Just realized that my reply address is not working :-(
Sorry for double posting.
---------- Forwarded Message ----------
Subject: carp + ipfw problem
Date: Tuesday 08 November 2005 02:10
From: Sarxan Elxanzade <sarxan@elxanzade.com>
To: stable@freebsd.org, Max Laier <mlaier@freebsd.org>
Cc: Rauf Kuliyev <rauf@kuliyev.com>
Hello all,
I'm trying to configure a firewall with carp + ipfw, but I encountered a
strange problem.
Packets are bypassing the carp interface; instead, the ipfw log shows packet flow
to/from the physical interface, e.g.:
FreeBSD host 5.4-RELEASE-p7 FreeBSD 5.4-RELEASE-p7 #6: Tue Sep 27 16:32:30 AZST 2005
root@host:/usr/obj/usr/src/sys/FIREWALL i386
# ifconfig fxp1
fxp1: flags=9943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,LINK0,MULTICAST> mtu 1500
options=8<VLAN_MTU>
inet 192.168.28.1 netmask 0xffffff00 broadcast 192.168.28.255
media: Ethernet 100baseTX <full-duplex>
status: active
# ifconfig carp1
carp1: flags=41<UP,RUNNING> mtu 1500
inet 192.168.28.2 netmask 0xffffff00
carp: MASTER vhid 4 advbase 1 advskew 0
# ipfw show
00001 0 0 check-state
00002 0 0 allow ip from any to any via lo0
00010 0 0 allow log icmp from any to any
00020 4 344 allow log tcp from any to any
00030 0 0 allow log udp from any to any
65534 0 0 allow ip from any to any
65535 0 0 deny ip from any to any
When I ping the IP address assigned to the carp1 interface from a host within the
same network
# ping 192.168.28.2
PING 192.168.28.2 (192.168.28.2): 56 data bytes
64 bytes from 192.168.28.2: icmp_seq=0 ttl=64 time=0.511 ms
I received the following in secure.log:
Nov 8 01:54:46 border kernel: ipfw: 10 Accept ICMP:8.0 192.168.28.3 192.168.28.2 in via fxp1
Nov 8 01:54:46 border kernel: ipfw: 10 Accept ICMP:8.0 192.168.28.3 192.168.28.2 in via fxp1
Nov 8 01:54:46 border kernel: ipfw: 10 Accept ICMP:0.0 192.168.28.2 192.168.28.3 out via fxp1
Nov 8 01:54:46 border kernel: ipfw: 10 Accept ICMP:0.0 192.168.28.2 192.168.28.3 out via fxp1
The same happens with the TCP protocol.
The kernel config is attached.
Have I missed something?
--
Best regards,
Elkhanzade Sarkhan
-------------------------------------------------------
--
Elkhanzade Sarkhan
Azerin ISP, U.Hajibeyov 36, Baku
Systems Administrator
Phone work : +994124982533
e-mail : sarxan@elxanzade.com
-------------- next part --------------
machine i386
cpu I586_CPU
ident FIREWALL
options SCHED_4BSD # 4BSD scheduler
options INET # InterNETworking
options FFS # Berkeley Fast Filesystem
options SOFTUPDATES # Enable FFS soft updates support
options UFS_ACL # Support for access control lists
options UFS_DIRHASH # Improve performance on big directories
options PSEUDOFS # Pseudo-filesystem framework
options COMPAT_43 # Compatible with BSD 4.3 [KEEP THIS!]
options COMPAT_FREEBSD4 # Compatible with FreeBSD4
options _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
options KBD_INSTALL_CDEV # install a CDEV entry in /dev
options ADAPTIVE_GIANT # Giant mutex is adaptive.
# AMD K6
options CPU_WT_ALLOC
options NO_MEMORY_HOLE
device apic # I/O APIC
device isa
device eisa
device pci
# ATA and ATAPI devices
device ata
device atadisk # ATA disk drives
device atapicd # ATAPI CDROM drives
device atapist # ATAPI tape drives
options ATA_STATIC_ID # Static device numbering
# atkbdc0 controls both the keyboard and the PS/2 mouse
device atkbdc # AT keyboard controller
device atkbd # AT keyboard
device psm # PS/2 mouse
device vga # VGA video card driver
device sc
# Floating point support - do not disable.
device npx
# PCI Ethernet NICs that use the common MII bus controller code.
# NOTE: Be sure to keep the 'device miibus' line in order to use these NICs!
device miibus # MII bus support
device fxp # Intel EtherExpress PRO/100B (82557, 82558)
# Pseudo devices.
device loop # Network loopback
device mem # Memory and kernel memory devices
device io # I/O device
device random # Entropy device
device ether # Ethernet support
device pty # Pseudo-ttys (telnet etc)
#device carp
#device pf
#device pflog
#device pfsync
device bpf # Berkeley packet filter
options IPFIREWALL
options IPFIREWALL_FORWARD
device carp
It is too late now; maybe I need to get some sleep. Sorry again...
---------- Forwarded Message ----------
Subject: carp + ipfw problem
Date: Tuesday 08 November 2005 02:10
From: Sarxan Elxanzade <sarxan@elxanzade.com>
To: stable@freebsd.org, Max Laier <mlaier@freebsd.org>
Cc: Rauf Kuliyev <rauf@kuliyev.com>
Hello all,
I'm trying to configure a firewall with carp + ipfw, but I encountered a
strange problem.
Packets are bypassing the carp interface; instead, the ipfw log shows packet flow
to/from the physical interface, e.g.:
FreeBSD host 5.4-RELEASE-p7 FreeBSD 5.4-RELEASE-p7 #6: Tue Sep 27 16:32:30 AZST 2005
root@host:/usr/obj/usr/src/sys/FIREWALL i386
# ifconfig fxp1
fxp1: flags=9943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,LINK0,MULTICAST> mtu 1500
options=8<VLAN_MTU>
inet 192.168.28.1 netmask 0xffffff00 broadcast 192.168.28.255
media: Ethernet 100baseTX <full-duplex>
status: active
# ifconfig carp1
carp1: flags=41<UP,RUNNING> mtu 1500
inet 192.168.28.2 netmask 0xffffff00
carp: MASTER vhid 4 advbase 1 advskew 0
# ipfw show
00001 0 0 check-state
00002 0 0 allow ip from any to any via lo0
00010 0 0 allow log icmp from any to any
00020 4 344 allow log tcp from any to any
00030 0 0 allow log udp from any to any
65534 0 0 allow ip from any to any
65535 0 0 deny ip from any to any
When I ping the IP address assigned to the carp1 interface from a host within the
same network
# ping 192.168.28.2
PING 192.168.28.2 (192.168.28.2): 56 data bytes
64 bytes from 192.168.28.2: icmp_seq=0 ttl=64 time=0.511 ms
I received the following in secure.log:
Nov 8 01:54:46 border kernel: ipfw: 10 Accept ICMP:8.0 192.168.28.3 192.168.28.2 in via fxp1
Nov 8 01:54:46 border kernel: ipfw: 10 Accept ICMP:8.0 192.168.28.3 192.168.28.2 in via fxp1
Nov 8 01:54:46 border kernel: ipfw: 10 Accept ICMP:0.0 192.168.28.2 192.168.28.3 out via fxp1
Nov 8 01:54:46 border kernel: ipfw: 10 Accept ICMP:0.0 192.168.28.2 192.168.28.3 out via fxp1
The same happens with the TCP protocol.
The kernel config is attached.
Have I missed something?
--
Best regards,
Elkhanzade Sarkhan
-------------------------------------------------------
--
Elkhanzade Sarkhan
Azerin ISP, U.Hajibeyov 36, Baku
Systems Administrator
Phone work : +994124982533
e-mail : sarxan@azerin.com
-------------- next part --------------
machine i386
cpu I586_CPU
ident FIREWALL
options SCHED_4BSD # 4BSD scheduler
options INET # InterNETworking
options FFS # Berkeley Fast Filesystem
options SOFTUPDATES # Enable FFS soft updates support
options UFS_ACL # Support for access control lists
options UFS_DIRHASH # Improve performance on big directories
options PSEUDOFS # Pseudo-filesystem framework
options COMPAT_43 # Compatible with BSD 4.3 [KEEP THIS!]
options COMPAT_FREEBSD4 # Compatible with FreeBSD4
options _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
options KBD_INSTALL_CDEV # install a CDEV entry in /dev
options ADAPTIVE_GIANT # Giant mutex is adaptive.
# AMD K6
options CPU_WT_ALLOC
options NO_MEMORY_HOLE
device apic # I/O APIC
device isa
device eisa
device pci
# ATA and ATAPI devices
device ata
device atadisk # ATA disk drives
device atapicd # ATAPI CDROM drives
device atapist # ATAPI tape drives
options ATA_STATIC_ID # Static device numbering
# atkbdc0 controls both the keyboard and the PS/2 mouse
device atkbdc # AT keyboard controller
device atkbd # AT keyboard
device psm # PS/2 mouse
device vga # VGA video card driver
device sc
# Floating point support - do not disable.
device npx
# PCI Ethernet NICs that use the common MII bus controller code.
# NOTE: Be sure to keep the 'device miibus' line in order to use these NICs!
device miibus # MII bus support
device fxp # Intel EtherExpress PRO/100B (82557, 82558)
# Pseudo devices.
device loop # Network loopback
device mem # Memory and kernel memory devices
device io # I/O device
device random # Entropy device
device ether # Ethernet support
device pty # Pseudo-ttys (telnet etc)
#device carp
#device pf
#device pflog
#device pfsync
device bpf # Berkeley packet filter
options IPFIREWALL
options IPFIREWALL_FORWARD
device carp
> Hello all,
>
> I'm trying to configure a firewall with carp + ipfw, but I encountered the
> strange problem.
>
> Packets are bypassing carp interface, instead ipfw log shows packet flow
> to/from physical interface, e.g.:

http://www.countersiege.com/doc/pfsync-carp/

"it is important to keep in mind that from pf's perspective, all traffic comes from the physical interface, even if it is routed through the carp address. However, the address is of course associated with the carp interface."

The same holds for ipfw, so the log entries showing "via fxp1" for traffic to the carp1 address are expected rather than a misconfiguration.