Openbsd as a transparent bridge

2009-02-11 Thread dabheeruz
List,

I have the following setup:

sys:a --- SWITCH --- OPENBSD/BRIDGE --- SWITCH --- sys:b
192.168.1.2          (NO IPs)                     192.168.1.10

I have enabled bridging by doing the following:

/etc/hostname.bge0
   up
/etc/hostname.bge1
   up

/etc/hostname.bridge0
   add bge0
   add bge1

I have enabled ip forwarding in /etc/sysctl.conf

Shouldn't I see sys:a from sys:b???

I can't see the sys:a from sys:b or sys:b from sys:a. It doesn't seem that
openbsd/bridge is forwarding the packets to the other side.

I would appreciate any help.

thx.



Transparent Bridge - Openbsd

2009-02-11 Thread dabheeruz

sys:a --- SWITCH --- OPENBSD/BRIDGE --- SWITCH --- sys:b
192.168.1.2          (NO IPs)                     192.168.1.10

I have enabled bridging by doing the following:


/etc/hostname.bge0
   up
/etc/hostname.bge1
   up

/etc/hostname.bridge0
   add bge0
   add bge1
   
I have enabled ip forwarding in /etc/sysctl.conf


Shouldn't I see sys:a from sys:b???


I can't see the sys:a from sys:b or sys:b from sys:a. It doesn't seem that
openbsd/bridge is forwarding the packets to the other side.


I would appreciate any help.

**Sorry for the resend but rich text email was enabled.  I just 
disabled it now.




Re: Openbsd as a transparent bridge

2009-02-11 Thread dabheeruz
Thanks Patrick.  Will give it a shot.


-Original Message-
From: patrick keshishian 
To: dabhee...@aim.com
Cc: misc@openbsd.org
Sent: Wed, 11 Feb 2009 9:44 pm
Subject: Re: Openbsd as a transparent bridge






On Wed, Feb 11, 2009 at 7:36 PM,   wrote:
> /etc/hostname.bridge0
>
>add bge0
>
>add bge1


You need to finish /etc/bridgename.bridge0 with an "up"

$ cat /etc/bridgename.bridge0
add dc0
add dc1
add dc2
up


> I have enabled ip forwarding in /etc/sysctl.conf

not necessary.


--patrick
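A small configuration check for the mistake this thread turns on (member interfaces brought up, the bridge itself never brought up). This is an added example, not code from the list or from OpenBSD; it assumes the hostname.if(5) layout shown in the posts (one /etc/hostname.<member> file per member containing "up", and /etc/hostname.bridge0 with "add <member>" lines plus a final "up"), and it takes the config directory as a parameter so it runs against constructed copies rather than the live /etc.

```python
"""Check an OpenBSD bridge configuration for the mistake in this thread.

Added example, not code from the list or from OpenBSD. It assumes the
hostname.if(5) layout the thread shows: one /etc/hostname.<member> file per
member interface containing 'up', and /etc/hostname.bridge0 with
'add <member>' lines that must also end with 'up'; without that last line
the bridge is created but never brought up and forwards nothing. The check
takes the config directory as a parameter so it can run against constructed
copies instead of the live /etc.
"""
import os
import tempfile


def config_lines(path):
    """Non-empty, non-comment lines of a hostname.if-style file, stripped."""
    with open(path) as fh:
        lines = (ln.strip() for ln in fh)
        return [ln for ln in lines if ln and not ln.startswith("#")]


def brings_up(lines):
    """True if any line carries the 'up' keyword (hostname.if allows it mid-line)."""
    return any("up" in ln.split() for ln in lines)


def check_bridge_config(etc_dir, bridge="bridge0"):
    """Return a list of problems; an empty list means the bridge should forward."""
    problems = []
    bridge_file = os.path.join(etc_dir, f"hostname.{bridge}")
    if not os.path.exists(bridge_file):
        return [f"{bridge}: hostname.{bridge} does not exist"]
    lines = config_lines(bridge_file)
    members = [ln.split()[1] for ln in lines
               if ln.startswith("add ") and len(ln.split()) >= 2]
    if len(members) < 2:
        problems.append(f"{bridge}: fewer than two 'add <interface>' lines, "
                        "nothing to bridge between")
    if not brings_up(lines):
        problems.append(f"{bridge}: no 'up' line, the bridge is never brought up")
    for member in members:
        member_file = os.path.join(etc_dir, f"hostname.{member}")
        if not os.path.exists(member_file):
            problems.append(f"{member}: hostname.{member} missing, member is unconfigured")
        elif not brings_up(config_lines(member_file)):
            problems.append(f"{member}: hostname.{member} never brings the interface up")
    return problems


def write_configs(etc_dir, bridge_lines):
    """Constructed config set: the thread's two members plus a bridge file."""
    for member in ("bge0", "bge1"):
        with open(os.path.join(etc_dir, f"hostname.{member}"), "w") as fh:
            fh.write("up\n")
    with open(os.path.join(etc_dir, "hostname.bridge0"), "w") as fh:
        fh.write("\n".join(bridge_lines) + "\n")


def demo():
    """Check the config as posted, then with the 'up' line Patrick asked for."""
    with tempfile.TemporaryDirectory() as etc_dir:
        write_configs(etc_dir, ["add bge0", "add bge1"])          # as posted
        as_posted = check_bridge_config(etc_dir)
        write_configs(etc_dir, ["add bge0", "add bge1", "up"])    # with the fix
        fixed = check_bridge_config(etc_dir)
    return as_posted, fixed


if __name__ == "__main__":
    as_posted, fixed = demo()
    print("as posted:", as_posted or "ok")
    print("with 'up':", fixed or "ok")
```

Running the block reports one problem for the configuration as posted (bridge0 has members but no "up" line) and none once the "up" line is added; pointing `check_bridge_config` at a real `/etc` works the same way.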



OpenBSD 4.5 and RelayD

2009-06-26 Thread dabheeruz
Before implementing relayd for load balancing needs I wanted to get 
some answers (Yes I have read relayd and relayd.conf manual and I am 
able to run them successfully in a test environment).  So here are some 
of the questions:


1. when I choose mode as loadbalance, what algorithm is it using? Is 
there a place where I can see that relayd is properly load balancing?


2.  I see that "sticky-address" is only available in redirect, can I 
achieve the same in a relay?


3.  Finally where is relayd logging everything?

Thanks
Dabheeruz



Snort and Dynamic rules help

2010-03-31 Thread dabheeruz

I am trying to get snort with dynamic rules working.  Yes I did compile
it with --dynamic-plugin option already.  Unfortunately there is no
precompiled so_rules for OpenBSD.  Is there a snort master out there
that can help?  I have tried copying over the FreeBSD rules but they
don't work either.

Any help is highly appreciated.
thx.



Relayctl and reload command

2011-04-15 Thread dabheeruz
Does anyone know why relayctl reload doesn't work?  I did see a post 
saying it wasn't implemented yet.  Is this true?


thx



Re: PF and States

2010-12-03 Thread dabheeruz
Thanks Ryan! Unfortunately when this happened I was remote and could not 
grab those stats.  But what should I be looking for in terms of badness?  
Maybe I can quickly set up something to monitor for a particular stat.  
Really appreciate your input.


Thx.

On 12/3/10 12:41 AM, Ryan McBride wrote:

On Thu, Dec 02, 2010 at 11:22:08PM -0500, Godesi wrote:

1.  Do I need pf for relayd when I am not doing redirects?

I don't think so, but this is easy for you to test...



2.  How many states can I "really" have on a box that has 4 gig ram?

More than 100,000. I haven't tested lately (planning to do so soon), but I
would expect somewhere closer to 500,000.



Is it governed by how much mem is allocated to kernel?

Yes.


Can I change that?

Not directly. In fact, having too much RAM in your box will COST you
memory, as more kernel memory is used up tracking all your RAM. So
cutting your ram to 2 GB will probably improve the upper limit, though
it doesn't seem that that's the limit you are hitting.


What does 'pfctl -vvsi' show when this problem is happening?




Re: PF and States

2010-12-05 Thread dabheeruz

Hi Jan,

This actually happened again really late at night.  One thing that 
strangely happened was that we had nagios set up to monitor CARP state, 
and basically the secondary lb (same config etc.) had its carp interface 
in "init" state, and once again the primary relayd box was displaying 
problems.  Users were not able to get to the site, and sometimes they 
could.  When I tried to ssh into the box, I couldn't, and after a couple 
of retries I was finally logged in.  I tried to do "relayctl show 
hosts" or "relayctl show sessions" or any other command; I got an error.  
When I looked at PF states they were around 20K.   I logged on to the 
secondary (backup carp) and of course saw that it was confused.  These 
two boxes are connected directly, no switches or anything.  It seems 
like the secondary box also wasn't able to fully communicate with the 
MASTER.  When the states were back to around 8K, everything was back to 
normal.  I could do "relayctl show sessions" etc.


Very strange, this problem!! Is it PF? or relayd?  Can't really tell, but 
I have to come up with something soon, otherwise I would have to part ways 
with this solution.  Which I really don't want to :(


thx
On 12/3/10 11:58 PM, Jan Johansson wrote:

Godesi  wrote:

We recently deployed OBSD4.7 boxes to do load balancing in our
environment with relayd.

After a few hours we encountered a problem with the server going beyond
10,000 states.

Are you convinced that it is a state problem?

In our tests we have found that a default setup of relayd will
handle 2540 connections and will then stop responding to new
connections; might this be the limit you are seeing?

Our pf.conf is the default that comes with the install.




Re: PF and States

2010-12-08 Thread dabheeruz

Hi Ryan,

We are seeing the issue again and I am writing a script to get the 
"pfctl -vvsi" data at regular intervals.  Can you please point me to 
what values I should be looking out for?


Thanks
Parvinder Bhasin

On 12/3/10 11:32 AM, dabheeruz wrote:
Thanks Ryan! Unfortunately when this happened I was remote and could 
not grab those stats.  But what should I be looking for in terms of 
badness?  Maybe I can quickly set up something to monitor for a 
particular stat.  Really appreciate your input.


Thx.

On 12/3/10 12:41 AM, Ryan McBride wrote:

On Thu, Dec 02, 2010 at 11:22:08PM -0500, Godesi wrote:

1.  Do I need pf for relayd when I am not doing redirects?

I don't think so, but this is easy for you to test...



2.  How many states can I "really" have on a box that has 4 gig ram?

More than 100,000. I haven't tested lately (planning to do so soon), but I
would expect somewhere closer to 500,000.



Is it governed by how much mem is allocated to kernel?

Yes.


Can I change that?

Not directly. In fact, having too much RAM in your box will COST you
memory, as more kernel memory is used up tracking all your RAM. So
cutting your ram to 2 GB will probably improve the upper limit, though
it doesn't seem that that's the limit you are hitting.


What does 'pfctl -vvsi' show when this problem is happening?




Re: PF and States

2010-12-11 Thread dabheeruz

On 12/8/10 2:09 PM, Ryan McBride wrote:

On Wed, Dec 08, 2010 at 12:39:12PM -0800, dabheeruz wrote:

We are seeing the issue again and I am writing a script to get the
"pfctl -vvsi" data at regular intervals.  Can you please point me to
what values I should be looking out for?

You want to look for any of the counters in the Counters section besides
'match' increasing "A Lot". How much depends on your specific situation,
but if you get a feel for what you see when you're NOT having problems,
you should be able to see if any of the counters increases suddenly.

In your case, the most likely ones are:

- memory
- congestion
- state-limit

Thanks Ryan!!
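The script dabheeruz says he is writing, as an added example that is not part of the thread or of OpenBSD: it parses two `pfctl -vvsi` snapshots taken some interval apart, computes how much each counter in the Counters section grew, and flags anything other than `match` that jumped, which is the check Ryan describes. It assumes the OpenBSD 4.x `pfctl -vvsi` layout (section headers in column 0 such as "State Table", "Counters" and "Limit Counters", followed by indented "name total rate" lines); the two snapshots are constructed for the example, not captured from the poster's box.

```python
"""Flag fast-growing pf counters between two 'pfctl -vvsi' snapshots.

Added example for this thread, not code from the list or from OpenBSD. It
assumes the pfctl -vvsi layout of OpenBSD 4.x: section headers in column 0
('State Table', 'Counters', 'Limit Counters') followed by indented
'name  total  rate' lines. Both snapshots below are constructed, not
captured from the poster's box.
"""
import re

# Constructed: a quiet interval on a relayd box (subset of the real counter list).
SNAPSHOT_BEFORE = """\
Status: Enabled for 2 days 03:11:40           Debug: err

State Table                          Total             Rate
  current entries                     8120
  searches                       912331711         5106.0/s
  inserts                          5120034           28.6/s
  removals                         5111914           28.6/s
Counters
  match                            5120034           28.6/s
  fragment                              12            0.0/s
  memory                                 0            0.0/s
  congestion                             0            0.0/s
  state-mismatch                        41            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
Limit Counters
  max states per rule                    0            0.0/s
"""

# Constructed: the same box a minute later during an incident like the one in
# the thread; states have more than doubled and memory/congestion are climbing.
SNAPSHOT_AFTER = """\
Status: Enabled for 2 days 03:12:40           Debug: err

State Table                          Total             Rate
  current entries                    19850
  searches                       913019443         5230.0/s
  inserts                          5132150           28.7/s
  removals                         5112300           28.5/s
Counters
  match                            5132034           28.7/s
  fragment                              12            0.0/s
  memory                              1850            0.0/s
  congestion                           940            0.0/s
  state-mismatch                        44            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
Limit Counters
  max states per rule                    0            0.0/s
"""

COUNTER_LINE = re.compile(r"^\s+(\S+)\s+(\d+)")


def parse_pfctl_info(text):
    """Return (current state count, {counter name: total}) from -vvsi output."""
    counters = {}
    current_states = None
    section = None
    for line in text.splitlines():
        if line and not line[0].isspace():
            # Section headers start in column 0; drop the column titles after them.
            section = re.split(r"\s{2,}", line.strip())[0]
            continue
        if section == "State Table" and line.strip().startswith("current entries"):
            current_states = int(line.split()[2])
        elif section == "Counters":
            m = COUNTER_LINE.match(line)
            if m:
                counters[m.group(1)] = int(m.group(2))
    return current_states, counters


def counter_deltas(before, after):
    """Increase of each counter between two snapshots (pf counters only grow)."""
    _, b = parse_pfctl_info(before)
    _, a = parse_pfctl_info(after)
    return {name: total - b.get(name, 0) for name, total in a.items()}


def suspicious_counters(before, after, threshold=100, ignore=("match",)):
    """Counters other than 'match' that grew by more than `threshold`.

    'match' climbs with every packet that hits a rule, so it is noise. The
    thread names memory, congestion and state-limit as the usual suspects
    on a box that falls over under load, but any other counter jumping is
    worth a look, so nothing else is filtered out.
    """
    return {name: delta for name, delta in counter_deltas(before, after).items()
            if name not in ignore and delta > threshold}


if __name__ == "__main__":
    states_before, _ = parse_pfctl_info(SNAPSHOT_BEFORE)
    states_after, _ = parse_pfctl_info(SNAPSHOT_AFTER)
    print(f"states: {states_before} -> {states_after}")
    for name, delta in suspicious_counters(SNAPSHOT_BEFORE, SNAPSHOT_AFTER).items():
        print(f"WARNING: {name} +{delta} in one interval")
```

In practice you would save `pfctl -vvsi` output from cron every minute and feed consecutive files to `suspicious_counters`; the threshold is deliberately a parameter, since Ryan's point is that "a lot" only means something relative to what the box shows when it is healthy.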



Re: PF and States

2010-12-19 Thread dabheeruz

On 12/19/10 4:16 AM, Henning Brauer wrote:

* Ryan McBride  [2010-12-03 09:52]:

On Thu, Dec 02, 2010 at 11:22:08PM -0500, Godesi wrote:

2.  How many states can I "really" have on a box that has 4 gig ram?

More than 100,000. I haven't tested lately (planning to do so soon), but I
would expect somewhere closer to 500,000.

you're way off ;)
I had 2 million during a DDoS. things got a bit slow but everything
worked.

Hmm... thanks guys.  I am stumped, as even with 100K states set in pf the 
box was dying.  Dying meaning I couldn't ssh (intermittent), carp was 
failing etc., relayd (intermittent failure on the checks etc.).


Using pftop I saw that there was only a slight increase in states (around 
15-20K total) as I tried a bunch of things which didn't work.   When 
the traffic was around 8-10K (total) states then the box was responding 
perfectly well.  I am on 4.7 for amd64.  This has now happened around 4 
times and I am totally clueless now as to what my next 
troubleshooting step should be.  Wondering if there is some issue with 4.7 
amd64.




PF , WCCP and SQUID

2011-01-14 Thread dabheeruz

Hi group,

I am having an interesting problem here.

I would like to set up OpenBSD with Squid and transparently intercept 
port 80 traffic.  Problem is that I have a cisco ASA in front which is the 
default gateway for outside traffic.  How can I set up my Openbsd squid 
box so that any packets destined for port 80 on the firewall are 
redirected to the openbsd squid box??


I have read up on WCCP but the problem is that ASA supports WCCP v2 
whereas GRE tunneling on Openbsd only supports WCCPv1 packets.  Whenever 
I enable WCCP v1 in squid config, the ASA side complains and when I 
enabled WCCP v2 , openbsd gre tunnel complains.


Is there a solution or workaround?  Route maps are not the same as what 
you can set up in cisco routers.  Any help highly appreciated.


thx.



Re: PF and States

2011-01-24 Thread dabheeruz

Hi Stuart,

Thanks a bunch for your suggestions.  This email got lost in my inbox.  
Will let you know if I have some questions.  Appreciate your help :)


Thx

On 1/11/11 1:43 PM, Stuart Henderson wrote:

On 2010-12-03, Godesi  wrote:

relay web {

Try applying this diff from -current and rebuilding relayd.
It is an inline diff, if your mail client has problems giving
you valid plaintext then try pasting it from a web-based
mailing list archive instead.

I think the diff will probably apply fairly cleanly as I don't
think there have been big changes in relayd since 4.7, but I am not
certain. If you don't know how or have problems patching/building,
hopefully someone else will have time to explain things, or you
could try a -current snapshot which includes this already.

Also check that the following limits are sufficiently high for
the number of TCP connections:

login.conf, "daemon" class, openfiles-cur
sysctl kern.maxfiles

-
PatchSet 489
Date: 2010/12/20 12:38:06
Author: dhill
Branch: HEAD
Tag: (none)
Log:
Only set SO_REUSEPORT for listening ports.

Fixes "Address already in use" errors seen on high load.

OK reyk@ pyr@

Members:
check_tcp.c:1.38->1.39
relay.c:1.127->1.128

Index: src/usr.sbin/relayd/check_tcp.c
diff -u src/usr.sbin/relayd/check_tcp.c:1.38 
src/usr.sbin/relayd/check_tcp.c:1.39
--- src/usr.sbin/relayd/check_tcp.c:1.38Tue Nov 30 14:38:45 2010
+++ src/usr.sbin/relayd/check_tcp.c Mon Dec 20 12:38:06 2010
@@ -50,7 +50,6 @@
  check_tcp(struct ctl_tcp_event *cte)
  {
int  s;
-   int  type;
socklen_tlen;
struct timeval   tv;
struct lingerlng;
@@ -79,10 +78,6 @@

bzero(&lng, sizeof(lng));
if (setsockopt(s, SOL_SOCKET, SO_LINGER,&lng, sizeof(lng)) == -1)
-   goto bad;
-
-   type = 1;
-   if (setsockopt(s, SOL_SOCKET, SO_REUSEPORT,&type, sizeof(type)) == -1)
goto bad;

if (cte->host->conf.ttl>  0) {
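Review bot: dropping SO_REUSEPORT from the host-check socket is the right fix and matches the log: check_tcp() is the check path, not a listener, and a socket that is not going to bind() to a fixed port gains nothing from port sharing beyond the "Address already in use" collisions the log describes. With the block gone, the surviving `goto bad;` now belongs to the SO_LINGER setsockopt two lines above it, which reads correctly; note that the `type` variable removed in the previous hunk had no other use in this function, so the two hunks must land together or the file will not compile.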
Index: src/usr.sbin/relayd/relay.c
diff -u src/usr.sbin/relayd/relay.c:1.127 src/usr.sbin/relayd/relay.c:1.128
--- src/usr.sbin/relayd/relay.c:1.127   Tue Nov 30 14:49:14 2010
+++ src/usr.sbin/relayd/relay.c Mon Dec 20 12:38:06 2010
@@ -59,7 +59,7 @@
  void   relay_init(void);
  void   relay_launch(void);
  intrelay_socket(struct sockaddr_storage *, in_port_t,
-   struct protocol *, int);
+   struct protocol *, int, int);
  intrelay_socket_listen(struct sockaddr_storage *, in_port_t,
struct protocol *);
  intrelay_socket_connect(struct sockaddr_storage *, in_port_t,
@@ -622,7 +622,7 @@

  int
  relay_socket(struct sockaddr_storage *ss, in_port_t port,
-struct protocol *proto, int fd)
+struct protocol *proto, int fd, int reuseport)
  {
int s = -1, val;
struct linger lng;
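Review bot: the new `reuseport` parameter is undocumented and is driven by bare 0/1 literals at the call sites; a one-line comment above relay_socket() stating that it is set only for listening sockets, the rule the log gives, would keep the next reader from re-enabling SO_REUSEPORT on the connect path.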
@@ -640,9 +640,12 @@
bzero(&lng, sizeof(lng));
if (setsockopt(s, SOL_SOCKET, SO_LINGER,&lng, sizeof(lng)) == -1)
goto bad;
-   val = 1;
-   if (setsockopt(s, SOL_SOCKET, SO_REUSEPORT,&val, sizeof(int)) == -1)
-   goto bad;
+   if (reuseport) {
+   val = 1;
+   if (setsockopt(s, SOL_SOCKET, SO_REUSEPORT,&val,
+   sizeof(int)) == -1)
+   goto bad;
+   }
if (fcntl(s, F_SETFL, O_NONBLOCK) == -1)
goto bad;
if (proto->tcpflags&  TCPFLAG_BUFSIZ) {
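Review bot: `sizeof(int)` in the re-indented setsockopt call should be `sizeof(val)` so the length follows the variable's declared type, as the check_tcp.c version did with `sizeof(type)`; it is pre-existing, but this hunk rewrites the line anyway. The guard itself is sound: the `goto bad` stays inside `if (reuseport)`, so a failed setsockopt aborts socket creation only when the option was actually requested, and the connect path no longer touches it at all.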
@@ -708,7 +711,7 @@
  {
int s;

-   if ((s = relay_socket(ss, port, proto, fd)) == -1)
+   if ((s = relay_socket(ss, port, proto, fd, 0)) == -1)
return (-1);

if (connect(s, (struct sockaddr *)ss, ss->ss_len) == -1) {
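Review bot: the literal `0` added to the relay_socket() call is correct for the connect path, but it is opaque at the call site; a trailing comment such as `/* no SO_REUSEPORT */` or a named constant would make the intent visible without opening relay_socket().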
@@ -729,7 +732,7 @@
  {
int s;

-   if ((s = relay_socket(ss, port, proto, -1)) == -1)
+   if ((s = relay_socket(ss, port, proto, -1, 1)) == -1)
return (-1);

if (bind(s, (struct sockaddr *)ss, ss->ss_len) == -1)
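Review bot: `1` here makes relay_socket_listen() the only caller that still asks for SO_REUSEPORT, and bind() follows immediately in the context line, which is exactly the "listening ports only" rule from the log. This copy of the mail is cut off after the bind() line, so check the trailing context of the hunk against the tree rather than from here before applying.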