OpenBSD Journal

Portugal group spreads the word on CARP

Contributed by jolan on from the desenrascanco dept.

Nuno Morgadinho writes:
Last weekend, at an event in Portugal, the local user group showed a redundant OpenBSD firewall working with two Soekrises and two laptops. They had one laptop playing an mp3 that was physically on the second laptop, being shared via NFS, and then simulated a failure on the firewall. A second machine automatically claimed the firewall identity on the network, and the music playing just choked a bit and recovered nicely. Kind of what Ryan McBride did at EuroBSDCon but without the axe part! Anyway, it definitely was fun to watch and it is also a good reminder of an OpenBSD based solution that companies can implement on a low budget. Some photos are also available.



Comments
  1. By Anonymous Coward (24.226.124.161) on

    You have to admit tho, the axing was cool! ;^)

    Comments
    1. By Anonymous Coward (66.8.250.79) on

      Nothing like a bit of showmanship

    2. By Anonymous Coward (216.175.250.42) on

      Anything involving an axe is automatically bumped up a few notches on the coolometer.

  2. By Anonymous Coward (131.130.1.135) on

    Why does this guy think he needs a microphone when there are something like 3-5 people attending?

    Comments
    1. By anonymous pedro (201.17.60.11) on

      Yeah, from the pics it is very clear that he's using the microphone

      definitely

      But then, perhaps it was... turned off?

    2. By Anonymous Coward (139.142.184.213) on

      Because you can only see the first row?

      Comments
      1. By Amir Mesry (66.23.227.241) starkiller@web-illusions.net on

        Exactly, if you look closely you see a leg of one of the chairs of the second row.

    3. By Anonymous Coward (69.193.125.65) on

      Recording? Broadcast?

  3. By Anonymous Coward (72.66.28.35) on

    Just from what I can tell on the net, there seems to be a sizable Portuguese user population. Is that a fair assessment?

    Comments
    1. By Anonymous Coward (81.84.174.230) on

      Not really. But the relatively few Open/Free/Net users here in Portugal are very active :-)

    2. By Rodolfo Gouveia (213.146.199.119) on

      We are few but all goodfellas :-)

      Comments
      1. By Anonymous Coward (128.171.90.200) on

        ?

        Comments
        1. By anonymous pedro (201.17.60.11) on

          those are the italians, but there's a link :)

  4. By Bastiaan Jacques (86.83.136.97) on

    A second machine claimed automatically the firewall identity on the network and the music playing just choked a bit and recovered nicely. Kind of what Ryan McBride did at EuroBSDCon but without the axe part!

    When McBride did it, the sound reportedly didn't skip at all. Were the guys in Portugal doing something wrong?

    Comments
    1. By Anonymous Coward (87.78.70.102) on

      For the show effect, mp3 is quite nice. Not many people will ask how much you had prebuffered.

      Comments
      1. By mcbride (216.19.177.194) mcbride@openbsd.org on

        I use mpg321, which has no pre-buffering option, and does not do any significant buffering on its own. I also never play the same song twice on a single boot, to avoid filesystem buffering.

        If you've seen my demo live, you'll know that I also demonstrate unplugging BOTH firewalls, to show how quickly the music dies when there's no network. The answer: almost instantaneously (not measured, but I'd guess under 0.5 seconds).

        I've learned to be very careful about showing that there is no smoke-and-mirrors, ever since a demo in Ireland where the music continued playing after both firewalls were unplugged. Either filesystem or mpg123 buffering was the cause.

        Comments
        1. By Anonymous Coward (87.78.70.202) on

          k

    2. By Anonymous Coward (134.58.253.114) on

      Probably they didn't prebuffer very much... If you buffer a few seconds of sound, there's plenty of time to failover and refill the buffer before it underruns.

      Comments
      1. By Anonymous Coward (202.45.99.46) on

        Why should it drop packets in the first place? And why shouldn't the failover happen quickly enough for skip-free mp3 playback?

  5. By Chas (12.217.82.49) on

    Somebody really needs to write a book on firewalling with OpenBSD. I really need to learn this stuff in more detail.

    Was this NFS v4 over TCP? I didn't realize that NFS could be firewalled in this way (seems even more difficult than FTP).

    And the CARP stuff seems absolutely amazing.

    I wonder if CARP could work with the TIS Firewall Toolkit. I still use this stuff a lot at work (and tn-gw is still something that is impossible to do with ssh).

    Comments
    1. By J.Jacques Roh (83.228.162.7) on

      The book exists already: Building Firewalls with OpenBSD and PF by Jacek Artymiak, Second Edition, ISBN 83-916651-1-9. It covers OpenBSD 3.4. You can buy it here: OpenBSD support. But since it covers OpenBSD 3.4, some things may have changed since then in OpenBSD and pf.

    2. By Peter N. M. Hansteen (194.54.107.19) peter@bgnett.no on http://www.bgnett.no/~peter/pf/

      As others have pointed out, several books have been written about OpenBSD and PF already. Jacek's is very good. If you prefer not to wait until the bookstores open, you could get a feel for the subject by browsing my PF tutorial at http://www.bgnett.no/~peter/pf/ (more updates due after BSDCan and SANE).

    3. By me (81.204.188.152) on

      The thing is, CARP is (I think) not in these books yet, as it started with 3.5 and higher, I think?

  6. By Lennie (82.75.30.141) on

    Personally I think the bigger achievement is pfsync. I'm not sure, but CARP always (at least to me) seemed easier.

    I could be wrong. :-)

    Well, the combination makes it a real HA-free-and-open-stateful-connection-tracking-firewall.
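The CARP-plus-pfsync pair that the demo and the comment above describe, as an added configuration example that is not the Portuguese group's own setup: a function that stages the files for one node of a two-firewall pair. The interface names em0/em1/em2, the addresses, the vhids and the CHANGEME passphrase are assumptions.

```shell
#!/bin/sh
# Added example (not from the page): stage CARP + pfsync configuration for
# one node of a two-node OpenBSD firewall pair. Interface names, addresses,
# vhids and the CHANGEME passphrase are assumptions, not page values.
#
# Usage: render_ha_config master|backup /path/to/staging-dir
# Copy the staged files into /etc on the matching node, then reboot or
# run "sh /etc/netstart" and "pfctl -f /etc/pf.conf".

render_ha_config() {
    role="$1"; out="$2"
    mkdir -p "$out" || return 1
    case "$role" in
        master) advskew=0;   sync_ip=10.0.0.1 ;;
        backup) advskew=100; sync_ip=10.0.0.2 ;;
        *) echo "role must be master or backup" >&2; return 1 ;;
    esac

    # Shared virtual IP on the external side. The node with the lowest
    # advskew becomes MASTER; the other stays BACKUP until it stops hearing
    # advertisements (the simulated failure in the demo).
    cat > "$out/hostname.carp0" <<EOF
inet 192.0.2.1 255.255.255.0 192.0.2.255 vhid 1 carpdev em0 pass CHANGEME advskew $advskew
EOF
    # Shared virtual IP on the internal (LAN) side.
    cat > "$out/hostname.carp1" <<EOF
inet 10.1.1.1 255.255.255.0 10.1.1.255 vhid 2 carpdev em1 pass CHANGEME advskew $advskew
EOF
    # Dedicated crossover link carrying pf state-table updates between the pair,
    # so the backup already knows the NFS/TCP states when it takes over.
    cat > "$out/hostname.em2" <<EOF
inet $sync_ip 255.255.255.0
EOF
    cat > "$out/hostname.pfsync0" <<EOF
up syncdev em2
EOF
    # preempt=1: the lower-advskew node takes the VIPs back when it returns,
    # and if one carp interface loses link all of them fail over together.
    cat > "$out/sysctl.conf" <<EOF
net.inet.carp.preempt=1
EOF
    # pf must pass the CARP and pfsync protocols themselves; those states are
    # per-node and must not be synced, hence no-sync.
    cat > "$out/pf.conf" <<EOF
pass quick on em2 proto pfsync keep state (no-sync)
pass on { em0 em1 } proto carp keep state (no-sync)
EOF
}
```

Restrict the sync link physically (a crossover cable or dedicated VLAN), since pfsync traffic is unauthenticated and carries the live state table.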

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site.