Hello Reyk,

After probing using my browser without proxy all worked fine. I tried
with 2 different proxies (one ISA and one Squid) without luck.

The proxy gives me a "Zero sized reply"; maybe the proxy doesn't like DSR.

Sorry for bothering you all :)

Saludos / Regards
Leonardo Santagostini






2013/3/1 Leonardo Santagostini <lsantagost...@gmail.com>:
> Hello Reyk, sorry for the inconsistencies; they were to hide the real
> name (to protect internal things).
>
> Here comes the config with the homework well done (sorry again)
>
> ext_if="pcn0"
>
> set fingerprints "/etc/pf.os"
> set optimization aggressive
>
> # match on $ext_if all scrub (no-df)
>
> # Create the tables I am going to use
> table <ips_malas> persist
> table <redes_yell> persist file "/etc/redes.yell"
> table <redes_permitidas> persist file "/etc/redes_permitidas.txt"
>
> # Define the load balancer IP for Mobile
> address_mobile = "10.0.1.181"
> address1 = "10.0.1.16"
>
> # Stop processing when the traffic comes from the internal networks
> pass in quick from <redes_yell> to any
>
> # Let the IPs from the allowed networks through
> pass in quick from <redes_permitidas> to $address_mobile
>
> # Create the block rules
> block in quick from <ips_malas>
> block in log quick on $ext_if proto tcp from any os "NMAP" to any
> label ExtNMAPScan
>
> # Protection against nmap and similar tools
> # block in quick on $ext_if proto tcp flags FUP/WEUAPRSF
> block in quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
> block in quick on $ext_if proto tcp flags SRAFU/WEUAPRSF
> block in quick on $ext_if proto tcp flags /WEUAPRSF
> block in quick on $ext_if proto tcp flags SR/SR
> block in quick on $ext_if proto tcp flags SF/SF
> block in quick from urpf-failed
>
>
> # Apply DoS and SYN flood rules on tld
> pass in log on $ext_if proto tcp to $address_mobile port www keep
> state (sloppy, max 10000, max-src-nodes 5000, max-src-conn 100,
> max-src-conn-rate 95/2, adaptive.start 6000, adaptive.end 12000, tcp.first 15, tcp.opening 5,
> tcp.established 3600, tcp.closing 5, tcp.finwait 15, tcp.closed 15,
> tcp.tsdiff 5)
>
>
> # Apply DoS and SYN flood rules on tld2
> pass in on $ext_if proto tcp to $address1 port www keep state (sloppy,
> max 10000, max-src-nodes 5000, max-src-conn 150, max-src-conn-rate
> 150/3)
>
>
> # Anchor for relayd
> anchor "relayd/*"
>
> ----------------------------
> # Load balancing configuration file
>
> ## Global options
> interval 5
> timeout 1000
> prefork 5
>
> ## VIP addresses
> address1="10.0.1.16"
> address2="10.0.1.181"
> address3="10.0.1.182"
>
>
> ## Server addresses
> mobileWap01="10.0.1.200"
> mobileWap02="10.0.1.201"
> webcache01="10.0.1.70"
> webcache02="10.0.1.71"
> webcache03="10.0.1.72"
> webcache04="10.0.1.73"
>
> ## Table definitions
> table <mobileweb> { $mobileWap01 $mobileWap02 }
> table <webcaches> { $webcache01 $webcache02 $webcache03 $webcache04 }
> table <webcaches1> { $webcache01 }
>
> ## Protocol definitions (filters)
>
> http protocol "tld" {
>
>         # Performance parameters
>         tcp {nodelay, sack, socket buffer 65536, backlog 100 }
>
>         ## Test
>         # return error
>
>         # Close the connection
>         header change "Connection" to "close"
>
>         # Block disallowed sites
>         label "URL Request DENIED"
>         request header expect "tld.com.ar" from "Host"
>         request header expect "www.tld.com.ar" from "Host"
>         request header expect "s.tld.com.ar" from "Host"
>         request header expect "get.tld.com.ar" from "Host"
>         request header expect "test.tld.com.ar" from "Host"
>
>         # Block disallowed browsers
>         label "Please try a <em>different Browser</em>"
>         header filter "Mozilla/4.0 *" from "User-Agent"
>
>         header append "$REMOTE_ADDR" to "X-Forwarded-For"
>         cookie hash "sessid"
>
> }
> http protocol "tld1" {
>
>         # Performance parameters
>         tcp {nodelay, sack, socket buffer 65536, backlog 100 }
>
>         # return error
>
>         # Close the connection
>         header change "Connection" to "close"
>
>         # Block disallowed sites
>         label "URL Request DENIED"
>         request header expect "tld1.com.ar" from "Host"
>         request header expect "*.tld1.com.ar" from "Host"
>         request header expect "rojas.tld1.com.ar" from "Host"
>
>         # Block disallowed browsers
>         label "Please try a <em>different Browser</em>"
>         header filter "Mozilla/4.0 *" from "User-Agent"
>
>         header append "$REMOTE_ADDR" to "X-Forwarded-For"
>         cookie hash "sessid"
>
> }
>
> http protocol "tld2" {
>
>         # Performance parameters
>         tcp {nodelay, sack, socket buffer 65536, backlog 100 }
>
>         # return error
>
>         # Close the connection
>         header change "Connection" to "close"
>         # request header expect "*.tld2.com.ar"  from "Host"
>
>         header append "$REMOTE_ADDR" to "X-Forwarded-For"
> }
>
>
> ## Relay definitions
> relay tld {
>         listen on $address2 port 80
>         protocol "tld"
>         forward to <mobileweb> port 80 mode roundrobin check http
> "/relaycheck/mobileWAP/index.php" code 200
> }
>
> relay tld1 {
>         listen on $address3 port 80
>         protocol "tld1"
>         forward to <webcaches> port 80 mode roundrobin check http
> "/monitoreo/relayd.txt" code 200
> }
>
> relay tld2 {
>         listen on $address1 port 80
>         protocol "tld2"
>         forward to <webcaches1> port 80 mode roundrobin check http
> "/monitoreo/relayd.txt" code 200
> }
>
>
> I will shortly provide the tcpdump you requested.
>
> Thanks in advance
>
>
> Saludos / Regards
> Leonardo Santagostini
>
>
>
>
>
>
> 2013/3/1 Reyk Floeter <r...@openbsd.org>:
>> Hi,
>>
>> On 01.03.2013 at 15:24, Leonardo Santagostini
>> <lsantagost...@gmail.com> wrote:
>>> I'm facing what may be a misbehavior in my OpenBSD 5.2. This machine is
>>> virtualized with KVM with 2 CPUs and 4 GB RAM
>>>
>>> I'm running 5.2 GENERIC#278 i386
>>>
>>> The point is:
>>>
>>> The tld relay rule as shown in my config is working properly. But tld1 and
>>> tld2 don't work when the POST method is invoked from the page served
>>> by the 4 webcaches I have working behind relayd.
>>>
>>
>> Do you have any log messages from relayd? Run it in foreground with some -d 
>> and -v flags to get more info...
>>
>> Can you provide some information about the POST? Maybe a pcap or tcpdump
>> text dump: what do the HTTP headers look like, how large is the payload etc.
>>
>> But please look below first, there are inconsistencies in your relayd.conf.
>>
>>> ext_if="pcn0"
>>>
>>> set fingerprints "/etc/pf.os"
>>> set optimization aggressive
>>>
>>> # match on $ext_if all scrub (no-df)
>>>
>>> # Create the tables I am going to use
>>> table <ips_malas> persist
>>> table <redes_yell> persist file "/etc/redes.yell"
>>> table <redes_permitidas> persist file "/etc/redes_permitidas.txt"
>>>
>>> # Define the load balancer IP for Mobile
>>> address_mobile = "10.0.1.181"
>>> address1 = "10.0.1.16"
>>>
>>> # Stop processing when the traffic comes from the internal networks
>>> pass in quick from <redes_yell> to any
>>>
>>> # Let the IPs from the allowed networks through
>>> pass in quick from <redes_permitidas> to $address_mobile
>>>
>>> # Create the block rules
>>> block in quick from <ips_malas>
>>> block in log quick on $ext_if proto tcp from any os "NMAP" to any
>>> label ExtNMAPScan
>>>
>>> # Protection against nmap and similar tools
>>> # block in quick on $ext_if proto tcp flags FUP/WEUAPRSF
>>> block in quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
>>> block in quick on $ext_if proto tcp flags SRAFU/WEUAPRSF
>>> block in quick on $ext_if proto tcp flags /WEUAPRSF
>>> block in quick on $ext_if proto tcp flags SR/SR
>>> block in quick on $ext_if proto tcp flags SF/SF
>>> block in quick from urpf-failed
>>>
>>>
>>> # Apply DoS and SYN flood rules on tld
>>> pass in log on $ext_if proto tcp to $address_mobile port www keep
>>> state (sloppy, max 10000, max-src-nodes 5000, max-src-conn 100,
>>> max-src-conn-rate 95/2, adaptive.start 6000, adaptive.end 12000, tcp.first 15, tcp.opening 5,
>>> tcp.established 3600, tcp.closing 5, tcp.finwait 15, tcp.closed 15,
>>> tcp.tsdiff 5)
>>>
>>>
>>> # Apply DoS and SYN flood rules on tld2
>>> pass in on $ext_if proto tcp to $address1 port www keep state (sloppy,
>>> max 10000, max-src-nodes 5000, max-src-conn 150, max-src-conn-rate
>>> 150/3)
>>>
>>>
>>> # Anchor for relayd
>>> anchor "relayd/*"
>>>
>>> ----------------------------
>>> # Load balancing configuration file
>>>
>>> ## Global options
>>> interval 5
>>> timeout 1000
>>> prefork 5
>>>
>>> ## VIP addresses
>>> address1="10.0.1.16"
>>> address2="10.0.1.181"
>>> address3="10.0.1.182"
>>>
>>>
>>> ## Server addresses
>>> mobileWap01="10.0.1.200"
>>> mobileWap02="10.0.1.201"
>>> webcache01="10.0.1.70"
>>> webcache02="10.0.1.71"
>>> webcache03="10.0.1.72"
>>> webcache04="10.0.1.73"
>>>
>>> ## Table definitions
>>> table <mobileweb> { $mobileWap01 $mobileWap02 }
>>> table <webcaches> { $webcache01 $webcache02 $webcache03 $webcache04 }
>>> table <webcaches1> { $webcache01 }
>>>
>>> ## Protocol definitions (filters)
>>>
>>> http protocol "tld" {
>>>
>>
>> OK, I see this is used by relay "tld".
>>
>>>        # Performance parameters
>>>        tcp {nodelay, sack, socket buffer 65536, backlog 100 }
>>>
>>
>> FYI, the socket buffer option can probably be removed as we support dynamic 
>> buffer scaling since a few releases.
>>
>>>        ## Test
>>>        # return error
>>>
>>>        # Close the connection
>>>        header change "Connection" to "close"
>>>
>>>        # Block disallowed sites
>>>        label "URL Request DENIED"
>>>        request header expect "tld.com.ar" from "Host"
>>>        request header expect "www.tld.com.ar" from "Host"
>>>        request header expect "s.tld.com.ar" from "Host"
>>>        request header expect "get.tld.com.ar" from "Host"
>>>        request header expect "test.tld.com.ar" from "Host"
>>>
>>>        # Block disallowed browsers
>>>        label "Please try a <em>different Browser</em>"
>>>        header filter "Mozilla/4.0 *" from "User-Agent"
>>>
>>>        header append "$REMOTE_ADDR" to "X-Forwarded-For"
>>>        cookie hash "sessid"
>>>
>>> }
>>> http protocol "httpRural" {
>>
>> This is not used by any of the relays.
>>
>>>
>>>        # Performance parameters
>>>        tcp {nodelay, sack, socket buffer 65536, backlog 100 }
>>>
>>>        # return error
>>>
>>>        # Close the connection
>>>        header change "Connection" to "close"
>>>
>>>        # Block disallowed sites
>>>        label "URL Request DENIED"
>>>        request header expect "tld1.com.ar" from "Host"
>>>        request header expect "*.tld1.com.ar" from "Host"
>>>        request header expect "rojas.tld1.com.ar" from "Host"
>>>
>>>        # Block disallowed browsers
>>>        label "Please try a <em>different Browser</em>"
>>>        header filter "Mozilla/4.0 *" from "User-Agent"
>>>
>>>        header append "$REMOTE_ADDR" to "X-Forwarded-For"
>>>        cookie hash "sessid"
>>>
>>> }
>>>
>>> http protocol "httpBlancas" {
>>>
>>
>> This is not used by any of the relays.
>>
>>>        # Performance parameters
>>>        tcp {nodelay, sack, socket buffer 65536, backlog 100 }
>>>
>>>        # return error
>>>
>>>        # Close the connection
>>>        header change "Connection" to "close"
>>>        # request header expect "*.tld2.com.ar"  from "Host"
>>>
>>>        header append "$REMOTE_ADDR" to "X-Forwarded-For"
>>> }
>>>
>>>
>>> ## Relay definitions
>>> relay tld {
>>>        listen on $address2 port 80
>>>        protocol "tld"
>>>        forward to <mobileweb> port 80 mode roundrobin check http
>>> "/relaycheck/mobileWAP/index.php" code 200
>>> }
>>>
>>> relay tld1 {
>>>        listen on $address3 port 80
>>>        protocol "tld1"
>>
>> This protocol "tld1" does not exist - do you mean httpRural or httpBlancas?
>>
>>>        forward to <webcaches> port 80 mode roundrobin check http
>>> "/monitoreo/relayd.txt" code 200
>>> }
>>>
>>> relay tld2 {
>>>        listen on $address1 port 80
>>>        protocol "tld2"
>>
>> This protocol "tld2" does not exist - do you mean httpRural or httpBlancas?
>>
>>>        forward to <webcaches1> port 80 mode roundrobin check http
>>> "/monitoreo/relayd.txt" code 200
>>> }
>>>
>>> I would really appreciate any clue or any idea that makes this work.
>>>
>>> Thanks in advance
>>>
>>> Saludos / Regards
>>> Leonardo Santagostini
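Added here as an example, not code from the thread or from relayd itself: a small Python lint in the spirit of Reyk's review of the relayd.conf above, reporting relays whose `protocol` or `forward to <table>` points at nothing defined, plus protocols no relay uses. The sample config is a constructed, cut-down version of the one quoted above (protocols named httpRural/httpBlancas, relays asking for "tld1"/"tld2").

```python
import re

# Constructed sample, cut down from the relayd.conf quoted above: protocols are
# named httpRural/httpBlancas while relays reference "tld1"/"tld2".
SAMPLE_CONF = """
table <mobileweb> { $mobileWap01 $mobileWap02 }
table <webcaches> { $webcache01 $webcache02 }
http protocol "tld" { header change "Connection" to "close" }
http protocol "httpRural" { cookie hash "sessid" }
http protocol "httpBlancas" { }
relay tld {
        protocol "tld"
        forward to <mobileweb> port 80 mode roundrobin check http
"/relaycheck/mobileWAP/index.php" code 200
}
relay tld1 {
        protocol "tld1"
        forward to <webcaches> port 80 mode roundrobin
}
relay tld2 {
        protocol "tld2"
        forward to <webcaches1> port 80 mode roundrobin
}
"""

# Definitions are matched at line start; a relay body runs to its closing brace.
TABLE_DEF = re.compile(r"^\s*table\s+<([^>]+)>", re.M)
PROTO_DEF = re.compile(r'^\s*(?:(?:http|tcp|dns)\s+)?protocol\s+"?([^"\s{]+)"?\s*\{', re.M)
RELAY_BLOCK = re.compile(r'^\s*relay\s+"?([^"\s{]+)"?\s*\{(.*?)^\}', re.M | re.S)
RELAY_PROTO = re.compile(r'\bprotocol\s+"?([^"\s]+)"?')
FORWARD_TABLE = re.compile(r"\bforward\s+to\s+<([^>]+)>")

def lint_relayd_conf(text):
    """Return ({relay: [dangling references]}, {protocols no relay uses})."""
    body = "\n".join(line.split("#", 1)[0] for line in text.splitlines())  # drop comments
    tables = set(TABLE_DEF.findall(body))
    protocols = set(PROTO_DEF.findall(body))
    problems, used = {}, set()
    for name, block in RELAY_BLOCK.findall(body):
        issues = []
        for proto in RELAY_PROTO.findall(block):
            used.add(proto)
            if proto not in protocols:
                issues.append(f'protocol "{proto}" is not defined')
        for table in FORWARD_TABLE.findall(block):
            if table not in tables:
                issues.append(f"table <{table}> is not defined")
        if issues:
            problems[name] = issues
    return problems, protocols - used
```

The regexes only cover the `table`, `protocol` and `relay` forms seen in this thread, not the full relayd.conf grammar; on the host itself, `relayd -n` remains the authoritative configuration check.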
