New tcp stack attack

2008-10-01 Thread Leon Dippenaar

Hi there,

Is there any weight to this new story on Slashdot
http://it.slashdot.org/it/08/10/01/0127245.shtml

about a new attack that can supposedly break any TCP stack? Sounds rather
shady, so here I am; perhaps you guys have your ears closer to the ground.


Regards



Re: Hardware recommendation request

2008-09-29 Thread Leon Dippenaar
I have successfully used the NICs below on 4.3 and 4.4-current setups
(especially the 4-port version).


http://h18004.www1.hp.com/products/servers/networking/index-nic.html

They go well with the HP DL range in my experience.

For example, the HP DL385 will give you 4 PCI Express lanes, i.e. 16
+ 2 (onboard) = 18 total 1000TX ports per firewall.

Enjoy

nuffnough wrote:

Hi,

I read the thread that popped up a few months back, and the consensus
was to buy a Dell or buy a switch and make VLANs, but neither of
these options is suitable for my requirements.

I presently have a pair of Intel servers with 6 PCI NICs plus one
onboard running as a clustered firewall. These are getting old, and I
want to replace them. The only thing is, I am finding it impossible to
find anyone who makes mobos with enough PCI slots.

Can anyone recommend a mobo that does?

Or recommend dual-port NICs that I can use instead of my current Intel NICs?

I am happy with getting individual components and putting something
together; I just need to know which components.

TIA

nuffi




Re: relayd http-https-redirects with sticky-address

2008-09-29 Thread Leon Dippenaar

I can relate to that, having load balancers fixing backend services.

If you have the time, you will probably find the pound reverse proxy
http://www.apsis.ch/pound/ to be a nice alternative to try out in your lab.
I have run pound on OpenBSD for several years and can recommend it for
http-to-https redirects, SSL termination and back-end load balancing with
health checks (not to mention the dynamic scaling) and weighted
priority between backend nodes.


Check it out.

Reyk Floeter wrote:

On Wed, Sep 17, 2008 at 10:19:11PM +0200, Michiel van Baak wrote:

redirect web {
listen on $ext_ip1 port 80:443
sticky-address
forward to webservers port http check script /usr/local/sbin/chksrvs
}

note that this will match any traffic in the 80 - 443 port range, make
sure that you add additional pf rules to filter any other ports except
80 and 443.  but it works with Source Tracking and should allow your
clients to move between http and https on the same server.  another
limitation is that it only runs checks on one of the ports.

ugh, this looks ugly ;)
Instead of going this route I would say: find the source of why the
visitor should access the same host, and solve that.




no, it is not ugly.  it is a reasonable solution for a very common
case.  you can easily block other incoming connections with
restrictive pf rules.  but please face reality - not everyone is in
control of their backend web servers since it is VERY common that the
loadbalancers (networking group) are handled by a different group than
the backend webservers (servers group).  and it is also very common
that you run your fancy nice openbsd box in front of some other
stuff.  indeed, it is very common for loadbalancers and firewalls to
fix arbitrary systems attached to the network.


We use relayd in front of 6 servers, doing http and https.
It doesn't matter what backend box the user goes to. Hell, they can even go
to another box on a reload.
This of course means we are storing sessions etc. on shared storage (NFS
in our case, and the new sharedance port looks like an alternative for
that).




of course this is a better solution if you're in control of the
backend servers.  some people also use solutions like a clustered
database backend (e.g. mysql), proprietary solutions like zend cache,
...

reyk


--

Michiel van Baak
[EMAIL PROTECTED]
http://michiel.vanbaak.eu
GnuPG key: http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x71C946BD

Why is it drug addicts and computer aficionados are both called users?




Carp and PF cluster design question

2008-09-16 Thread Leon Dippenaar
I'm in the process of setting up a redundant reverse proxy cluster for
someone.
Currently the setup is working as a single-box, non-redundant setup and
everything is perfect and purring nicely.


What I want it to ultimately do:

I want to load balance the 2 boxes with carp, and each box in its own
right is a separate load balancer (PF) to separate services residing
locally on the 2 boxes.


Something like this (super basic illustration):

TRAFFIC= CARP0 VIP HOSTA = PF-round robin={ HOST A XYY , HOST B XYZ }
   = CARP0 VIP HOSTB = PF-round robin={ HOST B ABC , HOST A ABC }

Back to reality:

BEFORE:
This box is configured to accept SMTP (smarthosting), HTTP and HTTPS
(pound SSL termination) on multiple alias addresses.


AFTER:
I have now added a second physical box and have converted all the IP
aliases into carp interfaces in IP-stealth balancing mode, i.e. carp0,
carp1, carp2 etc.

The two boxes are linked with a crossover cable using pfsync0 and all is dandy.

NB: I must add that these 2x OpenBSD boxes are behind 2x PIX firewalls in
fail-over, which in turn are behind (inline) 2x Nokia FW-1 firewalls in
fail-over (I know it's a bad setup, but I cannot control that bit of the
equation).


Question: What is the best way to load balance incoming services into
these OpenBSD boxes? Do I do carp balancing and PF round robin? Also, how
do I handle my source address (return traffic) through these other crappy
firewalls?
Because if I NAT my source as carp0, then which MAC is the return traffic
going to go to? Or does each OpenBSD host need its own SRC IP that in
turn has rules in the PIXes and Nokias to allow the traffic to flow,
instead of one NAT'd carp VIP address?


Hope all this makes sense.