RE: PF - Removing Server from Pool when Service is Down
Hey Sylvester:

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Sylwester S. Biernacki
> Sent: Tuesday, December 12, 2006 2:21 PM
> To: pf@benzedrine.cx
> Subject: Re: PF - Removing Server from Pool when Service is Down
>
> On Tuesday, December 12, 2006, at 19:31:31, Michael K. Smith - Adhost wrote:
>> Hello All:
>>
>> We are using PF on FreeBSD to Round-Robin across multiple mail servers. We would like to be able to remove a server from the round-robin pool based upon its application state *and/or* its physical state. So, if server x is down, or not responding on port 25, it's removed from the round-robin table automatically and then put back in the table when service is restored. I'm comfortable with the pfctl syntax to perform these tasks but I'm wondering if there are tools to automate the process. Any help would be greatly appreciated.
>
> I will tell you exactly the same as Daniel wrote to me when I asked for it: what for? shell scripts+pfctl is good enough ;-)
>
> anyway, if you find anything worth looking at, please let me know ;)

I think that's the route we're going to take. I'm thinking about writing a listener on all of the servers in the pool that report to a server on the pf-enabled load balancers. The server would then add/remove devices from the tables using pfctl. We're interested in having this work in a heterogeneous OS environment so we'll probably use PERL instead of a Shell.

If anyone wants a copy of the scripts just let me know and I'll send them individually or as an announcement to the list if there's enough interest.

Regards,

Mike
Re: PF - Removing Server from Pool when Service is Down
OpenBSD has ifstated, which is a pretty simple to configure state engine.

Karl [EMAIL PROTECTED]
Free Software: "You don't pay back, you pay forward." -- Robert A. Heinlein
Re[2]: PF - Removing Server from Pool when Service is Down
On Wednesday, December 13, 2006, at 15:59:02, Karl O. Pinc wrote:
> OpenBSD has ifstated, which is a pretty simple to configure state engine.

It's true, but it's unusable here - if a machine gets 100% cpu load it won't put down its interface. Also if you use a load balancer almost every time you have 2 or more servers in a server farm behind the load balancer, so you don't connect the load balancer to the servers in the server farm via cross-over cable ;P

IMHO the solution for such a config is not to use OSI Layer 1 and 2, but 3 and 4 :)

--
Sylwester S. Biernacki [EMAIL PROTECTED]
X-NET, http://www.xnet.com.pl/
establish
Hi all

How can I translate this ipfw rule

  ipfw add permit from any to any established

into a pf rule?

Regards.

--
Albert SHIH
Universite de Paris 7 (Denis DIDEROT)
U.F.R. de Mathematiques.
7 ième étage, plateau D, bureau 10
Heure local/Local time:
Wed Dec 13 15:43:05 CET 2006
Re: Re[2]: PF - Removing Server from Pool when Service is Down
On 12/13/2006 09:40:03 AM, Sylwester S. Biernacki wrote:
> On Wednesday, December 13, 2006, at 15:59:02, Karl O. Pinc wrote:
>> OpenBSD has ifstated, which is a pretty simple to configure state engine.
>
> It's true, but it's unusable here - if a machine gets 100% cpu load it won't put down its interface.

ifstatd will run scripts. You'd have to write various scripts on the load balancer to monitor various aspects of the webservers. And various scripts to fiddle with the load balancing as a result. The only thing ifstatd would do automatically is detect if one of the load balancer's interfaces went down for whatever reason. That _is_ something that you'd want to do to be thorough.

You could use snmp or roll your own for whatever monitoring plugin scripts you'd need. All ifstatd provides is a basic control framework. This is an advantage because the state engine approach makes things nice and modular. The only limitation is that ifstatd uses polling for everything but the interface detection.

YMMV.

Karl [EMAIL PROTECTED]
Free Software: "You don't pay back, you pay forward." -- Robert A. Heinlein
Re[2]: PF - Removing Server from Pool when Service is Down
On Wednesday, December 13, 2006, at 09:20:11, pf@benzedrine.cx wrote:
> I think that's the route we're going to take. I'm thinking about writing a listener on all of the servers in the pool that report to a server on the pf-enabled load balancers. The server would then add/remove devices from the tables using pfctl. We're interested in having this work in a heterogeneous OS environment so we'll probably use PERL instead of a Shell.

But remember the following:

1. If you only send info to the PF load-balancer it will never get to know if your sender goes down. So you have to use sth that will check if the sender is up or not.

2. When you have feedback from the server farm (aka senders) just like it's written in point 1., you can make clever load-balancing, i.e. if your sender tells you "oh, my cpu is going to have 95% load" you can send him half as many packets as before (of course as soon as a protocol other than round-robin or source-hash is supported in the PF rdr rule). BTW, Daniel and other developers: do you plan such a thing?

3. No matter if it's case 1 or 2 you have to put some software on the server-farm boxes which will tell you sth is wrong - we've made a simple script which was writing OK/ERROR NUMBER XXX if a shell script connected to it (on another port of course, and it was a simple script bound to that port).

> If anyone wants a copy of the scripts just let me know and I'll send them individually or as an announcement to the list if there's enough interest.

If I can help in that case please let me know :)

--
Sylwester S. Biernacki [EMAIL PROTECTED]
X-NET, http://www.xnet.com.pl/
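An added example that is not part of the thread, sketching the "shell scripts + pfctl" approach Mike describes while honouring Sylwester's point 1: the balancer probes each pool member's port 25 itself and adds or deletes it from the pf table, rather than trusting members to report in. The table name, pool addresses and the rdr rule in the header comment are assumed placeholders.

```shell
# Added example, not code from the thread: keep a pf table of live mail servers
# in sync with an active port-25 check run from the balancer itself, so a member
# that silently dies is noticed (point 1 above). Names are placeholders; assumed pf.conf:
#   table <mailpool> persist { 192.0.2.11, 192.0.2.12, 192.0.2.13 }
#   rdr on $ext_if proto tcp to $smtp_vip port 25 -> <mailpool> round-robin
# Run from cron every minute as "sh poolcheck.sh run"; DRY_RUN=1 only prints.
TABLE=${TABLE:-mailpool}
PORT=${PORT:-25}
POOL=${POOL:-"192.0.2.11 192.0.2.12 192.0.2.13"}

# Application-level check: can we complete a TCP handshake to the SMTP port?
smtp_alive() { nc -z -w 3 "$1" "$PORT" >/dev/null 2>&1; }

# Addresses currently in the table, space-separated.
current_members() { pfctl -t "$TABLE" -T show 2>/dev/null | tr -s ' \t\n' ' '; }

# Pure function: given "current members" and "healthy members" (space-separated),
# print the pfctl commands that make the table match, one per line.
plan_changes() {
    out=""
    for h in $2; do                      # healthy but not yet in table: add
        case " $1 " in *" $h "*) ;; *) out="$out
pfctl -t $TABLE -T add $h" ;; esac
    done
    for h in $1; do                      # in table but not healthy: delete
        case " $2 " in *" $h "*) ;; *) out="$out
pfctl -t $TABLE -T delete $h" ;; esac
    done
    printf '%s' "${out#?}"               # strip the leading newline
}

# Probe every pool member, then apply (or print) only the needed changes.
sync_table() {
    ok=""
    for h in $POOL; do smtp_alive "$h" && ok="$ok $h"; done
    plan_changes "$(current_members)" "$ok" | while IFS= read -r cmd; do
        [ -n "$cmd" ] || continue
        if [ -n "${DRY_RUN:-}" ]; then echo "$cmd"; else $cmd; fi
    done
}

case "${1:-}" in run) sync_table ;; esac
```

Because only the difference between the table and the healthy set is applied, a steady-state run issues no pfctl commands at all, and a member comes back automatically once its port 25 answers again.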
pf on FreeBSD
Hi all

I've a very strange problem. I've a FreeBSD box running pf with 3 NICs, one on each different subnet (all public). I'm using ipfw for making a router. I want to use pf now. I've been using the keep state option on all my rules but it seems not to be working. With the keep state option I've got a dynamic rule in pfctl but it's in the wrong direction.

Is it a problem with FreeBSD or with pf?

For example I've put this kind of rule

  pass in on $first-nic proto tcp from IP-A to IP-B port 22 keep state

When I try to connect from IP-A to IP-B using ssh the connection doesn't work. And I've got

  self tcp IP-B:22 <- IP-A:56906       CLOSED:SYN_SENT
  self tcp IP-B:22 <- IP-A:59496       CLOSED:SYN_SENT

in my pfctl -s state and got deny for outgoing packet from IP-B to IP-A.

On my old FreeBSD I'm using something like

  ipfw add permit any to any established

How can I do that on pf?

Regards.

--
Albert SHIH
Universite de Paris 7 (Denis DIDEROT)
U.F.R. de Mathematiques.
7 ième étage, plateau D, bureau 10
Heure local/Local time:
Wed Dec 13 17:44:00 CET 2006
Re: mismatch on route through packet/byte counts
On Mon, Dec 04, 2006 at 02:02:38PM +0100, Axel Rau wrote:
> If flags S/SA would just be ignored by non-tcp packets, I would be happy.

Be happy, it is. ;)

> But the man page says:
>
>   This rule only applies to TCP packets that have the flags a set out of set b.
>
> This means to me: all non-tcp packets are ignored by this rule.

This probably should read instead

  This rule only applies to TCP packets which have the flags a set out of set b.

Daniel
Re: pf on FreeBSD
On Wed, Dec 13, 2006 at 05:52:03PM +0100, Albert Shih wrote:
> Is it a problem with FreeBSD or with pf?

With neither, you're assuming a state entry has the same effect in pf as in ipfw, which is not the case.

> For example I've put this kind of rule
>
>   pass in on $first-nic proto tcp from IP-A to IP-B port 22 keep state
>
> When I try to connect from IP-A to IP-B using ssh the connection doesn't work. And I've got
>
>   self tcp IP-B:22 <- IP-A:56906       CLOSED:SYN_SENT
>   self tcp IP-B:22 <- IP-A:59496       CLOSED:SYN_SENT
>
> in my pfctl -s state and got deny for outgoing packet from IP-B to IP-A.

That is expected with pf. A state entry created for an incoming packet on one interface does not allow the same packet to go out through another interface, it merely allows further packets through the same interface and _replies_ back out through the same interface.

If you do want to allow the packets to pass through another interface (as is usually the case with legitimate forwarded connections), you have to add

  pass out on $second-nic proto tcp from IP-A to IP-B port 22 keep state

which will then create a _second_ state entry for the same connection.

The point of this is that you can control _which_ interface(s) a connection must flow through, instead of granting a permission to pass any and all interfaces. This may seem pointless to want to control in a simple setup which only forwards between two NICs, but it isn't in a more complex case with multiple NICs and routing tables dynamically updated and/or not trusted.

> On my old FreeBSD I'm using something like
>
>   ipfw add permit any to any established

The pf counterpart would be

  pass from any to any keep state

i.e. leaving out the 'on $if' part makes the rule apply to all interfaces, and leaving out the 'out' or 'in' direction makes it apply to both directions.

Daniel
Re: establish
On 2006/12/13 15:44, Albert Shih wrote:
> How can I translate this ipfw rule
>
>   ipfw add permit from any to any established
>
> into a pf rule?

Assuming the established session setup was allowed by a 'keep state' rule, you don't do anything, it's done by default.

> With the keep state option I've got a dynamic rule in pfctl but it's in the wrong direction.
>
>   pass in on $first-nic proto tcp from IP-A to IP-B port 22 keep state

How about a rule to allow outgoing packets out of the other nic?

Make sure you have 'log' on your block rules, and use:

  # tcpdump -netti pflog0

then you will see which packets are being dropped.
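Daniel's two-state explanation and the pflog check from the reply above, put together as an added pf.conf fragment that is not from the thread. Interface names, addresses and macro names are assumed placeholders (pf.conf macro names cannot contain a hyphen, so $first-nic becomes $first_nic).

```pf
# Added example, not from the thread. Router forwarding SSH from IP-A
# (arriving on the first NIC) to IP-B (leaving via the second NIC).
# Interfaces and addresses below are assumed placeholders.
first_nic  = "em0"
second_nic = "em1"
ip_a = "192.0.2.10"
ip_b = "198.51.100.20"

# Log every drop, so "tcpdump -netti pflog0" shows exactly which packet
# pf refused and on which interface.
block log all

# State 1: the connection entering on the first interface. This state only
# covers further packets on that interface and replies back out of it.
pass in  on $first_nic  proto tcp from $ip_a to $ip_b port 22 keep state

# State 2: the same connection leaving through the second interface.
# Without this rule the forwarded SYN shows up in pflog as blocked out
# on $second_nic, even though state 1 exists.
pass out on $second_nic proto tcp from $ip_a to $ip_b port 22 keep state

# The coarse ipfw "established" equivalent Daniel gives: no interface and no
# direction, so one rule covers every NIC in both directions. Use it instead
# of the two per-interface rules if you do not care which path a flow takes.
# pass from any to any keep state
```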
Re[4]: PF - Removing Server from Pool when Service is Down
On Wednesday, December 13, 2006, at 17:14:39, Karl O. Pinc wrote:
> On 12/13/2006 09:40:03 AM, Sylwester S. Biernacki wrote:
>> On Wednesday, December 13, 2006, at 15:59:02, Karl O. Pinc wrote:
>>> OpenBSD has ifstated, which is a pretty simple to configure state engine.
>>
>> It's true, but it's unusable here - if a machine gets 100% cpu load it won't put down its interface.
>
> ifstatd will run scripts.

ifstated(8)? ifstatd is on FreeBSD :P

> You'd have to write various scripts on the load balancer to monitor various aspects of the webservers. And various scripts to fiddle with the load balancing as a result. The only thing ifstatd would do automatically is detect if one of the load balancer's interfaces went down for whatever reason. That _is_ something that you'd want to do to be thorough.

Ok, I agree, it can be useful, however the main problem is not to check if the load-balancer interface is down, but if the webservers are working and replying to i.e. HTTP or not. Load balancing in PF is just packet redirection, which makes it without a big impact on CPU or kernel. And it makes the load-balancer much more reliable than the webservers. Anyway, if you have two CARP load-balancers and wish to do the checking only once (by the current MASTER) it is good to use it :)

> You could use snmp or roll your own for whatever monitoring plugin scripts you'd need. All ifstatd provides is a basic control framework. This is an advantage because the state engine approach makes things nice and modular.

Ok, if it's nice or not I won't tell - I know nicer progs :P

> The only limitation is that ifstatd uses polling for everything but the interface detection.

There are no perfect progs (even if m$ are telling that :P)... But imho it may not be a limitation for other purposes of ifstated :)

--
Sylwester S. Biernacki [EMAIL PROTECTED]
X-NET, http://www.xnet.com.pl/
Re[2]: PF - Removing Server from Pool when Service is Down
On Wed, 13 Dec 2006, Sylwester S. Biernacki wrote:
> On Wednesday, December 13, 2006, at 15:59:02, Karl O. Pinc wrote:
>> OpenBSD has ifstated, which is a pretty simple to configure state engine.
>
> It's true, but it's unusable here - if a machine gets 100% cpu load it won't put down its interface. Also if you use a load balancer almost every time you have 2 or more servers in a server farm behind the load balancer, so you don't connect the load balancer to the servers in the server farm via cross-over cable ;P
>
> IMHO the solution for such a config is not to use OSI Layer 1 and 2, but 3 and 4 :)

Yep, and writing something to do those checks (or just grabbing a bunch of existing tools, like maybe Nagios' check_http plugin) would be easy.

My question re: pfsense is what kind of API is there (if any) to twiddle config values from the command line? I'm only speaking of items that are already visible in the web interface...

Thanks,
Charles

> --
> Sylwester S. Biernacki [EMAIL PROTECTED]
> X-NET, http://www.xnet.com.pl/