[FUG-BR] Relayd
Rodrigo Mosconi
freebsd at mosconi.mat.br
Tue May 10 11:32:40 BRT 2011
Search the ports tree for "pfstats", configure the graphs and you'll have a
great tool to help troubleshoot these problems.
On 10 May 2011 at 11:17, Éderson Chimbida <chimbida at gmail.com> wrote:
> Yes, it can do the check via ICMP, the hosts are OK...
>
> I raised the state limit in my pf.conf:
>
> set limit { states 50000, frags 5000 }
>
> It seems to have solved it, since it's holding up so far; when it went past the
> 10,000 states that is PF's default, relayd would close!
>
> --
> Éderson H. Chimbida
>
>
> 2011/5/10 Rodrigo Mosconi <freebsd at mosconi.mat.br>
>
>> Look at this line:
>>
>> relay_connect: session 762: forward failed: No route to host
>>
>> Can the firewall ping the other hosts?
>> Can it reach port 80?
>>
>>
>> On 10 May 2011 at 10:58, Éderson Chimbida <chimbida at gmail.com> wrote:
>> > Folks, I know this is the FreeBSD list, but the Brazilian OpenBSD lists are
>> > pretty dead, so here is my question...
>> >
>> > I have 2 firewalls with PF running CARP, and I recently replaced a
>> > proxy-balancer built on apache 2.2 with relayd.
>> >
>> > I have 3 protocol rules and 3 relay rules, where I relay to .NET
>> > webservices running on IIS servers; basically I do some checks on the
>> > HTTP headers, such as the host, pass the client IP on to IIS
>> > (X-Forwarded-For) and do some checks on the user_agent.
>> >
>> > The problem is that relayd keeps closing and I have no idea why!
>> >
>> > when I run it with -d -v:
>> >
>> > relay_connect: session 762: forward failed: No route to host
>> > relay ws_acfc, session 762 (3 active), 0, 1xx.5x.1xx.1xx -> 192.168.1.48:80,
>> > session failed (502 Bad Gateway)
>> > kill_tables: deleted 0 tables
>> > flush_rulesets: flushed rules
>> > pf update engine exiting
>> > host check engine exiting
>> > # socket relay engine exiting
>> > socket relay engine exiting
>> > socket relay engine exiting
>> > socket relay engine exiting
>> > socket relay engine exiting
>> > socket relay engine exiting
>> > socket relay engine exiting
>> >
>> > ------ relayd.conf----
>> > relayd_addr="127.0.0.1"
>> > relay_ws_port="10082"
>> >
>> > web_port="80"
>> > table <47e48> { 192.168.1.47, 192.168.1.48 }
>> >
>> > ## Global Options
>> > interval 10
>> > timeout 200
>> > prefork 5
>> > log updates
>> >
>> > http protocol "ws_xxx" {
>> > ### TCP performance options
>> > tcp { nodelay, sack, socket buffer 65536, backlog 100 }
>> > ### Return HTTP/HTML error pages
>> > return error
>> > ### allow logging of remote client ips to internal web servers
>> > header append "$REMOTE_ADDR" to "X-Forwarded-For"
>> > header append "$SERVER_ADDR:$SERVER_PORT" to "X-Forwarded-By"
>> > ### set Keep-Alive timeout to global timeout
>> > header change "Keep-Alive" to "$TIMEOUT"
>> > ### close connections upon receipt
>> > header change "Connection" to "close"
>> > ### Block bad or abusive User-Agents (case insensitive)
>> > label "BAD user agent"
>> > request header filter "xxxxxxxx" from "User-Agent"
>> > request header filter "xxxxxxxx" from "User-Agent"
>> > request header filter "xxxxxxxx" from "User-Agent"
>> > request header filter "xxxxxxxx" from "User-Agent"
>> > request header filter "xxxxxxxx" from "User-Agent"
>> > request header filter "xxxxxxxx" from "User-Agent"
>> > request header filter "xxxxxxxx" from "User-Agent"
>> > request header filter "xxxxxxxx" from "User-Agent"
>> > ### Block bad Referrers, (case insensitive)
>> > label "BAD referrer"
>> > request header filter "xxxxx*" from "Referer"
>> > request header filter "xxxxx*" from "Referer"
>> > request header filter "xxxxx*" from "Referer"
>> > request header filter "xxxxx*" from "Referer"
>> > request header filter "xxxxx*" from "Referer"
>> > request header filter "xxxxx*" from "Referer"
>> > ### Anonymize our webserver's name/type
>> > response header change "Server" to "JustSomeServer"
>> > ### Block requests to wrong host (case insensitive)
>> > label "HOST ERRADO"
>> > request header expect "services.xxxxx.net" from "Host"
>> > request header expect "servicesxx.xxxxx.net" from "Host"
>> > request header expect "servicesxxx.xxxxx.net" from "Host"
>> > }
>> >
>> >
>> > relay ws_xxx {
>> > ### listen and accept redirected connections from pf. For most
>> > ### protocol types you can also use the synproxy flag in your pf.conf
>> > ### rules.
>> > listen on $relayd_addr port $relay_ws_port
>> > ### apply web filters listed above
>> > protocol "ws_xxx"
>> > ### forward to webserver(s) with load balancing and
>> > forward to <47e48> port $web_port mode loadbalance check icmp
>> > }
>> > ------ relayd.conf----
>> >
>> > Does anyone have any tips?
>> >
>> > --
>> > Éderson H. Chimbida
>> > -------------------------
>> > Archive: http://www.fug.com.br/historico/html/freebsd/
>> > Leave the list: https://www.fug.com.br/mailman/listinfo/freebsd
>> >
>> -------------------------
>> Histórico: http://www.fug.com.br/historico/html/freebsd/
>> Sair da lista: https://www.fug.com.br/mailman/listinfo/freebsd
>>
> -------------------------
> Histórico: http://www.fug.com.br/historico/html/freebsd/
> Sair da lista: https://www.fug.com.br/mailman/listinfo/freebsd
>
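The thread's resolution is that relayd started failing once pf's state table hit its default hard limit, and the only symptom was "No route to host" in relayd's debug output. The script below is an added example, not code from the thread or from the relayd/pf projects: it reads the "current entries" count from `pfctl -si` and the "states hard limit" from `pfctl -sm`, computes how much of the limit is in use, and warns before the limit is reached, so the state table can be raised with `set limit states` in pf.conf before relayd is the first thing to notice. The two pfctl outputs embedded in the block are constructed samples laid out like FreeBSD pfctl(8) output; the field positions the awk filters rely on ("current entries" in the third column, the "states hard limit" value in the fourth) are an assumption about that layout, so check them against a real `pfctl -si` / `pfctl -sm` on the firewall before trusting the numbers.

```shell
#!/bin/sh
# Added example (not from the thread): how close is pf's state table to its
# hard limit?  Real usage on the firewall:
#     check_state_headroom "$(pfctl -si)" "$(pfctl -sm)" 80
# The two samples below are CONSTRUCTED to mimic pfctl(8) output; the column
# positions parsed by awk are an assumption about that layout.

SAMPLE_SI='Status: Enabled for 0 days 01:02:03           Debug: Urgent

State Table                          Total             Rate
  current entries                     9821
  searches                        12345678         3280.9/s
  inserts                          1234567          328.1/s
  removals                         1224746          325.5/s'

SAMPLE_SM='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
tables        hard limit     1000
table-entries hard limit   200000'

# current_states <pfctl -si output>: prints the "current entries" count
current_states() {
    printf '%s\n' "$1" | awk '/^ *current entries/ { print $3; exit }'
}

# state_limit <pfctl -sm output>: prints the "states hard limit" value
state_limit() {
    printf '%s\n' "$1" | awk '$1 == "states" && $2 == "hard" { print $4; exit }'
}

# state_usage_pct <si output> <sm output>: prints integer % of the limit in use
state_usage_pct() {
    cur=$(current_states "$1")
    lim=$(state_limit "$2")
    # refuse to compute anything if either value could not be parsed
    [ -n "$cur" ] && [ -n "$lim" ] && [ "$lim" -gt 0 ] || return 1
    echo $(( cur * 100 / lim ))
}

# check_state_headroom <si output> <sm output> <threshold %>
# returns 0 when usage is below the threshold, 1 when at/above it,
# 2 when the pfctl output could not be parsed
check_state_headroom() {
    pct=$(state_usage_pct "$1" "$2") || return 2
    if [ "$pct" -ge "$3" ]; then
        echo "WARNING: pf state table at ${pct}% of hard limit;" \
             "raise 'set limit states' in pf.conf" >&2
        return 1
    fi
    echo "OK: pf state table at ${pct}% of hard limit"
    return 0
}

# Stand-alone run against the constructed samples (98% of a 10000 limit).
# The trailing '|| :' keeps the warning's non-zero status from aborting
# the script when it is run under 'sh -e'.
check_state_headroom "$SAMPLE_SI" "$SAMPLE_SM" 80 || :
```

Run it from cron or a monitoring agent with a threshold well below 100% (80% is a reasonable starting point); the non-zero exit status is what an alerting wrapper should key on. One further caveat on the quoted relayd.conf: `check icmp` only proves the backend host answers pings, not that IIS is serving on port 80, so relayd's `check http "/" code 200` (a check type from relayd.conf(5), not something from the thread) is the more useful health check for an HTTP backend.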