New tcp stack attack
Hi there, is there any weight to this new story on slashdot http://it.slashdot.org/it/08/10/01/0127245.shtml about a new attack possibly able to break any TCP stack? Sounds rather shady, so here I am; perhaps you guys have your ears closer to the ground.

Regards
Re: Hardware recommendation request
I have successfully used the below NICs on 4.3 and 4.4 -current setups (especially the 4 port version): http://h18004.www1.hp.com/products/servers/networking/index-nic.html

They go well with the HP DL range in my experience. For example, the HP DL385 will give you 4 PCI Express lanes, i.e. 16 + 2 (onboard) = 18 total 1000TX ports per firewall.

Enjoy

nuffnough wrote:
> Hi,
>
> I read the thread that popped up a few months back, and the consensus was to buy a Dell or buy a switch and make VLANs, but neither of these options is suitable for my requirements.
>
> I presently have a pair of Intel servers with 6 PCI NICs plus one on board running as a clustered firewall. These are getting old, and I want to replace them. Only thing is, I am finding it impossible to find anyone who makes mobos with enough PCI slots.
>
> Can anyone recommend a mobo that does? Or recommend dual port NICs that I can use instead of my current Intel NICs? I am happy with getting individual components and putting something together, just need to know what components.
>
> TIA
> nuffi
Re: relayd http-https-redirects with sticky-address
I can relate to that, having load balancers fixing backend services. If you have the time, you will probably find the pound reverse proxy http://www.apsis.ch/pound/ to be a nice alternative to try out in your lab. I have run pound on OpenBSD for several years and can recommend it for http to https redirects, SSL termination and back-end load balancing with health checks (not to mention the dynamic scaling) and weighted priority between backend nodes. Check it out.

Reyk Floeter wrote:
> On Wed, Sep 17, 2008 at 10:19:11PM +0200, Michiel van Baak wrote:
> > > redirect web {
> > >         listen on $ext_ip1 port 80:443 sticky-address
> > >         forward to <webservers> port http check script "/usr/local/sbin/chksrvs"
> > > }
> > >
> > > note that this will match any traffic in the 80 - 443 port range, make sure that
> > > you add additional pf rules to filter any other ports except 80 and 443. but it
> > > works with Source Tracking and should allow your clients to move between http
> > > and https on the same server. another limitation is that it only runs checks on
> > > one of the ports.
> >
> > ugh, this looks ugly ;)
> > Instead of going this route I would say: find the source of why the visitor
> > should access the same host, and solve that.
>
> no, it is not ugly. it is a reasonable solution for a very common case. you can
> easily block other incoming connections with restrictive pf rules.
>
> but please face reality - not everyone is in control of their backend web servers
> since it is VERY common that the loadbalancers (networking group) are handled by a
> different group than the backend webservers (servers group). and it is also very
> common that you run your fancy nice openbsd box in front of some other stuff.
> indeed, it is very common for loadbalancers and firewalls to fix arbitrary systems
> attached to the network.
>
> > We use relayd in front of 6 servers, doing http and https. It doesn't matter
> > what backend box the user goes to. Hell, they can even go to another box on a
> > reload. This of course means we are storing sessions etc on shared storage
> > (NFS in our case, and the new sharedance port looks like an alternative for
> > that)
>
> of course this is a better solution if you're in control of the backend servers.
> some people also use solutions like a clustered database backend (eg. mysql),
> proprietary solutions like zend cache, ...
>
> reyk
>
> > --
> > Michiel van Baak
> > [EMAIL PROTECTED]
> > http://michiel.vanbaak.eu
> > GnuPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x71C946BD
> >
> > Why is it drug addicts and computer aficionados are both called users?
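Reyk's warning above is that a `port 80:443` listener hands relayd's rdr rule every port in that range, so the pf filter rules have to close the gap. The fragments below are an added example, not configuration from Reyk, Michiel or the relayd project: the interface name `em0`, the addresses, the `<backends>` table and the assumption that relayd preserves the destination port through the redirect are all constructed for illustration; the `/usr/local/sbin/chksrvs` path is the one quoted in the thread.

```conf
# ---- /etc/relayd.conf (OpenBSD 4.4-era syntax, as quoted above) ----
ext_ip1="192.0.2.10"                        # constructed public address
table <webservers> { 10.0.0.11 10.0.0.12 }  # constructed backend pool

redirect web {
        # sticky-address gives source tracking, so one client keeps one backend
        # across the whole 80-443 range and can move between http and https
        listen on $ext_ip1 port 80:443 sticky-address
        forward to <webservers> port http check script "/usr/local/sbin/chksrvs"
}

# ---- /etc/pf.conf ----
ext_if="em0"
table <backends> persist { 10.0.0.11 10.0.0.12 }   # same hosts, pf's own copy

# relayd loads its rdr rules into this anchor; without it nothing is redirected
rdr-anchor "relayd/*"

# Weak: in this pf release translation runs before filtering, so a rule that
# matches the backends without a port list admits every port relayd mapped
# (110, 143, 389, ... all sit inside 80:443).
# pass in on $ext_if proto tcp from any to <backends>

# Corrected: default deny on the outside interface, then admit only the two
# ports the service actually uses (assumes the redirect keeps the port number).
block in on $ext_if
pass in on $ext_if proto tcp from any to <backends> port { 80 443 }
pass out on $ext_if
```

Because pre-4.7 pf filters on the already-translated destination, the pass rule names the backend table rather than `$ext_ip1`; a rule written against the public address would never match a redirected packet and the default block would silently drop all web traffic, which is the first thing to check if the redirect appears dead after adding the `block`.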
Carp and PF cluster design question
I'm in the process of setting up a redundant reverse proxy cluster for someone. Currently the setup is working in a single box non-redundant setup and everything is perfect and purring nicely.

What I want it to ultimately do: I want to load balance the 2 boxes with carp and each box in its own right is a separate load balancer (PF) to separate services residing locally on the 2 boxes. Something like this (super basic illustration):

TRAFFIC => CARP0 VIP HOSTA => PF round-robin = { HOST A XYY, HOST B XYZ }
        => CARP0 VIP HOSTB => PF round-robin = { HOST B ABC, HOST A ABC }

Back to reality:

BEFORE: This box is configured to accept SMTP (smarthosting), HTTP and HTTPS (pound SSL termination) on multiple alias addresses.

AFTER: I have now added a second physical box and have converted all the IP aliases into carp interfaces in ip-stealth balancing mode, i.e. carp0, carp1, carp2 etc. The two boxes are linked with a crossover cable using pfsync0 and all is dandy.

NB: I must add that these 2X OpenBSD boxes are behind 2X PIX firewalls in fail-over which in turn are behind (inline) 2X Nokia FW-1 firewalls in fail-over (I know it's a bad setup, but I cannot control that bit of the equation).

Question: What is the best way to load balance incoming services into these OpenBSD boxes? Do I do carp balancing and PF round robin? Also how do I handle my source address (return traffic) through these other crappy firewalls? Because if I NAT my source as carp0 then which MAC is the return traffic going to go to? Or does each OpenBSD host need its own SRC IP that in turn has rules in the PIXes and Nokias to allow the traffic to flow instead of 1 NAT'd carp VIP address?

Hope all this makes sense.
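The "AFTER" state described above (one shared VIP per service, carp in ip-stealth balancing mode, state sync over a crossover link, and a PF round-robin to the services living on the two boxes) can be written down in the OpenBSD hostname.if(5) and pf.conf(5) syntax of that era. This is an added example, not the poster's configuration: `em0`/`em1`, the 192.0.2.x and 10.0.0.x addresses and the `EXAMPLE_SECRET` password are placeholders, and it only illustrates the design as described, not an answer to the return-path question.

```conf
# ---- Host A: /etc/hostname.carp0 ----
# Two vhids share one VIP; host A masters vhid 1 (advskew 0) and backs up vhid 2.
inet 192.0.2.20 255.255.255.0 NONE balancing ip-stealth carpnodes 1:0,2:100 carpdev em0 pass EXAMPLE_SECRET

# ---- Host B: /etc/hostname.carp0 ----
# Same VIP and password, opposite advskew so host B masters vhid 2.
inet 192.0.2.20 255.255.255.0 NONE balancing ip-stealth carpnodes 1:100,2:0 carpdev em0 pass EXAMPLE_SECRET

# ---- Both hosts: /etc/hostname.pfsync0 ----
# em1 is the crossover link; state updates stay off the production segment.
up syncdev em1

# ---- Both hosts: /etc/pf.conf fragment ----
ext_if="em0"
sync_if="em1"
carp0_ip="192.0.2.20"
svc_hosts="{ 10.0.0.1, 10.0.0.2 }"        # where the local services (pound, smtp) listen

# carp advertisements on the outside, pfsync only on the crossover
pass on $ext_if proto carp
pass on $sync_if proto pfsync

# PF round-robin from the shared VIP to the service instances on both boxes;
# sticky-address keeps a client on the instance it first reached.
rdr on $ext_if proto tcp from any to $carp0_ip port { 25 80 443 } -> $svc_hosts round-robin sticky-address
```

A quick sanity check after bringing this up is `ifconfig carp0` on each host: with balancing configured, one host should report MASTER for vhid 1 and BACKUP for vhid 2, and the other the reverse; if both show MASTER for the same vhid, the advertisements are not reaching the peer and the `pass ... proto carp` rule or the shared password is the usual culprit.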