Re: Problem filtering CARP in PF

2012-03-02 Thread Marios Makassikis
 I just thought of something that bit me recently as well.

 With a real IPv6 address CARP will send out advertisements via IPv4
 _and_ IPv6.  It's the same CARP message so if either one reaches the
 backup it's ok.

 Your block rule had inet so you were probably blocking IPv4 only.  But
 because of the send errors (due to pf blocking) fw1 started to demote
 itself.

 Anyway, you have to block inet6 too if you want to block carp completely.



Hi,

I thought of this yesterday shortly after leaving ...
Indeed, after bumping the net.inet.carp.log value even more, there
are messages such as this one in /var/log/messages :
fw1 /bsd: carp0: ip_output failed: 65
fw1 /bsd: carp0: ip6_output failed: 65
fw1 /bsd: carp1: ip_output failed: 65
fw1 /bsd: carp1: ip6_output failed: 65

After clearing the states and reloading PF to allow CARP packets, fw1 says it
transitioned from master to backup. I take it it's because of the demote
counter: as soon as I set it back to 0, fw1 goes back to master and fw2 to backup.

The demotion counter is decremented when you lose connectivity (ip_output
errors for instance), but shouldn't it be reincremented when you regain
connectivity?

I'm guessing the user is expected to do this with something like ifstated if it
isn't done automatically.

I also tested the issue Frederic was having, and it seems to be fixed when you
flush the rules and states after disabling PF.

@Russell
I think either

pass quick proto carp keep state (no-sync)

or

pass quick proto carp no state

is more appropriate, as it also takes into account pfsync presence and saves
you from debugging issues like the one I was having.

Thank you all for your help.

Marios.
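Added here as a worked example, not code from the thread: a small sh/awk triage for the "ip_output failed" lines Marios quotes above. It reads syslog lines from /var/log/messages (with net.inet.carp.log raised), maps the errno with OpenBSD's own numbers (65 is EHOSTUNREACH there, which is what ip_output and ip6_output return when pf drops the packet), and says per carp interface whether both copies of the advertisement are being dropped or only one of them. The sample lines are constructed from the ones in the message; the hostname and timestamps are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Triage "carpN: ip_output failed: NN"
# lines from /var/log/messages and report, per carp interface, which
# address family fails to send the advertisement. Sample lines below are
# constructed from the thread (timestamps and host are assumptions).

SAMPLE_LOG='Mar  2 09:01:10 fw1 /bsd: carp0: ip_output failed: 65
Mar  2 09:01:10 fw1 /bsd: carp0: ip6_output failed: 65
Mar  2 09:01:11 fw1 /bsd: carp1: ip_output failed: 65
Mar  2 09:01:11 fw1 /bsd: carp1: ip6_output failed: 65
Mar  2 09:01:12 fw1 /bsd: carp2: ip_output failed: 65'

# Reads syslog lines on stdin, prints one line per affected carp interface:
#   carp0 v4=EHOSTUNREACH(1) v6=EHOSTUNREACH(1) verdict=no-path
# "no-path": both copies of the advertisement are dropped, the peer hears
# nothing from this node. "one-family": the other copy still reaches the
# peer (it is the same CARP message), but the failed sends still count as
# errors on this node, which is how fw1 in the thread demoted itself.
carp_send_errors() {
    awk '
        BEGIN {
            # errno numbers from OpenBSD <sys/errno.h>; Linux values differ,
            # so do not look these up with errno(1) on a Linux box.
            name[13] = "EACCES";    name[49] = "EADDRNOTAVAIL"
            name[50] = "ENETDOWN";  name[51] = "ENETUNREACH"
            name[55] = "ENOBUFS";   name[64] = "EHOSTDOWN"
            name[65] = "EHOSTUNREACH"   # returned by ip_output/ip6_output when pf drops the packet
        }
        /carp[0-9]+: ip6?_output failed: [0-9]+/ {
            for (i = 1; i <= NF; i++) if ($i ~ /^carp[0-9]+:$/) break
            ifn = substr($i, 1, length($i) - 1)
            fam = ($(i + 1) == "ip6_output") ? "v6" : "v4"
            e = $(i + 3) + 0
            err[ifn, fam] = (e in name) ? name[e] : "errno" e
            cnt[ifn, fam]++
            seen[ifn] = 1
        }
        END {
            for (ifn in seen) {
                v4 = ((ifn, "v4") in err) ? err[ifn, "v4"] "(" cnt[ifn, "v4"] ")" : "ok"
                v6 = ((ifn, "v6") in err) ? err[ifn, "v6"] "(" cnt[ifn, "v6"] ")" : "ok"
                if (v4 != "ok" && v6 != "ok") verdict = "no-path"
                else                          verdict = "one-family"
                print ifn, "v4=" v4, "v6=" v6, "verdict=" verdict
            }
        }' | sort
}

printf '%s\n' "$SAMPLE_LOG" | carp_send_errors
```

On the firewall itself: `grep 'carp.*_output failed' /var/log/messages | carp_send_errors`, then `ifconfig -g carp` to see the group's current demote count, which is what decides master/backup once the errors have been counted.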



EuroBSDCon 2012 Call For Proposals

2012-03-02 Thread Peter N. M. Hansteen
EuroBSDcon 2012
===

EuroBSDcon is the European technical conference for users and
developers on BSD-based systems. The EuroBSDcon 2012 conference
will be held in Warsaw, Poland from Thursday 18 October 2012
to Sunday 21 October 2012, with tutorials on Thursday and Friday
and talks on Saturday and Sunday.

Call for Proposals
--

The EuroBSDcon conference is inviting developers and users of
BSD-based systems to submit innovative and original papers not
submitted to other European conferences on BSD-related topics.

Topics of interest to the conference include, but are not limited
to, applications, architecture, implementation, performance and
security of BSD-based operating systems, as well as topics
concerning the economic or organizational aspects of BSD use.

Presentations are expected to be 45 minutes.

Call for Tutorial Proposals
---

The EuroBSDcon conference is inviting qualified practitioners in
their field to submit proposals for half or full day tutorials on
topics relevant to development, implementation and use of BSD-based
systems.

Submission address
--

Proposals should be submitted by email to submiss...@eurobsdcon.org.

Important dates
---

The EuroBSDcon conference is accepting abstracts and tutorial
proposals until 20 May 2012. Other important dates will be
announced soon at the conference website http://2012.eurobsdcon.org/.



Re: Problem filtering CARP in PF

2012-03-02 Thread Camiel Dobbelaar
On 2-3-2012 9:23, Marios Makassikis wrote:
 I just thought of something that bit me recently as well.

 With a real IPv6 address CARP will send out advertisements via IPv4
 _and_ IPv6.  It's the same CARP message so if either one reaches the
 backup it's ok.

 Your block rule had inet so you were probably blocking IPv4 only.  But
 because of the send errors (due to pf blocking) fw1 started to demote
 itself.

 Anyway, you have to block inet6 too if you want to block carp completely.

 
 
 Hi,
 
 I thought of this yesterday shortly after leaving ...
 Indeed, after bumping the net.inet.carp.log value even more, there
 are messages such as this one in /var/log/messages :
 fw1 /bsd: carp0: ip_output failed: 65
 fw1 /bsd: carp0: ip6_output failed: 65
 fw1 /bsd: carp1: ip_output failed: 65
 fw1 /bsd: carp1: ip6_output failed: 65
 
 After clearing the states and reloading PF to allow CARP packets, fw1 says it
 transitioned from master to backup. I take it it's because of the demote
 counter: as soon as I set it back to 0, fw1 goes back to master and fw2 to backup.

Ok!

 The demotion counter is decremented when you lose connectivity (ip_output
 errors for instance), but shouldn't it be reincremented when you regain
 connectivity?

Yup, it should.  Maybe inet4 clears the errorcounter for inet6 or vice
versa.  I'll take a look.

 I also tested the issue Frederic was having, and it seems to be fixed when you
 flush the rules and states after disabling PF.

Hmm, could be an issue as well.  It looks like disabling pf does not
clear out all states etc.

 @Russell
 I think either
 
 pass quick proto carp keep state (no-sync)
 
 or
 
 pass quick proto carp no state
 
 is more appropriate, as it also takes into account pfsync presence and saves
 you from debugging issues like the one I was having.

As it trips up many people maybe pfctl and/or pf should apply no-sync
automatically for carp.
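Added here as a worked example, not code from the thread: the two CARP pitfalls discussed above as pf.conf fragments, the weak form beside the corrected one (Camiel's inet/inet6 point, and Marios's `no state` / `(no-sync)` rules), plus a small sh/awk lint that flags both in a ruleset. Interface names and the rule text are assumptions for illustration; the lint matches rule text, so feed it the expanded ruleset from `pfctl -vsr` rather than a macro-heavy pf.conf.

```shell
#!/bin/sh
# Added example, not from the thread. pf.conf fragments for CARP, weak
# form beside the corrected one, and a lint that flags the two pitfalls.

# Blocking CARP. "inet" only catches the IPv4 copy of the advertisement;
# with a global IPv6 address on the carpdev the IPv6 copy still goes out,
# so the peer keeps hearing this node while ip_output errors pile up here.
BLOCK_WEAK='block in log inet proto carp'
BLOCK_FIXED='block in log inet proto carp
block in log inet6 proto carp'
# (equivalently, drop the family qualifier: "block in log proto carp")

# Passing CARP. keep state is the default, so a plain pass rule creates
# states that pfsync then pushes to the peer; either skip state for CARP
# or mark the state no-sync.
PASS_WEAK='pass quick proto carp keep state'
PASS_FIXED='pass quick proto carp keep state (no-sync)'
# (or: "pass quick proto carp no state")

# Returns 0 when the ruleset blocks CARP for both families or for none,
# 1 when only one family is blocked.
lint_carp_block() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*block/ && /proto[ \t]+carp/ {
            if ($0 ~ /(^|[ \t])inet6([ \t]|$)/)     v6 = 1
            else if ($0 ~ /(^|[ \t])inet([ \t]|$)/) v4 = 1
            else { v4 = 1; v6 = 1 }          # no family qualifier: both
        }
        END {
            if (v4 && !v6) { print "carp blocked for inet only";  exit 1 }
            if (v6 && !v4) { print "carp blocked for inet6 only"; exit 1 }
            exit 0
        }'
}

# Returns 0 when every rule passing CARP is stateless or no-sync, 1 when a
# rule would create a state that pfsync replicates to the peer.
lint_carp_pass() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*pass/ && /proto[ \t]+carp/ && !/no state/ && !/no-sync/ {
            print "carp state would be synced: " $0; bad = 1
        }
        END { exit (bad ? 1 : 0) }'
}

lint_carp_block "$BLOCK_WEAK"  || echo "BLOCK_WEAK rejected"
lint_carp_block "$BLOCK_FIXED" && echo "BLOCK_FIXED ok"
lint_carp_pass  "$PASS_WEAK"   || echo "PASS_WEAK rejected"
lint_carp_pass  "$PASS_FIXED"  && echo "PASS_FIXED ok"
```

On a live box: `lint_carp_block "$(pfctl -vsr)"` and `lint_carp_pass "$(pfctl -vsr)"`, since pfctl prints rules in their expanded form (`block drop in log inet proto carp all`), which the patterns above still match.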



may 7 carp addresses be too much on 5.0/amd64 ?

2012-03-02 Thread Илья Шипицин
hello!

we are running CARP-ed load balancers (carp over different vlans).
it was running just great with 6 carp addresses.

when we added the 7th, we randomly get MASTERs on both servers for a certain carp
interface. After a reboot we can get a different carp interface in dual MASTER
state, and so on.
carp negotiations are ok, tcpdump shows them all. both peers see each other.

if I put one interface into BACKUP state, it goes to MASTER soon.

we are running 5.0/amd64

Cheers,
Ilya Shipitsin



Re: Problem filtering CARP in PF

2012-03-02 Thread Marco Pfatschbacher
On Fri, Mar 02, 2012 at 09:23:38AM +0100, Marios Makassikis wrote:
 
 The demotion counter is decremented when you lose connectivity (ip_output
 errors for instance), but shouldn't it be reincremented when you regain
 connectivity?
 
Well, that's a chicken and egg problem there.
It won't send out any further advertisements, because its demote
count is higher. But without doing so, it cannot know that the error
is gone.
We could try to solve this by sending some probe carp advertisements
using an unused/reserved vhid, but I'm not sure that's worth the
trouble.



Re: may 7 carp addresses be too much on 5.0/amd64 ?

2012-03-02 Thread Otto Moerbeek
On Fri, Mar 02, 2012 at 01:53:17PM +0500, Ilya Shipitsin wrote:

 hello!
 
 we are running CARP-ed load balancers (carp over different vlans).
 it was running just great with 6 carp addresses.
 
 when we added the 7th, we randomly get MASTERs on both servers for a certain carp
 interface. After a reboot we can get a different carp interface in dual MASTER
 state, and so on.
 carp negotiations are ok, tcpdump shows them all. both peers see each other.
 
 if I put one interface into BACKUP state, it goes to MASTER soon.
 
 we are running 5.0/amd64
 
 Cheers,
 Ilya Shipitsin

Carefully compare the address lists (including masks) on both
machines. Likely they are not the same.

-Otto



Re: may 7 carp addresses be too much on 5.0/amd64 ?

2012-03-02 Thread Илья Шипицин
no, I copied hostname.carpXX, just added advskew 200
parameters are the same.

On 2 March 2012 at 15:25, Otto Moerbeek o...@drijf.net wrote:

 On Fri, Mar 02, 2012 at 01:53:17PM +0500, Ilya Shipitsin wrote:

  hello!
  
  we are running CARP-ed load balancers (carp over different vlans).
  it was running just great with 6 carp addresses.
  
  when we added the 7th, we randomly get MASTERs on both servers for a certain
  carp interface. After a reboot we can get a different carp interface in dual
  MASTER state, and so on.
  carp negotiations are ok, tcpdump shows them all. both peers see each other.
  
  if I put one interface into BACKUP state, it goes to MASTER soon.
  
  we are running 5.0/amd64
 
  Cheers,
  Ilya Shipitsin

 Carefully compare the address lists (including masks) on both
 machines. Likely they are not the same.

-Otto



OpenNTPd leap-second handling

2012-03-02 Thread Phil Pennock
[checked archives, FAQ, website, etc]

There's a leap-second on July 1st and I'm not seeing any equivalent
configuration for OpenNTPd to the reference implementation's leapfile
directive, to use a distributed leap-seconds file to let ntpd know of
the leapseconds epoch rollover.

A brief skim of the source (4.6p1) suggests that OpenNTPd passes on
leap-second indicators found from servers but otherwise does nothing
with them; in particular, the local clock is never adjusted as a result
of leap-seconds, until after the event when the upstream servers pass on
the new value of time and OpenNTPd corrects time accordingly, as though
the local system were just a second fast (which it literally now is).

Is this correct?  If not, can someone aim the cluebat appropriately to
point me to what I've missed, please?

Is this "correct it afterwards as though fast" approach the planned
behaviour, or merely a result of nobody getting around to implementing
something better?  Is there likely to be a release changing the
behaviour before July 1st?

Thanks,
-Phil



Re: may 7 carp addresses be too much on 5.0/amd64 ?

2012-03-02 Thread favar
hi list, we have the same problem with carp (with 45 ip addresses),
and after a reboot the host with advskew 200 became master, and the one
with advskew 1 slave.

2012/3/2 Ilya Shipitsin chipits...@gmail.com:
 no, I copied hostname.carpXX, just added advskew 200
 parameters are the same.

 On 2 March 2012 at 15:25, Otto Moerbeek o...@drijf.net wrote:

 On Fri, Mar 02, 2012 at 01:53:17PM +0500, Ilya Shipitsin wrote:

  hello!
  
  we are running CARP-ed load balancers (carp over different vlans).
  it was running just great with 6 carp addresses.
  
  when we added the 7th, we randomly get MASTERs on both servers for a certain
  carp interface. After a reboot we can get a different carp interface in dual
  MASTER state, and so on.
  carp negotiations are ok, tcpdump shows them all. both peers see each other.
  
  if I put one interface into BACKUP state, it goes to MASTER soon.
  
  we are running 5.0/amd64
 
  Cheers,
  Ilya Shipitsin

 Carefully compare the address lists (including masks) on both
 machines. Likely they are not the same.

 -Otto



Monitoring PF rules on egress interface not showing pass definitions

2012-03-02 Thread Kaya Saman
Hi,

I created a virtual instance of OpenBSD 5.0 x64 RELEASE edition using 
VirtualBox and set it up to be used as router/gateway with NAT.

Taking this:

http://www.openbsd.org/faq/pf/example1.html

as an example for practically getting to know packet filter, which I've
never used before, and to get more familiar with OpenBSD itself.


Through reading the FAQ on PF and trying to understand the way it works,
can someone clarify whether the rule weightings are in bottom-up order?

What I'm trying to clarify is that if I use a pseudo Cisco ACL statement:

deny any any
permit ip 1.1.1.1 any ip 2.2.2.2 80

line 2 with permit will **never** get matched, because there is an
implicit deny statement before it which has full weighting. Therefore one
must first specify the permit and then the deny in order for the ACL to have
relevance.

In Packet Filter this seems to be the reverse according to the example
page shown above or the FAQ:

http://www.openbsd.org/faq/pf/filter.html

meaning that using PF syntax, something like:

block in log
pass out quick

antispoof quick for { lo $int_if }

pass in on egress inet proto tcp from any to (egress) \
 port $tcp_services


will block everything from the statement: block in log but if a pass 
statement is put after the filter's block statement the weighting will 
be on the pass line and hence a match will try to be determined.



In accordance with the above I activated ripd, took down packet filter
using pfctl -d and set up a connection to my router/gateway.


Once everything was working, I activated packet filter again using
pfctl -e and restarted ripd for good measure: /etc/rc.d/ripd restart

All was good and ripd wasn't able to send or receive any updates -
actually, due to the customization of Example1 from the FAQ, I think RIP
updates were being sent but not able to be received! --please correct me
if wrong.

So adding the line:


pass in on egress inet proto tcp from any to (egress) \
 port $tcp_services


#--
pass in on egress inet proto udp from any to (egress) \
 port $udp_services

in the mix, RIP information was now being passed internally **to** 
OpenBSD (but not through to the other side of the NAT).


The major issue I'm having with all of this is that I can't see anything!


Even SSH'ing into the OBSD instance and using tcpdump, from the example
shown here:

http://www.openbsd.org/faq/pf/logging.html

[quote]

 # tcpdump -n -e -ttt -r /var/log/pflog port 80 

 This can be further refined by limiting the display of packets to a 
 certain host and port combination:

 # tcpdump -n -e -ttt -r /var/log/pflog port 80 and host 192.168.1.3 

 The same idea can be applied when reading from the pflog0 interface:

 # tcpdump -n -e -ttt -i pflog0 host 192.168.4.2 



[/quote]


I get lines stating:

Mar 02 16:38:38.875426 rule 3/(match) block in on em0: 192.168.0.1.520 >
255.255.255.255.520: RIPv2-resp [items 3]: {0.0.0.0}(1)[|rip] [tos 0xc0]

which means that information is being matched by rule 3 and being blocked!


However, running tcpdump without as many restrictions directly on 
interface em0 (external interface):

tcpdump port 520 (automatically defaults to int. em0)


16:41:18.563311 OpenBSD.optiplex-networks.com.route >
rip2-routers.mcast.net.route: RIPv2-resp [items 2]:
{88.88.88.0/255.255.254.0}(1) {192.168.0.0/255.255.255.0}(16) [tos 0xc0]
[ttl 1]
16:41:24.354945 192.168.0.1.route > 255.255.255.255.route: RIPv2-resp
[items 3]: {0.0.0.0}(1) {192.168.1.0/255.255.255.0}(1)
{192.168.2.0/255.255.255.0}(1) [tos 0xc0]


Which also doesn't make sense, as the router seems to be using broadcast
for RIP while OpenBSD is sending the updates to a multicast address,
224.0.0.9:520.


Neither of which, however, tells me what the system is doing in terms
of diagnostic or verbose output, or if packet filter is accepting or
rejecting this information.


Taken from ripctl:
 # ripctl show fib
 flags: * = valid, R = RIP, C = Connected, S = Static
 Flags  Destination       Nexthop
 *S     0.0.0.0/0         192.168.0.1
 *R     0.0.0.0/0         192.168.0.1
 *C     88.88.88.0/23     link#2
 *S     127.0.0.0/8       127.0.0.1
 *C     127.0.0.1/8       link#0
 *      127.0.0.1/32      127.0.0.1
 *C     192.168.0.0/24    link#1
 *S     192.168.0.55/32   127.0.0.1
 *R     192.168.1.0/24    192.168.0.1
 *R     192.168.2.0/24    192.168.0.1
 *S     224.0.0.0/4       127.0.0.1

 # ripctl show neighbor
 ID            State           Address       Iface   Uptime
 192.168.0.1   ACTIVE/ACTIVE   192.168.0.1   em0     00:00:38


 # ripctl show fib rip
 flags: * = valid, R = RIP, C = Connected, S = Static
 Flags  Destination       Nexthop
 *R     0.0.0.0/0         192.168.0.1
 *R     192.168.1.0/24    192.168.0.1
 *R     192.168.2.0/24    192.168.0.1


Which shows from the rip side of things that everything's fine.

or using:


 # pfctl -ss
 all tcp 192.168.0.55:22 <- 192.168.0.82:32929
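Added here as a worked example, not code from the post above: two checks for exactly the situation it describes, where pflog shows "rule 3/(match) block" but it is not obvious which rule that is or why the RIPv2 packets miss the pass rule. First, pf evaluates rules top to bottom and the last matching rule wins, unless a matching rule carries `quick`, which stops evaluation; the rule number in a pflog line refers to the loaded ruleset as printed by `pfctl -vvsr`, where each rule is prefixed `@N`, so the helper below joins the two. Second, `(egress)` expands to the addresses of the egress interface(s); the router's RIPv2 response is sent to 255.255.255.255 and OpenBSD's own ripd uses multicast 224.0.0.9 (both visible in the tcpdump output above), and neither is an interface address, so `to (egress) port $udp_services` never matches them. The ruleset dump and pflog lines here are constructed (a real ruleset numbers differently; the FAQ's antispoof expands into several rules), and the router address in the pf.conf fragment is an assumption.

```shell
#!/bin/sh
# Added example, not from the post. Map pflog rule numbers to rule text,
# and a pf.conf fragment that passes RIPv2 to its real destinations.

# Constructed in the style of "pfctl -vvsr" output.
RULESET='@0 pass out quick all flags S/SA
@1 block drop in quick on ! lo inet from 127.0.0.0/8 to any
@2 block drop in quick inet from 127.0.0.1 to any
@3 block drop in log all
@4 pass in on em0 inet proto tcp from any to (em0) port = 22 flags S/SA'

# Constructed from the tcpdump -n -e -ttt -i pflog0 lines in the post.
PFLOG='Mar 02 16:38:38.875426 rule 3/(match) block in on em0: 192.168.0.1.520 > 255.255.255.255.520: RIPv2-resp [items 3]: {0.0.0.0}(1)[|rip] [tos 0xc0]
Mar 02 16:39:08.881012 rule 3/(match) block in on em0: 192.168.0.1.520 > 255.255.255.255.520: RIPv2-resp [items 3]: {0.0.0.0}(1)[|rip] [tos 0xc0]'

# Reads pflog tcpdump lines on stdin; $1 is the "pfctl -vvsr" dump. Prints
# each packet followed by the text of the rule that matched it.
pflog_explain() {
    rs=$(mktemp) || return 2
    printf '%s\n' "$1" > "$rs"
    awk '
        # first input: "@N rule text" -> rule[N]; other lines (counters) ignored
        NR == FNR { if ($1 ~ /^@[0-9]+$/) { n = substr($1, 2); sub(/^@[0-9]+ /, ""); rule[n] = $0 }; next }
        # second input (stdin): pflog lines carrying "rule N/(match) ..."
        {
            for (i = 1; i <= NF; i++) if ($i == "rule") break
            split($(i + 1), m, "/")
            print $0
            print "    -> @" m[1] ": " ((m[1] in rule) ? rule[m[1]] : "(not in ruleset dump)")
        }' "$rs" -
    rm -f "$rs"
}

# pf.conf lines that let RIPv2 in from the upstream router and out from
# ripd on the egress interface. $router is an assumption; the broadcast
# and multicast destinations are the ones the post's tcpdump shows.
RIP_RULES='router = "192.168.0.1"
pass in quick on egress inet proto udp from $router port 520 \
    to { (egress), 255.255.255.255, 224.0.0.9 } port 520
pass out quick on egress inet proto udp from (egress) port 520 \
    to { 224.0.0.9, 255.255.255.255 } port 520'

printf '%s\n' "$PFLOG" | pflog_explain "$RULESET"
printf '%s\n' "$RIP_RULES"
```

On the router itself: `tcpdump -n -e -ttt -i pflog0 port 520 | pflog_explain "$(pfctl -vvsr)"` shows which rule is dropping the RIP traffic, and `pfctl -nf /etc/pf.conf` syntax-checks the file after the RIP lines are added.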
 

Re: may 7 carp addresses be too much on 5.0/amd64 ?

2012-03-02 Thread Camiel Dobbelaar
Do you have spanning tree enabled on the switch?  The firewall ports
should be in portfast mode, otherwise the backup may become master after
a reboot or when bouncing the physical interface.

And do you have carp preempt enabled?  (net.inet.carp.preempt=1)


On 2-3-2012 16:31, favar wrote:
 hi list, we have the same problem with carp (with 45 ip addresses),
 and after a reboot the host with advskew 200 became master, and the one
 with advskew 1 slave.
 
 2012/3/2 Ilya Shipitsin chipits...@gmail.com:
 no, I copied hostname.carpXX, just added advskew 200
 parameters are the same.

 On 2 March 2012 at 15:25, Otto Moerbeek o...@drijf.net wrote:

 On Fri, Mar 02, 2012 at 01:53:17PM +0500, Ilya Shipitsin wrote:

 hello!

 we are running CARP-ed load balancers (carp over different vlans).
 it was running just great with 6 carp addresses.

 when we added the 7th, we randomly get MASTERs on both servers for a certain
 carp interface. After a reboot we can get a different carp interface in dual
 MASTER state, and so on.
 carp negotiations are ok, tcpdump shows them all. both peers see each other.

 if I put one interface into BACKUP state, it goes to MASTER soon.

 we are running 5.0/amd64

 Cheers,
 Ilya Shipitsin

 Carefully compare the address lists (including masks) on both
 machines. Likely they are not the same.

 -Otto
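Added here as a worked example, not code from the thread: a script for Otto's advice to carefully compare the address lists (including masks) on both machines. The reason the advice matters is that a CARP advertisement carries an HMAC computed over, among other things, the vhid, the shared key and the addresses configured on the carp interface; a peer whose list differs in even one mask discards the other side's advertisements as bogus (with net.inet.carp.log raised it logs an "incorrect hash" message for each one), and both nodes end up MASTER, which matches the symptoms reported above. The script normalises `ifconfig` dumps taken on the two hosts and diffs only the fields that have to agree, dropping the ones that legitimately differ (advskew, MASTER/BACKUP, the link-local address). The dumps are constructed and the `ifconfig` layout is assumed to follow OpenBSD 5.x; Camiel's other two checks (switch portfast, `sysctl net.inet.carp.preempt`) are not covered by it.

```shell
#!/bin/sh
# Added example, not from the thread. Compare the CARP configuration of
# two peers from their "ifconfig" output. Dumps below are constructed in
# the OpenBSD 5.x layout; the second host has a wrong netmask on carp6.

FW1='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.0.2 netmask 0xffffff00 broadcast 192.168.0.255
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 1
        groups: carp
        status: master
        inet 192.168.0.50 netmask 0xffffff00 broadcast 192.168.0.255
        inet6 fe80::200:5eff:fe00:101%carp0 prefixlen 64 scopeid 0x6
carp6: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev vlan6 vhid 7 advbase 1 advskew 1
        groups: carp
        status: master
        inet 10.0.6.1 netmask 0xffffff00 broadcast 10.0.6.255'

FW2='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.0.3 netmask 0xffffff00 broadcast 192.168.0.255
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: BACKUP carpdev em0 vhid 1 advbase 1 advskew 200
        groups: carp
        status: backup
        inet 192.168.0.50 netmask 0xffffff00 broadcast 192.168.0.255
        inet6 fe80::200:5eff:fe00:101%carp0 prefixlen 64 scopeid 0x6
carp6: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: BACKUP carpdev vlan6 vhid 7 advbase 1 advskew 200
        groups: carp
        status: backup
        inet 10.0.6.1 netmask 0xfffffe00 broadcast 10.0.7.255'

# Normalise an ifconfig dump (stdin) into one sortable line per carp
# interface holding only what must match on both peers: carpdev, vhid,
# advbase and the addresses with their masks. advskew, MASTER/BACKUP and
# the link-local address are expected to differ and are dropped.
carp_normalize() {
    awk '
        /^[a-z]+[0-9]*: flags=/ { ifn = $1; sub(/:$/, "", ifn); next }
        ifn !~ /^carp[0-9]+$/ { next }
        $1 == "carp:" {
            for (i = 2; i < NF; i++)
                if ($i == "carpdev" || $i == "vhid" || $i == "advbase")
                    conf[ifn] = conf[ifn] " " $i "=" $(i + 1)
        }
        $1 == "inet"                    { addr[ifn] = addr[ifn] " inet=" $2 "/" $4 }
        $1 == "inet6" && $2 !~ /^fe80:/ { addr[ifn] = addr[ifn] " inet6=" $2 "/" $4 }
        END { for (ifn in conf) print ifn conf[ifn] addr[ifn] }
    ' | sort
}

# Compare two dumps passed as strings: exit 0 when the peers agree, 1 with
# a diff when they do not ("<" lines are from the first dump, ">" from the
# second).
carp_compare() {
    t1=$(mktemp) && t2=$(mktemp) || return 2
    printf '%s\n' "$1" | carp_normalize > "$t1"
    printf '%s\n' "$2" | carp_normalize > "$t2"
    if diff "$t1" "$t2"; then
        echo "carp vhid/address lists match"; rc=0
    else
        echo "carp vhid/address lists differ; fix the lines above before suspecting the switch"; rc=1
    fi
    rm -f "$t1" "$t2"
    return $rc
}

carp_compare "$FW1" "$FW2"; echo "exit status: $?"
```

In practice: `ssh fw1 ifconfig > fw1.txt; ssh fw2 ifconfig > fw2.txt; carp_compare "$(cat fw1.txt)" "$(cat fw2.txt)"`. A clean diff plus dual MASTER then points at the things the script does not see: the switch ports not being in portfast, differing `net.inet.carp.preempt`, or different CARP passwords.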



THE BEST CLASSROOM AND PRIVATE COURSES - SIMCA CAPACITACION - 2012

2012-03-02 Thread simca capacitacion
 - Open courses every month in the main cities.

 - Private courses (IN HOUSE - IN COMPANY) throughout Mexico.

- Click on the area of interest and send us your request -

Courses - Seminars: Credit and Collections
Courses - Seminars: Human Resources
Courses - Seminars: Manufacturing and Production
Courses - Seminars: Procurement and Public Works
Courses - Seminars: Safety and Hygiene
Courses - Seminars: Personal Development
Courses - Seminars: Negotiation and Purchasing
Courses - Seminars: Sales
Courses - Seminars: Finance
Courses - Seminars: Food and Beverage
Courses - Seminars: Assistants and Secretaries
Courses - Seminars: New Technologies

List of Open Courses
List of Private Courses

We design the course to fit your needs! We deliver PRIVATE COURSES at
your company; send us an e-mail stating the number of participants, the
venue, your name, position, company and telephone. REQUEST A QUOTE: click
here

If you need more information, contact us and an advisor will attend to
you immediately.

SIMCA CAPACITACION
Specialised Training
E-MAIL: simca_capacitac...@hotmail.com
Messenger: simca_capacitac...@hotmail.com
Toll-free: 01 800 543 32 30
TEL: (999) 941 51 68

If you do not wish to receive further invitations, click here. Thank
you.



Premier Workshop: Project Management with MS Project

2012-03-02 Thread Lic. Luna Rodriguez
PMS de México, a prestigious training firm, presents:
Project Management Workshop with MS Project
13 March 2012, Mexico City
Get the tools you need to achieve optimum performance in your role.
Receive the full information! Please reply to this e-mail with the
following details:
Company
Name
Telephone
Email
Number of people interested
You will shortly receive the syllabus, speaker profile and prices.
PMS Capacitación Efectiva de México is a company registered with the
STPS.
We work with subject-matter experts to provide tactical, cutting-edge
and easily applied tools.
100% satisfaction guarantee.

If you prefer, call the numbers below, where one of our executives will
gladly attend to you.
Telephones: (0133) 8851-2365, (0133) 8851-2741, with more than 10 lines.
Follow us on Twitter @pmscapacitacion or on Facebook PMS de México
Copyright (C) 2011, PMS Capacitación Efectiva de México S.C. All rights
reserved.
E-Mail MARKETING SERVICE POWERED BY MEDIAMKTOOLS.

This message has been sent to misc@openbsd.org as a user of PMS de
México, or because a user referred you to receive this bulletin.
As a user of PMS de México, you hereby expressly authorise PMS de México
to contact you by e-mail or other means.
STOP: if the information received on this occasion was not of interest
to you but you would like to receive personalised information on other
topics, please let us know.
If you have received this message in error, please disregard it; we
apologise in advance for the inconvenience. Report your account by
replying to this e-mail with the subject BAJAMS.
Unsubscribe from this mailing list: reply with a blank message with the
subject UNSUBSCRIBE BAJAMS.
Please note that the management of our databases is of the utmost
importance to us and it is not the company's intention to displease the
recipient; our intention is to promote tools that are useful for the




Free e-book

2012-03-02 Thread contact
Hello,

Just a small gift, the very useful book:

How to build your fortune

It's just a gift to download here:

as a PDF:

http://www.mygoldenway.com/comment.batir.sa.fortune.php

Kind regards

Mounir.

http://www.mygoldenway.com