From: Sarxan Elxanzade
Organization: AzerIn
To: stable@freebsd.org, Max Laier
Cc: Rauf Kuliyev
Date: Tue, 8 Nov 2005 02:10:51 +0400
Subject: carp + ipfw problem
List: freebsd-stable (Production branch of FreeBSD source code)

Hello all,

I'm trying to configure a firewall with carp + ipfw, but I encountered a strange problem.
Packets are bypassing the carp interface; instead, the ipfw log shows packet flow to/from the physical interface, e.g.:

FreeBSD host 5.4-RELEASE-p7 FreeBSD 5.4-RELEASE-p7 #6: Tue Sep 27 16:32:30 AZST 2005     root@host:/usr/obj/usr/src/sys/FIREWALL  i386

# ifconfig fxp1
fxp1: flags=9943 mtu 1500
        options=8
        inet 192.168.28.1 netmask 0xffffff00 broadcast 192.168.28.255
        media: Ethernet 100baseTX
        status: active

# ifconfig carp1
carp1: flags=41 mtu 1500
        inet 192.168.28.2 netmask 0xffffff00
        carp: MASTER vhid 4 advbase 1 advskew 0

# ipfw show
00001    0     0 check-state
00002    0     0 allow ip from any to any via lo0
00010    0     0 allow log icmp from any to any
00020    4   344 allow log tcp from any to any
00030    0     0 allow log udp from any to any
65534    0     0 allow ip from any to any
65535    0     0 deny ip from any to any

When I ping the IP address assigned to the carp1 interface from a host within the same network:

# ping 192.168.28.2
PING 192.168.28.2 (192.168.28.2): 56 data bytes
64 bytes from 192.168.28.2: icmp_seq=0 ttl=64 time=0.511 ms

I received the following in secure.log:

Nov  8 01:54:46 border kernel: ipfw: 10 Accept ICMP:8.0 192.168.28.3 192.168.28.2 in via fxp1
Nov  8 01:54:46 border kernel: ipfw: 10 Accept ICMP:8.0 192.168.28.3 192.168.28.2 in via fxp1
Nov  8 01:54:46 border kernel: ipfw: 10 Accept ICMP:0.0 192.168.28.2 192.168.28.3 out via fxp1
Nov  8 01:54:46 border kernel: ipfw: 10 Accept ICMP:0.0 192.168.28.2 192.168.28.3 out via fxp1

The same situation with the TCP protocol. The kernel config is in the attachment. Maybe I missed something?
--
Best regards,
Elkhanzade Sarkhan

[Attachment: kernel.conf]

machine         i386
cpu             I586_CPU
ident           FIREWALL

options         SCHED_4BSD              # 4BSD scheduler
options         INET                    # InterNETworking
options         FFS                     # Berkeley Fast Filesystem
options         SOFTUPDATES             # Enable FFS soft updates support
options         UFS_ACL                 # Support for access control lists
options         UFS_DIRHASH             # Improve performance on big directories
options         PSEUDOFS                # Pseudo-filesystem framework
options         COMPAT_43               # Compatible with BSD 4.3 [KEEP THIS!]
options         COMPAT_FREEBSD4         # Compatible with FreeBSD4
options         _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
options         KBD_INSTALL_CDEV        # install a CDEV entry in /dev
options         ADAPTIVE_GIANT          # Giant mutex is adaptive.

# AMD K6
options         CPU_WT_ALLOC
options         NO_MEMORY_HOLE

device          apic                    # I/O APIC

device          isa
device          eisa
device          pci

# ATA and ATAPI devices
device          ata
device          atadisk                 # ATA disk drives
device          atapicd                 # ATAPI CDROM drives
device          atapist                 # ATAPI tape drives
options         ATA_STATIC_ID           # Static device numbering

# atkbdc0 controls both the keyboard and the PS/2 mouse
device          atkbdc                  # AT keyboard controller
device          atkbd                   # AT keyboard
device          psm                     # PS/2 mouse

device          vga                     # VGA video card driver
device          sc

# Floating point support - do not disable.
device          npx

# PCI Ethernet NICs that use the common MII bus controller code.
# NOTE: Be sure to keep the 'device miibus' line in order to use these NICs!
device          miibus                  # MII bus support
device          fxp                     # Intel EtherExpress PRO/100B (82557, 82558)

# Pseudo devices.
device          loop                    # Network loopback
device          mem                     # Memory and kernel memory devices
device          io                      # I/O device
device          random                  # Entropy device
device          ether                   # Ethernet support
device          pty                     # Pseudo-ttys (telnet etc)
#device         carp
#device         pf
#device         pflog
#device         pfsync
device          bpf                     # Berkeley packet filter

options         IPFIREWALL
options         IPFIREWALL_FORWARD
device          carp
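An added example, not part of the post: a small Python checker that parses ipfw log lines of the shape shown in the message and attributes each flow to the CARP VIP and to the physical NIC that carp(4) of that era attaches the VIP to (the NIC holding an address in the VIP's subnet), so that a "via fxp1" entry for 192.168.28.2 is reported as landing on the expected parent rather than as a stray. The interface table is constructed from the post's ifconfig output; the TCP line and the fxp0 line in the sample log are constructed, not from the post.

```python
import ipaddress
import re
# Constructed from the post's ifconfig output (assumes no other addresses on the box).
PHYSICAL = {"fxp1": ipaddress.ip_interface("192.168.28.1/24")}
CARP_VIPS = {"carp1": ipaddress.ip_interface("192.168.28.2/24")}

# ipfw log shape: "ipfw: <rule> <action> <PROTO[:type.code]> <src[:port]> <dst[:port]> <in|out> via <if>"
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>[A-Z]+)(?::\d+\.\d+)? "
    r"(?P<src>[\d.]+)(?::\d+)? (?P<dst>[\d.]+)(?::\d+)? (?P<dir>in|out) via (?P<iface>\w+)"
)

def carp_parent(vip):
    """carp(4) attaches a VIP to the physical NIC that holds an address in the VIP's subnet."""
    for name, addr in PHYSICAL.items():
        if vip.ip in addr.network:
            return name
    return None

def classify(line):
    """Which CARP VIP (if any) the line touches, and whether the logged NIC is its parent."""
    m = LOG_RE.search(line)
    if not m:
        return None  # not an ipfw log line
    r = {"rule": int(m["rule"]), "action": m["action"], "proto": m["proto"], "dir": m["dir"],
         "logged_iface": m["iface"], "carp_if": None, "parent": None, "on_parent": False}
    for carp_if, vip in CARP_VIPS.items():
        if str(vip.ip) in (m["src"], m["dst"]):
            parent = carp_parent(vip)
            r.update(carp_if=carp_if, parent=parent, on_parent=(m["iface"] == parent))
            break
    return r

def audit(lines):
    """Count VIP flows logged on the expected parent NIC vs elsewhere, non-VIP flows, junk."""
    counts = {"on_parent": 0, "off_parent": 0, "no_vip": 0, "unparsed": 0}
    for r in map(classify, lines):
        key = ("unparsed" if r is None else "no_vip" if r["carp_if"] is None
               else "on_parent" if r["on_parent"] else "off_parent")
        counts[key] += 1
    return counts

# Two lines from the post plus two constructed ones (a TCP flow; a VIP flow via the wrong NIC).
SAMPLE_LOG = [
    "Nov  8 01:54:46 border kernel: ipfw: 10 Accept ICMP:8.0 192.168.28.3 192.168.28.2 in via fxp1",
    "Nov  8 01:54:46 border kernel: ipfw: 10 Accept ICMP:0.0 192.168.28.2 192.168.28.3 out via fxp1",
    "Nov  8 01:55:01 border kernel: ipfw: 20 Accept TCP 192.168.28.3:51234 192.168.28.2:22 in via fxp1",
    "Nov  8 01:55:02 border kernel: ipfw: 20 Accept TCP 10.9.9.9:4444 192.168.28.2:22 in via fxp0",
]
```

Running audit(SAMPLE_LOG) reports three VIP flows on the parent NIC and one off it; a VIP flow logged on a NIC outside the VIP's subnet is the case worth investigating, while the post's "via fxp1" lines are consistent with the VIP sitting on fxp1's subnet.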