Contributed by jose on from the round-robin dept.
OpenBSD has acquired load balancing support: you can now specify more than one destination address with an RDR statement. This is a great enhancement to PF, and a definite selling point for OpenBSD. This is something people have been asking for for a while, and I know this was in the works for a bit. Excellent work! Give it a whirl and test it out, help find the bugs and get things fixed.
From the commit message:
Date: Fri, 22 Nov 2002 22:22:25 -0700 (MST)
From: Ryan Thomas McBride
Subject: CVS: cvs.openbsd.org: src

CVSROOT: /cvs
Module name: src
Changes by: mcbride@cvs.openbsd.org 2002/11/22 22:22:24

Modified files:
sbin/pfctl : parse.y pf_print_state.c pf_print_state.h pfctl.c pfctl_parser.c pfctl_parser.h

Log message:
code to support loading of pf rules with multiple redirection addresses (in nat, rdr, route-to, dup-to and reply-to)

Syntax looks like this, see pf.conf(5) for details:

nat on wi0 proto { tcp, icmp } from any to 192.168.0.2 -> 192.168.0.16/29 source-hash random
rdr on wi0 proto { tcp } from any to 192.168.0.34 port 22 -> { 192.168.0.8/31, 192.168.0.15 } port 22 round-robin

ok dhartmei@ henning@
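The two pool types in the commit message, round-robin and source-hash, differ in whether a given client keeps landing on the same backend across connections. The following is an added example written for this page, not pf code: it models pool expansion and both selectors so the difference can be seen on constructed input. Assumptions: every address in a prefix is a pool candidate (so 192.168.0.8/31 contributes .8 and .9), and a keyed SHA-256 plus an index into the pool stands in for pf's own hash and address computation, which differ in detail.

```python
"""Illustrative model of pf address-pool selection (added example, not pf code)."""
import hashlib
import ipaddress
import itertools
import os


def expand_pool(spec):
    """Expand a pool spec such as "{ 192.168.0.8/31, 192.168.0.15 }" into a
    list of individual addresses. Assumption for this model: every address
    in a prefix is a candidate, so the /31 contributes .8 and .9."""
    spec = spec.strip().strip("{}")
    addrs = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if "/" in item:
            net = ipaddress.ip_network(item, strict=False)
            addrs.extend(str(a) for a in net)
        else:
            addrs.append(str(ipaddress.ip_address(item)))
    return addrs


class RoundRobinPool:
    """Each new state gets the next address in turn, regardless of who the
    client is: the same client's next connection lands elsewhere."""

    def __init__(self, spec):
        self.addrs = expand_pool(spec)
        self._cycle = itertools.cycle(self.addrs)

    def select(self, src):
        return next(self._cycle)


class SourceHashPool:
    """A keyed hash of the source address picks the target, so one client
    maps to the same backend as long as the key and the pool are stable.
    key=None models `source-hash random`: a fresh key per ruleset load."""

    def __init__(self, spec, key=None):
        self.addrs = expand_pool(spec)
        self.key = key if key is not None else os.urandom(16)

    def select(self, src):
        packed = ipaddress.ip_address(src).packed
        digest = hashlib.sha256(self.key + packed).digest()  # stand-in for pf's hash
        return self.addrs[int.from_bytes(digest[:4], "big") % len(self.addrs)]


def affinity_report(pool, sources, connections=3):
    """For each source, the set of backends it received over several new
    connections. source-hash yields exactly one backend per source."""
    return {src: sorted({pool.select(src) for _ in range(connections)})
            for src in sources}
```

pf's state table keeps an established connection on the backend it was first mapped to; the pool type only decides where each new connection goes. Applications that keep per-client state on the server therefore want source-hash rather than round-robin, with the caveat that `source-hash random` draws a new key when the ruleset is loaded, so a reload can remap clients.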
By Anonymous Coward () on
Once again, the OpenBSD team succeeded in making something great even better! Keep up the good work!
By Anonymous Coward () on
Of course, this adds complexity to pf, but it'd be well worth it to be able to replace standalone devices with OpenBSD machines that can also do firewalling. Since it'd be done in the kernel, you don't have to mess with (or have the overhead of) userland programs.
By Anonymous Coward () on
Here's the recipe you want:
AutoUpdate PF Bread
220 Calories Per Serving (Not including the beer)
(1) Ounce wget
(2) Cups awk
(1) TSP sed
(1024) Bottles beer
Directions:
Add wget to mixing bowl, stir in awk and one bottle of beer until batter is thick. Bake at 350 degrees until dough rises, sprinkle SED as topping.
Eat one piece every 2 minutes. Drink extra beer regularly.
By Anonymous Coward () on
discussion on it, I'm sure. Short story is Theo refuses to implement
it because of patent issues.
By Dries Schellekens () on http://www.deadly.org/commentShow.php3?sid=2002112
It has been implemented. It just can't be added to OpenBSD because of the patent issues.
By Anonymous Coward () on
VRRP is encumbered.
Don't do it the 'Linux way' by just 'reinventing' someone else's work.
By Dam () on
The best method is to check http of the server:
1. Write a dynamic webpage on the webservers which will check the backend servers (DB servers...)
2. At the LB check for the availability of that specific web page.
I wait for the documentation but:
1. It's much better to write a userland daemon to monitor the servers with support for the following monitoring:
1.1 - ping
1.2 - tcp session
1.3 - webpage status code
1.4 - snmp
2. PF should add an API to remove and add servers without reloading all the rules, and an API to check how many connections/packets each server has.
3. PF should give the option of server priority, or should allow writing the same server address twice or more (like old-time SNA/SDLC).
By Anonymous Coward () on
The best method is to check http of the server: 1. Write a dynamic webpage on the webservers which will check the backend servers (DB servers...)
Writing a specific webpage is installing something on the webserver.
By Strog () on
http://www.obfuscation.org/ipf/ipf-howto.html#TOC_38
By Anonymous Coward () on
What do you guys think?
By Shane J Pearson () on
Hey, you used my favorite line! Does this mean I've "made it"? ; )
Anyway, pf just never ceases to amaze me.
Excellent performance, bandwidth throttling, load balancing, so is failover next...?
How can it get better?
By Strog () on
OpenBSD and pf are making leaps and bounds, but that doesn't mean everything else is crap. The reason ipf was pulled wasn't because of it being a bad product. In fact it was highly regarded in OpenBSD circles for performance/security/stability reasons with OpenBSD patches applied. There was a change in the license (real or perceived, you be the judge) and the OpenBSD project was told that they can't modify it anymore without permission.
We all know Theo won't be told what he can or can't do, so he commissioned pf to be created. pf has some differences from ipf but is largely inspired by it. pf beats ipf in many areas while ipf still holds some areas (for how long?). ipf still has a little less overhead, but that shouldn't matter as long as you provision a little overhead in your packet filtering box. I think as pf matures it will prove itself to be a superior product in all areas.
I'm currently running a post-3.1 snapshot on the firewall and need to check out the load balancing on current. I keep an extra hard drive in there for just such occasions.
By Dries Schellekens () on http://www.kerneltrap.net/node.php?id=477
What patent issues are obstructing the work towards redundancy and fail-over?
Are you currently looking into alternative methods for providing redundancy and automatic failover?
And the comment "VRRP patent issues" by Daniel.
By Matt Van Mater () on
BTW: if anyone is interested in name-based port forwarding, check out a project on SourceForge called portfwd, which can do this for a few protocols. Daniel suggested using squid in reverse proxy mode, but I thought this project might be easier to configure; haven't tried it out yet.
By Anonymous Coward () on
Anyone know if there's a way on an IP-less, bridging firewall with pf to detect the IP address changes on a host in the DMZ with, say, ARP or reverse ARP and auto-change the IP address in the bridge's pf.conf?
By Anonymous Coward () on
In this case, this is a transparent bridging firewall (IP-less box).
By zil0g () on
Seems easier to just give it the DHCP interface and let pf do the job...
By Anonymous Coward () on
Have the NAT box notify the bridge of any change to address via a hook in dhclient-script (and ssh or similar).
Windows will be a bit messy, but you could schedule a script to run every few minutes to check for changes to 'ipconfig' output and notify... It would have to route through the NAT box to reach the bridge, since Windows (at least Win2k) won't let you have an IP alias on a DHCP interface.
Not tested by me, but I don't immediately see a reason for it not to work (unless you really, really don't want an IP address on the bridge, or go by some other route, maybe RS-232).
By kremlyn () on
Now, to the point..
A friend of mine and I were discussing last night implementing a Perl script that can detect whether or not an uplink (on a firewall with multiple uplinks) has gone down and then load a new ruleset defining use of the next-preferenced uplink (after having changed the default route on the box).
We're thinking of having an /etc/uplink.interfaces which lists each available interface, as well as its preference (in relation to other uplinks), and the external IP to ping for connectivity checks.
The major problem we ran into was that ping doesn't support pinging from an interface, only from an IP with the `ping -I` command. We decided extracting the IP from ifconfig was the only way.
Then, when one link stops responding to pings generated by the script, the interface of next preference is selected and set as the default route, and pfctl is called, loading the new pf ruleset (which has presumably been pre-defined with $ext_if). One of these rulesets should be built for each failover interface, and live in /etc/uplink.$interface (note that here $interface is a variable whereas above it wasn't).
We're confident we could get it to work as a Perl script, but how about integration with pf?
//kremlyn
By Anonymous Coward () on
Since the functionality doesn't change when the interface changes (e.g. you still need ports 22 and 80 open and the rest closed, but on the new interface), why not have one file with your rulesets and another with your definitions? When calling pfctl, use:
cat definitions.$if rulesets | pfctl -f -
That way when modifying rules only one file needs editing. You'll also want to modify pfctl -f ${pf_rules} in /etc/rc.
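The uplink failover procedure sketched by kremlyn above (preference-ordered uplinks in /etc/uplink.interfaces, a ping probe from each interface's address, a default-route change, then a ruleset reload), combined with the previous reply's `cat definitions.$if rulesets | pfctl -f -` trick, as an added example written for this page rather than anything from the thread or from OpenBSD. Assumptions: the four-column file format below (interface, preference, gateway, probe address; the gateway column is mine, the thread did not specify one), the file names in the constants, and that probes are run with OpenBSD ping(8) `-I sourceaddr`. Probing and command execution are injectable so the selection logic runs without a network.

```python
"""Uplink failover selector for a multi-homed pf firewall (added example)."""
import re
import subprocess

UPLINKS_FILE = "/etc/uplink.interfaces"   # assumed location
RULESET_FILE = "/etc/pf.rules"            # shared rules written against $ext_if
DEFS_DIR = "/etc"                         # holds definitions.<ifname> files

# Constructed sample of the assumed file format: iface pref gateway probe.
SAMPLE_UPLINKS = """\
# iface  pref  gateway       probe
dc0      10    192.0.2.1     192.0.2.1
dc1      20    198.51.100.1  198.51.100.1
"""

# Constructed sample of `ifconfig dc0` output in OpenBSD's format.
SAMPLE_IFCONFIG = (
    "dc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500\n"
    "\tinet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255\n"
)

INET_RE = re.compile(r"^\s+inet (\d+\.\d+\.\d+\.\d+) ", re.M)


def parse_uplinks(text):
    """Parse the uplinks file; '#' starts a comment. Lowest preference first."""
    ups = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        iface, pref, gw, probe = line.split()
        ups.append({"iface": iface, "pref": int(pref), "gw": gw, "probe": probe})
    return sorted(ups, key=lambda u: u["pref"])


def interface_addr(iface, ifconfig_output=None):
    """First IPv4 address of `iface`, taken from ifconfig output because
    ping -I wants a source address, not an interface name."""
    if ifconfig_output is None:
        ifconfig_output = subprocess.run(["ifconfig", iface], capture_output=True,
                                         text=True).stdout
    m = INET_RE.search(ifconfig_output)
    return m.group(1) if m else None


def ping_probe(uplink, count=2, timeout=5):
    """Real probe: `ping -c N -I <src> <probe>`; exit status 0 means alive."""
    src = interface_addr(uplink["iface"])
    if src is None:
        return False
    cmd = ["ping", "-c", str(count), "-I", src, uplink["probe"]]
    try:
        return subprocess.run(cmd, capture_output=True, timeout=timeout).returncode == 0
    except subprocess.TimeoutExpired:
        return False


def choose_uplink(uplinks, probe):
    """Most-preferred uplink whose probe answers, or None if all are dead."""
    for up in uplinks:
        if probe(up):
            return up
    return None


def failover_commands(uplink):
    """Commands that switch to `uplink`: replace the default route, then load
    the shared ruleset with this interface's definitions prepended."""
    defs = f"{DEFS_DIR}/definitions.{uplink['iface']}"
    return [
        ["route", "-n", "change", "default", uplink["gw"]],
        ["sh", "-c", f"cat {defs} {RULESET_FILE} | pfctl -f -"],
    ]


def run_failover(uplinks, probe, current=None, run=subprocess.run):
    """One pass of the monitor: pick the best live uplink and switch to it if
    it differs from `current`. Returns the active interface name. When every
    probe fails the current uplink is kept rather than flapping to nothing."""
    best = choose_uplink(uplinks, probe)
    if best is None or best["iface"] == current:
        return current
    for cmd in failover_commands(best):
        run(cmd, check=True)
    return best["iface"]


if __name__ == "__main__":
    with open(UPLINKS_FILE) as fh:
        print(run_failover(parse_uplinks(fh.read()), ping_probe))
```

One caveat that applies to the `ping -I` idea in the thread: `-I` only sets the source address; the kernel still picks the outgoing interface from the routing table. In the sample file each probe target is the uplink's own gateway, which is on-link and reached through the connected route, so this works. Probing a distant host through a non-default uplink needs a host route for that target via the uplink's gateway, or the packets leave through the current default route whatever `-I` says.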
By Anonymous Coward () on
It needs an external application to do this for it, but that'll have to remove and add back a different rule. Sounds incredibly inefficient already.
By Anonymous Coward () on
For the same reason ftp-proxy works in userland, instead of in the kernel like IPFilter did.
Think about it. It all makes sense.
By Dries Schellekens () on http://www.benzedrine.cx/pf/msg00612.html
a pool, without modifying the rule itself.
Now you just have to write a daemon that (HTTP, FTP, ICMP, TCP, ...) pings the machines and adds or removes addresses in the pool.
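The userland health-check daemon proposed by Dam (TCP session and webpage status code checks) and again in the reply above (a daemon that probes the machines and adjusts the pool), as an added example written for this page, not code from the thread or from pf. Since the pf of this commit offers no API to add or remove a pool member in place, the example regenerates the rdr rule with only the live backends and reloads the full ruleset with `pfctl -f -`. The backend list, VIP, health page path, pf.conf template and its marker line are constructed assumptions; the checks are injectable so the reconcile logic runs offline.

```python
"""Backend health checker that rebuilds a pf rdr pool (added example)."""
import http.client
import socket
import subprocess

BACKENDS = ["192.168.0.8", "192.168.0.9", "192.168.0.15"]   # constructed
VIP, PORT = "192.168.0.34", 80                                # constructed
MARKER = "# @@backend-rdr@@"                                   # assumed marker line

# Constructed pf.conf template; the marker line is replaced by the rdr rule.
PF_CONF_TEMPLATE = """\
ext_if = "wi0"
# @@backend-rdr@@
block in on $ext_if all
pass in on $ext_if proto tcp from any to any port 80 keep state
"""


def tcp_check(addr, port=PORT, timeout=2.0):
    """'tcp session' check: a completed handshake counts as up."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False


def http_check(addr, port=PORT, path="/health", timeout=2.0, ok=(200,)):
    """'webpage status code' check: the health page on the backend verifies
    its own dependencies (DB servers etc.) and returns 200 only if they work."""
    try:
        conn = http.client.HTTPConnection(addr, port, timeout=timeout)
        conn.request("GET", path, headers={"Host": VIP})
        status = conn.getresponse().status
        conn.close()
        return status in ok
    except (OSError, http.client.HTTPException):
        return False


def healthy_backends(backends, checks):
    """A backend is live only if every check passes; keep input order so the
    rendered rule is stable when nothing changed."""
    return [b for b in backends if all(chk(b) for chk in checks)]


def render_rdr(vip, port, pool, ext_if="$ext_if"):
    """Render the rdr rule in the commit's syntax. One member needs no pool
    type; no members yields a comment so clients fail fast instead of being
    redirected to a dead host."""
    if not pool:
        return f"# no healthy backends for {vip} port {port}\n"
    target = pool[0] if len(pool) == 1 else "{ " + ", ".join(pool) + " }"
    rule = f"rdr on {ext_if} proto tcp from any to {vip} port {port} -> {target} port {port}"
    if len(pool) > 1:
        rule += " round-robin"
    return rule + "\n"


def build_ruleset(template, rule):
    """Splice the rule into the full config: pfctl -f replaces the whole
    ruleset, so loading the rdr line alone would drop every other rule."""
    if MARKER + "\n" not in template:
        raise ValueError("template lacks marker line")
    return template.replace(MARKER + "\n", rule)


def pfctl_reload(ruleset):
    """Feed the generated ruleset to pfctl on stdin."""
    subprocess.run(["pfctl", "-f", "-"], input=ruleset.encode(), check=True)


def reconcile(backends, checks, previous_ruleset, reload=pfctl_reload):
    """One daemon pass: probe, render, reload only when the pool changed.
    Returns the ruleset text for the caller to keep for the next pass."""
    pool = healthy_backends(backends, checks)
    ruleset = build_ruleset(PF_CONF_TEMPLATE, render_rdr(VIP, PORT, pool))
    if ruleset != previous_ruleset and reload is not None:
        reload(ruleset)
    return ruleset


if __name__ == "__main__":
    print(reconcile(BACKENDS, [tcp_check, http_check], "", reload=None), end="")
```

Reloading only on change matters: every `pfctl -f` replaces the ruleset, and a daemon that reloads on each pass turns a flapping backend into constant rule churn. Requiring both the TCP and the HTTP check to pass also means a backend whose web server answers but whose database is down drops out of the pool, which is the point of the health page Dam describes.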
By Anonymous Coward () on
I just think "inefficiency" doesn't matter if it is some script called once every few minutes, if at all.