Trying to run relayd in redirect mode on a router, sending the TLS connection to two web servers in a round-robin configuration. TLS connection attempts just get a TCP Reset packet back.
172.16.0.1/24
192.168.0.1/24
192.168.0.50/24
192.168.0.51/24
net.inet.ip.forwarding=1
Steps I am taking:
I verified that relayd is not already running: ps aux | grep relayd
root 90198 0.0 0.0 140 372 p0 R+/8 4:37PM 0:00.00 grep relayd
Then I start relayd manually with relayd -dvv
router0# relayd -dvv
startup
pfe: filter init done
socket_rlimit: max open files 2048
socket_rlimit: max open files 2048
socket_rlimit: max open files 2048
socket_rlimit: max open files 2048
parent_tls_ticket_rekey: rekeying tickets
init_tables: created 1 tables
I verify that I can connect to the web server from the router with openssl s_client -connect 192.168.0.50:443 - it responds with the certificate.
From a machine on the downstream side of the router I connect with openssl s_client -connect 172.16.0.1:443. On the router I see the reset reply (nothing in the logs for relayd or on the console).
tcpdump: listening on em3, link-type EN10MB
172.16.0.130.46312 > 172.16.0.1.443: S [tcp sum ok] 98822116:98822116(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 6,nop,nop,timestamp 3533333263 0> (DF) (ttl 64, id 43891, len 64) 172.16.0.1.443 > 172.16.0.130.46312: R [tcp sum ok] 0:0(0) ack 98822117 win 0 (ttl 64, id 29245, len 40)
I have simplified the relayd config as much as possible:
relayd_addr="172.16.0.1"
relayd_port="443"
relayd_int="em3"
table <web_servers> { 192.168.0.50, 192.168.0.51 }
servers_port="443"
interval 10
timeout 200
prefork 5
log all
redirect web_name {
listen on $relayd_addr port $relayd_port interface $relayd_int
forward to <web_servers> port $servers_port mode roundrobin check icmp
}
I have simplified the pf.conf on the router to try to make sure it isn't something in my pf.conf that is causing the problem:
wan_if = "em3"
lan_if = "em0"
wan_ip = "172.16.0.1"
web0_ip = "192.168.0.50"
web1_ip = "192.168.0.51"
table <ssh_access> persist file "/etc/ssh_access"
set skip on lo0
match in all scrub (no-df random-id max-mss 1440)
pass log
anchor "relayd/*"
pass in on $wan_if inet proto tcp from <ssh_access> to $wan_ip port 22 modulate state (no-sync)
pass in on $wan_if proto tcp from <ssh_access> to $wan_ip port 60008 rdr-to $web0_ip port 22 keep state
pass out on $lan_if proto tcp from <ssh_access> to $web0_ip port 22 keep state
block return in on ! lo0 proto tcp to port 6000:6010
block return out log proto {tcp udp} user _pbuild
dmesg:
OpenBSD 6.3 (GENERIC.MP) #10: Wed Aug 22 16:42:31 CEST 2018
[email protected]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 17079107584 (16287MB)
avail mem = 16554414080 (15787MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 3.0 @ 0x8ce6a000 (85 entries)
bios0: vendor American Megatrends Inc. version "1.10" date 12/28/2017
bios0: Micro-Star International Co., Ltd. MS-7B54
acpi0 at bios0: rev 2
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP APIC FPDT FIDT MCFG SSDT SSDT HPET SSDT SSDT UEFI SSDT LPIT SSDT SSDT SSDT SSDT DBGP DBG2 WSMT
acpi0: wakeup devices PXSX(S4) RP09(S4) PXSX(S4) RP10(S4) PXSX(S4) RP11(S4) PXSX(S4) RP12(S4) PXSX(S4) RP13(S4) PXSX(S4) RP01(S4) PXSX(S4) RP02(S4) PXSX(S4) RP03(S4) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM) i7-8700 CPU @ 3.20GHz, 3201.24 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,$
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
cpu0: apic clock running at 23MHz
cpu0: mwait min=64, max=64, C-substates=0.2.1.2.4.1.1.1, IBE
cpu1 at mainbus0: apid 2 (application processor)
cpu1: Intel(R) Core(TM) i7-8700 CPU @ 3.20GHz, 3200.00 MHz
cpu1: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,SDBG,FMA3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,MOVBE,$
cpu1: 256KB 64b/line 8-way L2 cache
cpu1: smt 0, core 1, package 0
acpivideo0 at acpi0: GFX0
acpivout0 at acpivideo0: DD1F
cpu0: Enhanced SpeedStep 3201 MHz: speeds: 3201, 3200, 3000, 2900, 2700, 2500, 2300, 2200, 2000, 1800, 1700, 1500, 1300, 1100, 1000, 800 MHz
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel Core 8G Host" rev 0x07
vga1 at pci0 dev 2 function 0 "Intel UHD Graphics 630" rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
"Intel Core GMM" rev 0x00 at pci0 dev 8 function 0 not configured
xhci0 at pci0 dev 20 function 0 "Intel 200 Series xHCI" rev 0x00: msi
usb0 at xhci0: USB revision 3.0
uhub0 at usb0 configuration 1 interface 0 "Intel xHCI root hub" rev 3.00/1.00 addr 1
"Intel 200 Series Thermal" rev 0x00 at pci0 dev 20 function 2 not configured
"Intel 200 Series MEI" rev 0x00 at pci0 dev 22 function 0 not configured
ahci0 at pci0 dev 23 function 0 "Intel 200 Series AHCI" rev 0x00: msi, AHCI 1.3.1
ahci0: PHY offline on port 0
ahci0: PHY offline on port 1
ahci0: PHY offline on port 2
ahci0: PHY offline on port 3
ahci0: PHY offline on port 4
ahci0: PHY offline on port 5
scsibus1 at ahci0: 32 targets
ppb0 at pci0 dev 27 function 0 "Intel 200 Series PCIE" rev 0xf0
pci1 at ppb0 bus 1
ppb1 at pci0 dev 27 function 4 "Intel 200 Series PCIE" rev 0xf0: msi
pci2 at ppb1 bus 2
nvme0 at pci2 dev 0 function 0 "Samsung SM961/PM961 NVMe" rev 0x00: msi, NVMe 1.2
nvme0: Samsung SSD 960 EVO 250GB, firmware 3B7QCXE7, serial S3ESNX0JB78420A
scsibus2 at nvme0: 1 targets
sd0 at scsibus2 targ 0 lun 0: <NVMe, Samsung SSD 960, 3B7Q> SCSI4 0/direct fixed
sd0: 238475MB, 512 bytes/sector, 488397168 sectors
pcib0 at pci0 dev 31 function 0 "Intel Z370 LPC" rev 0x00
"Intel 200 Series PMC" rev 0x00 at pci0 dev 31 function 2 not configured
azalia0 at pci0 dev 31 function 3 "Intel 200 Series HD Audio" rev 0x00: msi
azalia0: codecs: Realtek/0x0892, Intel/0x280b, using Realtek/0x0892
audio0 at azalia0
ichiic0 at pci0 dev 31 function 4 "Intel 200 Series SMBus" rev 0x00: apic 2 int 16
iic0 at ichiic0
iic0: addr 0x19 00=00 01=00 02=00 03=00 04=00 05=c1 06=1c 07=22 08=00 words 00=00ef 01=0000 02=0000 03=0000 04=0000 05=c17c 06=1c85 07=2221
iic0: addr 0x1b 00=00 01=00 02=00 03=00 04=00 05=c1 06=1c 07=22 08=00 words 00=00ef 01=0000 02=0000 03=0000 04=0000 05=c180 06=1c85 07=2221
isa0 at pcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5 irq 1 irq 12
pckbd0 at pckbc0 (kbd slot)
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
vmm0 at mainbus0: VMX/EPT (using slow L1TF mitigation)
uhidev0 at uhub0 port 7 configuration 1 interface 0 "Microsoft Microsoft\M-. Digital Media oard 3000" rev 2.00/2.00 addr 2
uhidev0: iclass 3/1
ukbd0 at uhidev0: 8 variable keys, 6 key codes
wskbd1 at ukbd0 mux 1
wskbd1: connecting to wsdisplay0
uhidev1 at uhub0 port 7 configuration 1 interface 1 "Microsoft Microsoft\M-. Digital Media oard 3000" rev 2.00/2.00 addr 2
uhidev1: iclass 3/0, 3 report ids
uhid0 at uhidev1 reportid 1: input=7, output=0, feature=0
uhid1 at uhidev1 reportid 3: input=1, output=0, feature=0
vscsi0 at root
scsibus4 at vscsi0: 256 targets
scsibus5 at softraid0: 256 targets
root on sd2a (103d2d8a37ad6452.a) swap on sd2b dump on sd2b
I am out of ideas as to why this isn't working and don't know where to go from here. I have RTFM'd the relayd.conf man page... I really don't want to bother them on misc yet.
Tags: openbsd
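A small triage helper, added here as an example and not part of the post above or of relayd/OpenBSD: it parses OpenBSD tcpdump(8) text output in the format quoted in the post and classifies every SYN it sees as "accepted" (a SYN-ACK came back), "refused" (the listener answered with RST, which is what the post shows for 172.16.0.1:443) or "unanswered" (nothing came back, i.e. dropped or filtered). Telling those three cases apart is the first step in a problem like this one, because an RST means the packet reached a TCP stack (or a block return rule) that actively rejected it, while silence points at a filter or routing problem. The sample capture is constructed: it reuses the two packets quoted in the post (fused on one line, exactly as pasted there) and adds an invented healthy handshake from the router to web0 plus an invented SYN to web1 that never gets an answer. The flag syntax assumed is OpenBSD's (flag letters S/F/P/R, with the ACK printed separately as "ack N"), not the "[S.]" style of newer tcpdump releases.

```python
import re
from collections import OrderedDict

# One TCP packet in OpenBSD tcpdump(8) text output. Examples (from the post):
#   172.16.0.130.46312 > 172.16.0.1.443: S [tcp sum ok] 98822116:98822116(0) win 16384 ...
#   172.16.0.1.443 > 172.16.0.130.46312: R [tcp sum ok] 0:0(0) ack 98822117 win 0 ...
# OpenBSD prints flag letters S/F/P/R/W/E (or "." for none) and the ACK as a
# separate "ack N" field, so a SYN-ACK looks like "S ... ack N", not "[S.]".
PKT = re.compile(
    r'(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > '
    r'(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): '
    r'(?P<flags>[SFPRWE.]+) (?:\[tcp sum ok\] )?'
    r'(?:\d+:\d+\(\d+\) )?(?:(?P<ack>ack) \d+)?'
)


def parse_packets(text):
    """Yield (src, sport, dst, dport, flags, has_ack) for every TCP packet.

    finditer() is used on purpose: copy/paste often fuses several packets
    onto one line, as happened in the post.
    """
    for m in PKT.finditer(text):
        yield (m['src'], int(m['sport']), m['dst'], int(m['dport']),
               m['flags'], m['ack'] is not None)


def classify_flows(text):
    """Map each client->server 4-tuple that sent a SYN to the listener's reaction:
    'accepted' (SYN-ACK seen), 'refused' (RST seen) or 'unanswered'."""
    flows = OrderedDict()
    for src, sport, dst, dport, flags, has_ack in parse_packets(text):
        if 'S' in flags and not has_ack:           # bare SYN: a new attempt
            flows.setdefault((src, sport, dst, dport), 'unanswered')
            continue
        key = (dst, dport, src, sport)             # a reply: flip the tuple
        if key not in flows:
            continue                               # not a reply to a SYN we saw
        if 'R' in flags:
            flows[key] = 'refused'
        elif 'S' in flags and has_ack and flows[key] == 'unanswered':
            flows[key] = 'accepted'
    return flows


def refused_listeners(text):
    """Distinct (server, port) pairs that answered a SYN with RST."""
    seen = []
    for (_, _, server, port), state in classify_flows(text).items():
        if state == 'refused' and (server, port) not in seen:
            seen.append((server, port))
    return seen


# Constructed sample: the two packets quoted in the post (fused on one line, as
# pasted there), an invented healthy handshake router -> web0, and an invented
# SYN router -> web1 that never gets an answer.
SAMPLE = """\
172.16.0.130.46312 > 172.16.0.1.443: S [tcp sum ok] 98822116:98822116(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 6,nop,nop,timestamp 3533333263 0> (DF) (ttl 64, id 43891, len 64) 172.16.0.1.443 > 172.16.0.130.46312: R [tcp sum ok] 0:0(0) ack 98822117 win 0 (ttl 64, id 29245, len 40)
192.168.0.1.40001 > 192.168.0.50.443: S [tcp sum ok] 1000:1000(0) win 16384 <mss 1460> (DF) (ttl 64, id 1, len 60)
192.168.0.50.443 > 192.168.0.1.40001: S [tcp sum ok] 5000:5000(0) ack 1001 win 65535 <mss 1460> (DF) (ttl 64, id 2, len 60)
192.168.0.1.40001 > 192.168.0.50.443: . [tcp sum ok] ack 5001 win 256 (DF) (ttl 64, id 3, len 52)
192.168.0.1.40002 > 192.168.0.51.443: S [tcp sum ok] 2000:2000(0) win 16384 <mss 1460> (DF) (ttl 64, id 4, len 60)
"""

if __name__ == '__main__':
    for (client, cport, server, port), state in classify_flows(SAMPLE).items():
        print(f'{client}:{cport} -> {server}:{port}  {state}')
    print('listeners answering with RST:', refused_listeners(SAMPLE))
```

Feed it a real capture with something like tcpdump -n -i em3 -l tcp port 443 piped into the script, then check each "refused" listener against what the pf anchor is actually doing for that address and port (pfctl -a 'relayd/*' -sr) before assuming relayd itself saw the connection; the post's own relayd -dvv output shows no activity, which is consistent with the RST being generated before any redirect took place.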