Contributed by jose on from the super-stable-networking dept.
(Comments are closed)
OpenBSD Journal
By Anonymous Coward () on
By Christian () on http://www.cschwede.de
Comments
By Anonymous Coward () on
Comments
By ViPER () viper@dmrt.net on http://www.dmrt.net
(Just guessing that we are not dealing with your box at home running a *LOT* of sessions)
Comments
By Anonymous Coward () on
Comments
By Anonymous Coward () on
* The proprietary alternative is quite expensive in the long term (you have to pay for a maintenance and support contract for nothing more than a simple license key without any services),
* In case of failure with OpenBSD/pf, we can move easily to a working status without shutting down business. With the proprietary alternative, sometimes you don't know why the system goes down, and if you find where the issue is, you can't make the update by yourself because you don't have access to the inner operation of the system,
* Accounting is easier and more flexible than with the proprietary alternative. A simple label on a rule and we have excellent per-rule accounting. Try that on a proprietary one: reset a counter on a specific rule, ...
* ...
Comments
By Anonymous Coward () on
By OBSD User () on
It is amazing how these "heads" made CARP, but I have a question.
If I have a connection to a web server (a PHP page, i.e.), and I am waiting for a SQL reply from PHP.
And then... the webserver crashes. What happens with the connection to the webserver-php-sql?
Thanks in advance.
And sorry for my English ;)
Comments
By Anthony () on
Comments
By OBSD User () on
Anyways, thanks!
By Michael van der Westhuizen () on
By Petr R. () pruzicka@openbsd.cz on mailto:pruzicka@openbsd.cz
Comments
By Anonymous Coward () on
If I'm wrong, awesome - but it's my understanding that such a thing would really need to be tied more closely to the app (or VPN/ipsec code in this case).
Comments
By Petr R. () on
However, I do not have a need for 'stateful' failover. What I need is a tunnel that will be renegotiated after firewall failure. But I could not run isakmpd on both HA firewalls, right? Or I could, but only one should be active; the second should be launched in case of failure.
By Strog () on
[Phase 1]
xx.xx.xx.xx= vpnserver
xx.xx.xx.yy= vpnserver2
Define each with the same settings except for the IP in the peer section. You basically make 2 entries for each network (one for vpnserver and another for vpnserver2). There's a little more to it but that's the gist of it.
Just imagine how robust your connection would be if each concentrator was sitting behind a couple CARP enabled OpenBSD firewalls. Of course robust has a different meaning when someone cuts a fiber line but that's another topic.
P.S.
(I have to give credit to elmore for hosting the vpn servers and getting the framework all set up. thanks man)
Comments
By Petr R. () pruzicka@openbsd.cz on mailto:pruzicka@openbsd.cz
Thanks.
By Mike () on
But I can't set up OpenBSD. Can somebody please give a link or advice to set this up?
Thanks a lot and sorry for OT
Comments
By Petr R. () pruzicka@openbsd.cz on mailto:pruzicka@openbsd.cz
Comments
By Anonymous Coward () on
Hope your hospital stay isn't too serious and that you get better.
Comments
By Petr R. () on
I do have a plan to replace one side with a CARP cluster (there are two conn. to ISPs, so it should be firewall and ISP HA :-), so the setup will be interesting.
By Anthony () on
The question is, can this result in a connection being left in an inconsistent state?
I'm thinking it only allows pfsync updates to be postponed until the ACK packet comes back from the internal host, as the external host is obligated to be able to retransmit packets that haven't been ACKed... am I out to lunch here?
By Anonymous Coward () on
http://www.openbsd.org/lyrics.html#35
Licenser: How much did you pay for that?
The customer says:
Customer: Sixty quid, and twenty grand for the PIX.
If I refer to the money slang dictionary, one quid is one pound. I doubt that the cost of the Cisco software is 60 pounds...
How much does the same setup cost in the Cisco world?
Comments
By Petr R. () pruzicka@openbsd.cz on mailto:pruzicka@openbsd.cz
You have active/passive failover (one PIX is waiting all the time doing nothing).
I'm not so sure about price, I will find it tomorrow, but I think that one PIX 515 is about 5k USD ?!?
By Sam () on
By Petr R. () pruzicka@openbsd.cz on mailto:pruzicka@openbsd.cz
By Eduardo Alvarenga () eduardo at thrx dot org on mailto:eduardo at thrx dot org
Comments
By engineer () on
As you can see, the PF project has done this - pfsync.
PS: sorry, bad English
--
engineer
By Rafael Coninck Teigao () on
http://www.cs.umd.edu/~keleher/dsm.html
With DSM you can share memory between nodes and try to tie it up with some application mods to do application level failover.
By Anonymous Coward () on
This stuff is great!