From owner-freebsd-pf@FreeBSD.ORG Fri Jan 19 11:04:44 2007
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 76BDA16A407 for ; Fri, 19 Jan 2007 11:04:44 +0000 (UTC) (envelope-from marko.lerota@claresco.hr)
Received: from claresco.hr (zid.claresco.hr [85.114.42.226]) by mx1.freebsd.org (Postfix) with ESMTP id ADD3413C45A for ; Fri, 19 Jan 2007 11:04:43 +0000 (UTC) (envelope-from marko.lerota@claresco.hr)
Received: (qmail 56706 invoked by uid 1001); 19 Jan 2007 10:15:13 -0000
To: Tom Uffner
In-Reply-To: <45B04DF1.40800@uffner.com> (Tom Uffner's message of "Thu, 18 Jan 2007 23:49:53 -0500")
References: <45B04DF1.40800@uffner.com>
Organization: *BSD Users - Fanatics Dept.
From: Marko Lerota
Date: Fri, 19 Jan 2007 11:15:13 +0100
Message-ID: <86k5zjwcem.fsf@sparrow.local>
User-Agent: Gnus/5.1008 (Gnus v5.10.8) Emacs/21.3 (berkeley-unix)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: freebsd-pf@freebsd.org
Subject: Re: carp & spamd problems when using if_bridge + nat
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
X-List-Received-Date: Fri, 19 Jan 2007 11:04:44 -0000

Tom Uffner writes:

> box #0
> cloned_interfaces="bridge0 carp0 carp1"
> ifconfig_carp0="vhid 1 advskew 100 pass tengu 207.245.109.13/24"
> ifconfig_carp1="vhid 2 advskew 100 pass zruty 10.10.1.13/16"
>
> box #1
> cloned_interfaces="bridge0 carp0 carp1"
> ifconfig_carp0="vhid 1 advskew 100 pass tengu 207.245.109.13/24"
> ifconfig_carp1="vhid 2 advskew 100 pass zruty 10.10.1.13/16"
>
> This didn't work because I couldn't get the carp0 interface to run.

Maybe this from pfsync(4) would help:

    If it is preferable that one firewall handle the traffic, the advskew
    on the backup firewall's carp(4) interfaces should be set to something
    higher than the primary's.

You have the same advskew. Also try to remove bridge0 from
cloned_interfaces.

> I am now using:
>
> Hosts on the DMZ network (em0) cannot connect to hosts on the inside
> network (bge1) and vice versa, though they can ping each other.
>
> Here is my pf.conf:
>
> # don't filter loopback or virtual interfaces
> set skip on { carp0 carp1 }

Maybe you should have

    set skip on { lo0 bridge0 carp0 carp1 }

or

    pass quick on lo0 all
    pass quick on bridge0 all

before

    block in log on $ext_if all

> # block all inbound traffic not matched by a rule below, don't log smb packets
> block in log on $ext_if all
> block in on $ext_if proto udp from any port 137:139
>
> # return ident instead of dropping to prevent email delay
> block return in on $ext_if proto tcp to any port 113
>
> # allow all loopback traffic
> pass quick on lo0 all
> pass quick on bridge0 all
>
> # block packets claiming to be from an internal address
> #antispoof for $ext_if
>
> # allow CARP & pfsync
> pass quick on { $pfs_if } proto pfsync keep state (no-sync)
> pass on { $ext_if $dmz_if $int_if } proto carp keep state
>
> # allow all traffic on inside interface unless blocked by a rule below
> pass on { $dmz_if $int_if } all

-- 
One cannot sell the earth upon which the people walk
Tacunka Witco
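An added example, not part of either mail in this thread and not a FreeBSD tool: a small POSIX sh/awk check that reads the two rc.conf fragments quoted above and reports every vhid whose advskew is identical on both boxes (the "you have the same advskew" point from the pfsync(4) passage), and then reads ifconfig output to confirm that exactly one box is MASTER for each vhid. The rc.conf text is taken from the quoted fragments; the corrected box #1 with advskew 200, the ifconfig samples (including one where carp0 is stuck in INIT, as in the report that carp0 would not run) and the "carp: STATE vhid N advbase N advskew N" status-line format are assumptions constructed for the example.

```sh
#!/bin/sh
# Added example (not from the thread, not a FreeBSD tool): sanity-check a
# two-box CARP setup for the "same advskew on both boxes" problem, then
# confirm from ifconfig output that each vhid has exactly one MASTER.
# Inputs are constructed from the rc.conf lines quoted in the thread; the
# ifconfig samples and the carp status-line format are assumptions.

# box #0 and box #1 exactly as quoted: advskew 100 on both sides
RC_BOX0='cloned_interfaces="bridge0 carp0 carp1"
ifconfig_carp0="vhid 1 advskew 100 pass tengu 207.245.109.13/24"
ifconfig_carp1="vhid 2 advskew 100 pass zruty 10.10.1.13/16"'
RC_BOX1="$RC_BOX0"

# box #1 with the backup given a higher advskew, as pfsync(4) suggests
# (200 is an arbitrary constructed value; anything above 100 will do)
RC_BOX1_FIXED='cloned_interfaces="bridge0 carp0 carp1"
ifconfig_carp0="vhid 1 advskew 200 pass tengu 207.245.109.13/24"
ifconfig_carp1="vhid 2 advskew 200 pass zruty 10.10.1.13/16"'

# carp_skews "rc.conf text" -> one "<vhid> <advskew>" line per ifconfig_carpN
# entry, sorted by vhid; a missing advskew is reported as 0 (the default)
carp_skews() {
    printf '%s\n' "$1" | awk -F'"' '
        /^ifconfig_carp[0-9]+=/ {
            n = split($2, f, " "); vhid = ""; skew = ""
            for (i = 1; i <= n; i++) {
                if (f[i] == "vhid")    vhid = f[i + 1]
                if (f[i] == "advskew") skew = f[i + 1]
            }
            if (vhid != "") print vhid, (skew == "" ? 0 : skew)
        }' | sort -n
}

# tied_vhids "rc box0" "rc box1" -> space-separated vhids whose advskew is
# identical on both boxes (empty when every vhid has a clear preference)
tied_vhids() {
    printf '%s\n' "$(carp_skews "$1")" "$(carp_skews "$2")" | awk '
        NF != 2 { next }
        !($1 in skew) { skew[$1] = $2; next }
        skew[$1] == $2 { tied = tied (tied == "" ? "" : " ") $1 }
        END { print tied }'
}

# Constructed ifconfig output: box #0 master for both vhids, box #1 backup
IFCONFIG_BOX0='carp0: flags=49<UP,LOOPBACK,RUNNING> mtu 1500
        inet 207.245.109.13 netmask 0xffffff00
        carp: MASTER vhid 1 advbase 1 advskew 100
carp1: flags=49<UP,LOOPBACK,RUNNING> mtu 1500
        inet 10.10.1.13 netmask 0xffff0000
        carp: MASTER vhid 2 advbase 1 advskew 100'
IFCONFIG_BOX1='carp0: flags=49<UP,LOOPBACK,RUNNING> mtu 1500
        inet 207.245.109.13 netmask 0xffffff00
        carp: BACKUP vhid 1 advbase 1 advskew 200
carp1: flags=49<UP,LOOPBACK,RUNNING> mtu 1500
        inet 10.10.1.13 netmask 0xffff0000
        carp: BACKUP vhid 2 advbase 1 advskew 200'
# The failure mode from the thread (constructed): carp0 never leaves INIT
IFCONFIG_BOX0_STUCK='carp0: flags=8<LOOPBACK> mtu 1500
        carp: INIT vhid 1 advbase 1 advskew 100
carp1: flags=49<UP,LOOPBACK,RUNNING> mtu 1500
        inet 10.10.1.13 netmask 0xffff0000
        carp: MASTER vhid 2 advbase 1 advskew 100'

# carp_states "ifconfig text" -> "<vhid> <STATE>" lines from the carp: lines
carp_states() {
    printf '%s\n' "$1" | awk '
        $1 == "carp:" { for (i = 3; i <= NF; i++) if ($i == "vhid") print $(i + 1), $2 }' | sort -n
}

# vhids_without_single_master "out box0" "out box1" -> vhids (in first-seen
# order) for which the two boxes together do not show exactly one MASTER
vhids_without_single_master() {
    printf '%s\n' "$(carp_states "$1")" "$(carp_states "$2")" | awk '
        NF != 2 { next }
        !($1 in seen) { seen[$1] = 1; order[++n] = $1 }
        $2 == "MASTER" { m[$1]++ }
        END {
            for (i = 1; i <= n; i++)
                if (m[order[i]] != 1) bad = bad (bad == "" ? "" : " ") order[i]
            print bad
        }'
}

# Report when run directly
echo "tied vhids as quoted:      '$(tied_vhids "$RC_BOX0" "$RC_BOX1")'"
echo "tied vhids after fix:      '$(tied_vhids "$RC_BOX0" "$RC_BOX1_FIXED")'"
echo "no single master:          '$(vhids_without_single_master "$IFCONFIG_BOX0" "$IFCONFIG_BOX1")'"
echo "with carp0 stuck in INIT:  '$(vhids_without_single_master "$IFCONFIG_BOX0_STUCK" "$IFCONFIG_BOX1")'"
```

On real boxes you would feed carp_skews the two /etc/rc.conf files and carp_states the output of "ifconfig carp0 carp1" from each host; a non-empty result from either check is what to look at before touching the pf.conf rules.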