Re: [FUG-BR] Relayd

2011-05-10 Posted by Rodrigo Mosconi
Look at this line:

relay_connect: session 762: forward failed: No route to host

Can the firewall ping the other hosts?
Can it reach port 80?


On 10 May 2011 at 10:58, Éderson Chimbida chimb...@gmail.com wrote:
 Folks, I know this is a FreeBSD list, but the Brazilian OpenBSD lists are
 pretty much dead, so here is my question...

 I have 2 firewalls with PF running CARP, and I recently replaced a
 proxy/balancer built on Apache 2.2 with relayd.

 I have 3 protocol rules and 3 relay rules, which relay to .NET web services
 running on IIS servers. Basically I do some checks on the HTTP headers, such
 as the Host, pass the client IP on to IIS (X-Forwarded-For), and do some
 checks on the User-Agent.

 The problem is that relayd keeps shutting down, and I have no idea why!

 When I run it with -d -v:

 relay_connect: session 762: forward failed: No route to host
 relay ws_acfc, session 762 (3 active), 0, 1xx.5x.1xx.1xx - 192.168.1.48:80,
 session failed (502 Bad Gateway)
 kill_tables: deleted 0 tables
 flush_rulesets: flushed rules
 pf update engine exiting
 host check engine exiting
 # socket relay engine exiting
 socket relay engine exiting
 socket relay engine exiting
 socket relay engine exiting
 socket relay engine exiting
 socket relay engine exiting
 socket relay engine exiting

 -- relayd.conf
 relayd_addr=127.0.0.1
 relay_ws_port=10082

 web_port=80
 table 47e48 { 192.168.1.47, 192.168.1.48 }

 ## Global Options
 interval 10
 timeout 200
 prefork 5
 log updates

 http protocol ws_xxx {
   ### TCP performance options
   tcp { nodelay, sack, socket buffer 65536, backlog 100 }
   ### Return HTTP/HTML error pages
   return error
   ### allow logging of remote client ips to internal web servers
   header append $REMOTE_ADDR to X-Forwarded-For
   header append $SERVER_ADDR:$SERVER_PORT to X-Forwarded-By
   ### set Keep-Alive timeout to global timeout
   header change Keep-Alive to $TIMEOUT
   ### close connections upon receipt
   header change Connection to close
   ### Block bad or abusive User-Agents (case insensitive)
   label BAD user agent
   request header filter  from User-Agent
   request header filter  from User-Agent
   request header filter  from User-Agent
   request header filter  from User-Agent
   request header filter  from User-Agent
   request header filter  from User-Agent
   request header filter  from User-Agent
   request header filter  from User-Agent
   ### Block bad Referrers, (case insensitive)
   label BAD referrer
   request header filter x* from Referer
   request header filter x* from Referer
   request header filter x* from Referer
   request header filter x* from Referer
   request header filter x* from Referer
   request header filter x* from Referer
   ### Anonymize our webserver's name/type
   response header change Server to JustSomeServer
   ### Block requests to wrong host (case insensitive)
   label HOST ERRADO
   request header expect services.x.net from Host
   request header expect servicesxx.x.net from Host
   request header expect servicesxxx.x.net from Host
 }


 relay ws_xxx {
   ### listen and accept redirected connections from pf. For most
   ### protocol types you can also use the synproxy flag in your pf.conf
   ### rules.
   listen on $relayd_addr port $relay_ws_port
   ### apply web filters listed above
   protocol ws_xxx
   ### forward to webserver(s) with load balancing and
   forward to 47e48 port $web_port mode loadbalance check icmp
 }
 -- relayd.conf

 Does anyone have any tips?

 --
 Éderson H. Chimbida
 -
 Archive: http://www.fug.com.br/historico/html/freebsd/
 Unsubscribe: https://www.fug.com.br/mailman/listinfo/freebsd



Re: [FUG-BR] Relayd

2011-05-10 Posted by Éderson Chimbida
Yes, it does manage the ICMP check, the hosts are OK...

I raised the state table limit in my pf.conf:

set limit { states 5, frags 5000 }

That seems to have fixed it, since so far it is holding up; whenever it went
past the 10,000 states that are the PF default, relayd would shut down!

--
Éderson H. Chimbida




Re: [FUG-BR] Relayd

2011-05-10 Posted by Rodrigo Mosconi
Look in ports for pfstats, set up the graphs, and you will have a great tool
to help track down these problems.



Re: [FUG-BR] Relayd

2011-05-10 Posted by Éderson Chimbida
The change only kept it up a little longer... but relayd ended up shutting
down again once the traffic increased!

I checked the states and it hit the limit, not least because it is set to 5.
Rodrigo, I already generate the graphs for states, searches, block, pass, etc...
in fact that is where I saw the states reaching 1!

Any tips?

--
Éderson H. Chimbida


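Both of Éderson's follow-ups tie the relayd failures to the pf state table filling up (first at the 10,000-state default, then at the raised limit). As an added example, not taken from the thread or from relayd/pf themselves, the POSIX sh script below reads the current state count from `pfctl -si` and the states hard limit from `pfctl -sm` and warns before the table is full, which is the check a monitoring job would run between pfstat graph intervals. The pfctl output embedded in it is constructed so the script runs offline, and `--live` is a flag of this script, not of pfctl.

```shell
#!/bin/sh
# Added example: warn when pf's state table approaches its hard limit,
# the condition under which relayd in this thread started failing.
# SAMPLE_SI / SAMPLE_SM are constructed stand-ins for `pfctl -si` and
# `pfctl -sm` output so the script can be run offline.

SAMPLE_SI='Status: Enabled for 3 days 02:11:54           Debug: Urgent

State Table                          Total             Rate
  current entries                     9870
  searches                       123456789         4604.6/s
  inserts                          1234567           46.0/s
  removals                         1224697           45.7/s'

SAMPLE_SM='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
tables        hard limit     1000
table-entries hard limit   200000'

# state_usage_pct SI_TEXT SM_TEXT
# Prints the integer percentage of the states hard limit currently in use.
state_usage_pct() {
    cur=$(printf '%s\n' "$1" | awk '/current entries/ { print $3 }')
    lim=$(printf '%s\n' "$2" | awk '$1 == "states" { print $4 }')
    [ -n "$cur" ] && [ -n "$lim" ] || return 1
    echo $(( cur * 100 / lim ))
}

# check_states PCT THRESHOLD
# Succeeds while usage is below the threshold, fails once it reaches it.
check_states() {
    [ "$1" -lt "$2" ]
}

# Pass --live (a flag of this script, not of pfctl) to query the running
# firewall instead of the constructed sample output.
main() {
    if [ "${1:-}" = "--live" ]; then
        si=$(pfctl -si) && sm=$(pfctl -sm) || return 2
    else
        si=$SAMPLE_SI; sm=$SAMPLE_SM
    fi
    pct=$(state_usage_pct "$si" "$sm") || { echo "cannot parse pfctl output" >&2; return 2; }
    if check_states "$pct" 90; then
        echo "pf states at ${pct}% of hard limit: OK"
    else
        echo "pf states at ${pct}% of hard limit: WARNING, raise 'set limit states' before relayd connections start failing"
    fi
}

main "$@"
```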