when to use synproxy (and when not ;)

2005-11-07 Thread Joel CARNAT
Hi,

On my firewall (not bridge), all accepted incoming requests to my hosted
services are allowed with 'flags S/SA modulate state'. As my firewall is
a NAT router, I thought I might use 'synproxy' rather than 'modulate
state'. Since my firewall is not configured as a bridge, this looks like
a good idea according to the man page.

Reading the OpenBSD pf documentation and the pf.conf examples found on
Google, it seems using 'synproxy' is not that automatic.

So my question is: can I automatically use 'flags S/SA modulate state'
to allow incoming requests, or are there any restrictions (e.g. not
with ICMP, or not with domain/UDP, ...)?

TIA,
Jo
-- 
,- This mail runs --.
`- NetBSD/smtp -'
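As an added illustration (not part of the original mail), a pf.conf fragment showing how the incoming rules of such a NAT router could be split: 'synproxy state' applies to TCP only, so the UDP and ICMP rules stay on 'keep state'. The interface names, addresses and macros ($ext_if, $www, $mail, $dns) are assumptions.

```conf
# Added example, not from the original mail; names and addresses are assumed.
ext_if = "fxp0"
int_if = "fxp1"
www    = "192.168.1.10"     # hosted web server behind the NAT router
mail   = "192.168.1.11"     # hosted mail server
dns    = "192.168.1.12"     # hosted DNS server

# Redirect the public services to the internal hosts.
rdr on $ext_if proto tcp from any to ($ext_if) port { www, https } -> $www
rdr on $ext_if proto tcp from any to ($ext_if) port smtp -> $mail
rdr on $ext_if proto { tcp, udp } from any to ($ext_if) port domain -> $dns

block in log on $ext_if

# TCP services: synproxy state lets the firewall complete the three-way
# handshake itself and only opens the connection to the server once the
# client has answered. It replaces 'flags S/SA modulate state' on TCP rules
# (synproxy state already includes keep state and modulate state).
pass in on $ext_if proto tcp from any to $www  port { www, https } flags S/SA synproxy state
pass in on $ext_if proto tcp from any to $mail port smtp flags S/SA synproxy state
pass in on $ext_if proto tcp from any to $dns  port domain flags S/SA synproxy state

# UDP and ICMP have no handshake to proxy, so synproxy state does not apply
# to them; keep state is the option to use for these rules.
pass in on $ext_if proto udp from any to $dns port domain keep state
pass in inet proto icmp from any to ($ext_if) icmp-type echoreq keep state

# Outbound traffic from the LAN, unchanged from the modulate state setup.
pass out on $ext_if proto tcp from $int_if:network to any flags S/SA modulate state
pass out on $ext_if proto { udp, icmp } from $int_if:network to any keep state
```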



Re: Re: (why can't)/(does) carp work on bridges ?

2004-12-17 Thread Joel CARNAT
On Thu, Dec 16 2004 - 20:46, Jason Dixon wrote:
> On Dec 16, 2004, at 10:18 AM, Joel CARNAT wrote:
>
> > I wanted to do CARPing on interfaces which were part of bridges.
> > According to my readings and testing (it's been 1 week I'm trying to
> > have it working ;), it seems you can't enable carp on an interface that
> > is bridged to some other...
>
> I believe you can, so long as your interface has an IP assigned to it.
> An IP is needed, but you will not be routing; don't let it confuse you.
> You're still bridging all packets between the external segment and the
> protected segment. I haven't tried it myself (yet), so caveat emptor.

I just (re)tested this configuration:
bge0: 192.168.10.201
bge1: 192.168.10.202
carp0: 192.168.10.200 carpdev bge0
bridge0: add bge0 add bge1

My test is pinging 192.168.10.200 (the carp interface).
It's OK until I brconfig bridge0 up.
From then on, I can see (tcpdump) echo requests on bge0 and bge1 but nowhere
else (and no ack anywhere).
Then I brconfig bridge0 down and the ping works again.

That's why I'm pretty sure the bug is the bridge (or at least the way I
configured it ;)...
I thought, maybe, setting the bridge confuses carp because packets are
first forwarded from bge0 to bge1 and, as carp0 is linked to bge0, it
doesn't work on the packet (yes, I already tried to set carp0 on bge1
and the same error occurs).

Another weird thing (or at least one I don't understand =) is, on the
working config (aka ping carp is OK), I see rq/ack on bge0 and rq only
on carp0. Shouldn't I see rq/ack on carp0 too? Maybe the clue?

 
> > Is it really true (or did I miss a bit of configuration)?
> > And, if so, why? What makes it impossible?
>
> Actually, Ryan McBride recently posted a diff to -current to allow CARP
> interfaces to bind to the physical interface (without IP) using the
> carpdev keyword.
 

Well, I already had this discussion with him (I think it was either
privately or on [EMAIL PROTECTED]); anyway, I did install the snapshot
(timestamped about Dec 8th) that allows the carpdev feature.

So this is OK: I can have carp listen on some IP while the real
interface has no IP (or an IP in some different IP range; in my case,
the interface has a private IP and carp has a public one).

But even with this patch applied, my carp stops working as soon as I
ifconfig bridge0 up.

http://marc.theaimsgroup.com/?l=openbsd-tech&m=110229937028512&w=2

-- 
,-- This mail runs -.
` NetBSD/i386 --'


(why can't)/(does) carp work on bridges ?

2004-12-16 Thread Joel CARNAT
Hi,

I wanted to do CARPing on interfaces which were part of bridges.
According to my readings and testing (it's been 1 week I'm trying to
have it working ;), it seems you can't enable carp on an interface that
is bridged to some other...

Is it really true (or did I miss a bit of configuration)?
And, if so, why? What makes it impossible?

PS: my initial plan was
Internet---ex0 (no IP)==bridge0==ex1 (privateIP) / carp0 (public IP)---LAN with public IPs
The bridge is connected to an internet router, and serves as a FW/GTW
for the public servers. I wanted to have failover on this equipment.

TIA,
Jo
-- 
,-- This mail runs -.
` NetBSD/i386 --'