Re: Problem filtering CARP in PF
> I just thought of something that bit me recently as well. With a real IPv6
> address CARP will send out advertisements via IPv4 _and_ IPv6. It's the same
> CARP message so if either one reaches the backup it's ok. Your block rule
> had inet so you were probably blocking IPv4 only. But because of the send
> errors (due to pf blocking) fw1 started to demote itself. Anyway, you have
> to block inet6 too if you want to block carp completely.

Hi,

I thought of this yesterday shortly after leaving ... Indeed, after bumping the net.inet.carp.log value even more, there are messages such as this one in /var/log/messages:

    fw1 /bsd: carp0: ip_output failed: 65
    fw1 /bsd: carp0: ip6_output failed: 65
    fw1 /bsd: carp1: ip_output failed: 65
    fw1 /bsd: carp1: ip6_output failed: 65

After clearing the states and reloading PF to allow CARP packets, fw1 says it transitioned from master to backup. I take it it's because of the demote counter: as soon as I set it back to 0, fw1 goes back to master and fw2 to backup.

The demotion counter is decremented when you lose connectivity (ip_output errors for instance), but shouldn't it be reincremented when you regain connectivity? I'm guessing the user is expected to do this with something like ifstated if it isn't done automatically.

I also tested the issue Frederic was having, and it seems to be fixed when you flush the rules and states after disabling PF.

@Russell I think either "pass quick proto carp keep state (no-sync)" or "pass quick proto carp no state" is more appropriate, as it also takes into account pfsync presence and saves you from debugging issues like the one I was having.

Thank you all for your help.

Marios.
EuroBSDCon 2012 Call For Proposals
EuroBSDcon 2012
===============

EuroBSDcon is the European technical conference for users and developers on BSD-based systems. The EuroBSDcon 2012 conference will be held in Warsaw, Poland from Thursday 18 October 2012 to Sunday 21 October 2012, with tutorials on Thursday and Friday and talks on Saturday and Sunday.

Call for Proposals
------------------

The EuroBSDcon conference is inviting developers and users of BSD-based systems to submit innovative and original papers not submitted to other European conferences on BSD-related topics. Topics of interest to the conference include, but are not limited to, applications, architecture, implementation, performance and security of BSD-based operating systems, as well as topics concerning the economic or organizational aspects of BSD use. Presentations are expected to be 45 minutes.

Call for Tutorial Proposals
---------------------------

The EuroBSDcon conference is inviting qualified practitioners in their field to submit proposals for half or full day tutorials on topics relevant to development, implementation and use of BSD-based systems.

Submission address
------------------

Proposals should be submitted by email to submiss...@eurobsdcon.org.

Important dates
---------------

The EuroBSDcon conference is accepting abstracts and tutorial proposals until 20 May 2012. Other important dates will be announced soon at the conference website http://2012.eurobsdcon.org/.
Re: Problem filtering CARP in PF
On 2-3-2012 9:23, Marios Makassikis wrote:
>> I just thought of something that bit me recently as well. With a real IPv6
>> address CARP will send out advertisements via IPv4 _and_ IPv6. It's the
>> same CARP message so if either one reaches the backup it's ok. Your block
>> rule had inet so you were probably blocking IPv4 only. But because of the
>> send errors (due to pf blocking) fw1 started to demote itself. Anyway, you
>> have to block inet6 too if you want to block carp completely.
>
> Hi,
>
> I thought of this yesterday shortly after leaving ... Indeed, after bumping
> the net.inet.carp.log value even more, there are messages such as this one
> in /var/log/messages:
>
>     fw1 /bsd: carp0: ip_output failed: 65
>     fw1 /bsd: carp0: ip6_output failed: 65
>     fw1 /bsd: carp1: ip_output failed: 65
>     fw1 /bsd: carp1: ip6_output failed: 65
>
> After clearing the states and reloading PF to allow CARP packets, fw1 says
> it transitioned from master to backup. I take it it's because of the demote
> counter: as soon as I set it back to 0, fw1 goes back to master and fw2 to
> backup.

Ok!

> The demotion counter is decremented when you lose connectivity (ip_output
> errors for instance), but shouldn't it be reincremented when you regain
> connectivity?

Yup, it should. Maybe inet4 clears the error counter for inet6 or vice versa. I'll take a look.

> I also tested the issue Frederic was having, and it seems to be fixed when
> you flush the rules and states after disabling PF.

Hmm, could be an issue as well. It looks like disabling pf does not clear out all states etc.

> @Russell I think either "pass quick proto carp keep state (no-sync)" or
> "pass quick proto carp no state" is more appropriate, as it also takes into
> account pfsync presence and saves you from debugging issues like the one I
> was having.

As it trips up many people maybe pfctl and/or pf should apply no-sync automatically for carp.
may 7 carp addresses be too much on 5.0/amd64 ?
hello!

we are running CARP-ed load balancers (carp over different vlans). it was running just great with 6 carp addresses. when we added the 7th, randomly we get MASTERs on both servers for a certain carp interface. After reboot we can get a different carp interface in dual MASTER state, and so on.

carp negotiations are ok, tcpdump shows them all. both peers see each other.

if I put one interface into BACKUP state, it goes to MASTER soon.

we are running 5.0/amd64

Cheers,
Ilya Shipitsin
Re: Problem filtering CARP in PF
On Fri, Mar 02, 2012 at 09:23:38AM +0100, Marios Makassikis wrote:
> The demotion counter is decremented when you lose connectivity (ip_output
> errors for instance), but shouldn't it be reincremented when you regain
> connectivity?

Well, that's a chicken and egg problem there. It won't send out any further advertisements, because its demote count is higher. But without doing so, it cannot know that the error is gone. We could try to solve this by sending some probe carp advertisements using an unused/reserved vhid, but I'm not sure if that's worth the trouble..
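The two pitfalls this thread turned up (a CARP block that names only inet, so the IPv6 copy of the advertisement still leaves, and a stateful CARP pass without no-sync) are mechanical enough to check before a ruleset is loaded. The shell/awk lint below is an added example, not code from the thread or from OpenBSD. It only inspects rules that literally say "proto carp", does not expand macros, anchors or included files, and both sample rulesets are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): lint a pf.conf for the two CARP
# pitfalls discussed above. Only rules naming "proto carp" are inspected;
# macros, anchors and include files are not expanded.

# carp_rule_check FILE
# Prints one finding per line; returns 1 if anything was found, else 0.
carp_rule_check() {
    findings=$(awk '
        {
            line = $0
            sub(/#.*/, "", line)                     # strip comments
            if (line ~ /\\[ \t]*$/) {                # "\" continuation: join
                sub(/\\[ \t]*$/, "", line)
                buf = buf line " "
                next
            }
            rule = buf line; buf = ""
            sub(/[ \t]+$/, "", rule)
            if (rule !~ /proto[ \t]+carp([ \t]|$)/) next
            if (rule ~ /^[ \t]*block/) {
                # An address family narrows the block; no family means both.
                if (rule ~ /[ \t]inet([ \t]|$)/)       v4++
                else if (rule ~ /[ \t]inet6([ \t]|$)/) v6++
                else { v4++; v6++ }
            }
            # A stateful pass without (no-sync) is replicated to the pfsync
            # peer; the thread recommends "no state" or "keep state (no-sync)".
            if (rule ~ /^[ \t]*pass/ && rule !~ /no[ \t]+state/ && rule !~ /\(no-sync\)/)
                print "state synced to peer: " rule
        }
        END {
            if (v4 && !v6) print "CARP blocked for inet only; inet6 advertisements still pass"
            if (v6 && !v4) print "CARP blocked for inet6 only; inet advertisements still pass"
        }' "$1")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed ruleset reproducing the setup in the thread: a v4-only block
# and a stateful pass that is not marked no-sync.
sample_bad_conf() {
    cat <<'EOF'
block in log inet proto carp             # blocks the IPv4 advertisement only
pass quick proto carp keep state         # state is replicated over pfsync
pass quick on $sync_if proto pfsync no state
EOF
}

# Constructed ruleset with the fixes suggested in the thread.
sample_good_conf() {
    cat <<'EOF'
pass quick on $sync_if proto pfsync no state
pass quick proto carp keep state (no-sync)
EOF
}

bad=$(mktemp); sample_bad_conf >"$bad"
good=$(mktemp); sample_good_conf >"$good"
echo "== bad =="
carp_rule_check "$bad" || echo "(exit $?)"
echo "== good =="
carp_rule_check "$good" && echo "ok"
rm -f "$bad" "$good"
```

Run it against the real file with `carp_rule_check /etc/pf.conf` before `pfctl -f`; a non-zero exit makes it usable as a pre-load gate in a deployment script.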
Re: may 7 carp addresses be too much on 5.0/amd64 ?
On Fri, Mar 02, 2012 at 01:53:17PM +0500, Ilya Shipitsin wrote:
> hello!
>
> we are running CARP-ed load balancers (carp over different vlans). it was
> running just great with 6 carp addresses. when we added the 7th, randomly we
> get MASTERs on both servers for a certain carp interface. After reboot we can
> get a different carp interface in dual MASTER state, and so on.
>
> carp negotiations are ok, tcpdump shows them all. both peers see each other.
>
> if I put one interface into BACKUP state, it goes to MASTER soon.
>
> we are running 5.0/amd64
>
> Cheers,
> Ilya Shipitsin

Carefully compare the address lists (including masks) on both machines. Likely they are not the same.

	-Otto
Re: may 7 carp addresses be too much on 5.0/amd64 ?
no, I copied hostname.carpXX, just added advskew 200. parameters are the same.

On 2 March 2012 15:25, Otto Moerbeek o...@drijf.net wrote:
> On Fri, Mar 02, 2012 at 01:53:17PM +0500, Ilya Shipitsin wrote:
>> hello!
>>
>> we are running CARP-ed load balancers (carp over different vlans). it was
>> running just great with 6 carp addresses. when we added the 7th, randomly
>> we get MASTERs on both servers for a certain carp interface. After reboot
>> we can get a different carp interface in dual MASTER state, and so on.
>>
>> carp negotiations are ok, tcpdump shows them all. both peers see each
>> other.
>>
>> if I put one interface into BACKUP state, it goes to MASTER soon.
>>
>> we are running 5.0/amd64
>>
>> Cheers,
>> Ilya Shipitsin
>
> Carefully compare the address lists (including masks) on both machines.
> Likely they are not the same.
>
> 	-Otto
OpenNTPd leap-second handling
[checked archives, FAQ, website, etc]

There's a leap-second on July 1st and I'm not seeing any equivalent configuration for OpenNTPd to the reference implementation's leapfile directive, to use a distributed leap-seconds file to let ntpd know of the leap-seconds epoch rollover.

A brief skim of the source (4.6p1) suggests that OpenNTPd passes on leap-second indicators found from servers but otherwise does nothing with them; in particular, the local clock is never adjusted as a result of leap-seconds, until after the event when the upstream servers pass on the new value of time and OpenNTPd corrects time accordingly, as though the local system were just a second fast (which it literally now is).

Is this correct? If not, can someone aim the cluebat appropriately to point me to what I've missed, please?

Is this "correct it afterwards as though fast" approach the planned behaviour, or merely a result of nobody getting around to implementing something better? Is there likely to be a release changing the behaviour before July 1st?

Thanks,
-Phil
Re: may 7 carp addresses be too much on 5.0/amd64 ?
hi list,

we have the same problem with carp (with 45 ip addresses), and after reboot the host with advskew 200 became master, and the one with advskew 1 slave.

2012/3/2 Ilya Shipitsin chipits...@gmail.com:
> no, I copied hostname.carpXX, just added advskew 200. parameters are the
> same.
>
> On 2 March 2012 15:25, Otto Moerbeek o...@drijf.net wrote:
>> On Fri, Mar 02, 2012 at 01:53:17PM +0500, Ilya Shipitsin wrote:
>>> hello!
>>>
>>> we are running CARP-ed load balancers (carp over different vlans). it was
>>> running just great with 6 carp addresses. when we added the 7th, randomly
>>> we get MASTERs on both servers for a certain carp interface. After reboot
>>> we can get a different carp interface in dual MASTER state, and so on.
>>>
>>> carp negotiations are ok, tcpdump shows them all. both peers see each
>>> other.
>>>
>>> if I put one interface into BACKUP state, it goes to MASTER soon.
>>>
>>> we are running 5.0/amd64
>>>
>>> Cheers,
>>> Ilya Shipitsin
>>
>> Carefully compare the address lists (including masks) on both machines.
>> Likely they are not the same.
>>
>> 	-Otto
Monitoring PF rules on egress interface not showing pass definitions
Hi,

I created a virtual instance of OpenBSD 5.0 x64 RELEASE edition using VirtualBox and set it up to be used as router/gateway with NAT, taking this: http://www.openbsd.org/faq/pf/example1.html as an example for practically getting to know Packet Filter, which I've never used before, and to get more familiar with OpenBSD itself.

Through reading the FAQ on PF and trying to understand the way it works, can someone clarify that the rule weightings are in bottom-up order? What I'm trying to clarify is that if I use a pseudo Cisco ACL statement:

    deny any any
    permit ip 1.1.1.1 any ip 2.2.2.2 80

line 2 with permit will **never** get matched because there is an implicit deny statement before it which has full weighting. Therefore one must first specify the permit then the deny in order for the ACL to have relevance.

In Packet Filter this seems to be the reverse according to the example page shown above or the FAQ: http://www.openbsd.org/faq/pf/filter.html meaning that using PF syntax, something like:

    block in log
    pass out quick
    antispoof quick for { lo $int_if }
    pass in on egress inet proto tcp from any to (egress) \
        port $tcp_services

will block everything from the statement "block in log", but if a pass statement is put after the filter's block statement the weighting will be on the pass line and hence a match will try to be determined.

In accordance with the above I activated RIPD, took down packet filter using:

    pfctl -d

and set up a connection to my router/gateway. Once everything was working, I activated packet filter again using:

    pfctl -e

and restarted RIPD for good measure:

    /etc/rc.d/ripd restart

All was good and RIPD wasn't able to send or receive any updates - actually due to the customization of Example1 from the FAQ, I think RIP updates were being sent but not able to be received! --please correct me if wrong.

So adding the lines:

    pass in on egress inet proto tcp from any to (egress) \
        port $tcp_services
    #--
    pass in on egress inet proto udp from any to (egress) \
        port $udp_services

in the mix, RIP information was now being passed internally **to** OpenBSD (but not through to the other side of the NAT).

The major issue I'm having with all of this is that I can't see anything! Even SSH'ing into the OBSD instance using tcpdump, from the example shown here: http://www.openbsd.org/faq/pf/logging.html

[quote]
    # tcpdump -n -e -ttt -r /var/log/pflog port 80

This can be further refined by limiting the display of packets to a certain host and port combination:

    # tcpdump -n -e -ttt -r /var/log/pflog port 80 and host 192.168.1.3

The same idea can be applied when reading from the pflog0 interface:

    # tcpdump -n -e -ttt -i pflog0 host 192.168.4.2
[/quote]

I get lines stating:

    Mar 02 16:38:38.875426 rule 3/(match) block in on em0: 192.168.0.1.520 > 255.255.255.255.520: RIPv2-resp [items 3]: {0.0.0.0}(1)[|rip] [tos 0xc0]

which means that information is being matched by rule 3 and being blocked! However, running tcpdump without as many restrictions directly on interface em0 (external interface):

    tcpdump port 520   (automatically defaults to int. em0)

    16:41:18.563311 OpenBSD.optiplex-networks.com.route > rip2-routers.mcast.net.route: RIPv2-resp [items 2]: {88.88.88.0/255.255.254.0}(1) {192.168.0.0/255.255.255.0}(16) [tos 0xc0] [ttl 1]
    16:41:24.354945 192.168.0.1.route > 255.255.255.255.route: RIPv2-resp [items 3]: {0.0.0.0}(1) {192.168.1.0/255.255.255.0}(1) {192.168.2.0/255.255.255.0}(1) [tos 0xc0]

Which also doesn't make sense as the router seems to be using broadcast for RIP while OpenBSD is sending the updates to a multicast address located at 224.0.0.9:520. Neither of which, however, tells me what the system is doing in terms of diagnostic or verbose output of whether packet filter is accepting or rejecting this information.

Taken from ripctl:

    # ripctl show fib
    flags: * = valid, R = RIP, C = Connected, S = Static
    Flags  Destination        Nexthop
    *S     0.0.0.0/0          192.168.0.1
    *R     0.0.0.0/0          192.168.0.1
    *C     88.88.88.0/23      link#2
    *S     127.0.0.0/8        127.0.0.1
    *C     127.0.0.1/8        link#0
    *      127.0.0.1/32       127.0.0.1
    *C     192.168.0.0/24     link#1
    *S     192.168.0.55/32    127.0.0.1
    *R     192.168.1.0/24     192.168.0.1
    *R     192.168.2.0/24     192.168.0.1
    *S     224.0.0.0/4        127.0.0.1

    # ripctl show neighbor
    ID             State          Address        Iface  Uptime
    192.168.0.1    ACTIVE/ACTIVE  192.168.0.1    em0    00:00:38

    # ripctl show fib rip
    flags: * = valid, R = RIP, C = Connected, S = Static
    Flags  Destination        Nexthop
    *R     0.0.0.0/0          192.168.0.1
    *R     192.168.1.0/24     192.168.0.1
    *R     192.168.2.0/24     192.168.0.1

Which shows from the rip side of things that everything's fine. Or using:

    # pfctl -ss
    all tcp 192.168.0.55:22 <- 192.168.0.82:32929
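The pflog lines quoted above become much easier to reason about once they are tallied by rule number and by the kind of destination address. The shell/awk script below is an added example, not from the post or from the PF FAQ; it assumes the line layout that "tcpdump -n -e -ttt -r /var/log/pflog" prints (as quoted in the post), and the sample log lines are constructed. It classifies the destination on purpose: the pass rule in the post is written "to (egress)", and "(egress)" expands to the addresses configured on the egress interface, so it cannot match RIP updates sent to 255.255.255.255 or 224.0.0.9. Those keep matching the catch-all block rule, which is exactly what a summary like this makes visible.

```shell
#!/bin/sh
# Added example (not from the post): summarise what pf logged, per rule,
# from the text "tcpdump -n -e -ttt -r /var/log/pflog" prints. The assumed
# layout is the one quoted in the post:
#   <date> <time> rule N/(reason) ACTION DIR on IFACE: SRC.PORT > DST.PORT: ...

# pflog_summary [FILE...]  ->  "COUNT RULE ACTION DIR IFACE port PORT KIND"
# KIND is broadcast, multicast or unicast, judged from the destination.
pflog_summary() {
    awk '
        /rule [0-9]+\// {
            rule = $5; sub(/\/.*/, "", rule)          # "3/(match)" -> "3"
            action = $6; dir = $7
            iface = $9; sub(/:$/, "", iface)          # "em0:" -> "em0"
            dst = $12; sub(/:$/, "", dst)             # "a.b.c.d.port:"
            port = dst; sub(/.*\./, "", port)
            host = dst; sub(/\.[0-9]+$/, "", host)
            split(host, o, ".")
            if (host == "255.255.255.255")        kind = "broadcast"
            else if (o[1] >= 224 && o[1] <= 239)  kind = "multicast"
            else                                  kind = "unicast"
            n[rule " " action " " dir " " iface " port " port " " kind]++
        }
        END { for (k in n) print n[k], k }' "$@" | sort -k2,2n -k1,1nr
}

# Constructed pflog text: two RIP broadcasts and one RIP multicast blocked
# by the catch-all rule, plus one logged pass for an ssh connection.
sample_pflog() {
    cat <<'EOF'
Mar 02 16:38:38.875426 rule 3/(match) block in on em0: 192.168.0.1.520 > 255.255.255.255.520: RIPv2-resp [items 3]: {0.0.0.0}(1)[|rip] [tos 0xc0]
Mar 02 16:38:44.110021 rule 3/(match) block in on em0: 192.168.0.1.520 > 255.255.255.255.520: RIPv2-resp [items 3]: {0.0.0.0}(1)[|rip] [tos 0xc0]
Mar 02 16:38:50.004100 rule 3/(match) block in on em0: 192.168.0.9.520 > 224.0.0.9.520: RIPv2-resp [items 1]: {10.0.0.0/255.0.0.0}(1) [tos 0xc0] [ttl 1]
Mar 02 16:39:01.550000 rule 5/(match) pass in on em0: 192.168.0.82.32929 > 192.168.0.55.22: S 1:1(0) win 65535
EOF
}

log=$(mktemp); sample_pflog >"$log"
pflog_summary "$log"
rm -f "$log"
```

The rule number in the first column is the index that "pfctl -vvsr" prints as "@N" in front of each rule, so the summary maps straight back to the ruleset; feed live data with "tcpdump -n -e -ttt -r /var/log/pflog | pflog_summary".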
Re: may 7 carp addresses be too much on 5.0/amd64 ?
Do you have spanning tree enabled on the switch? The firewall ports should be in portfast mode, otherwise the backup may become master after a reboot or when bouncing the physical interface.

And do you have carp preempt enabled? (net.inet.carp.preempt=1)

On 2-3-2012 16:31, favar wrote:
> hi list,
>
> we have the same problem with carp (with 45 ip addresses), and after reboot
> the host with advskew 200 became master, and the one with advskew 1 slave.
>
> 2012/3/2 Ilya Shipitsin chipits...@gmail.com:
>> no, I copied hostname.carpXX, just added advskew 200. parameters are the
>> same.
>>
>> On 2 March 2012 15:25, Otto Moerbeek o...@drijf.net wrote:
>>> On Fri, Mar 02, 2012 at 01:53:17PM +0500, Ilya Shipitsin wrote:
>>>> hello!
>>>>
>>>> we are running CARP-ed load balancers (carp over different vlans). it
>>>> was running just great with 6 carp addresses. when we added the 7th,
>>>> randomly we get MASTERs on both servers for a certain carp interface.
>>>> After reboot we can get a different carp interface in dual MASTER
>>>> state, and so on.
>>>>
>>>> carp negotiations are ok, tcpdump shows them all. both peers see each
>>>> other.
>>>>
>>>> if I put one interface into BACKUP state, it goes to MASTER soon.
>>>>
>>>> we are running 5.0/amd64
>>>>
>>>> Cheers,
>>>> Ilya Shipitsin
>>>
>>> Carefully compare the address lists (including masks) on both machines.
>>> Likely they are not the same.
>>>
>>> 	-Otto
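For the dual-MASTER symptom in this thread, the first thing to collect is "ifconfig carp" from both peers and compare the vhids side by side rather than by eye. The script below is an added example, not code from the thread or from OpenBSD. It takes that output saved to one file per host, assumes the 5.0 line format shown in the constructed samples ("carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 0"), and reports vhids that are MASTER on both hosts or on neither; the advskew values are printed alongside so the preempt question raised above can be checked at the same time.

```shell
#!/bin/sh
# Added example (not from the thread): detect CARP split-brain from the
# "ifconfig carp" output of both peers, saved to a file per host. The line
# format is assumed to be the OpenBSD 5.0 one used in the samples below.

# carp_state FILE  ->  "ifname vhid STATE advskew", one line per carp interface
carp_state() {
    awk '
        /^[a-z]+[0-9]+:/ { ifn = $1; sub(/:$/, "", ifn) }   # "carp0:" header
        /^[ \t]*carp:/ {
            vhid = skew = "?"
            for (i = 3; i <= NF; i++) {
                if ($i == "vhid")    vhid = $(i + 1)
                if ($i == "advskew") skew = $(i + 1)
            }
            print ifn, vhid, $2, skew                    # $2 is MASTER/BACKUP/INIT
        }' "$1"
}

# carp_dual_master FILE_A FILE_B
# Joins both hosts on vhid. Prints vhids that are MASTER on both hosts (the
# symptom in this thread) and vhids with no MASTER at all. Returns 1 if any
# vhid has two masters, else 0.
carp_dual_master() {
    { carp_state "$1" | sed 's/^/A /'; carp_state "$2" | sed 's/^/B /'; } | awk '
        { st[$3, $1] = $4; skew[$3, $1] = $5; seen[$3] = 1 }
        END {
            bad = 0
            for (v in seen) {
                a = st[v, "A"]; b = st[v, "B"]
                if (a == "MASTER" && b == "MASTER") {
                    printf "vhid %s: MASTER on both (advskew A=%s B=%s)\n", v, skew[v, "A"], skew[v, "B"]
                    bad = 1
                } else if (a != "MASTER" && b != "MASTER")
                    printf "vhid %s: no master (A=%s B=%s)\n", v, a, b
            }
            exit bad
        }'
}

# Constructed "ifconfig carp" output for two peers: vhid 1 healthy,
# vhid 2 in dual-MASTER, vhid 3 with no master on either side.
sample_host_a() {
    cat <<'EOF'
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:01
        carp: MASTER carpdev vlan10 vhid 1 advbase 1 advskew 0
        groups: carp
        inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:02
        carp: MASTER carpdev vlan20 vhid 2 advbase 1 advskew 0
        groups: carp
        inet 198.51.100.1 netmask 0xffffff00 broadcast 198.51.100.255
carp2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:03
        carp: BACKUP carpdev vlan30 vhid 3 advbase 1 advskew 0
        groups: carp
        inet 203.0.113.1 netmask 0xffffff00 broadcast 203.0.113.255
EOF
}
sample_host_b() {
    cat <<'EOF'
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:01
        carp: BACKUP carpdev vlan10 vhid 1 advbase 1 advskew 200
        groups: carp
        inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255
carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:02
        carp: MASTER carpdev vlan20 vhid 2 advbase 1 advskew 200
        groups: carp
        inet 198.51.100.1 netmask 0xffffff00 broadcast 198.51.100.255
carp2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:03
        carp: BACKUP carpdev vlan30 vhid 3 advbase 1 advskew 200
        groups: carp
        inet 203.0.113.1 netmask 0xffffff00 broadcast 203.0.113.255
EOF
}

host_a=$(mktemp); sample_host_a >"$host_a"
host_b=$(mktemp); sample_host_b >"$host_b"
carp_dual_master "$host_a" "$host_b" || echo "(split brain, exit $?)"
rm -f "$host_a" "$host_b"
```

On a real pair, run "ifconfig carp > /tmp/fw1.txt" on each host, copy the files together and call carp_dual_master on them; a vhid that is MASTER on both hosts while tcpdump shows both sides' advertisements points at the configuration comparison Otto suggests (including the per-interface address list and netmask) rather than at a lost advertisement.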
THE BEST CLASSROOM AND PRIVATE COURSES - SIMCA CAPACITACION - 2012
- Open courses every month in the main cities.
- Private courses (IN HOUSE - IN COMPANY) throughout Mexico.
- Click on the area of your interest and send us your request.

Courses - Seminars (each with a list of open courses and a list of private courses): Credit and Collections; Human Resources; Manufacturing and Production; Procurement and Public Works; Safety and Hygiene; Human Development; Negotiation and Purchasing; Sales; Finance; Food and Beverage; Assistants and Secretaries; New Technologies.

We design the course to fit your needs! We deliver PRIVATE courses at your company; send us an e-mail specifying the number of participants, the venue, your name, position, company and telephone. REQUEST A QUOTE: click here. If you need more information, contact us and an advisor will attend to you immediately.

SIMCA CAPACITACION, Entrenamiento Especializado
E-MAIL: simca_capacitac...@hotmail.com
Messenger: simca_capacitac...@hotmail.com
Toll-free: 01 800 543 32 30
TEL: (999) 941 51 68

If you do not wish to receive further invitations, click here, thank you.
Premier Workshop: Project Management with MS Project
PMS de México, a prestigious training firm, presents: Project Management Workshop with MS Project, 13 March 2012, Mexico City.

Get the tools you need to achieve optimal performance in your role. Receive the full information! Please reply to this e-mail with the following details: Company, Name, Telephone, Email, Number of interested people. You will shortly receive the syllabus, speaker profile and rates.

PMS Capacitación Efectiva de México is a company registered with the STPS. We work with subject-matter experts to provide tactical, cutting-edge, easy-to-apply tools. 100% satisfaction guarantee. If you prefer, call us at the numbers below, where one of our executives will gladly assist you. Telephones: (0133) 8851-2365, (0133) 8851-2741, with more than 10 lines. Follow us on Twitter @pmscapacitacion or on Facebook PMS de México.

Copyright (C) 2011, PMS Capacitación Efectiva de México S.C. All rights reserved. E-Mail MARKETING SERVICE POWERED BY MEDIAMKTOOLS. This message has been sent to misc@openbsd.org as a user of PMS de México, or because a user referred you to receive this newsletter. As a user of PMS de México, you hereby expressly authorize PMS de México to contact you by e-mail or other means. STOP: if the information received on this occasion was not of interest to you but you wish to receive personalized information on other topics, please let us know.

If you have received this message in error, please disregard it; we sincerely apologize in advance for the inconvenience. Report your account by replying to this e-mail with the subject BAJAMS. Unsubscribe to this mailing list, reply a blank message with the subject UNSUBSCRIBE BAJAMS. Please note that the management of our databases is of the utmost importance to us and it is not the company's intention to displease the recipient; our intention is to promote useful tools for the
Free e-book
Hello,

Just a small gift, the very useful book: How to build your fortune. It is simply a gift to download here, as a PDF: http://www.mygoldenway.com/comment.batir.sa.fortune.php

Kind regards,
Mounir.
http://www.mygoldenway.com