Re: [AMaViS-user] p0f-analyzer load balancing problem



Old 11-30-2007
Mark Martinec
 

Bartek,

> Now I have
> set up test domain, and checked it as you wanted it to be: no
> os_fingerprint in triggered policy bank and a '*' in global config:
>
> Nov 30 12:48:28 scanner00 amavis[55170]: (55170-01) Original mail size:
> 1405; quota set to: 702500 bytes
> Nov 30 12:48:28 scanner00 amavis[55170]: (55170-01) dynamic
> destination: p0f:*:1234 -> p0f:[10.10.3.244]:1234
> Nov 30 12:48:28 scanner00 amavis[55170]: (55170-01) Fingerprint query:
> 10.10.3.244 port=1234 195.46.43.224 KgZcfI2cjZsj
> Nov 30 12:48:28 scanner00 amavis[55170]: (55170-01)
> Checking: KgZcfI2cjZsj MX00 [195.46.43.224] <r@robakdesign.com> ->
> <aa@tester.e.pl>


So what was the IP address reported in a "CONNECT TCP Peer" log entry?
Was it 10.10.3.244 or 10.10.3.49?

> As you may see, in this case amavisd is trying to ask itself for p0f
> service, which is incorrect, as the connection came from 10.10.3.49.


If the "CONNECT TCP Peer" log entry reported 10.10.3.244 but the
connection came in from 10.10.3.49, I'd like to see a tcpdump
of a connection, taken on this host where amavisd runs
(e.g.: tcpdump -i <interface> -s 0 -w 0.log 'tcp port 10024'
or similar).

> I'm not sure if it is haproxy or Net::Server issue, and I have no idea
> how to test that, but what is more annoying, that I could walkover this
> bug (if it is a bug) with static ip settings for os_fingerprint_method
> in policy banks - but in that case nothing happens (as shown in logs
> from my previous post). Why is that?


The log showed that the following query was sent:
  Fingerprint query: 10.10.3.49 port=1234 150.254.88.204 o6mMHn6FYEJV
i.e., a UDP packet was sent to 10.10.3.49, port 1234.

Why a reply did not come back is to be sought in the p0f-analyzer.pl
running on 10.10.3.49. Either it was not running, or it refused
to listen to foreign queries: you need to adjust its $bind_addr
and @inet_acl to let it listen on an ethernet interface (not on a
loopback interface):

  my($bind_addr) = '127.0.0.1'; # bind just to a loopback interface
  my(@inet_acl) = qw( 127.0.0.1 ); # list of IP addresses from which queries

needs to be changed to something like:

  my($bind_addr) = '0.0.0.0'; # bind to all IPv4 interfaces
  my(@inet_acl) = qw(10.10.3.244 10.10.3.245 10.10.3.246 10.10.3.247);

Mark
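
Added example, not part of the post above and not code from amavisd or p0f-analyzer.pl: a small Python probe for checking from a scanner host whether a UDP fingerprint service answers, plus a loopback stand-in responder showing that a sender missing from the ACL sees only a timeout, the same "nothing happens" symptom. The payload layout ("client-IP nonce") is an assumption read off the "Fingerprint query" log line, and the stand-in's reply text is constructed.

```python
import socket
import threading

def serve_once(bind_addr, inet_acl, ready, port_box):
    """Hypothetical stand-in responder: answer one query only if the sender is in inet_acl."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as srv:
        srv.bind((bind_addr, 0))              # port 0: let the OS pick a free port
        srv.settimeout(2.0)
        port_box.append(srv.getsockname()[1])
        ready.set()
        try:
            data, peer = srv.recvfrom(512)
        except socket.timeout:
            return
        if peer[0] not in inet_acl:
            return                            # silent drop: the sender just times out
        srv.sendto(data + b" (constructed reply)", peer)

def probe(host, port, client_ip, nonce, timeout=1.0):
    """Send one query datagram; return the reply text, or None if nothing came back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        # Assumed payload layout, taken from the log line: "<client-ip> <nonce>"
        s.sendto(f"{client_ip} {nonce}".encode(), (host, port))
        try:
            reply, _ = s.recvfrom(512)
        except (socket.timeout, ConnectionRefusedError):
            return None
        return reply.decode()

def run_case(inet_acl):
    """Start the stand-in on loopback with the given ACL and probe it once."""
    ready, port_box = threading.Event(), []
    t = threading.Thread(target=serve_once,
                         args=("127.0.0.1", inet_acl, ready, port_box))
    t.start()
    ready.wait(2.0)
    result = probe("127.0.0.1", port_box[0], "150.254.88.204", "o6mMHn6FYEJV")
    t.join()
    return result

if __name__ == "__main__":
    print("sender in ACL:    ", run_case(["127.0.0.1"]))
    print("sender not in ACL:", run_case(["10.10.3.244", "10.10.3.245"]))
```

Run from a scanner host, probe("10.10.3.49", 1234, "150.254.88.204", "o6mMHn6FYEJV") returning None means the query was not answered, which is consistent with either a loopback-only bind or an ACL that omits the scanner's address.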

