Re: [FUG-BR] Relayd
Note this line:

relay_connect: session 762: forward failed: No route to host

Can the firewall ping the other hosts? Can it reach port 80?

On 10 May 2011 10:58, Éderson Chimbida chimb...@gmail.com wrote:

> Folks, I know this is a FreeBSD list, but the Brazilian OpenBSD lists are
> pretty dead, so here is my question...
>
> I have 2 firewalls with PF running CARP, and I recently replaced a
> proxy balancer built on Apache 2.2 with relayd.
>
> I have 3 protocol rules and 3 relay rules, where I relay to .NET web
> services running on IIS servers. Basically I do some checks on the HTTP
> header, such as the host, pass the client IP to IIS (X-Forwarded-For),
> and do some user_agent checks.
>
> The problem is that relayd is exiting and I have no idea why!
>
> When I run it with -d -v:
>
> relay_connect: session 762: forward failed: No route to host
> relay ws_acfc, session 762 (3 active), 0, 1xx.5x.1xx.1xx - 192.168.1.48:80, session failed (502 Bad Gateway)
> kill_tables: deleted 0 tables
> flush_rulesets: flushed rules
> pf update engine exiting
> host check engine exiting
> # socket relay engine exiting
> socket relay engine exiting
> socket relay engine exiting
> socket relay engine exiting
> socket relay engine exiting
> socket relay engine exiting
> socket relay engine exiting
>
> -- relayd.conf
> relayd_addr=127.0.0.1
> relay_ws_port=10082
> web_port=80
> table 47e48 { 192.168.1.47, 192.168.1.48 }
>
> ## Global Options
> interval 10
> timeout 200
> prefork 5
> log updates
>
> http protocol ws_xxx {
>     ### TCP performance options
>     tcp { nodelay, sack, socket buffer 65536, backlog 100 }
>     ### Return HTTP/HTML error pages
>     return error
>     ### allow logging of remote client ips to internal web servers
>     header append $REMOTE_ADDR to X-Forwarded-For
>     header append $SERVER_ADDR:$SERVER_PORT to X-Forwarded-By
>     ### set Keep-Alive timeout to global timeout
>     header change Keep-Alive to $TIMEOUT
>     ### close connections upon receipt
>     header change Connection to close
>     ### Block bad or abusive User-Agents (case insensitive)
>     label BAD user agent
>     request header filter from User-Agent
>     request header filter from User-Agent
>     request header filter from User-Agent
>     request header filter from User-Agent
>     request header filter from User-Agent
>     request header filter from User-Agent
>     request header filter from User-Agent
>     request header filter from User-Agent
>     ### Block bad Referrers, (case insensitive)
>     label BAD referrer
>     request header filter x* from Referer
>     request header filter x* from Referer
>     request header filter x* from Referer
>     request header filter x* from Referer
>     request header filter x* from Referer
>     request header filter x* from Referer
>     ### Anonymize our webserver's name/type
>     response header change Server to JustSomeServer
>     ### Block requests to wrong host (case insensitive)
>     label HOST ERRADO
>     request header expect services.x.net from Host
>     request header expect servicesxx.x.net from Host
>     request header expect servicesxxx.x.net from Host
> }
>
> relay ws_xxx {
>     ### listen and accept redirected connections from pf. For most
>     ### protocol types you can also use the synproxy flag in your pf.conf rules.
>     listen on $relayd_addr port $relay_ws_port
>     ### apply web filters listed above
>     protocol ws_xxx
>     ### forward to webserver(s) with load balancing and
>     forward to 47e48 port $web_port mode loadbalance check icmp
> }
> -- relayd.conf
>
> Does anyone have any tips?
>
> --
> Éderson H. Chimbida

-------------------------
History: http://www.fug.com.br/historico/html/freebsd/
Unsubscribe: https://www.fug.com.br/mailman/listinfo/freebsd
Re: [FUG-BR] Relayd
Yes, it can do the ICMP check, the hosts are OK...

I increased the state table limit in my pf.conf:

set limit { states 5, frags 5000 }

It seems to have solved it, since so far it is holding up; whenever it went over the 10,000 states that is the PF default, relayd would exit!

--
Éderson H. Chimbida
Re: [FUG-BR] Relayd
Search the ports tree for pfstats, set up the graphs, and you will have a great tool to help solve these problems.
Re: [FUG-BR] Relayd
The change only kept it up a little longer... but relayd ended up exiting when the traffic increased!

I checked the states and it hit the limit, especially since it is set to 5.

Rodrigo, I generate the graphs of states, searches, block, pass etc... in fact that is where I saw that the states were reaching 1!

Any tips?

--
Éderson H. Chimbida
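
Added example, not part of the original thread: a small shell check of PF state-table occupancy against the `states` hard limit, the condition the posters associate with relayd exiting. The sample `pfctl -si` and `pfctl -sm` text is constructed, and the function names and the 80% warning threshold are assumptions.

```shell
#!/bin/sh
# Report PF state-table occupancy against the "states" hard limit.
# The sample text is constructed to mirror `pfctl -si` / `pfctl -sm` layout.

SAMPLE_INFO='State Table                          Total             Rate
  current entries                     9421
  searches                        48211930          312.4/s
  inserts                           903112            5.9/s
  removals                          893691            5.8/s'

SAMPLE_LIMITS='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
tables        hard limit     1000
table-entries hard limit   200000'

# current_states: read `pfctl -si` text on stdin, print the live state count.
current_states() {
    awk '$1 == "current" && $2 == "entries" { print $3; exit }'
}

# state_limit: read `pfctl -sm` text on stdin, print the states hard limit.
state_limit() {
    awk '$1 == "states" && $2 == "hard" { print $4; exit }'
}

# state_usage INFO LIMITS [WARN_PCT]: print "cur/max pct% STATUS".
# Returns 0 when OK, 1 at or above WARN_PCT, 2 when the input is unparsable.
state_usage() {
    cur=$(printf '%s\n' "$1" | current_states)
    max=$(printf '%s\n' "$2" | state_limit)
    warn=${3:-80}
    for n in "$cur" "$max"; do
        case "$n" in ''|*[!0-9]*) echo "unparsable"; return 2 ;; esac
    done
    [ "$max" -gt 0 ] || { echo "unparsable"; return 2; }
    pct=$((cur * 100 / max))
    if [ "$pct" -ge "$warn" ]; then
        echo "$cur/$max ${pct}% WARN"; return 1
    fi
    echo "$cur/$max ${pct}% OK"
}

# On a live firewall (as root): state_usage "$(pfctl -si)" "$(pfctl -sm)" 80
state_usage "$SAMPLE_INFO" "$SAMPLE_LIMITS" 80 || true
```

Run from cron, the non-zero exit status gives a warning before the table fills, rather than after relayd has already exited.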