Date: Mon, 19 May 2008 11:11:18 +0200
From: Max Laier <max@love2party.net>
To: freebsd-pf@freebsd.org
Subject: Re: Filtering CARP interface(s) and 'set skip on lo0'
Message-ID: <200805191111.18113.max@love2party.net>
In-Reply-To: <fee88ee40805182038t71446la85f2c799e14b9dd@mail.gmail.com>
References: <fee88ee40805182038t71446la85f2c799e14b9dd@mail.gmail.com>
On Monday 19 May 2008 05:38:20 Kian Mohageri wrote:
> Hey all,
>
> I'm trying to clean up my PF rulesets, and I noticed today that a CARP
> master connecting to itself (on the CARP IP address) appears to be
> filtered even when 'set skip on lo0' is in effect.
>
> At first I suspected that maybe CARP Master to itself is routed
> differently in FreeBSD (so it wouldn't actually be on lo0), but a
> tcpdump seems to say otherwise. That is:
>
> ifconfig carp0
>
> carp0: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
>         inet 67.201.255.210 netmask 0xffffffe0
>         carp: MASTER vhid 1 advbase 1 advskew 10
>
> sudo tcpdump -c 3 -n -i lo0
>
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on lo0, link-type NULL (BSD loopback), capture size 96 bytes
> 20:36:40.522108 IP 67.201.255.210.65404 > 67.201.255.210.53: 2673+ A? daapiak-mtv.flux.com. (38)
> 20:36:40.522569 IP 67.201.255.210.53 > 67.201.255.210.65404: 2673 4/9/3 CNAME[|domain]
> 20:36:40.724506 IP 67.201.255.210.65404 > 67.201.255.210.53: 20823+ PTR? 240.189.73.209.

Just because the packets show up on lo0 "sometime" doesn't mean that they
won't pass through other interfaces before or after.  CARP is special in
that respect and needs special attention.

> I tried the archives but couldn't find an explanation about why 'set
> skip on lo0' wouldn't apply here, so I'm wondering if any of you could
> point me in the right direction. The simple answer would be for me to
> simply filter a little differently so the MASTER can talk to itself,
> but I figured this could be a learning experience too.
>
> Is this intended FreeBSD-specific behavior, and if so, what is the
> recommended way to deal with it?
The usual advice on how to debug rulesets that block stuff you want to allow:

1) Add "log" to all block rules
2) Listen on pflog0
3) Generate the traffic pattern you want to pass
4) Find this offending rule (and also the interface and direction the traffic
   was blocked on)
5) Insert a rule to allow the traffic in question
6) Repeat until everything works as required

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
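An added example that automates steps 1, 2 and 4 of the procedure in the reply above. It is not code from the thread or from FreeBSD/pf itself. Assumptions: the sample ruleset and the sample pflog line are constructed for this example (the CARP address is the one the poster showed); the "block" rewrite handles the plain block / block drop / block return / block return-rst forms and leaves rules that already log untouched, but does not handle return-icmp(...) options; `watch_pflog` and `show_rule` need root on a live pf host and are not exercised here.

```shell
#!/bin/sh
# Added example (not from the thread, not FreeBSD/pf code).
# Steps 1, 2 and 4 of the pf ruleset debugging procedure, scripted.

# Step 1: add "log" to every block rule that does not already have it.
# pf.conf grammar places "log" after the action and direction and before
# "quick", so the keyword is inserted right after
# "block [drop|return|return-rst] [in|out]". Rules that already contain
# "log" (or "log (...)") are left alone. return-icmp(...) is not handled.
add_log_to_block_rules() {
    sed -E \
        -e '/^[[:space:]]*block([[:space:]]|$)/{' \
        -e '/[[:space:]]log([[:space:]]|\(|$)/!s/^([[:space:]]*block([[:space:]]+(return-rst|return|drop))?([[:space:]]+(in|out))?)([[:space:]]|$)/\1 log\6/' \
        -e '}'
}

# Step 2: watch the logged packets. -e prints the pflog header, which
# carries the rule number, action, direction and the interface the packet
# was actually blocked on (the point Max makes about CARP traffic).
watch_pflog() {
    tcpdump -n -e -ttt -i pflog0 "$@"
}

# Step 4: reduce one "tcpdump -e" pflog line to "rule <n> <action> <dir> <iface>".
summarize_pflog_line() {
    sed -E -n 's/.*rule ([0-9]+)\/[0-9]+\([a-z]+\)[^:]*: (block|pass) (in|out) on ([^:]+):.*/rule \1 \2 \3 \4/p'
}

# Step 4, continued: the rule number in pflog is the @n number printed by
# "pfctl -vvsr", so this prints that rule's text and counters.
show_rule() {
    pfctl -vvsr | awk -v n="$1" '/^@/ { show = ($1 == "@" n) } show'
}

# Constructed sample ruleset (not the poster's real pf.conf).
sample_ruleset() {
    cat <<'EOF'
# constructed sample pf.conf
set skip on lo0
block in all
block return out quick on em0 proto tcp to port 25
block in log on em0 from 10.0.0.0/8
pass in on carp0 proto tcp to 67.201.255.210 port 53
pass out keep state
EOF
}

# Constructed sample line in the format "tcpdump -n -e -ttt -i pflog0" prints.
sample_pflog_line() {
    echo '000000 rule 1/0(match): block in on em0: 67.201.255.210.65404 > 67.201.255.210.53: 2673+ A? daapiak-mtv.flux.com. (38)'
}
```

Typical use: `add_log_to_block_rules < /etc/pf.conf > /tmp/pf.debug.conf`, load it with `pfctl -f /tmp/pf.debug.conf`, run `watch_pflog` while reproducing the traffic, then feed an interesting line to `summarize_pflog_line` and look the number up with `show_rule <n>`. For the sample line above that yields `rule 1 block in em0`, i.e. the packet was dropped on em0 and not on lo0, which is exactly the information the loopback capture in the original post cannot give you.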