From owner-freebsd-questions@FreeBSD.ORG Wed Oct 29 09:55:22 2014 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 46D6550C for ; Wed, 29 Oct 2014 09:55:22 +0000 (UTC) Received: from sola.nimnet.asn.au (paqi.nimnet.asn.au [115.70.110.159]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 9747EE98 for ; Wed, 29 Oct 2014 09:55:21 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by sola.nimnet.asn.au (8.14.2/8.14.2) with ESMTP id s9T9tGv8033270; Wed, 29 Oct 2014 20:55:17 +1100 (EST) (envelope-from smithi@nimnet.asn.au) Date: Wed, 29 Oct 2014 20:55:16 +1100 (EST) From: Ian Smith To: Gerhard Schmidt Subject: Re: ipfw and carp problems In-Reply-To: Message-ID: <20141029202942.I74058@sola.nimnet.asn.au> References: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Cc: freebsd-questions@freebsd.org X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 29 Oct 2014 09:55:22 -0000 In freebsd-questions Digest, Vol 543, Issue 2, Message: 1 On Mon, 27 Oct 2014 15:16:33 +0100 Gerhard Schmidt wrote: > Hi, > > I have a small problem with ipfw an carp. > > i have two server with two carp ips and a firewall via ipfw. > > the problem is tha ipfw via modul is default to deny. So when the carp > interfaces are initialized ipfw has no custom rules. Everything is > denied, even the carp packets. So every time I reboot one of the hosts > it comes up as master and after the firewall rules are initialized one > of the servers is demoted to backup, which one seams to be random. > > My problem is that my setup need a new server do come up as backup > because is has to replicate the data from the running server before > being able to act as master. There could be data loss if a newly booted > server named master without prior replicating the data. > > Is there a way to ensure that the firewall rules are up before the carp > interfaces are initialized or to load the ipfw module with default to > accept. The canonical way was to build a custom kernel with ipfw included as per http://www.freebsd.org/doc/handbook/firewalls-ipfw.html including 'options IPFIREWALL_DEFAULT_TO_ACCEPT' .. however you can accomplish this with a GENERIC (or other) kernel by adding to /boot/loader.conf: ipfw_load="YES" # to load the ipfw module early and adding to /etc/sysctl.conf net.inet.ip.fw.enable=0 net.inet6.ip6.fw.enable=0 # if using ipv6 /etc/rc.d/sysctl is run early (on 9.3, first) before other rc.d scripts including netif and later ipfw, which will then only enable the firewall after having loaded your ruleset. I just tested this over ssh to a 9.3 GENERIC box not running ipfw: root@x200:~/bin # kldload ipfw && sysctl net.inet.ip.fw.enable=0 \ && sysctl net.inet6.ip6.fw.enable=0 net.inet.ip.fw.enable: 1 -> 0 net.inet6.ip6.fw.enable: 1 -> 0 root@x200:~/bin # ipfw show 65535 0 0 deny ip from any to any which would have locked me out had it not worked :) Of course you must accept that there is a vulnerable window between starting net interfaces (netif) and starting ipfw, however miniscule. cheers, Ian