Date: Wed, 29 Oct 2014 20:55:16 +1100 (EST)
From: Ian Smith <smithi@nimnet.asn.au>
To: Gerhard Schmidt <schmidt@ze.tum.de>
Cc: freebsd-questions@freebsd.org
Subject: Re: ipfw and carp problems
Message-ID: <20141029202942.I74058@sola.nimnet.asn.au>
In-Reply-To: <mailman.63.1414497602.35586.freebsd-questions@freebsd.org>
References: <mailman.63.1414497602.35586.freebsd-questions@freebsd.org>
In freebsd-questions Digest, Vol 543, Issue 2, Message: 1
On Mon, 27 Oct 2014 15:16:33 +0100 Gerhard Schmidt <schmidt@ze.tum.de> wrote:

> Hi,
>
> I have a small problem with ipfw and carp.
>
> I have two servers with two carp IPs and a firewall via ipfw.
>
> The problem is that ipfw via module defaults to deny. So when the carp
> interfaces are initialized ipfw has no custom rules. Everything is
> denied, even the carp packets. So every time I reboot one of the hosts
> it comes up as master and after the firewall rules are initialized one
> of the servers is demoted to backup; which one seems to be random.
>
> My problem is that my setup needs a new server to come up as backup
> because it has to replicate the data from the running server before
> being able to act as master. There could be data loss if a newly booted
> server is named master without first replicating the data.
>
> Is there a way to ensure that the firewall rules are up before the carp
> interfaces are initialized, or to load the ipfw module with default to
> accept?

The canonical way was to build a custom kernel with ipfw included as per
http://www.freebsd.org/doc/handbook/firewalls-ipfw.html including
'options IPFIREWALL_DEFAULT_TO_ACCEPT' .. however you can accomplish this
with a GENERIC (or other) kernel by adding to /boot/loader.conf:

ipfw_load="YES" # to load the ipfw module early

and adding to /etc/sysctl.conf

net.inet.ip.fw.enable=0
net.inet6.ip6.fw.enable=0 # if using ipv6

/etc/rc.d/sysctl is run early (on 9.3, first) before other rc.d scripts
including netif and later ipfw, which will then only enable the firewall
after having loaded your ruleset.
I just tested this over ssh to a 9.3 GENERIC box not running ipfw:

root@x200:~/bin # kldload ipfw && sysctl net.inet.ip.fw.enable=0 \
   && sysctl net.inet6.ip6.fw.enable=0
net.inet.ip.fw.enable: 1 -> 0
net.inet6.ip6.fw.enable: 1 -> 0
root@x200:~/bin # ipfw show
65535 0 0 deny ip from any to any

which would have locked me out had it not worked :)

Of course you must accept that there is a vulnerable window between
starting net interfaces (netif) and starting ipfw, however minuscule.

cheers, Ian
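Added example, not part of Ian's message or of FreeBSD itself: a small POSIX sh check that the two settings above are present in loader.conf and sysctl.conf, and that an rcorder listing runs sysctl before netif and netif before ipfw (the condition Ian's approach relies on). The file contents and rcorder listing below are constructed samples; on a real host you would feed it /boot/loader.conf, /etc/sysctl.conf and the output of `rcorder /etc/rc.d/*`.

```shell
#!/bin/sh
# Added example (not from the thread): verify the early-ipfw setup.
# Inputs are passed as strings so the script runs offline on the
# constructed samples defined at the bottom.

# Return 0 when loader.conf loads the ipfw module at boot and sysctl.conf
# keeps the (default-deny) firewall disabled until the ruleset is loaded.
# IPv4 is required; the IPv6 knob is optional, as in Ian's reply.
check_early_ipfw() {
    loader="$1"; sysctl="$2"
    printf '%s\n' "$loader" | grep -Eq '^[[:space:]]*ipfw_load="?YES"?' || return 1
    printf '%s\n' "$sysctl" | grep -Eq '^[[:space:]]*net\.inet\.ip\.fw\.enable=0' || return 1
    return 0
}

# Return 0 when, in an rcorder listing (one script path per line),
# sysctl appears before netif and netif before ipfw; any missing
# script or wrong order is a failure.
check_rc_order() {
    printf '%s\n' "$1" | awk '
        /\/sysctl$/ { s = NR }
        /\/netif$/  { n = NR }
        /\/ipfw$/   { f = NR }
        END { exit !(s && n && f && s < n && n < f) }'
}

# Constructed sample inputs (not captured from a real host).
GOOD_LOADER='ipfw_load="YES"   # load the ipfw module early'
GOOD_SYSCTL='net.inet.ip.fw.enable=0
net.inet6.ip6.fw.enable=0'
BAD_SYSCTL='kern.ipc.somaxconn=1024'
GOOD_ORDER='/etc/rc.d/sysctl
/etc/rc.d/hostid
/etc/rc.d/netif
/etc/rc.d/ipfw
/etc/rc.d/sshd'
BAD_ORDER='/etc/rc.d/netif
/etc/rc.d/sysctl
/etc/rc.d/ipfw'

# Stand-alone run: report both checks on the good samples.
check_early_ipfw "$GOOD_LOADER" "$GOOD_SYSCTL" && echo "config: ok" || echo "config: MISSING"
check_rc_order "$GOOD_ORDER" && echo "rc order: ok" || echo "rc order: WRONG"
```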