Just realized that my reply address is not working :-( Sorry for double posting.

---------- Forwarded Message ----------

Subject: carp + ipfw problem
Date: Tuesday 08 November 2005 02:10
From: Sarxan Elxanzade <sarxan@elxanzade.com>
To: stable@freebsd.org, Max Laier <mlaier@freebsd.org>
Cc: Rauf Kuliyev <rauf@kuliyev.com>

Hello all,

I'm trying to configure a firewall with carp + ipfw, but I encountered a strange problem.

Packets are bypassing the carp interface; instead the ipfw log shows packet flow to/from the physical interface, e.g.:

FreeBSD host 5.4-RELEASE-p7 FreeBSD 5.4-RELEASE-p7 #6: Tue Sep 27 16:32:30 AZST 2005  root@host:/usr/obj/usr/src/sys/FIREWALL  i386

# ifconfig fxp1
fxp1: flags=9943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,LINK0,MULTICAST> mtu 1500
        options=8<VLAN_MTU>
        inet 192.168.28.1 netmask 0xffffff00 broadcast 192.168.28.255
        media: Ethernet 100baseTX <full-duplex>
        status: active

# ifconfig carp1
carp1: flags=41<UP,RUNNING> mtu 1500
        inet 192.168.28.2 netmask 0xffffff00
        carp: MASTER vhid 4 advbase 1 advskew 0

# ipfw show
00001 0   0   check-state
00002 0   0   allow ip from any to any via lo0
00010 0   0   allow log icmp from any to any
00020 4   344 allow log tcp from any to any
00030 0   0   allow log udp from any to any
65534 0   0   allow ip from any to any
65535 0   0   deny ip from any to any

When I ping the IP address assigned to the carp1 interface from a host within the same network

# ping 192.168.28.2
PING 192.168.28.2 (192.168.28.2): 56 data bytes
64 bytes from 192.168.28.2: icmp_seq=0 ttl=64 time=0.511 ms

I received the following in secure.log:

Nov 8 01:54:46 border kernel: ipfw: 10 Accept ICMP:8.0 192.168.28.3 192.168.28.2 in via fxp1
Nov 8 01:54:46 border kernel: ipfw: 10 Accept ICMP:8.0 192.168.28.3 192.168.28.2 in via fxp1
Nov 8 01:54:46 border kernel: ipfw: 10 Accept ICMP:0.0 192.168.28.2 192.168.28.3 out via fxp1
Nov 8 01:54:46 border kernel: ipfw: 10 Accept ICMP:0.0 192.168.28.2 192.168.28.3 out via fxp1

The same situation with the tcp protocol.

The kernel config is in the attachment.
Maybe I missed something?

--
Best regards,
Elkhanzade Sarkhan

-------------------------------------------------------

--
Elkhanzade Sarkhan
Azerin ISP, U.Hajibeyov 36, Baku
Systems Administrator
Phone work : +994124982533
e-mail : sarxan@elxanzade.com

-------------- next part --------------

machine         i386
cpu             I586_CPU
ident           FIREWALL

options         SCHED_4BSD              # 4BSD scheduler
options         INET                    # InterNETworking
options         FFS                     # Berkeley Fast Filesystem
options         SOFTUPDATES             # Enable FFS soft updates support
options         UFS_ACL                 # Support for access control lists
options         UFS_DIRHASH             # Improve performance on big directories
options         PSEUDOFS                # Pseudo-filesystem framework
options         COMPAT_43               # Compatible with BSD 4.3 [KEEP THIS!]
options         COMPAT_FREEBSD4         # Compatible with FreeBSD4
options         _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
options         KBD_INSTALL_CDEV        # install a CDEV entry in /dev
options         ADAPTIVE_GIANT          # Giant mutex is adaptive.

# AMD K6
options         CPU_WT_ALLOC
options         NO_MEMORY_HOLE

device          apic                    # I/O APIC

device          isa
device          eisa
device          pci

# ATA and ATAPI devices
device          ata
device          atadisk                 # ATA disk drives
device          atapicd                 # ATAPI CDROM drives
device          atapist                 # ATAPI tape drives
options         ATA_STATIC_ID           # Static device numbering

# atkbdc0 controls both the keyboard and the PS/2 mouse
device          atkbdc                  # AT keyboard controller
device          atkbd                   # AT keyboard
device          psm                     # PS/2 mouse

device          vga                     # VGA video card driver

device          sc

# Floating point support - do not disable.
device          npx

# PCI Ethernet NICs that use the common MII bus controller code.
# NOTE: Be sure to keep the 'device miibus' line in order to use these NICs!
device          miibus                  # MII bus support
device          fxp                     # Intel EtherExpress PRO/100B (82557, 82558)

# Pseudo devices.
device          loop                    # Network loopback
device          mem                     # Memory and kernel memory devices
device          io                      # I/O device
device          random                  # Entropy device
device          ether                   # Ethernet support
device          pty                     # Pseudo-ttys (telnet etc)
#device         carp
#device         pf
#device         pflog
#device         pfsync

device          bpf                     # Berkeley packet filter

options         IPFIREWALL
options         IPFIREWALL_FORWARD
device          carp
It's too late now, maybe I need to get some sleep. Sorry again...
> Hello all,
>
> I'm trying to configure a firewall with carp + ipfw, but I encountered the
> strange problem.
>
> Packets are bypassing carp interface, instead ipfw log shows packet flow
> to/from physical interface, e.g.:

http://www.countersiege.com/doc/pfsync-carp/

"it is important to keep in mind that from pf's perspective, all traffic comes from the physical interface, even if it is routed through the carp address. However, the address is of course associated with the carp interface."
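The practical consequence of the quoted note, for ipfw as much as for pf, is that the log lines in the original post are the ground truth for which interface name a filter rule has to use: traffic for the CARP address 192.168.28.2 is reported "via fxp1", so rules written against the physical interface plus the CARP address match it, while rules written "via carp1" would not. The following is an added example, not code from either message in this thread: it parses the ipfw log lines quoted in the post (plus one constructed TCP line in the same layout), tallies which interface ipfw attributed the CARP-address traffic to, and emits candidate ipfw rules that match on the CARP address and that physical interface. The rule numbering and the `rules_for_carp_address` helper are assumptions of this example; ipfw itself is never invoked.

```python
"""Check which interface ipfw attributes CARP-address traffic to, and build
rules against that interface.

Added example for this thread, not code from the original posts.  The log
lines are the ones quoted in the post plus one constructed TCP line; the rule
strings follow the ipfw syntax visible in the post's `ipfw show` output.
"""
import re
from collections import Counter

# Constructed sample: the four ICMP lines quoted in the post plus one
# constructed TCP line (ipfw appends :port to the addresses for TCP/UDP).
SAMPLE_LOG = """\
Nov 8 01:54:46 border kernel: ipfw: 10 Accept ICMP:8.0 192.168.28.3 192.168.28.2 in via fxp1
Nov 8 01:54:46 border kernel: ipfw: 10 Accept ICMP:8.0 192.168.28.3 192.168.28.2 in via fxp1
Nov 8 01:54:46 border kernel: ipfw: 10 Accept ICMP:0.0 192.168.28.2 192.168.28.3 out via fxp1
Nov 8 01:54:46 border kernel: ipfw: 10 Accept ICMP:0.0 192.168.28.2 192.168.28.3 out via fxp1
Nov 8 01:55:02 border kernel: ipfw: 20 Accept TCP 192.168.28.3:49152 192.168.28.2:22 in via fxp1
"""

# "ipfw: <rule> <action> <PROTO>[:<type>] <src> <dst> in|out via <ifname>"
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\S+) (?P<proto>[A-Z]+)(?::(?P<type>\S+))? "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<direction>in|out) via (?P<ifname>\S+)"
)


def strip_port(endpoint):
    """'192.168.28.2:22' -> '192.168.28.2'; a bare IPv4 address passes through."""
    return endpoint.rsplit(":", 1)[0] if ":" in endpoint else endpoint


def parse_ipfw_log(text):
    """Parse ipfw log lines into dicts; lines that are not ipfw logs are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["rule"] = int(rec["rule"])
        rec["src_addr"] = strip_port(rec["src"])
        rec["dst_addr"] = strip_port(rec["dst"])
        records.append(rec)
    return records


def interfaces_seen_for(records, addr):
    """Count the interface names ipfw reported for traffic to or from addr."""
    return Counter(r["ifname"] for r in records
                   if addr in (r["src_addr"], r["dst_addr"]))


def rules_for_carp_address(vip, phys_if, protos=("icmp", "tcp", "udp"),
                           start=100, step=10):
    """Build ipfw rules (as strings) that match traffic for the CARP address
    on the physical interface, which is the interface ipfw reports in the log.
    Numbering from `start` in steps of `step` is an assumption of this example."""
    rules = []
    n = start
    for proto in protos:
        rules.append(f"add {n} allow log {proto} from any to {vip} in via {phys_if}")
        n += step
        rules.append(f"add {n} allow log {proto} from {vip} to any out via {phys_if}")
        n += step
    return rules


if __name__ == "__main__":
    recs = parse_ipfw_log(SAMPLE_LOG)
    seen = interfaces_seen_for(recs, "192.168.28.2")
    print("interfaces carrying 192.168.28.2 traffic:", dict(seen))
    for rule in rules_for_carp_address("192.168.28.2", "fxp1"):
        print("ipfw", rule)
```

Run it as-is to see that every record for 192.168.28.2 names fxp1 and none names carp1; the emitted rules are printed for review rather than applied, so they can be compared against the running ruleset before any change.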