Date:      Tue, 8 Nov 2005 02:10:51 +0400
From:      Sarxan Elxanzade <sarxan@elxanzade.com>
To:        stable@freebsd.org, Max Laier <mlaier@freebsd.org>
Cc:        Rauf Kuliyev <rauf@kuliyev.com>
Subject:   carp + ipfw problem
Message-ID:  <200511080210.52249.sarxan@elxanzade.com>

--Boundary-00=_sD9bDmqLhexff+b
Content-Type: text/plain;
  charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

Hello all,

I'm trying to configure a firewall with carp + ipfw, but I have encountered a
strange problem.

Packets appear to bypass the carp interface; instead, the ipfw log shows packet
flow to/from the physical interface, e.g.:

FreeBSD host 5.4-RELEASE-p7 FreeBSD 5.4-RELEASE-p7 #6: Tue Sep 27 16:32:30 
AZST 2005
root@host:/usr/obj/usr/src/sys/FIREWALL  i386

# ifconfig fxp1
fxp1: flags=9943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,LINK0,MULTICAST> mtu 
1500
        options=8<VLAN_MTU>
        inet 192.168.28.1 netmask 0xffffff00 broadcast 192.168.28.255
        media: Ethernet 100baseTX <full-duplex>
        status: active

# ifconfig carp1
carp1: flags=41<UP,RUNNING> mtu 1500
        inet 192.168.28.2 netmask 0xffffff00
        carp: MASTER vhid 4 advbase 1 advskew 0

# ipfw show
00001 0   0 check-state
00002 0   0 allow ip from any to any via lo0
00010 0   0 allow log icmp from any to any
00020 4 344 allow log tcp from any to any
00030 0   0 allow log udp from any to any
65534 0   0 allow ip from any to any
65535 0   0 deny ip from any to any

When I ping the IP address assigned to the carp1 interface from a host within
the same network:
# ping 192.168.28.2
PING 192.168.28.2 (192.168.28.2): 56 data bytes
64 bytes from 192.168.28.2: icmp_seq=0 ttl=64 time=0.511 ms

I see the following in secure.log:

Nov  8 01:54:46 border kernel: ipfw: 10 Accept ICMP:8.0 192.168.28.3 
192.168.28.2 in via fxp1
Nov  8 01:54:46 border kernel: ipfw: 10 Accept ICMP:8.0 192.168.28.3 
192.168.28.2 in via fxp1
Nov  8 01:54:46 border kernel: ipfw: 10 Accept ICMP:0.0 192.168.28.2 
192.168.28.3 out via fxp1
Nov  8 01:54:46 border kernel: ipfw: 10 Accept ICMP:0.0 192.168.28.2 
192.168.28.3 out via fxp1

The same happens with the TCP protocol.

The kernel config is attached.

Have I missed something?

-- 
Best regards,
Elkhanzade Sarkhan

--Boundary-00=_sD9bDmqLhexff+b
Content-Type: text/plain;
  charset="us-ascii";
  name="kernel.conf"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
	filename="kernel.conf"

# Kernel configuration "FIREWALL" attached to the message above (FreeBSD 5.4,
# i386). Only comment lines have been added, and comments that the mail client
# wrapped onto a second line have been rejoined; option and device lines are
# unchanged.
machine         i386
cpu             I586_CPU
ident           FIREWALL

options         SCHED_4BSD              # 4BSD scheduler
options         INET                    # InterNETworking
options         FFS                     # Berkeley Fast Filesystem
options         SOFTUPDATES             # Enable FFS soft updates support
options         UFS_ACL                 # Support for access control lists
options         UFS_DIRHASH             # Improve performance on big directories
options         PSEUDOFS                # Pseudo-filesystem framework
options         COMPAT_43               # Compatible with BSD 4.3 [KEEP THIS!]
options         COMPAT_FREEBSD4         # Compatible with FreeBSD4
options         _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
options         KBD_INSTALL_CDEV        # install a CDEV entry in /dev
options         ADAPTIVE_GIANT          # Giant mutex is adaptive.
# AMD K6 CPU-specific tuning options.
options         CPU_WT_ALLOC
options         NO_MEMORY_HOLE

# Interrupt controller and bus support.
device          apic                    # I/O APIC
device          isa
device          eisa
device          pci


# ATA and ATAPI devices
device          ata
device          atadisk         # ATA disk drives
device          atapicd         # ATAPI CDROM drives
device          atapist         # ATAPI tape drives
options         ATA_STATIC_ID   # Static device numbering

# atkbdc0 controls both the keyboard and the PS/2 mouse
device          atkbdc          # AT keyboard controller
device          atkbd           # AT keyboard
device          psm             # PS/2 mouse
device          vga             # VGA video card driver
device          sc              # syscons console driver

# Floating point support - do not disable.
device          npx

# PCI Ethernet NICs that use the common MII bus controller code.
# NOTE: Be sure to keep the 'device miibus' line in order to use these NICs!
# fxp is the driver behind the fxp1 interface shown in the ifconfig output above.
device          miibus          # MII bus support
device          fxp             # Intel EtherExpress PRO/100B (82557, 82558)

# Pseudo devices.
device          loop            # Network loopback
device          mem             # Memory and kernel memory devices
device          io              # I/O device
device          random          # Entropy device
device          ether           # Ethernet support
device          pty             # Pseudo-ttys (telnet etc)
# carp is commented out here but enabled at the bottom of this file;
# pf/pflog/pfsync remain disabled (ipfw is the only packet filter built in).
#device         carp
#device         pf
#device         pflog
#device         pfsync
device          bpf             # Berkeley packet filter


# Firewall: ipfw(4) compiled into the kernel. Without IPFIREWALL_DEFAULT_TO_ACCEPT
# the built-in default rule 65535 denies all traffic, which matches the final
# "deny ip from any to any" line in the ipfw show output above.
# NOTE(review): IPFIREWALL_VERBOSE is not set; the "log" keyword on the rules
# relies on net.inet.ip.fw.verbose being enabled at runtime -- confirm.
options         IPFIREWALL
options         IPFIREWALL_FORWARD      # enables the ipfw "fwd" action
# carp(4): Common Address Redundancy Protocol, provides the carp1 interface.
device          carp
--Boundary-00=_sD9bDmqLhexff+b--


