Re: OpenBSD 6.0 - Silicom PE2G4SFPI35L Intel i340AM4 based
Stuart,

Thank you for your quick response. We are in requirement of a 4-Port 1000Base-LX capable network card; whether it's 10GbE or 1GbE doesn't matter. I took a look at the vendor, and I have to say it feels awesome to learn something new every day. I did not know this vendor and the mere fact that they openly support OpenBSD is reassuring. I'll have my distributor take a look at it.

Thanks a lot.

/Uday

On Fri, Mar 10, 2017 at 1:47 AM, Stuart Henderson <s...@spacehopper.org> wrote:
> On 2017-03-09, Uday MOORJANI <umoorjani.v...@gmail.com> wrote:
>> Dear Community,
>>
>> Hope all is well. I'm on my last stretch to put in production our
>> OpenBSD/OpenBGPd implementation. I have chosen a SuperMicro box as my
>> platform, some of our transit providers at the data center come in
>> through 1000-Base-LX fiber cross connects hence the search for an SFP
>> and LX capable network card.
>>
>> My question is, does the em driver work with Intel-based network cards
>> of other vendors such as the Silicom PE2G4SFPI35L or the PE2G4SFPI80L,
>> both respectively are based on Intel i340AM4 and 82580EB controllers.
>
> I haven't tried those Silicom cards but I have a couple of 6-port
> HotLava 1000base-T em(4) cards which are working nicely.
>
> I don't see I340AM4 on the list in the em(4) manual. I can't say whether
> this is just an omission from the manual, or whether it's unsupported.
> 82580EB is listed there.
>
>> Or is there another card with 4-Ports 1000-Base-LX capable hardware I
>> missed?
>>
>> Sincerely,
>>
>> Uday MOORJANI
>>
>> PS
>> Loving the OS.
>
> When I had a circuit delivered on single-mode fibre I couldn't find
> a suitable 1Gb SFP card for any sensible money so I used a 10Gb card
> instead (in my case some 82599-based Intel SFP+ which uses the ix(4)
> driver), which also work with 1Gb SFPs.
>
> $ ifconfig ix1 | grep -e ^ix -e media
> ix1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         media: Ethernet autoselect (1000baseLX full-duplex,rxpause,txpause)
>
> $ dmesg | grep ^ix1 | tail -1
> ix1 at pci1 dev 0 function 1 "Intel 82599" rev 0x01: msi, address 00:1b:21:c0:25:bd
OpenBSD 6.0 - Silicom PE2G4SFPI35L Intel i340AM4 based
Dear Community,

Hope all is well. I'm on my last stretch to put in production our OpenBSD/OpenBGPd implementation. I have chosen a SuperMicro box as my platform; some of our transit providers at the data center come in through 1000-Base-LX fiber cross connects, hence the search for an SFP and LX capable network card.

My question is, does the em driver work with Intel-based network cards of other vendors such as the Silicom PE2G4SFPI35L or the PE2G4SFPI80L, which are based on the Intel i340AM4 and 82580EB controllers respectively? Or is there another card with 4-port 1000-Base-LX capable hardware I missed?

Sincerely,

Uday MOORJANI

PS
Loving the OS.
Re: gKrypt GPU Accelerated Encryption for OpenBSD
PS. This seems to be a proprietary project; on the other hand, thoughts are towards a new open source, BSD licensed integration of commodity GPUs for native encryption in OpenBSD. If this has already been done, by all means please advise as to where I can get more information.

On Fri, Mar 3, 2017 at 11:51 AM, Uday MOORJANI <umoorjani.v...@gmail.com> wrote:
> Hi Guys,
>
> Do you think this would be a good project to port? I have a personal
> project based on OpenBSD (not limited to), it's a network function for the
> SDDC space; since scalability is CPU intensive I believe the ability to
> offload encryption hooks native to OS used by services (VPN, SSL/TLS,
> SSL-VPN, SSL Offloading etc..) in the SDDC could be a good addition to
> OpenBSD, a great niche as well. :)
>
> Glad to hear your thoughts.
>
> Sincerely,
>
> Uday M
gKrypt GPU Accelerated Encryption for OpenBSD
Hi Guys,

Do you think this would be a good project to port? I have a personal project based on OpenBSD (not limited to it); it's a network function for the SDDC space. Since scalability is CPU intensive, I believe the ability to offload encryption hooks native to the OS, used by services (VPN, SSL/TLS, SSL-VPN, SSL offloading etc.) in the SDDC, could be a good addition to OpenBSD, and a great niche as well. :)

Glad to hear your thoughts.

Sincerely,

Uday M
OpenBSD BFD Implementation
Dear Misc,

Hope all is fine. I'm trying to find an implementation of BFD for OpenBSD and I read Peter's that it was still under development. My questions are:

- Has anyone tried OpenBFDd on OpenBSD?
- Same question but with BIRD's implementation of BFD? I read on a forum that BIRD on OpenBSD doesn't support BFD, but I'm having doubts as the website of BIRD says otherwise.

Thanks guys,

Uday
OpenBGPd - Multi-home ISP : DDoS Protection
Dear OpenBSD-Misc,

First of all, awesome work on the OpenBGPd and BFD code. I'm working on a WAN setup for an enterprise and we are migrating from static-route WAN to a full-fledged BGP transit in a multi-home environment, for the specific purpose of providing the best possible path/route to our service catalogue. The service catalogue within the enterprise is orchestrated by a private VMware cloud with added software defined networking (micro-segmentation) capabilities within the private cloud via NSX.

My concern is about DDoS protection for the ingress traffic; in my logic it makes no sense to contract a service such as Imperva or Cloudflare as DDoS protection on the network level, as proper PF (firewall) rules in place should protect us at line rate.

My doubts are:

- Are the rules provided for anti-DDoS sufficient? Is there a good soul to share some rulesets?
- Am I out of my mind for choosing OpenBGPd/OpenBSD for my transit WAN? I love the fact that we're sandboxed and hyperthreaded and am particularly content with the resolution of the convergence time problems (http://undeadly.org/cgi?action=article=20151106171337=expanded)
- Is there a way to contract support in case sh*t hits the fan with OpenBGPd?
- What are the best tools to supervise and test-bed the performance of an OpenBGPd instance? (most definitely the dumbest question)

Again, love the fact I can get some sleep with OpenBSD/OpenBGPd; please do get back to me for commercial support to calm the nerves.

Sincerely,

Uday MOORJANI
Re: CARP problem : slave rioting
Can you post configuration files for the carp interfaces?

Nonviolence means avoiding not only external physical violence but also internal violence of spirit. You not only refuse to shoot a man, but you refuse to hate him.
Rev. Martin Luther King Jr.

On Mon, Jun 22, 2009 at 11:01 AM, BARDOU Pierre <bardo...@mipih.fr> wrote:
> Hello,
>
> I have a setup with 2 OpenBSD boxes used as firewall; redundancy is made using CARP. Each has 4 NICs: 1 for internet, 1 for pfsync, and the last two are used as a trunk, collecting all other VLANs. Master's advskew is 10, slave's is 50.
>
> All worked like a charm for nearly 2 years, but for 3 weeks I have had odd problems:
>
> * on the net interface, the backup becomes master, but the master remains master - nearly half of the packets are lost. I did a tcpdump on the slave's interface; carp packets from the master arrive, but it remains master!
>
> Jun 22 16:42:50.572205 00:00:5e:00:01:0a 01:00:5e:00:00:12 0800 70: CARPv2-advertise 36: vhid=10 advbase=1 advskew=10 demote=0 (DF) [tos 0x10]
> Jun 22 16:42:50.748122 00:00:5e:00:01:0a 01:00:5e:00:00:12 0800 70: CARPv2-advertise 36: vhid=10 advbase=1 advskew=50 demote=0 (DF) [tos 0x10]
>
> * on my DMZ interface (vlan 4), the carp is in INIT state. By the way, as it is part of a trunk, physical connections are good: they work for all other VLANs.
>
> When I shut down the corresponding carp interface on the slave (ifconfig carp4 down), master becomes master again.
>
> Could you give me any clue to keep my master in master state?
>
> Thank you
>
> --
> Regards,
> Pierre BARDOU
> CSIM - Bureau 012
> Midi Picardie Informatique Hospitalière
> 12 rue Michel Labrousse BP93668
> F-31036 Toulouse CEDEX 1
> Tél : 05 67 31 90 84
> Fax : 05 34 61 51 00
> Mail : bardo...@mipih.fr
pf-relayd-carp - multiple carp aliases to be used in relayd
Hi,

I've set up pf, relayd and carp to work together as a load balancer. I have one carp interface on the public internet on both servers:

inet 192.168.172.77 255.255.255.240 192.168.172.79 vhid 1 pass foo
inet alias 192.168.172.74 255.255.255.255

I wish to use IP aliases on the carp interface to send load balanced traffic through relayd, traffic such as http/https. My goal here is to be able to bind service ports to external IP aliases on the carp interface and proxy the traffic to my internal network. I have relayd configured to receive https traffic on the aliased IP of the carp interface:

relay https-proxy {
        listen on 192.168.172.74 port 443 ssl
        protocol https
        forward to <webhosts> port 80 mode loadbalance check http "/" code 200
}

Now this configuration works like a charm... but not for long. After a while I get timed out to the server. I tried setting up a second carp interface with a different vhid to be sure that there were no conflicts. Even after that I get the same symptom. When I try to tcpdump the incoming traffic I see nothing coming in. All of this happens after a while, not right away; I have to do "sh /etc/netstart" on both servers for it to go back to normal, and then a while later it starts to have the same reaction.

Has anyone tried this sort of configuration? If yes, do you have production examples or best practices you can share?

Thank you very much for your kind support.
Re: CARP problem : slave rioting
Pierre,

If I'm not mistaken the vhid on all your carp interfaces is the same value. I would suggest you use a unique value for each group. From the man page:

    The Virtual Host ID. This is a unique number that is used to identify the redundancy group to other nodes on the network. Acceptable values are from 1 to 255.

I think this is the way to go but I'm not sure.

UM

On Fri, Jun 26, 2009 at 6:31 AM, BARDOU Pierre <bardo...@mipih.fr> wrote:
> Hello,
>
> CARP is configured using a script. Here it is (truncated version):
>
> ifconfig carp5 create
> ifconfig carp5 vhid 10 advskew $1 pass $PASS 10.31.0.254/16 description LAN
> ifconfig carp2 create
> ifconfig carp2 vhid 10 advskew $1 pass $PASS 193.57.199.254/24 description "DMZ 1"
> ifconfig carp3 create
> ifconfig carp3 vhid 10 advskew $1 pass $PASS 10.193.57.254/24 description "DMZ 2"
> ifconfig carp12 create
> ifconfig carp12 vhid 10 advskew $1 pass $PASS 8.8.0.254/24 description "DMZ 3"
> ifconfig carp13 create
> ifconfig carp13 vhid 10 advskew $1 pass $PASS 10.193.70.254/24 description "DMZ 5"
> ifconfig carp4 create
> ifconfig carp4 vhid 10 advskew $1 pass $PASS 10.60.0.254/24 description "DMZ Internet"
> ifconfig carp4 alias 217.109.108.1/24
> ifconfig carp14 create
> ifconfig carp14 vhid 10 advskew $1 pass $PASS 217.109.xxx.xxx/28 description Internet
>
> --
> Regards,
> Pierre BARDOU
>
> -----Original message-----
> From: uday [mailto:umoorjani@gmail.com]
> Sent: Friday 26 June 2009 12:21
> To: BARDOU Pierre
> Cc: misc@openbsd.org
> Subject: Re: CARP problem : slave rioting
>
> Can you post configuration files for the carp interfaces?
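As an added illustration, not part of the thread or of OpenBSD, a small Python script that automates the two observations above: the shared-vhid check Uday suggests, run over an ifconfig script, and the dual-master indicator in Pierre's tcpdump (advertisements for vhid 10 carrying both advskew 10 and advskew 50; only the master of a group sends advertisements). The sample script and the third tcpdump line are constructed for the example.

```python
"""Two checks on CARP configuration and traffic (added example, not from the
thread or OpenBSD): report vhids shared by several carp interfaces in an
ifconfig script, and report a vhid advertised with more than one advskew on
a segment. Only the MASTER of a redundancy group sends advertisements, so
two advskews for one vhid means two hosts each think they are master."""
import re
from collections import defaultdict

VHID_RE = re.compile(r"^ifconfig\s+(carp\d+)\s+vhid\s+(\d+)", re.M)
ADV_RE = re.compile(r"CARPv2-advertise.*?vhid=(\d+)\s+advbase=(\d+)\s+advskew=(\d+)")

# Constructed sample, loosely after Pierre's script: three groups on vhid 10,
# one on vhid 20 (192.0.2.0/24 is a documentation prefix).
SAMPLE_SCRIPT = """\
ifconfig carp5 create
ifconfig carp5 vhid 10 advskew $1 pass $PASS 10.31.0.254/16 description LAN
ifconfig carp2 create
ifconfig carp2 vhid 10 advskew $1 pass $PASS 193.57.199.254/24 description "DMZ 1"
ifconfig carp4 create
ifconfig carp4 vhid 10 advskew $1 pass $PASS 10.60.0.254/24 description "DMZ Internet"
ifconfig carp4 alias 217.109.108.1/24
ifconfig carp14 create
ifconfig carp14 vhid 20 advskew $1 pass $PASS 192.0.2.254/28 description Internet
"""

# The two tcpdump lines from the thread plus one constructed line for vhid 20
# (its virtual MAC 00:00:5e:00:01:14 carries the vhid in the last byte).
SAMPLE_TCPDUMP = """\
Jun 22 16:42:50.572205 00:00:5e:00:01:0a 01:00:5e:00:00:12 0800 70: CARPv2-advertise 36: vhid=10 advbase=1 advskew=10 demote=0 (DF) [tos 0x10]
Jun 22 16:42:50.748122 00:00:5e:00:01:0a 01:00:5e:00:00:12 0800 70: CARPv2-advertise 36: vhid=10 advbase=1 advskew=50 demote=0 (DF) [tos 0x10]
Jun 22 16:42:51.101010 00:00:5e:00:01:14 01:00:5e:00:00:12 0800 70: CARPv2-advertise 36: vhid=20 advbase=1 advskew=10 demote=0 (DF) [tos 0x10]
"""


def vhids_by_interface(script):
    """Map carp interface -> vhid from 'ifconfig carpN vhid V ...' lines."""
    return {iface: int(vhid) for iface, vhid in VHID_RE.findall(script)}


def shared_vhids(script):
    """{vhid: [interfaces]} for every vhid configured on more than one interface."""
    groups = defaultdict(list)
    for iface, vhid in vhids_by_interface(script).items():
        groups[vhid].append(iface)
    return {v: sorted(ifs, key=lambda i: int(i[4:]))
            for v, ifs in groups.items() if len(ifs) > 1}


def parse_advertisements(dump):
    """List of (vhid, advbase, advskew) from tcpdump CARP advertisement lines."""
    return [(int(v), int(b), int(s)) for v, b, s in ADV_RE.findall(dump)]


def dual_masters(dump):
    """{vhid: sorted advskews} for groups advertised with more than one advskew,
    i.e. more than one host is currently sending as master for that group."""
    seen = defaultdict(set)
    for vhid, _advbase, advskew in parse_advertisements(dump):
        seen[vhid].add(advskew)
    return {v: sorted(s) for v, s in seen.items() if len(s) > 1}


def expected_master_skew(dump):
    """Lowest advskew seen per vhid: the host that should win the election."""
    best = {}
    for vhid, _advbase, advskew in parse_advertisements(dump):
        best[vhid] = min(advskew, best.get(vhid, advskew))
    return best


if __name__ == "__main__":
    print("shared vhids:", shared_vhids(SAMPLE_SCRIPT))
    print("dual masters:", dual_masters(SAMPLE_TCPDUMP))
    print("expected master advskew:", expected_master_skew(SAMPLE_TCPDUMP))
```

Feed it a capture from the carp parent interface (tcpdump -n -i <carpdev> -e proto carp) to watch a real segment for the same symptom.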
Re: binding services on carp
I got it. For those who don't know, you have to bind to the carp address but with a specific pf entry:

rdr on $ExtIf proto tcp from any to carp0 port ftp tag FTPROXY -> lo0 port 8021
pass in log on $ExtIf inet proto tcp from any to lo0 port 8021 flags S/SA keep state tagged FTPROXY

Works like a charm! Gotta love OpenBSD!

On Wed, May 27, 2009 at 8:25 AM, Stephan A. Rickauer <stephan.ricka...@ini.phys.ethz.ch> wrote:
> On Tue, 2009-05-26 at 16:18 -0400, uday wrote:
>> Hey guys,
>>
>> A quick question, is there a way to bind services to the carp interface? You see I have an ftp-proxy running and I wanted to use carp since I'm already doing fail-over with PF.
>>
>> FTP client -- Redundant Firewall w/ftp-proxy -- Internal FTP-SERVER
>
> man ftp-proxy, see -a flag.
binding services on carp
Hey guys,

A quick question, is there a way to bind services to the carp interface? You see I have an ftp-proxy running and I wanted to use carp since I'm already doing fail-over with PF.

FTP client -- Redundant Firewall w/ftp-proxy -- Internal FTP-SERVER
HTTP Client -- Redundant Firewall w/ Relayd -- Internal Apache Servers

If carp is not suitable, does anyone have any experience implementing something like this?

Thanks for the tips.

UM
relayd - trunked web pages
Hi,

I'm experiencing something very peculiar with relayd. I have had relayd in production for quite some time and I'm observing, over the long term, that relayd starts to truncate http responses and I don't seem to know why. When I restart relayd everything starts working again. Can anyone point me in a direction where I can start looking to debug this issue and eventually resolve it?

Here is my relayd.conf:

relayd_addr=192.168.172.77
https_port=443
http_port=80

table <web_hosts> { 192.168.223.58 }

interval 10
timeout 1000
prefork 5
log all

http protocol httpssl {
        ssl { sslv3, tlsv1, ciphers "MEDIUM:!ADH", no sslv2 }
        header append "$REMOTE_ADDR" to "X-Forwarded-For"
}

http protocol httpsimple {
        header append "$REMOTE_ADDR" to "X-Forwarded-For"
}

relay https-proxy {
        listen on $relayd_addr port $https_port ssl
        protocol httpssl
        forward to <web_hosts> port $http_port mode loadbalance check http "/" code 200
}

relay http-proxy {
        listen on $relayd_addr port $http_port
        protocol httpsimple
        forward to <web_hosts> port $http_port mode loadbalance check http "/" code 200
}

Here is my pf.conf:

ext_if = vic0
int_if = vic1
ext_ip = 192.168.172.77
ftp_ip = 192.168.223.58

nat-anchor "ftp-proxy/*"
nat on $ext_if inet from $int_if -> ($ext_if)
rdr-anchor "relayd/*"
rdr-anchor "ftp-proxy/*"

pass in on $ext_if inet proto tcp to $ext_ip port 21 flags S/SA keep state
pass out on $int_if inet proto tcp to $ftp_ip port 21 user proxy flags S/SA keep state
pass in log (all, to pflog1) on $ext_if inet proto tcp to $ext_if port 21 keep state
anchor "relayd/*"
anchor "ftp-proxy/*"

UM
Thank you for Relayd
I just wanted to thank the developers and contributors of Relayd. It's a wonderful load balancer, very well written. GOOD JOB guys! FYI, you saved us 75,000$ in F5 equipment.

um
Re: Thank you for Relayd
I'm negotiating a community contribution budget for all the open source software we're using. It should be a good thing for the community.

um.

On Mon, Jan 26, 2009 at 1:53 PM, Dag Richards <dagricha...@speakeasy.net> wrote:
> I assume that your company will send say 10% of that saved cash to the project now to ensure continued development and maintenance? ;)
>
> On 1/26/09 9:32 AM, uday wrote:
>> I just wanted to thank the developers and contributors of Relayd. It's a wonderful load balancer, very well written. GOOD JOB guys! FYI, you saved us 75,000$ in F5 equipment.
>>
>> um
Re: Can't get relayd to work for DNS + problem with relayctl reload
pierre,

i'm seeing the same result with relayctl; i don't know where it's coming from.

um

On Wed, Jan 14, 2009 at 8:16 AM, BARDOU Pierre <bardo...@mipih.fr> wrote:
> Shame on me, it didn't work because I allowed connection to the real IP (10.60.0.10x) and not to the relayd IP (10.31.33.254). Now it works, thanks for the help :)
>
> But I still have the issue I reported a few months ago: when I use a relay, relayctl reload fails saying "command failed". The relayd logs say nothing. Will I be forced to pkill relayd and restart it each time?
>
> --
> Regards,
> Pierre BARDOU
>
> -----Original message-----
> From: Nigel J. Taylor [mailto:njtay...@asterisk.demon.co.uk]
> Sent: Wednesday 14 January 2009 02:22
> To: BARDOU Pierre
> Subject: Re: Can't get relayd to work for DNS
>
> I have this in my relayd.conf, it's just an extract, only a pass in in pf.conf. You use either relay or redirect, not both at once; redirect requires an anchor in pf.conf, relay doesn't.
>
> dns protocol dnsudp
> tcp protocol dnstcp
>
> relay relaydnsudp {
>         protocol dnsudp
>         listen on $dns_int port domain
>         forward to <DNSSERVERS> \
>                 check script "/usr/local/bin/dnscheck"
> }
>
> relay relaydnstcp {
>         protocol dnstcp
>         listen on $dns_int port domain
>         forward to <DNSSERVERS> \
>                 check script "/usr/local/bin/dnscheck"
> }
>
> The dnscheck script does a dig to check dns is up:
>
> #!/bin/ksh
> dnsserver=$1
> if ping -n -c1 -w 1 $dnsserver >/dev/null 2>&1 && dig -x \
>     $dnsserver @$dnsserver >/dev/null
> then
>         exit 1
> fi
> exit 0
>
> Regards
>
> Nigel Taylor
>
> BARDOU Pierre wrote:
>> Hello,
>>
>> I am trying to setup relayd for loadbalancing on my DNS servers. The problem is that relayd seems to handle only TCP connections; UDP isn't taken into account. I found a known bug on OpenBSD 4.2, but I am using OpenBSD 4.4. I've tried the same setup with a relay, and still have the same problem. Where am I mistaken?
>>
>> # pfctl -a relayd/DNS -s nat
>> rdr inet proto tcp from any to 10.31.33.254 port = domain (tcp.established 600) -> <DNS> port 53 round-robin
>>
>> # cat /etc/relayd.conf
>> node1=10.60.0.101
>> node2=10.60.0.102
>> node3=10.60.0.103
>> squid_int=10.31.33.254
>> dns_int=10.31.33.254
>>
>> # Global Options
>> interval 5
>> log updates
>> prefork 10
>> timeout 1500
>>
>> table <squid> { $node1 , $node3 }
>> table <DNS> { $node1 , $node3 }
>>
>> redirect squid {
>>         listen on $squid_int port 3128
>>         forward to <squid> mode roundrobin check tcp
>> }
>>
>> redirect DNS {
>>         listen on $dns_int port 53
>>         forward to <DNS> mode roundrobin check tcp
>> }
>>
>> Relay config:
>>
>> dns protocol dnsfilter {
>>         ### TCP performance options
>>         tcp { nodelay, sack, socket buffer 1024, backlog 1000 }
>> }
>>
>> relay dns {
>>         ### listen and accept redirected connections from pf
>>         listen on $dns_int port 53
>>         ### apply web filters
>>         protocol dnsfilter
>>         ### forward to web server(s)
>>         forward to <DNS> mode roundrobin check tcp
>> }
>>
>> --
>> Regards,
>> Pierre BARDOU
>> CSIM - Bureau 012
>> Midi Picardie Informatique Hospitalière
>> 12 rue Michel Labrousse BP93668
>> F-31036 Toulouse CEDEX 1
>> Tél : 05 67 31 90 84
>> Fax : 05 34 61 51 00
>> Mail : bardo...@mipih.fr
relayd - ssl offloading
hi,

I'm trying to get relayd to work with ssl and I'm having quite a hard time. I get the error message:

SSL library error: httpproxy: relay_ssl_accept: error:140B512D:SSL routines:SSL_GET_NEW_SESSION:ssl session id callback failed relay

which involves /dev/random issues. So to test if it was a general problem with /dev/random I installed stunnel and forwarded all https packets from stunnel to the webhosts in relayd, and it works, so I narrowed it down to relayd. I checked the rights on /dev/random and I don't have any issues with it. Can someone point me in the direction to resolving my problem please? Any idea on how to solve this?

Here is the relayd log snippet:

startup
init_filter: filter init done
init_tables: created 0 tables
relay_privinit: adding relay httpproxy
protocol 0: name httpfilter
        flags: 0x20004
        type: tcp
        request change Connection to close
        request change Keep-Alive to $TIMEOUT
        request append $SERVER_ADDR:$SERVER_PORT to X-Forwarded-By
        request append $REMOTE_ADDR to X-Forwarded-For
        response change Server to Server1
relay_init: max open files 11095
relay_init: max open files 11095
relay_ssl_ctx_create: loading certificate
relay_ssl_ctx_create: loading certificate
relay_ssl_ctx_create: loading private key
relay_ssl_ctx_create: loading private key
adding 1 hosts from table web_hosts:80
adding 1 hosts from table web_hosts:80
relay_launch: running relay httpproxy
relay_launch: running relay httpproxy
relay_init: max open files 11095
relay_init: max open files 11095
relay_ssl_ctx_create: loading certificate
relay_ssl_ctx_create: loading certificate
relay_ssl_ctx_create: loading private key
relay_ssl_ctx_create: loading private key
adding 1 hosts from table web_hosts:80
adding 1 hosts from table web_hosts:80
relay_launch: running relay httpproxy
relay_launch: running relay httpproxy
relay_init: max open files 11095
relay_ssl_ctx_create: loading certificate
relay_ssl_ctx_create: loading private key
adding 1 hosts from table web_hosts:80
relay_launch: running relay httpproxy
hce_notify_done: 192.168.190.53 (recv_icmp: done)
host 192.168.190.53, check icmp (0ms), state unknown -> up, availability 100.00%
pfe_dispatch_imsg: state 1 for host 1 192.168.190.53
hce_notify_done: 192.168.190.53 (recv_icmp: done)

Here is my relayd.conf:

relayd_addr=192.168.172.77
relayd_port=8080
web_port=80

table <web_hosts> { 192.168.190.53 }

interval 10
timeout 200
prefork 5

http protocol httpfilter {
        return error
        header append "$REMOTE_ADDR" to "X-Forwarded-For"
        header append "$SERVER_ADDR:$SERVER_PORT" to "X-Forwarded-By"
        header change "Keep-Alive" to "$TIMEOUT"
        header change "Connection" to "close"
        response header change "Server" to "Server1"
        ssl { sslv3, tlsv1, ciphers "HIGH:!ADH", no sslv2 }
}

relay httpproxy {
        listen on $relayd_addr port $relayd_port ssl
        protocol httpfilter
        forward to <web_hosts> port $web_port mode loadbalance check icmp
}

Here is my pf.conf:

int_if=bce0
rdr-anchor "relayd/*"
rdr pass on $int_if proto tcp to port 443 -> 192.168.172.77 port 8080

--
uday
Re: relayd - ssl offloading
Hi guys,

I tried generating random numbers with the _relayd user without a problem:

[_rel...@myserver /etc/ssl]$ od -D -A n /dev/random | head -2
 2530374051 2874409472 1650458018 3736200264
 1776311775  448067355 3385764049  245858356
[_rel...@myserver /etc/ssl]$ od -D -A n /dev/random | head -2
 3500873714 1514410290 1261638879 3441183390
 1244646393 1231567229 2455711758 3155117271
[_rel...@myserver /etc/ssl]$ od -X -A n /dev/random | head -2
 ec656a22 865705af fba217e9 9141ec7c
 24cab115 1d520b9a ba1e1c48 a5016cbd
[_rel...@myserver /etc/ssl]$ od -X -A n /dev/random | head -2
 82028e10 a31642ab ea289fa8 986233be
 620b5ed3 69888e5b 938c7cdf 2e9f2794

Now I really don't know where to go. I tried out pound and it handled ssl proxying like a pro. Am I missing something here? Am I even debugging correctly?

Thanks a lot for the help guys.

uday

On Fri, Dec 19, 2008 at 11:08 AM, uday <umoorjani@gmail.com> wrote:
> hi,
>
> I'm trying to get relayd to work with ssl and I'm having quite a hard time. I get the error message:
>
> SSL library error: httpproxy: relay_ssl_accept: error:140B512D:SSL routines:SSL_GET_NEW_SESSION:ssl session id callback failed relay
>
> which involves /dev/random issues. So to test if it was a general problem with /dev/random I installed stunnel and forwarded all https packets from stunnel to the webhosts in relayd, and it works, so I narrowed it down to relayd. I checked the rights on /dev/random and I don't have any issues with it. Can someone point me in the direction to resolving my problem please? Any idea on how to solve this?
Re: relayd exits when disabling and enabling hosts
I like relayd and am fully satisfied with it. Pyr and Reyk have done a great job. It just needs a few more algorithms and other features, but overall it does the job. I know I couldn't have done better :-) Just my 2 cts.
offloading layer 7 packet classification to hardware
hi guys, i just wanted to know if anyone has any experience with offloading PF layer 7 packet classification to hardware accelerators such as Sensory Networks' HyperScan? http://sensorynetworks.com/Products/HyperScan

sincerely,

uday
commercial support - pf/relayd
Hi, just wanted to know if there were any commercial support available for pf/relayd in particular or any other support contract that could include these two components. sincerely, uday
Re: relayd - tcp_write: connect timed out
> Ick: those are pre-HTTP-1.0 requests, as they lack a protocol and version identifier. What relayd actually sends is a HEAD request with protocol HTTP/1.0. You don't specify a hostname in your config, so it doesn't send a Host: header field.
>
> Try those again using something like:
>
> printf "HEAD / HTTP/1.0\r\n\r\n" | nc 192.168.4.76 80

Did exactly what you said:

# printf "HEAD / HTTP/1.0\r\n\r\n" | nc 192.168.4.76 80
HTTP/1.1 200 OK
Date: Mon, 27 Oct 2008 10:51:32 GMT
Server: Apache/2.2.8 (Ubuntu)
Last-Modified: Wed, 01 Oct 2008 20:01:13 GMT
ETag: "1bd35-34-458368fed1440"
Accept-Ranges: bytes
Content-Length: 52
Connection: close
Content-Type: text/html

uday
Re: IBM x3350
I don't know about that, but if it doesn't you can install obsd over VMware ESXi and it will work like a charm :)

uday

On Mon, Oct 27, 2008 at 4:03 PM, Johan Borch [EMAIL PROTECTED] wrote:
> Hi,
>
> I know that there has been a lot of mails about the IBM x-series lately, but is it the same problem with all of them (Adaptec raid)? I couldn't find anything about the x3350 on the lists; does anyone know if that one works with OpenBSD?
>
> Regards
> Johan
Re: relayd - tcp_write: connect timed out
> For instance can you ensure that you can connect to the web server from the redirector (the machine running relayd) by using netcat? Run this on the web server.
>
> $ nc -l 1234
>
> and from the relayd machine try
>
> $ nc 192.168.4.78 1234

Well this worked out:

# nc 192.168.4.78 80
GET /
<html><body><h1>It works! web01</h1></body></html>
# nc 192.168.4.76 80
GET /
<html><body><h1>It works! web02</h1></body></html>

> For instance have you ensured that the web server and the clients are in separate networks connected/routed by the relayd machine?

My nodes have the relayd machine as default gateway. Is that sufficient?

> There are certain unwritten ground rules to be followed for rdr to work. For instance if your reverse path does not match the forward path between the client and the server, then rdr will fail and the TCP handshake will not go through.

Okay, as a client we have a firewall that serves as our default gateway for our laptops, which is 192.168.4.254. The relayd server has that as a default gateway as well. But the nodes have the relayd server as their default gateway, so the forward/return path should be identical in my configuration if I'm not mistaken.

> Basically rdr should get a chance to see the packets in both directions to function properly.

Thanks for your kind attention to my problem. I'm still confused though; I'll go ahead and tcpdump this and see where it takes me. I would appreciate greater understanding of this.

Sincerely,

Uday
Re: relayd - tcp_write: connect timed out
I think I'm on to something here, when I change the check instructions from 'http / get 200' to 'icmp' I get no errors and the relaying works like a charm (you should've seen my face). The issue is to get relayd to check http correctly. I'll continue this and post my results for the others after me. uday
relayd - tcp_write: connect timed out
Hi Guys,

I'm trying out relayd here and, first of all, felicitations to PYR and the community for their work on this piece of software. This is my first time installing it and while trying it out I came onto an issue: I keep on getting "tcp_write: connect timed out" when relayd checks the hosts table. I searched the entire net for a solution and the only one I found is that a good timeout could solve the issue (rather than a patch, which is wrong, as said by the man himself, PYR). I just ran out of luck; I tried in every possible way to change the config and it's just not working. On the webserver side I'm not even seeing an attempt to connect, which is weird for me. I know I'm doing something wrong here but I don't see it; I would greatly appreciate it if anyone who encountered this problem could share a bit of info with me.

This is the message I'm getting when I try to connect to the loadbalancer on port 80:

relay httpproxy, session 1 (1 active), 0, 192.168.4.22 -> :80, session failed

This is the full debug of relayd with -d -vv:

--
startup
relay_privinit: adding relay httpproxy
protocol 0: name httpfilter
        flags: 0x20004
        type: tcp
        request change Keep-Alive to $TIMEOUT
        request append $REMOTE_ADDR to X-Forwarded-For
relay_init: max open files 3520
adding 2 hosts from table web_hosts:80
relay_launch: running relay httpproxy
init_filter: filter init done
init_tables: created 0 tables
relay_init: max open files 3520
adding 2 hosts from table web_hosts:80
relay_launch: running relay httpproxy
relay_init: max open files 3520
adding 2 hosts from table web_hosts:80
relay_launch: running relay httpproxy
relay_init: max open files 3520
adding 2 hosts from table web_hosts:80
relay_launch: running relay httpproxy
relay_init: max open files 3520
adding 2 hosts from table web_hosts:80
relay_launch: running relay httpproxy
tcp_write: connect timed out
hce_notify_done: 192.168.4.78 (tcp_write: connect failed)
host 192.168.4.78, check http code (18ms), state unknown -> down, availability 0.00%
tcp_write: connect timed out
hce_notify_done: 192.168.4.76 (tcp_write: connect failed)
host 192.168.4.76, check http code (19ms), state unknown -> down, availability 0.00%
pfe_dispatch_imsg: state -1 for host 3 192.168.4.78
pfe_dispatch_imsg: state -1 for host 2 192.168.4.76
tcp_write: connect timed out
relay httpproxy, session 1 (1 active), 0, 192.168.4.22 -> :80, session failed
hce_notify_done: 192.168.4.78 (tcp_write: connect failed)
tcp_write: connect timed out
hce_notify_done: 192.168.4.76 (tcp_write: connect failed)
--

Running OpenBSD 4.3

Here is my relayd.conf:

--
relayd_addr=127.0.0.1
relayd_port=8080
web_port=80

table <web_hosts> { 192.168.4.78, 192.168.4.76 }

interval 10
timeout 1000
prefork 5
log updates

http protocol httpfilter {
        return error
        header append "$REMOTE_ADDR" to "X-Forwarded-For"
        header change "Keep-Alive" to "$TIMEOUT"
}

relay httpproxy {
        listen on $relayd_addr port $relayd_port
        protocol httpfilter
        forward to <web_hosts> port $web_port mode loadbalance check http "/" code 200
}
--

Here is my pf.conf:

--
int_if=vic0
rdr-anchor "relayd/*"
rdr pass on $int_if proto tcp to port http -> 127.0.0.1 port 8080
--

Thanks for the help guys.

Sincerely,

Uday
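As an added illustration for this thread (not relayd's own code), a Python emulation of the health check the replies above describe: a HEAD request sent with HTTP/1.0, no Host: header unless a hostname is given, a connect timeout reported the way relayd's "tcp_write: connect failed" is, and rejection of replies that carry no status line (what the bare "GET /" in the netcat test returned). The sample response is taken from the thread; the local test server and the closed-port probe are fixtures constructed for the demo.

```python
"""Probe emulating relayd's 'check http <path> code <n>' (added example, not
relayd's own code): connect with a timeout, send HEAD with HTTP/1.0 and no
Host header unless a hostname is given, and judge the status line."""
import http.server
import re
import socket
import threading

STATUS_RE = re.compile(rb"^HTTP/\d\.\d (\d{3})")

# Constructed from the response shown in the thread (HEAD / HTTP/1.0 to Apache).
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                   b"Date: Mon, 27 Oct 2008 10:51:32 GMT\r\n"
                   b"Server: Apache/2.2.8 (Ubuntu)\r\n"
                   b"Content-Length: 52\r\n"
                   b"Connection: close\r\n"
                   b"Content-Type: text/html\r\n\r\n")
# What a bare 'GET /' (no version) gets back: body only, no status line.
SAMPLE_BODY_ONLY = b"<html><body><h1>It works! web01</h1></body></html>\n"


def parse_status(response):
    """Status code from a raw HTTP reply, or None when there is no HTTP/1.x
    status line (an HTTP/0.9-style body-only answer)."""
    first_line = response.split(b"\n", 1)[0].rstrip(b"\r")
    m = STATUS_RE.match(first_line)
    return int(m.group(1)) if m else None


def http_check(host, port, path="/", expect_code=200, timeout=1.0, hostname=None):
    """Return ('up', reason) or ('down', reason), with reasons phrased like the
    relayd log lines in the thread."""
    request = "HEAD %s HTTP/1.0\r\n" % path
    if hostname:            # relayd adds Host: only when the check names a host
        request += "Host: %s\r\n" % hostname
    request += "\r\n"
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as e:    # refused or timed out: 'tcp_write: connect failed'
        return "down", "connect failed (%s)" % e
    chunks = []
    try:
        with sock:
            sock.sendall(request.encode("ascii"))
            while True:     # HTTP/1.0: the server closes after the reply
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
    except OSError as e:
        return "down", "read failed (%s)" % e
    code = parse_status(b"".join(chunks))
    if code is None:
        return "down", "no HTTP status line in reply"
    if code != expect_code:
        return "down", "unexpected code %d" % code
    return "up", "code %d" % code


def local_test_server(code=200):
    """Throwaway HTTP/1.0 server on 127.0.0.1 (ephemeral port) answering HEAD
    with the given code; returns (server, port). Test fixture only."""
    class Handler(http.server.BaseHTTPRequestHandler):
        def do_HEAD(self):
            self.send_response(code)
            self.send_header("Content-Length", "0")
            self.end_headers()

        def log_message(self, *args):   # keep the demo output quiet
            pass

    server = http.server.HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def demo():
    """Probe a 200 server, a 503 server and a closed port; return the results."""
    results = []
    for code in (200, 503):
        server, port = local_test_server(code)
        try:
            results.append(http_check("127.0.0.1", port))
        finally:
            server.shutdown()
            server.server_close()
    probe = socket.socket()     # find a port nothing listens on
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()
    results.append(http_check("127.0.0.1", closed_port))
    return results


if __name__ == "__main__":
    for state, reason in demo():
        print(state, reason)
```

Pointing http_check at a real backend from the relayd host reproduces what the checker sees, independent of the pf rdr in front of it.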