Issue with PF + Relayd


Issue with PF + Relayd

Leonardo Santagostini
Hello all,

I'm facing what may be a misbehavior in my OpenBSD 5.2. This machine is
virtualized with KVM with 2 CPU and 4 Gb RAM.

I'm running 5.2 GENERIC#278 i386.

The point is:

The tld relay rule, as shown in my config, is working properly. But tld1 and
tld2 don't work when the POST method is invoked from the page served
by the 4 webcaches I have working behind relayd.

ext_if="pcn0"

set fingerprints "/etc/pf.os"
set optimization aggressive

# match on $ext_if all scrub (no-df)

# Create the tables I am going to use
table <ips_malas> persist
table <redes_yell> persist file "/etc/redes.yell"
table <redes_permitidas> persist file "/etc/redes_permitidas.txt"

# Define the load balancer IP for Mobile
address_mobile = "10.0.1.181"
address1 = "10.0.1.16"

# Stop processing when the traffic comes from the internal networks
pass in quick from <redes_yell> to any

# Let the IPs from the permitted networks through
pass in quick from <redes_permitidas> to $address_mobile

# Create the block rules
block in quick from <ips_malas>
block in log quick on $ext_if proto tcp from any os "NMAP" to any \
        label ExtNMAPScan

# Protection against nmap and similar tools
# block in quick on $ext_if proto tcp flags FUP/WEUAPRSF
block in quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
block in quick on $ext_if proto tcp flags SRAFU/WEUAPRSF
block in quick on $ext_if proto tcp flags /WEUAPRSF
block in quick on $ext_if proto tcp flags SR/SR
block in quick on $ext_if proto tcp flags SF/SF
block in quick from urpf-failed


# Apply the DoS and SYN flood rules on tld
pass in log on $ext_if proto tcp to $address_mobile port www keep state \
        (sloppy, max 10000, max-src-nodes 5000, max-src-conn 100, \
        max-src-conn-rate 95/2, adaptive.start 6000, adaptive.end 12000, \
        tcp.first 15, tcp.opening 5, tcp.established 3600, tcp.closing 5, \
        tcp.finwait 15, tcp.closed 15, tcp.tsdiff 5)


# Apply the DoS and SYN flood rules on tld2
pass in on $ext_if proto tcp to $address1 port www keep state \
        (sloppy, max 10000, max-src-nodes 5000, max-src-conn 150, \
        max-src-conn-rate 150/3)


# Anchor for relayd
anchor "relayd/*"

----------------------------
# Load balancing configuration file

## Global options
interval 5
timeout 1000
prefork 5

## VIP addresses
address1="10.0.1.16"
address2="10.0.1.181"
address3="10.0.1.182"


## Server addresses
mobileWap01="10.0.1.200"
mobileWap02="10.0.1.201"
webcache01="10.0.1.70"
webcache02="10.0.1.71"
webcache03="10.0.1.72"
webcache04="10.0.1.73"

## Table definitions
table <mobileweb> { $mobileWap01 $mobileWap02 }
table <webcaches> { $webcache01 $webcache02 $webcache03 $webcache04 }
table <webcaches1> { $webcache01 }

## Protocol definitions (filters)

http protocol "tld" {

        # Performance parameters
        tcp {nodelay, sack, socket buffer 65536, backlog 100 }

        ## Test
        # return error

        # Close the connection
        header change "Connection" to "close"

        # Block disallowed sites
        label "URL Request DENIED"
        request header expect "tld.com.ar" from "Host"
        request header expect "www.tld.com.ar" from "Host"
        request header expect "s.tld.com.ar" from "Host"
        request header expect "get.tld.com.ar" from "Host"
        request header expect "test.tld.com.ar" from "Host"

        # Block disallowed browsers
        label "Please try a <em>different Browser</em>"
        header filter "Mozilla/4.0 *" from "User-Agent"

        header append "$REMOTE_ADDR" to "X-Forwarded-For"
        cookie hash "sessid"

}
http protocol "httpRural" {

        # Performance parameters
        tcp {nodelay, sack, socket buffer 65536, backlog 100 }

        # return error

        # Close the connection
        header change "Connection" to "close"

        # Block disallowed sites
        label "URL Request DENIED"
        request header expect "tld1.com.ar" from "Host"
        request header expect "*.tld1.com.ar" from "Host"
        request header expect "rojas.tld1.com.ar" from "Host"

        # Block disallowed browsers
        label "Please try a <em>different Browser</em>"
        header filter "Mozilla/4.0 *" from "User-Agent"

        header append "$REMOTE_ADDR" to "X-Forwarded-For"
        cookie hash "sessid"

}

http protocol "httpBlancas" {

        # Performance parameters
        tcp {nodelay, sack, socket buffer 65536, backlog 100 }

        # return error

        # Close the connection
        header change "Connection" to "close"
        # request header expect "*.tld2.com.ar"  from "Host"

        header append "$REMOTE_ADDR" to "X-Forwarded-For"
}


## Relay definitions
relay tld {
        listen on $address2 port 80
        protocol "tld"
        forward to <mobileweb> port 80 mode roundrobin check http "/relaycheck/mobileWAP/index.php" code 200
}

relay tld1 {
        listen on $address3 port 80
        protocol "tld1"
        forward to <webcaches> port 80 mode roundrobin check http "/monitoreo/relayd.txt" code 200
}

relay tld2 {
        listen on $address1 port 80
        protocol "tld2"
        forward to <webcaches1> port 80 mode roundrobin check http "/monitoreo/relayd.txt" code 200
}

I would really appreciate any clue or idea that makes this work.

Thanks in advance

Saludos / Regards
Leonardo Santagostini


Re: Issue with PF + Relayd

Reyk Floeter
Hi,

On 01.03.2013 at 15:24, Leonardo Santagostini <[hidden email]> wrote:

> I'm facing what may be a misbehavior in my OpenBSD 5.2. This machine is
> virtualized with KVM with 2 CPU and 4 Gb RAM.
>
> I'm running 5.2 GENERIC#278 i386.
>
> The point is:
>
> The tld relay rule, as shown in my config, is working properly. But tld1 and
> tld2 don't work when the POST method is invoked from the page served
> by the 4 webcaches I have working behind relayd.
>

Do you have any log messages from relayd? Run it in the foreground with the -d and -v flags to get more info...

Can you provide some information about the POST? Maybe a pcap or tcpdump text dump: what do the HTTP headers look like, how large is the payload, etc.

But please look below first, there are inconsistencies in your relayd.conf.

> ext_if="pcn0"
>
> set fingerprints "/etc/pf.os"
> set optimization aggressive
>
> # match on $ext_if all scrub (no-df)
>
> # Create the tables I am going to use
> table <ips_malas> persist
> table <redes_yell> persist file "/etc/redes.yell"
> table <redes_permitidas> persist file "/etc/redes_permitidas.txt"
>
> # Define the load balancer IP for Mobile
> address_mobile = "10.0.1.181"
> address1 = "10.0.1.16"
>
> # Stop processing when the traffic comes from the internal networks
> pass in quick from <redes_yell> to any
>
> # Let the IPs from the permitted networks through
> pass in quick from <redes_permitidas> to $address_mobile
>
> # Create the block rules
> block in quick from <ips_malas>
> block in log quick on $ext_if proto tcp from any os "NMAP" to any \
>         label ExtNMAPScan
>
> # Protection against nmap and similar tools
> # block in quick on $ext_if proto tcp flags FUP/WEUAPRSF
> block in quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
> block in quick on $ext_if proto tcp flags SRAFU/WEUAPRSF
> block in quick on $ext_if proto tcp flags /WEUAPRSF
> block in quick on $ext_if proto tcp flags SR/SR
> block in quick on $ext_if proto tcp flags SF/SF
> block in quick from urpf-failed
>
>
> # Apply the DoS and SYN flood rules on tld
> pass in log on $ext_if proto tcp to $address_mobile port www keep state \
>         (sloppy, max 10000, max-src-nodes 5000, max-src-conn 100, \
>         max-src-conn-rate 95/2, adaptive.start 6000, adaptive.end 12000, \
>         tcp.first 15, tcp.opening 5, tcp.established 3600, tcp.closing 5, \
>         tcp.finwait 15, tcp.closed 15, tcp.tsdiff 5)
>
>
> # Apply the DoS and SYN flood rules on tld2
> pass in on $ext_if proto tcp to $address1 port www keep state \
>         (sloppy, max 10000, max-src-nodes 5000, max-src-conn 150, \
>         max-src-conn-rate 150/3)
>
>
> # Anchor for relayd
> anchor "relayd/*"
>
> ----------------------------
> # Load balancing configuration file
>
> ## Global options
> interval 5
> timeout 1000
> prefork 5
>
> ## VIP addresses
> address1="10.0.1.16"
> address2="10.0.1.181"
> address3="10.0.1.182"
>
>
> ## Server addresses
> mobileWap01="10.0.1.200"
> mobileWap02="10.0.1.201"
> webcache01="10.0.1.70"
> webcache02="10.0.1.71"
> webcache03="10.0.1.72"
> webcache04="10.0.1.73"
>
> ## Table definitions
> table <mobileweb> { $mobileWap01 $mobileWap02 }
> table <webcaches> { $webcache01 $webcache02 $webcache03 $webcache04 }
> table <webcaches1> { $webcache01 }
>
> ## Protocol definitions (filters)
>
> http protocol "tld" {
>

OK, I see this is used by relay "tld".

>        # Performance parameters
>        tcp {nodelay, sack, socket buffer 65536, backlog 100 }
>

FYI, the socket buffer option can probably be removed as we support dynamic buffer scaling since a few releases.

>        ## Test
>        # return error
>
>        # Close the connection
>        header change "Connection" to "close"
>
>        # Block disallowed sites
>        label "URL Request DENIED"
>        request header expect "tld.com.ar" from "Host"
>        request header expect "www.tld.com.ar" from "Host"
>        request header expect "s.tld.com.ar" from "Host"
>        request header expect "get.tld.com.ar" from "Host"
>        request header expect "test.tld.com.ar" from "Host"
>
>        # Block disallowed browsers
>        label "Please try a <em>different Browser</em>"
>        header filter "Mozilla/4.0 *" from "User-Agent"
>
>        header append "$REMOTE_ADDR" to "X-Forwarded-For"
>        cookie hash "sessid"
>
> }
> http protocol "httpRural" {

This is not used by any of the relays.

>
>        # Performance parameters
>        tcp {nodelay, sack, socket buffer 65536, backlog 100 }
>
>        # return error
>
>        # Close the connection
>        header change "Connection" to "close"
>
>        # Block disallowed sites
>        label "URL Request DENIED"
>        request header expect "tld1.com.ar" from "Host"
>        request header expect "*.tld1.com.ar" from "Host"
>        request header expect "rojas.tld1.com.ar" from "Host"
>
>        # Block disallowed browsers
>        label "Please try a <em>different Browser</em>"
>        header filter "Mozilla/4.0 *" from "User-Agent"
>
>        header append "$REMOTE_ADDR" to "X-Forwarded-For"
>        cookie hash "sessid"
>
> }
>
> http protocol "httpBlancas" {
>

This is not used by any of the relays.

>        # Performance parameters
>        tcp {nodelay, sack, socket buffer 65536, backlog 100 }
>
>        # return error
>
>        # Close the connection
>        header change "Connection" to "close"
>        # request header expect "*.tld2.com.ar"  from "Host"
>
>        header append "$REMOTE_ADDR" to "X-Forwarded-For"
> }
>
>
> ## Relay definitions
> relay tld {
>        listen on $address2 port 80
>        protocol "tld"
>        forward to <mobileweb> port 80 mode roundrobin check http "/relaycheck/mobileWAP/index.php" code 200
> }
>
> relay tld1 {
>        listen on $address3 port 80
>        protocol "tld1"

This protocol "tld1" does not exist - do you mean httpRural or httpBlancas?

>        forward to <webcaches> port 80 mode roundrobin check http "/monitoreo/relayd.txt" code 200
> }
>
> relay tld2 {
>        listen on $address1 port 80
>        protocol "tld2"

This protocol "tld2" does not exist - do you mean httpRural or httpBlancas?

>        forward to <webcaches1> port 80 mode roundrobin check http "/monitoreo/relayd.txt" code 200
> }
>
> I would really appreciate any clue or idea that makes this work.
>
> Thanks in advance
>
> Saludos / Regards
> Leonardo Santagostini


Re: Issue with PF + Relayd

Leonardo Santagostini
Hello Reyk, sorry for the inconsistencies; they were there to hide the real
names (to protect internal things).

Here comes the config with the homework properly done (sorry again):

ext_if="pcn0"

set fingerprints "/etc/pf.os"
set optimization aggressive

# match on $ext_if all scrub (no-df)

# Create the tables I am going to use
table <ips_malas> persist
table <redes_yell> persist file "/etc/redes.yell"
table <redes_permitidas> persist file "/etc/redes_permitidas.txt"

# Define the load balancer IP for Mobile
address_mobile = "10.0.1.181"
address1 = "10.0.1.16"

# Stop processing when the traffic comes from the internal networks
pass in quick from <redes_yell> to any

# Let the IPs from the permitted networks through
pass in quick from <redes_permitidas> to $address_mobile

# Create the block rules
block in quick from <ips_malas>
block in log quick on $ext_if proto tcp from any os "NMAP" to any \
        label ExtNMAPScan

# Protection against nmap and similar tools
# block in quick on $ext_if proto tcp flags FUP/WEUAPRSF
block in quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
block in quick on $ext_if proto tcp flags SRAFU/WEUAPRSF
block in quick on $ext_if proto tcp flags /WEUAPRSF
block in quick on $ext_if proto tcp flags SR/SR
block in quick on $ext_if proto tcp flags SF/SF
block in quick from urpf-failed


# Apply the DoS and SYN flood rules on tld
pass in log on $ext_if proto tcp to $address_mobile port www keep state \
        (sloppy, max 10000, max-src-nodes 5000, max-src-conn 100, \
        max-src-conn-rate 95/2, adaptive.start 6000, adaptive.end 12000, \
        tcp.first 15, tcp.opening 5, tcp.established 3600, tcp.closing 5, \
        tcp.finwait 15, tcp.closed 15, tcp.tsdiff 5)


# Apply the DoS and SYN flood rules on tld2
pass in on $ext_if proto tcp to $address1 port www keep state \
        (sloppy, max 10000, max-src-nodes 5000, max-src-conn 150, \
        max-src-conn-rate 150/3)


# Anchor for relayd
anchor "relayd/*"

----------------------------
# Load balancing configuration file

## Global options
interval 5
timeout 1000
prefork 5

## VIP addresses
address1="10.0.1.16"
address2="10.0.1.181"
address3="10.0.1.182"


## Server addresses
mobileWap01="10.0.1.200"
mobileWap02="10.0.1.201"
webcache01="10.0.1.70"
webcache02="10.0.1.71"
webcache03="10.0.1.72"
webcache04="10.0.1.73"

## Table definitions
table <mobileweb> { $mobileWap01 $mobileWap02 }
table <webcaches> { $webcache01 $webcache02 $webcache03 $webcache04 }
table <webcaches1> { $webcache01 }

## Protocol definitions (filters)

http protocol "tld" {

        # Performance parameters
        tcp {nodelay, sack, socket buffer 65536, backlog 100 }

        ## Test
        # return error

        # Close the connection
        header change "Connection" to "close"

        # Block disallowed sites
        label "URL Request DENIED"
        request header expect "tld.com.ar" from "Host"
        request header expect "www.tld.com.ar" from "Host"
        request header expect "s.tld.com.ar" from "Host"
        request header expect "get.tld.com.ar" from "Host"
        request header expect "test.tld.com.ar" from "Host"

        # Block disallowed browsers
        label "Please try a <em>different Browser</em>"
        header filter "Mozilla/4.0 *" from "User-Agent"

        header append "$REMOTE_ADDR" to "X-Forwarded-For"
        cookie hash "sessid"

}
http protocol "tld1" {

        # Performance parameters
        tcp {nodelay, sack, socket buffer 65536, backlog 100 }

        # return error

        # Close the connection
        header change "Connection" to "close"

        # Block disallowed sites
        label "URL Request DENIED"
        request header expect "tld1.com.ar" from "Host"
        request header expect "*.tld1.com.ar" from "Host"
        request header expect "rojas.tld1.com.ar" from "Host"

        # Block disallowed browsers
        label "Please try a <em>different Browser</em>"
        header filter "Mozilla/4.0 *" from "User-Agent"

        header append "$REMOTE_ADDR" to "X-Forwarded-For"
        cookie hash "sessid"

}

http protocol "tld2" {

        # Performance parameters
        tcp {nodelay, sack, socket buffer 65536, backlog 100 }

        # return error

        # Close the connection
        header change "Connection" to "close"
        # request header expect "*.tld2.com.ar"  from "Host"

        header append "$REMOTE_ADDR" to "X-Forwarded-For"
}


## Relay definitions
relay tld {
        listen on $address2 port 80
        protocol "tld"
        forward to <mobileweb> port 80 mode roundrobin check http "/relaycheck/mobileWAP/index.php" code 200
}

relay tld1 {
        listen on $address3 port 80
        protocol "tld1"
        forward to <webcaches> port 80 mode roundrobin check http "/monitoreo/relayd.txt" code 200
}

relay tld2 {
        listen on $address1 port 80
        protocol "tld2"
        forward to <webcaches1> port 80 mode roundrobin check http "/monitoreo/relayd.txt" code 200
}


I will shortly provide the tcpdump you requested.

Thanks in advance


Saludos / Regards
Leonardo Santagostini








Re: Issue with PF + Relayd

Leonardo Santagostini
Hello Reyk,

After testing with my browser without a proxy, everything worked fine. I tried
with 2 different proxies (one ISA and one Squid) without luck.

The proxy gives me a "Zero sized reply"; maybe the proxy doesn't like DSR.

Sorry for bothering you all :)

Saludos / Regards
Leonardo Santagostini






2013/3/1 Leonardo Santagostini <[hidden email]>:

> Hello Reyk, sorry for the inconsistencies, they was for hide the real
> name (for protecting internal things).
>
> Here comes the config with the homework well done (sorry again)
>
> ext_if="pcn0"
>
> set fingerprints "/etc/pf.os"
> set optimization aggressive
>
> # match on $ext_if all scrub (no-df)
>
> # Genero las tablas que voy a usar
> table <ips_malas> persist
> table <redes_yell> persist file "/etc/redes.yell"
> table <redes_permitidas> persist file "/etc/redes_permitidas.txt"
>
> # Defino la ip del balanceador para Mobile
> address_mobile = "10.0.1.181"
> address1 = "10.0.1.16"
>
> # Dejo de procesar cuando se trata de las redes internas
> pass in quick from <redes_yell> to any
>
> # Dejo pasar las ips desde las redes permitidas
> pass in quick from <redes_permitidas> to $address_mobile
>
> # Genero el block
> block in quick from <ips_malas>
> block in log quick on $ext_if proto tcp from any os "NMAP" to any
> label ExtNMAPScan
>
> # Proteccion contra nmap y herramientas similares
> # block in quick on $ext_if proto tcp flags FUP/WEUAPRSF
> block in quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
> block in quick on $ext_if proto tcp flags SRAFU/WEUAPRSF
> block in quick on $ext_if proto tcp flags /WEUAPRSF
> block in quick on $ext_if proto tcp flags SR/SR
> block in quick on $ext_if proto tcp flags SF/SF
> block in quick from urpf-failed
>
>
> # Aplico reglas de DoS y Syn Flood en tld
> pass in log on $ext_if proto tcp to $address_mobile port www keep
> state (sloppy, max 10000, max-src-nodes 5000, max-src-conn 100,
> max-src-conn-rate 95/2, adap
> tive.start 6000, adaptive.end 12000, tcp.first 15, tcp.opening 5,
> tcp.established 3600, tcp.closing 5, tcp.finwait 15, tcp.closed 15,
> tcp.tsdiff 5)
>
>
> # Aplico reglas de DoS y Syn Flood en tld2
> pass in on $ext_if proto tcp to $address1 port www keep state (sloppy,
> max 10000, max-src-nodes 5000, max-src-conn 150, max-src-conn-rate
> 150/3)
>
>
> # Anchor Para relayd
> anchor "relayd/*"
>
> ----------------------------
> # Archivo de configuracion de balanceo
>
> ## Opciones globales
> interval 5
> timeout 1000
> prefork 5
>
> ## Direcciones de las vip
> address1="10.0.1.16"
> address2="10.0.1.181"
> address3="10.0.1.182"
>
>
> ## Direcciones de los servidores
> mobileWap01="10.0.1.200"
> mobileWap02="10.0.1.201"
> webcache01="10.0.1.70"
> webcache02="10.0.1.71"
> webcache03="10.0.1.72"
> webcache04="10.0.1.73"
>
> ## Definicion de Tablas
> table <mobileweb> { $mobileWap01 $mobileWap02 }
> table <webcaches> { $webcache01 $webcache02 $webcache03 $webcache04 }
> table <webcaches1> { $webcache01 }
>
> ## Definicion de protocolos (Filtros)
>
> http protocol "tld" {
>
>         # Parametros de rendimiento
>         tcp {nodelay, sack, socket buffer 65536, backlog 100 }
>
>         ## Prueba
>         # return error
>
>         # Cerramos la conexion
>         header change "Connection" to "close"
>
>         # Block disallowed sites
>         label "URL Request DENIED"
>         request header expect "tld.com.ar" from "Host"
>         request header expect "www.tld.com.ar" from "Host"
>         request header expect "s.tld.com.ar" from "Host"
>         request header expect "get.tld.com.ar" from "Host"
>         request header expect "test.tld.com.ar" from "Host"
>
>         # Block disallowed browsers
>         label "Please try a <em>different Browser</em>"
>         header filter "Mozilla/4.0 *" from "User-Agent"
>
>         header append "$REMOTE_ADDR" to "X-Forwarded-For"
>         cookie hash "sessid"
>
> }
> http protocol "tld1" {
>
>         # Parametros de rendimiento
>         tcp {nodelay, sack, socket buffer 65536, backlog 100 }
>
>         # return error
>
>         # Cerramos la conexion
>         header change "Connection" to "close"
>
>         # Block disallowed sites
>         label "URL Request DENIED"
>         request header expect "tld1.com.ar" from "Host"
>         request header expect "*.tld1.com.ar" from "Host"
>         request header expect "rojas.tld1.com.ar" from "Host"
>
>         # Block disallowed browsers
>         label "Please try a <em>different Browser</em>"
>         header filter "Mozilla/4.0 *" from "User-Agent"
>
>         header append "$REMOTE_ADDR" to "X-Forwarded-For"
>         cookie hash "sessid"
>
> }
>
> http protocol "tld2" {
>
>         # Parametros de rendimiento
>         tcp {nodelay, sack, socket buffer 65536, backlog 100 }
>
>         # return error
>
>         # Cerramos la conexion
>         header change "Connection" to "close"
>         # request header expect "*.tld2.com.ar"  from "Host"
>
>         header append "$REMOTE_ADDR" to "X-Forwarded-For"
> }
>
>
> ## Definicion de los relays
> relay tld {
>         listen on $address2 port 80
>         protocol "tld"
>         forward to <mobileweb> port 80 mode roundrobin check http
> "/relaycheck/mobileWAP/index.php" code 200
> }
>
> relay tld1 {
>         listen on $address3 port 80
>         protocol "tld1"
>         forward to <webcaches> port 80 mode roundrobin check http
> "/monitoreo/relayd.txt" code 200
> }
>
> relay tld2 {
>         listen on $address1 port 80
>         protocol "tld2"
>         forward to <webcaches1> port 80 mode roundrobin check http
> "/monitoreo/relayd.txt" code 200
> }
>
>
> I will provide shortly the tcpdump you request me.
>
> Thanks in advance
>
>
> Saludos / Regards
> Leonardo Santagostini
>
>
>
>
>
>
> 2013/3/1 Reyk Floeter <[hidden email]>:
>> Hi,
>>
>> Am 01.03.2013 um 15:24 schrieb Leonardo Santagostini <[hidden email]>:
>>> Im facing maybe a misbehavior in my OpenBSD 5.2. This machine is
>>> virtualized with KVM with 2 CPU and 4 Gb RAM
>>>
>>> Im running 5.2 GENERIC#278 i386
>>>
>>> The point is:
>>>
>>> tld relay rule as show in my config is working properly. But, tld1 and
>>> tld2 doesnt work when post method is invoked from the page is served
>>> by the 4 webcaches i have working behind relayd.
>>>
>>
>> Do you have any log messages from relayd? Run it in foreground with some -d and -v flags to get more info...
>>
>> Can you provide some information about the POST? Maybe a pcap or tcpdump text dump: how do the HTTP headers look like, how large is the payload etc.
>>
>> But please look below first, there are inconsistencies in your relayd.conf.
>>
>>> ext_if="pcn0"
>>>
>>> set fingerprints "/etc/pf.os"
>>> set optimization aggressive
>>>
>>> # match on $ext_if all scrub (no-df)
>>>
>>> # Genero las tablas que voy a usar
>>> table <ips_malas> persist
>>> table <redes_yell> persist file "/etc/redes.yell"
>>> table <redes_permitidas> persist file "/etc/redes_permitidas.txt"
>>>
>>> # Defino la ip del balanceador para Mobile
>>> address_mobile = "10.0.1.181"
>>> address1 = "10.0.1.16"
>>>
>>> # Dejo de procesar cuando se trata de las redes internas
>>> pass in quick from <redes_yell> to any
>>>
>>> # Dejo pasar las ips desde las redes permitidas
>>> pass in quick from <redes_permitidas> to $address_mobile
>>>
>>> # Genero el block
>>> block in quick from <ips_malas>
>>> block in log quick on $ext_if proto tcp from any os "NMAP" to any
>>> label ExtNMAPScan
>>>
>>> # Proteccion contra nmap y herramientas similares
>>> # block in quick on $ext_if proto tcp flags FUP/WEUAPRSF
>>> block in quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
>>> block in quick on $ext_if proto tcp flags SRAFU/WEUAPRSF
>>> block in quick on $ext_if proto tcp flags /WEUAPRSF
>>> block in quick on $ext_if proto tcp flags SR/SR
>>> block in quick on $ext_if proto tcp flags SF/SF
>>> block in quick from urpf-failed
>>>
>>>
>>> # Apply DoS and SYN flood rules on tld
>>> pass in log on $ext_if proto tcp to $address_mobile port www keep state (sloppy, max 10000, max-src-nodes 5000, max-src-conn 100, max-src-conn-rate 95/2, adaptive.start 6000, adaptive.end 12000, tcp.first 15, tcp.opening 5, tcp.established 3600, tcp.closing 5, tcp.finwait 15, tcp.closed 15, tcp.tsdiff 5)
>>>
>>>
>>> # Apply DoS and SYN flood rules on tld2
>>> pass in on $ext_if proto tcp to $address1 port www keep state (sloppy, max 10000, max-src-nodes 5000, max-src-conn 150, max-src-conn-rate 150/3)
>>>
>>>
>>> # Anchor for relayd
>>> anchor "relayd/*"
>>>
>>> ----------------------------
>>> # Load-balancing configuration file
>>>
>>> ## Global options
>>> interval 5
>>> timeout 1000
>>> prefork 5
>>>
>>> ## VIP addresses
>>> address1="10.0.1.16"
>>> address2="10.0.1.181"
>>> address3="10.0.1.182"
>>>
>>>
>>> ## Server addresses
>>> mobileWap01="10.0.1.200"
>>> mobileWap02="10.0.1.201"
>>> webcache01="10.0.1.70"
>>> webcache02="10.0.1.71"
>>> webcache03="10.0.1.72"
>>> webcache04="10.0.1.73"
>>>
>>> ## Table definitions
>>> table <mobileweb> { $mobileWap01 $mobileWap02 }
>>> table <webcaches> { $webcache01 $webcache02 $webcache03 $webcache04 }
>>> table <webcaches1> { $webcache01 }
>>>
>>> ## Protocol definitions (filters)
>>>
>>> http protocol "tld" {
>>>
>>
>> OK, I see this is used by relay "tld".
>>
>>>        # Performance parameters
>>>        tcp {nodelay, sack, socket buffer 65536, backlog 100 }
>>>
>>
>> FYI, the socket buffer option can probably be removed as we support dynamic buffer scaling since a few releases.
>>
>>>        ## Test
>>>        # return error
>>>
>>>        # Close the connection
>>>        header change "Connection" to "close"
>>>
>>>        # Block disallowed sites
>>>        label "URL Request DENIED"
>>>        request header expect "tld.com.ar" from "Host"
>>>        request header expect "www.tld.com.ar" from "Host"
>>>        request header expect "s.tld.com.ar" from "Host"
>>>        request header expect "get.tld.com.ar" from "Host"
>>>        request header expect "test.tld.com.ar" from "Host"
>>>
>>>        # Block disallowed browsers
>>>        label "Please try a <em>different Browser</em>"
>>>        header filter "Mozilla/4.0 *" from "User-Agent"
>>>
>>>        header append "$REMOTE_ADDR" to "X-Forwarded-For"
>>>        cookie hash "sessid"
>>>
>>> }
>>> http protocol "httpRural" {
>>
>> This is not used by any of the relays.
>>
>>>
>>>        # Performance parameters
>>>        tcp {nodelay, sack, socket buffer 65536, backlog 100 }
>>>
>>>        # return error
>>>
>>>        # Close the connection
>>>        header change "Connection" to "close"
>>>
>>>        # Block disallowed sites
>>>        label "URL Request DENIED"
>>>        request header expect "tld1.com.ar" from "Host"
>>>        request header expect "*.tld1.com.ar" from "Host"
>>>        request header expect "rojas.tld1.com.ar" from "Host"
>>>
>>>        # Block disallowed browsers
>>>        label "Please try a <em>different Browser</em>"
>>>        header filter "Mozilla/4.0 *" from "User-Agent"
>>>
>>>        header append "$REMOTE_ADDR" to "X-Forwarded-For"
>>>        cookie hash "sessid"
>>>
>>> }
>>>
>>> http protocol "httpBlancas" {
>>>
>>
>> This is not used by any of the relays.
>>
>>>        # Performance parameters
>>>        tcp {nodelay, sack, socket buffer 65536, backlog 100 }
>>>
>>>        # return error
>>>
>>>        # Close the connection
>>>        header change "Connection" to "close"
>>>        # request header expect "*.tld2.com.ar"  from "Host"
>>>
>>>        header append "$REMOTE_ADDR" to "X-Forwarded-For"
>>> }
>>>
>>>
>>> ## Relay definitions
>>> relay tld {
>>>        listen on $address2 port 80
>>>        protocol "tld"
>>>        forward to <mobileweb> port 80 mode roundrobin check http "/relaycheck/mobileWAP/index.php" code 200
>>> }
>>>
>>> relay tld1 {
>>>        listen on $address3 port 80
>>>        protocol "tld1"
>>
>> This protocol "tld1" does not exist - do you mean httpRural or httpBlancas?
>>
>>>        forward to <webcaches> port 80 mode roundrobin check http "/monitoreo/relayd.txt" code 200
>>> }
>>>
>>> relay tld2 {
>>>        listen on $address1 port 80
>>>        protocol "tld2"
>>
>> This protocol "tld2" does not exist - do you mean httpRural or httpBlancas?
>>
>>>        forward to <webcaches1> port 80 mode roundrobin check http "/monitoreo/relayd.txt" code 200
>>> }
>>>
>>> I would really appreciate any clue or any idea that makes this work.
>>>
>>> Thanks in advance
>>>
>>> Saludos / Regards
>>> Leonardo Santagostini
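The two relays above point at protocols "tld1" and "tld2" that are never defined, which is the kind of dangling reference a quick cross-check catches before the config is loaded. The script below is an added example, not part of the thread or of relayd itself; it assumes, as relayd does, that protocols and tables are defined before the relays that use them, and runs over a constructed, abridged copy of the posted relayd.conf:

```python
"""Cross-check relayd.conf references (added example, not relayd's own code)."""
import re
from collections import defaultdict

# Constructed sample modelled on the thread's relayd.conf (abridged).
SAMPLE_CONF = """\
table <mobileweb> { 10.0.1.200 10.0.1.201 }
table <webcaches> { 10.0.1.70 10.0.1.71 10.0.1.72 10.0.1.73 }
http protocol "tld" { header change "Connection" to "close" }
http protocol "httpRural" { header change "Connection" to "close" }
relay tld {
        protocol "tld"
        forward to <mobileweb> port 80 mode roundrobin
}
relay tld1 {
        protocol "tld1"   # probably meant httpRural: never defined
        forward to <webcaches> port 80 mode roundrobin
}
relay tld2 {
        protocol "tld2"
        forward to <webcaches1> port 80 mode roundrobin
}
"""

PROTO_DEF = re.compile(r'^\s*(?:http|tcp|dns)?\s*protocol\s+"([^"]+)"\s*\{')
TABLE_DEF = re.compile(r'^\s*table\s+<([^>]+)>')
RELAY_DEF = re.compile(r'^\s*relay\s+"?([^"\s{]+)"?\s*\{')
PROTO_REF = re.compile(r'^\s*protocol\s+"([^"]+)"\s*$')
FWD_REF = re.compile(r'^\s*forward\s+to\s+<([^>]+)>')

def check_relayd_conf(text):
    """Return {relay_name: [problems]} for protocol/table names used but never defined."""
    protocols, tables, problems = set(), set(), defaultdict(list)
    relay = None                            # name of the relay block we are inside
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop trailing comments
        if (m := PROTO_DEF.match(line)):
            protocols.add(m.group(1)); relay = None
        elif (m := TABLE_DEF.match(line)):
            tables.add(m.group(1))
        elif (m := RELAY_DEF.match(line)):
            relay = m.group(1)
        elif relay and (m := PROTO_REF.match(line)):
            if m.group(1) not in protocols:
                problems[relay].append(f'no such protocol "{m.group(1)}"')
        elif relay and (m := FWD_REF.match(line)):
            if m.group(1) not in tables:
                problems[relay].append(f"no such table <{m.group(1)}>")
    return dict(problems)
```

`relayd -n` (configtest mode) is the authoritative check on the real file; this script only shows the cross-reference stand-alone, so it can be run on a copy before touching the box.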