing

2006-10-12 Thread Alexander Lind
bummer. anyone know of any alternatives that can run on openbsd? Raymond Pasco wrote: > On Thu, Oct 12, 2006 at 01:26:01PM -0700, Alexander Lind wrote: > >> does anyone know if there are any plans for adding layer-7 support to >> openbsds pf? >> > As far a

Re: Oldest Server you run

2006-10-12 Thread Alexander Lind
$ sysctl hw hw.machine = intellivision hw.model = General Instrument CP1610 16-bit @ 895 kHz , absolutely no FPU hw.ncpu = 1 hw.byteorder = 4321 hw.physmem = 1352 bytes hw.usermem = 0 hw.pagesize = 0 hw.disknames = cartridge1 hw.diskcount = 0 $ uname -a Open

pf load balancing and failover

2006-10-20 Thread Alexander Lind
OpenBSDs PF loadbalancing functionality does not support any sort of failover rule rewriting, or conditional rulesets, does it? For example, if I have PF round-robin to 4 webservers, and one goes down, is there any way to make PF notice this and remove the downed host from the pool, based on s

Re: CPU selection

2006-11-02 Thread Alexander Lind
I don't think the celeron CPU will have any problems coping with that. Consider getting two of the machines and CARPing them, for redundancy and load balancing (not that you will likely really need that). Also consider putting some extra cash down on a hw raid controller, and 2 scsi disks for each

detection of machines behind PF firewall

2008-06-13 Thread alexander lind
Hi all Is there currently any known method for detecting information about a machine behind a PF firewall? Specifically, if I have a machine with two IP addresses, is it possible for a remote attacker to detect that these two IP addresses are bound on the same machine (this machine would

Re: detection of machines behind PF firewall

2008-06-15 Thread alexander lind
On Jun 13, 2008, at 4:22 PM, Aaron Stellman wrote: On Fri, Jun 13, 2008 at 04:05:12PM -0400, alexander lind wrote: Hi all Is there currently any known method for detecting information about a machine behind a PF firewall? Specifically, if I have a machine with two IP addresses, is it

bridging and NAT:ing on the same interface

2008-08-11 Thread alexander lind
Hi List Is it possible to bridge and NAT on one single network interface? I have two machines that I want to bind public IP:s on, and I want to bridge these. I have a few other machines that I want to put on a private network with internal IP addresses, and I want to NAT to these machines.

bridge and carp

2008-08-19 Thread alexander lind
Is it possible to have two OpenBSD bridging firewalls work together with CARP now? In the past I know it has been impossible to use CARP between two bridging firewalls, but reading the 4.1 -> 4.2 changelog, I learned about this change: Update the ifp of bridge cache entries if the entry is

Re: bridge and carp

2008-08-19 Thread alexander lind
On Aug 19, 2008, at 6:11 PM, alexander lind wrote: Is it possible to have two OpenBSD bridging firewalls work together with CARP now? In the past I know it has been impossible to use CARP between two bridging firewalls, but reading the 4.1 -> 4.2 changelog, I learned about this cha

Re: bridge and carp

2008-08-20 Thread alexander lind
On Aug 20, 2008, at 12:06 AM, Marco Fretz wrote: Is it possible to have two OpenBSD bridging firewalls work together with CARP now? What do you mean by "work together"? Only fail-over? load-share? Fail-over is my primary concern. Update the ifp of bridge cache entries if the entry is not