OSPF over GRE and failover

2012-09-13 Thread mxb
Hi misc@,

I have a pair of 5.2-current machines in a failover setup.
On both, the ext-iface and int-iface are CARP'd.

This setup serves mostly as a firewall for internal machines, but also
as an OSPF-router.

OSPF runs on top of GRE on top of IPSec.

I have a /29 net for external, and thus the rest of the IPs not used for CARP
are aliases on the carp-iface.

isakmpd listens on one of those aliased IPs, as does gre for the outer
tunnel. isakmpd.conf, ipsec.conf and the gre-ifaces are configured exactly the
same on both machines, except ospfd.conf, which has a different router-id.

Now the problematic part.

When failover occurs ospfd gets unstable, e.g. what I see from
tcpdump output on the gre-iface is that the machine which should be in
stand-by state still sends OSPF-pkts, while the active machine switches
OSPF-state from INIT to EXCHG to FULL. FULL is up for several seconds and
then this process repeats. At the time of DOWN/INIT on the active machine,
the stand-by machine manages to send out OSPF-pkts. The carp iface on
stand-by is in BACKUP state and does not change, while the active one is
MASTER (as expected).

I have three GRE tunnels and three OSPF-routers to talk to.
Two of three run quagga and the last one is ospfd on 5.2-current.
I see OSPF-pkts going out on all three gre-ifaces on the stand-by
machine, but only quagga-peers are unstable.



The question is why ospfd still sends out on the stand-by machine?
Or is something wrong with the setup I have?
Any other way to solve failover for OSPF on GRE? ifstated?


Below is configuration for MASTER-machine:

-hostname.carp2
inet 212.x.x.194 255.255.255.248 212.x.x.199 -inet6 vhid 2 advbase 1 advskew 0 carpdev vlan2 pass password description EXTERNAL
inet alias 212.x.x.198 255.255.255.248 NONE


---isakmpd.conf
[General]
Listen-on=  212.x.x.198


-hostname.gre1
tunnel 212.x.x.198 x.x.175.x
!/sbin/ifconfig gre1 inet 10.10.0.1 10.10.1.1 netmask 0x -inet6 link0 up


-ospfd.conf

router-id 0.0.1.1

area 0.0.0.0 {

interface trunk0 {

}

##
interface gre0

##
interface gre1 { auth-type none }

##
interface gre2 { auth-type none }

## Internal net
interface carp1

}


Regards,
Maxim
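An added example, not from Maxim's post or the OpenBSD tree, of the ifstated-style gating he asks about: ospfd is kept running only while the external CARP interface is MASTER, so the stand-by box sends no OSPF packets over the GRE tunnels. It assumes the carp2 interface from the config above and the OpenBSD 5.x /etc/rc.d/ospfd script; sync_ospfd_to_carp is a hypothetical hook that an ifstated(8) `run` statement or cron could call on each state change.

```shell
#!/bin/sh
# Added example, not part of the thread: run ospfd only on the CARP MASTER so
# the stand-by firewall never sends OSPF hellos over the GRE tunnels.
# Assumes carp2 is the external CARP interface (as in the poster's
# hostname.carp2) and the OpenBSD 5.x /etc/rc.d/ospfd script.

# Read ifconfig(8) output on stdin and print the CARP state word
# (MASTER, BACKUP or INIT) from the "carp:" line; prints nothing otherwise.
carp_state() {
    awk '$1 == "carp:" { print $2; exit }'
}

# Return 0 when ospfd should be running for the given CARP state.
ospfd_wanted() {
    [ "$1" = "MASTER" ]
}

# Print the action to take: "start", "stop" or "keep".
# $1 = CARP state, $2 = current ospfd status ("running" or "stopped").
ospfd_action() {
    if ospfd_wanted "$1"; then
        if [ "$2" = "running" ]; then echo keep; else echo start; fi
    else
        if [ "$2" = "stopped" ]; then echo keep; else echo stop; fi
    fi
}

# Live path (root on the firewall): apply the decision for interface $1.
# Hypothetical hook for ifstated(8) "run" or cron; not exercised below.
sync_ospfd_to_carp() {
    state=$(ifconfig "${1:-carp2}" | carp_state)
    if /etc/rc.d/ospfd check >/dev/null 2>&1; then cur=running; else cur=stopped; fi
    case $(ospfd_action "$state" "$cur") in
        start) /etc/rc.d/ospfd start ;;
        stop)  /etc/rc.d/ospfd stop ;;
    esac
}

# Constructed ifconfig output for a BACKUP node (sample data, not from the page).
sample_backup='carp2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	lladdr 00:00:5e:00:01:02
	description: EXTERNAL
	carp: BACKUP carpdev vlan2 vhid 2 advbase 1 advskew 100
	inet 192.0.2.194 netmask 0xfffffff8 broadcast 192.0.2.199'

# Stand-alone demo: the stand-by node with ospfd still running must stop it.
state=$(printf '%s\n' "$sample_backup" | carp_state)
echo "carp2 is $state, ospfd running -> action: $(ospfd_action "$state" running)"
```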



bi-nat behavior and anchor limitation

2012-09-13 Thread Michel Blais

Hi,

I just encountered a strange behavior with the bi-nat rules. Since we optimize
our firewall script via multiple anchors for our thousands of bi-nat rules, we
don't use the bi-nat rule but instead use the 2 rules in different anchors.
Example:

anchor out on $ext_if from 192.168.0.0/16 {
	anchor out on $ext_if from 192.168.0.0/24 {
		match out on $ext_if inet from 192.168.0.1 to any nat-to X.Y.Z.1 static-port
		match out on $ext_if inet from 192.168.0.2 to any nat-to X.Y.Z.2 static-port
	}
}

anchor in on $ext_if to X.Y.Z.0/20 {
	anchor in on $ext_if to X.Y.Z.0/24 {
		match in on $ext_if inet from any to X.Y.Z.1 rdr-to 192.168.0.1
		match in on $ext_if inet from any to X.Y.Z.2 rdr-to 192.168.0.2
	}
}

We just found that by adding the in rules before the out rules in the pf
script, only the incoming rules will be applied and outgoing packets will
match the default nat instead.


Any reason that I can understand for this behavior? Anyway, I also
wanted to leave a note in the misc archive about this since I didn't find
anything while searching on marc.info, and I searched for days.


Also, is it a pfctl limitation to not be able to use it on an anchor inside
another anchor, or am I missing something? Example: I load an anchor in the
main ruleset named A and in A, I load another anchor named B. Is there
any way to use pfctl on the B anchor?


# pfctl -sA
A
# pfctl -a A -sA
B
#

Thanks

Michel



Multihomed openbsd firewall with squid and dansguardian

2012-09-13 Thread What you get is Not what you see
I am trying to use OpenBSD 5.1 i386 as a firewall and content filter for a
network of ~ 40 people.
I have two modem internet connections which I want to load balance outgoing
traffic. 3 nics.

# I couldn't find a pf rule which sends packets from self (127.0.0.1?) out
when not using the /etc/mygate file. So I kept it filled:
/etc/mygate
192.168.0.1  # ip of one modem

/etc/hostname.rl0
inet 192.168.0.249 255.255.255.255  # external if to default gw

/etc/hostname.re0
inet 192.168.2.249 255.255.255.255  # external if to the second modem

/etc/hostname.rl1
inet 192.168.5.249 255.255.255.255  # internal if

I use named as a local name server. This causes some trouble. Sometimes when
rebooting, the computer hangs at named initiation
and after a Ctrl+C it continues. I tried some hacks (like disabling acpi
when booting) but I couldn't find the underlying reason and left
it as is. (You might consider this as a question.)
/etc/resolv.conf
search ARRIS
nameserver 127.0.0.1
nameserver 208.67.222.222
nameserver 8.26.56.26


Here is the pf.conf

intif=rl1
extif1=rl0
extif2=re0
gw1=192.168.0.1
gw2=192.168.2.1
tcp_in_services={ ssh,https,2020,2021}
udpservices={ domain,ntp }
lannet=$intif:network
ext1net=$extif1:network
ext2net=$extif2:network



anchor ftp-proxy/*

pass in quick on $intif inet proto tcp to port 21 divert-to 127.0.0.1 port 8021
pass quick inet proto icmp all

# This is for local dns requests coming to self
pass in quick log on $intif inet proto {tcp,udp} from $lannet to port $udpservices

# This is for syslogging some modem logs to the firewall, which will be useless
# if I accomplish my pf setup
pass in quick on $extif2 proto udp to any port 514

# I am doing nat to both external interfaces. Is this correct for my setup?
match out on $extif1 from $lannet nat-to $extif1
match out on $extif2 from $lannet nat-to $extif2

# This is for Dansguardian and squid
pass in quick log inet proto tcp from $lannet to port 80 divert-to 127.0.0.1 port 8080

block all

# Route-to rules for load balancing

pass in on $intif inet proto tcp from $lannet route-to { ($extif1 $gw1), ($extif2 $gw2) } round-robin modulate state
pass in on $intif inet proto udp from $lannet route-to { ($extif1 $gw1), ($extif2 $gw2) } round-robin modulate state
pass in on $intif inet proto icmp from $lannet route-to { ($extif1 $gw1), ($extif2 $gw2) } round-robin modulate state

# This is for some tcp,udp services made available across local networks

pass in on {$extif1,$extif2} inet proto tcp to port $tcp_in_services
pass in on {$extif1,$extif2} inet proto {tcp,udp} to port $udpservices

# Rules I copied from the FAQ for outgoing load balancing
pass out on $extif1
pass out on $extif2
pass out on $extif1 from $extif2 route-to ($extif2 $gw2)
pass out on $extif2 from $extif1 route-to ($extif1 $gw1)



I have read the FAQ many times, browsed through earlier emails sent to
@misc.
I should say that the FAQ is unclear about using /etc/mygate for my case.
It is unclear about the keyword self (or the handling of packets generated
from the firewall), or I didn't understand the theory.
It is unclear about when one must use multipath routing and when not.
And IMHO the FAQ should contain some more elaborate pf configurations like
mine(?).
Because internet resources are either too outdated or too scarce.
I believe OpenBSD is a secure, easy OS for networking purposes like mine.
I will continue trying to use and evaluate it even if it costs too many
hours of reading and trying for me.

First question of mine. Is this pf.conf correct?
How can I place Squid into this configuration to achieve load balance
outgoing traffic?
What would be the necessary Squid configs or pf rules?
Thanks for reading.



Applying 001_libcrypto.patch prompts for File to Patch:

2012-09-13 Thread Ed Flecko
I've created a /usr/src/patches directory which I've downloaded and
untarred the 5.1.tar.gz into.

Per the patch instructions, I cd to /usr/src and then: # patch -p0 < /usr/src/patches/5.1/common/001_libcrypto.patch

this is what I get:

# patch -p0 < /usr/src/patches/5.1/common/001_libcrypto.patch
Hmm...  Looks like a unified diff to me...
The text leading up to this was:
--
|Apply by doing:
|   cd /usr/src
|   patch -p0 < 001_libcrypto.patch
|
|And then rebuild and install libcrypto:
|   cd lib/libssl/crypto
|   make obj
|   make depend
|   make
|   make install
|
|Index: lib/libssl/src/crypto/mem.c
|===
|RCS file: /cvs/src/lib/libssl/src/crypto/mem.c,v
|retrieving revision 1.13
|retrieving revision 1.13.8.1
|diff -u -p -r1.13 -r1.13.8.1
|--- lib/libssl/src/crypto/mem.c1 Oct 2010 22:58:53 -   1.13
|+++ lib/libssl/src/crypto/mem.c22 Apr 2012 01:39:22 -  1.13.8.1
--
Patching file lib/libssl/src/crypto/mem.c using Plan A...
Hunk #1 succeeded at 362.
Hmm...  The next patch looks like a unified diff to me...
The text leading up to this was:
--
|Index: lib/libssl/src/crypto/asn1/a_d2i_fp.c
|===
|RCS file: /cvs/src/lib/libssl/src/crypto/asn1/a_d2i_fp.c,v
|retrieving revision 1.5
|retrieving revision 1.5.16.1
|diff -u -p -r1.5 -r1.5.16.1
|--- lib/libssl/src/crypto/asn1/a_d2i_fp.c  6 Sep 2008 12:17:48 -   1.5
|+++ lib/libssl/src/crypto/asn1/a_d2i_fp.c  22 Apr 2012 01:39:22 -  1.5.16.1
--
Patching file lib/libssl/src/crypto/asn1/a_d2i_fp.c using Plan A...
Hunk #1 succeeded at 57.
Hunk #2 succeeded at 144.
Hunk #3 succeeded at 164.
Hunk #4 succeeded at 176.
Hunk #5 succeeded at 208.
Hunk #6 succeeded at 227.
Hunk #7 succeeded at 251.
Hunk #8 succeeded at 272.
Hmm...  The next patch looks like a unified diff to me...
The text leading up to this was:
--
|Index: lib/libssl/src/crypto/buffer/buffer.c
|===
|RCS file: /cvs/src/lib/libssl/src/crypto/buffer/buffer.c,v
|retrieving revision 1.8
|retrieving revision 1.8.8.1
|diff -u -p -r1.8 -r1.8.8.1
|--- lib/libssl/src/crypto/buffer/buffer.c  1 Oct 2010 22:58:54 -   1.8
|+++ lib/libssl/src/crypto/buffer/buffer.c  22 Apr 2012 01:39:22 -  1.8.8.1
--
File to patch:



I've read some prior posts, and I THOUGHT the patch is wanting me to
tell it the path to the buffer.c file, but I don't have a
/usr/src/lib/libssl/src/crypto/buffer/ directory with the buffer.c
file (I only have a /usr/src/lib/libssl/src/crypto directory).

Can someone tell me what I'm doing wrong?

Thank you,
Ed
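An added example, not part of Ed's post or of the OpenBSD patch tooling: a pre-flight check that reads the Index: lines of an errata patch and reports which of those files are missing under the source tree, which is exactly what makes patch(1) stop at "File to patch:". The function names are the example's own; the demo's patch header and partial tree are constructed here from the paths in the output above.

```shell
#!/bin/sh
# Added example, not part of the thread: before running "patch -p0" in /usr/src,
# list the files an OpenBSD errata patch touches (its "Index:" lines) and report
# which ones are missing from the source tree. A missing file is what makes
# patch(1) stop and ask "File to patch:", as happened with buffer/buffer.c.

# Print the path after each "Index: " line of a patch. The "|"-prefixed copies
# that patch(1) echoes in its own output are not matched.
patch_index_files() {
    sed -n 's/^Index: //p' "$1"
}

# Report files named in PATCH that do not exist under SRCDIR.
# Usage: check_patch_tree PATCH SRCDIR ; returns 0 if all present, 1 otherwise.
check_patch_tree() {
    patch=$1
    srcdir=$2
    missing=0
    for f in $(patch_index_files "$patch"); do
        if [ ! -f "$srcdir/$f" ]; then
            echo "missing: $srcdir/$f"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Demo on a constructed patch header and a partial tree, both built here in a
# temporary directory; the paths are the ones from the thread's patch output.
# Returns 1 because buffer/buffer.c is deliberately absent, like the poster's tree.
demo_patch_check() {
    tmp=$(mktemp -d)
    cat > "$tmp/001_libcrypto.patch" <<'EOF'
Index: lib/libssl/src/crypto/mem.c
Index: lib/libssl/src/crypto/asn1/a_d2i_fp.c
Index: lib/libssl/src/crypto/buffer/buffer.c
EOF
    mkdir -p "$tmp/src/lib/libssl/src/crypto/asn1"
    : > "$tmp/src/lib/libssl/src/crypto/mem.c"
    : > "$tmp/src/lib/libssl/src/crypto/asn1/a_d2i_fp.c"
    check_patch_tree "$tmp/001_libcrypto.patch" "$tmp/src"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Stand-alone run: prints the missing file and a verdict.
demo_patch_check || echo "source tree incomplete; get a proper checkout before running patch(1)"
```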



Re: Applying 001_libcrypto.patch prompts for File to Patch:

2012-09-13 Thread Ted Unangst
On Thu, Sep 13, 2012 at 10:15, Ed Flecko wrote:
>
> I've read some prior posts, and I THOUGHT the patch is wanting me to
> tell it the path to the buffer.c file, but I don't have a
> /usr/src/lib/libssl/src/crypto/buffer/ directory with the buffer.c
> file (I only have a /usr/src/lib/libssl/src/crypto directory).
>
> Can someone tell me what I'm doing wrong?

Checking out the src tree the wrong way.  There has been a
buffer/buffer.c file since OpenBSD 2.5.  And still is.



Re: Applying 001_libcrypto.patch prompts for File to Patch:

2012-09-13 Thread Ed Flecko
Thanks Ted.

After I installed 5.1, I downloaded the src.tar.gz and untarred it into /usr/src

If that's not the correct way (and I guess it's not), can you tell me
what IS the correct way to check out the src tree?

Ed

On Thu, Sep 13, 2012 at 10:42 AM, Ted Unangst t...@tedunangst.com wrote:
> On Thu, Sep 13, 2012 at 10:15, Ed Flecko wrote:
>
>> I've read some prior posts, and I THOUGHT the patch is wanting me to
>> tell it the path to the buffer.c file, but I don't have a
>> /usr/src/lib/libssl/src/crypto/buffer/ directory with the buffer.c
>> file (I only have a /usr/src/lib/libssl/src/crypto directory).
>>
>> Can someone tell me what I'm doing wrong?
>
> Checking out the src tree the wrong way.  There has been a
> buffer/buffer.c file since OpenBSD 2.5.  And still is.



Re: Emacs Meta bindings not working after upgrade

2012-09-13 Thread Dennis den Brok
On 2012-09-12, Clint Pachl pa...@ecentryx.com wrote:
> After upgrading my system to the latest snapshot my Emacs META bindings
> are not working properly in the terminal. For instance, from xterm, the
> bindings:
>     M-B (backward-word),
>     M-F (forward-word),
>     M-D (kill-word),
> output the characters, â, æ, ä, respectively.
>
> However, the standard or control bindings work as expected. For example:
>     C-D (delete-char)
>     C-B (backward-char)
>     C-E (end-of-line)
>
> How can I get the META bindings working normally at the command line?

I don't have a solution; I'd just like to chime in: I'm seeing this,
too, on vanilla 5.1/i386, outside of X.

--
Dennis den Brok



Re: Applying 001_libcrypto.patch prompts for File to Patch:

2012-09-13 Thread Ted Unangst
On Thu, Sep 13, 2012 at 10:53, Ed Flecko wrote:
> Thanks Ted.
>
> After I installed 5.1, I downloaded the src.tar.gz and untarred it into
> /usr/src
>
> If that's not the correct way (and I guess it's not), can you tell me
> what IS the correct way to check out the src tree?

I can only speculate as to why there would be files missing from
there, but I'd consult the anoncvs.html page on how to get an accurate
checkout.  Bonus: a -stable checkout will have patches already applied.



Re: Applying 001_libcrypto.patch prompts for File to Patch:

2012-09-13 Thread Ed Flecko
Thank you Ted...I appreciate the advice and tips!

Ed



Re: Applying 001_libcrypto.patch prompts for File to Patch:

2012-09-13 Thread Frank Brodbeck
On Thu, Sep 13, 2012 at 10:53:49AM -0700, Ed Flecko wrote:
> I downloaded the src.tar.gz and untarred it into /usr/src

You should also get sys.tar.gz and you should take a look at:

http://www.openbsd.org/stable.html

Or get yourself a CD set and read the inlet :-)

Have a nice day,
 Frank.

-- 
Frank Brodbeck f...@guug.de



Re: bi-nat behavior and anchor limitation

2012-09-13 Thread Michel Blais

On 2012-09-13 11:34, Michel Blais wrote:
> Also, is it a pfctl limitation to not be able to use it on an anchor
> inside another anchor, or am I missing something? Example: I load an
> anchor in the main ruleset named A and in A, I load another anchor named
> B. Is there any way to use pfctl on the B anchor?
>
>
> # pfctl -sA
> A
> # pfctl -a A -sA
> B
> #

Thanks to Martin Pelikan, who answered me outside of the mailing list;
the syntax is:

# pfctl -a A/B -sA

Before he wrote to me, I didn't notice that while using
# pfctl -a A -sA
it was displayed like
A/B
A/C
A/D

--
Michel Blais
Administrateur réseau / Network administrator
Targo Communications
www.targo.ca
514-448-0773



w(1) weirdness

2012-09-13 Thread Michael W. Lucas
w(1) gives the -a option:

 -a  Attempt to translate network addresses into names.

But this appears to be the default:

wrath~;w
 5:46PM  up 8 days,  1:08, 1 user, load averages: 0.50, 0.45, 0.37
USER     TTY FROM              LOGIN@  IDLE WHAT
mwlucas  p0 adsl-99-103-114-  5:44PM 0 w

Adding -a doesn't change the output.

I would *think* (there's my problem, I know) that if -a is the
default, then there would be a -n or somesuch to turn off hostname
resolution. What am I missing here?

Yes, there's other ways to see what IP I'm logged in from, just seemed
strangely inconsistent for you folks.

==ml

-- 
Michael W. Lucas
http://www.MichaelWLucas.com/, http://blather.MichaelWLucas.com/
Latest book: SSH Mastery http://www.michaelwlucas.com/nonfiction/ssh-mastery
mwlu...@michaelwlucas.com, Twitter @mwlauthor



Re: w(1) weirdness

2012-09-13 Thread Ted Unangst
On Thu, Sep 13, 2012 at 17:48, Michael W. Lucas wrote:
> w(1) gives the -a option:
>
>  -a  Attempt to translate network addresses into names.
>
> But this appears to be the default:
>
> wrath~;w
>  5:46PM  up 8 days,  1:08, 1 user, load averages: 0.50, 0.45, 0.37
> USER     TTY FROM              LOGIN@  IDLE WHAT
> mwlucas  p0 adsl-99-103-114-  5:44PM 0 w
>
> Adding -a doesn't change the output.
>
> I would *think* (there's my problem, I know) that if -a is the
> default, then there would be a -n or somesuch to turn off hostname
> resolution. What am I missing here?

It depends on the program writing the utmp entry.  If it writes the
hostname, then that's what it prints.  -a will attempt to turn it into
a hostname *again*.

The source even calls the option 'nflag' internally, it's on by
default.  -a turns it off.
