Date: Sun, 02 Nov 2014 09:15:58 +0100
From: Gerhard Schmidt <schmidt@ze.tum.de>
To: Ian Smith <smithi@nimnet.asn.au>
Cc: freebsd-questions@freebsd.org
Subject: Re: ipfw and carp problems
Message-ID: <5455E83E.2050608@ze.tum.de>
In-Reply-To: <20141101164746.V52402@sola.nimnet.asn.au>
References: <mailman.63.1414497602.35586.freebsd-questions@freebsd.org> <20141029202942.I74058@sola.nimnet.asn.au> <20141101164746.V52402@sola.nimnet.asn.au>
On 01.11.2014 06:56, Ian Smith wrote:
> On Wed, 29 Oct 2014 20:55:16 +1100, Ian Smith wrote:
> > In freebsd-questions Digest, Vol 543, Issue 2, Message: 1
> > On Mon, 27 Oct 2014 15:16:33 +0100 Gerhard Schmidt <schmidt@ze.tum.de> wrote:
> > > Hi,
> > >
> > > I have a small problem with ipfw and carp.
> > >
> > > I have two servers with two carp IPs and a firewall via ipfw.
> > >
> > > The problem is that ipfw via module defaults to deny. So when the carp
> > > interfaces are initialized ipfw has no custom rules. Everything is
> > > denied, even the carp packets. So every time I reboot one of the hosts
> > > it comes up as master and after the firewall rules are initialized one
> > > of the servers is demoted to backup, which one seems to be random.
> > >
> > > My problem is that my setup needs a new server to come up as backup
> > > because it has to replicate the data from the running server before
> > > being able to act as master. There could be data loss if a newly booted
> > > server is named master without prior replicating the data.
> > >
> > > Is there a way to ensure that the firewall rules are up before the carp
> > > interfaces are initialized or to load the ipfw module with default to
> > > accept.
> >
> > The canonical way was to build a custom kernel with ipfw included as per
> > http://www.freebsd.org/doc/handbook/firewalls-ipfw.html including
> > 'options IPFIREWALL_DEFAULT_TO_ACCEPT' .. however you can accomplish
> > this with a GENERIC (or other) kernel by adding to /boot/loader.conf:
> >
> > ipfw_load="YES" # to load the ipfw module early
> >
> > and adding to /etc/sysctl.conf
> >
> > net.inet.ip.fw.enable=0
> > net.inet6.ip6.fw.enable=0 # if using ipv6
> >
> > /etc/rc.d/sysctl is run early (on 9.3, first) before other rc.d
> > scripts including netif and later ipfw, which will then only enable the
> > firewall after having loaded your ruleset.
> >
> > I just tested this over ssh to a 9.3 GENERIC box not running ipfw:
> >
> > root@x200:~/bin # kldload ipfw && sysctl net.inet.ip.fw.enable=0 \
> > && sysctl net.inet6.ip6.fw.enable=0
> > net.inet.ip.fw.enable: 1 -> 0
> > net.inet6.ip6.fw.enable: 1 -> 0
> > root@x200:~/bin # ipfw show
> > 65535 0 0 deny ip from any to any
> >
> > which would have locked me out had it not worked :)
> >
> > Of course you must accept that there is a vulnerable window between
> > starting net interfaces (netif) and starting ipfw, however minuscule.
>
> Excuse replying to my own message, but I've since discovered that you
> could also add 'net.inet.ip.fw.default_to_accept=1' to loader.conf as an
> alternative. I hadn't twigged that this one is a loader tunable, unlike
> the sysctls mentioned above, and so can be set before ipfw.ko is loaded,
> ie before the net.inet.ip[6].fw OIDs even exist.
>
> Please let the list know if either of these methods solve your issue?

Sorry, I was out of town for a few days. I did solve my problem by activating the default_to_accept tunable. Since this server should be running 24/7, the slight exposure on start-up shouldn't be a problem, especially because the services protected are started way after the firewall is initialized.
Regards
Estartu

--
----------------------------------------------------------
Gerhard Schmidt                  | E-Mail: schmidt@ze.tum.de
Technische Universität München   | Jabber: estartu@ze.tum.de
WWW & Online Services            | Tel: +49 89 289-25270
                                 | Fax: +49 89 289-25257
PGP-PublicKey on request
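An audit check for the two boot-configuration methods discussed in this thread (the default_to_accept loader tunable, or loading ipfw.ko early with net.inet.ip.fw.enable=0 in sysctl.conf), written as an added example that is not from the thread or the FreeBSD project; the file paths and the sample loader.conf/sysctl.conf contents are constructed.

```shell
#!/bin/sh
# Added audit check (not from the thread): does a FreeBSD host's boot
# config avoid the ipfw.ko default (deny all) hitting CARP between netif
# and /etc/rc.d/ipfw? Accepts either method discussed above. Paths and
# sample file contents are constructed for this example.

# conf_get FILE KEY: value of KEY in a key=value file, ignoring
# comments, quotes and whitespace; the last assignment wins.
conf_get() {
    [ -f "$1" ] || return 1
    k=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n -e 's/#.*//' -e "s/^[[:space:]]*$k[[:space:]]*=//p" "$1" |
        tail -n 1 | tr -d "\"'[:space:]"
}

# ipfw_boot_check LOADER_CONF SYSCTL_CONF: status 0 if the startup race
# is closed, 1 if CARP would face a deny-all firewall until rules load.
ipfw_boot_check() {
    if [ "$(conf_get "$1" net.inet.ip.fw.default_to_accept)" = 1 ]; then
        echo "ok: default_to_accept=1 tunable, effective before ipfw.ko loads"
        return 0
    fi
    load=$(conf_get "$1" ipfw_load | tr '[:upper:]' '[:lower:]')
    if [ "$load" != yes ]; then
        echo "fail: ipfw.ko not loaded from loader.conf, so sysctl.conf cannot disable it"
        return 1
    fi
    if [ "$(conf_get "$2" net.inet.ip.fw.enable)" != 0 ]; then
        echo "fail: ipfw_load=YES but net.inet.ip.fw.enable is not 0: deny-all from boot"
        return 1
    fi
    [ "$(conf_get "$2" net.inet6.ip6.fw.enable)" = 0 ] ||
        echo "note: IPv6 path still default-deny until the ruleset loads"
    echo "ok: module loaded early, firewall kept disabled until /etc/rc.d/ipfw runs"
    return 0
}

# write_samples: constructed loader.conf/sysctl.conf pairs in a temp dir.
write_samples() {
    d=$(mktemp -d)
    printf 'ipfw_load="YES"  # load early\n' > "$d/loader.early"
    printf 'net.inet.ip.fw.enable=0\nnet.inet6.ip6.fw.enable=0\n' > "$d/sysctl.off"
    printf '# module left to rc.d/ipfw\n' > "$d/loader.late"
    printf 'net.inet.ip.fw.default_to_accept=1\n' > "$d/loader.tunable"
    echo "$d"
}
dir=$(write_samples)
ipfw_boot_check "$dir/loader.early" "$dir/sysctl.off"          # ok
ipfw_boot_check "$dir/loader.late" "$dir/sysctl.off" || true   # fail
ipfw_boot_check "$dir/loader.tunable" "$dir/sysctl.off"        # ok
```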