Hello Reyk,

After probing using my browser without a proxy, all worked fine. I tried with 2 different proxies (one ISA and one Squid) without luck.
The proxy gives me a "Zero sized reply"; maybe the proxy doesn't like DSR.

Sorry for bothering you all :)

Saludos / Regards
Leonardo Santagostini

2013/3/1 Leonardo Santagostini <lsantagost...@gmail.com>:
> Hello Reyk, sorry for the inconsistencies, they were there to hide the real
> names (to protect internal things).
>
> Here comes the config with the homework well done (sorry again)
>
> ext_if="pcn0"
>
> set fingerprints "/etc/pf.os"
> set optimization aggressive
>
> # match on $ext_if all scrub (no-df)
>
> # Create the tables I will use
> table <ips_malas> persist
> table <redes_yell> persist file "/etc/redes.yell"
> table <redes_permitidas> persist file "/etc/redes_permitidas.txt"
>
> # Define the load balancer IP for Mobile
> address_mobile = "10.0.1.181"
> address1 = "10.0.1.16"
>
> # Stop processing when the traffic comes from the internal networks
> pass in quick from <redes_yell> to any
>
> # Let through the IPs from the permitted networks
> pass in quick from <redes_permitidas> to $address_mobile
>
> # Generate the block rules
> block in quick from <ips_malas>
> block in log quick on $ext_if proto tcp from any os "NMAP" to any label ExtNMAPScan
>
> # Protection against nmap and similar tools
> # block in quick on $ext_if proto tcp flags FUP/WEUAPRSF
> block in quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
> block in quick on $ext_if proto tcp flags SRAFU/WEUAPRSF
> block in quick on $ext_if proto tcp flags /WEUAPRSF
> block in quick on $ext_if proto tcp flags SR/SR
> block in quick on $ext_if proto tcp flags SF/SF
> block in quick from urpf-failed
>
>
> # Apply DoS and SYN flood rules for tld
> pass in log on $ext_if proto tcp to $address_mobile port www keep state (sloppy, max 10000, max-src-nodes 5000, max-src-conn 100, max-src-conn-rate 95/2, adaptive.start 6000, adaptive.end 12000, tcp.first 15, tcp.opening 5, tcp.established 3600, tcp.closing 5, tcp.finwait 15, tcp.closed 15, tcp.tsdiff 5)
>
>
> # Apply DoS and SYN flood rules for tld2
> pass in on $ext_if proto tcp to $address1 port www keep state (sloppy, max 10000, max-src-nodes 5000, max-src-conn 150, max-src-conn-rate 150/3)
>
>
> # Anchor for relayd
> anchor "relayd/*"
>
> ----------------------------
> # Load balancing configuration file
>
> ## Global options
> interval 5
> timeout 1000
> prefork 5
>
> ## VIP addresses
> address1="10.0.1.16"
> address2="10.0.1.181"
> address3="10.0.1.182"
>
>
> ## Server addresses
> mobileWap01="10.0.1.200"
> mobileWap02="10.0.1.201"
> webcache01="10.0.1.70"
> webcache02="10.0.1.71"
> webcache03="10.0.1.72"
> webcache04="10.0.1.73"
>
> ## Table definitions
> table <mobileweb> { $mobileWap01 $mobileWap02 }
> table <webcaches> { $webcache01 $webcache02 $webcache03 $webcache04 }
> table <webcaches1> { $webcache01 }
>
> ## Protocol definitions (filters)
>
> http protocol "tld" {
>
> # Performance parameters
> tcp {nodelay, sack, socket buffer 65536, backlog 100 }
>
> ## Test
> # return error
>
> # Close the connection
> header change "Connection" to "close"
>
> # Block disallowed sites
> label "URL Request DENIED"
> request header expect "tld.com.ar" from "Host"
> request header expect "www.tld.com.ar" from "Host"
> request header expect "s.tld.com.ar" from "Host"
> request header expect "get.tld.com.ar" from "Host"
> request header expect "test.tld.com.ar" from "Host"
>
> # Block disallowed browsers
> label "Please try a <em>different Browser</em>"
> header filter "Mozilla/4.0 *" from "User-Agent"
>
> header append "$REMOTE_ADDR" to "X-Forwarded-For"
> cookie hash "sessid"
>
> }
> http protocol "tld1" {
>
> # Performance parameters
> tcp {nodelay, sack, socket buffer 65536, backlog 100 }
>
> # return error
>
> # Close the connection
> header change "Connection" to "close"
>
> # Block disallowed sites
> label "URL Request DENIED"
> request header expect "tld1.com.ar" from "Host"
> request header expect "*.tld1.com.ar" from "Host"
> request header expect "rojas.tld1.com.ar" from "Host"
>
> # Block disallowed browsers
> label "Please try a <em>different Browser</em>"
> header filter "Mozilla/4.0 *" from "User-Agent"
>
> header append "$REMOTE_ADDR" to "X-Forwarded-For"
> cookie hash "sessid"
>
> }
>
> http protocol "tld2" {
>
> # Performance parameters
> tcp {nodelay, sack, socket buffer 65536, backlog 100 }
>
> # return error
>
> # Close the connection
> header change "Connection" to "close"
> # request header expect "*.tld2.com.ar" from "Host"
>
> header append "$REMOTE_ADDR" to "X-Forwarded-For"
> }
>
>
> ## Relay definitions
> relay tld {
> listen on $address2 port 80
> protocol "tld"
> forward to <mobileweb> port 80 mode roundrobin check http "/relaycheck/mobileWAP/index.php" code 200
> }
>
> relay tld1 {
> listen on $address3 port 80
> protocol "tld1"
> forward to <webcaches> port 80 mode roundrobin check http "/monitoreo/relayd.txt" code 200
> }
>
> relay tld2 {
> listen on $address1 port 80
> protocol "tld2"
> forward to <webcaches1> port 80 mode roundrobin check http "/monitoreo/relayd.txt" code 200
> }
>
>
> I will shortly provide the tcpdump you requested.
>
> Thanks in advance
>
>
> Saludos / Regards
> Leonardo Santagostini
>
>
> 2013/3/1 Reyk Floeter <r...@openbsd.org>:
>> Hi,
>>
>> On 01.03.2013 at 15:24, Leonardo Santagostini <lsantagost...@gmail.com> wrote:
>>> I'm facing maybe a misbehavior in my OpenBSD 5.2. This machine is
>>> virtualized with KVM with 2 CPU and 4 Gb RAM
>>>
>>> I'm running 5.2 GENERIC#278 i386
>>>
>>> The point is:
>>>
>>> The tld relay rule as shown in my config is working properly. But tld1 and
>>> tld2 don't work when the POST method is invoked from the page served
>>> by the 4 webcaches I have working behind relayd.
>>>
>>
>> Do you have any log messages from relayd? Run it in the foreground with some -d
>> and -v flags to get more info...
>>
>> Can you provide some information about the POST? Maybe a pcap or tcpdump
>> text dump: what do the HTTP headers look like, how large is the payload etc.
>>
>> But please look below first, there are inconsistencies in your relayd.conf.
>>
>>> ext_if="pcn0"
>>>
>>> set fingerprints "/etc/pf.os"
>>> set optimization aggressive
>>>
>>> # match on $ext_if all scrub (no-df)
>>>
>>> # Create the tables I will use
>>> table <ips_malas> persist
>>> table <redes_yell> persist file "/etc/redes.yell"
>>> table <redes_permitidas> persist file "/etc/redes_permitidas.txt"
>>>
>>> # Define the load balancer IP for Mobile
>>> address_mobile = "10.0.1.181"
>>> address1 = "10.0.1.16"
>>>
>>> # Stop processing when the traffic comes from the internal networks
>>> pass in quick from <redes_yell> to any
>>>
>>> # Let through the IPs from the permitted networks
>>> pass in quick from <redes_permitidas> to $address_mobile
>>>
>>> # Generate the block rules
>>> block in quick from <ips_malas>
>>> block in log quick on $ext_if proto tcp from any os "NMAP" to any label ExtNMAPScan
>>>
>>> # Protection against nmap and similar tools
>>> # block in quick on $ext_if proto tcp flags FUP/WEUAPRSF
>>> block in quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
>>> block in quick on $ext_if proto tcp flags SRAFU/WEUAPRSF
>>> block in quick on $ext_if proto tcp flags /WEUAPRSF
>>> block in quick on $ext_if proto tcp flags SR/SR
>>> block in quick on $ext_if proto tcp flags SF/SF
>>> block in quick from urpf-failed
>>>
>>>
>>> # Apply DoS and SYN flood rules for tld
>>> pass in log on $ext_if proto tcp to $address_mobile port www keep state (sloppy, max 10000, max-src-nodes 5000, max-src-conn 100, max-src-conn-rate 95/2, adaptive.start 6000, adaptive.end 12000, tcp.first 15, tcp.opening 5, tcp.established 3600, tcp.closing 5, tcp.finwait 15, tcp.closed 15, tcp.tsdiff 5)
>>>
>>>
>>> # Apply DoS and SYN flood rules for tld2
>>> pass in on $ext_if proto tcp to $address1 port www keep state (sloppy, max 10000, max-src-nodes 5000, max-src-conn 150, max-src-conn-rate 150/3)
>>>
>>>
>>> # Anchor for relayd
>>> anchor "relayd/*"
>>>
>>> ----------------------------
>>> # Load balancing configuration file
>>>
>>> ## Global options
>>> interval 5
>>> timeout 1000
>>> prefork 5
>>>
>>> ## VIP addresses
>>> address1="10.0.1.16"
>>> address2="10.0.1.181"
>>> address3="10.0.1.182"
>>>
>>>
>>> ## Server addresses
>>> mobileWap01="10.0.1.200"
>>> mobileWap02="10.0.1.201"
>>> webcache01="10.0.1.70"
>>> webcache02="10.0.1.71"
>>> webcache03="10.0.1.72"
>>> webcache04="10.0.1.73"
>>>
>>> ## Table definitions
>>> table <mobileweb> { $mobileWap01 $mobileWap02 }
>>> table <webcaches> { $webcache01 $webcache02 $webcache03 $webcache04 }
>>> table <webcaches1> { $webcache01 }
>>>
>>> ## Protocol definitions (filters)
>>>
>>> http protocol "tld" {
>>>
>>
>> OK, I see this is used by relay "tld".
>>
>>> # Performance parameters
>>> tcp {nodelay, sack, socket buffer 65536, backlog 100 }
>>>
>>
>> FYI, the socket buffer option can probably be removed as we support dynamic
>> buffer scaling since a few releases.
>>
>>> ## Test
>>> # return error
>>>
>>> # Close the connection
>>> header change "Connection" to "close"
>>>
>>> # Block disallowed sites
>>> label "URL Request DENIED"
>>> request header expect "tld.com.ar" from "Host"
>>> request header expect "www.tld.com.ar" from "Host"
>>> request header expect "s.tld.com.ar" from "Host"
>>> request header expect "get.tld.com.ar" from "Host"
>>> request header expect "test.tld.com.ar" from "Host"
>>>
>>> # Block disallowed browsers
>>> label "Please try a <em>different Browser</em>"
>>> header filter "Mozilla/4.0 *" from "User-Agent"
>>>
>>> header append "$REMOTE_ADDR" to "X-Forwarded-For"
>>> cookie hash "sessid"
>>>
>>> }
>>> http protocol "httpRural" {
>>
>> This is not used by any of the relays.
>>
>>>
>>> # Performance parameters
>>> tcp {nodelay, sack, socket buffer 65536, backlog 100 }
>>>
>>> # return error
>>>
>>> # Close the connection
>>> header change "Connection" to "close"
>>>
>>> # Block disallowed sites
>>> label "URL Request DENIED"
>>> request header expect "tld1.com.ar" from "Host"
>>> request header expect "*.tld1.com.ar" from "Host"
>>> request header expect "rojas.tld1.com.ar" from "Host"
>>>
>>> # Block disallowed browsers
>>> label "Please try a <em>different Browser</em>"
>>> header filter "Mozilla/4.0 *" from "User-Agent"
>>>
>>> header append "$REMOTE_ADDR" to "X-Forwarded-For"
>>> cookie hash "sessid"
>>>
>>> }
>>>
>>> http protocol "httpBlancas" {
>>>
>>
>> This is not used by any of the relays.
>>
>>> # Performance parameters
>>> tcp {nodelay, sack, socket buffer 65536, backlog 100 }
>>>
>>> # return error
>>>
>>> # Close the connection
>>> header change "Connection" to "close"
>>> # request header expect "*.tld2.com.ar" from "Host"
>>>
>>> header append "$REMOTE_ADDR" to "X-Forwarded-For"
>>> }
>>>
>>>
>>> ## Relay definitions
>>> relay tld {
>>> listen on $address2 port 80
>>> protocol "tld"
>>> forward to <mobileweb> port 80 mode roundrobin check http "/relaycheck/mobileWAP/index.php" code 200
>>> }
>>>
>>> relay tld1 {
>>> listen on $address3 port 80
>>> protocol "tld1"
>>
>> This protocol "tld1" does not exist - do you mean httpRural or httpBlancas?
>>
>>> forward to <webcaches> port 80 mode roundrobin check http "/monitoreo/relayd.txt" code 200
>>> }
>>>
>>> relay tld2 {
>>> listen on $address1 port 80
>>> protocol "tld2"
>>
>> This protocol "tld2" does not exist - do you mean httpRural or httpBlancas?
>>
>>> forward to <webcaches1> port 80 mode roundrobin check http "/monitoreo/relayd.txt" code 200
>>> }
>>>
>>> I would really appreciate any clue or any idea that makes this work.
>>>
>>> Thanks in advance
>>>
>>> Saludos / Regards
>>> Leonardo Santagostini
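The dangling protocol references Reyk spotted (relays "tld1" and "tld2" naming protocols that were defined as "httpRural" and "httpBlancas") are easy to catch with a small cross-reference check before relayd is restarted. The script below is an added example, not code from the thread or from relayd itself; it runs over a constructed config that mirrors the original relayd.conf, and its regexes assume the simple one-directive-per-line layout used there (quoted names, unnested braces).

```python
import re
# Constructed sample that mirrors the thread's original relayd.conf: relays
# "tld1" and "tld2" reference protocols that exist only under other names,
# and "tld2" also forwards to a table that is never declared.
SAMPLE_CONF = """
table <mobileweb> { 10.0.1.200 10.0.1.201 }
table <webcaches> { 10.0.1.70 10.0.1.71 }
http protocol "tld" {
    header change "Connection" to "close"
}
http protocol "httpRural" {
    header change "Connection" to "close"
}
relay tld {
    protocol "tld"
    forward to <mobileweb> port 80 mode roundrobin
}
relay tld1 {
    protocol "tld1"
    forward to <webcaches> port 80 mode roundrobin
}
relay tld2 {
    protocol "tld2"
    forward to <webcaches1> port 80 mode roundrobin
}
"""

PROTO_DEF = re.compile(r'^\s*(?:http|tcp|dns)?\s*protocol\s+"?([\w.-]+)"?\s*\{', re.M)
TABLE_DEF = re.compile(r'^\s*table\s+<([\w.-]+)>', re.M)
RELAY_BLOCK = re.compile(r'^\s*relay\s+"?([\w.-]+)"?\s*\{(.*?)^\s*\}', re.M | re.S)
PROTO_REF = re.compile(r'^\s*protocol\s+"?([\w.-]+)"?', re.M)
TABLE_REF = re.compile(r'forward\s+to\s+<([\w.-]+)>')

def find_dangling(conf):
    """Return (relay, kind, name) for each protocol or table a relay references
    without a matching definition; relayd refuses to load such a config."""
    conf = re.sub(r'#.*', '', conf)          # drop comments before matching
    protocols = set(PROTO_DEF.findall(conf))
    tables = set(TABLE_DEF.findall(conf))
    problems = []
    for relay, body in RELAY_BLOCK.findall(conf):
        problems += [(relay, "protocol", p) for p in PROTO_REF.findall(body)
                     if p not in protocols]
        problems += [(relay, "table", t) for t in TABLE_REF.findall(body)
                     if t not in tables]
    return problems

if __name__ == "__main__":
    for relay, kind, name in find_dangling(SAMPLE_CONF):
        print(f'relay {relay}: {kind} "{name}" is not defined')
```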