basic fail-over mechanism for home networking.

2006-02-23 Thread daviad

Dear misc readers.

I have a Soekris box to do basic nat/rdr on my home network; one comp is a
squid proxy server, and a client machine's HTTP requests are redirected to
that machine through the Soekris box. Now I would like to have some kind of
basic fail-over mechanism for it, so if that squid proxy machine is not
available it would redirect the requests to another proxy server, in this
case the one that the ISP offers, but only until the main squid machine is
available again. What kind of basic solutions would you recommend?




Re: basic fail-over mechanism for home networking.

2006-02-23 Thread Bob Beck
Two boxes at home, carped and pfsynced. Primary runs your squid; backup
either runs a backup squid yourself, or does an rdr for the connections to
it to the ISP's proxy.

-Bob



-- 
| | | The ASCII Fork Campaign
 \|/   against gratuitous use of threads.
  |



Re: basic fail-over mechanism for home networking.

2006-02-23 Thread Joachim Schipper
On Thu, Feb 23, 2006 at 06:04:31PM +0200, [EMAIL PROTECTED] wrote:

For sufficiently basic stuff, there's no reason not to go with a cron
job run as root. Create /etc/pf.conf and /etc/pf.conf.failover, then do
a lynx -dump www.google.com or whatever your site of choice is. Be sure
to set http_proxy in the environment first.

Once this is set up, go with something like the following (which looks
long, but it's really only ten lines plus exception handling), run from
cron, say, every five minutes.

#!/bin/sh
# Cron-driven proxy failover (run every five minutes or so). The proxy is
# probed with lynx; on failure /etc/pf.conf.failover is loaded (rdr to the
# ISP proxy), and /etc/pf.conf is loaded again once the probe succeeds.
# /var/run/fw.running_backup records that the backup ruleset is active,
# /var/run/fw.error stalls the script after an error until removed by hand,
# /etc/pf.nofailover disables failover altogether.
if [ -e /etc/pf.nofailover ] || [ -e /var/run/fw.error ]; then
    exit 0
fi
TMPFILE=`mktemp /tmp/fw.XXXXXXXX` || exit 1
# Proxy to probe (the squid host). lynx wants URL form; the port is a guess.
http_proxy='http://my.proxy.net:3128/'
export http_proxy
if lynx -dump www.google.com >/dev/null 2>&1; then
    # Proxy answers: fail back if the backup ruleset is still loaded.
    if [ -e /var/run/fw.running_backup ]; then
        if pfctl -f /etc/pf.conf >"$TMPFILE" 2>&1; then
            if rm /var/run/fw.running_backup; then
                echo 'ok' | mail -s 'Firewall failback' root
            else
                { touch /var/run/fw.error
                  echo 'Could not remove'
                  echo '/var/run/fw.running_backup?!'
                } 2>&1 | mail -s 'Firewall failback: weird error' root
            fi
        else
            { touch /var/run/fw.error
              echo 'Failed:'
              echo
              cat "$TMPFILE"
              echo 'Please fix /etc/pf.conf or whatever caused'
              echo 'the failure and remove /var/run/fw.error'
            } 2>&1 | mail -s 'Firewall failed to failback; stalled' root
        fi
    fi
else
    # Proxy does not answer: fail over unless the backup ruleset is already up.
    if ! [ -e /var/run/fw.running_backup ]; then
        if pfctl -f /etc/pf.conf.failover >"$TMPFILE" 2>&1; then
            if touch /var/run/fw.running_backup; then
                echo 'ok' | mail -s 'Firewall failover' root
            else
                { touch /var/run/fw.error
                  echo 'Could not touch'
                  echo '/var/run/fw.running_backup'
                } 2>&1 | mail -s 'Firewall failover: weird error' root
            fi
        else
            { touch /var/run/fw.error
              echo 'Failed:'
              echo
              cat "$TMPFILE"
              echo 'Please fix /etc/pf.conf.failover or whatever'
              echo 'caused the failure and remove'
              echo '/var/run/fw.error'
            } 2>&1 | mail -s 'Firewall failed to failover; stalled' root
        fi
    fi
fi
rm "$TMPFILE"

This is of course rather simplistic (and only guards against the proxy
malfunctioning completely - no attempt is made to detect a proxy that
will only serve up cached pages, for instance), and it should be
possible to improve upon this design, but for a quick and dirty
solution, it works fine. I suppose - I haven't tested it.

Of course, this isn't exactly realtime failover. It should be very much
possible to get (near-)realtime failover, but that will be quite a bit
more difficult. Feel free to ask if that's what you're looking for.

Joachim
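As an added illustration (constructed for this page, not Joachim's or Bob's own files), here are the two rulesets the cron script above switches between; the failover version is also what the backup box in Bob's CARP/pfsync design would carry permanently. Interface names, addresses and the ISP proxy port are assumptions.

```pf
# /etc/pf.conf  (normal operation: LAN web traffic goes to the local squid)
# All names and addresses below are assumed values for this example.
ext_if    = "sis0"
int_if    = "sis1"
lan       = "192.168.1.0/24"
squid     = "192.168.1.10"        # local squid host, http_port 3128 assumed
isp_proxy = "203.0.113.8"         # ISP proxy, placeholder address

set skip on lo
scrub in all

# The squid host's own outbound fetches must not be redirected back to it.
no rdr on $int_if proto tcp from $squid to any port 80
rdr pass on $int_if proto tcp from $lan to any port 80 -> $squid port 3128

nat on $ext_if from $lan to any -> ($ext_if)

block in on $ext_if all
pass out on $ext_if keep state
pass in on $int_if from $lan to any keep state

# /etc/pf.conf.failover  (proxy down: LAN web traffic goes to the ISP proxy)
# pfctl -f replaces the whole ruleset, so this file must be a complete copy
# of pf.conf; only the rdr target differs. Keep the two files in sync.
no rdr on $int_if proto tcp from $squid to any port 80
rdr pass on $int_if proto tcp from $lan to any port 80 -> $isp_proxy port 8080
```

Intercepted requests reach the ISP proxy in origin-form (a bare path plus Host header) rather than proxy-form, which not every forward proxy accepts, so test the failover ruleset by hand before trusting the cron job with it.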