Hi,
Am 01.03.2013 um 15:24 schrieb Leonardo Santagostini <[email protected]>:
> I'm facing what may be a misbehavior in my OpenBSD 5.2. This machine is
> virtualized with KVM with 2 CPUs and 4 GB RAM
>
> I'm running 5.2 GENERIC#278 i386
>
> The point is:
>
> The tld relay rule as shown in my config is working properly. But tld1 and
> tld2 don't work when the POST method is invoked from the page served
> by the 4 webcaches I have working behind relayd.
>
Do you have any log messages from relayd? Run it in the foreground with the -d and
-v flags to get more info...
Can you provide some information about the POST? Maybe a pcap or a tcpdump text
dump: what do the HTTP headers look like, how large is the payload, etc.
But please look below first; there are inconsistencies in your relayd.conf.
> ext_if="pcn0"
>
> set fingerprints "/etc/pf.os"
> set optimization aggressive
>
> # match on $ext_if all scrub (no-df)
>
> # Genero las tablas que voy a usar
> table <ips_malas> persist
> table <redes_yell> persist file "/etc/redes.yell"
> table <redes_permitidas> persist file "/etc/redes_permitidas.txt"
>
> # Defino la ip del balanceador para Mobile
> address_mobile = "10.0.1.181"
> address1 = "10.0.1.16"
>
> # Dejo de procesar cuando se trata de las redes internas
> pass in quick from <redes_yell> to any
>
> # Dejo pasar las ips desde las redes permitidas
> pass in quick from <redes_permitidas> to $address_mobile
>
> # Genero el block
> block in quick from <ips_malas>
> block in log quick on $ext_if proto tcp from any os "NMAP" to any
> label ExtNMAPScan
>
> # Proteccion contra nmap y herramientas similares
> # block in quick on $ext_if proto tcp flags FUP/WEUAPRSF
> block in quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
> block in quick on $ext_if proto tcp flags SRAFU/WEUAPRSF
> block in quick on $ext_if proto tcp flags /WEUAPRSF
> block in quick on $ext_if proto tcp flags SR/SR
> block in quick on $ext_if proto tcp flags SF/SF
> block in quick from urpf-failed
>
>
> # Aplico reglas de DoS y Syn Flood en tld
> pass in log on $ext_if proto tcp to $address_mobile port www keep
> state (sloppy, max 10000, max-src-nodes 5000, max-src-conn 100,
> max-src-conn-rate 95/2, adaptive.start 6000,
> adaptive.end 12000, tcp.first 15, tcp.opening 5,
> tcp.established 3600, tcp.closing 5, tcp.finwait 15, tcp.closed 15,
> tcp.tsdiff 5)
>
>
> # Aplico reglas de DoS y Syn Flood en tld2
> pass in on $ext_if proto tcp to $address1 port www keep state (sloppy,
> max 10000, max-src-nodes 5000, max-src-conn 150, max-src-conn-rate
> 150/3)
>
>
> # Anchor Para relayd
> anchor "relayd/*"
>
> ----------------------------
> # Archivo de configuracion de balanceo
>
> ## Opciones globales
> interval 5
> timeout 1000
> prefork 5
>
> ## Direcciones de las vip
> address1="10.0.1.16"
> address2="10.0.1.181"
> address3="10.0.1.182"
>
>
> ## Direcciones de los servidores
> mobileWap01="10.0.1.200"
> mobileWap02="10.0.1.201"
> webcache01="10.0.1.70"
> webcache02="10.0.1.71"
> webcache03="10.0.1.72"
> webcache04="10.0.1.73"
>
> ## Definicion de Tablas
> table <mobileweb> { $mobileWap01 $mobileWap02 }
> table <webcaches> { $webcache01 $webcache02 $webcache03 $webcache04 }
> table <webcaches1> { $webcache01 }
>
> ## Definicion de protocolos (Filtros)
>
> http protocol "tld" {
>
OK, I see this is used by relay "tld".
> # Parametros de rendimiento
> tcp {nodelay, sack, socket buffer 65536, backlog 100 }
>
FYI, the socket buffer option can probably be removed, as we have supported dynamic
buffer scaling for a few releases now.
> ## Prueba
> # return error
>
> # Cerramos la conexion
> header change "Connection" to "close"
>
> # Block disallowed sites
> label "URL Request DENIED"
> request header expect "tld.com.ar" from "Host"
> request header expect "www.tld.com.ar" from "Host"
> request header expect "s.tld.com.ar" from "Host"
> request header expect "get.tld.com.ar" from "Host"
> request header expect "test.tld.com.ar" from "Host"
>
> # Block disallowed browsers
> label "Please try a <em>different Browser</em>"
> header filter "Mozilla/4.0 *" from "User-Agent"
>
> header append "$REMOTE_ADDR" to "X-Forwarded-For"
> cookie hash "sessid"
>
> }
> http protocol "httpRural" {
This is not used by any of the relays.
>
> # Parametros de rendimiento
> tcp {nodelay, sack, socket buffer 65536, backlog 100 }
>
> # return error
>
> # Cerramos la conexion
> header change "Connection" to "close"
>
> # Block disallowed sites
> label "URL Request DENIED"
> request header expect "tld1.com.ar" from "Host"
> request header expect "*.tld1.com.ar" from "Host"
> request header expect "rojas.tld1.com.ar" from "Host"
>
> # Block disallowed browsers
> label "Please try a <em>different Browser</em>"
> header filter "Mozilla/4.0 *" from "User-Agent"
>
> header append "$REMOTE_ADDR" to "X-Forwarded-For"
> cookie hash "sessid"
>
> }
>
> http protocol "httpBlancas" {
>
This is not used by any of the relays.
> # Parametros de rendimiento
> tcp {nodelay, sack, socket buffer 65536, backlog 100 }
>
> # return error
>
> # Cerramos la conexion
> header change "Connection" to "close"
> # request header expect "*.tld2.com.ar" from "Host"
>
> header append "$REMOTE_ADDR" to "X-Forwarded-For"
> }
>
>
> ## Definicion de los relays
> relay tld {
> listen on $address2 port 80
> protocol "tld"
> forward to <mobileweb> port 80 mode roundrobin check http
> "/relaycheck/mobileWAP/index.php" code 200
> }
>
> relay tld1 {
> listen on $address3 port 80
> protocol "tld1"
The protocol "tld1" does not exist - only "tld", "httpRural" and "httpBlancas" are defined above. Do you mean httpRural or httpBlancas?
> forward to <webcaches> port 80 mode roundrobin check http
> "/monitoreo/relayd.txt" code 200
> }
>
> relay tld2 {
> listen on $address1 port 80
> protocol "tld2"
The protocol "tld2" does not exist either - do you mean httpRural or httpBlancas?
> forward to <webcaches1> port 80 mode roundrobin check http
> "/monitoreo/relayd.txt" code 200
> }
>
> I would really appreciate any clue or any idea that makes this work.
>
> Thanks in advance
>
> Saludos / Regards
> Leonardo Santagostini