Fwd: carp + ipfw problem

From: Sarxan Elxanzade (sarxan_at_azerin.com)
Date: 11/07/05

    To: stable@freebsd.org, Max Laier <mlaier@freebsd.org>
    Date: Tue, 8 Nov 2005 02:34:27 +0400
    
    
    

    It's too late now, maybe I need to get some sleep. Sorry again...

    ---------- Forwarded Message ----------

    Subject: carp + ipfw problem
    Date: Tuesday 08 November 2005 02:10
    From: Sarxan Elxanzade <sarxan@elxanzade.com>
    To: stable@freebsd.org, Max Laier <mlaier@freebsd.org>
    Cc: Rauf Kuliyev <rauf@kuliyev.com>

    Hello all,

    I'm trying to configure a firewall with carp + ipfw, but I encountered a
    strange problem.

    Packets are bypassing the carp interface; instead, the ipfw log shows packet
    flow to/from the physical interface, e.g.:

    FreeBSD host 5.4-RELEASE-p7 FreeBSD 5.4-RELEASE-p7 #6: Tue Sep 27 16:32:30
    AZST 2005
    root@host:/usr/obj/usr/src/sys/FIREWALL i386

    # ifconfig fxp1
    fxp1: flags=9943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,LINK0,MULTICAST> mtu
    1500
            options=8<VLAN_MTU>
            inet 192.168.28.1 netmask 0xffffff00 broadcast 192.168.28.255
            media: Ethernet 100baseTX <full-duplex>
            status: active

    # ifconfig carp1
    carp1: flags=41<UP,RUNNING> mtu 1500
            inet 192.168.28.2 netmask 0xffffff00
            carp: MASTER vhid 4 advbase 1 advskew 0

    # ipfw show
    00001 0 0 check-state
    00002 0 0 allow ip from any to any via lo0
    00010 0 0 allow log icmp from any to any
    00020 4 344 allow log tcp from any to any
    00030 0 0 allow log udp from any to any
    65534 0 0 allow ip from any to any
    65535 0 0 deny ip from any to any

    When I ping the IP address assigned to the carp1 interface from a host within
    the same network:
    # ping 192.168.28.2
    PING 192.168.28.2 (192.168.28.2): 56 data bytes
    64 bytes from 192.168.28.2: icmp_seq=0 ttl=64 time=0.511 ms

    I received the following in secure.log:

    Nov 8 01:54:46 border kernel: ipfw: 10 Accept ICMP:8.0 192.168.28.3
    192.168.28.2 in via fxp1
    Nov 8 01:54:46 border kernel: ipfw: 10 Accept ICMP:8.0 192.168.28.3
    192.168.28.2 in via fxp1
    Nov 8 01:54:46 border kernel: ipfw: 10 Accept ICMP:0.0 192.168.28.2
    192.168.28.3 out via fxp1
    Nov 8 01:54:46 border kernel: ipfw: 10 Accept ICMP:0.0 192.168.28.2
    192.168.28.3 out via fxp1

    The situation is the same with the tcp protocol.

    The kernel config is in the attachment.

    Maybe I missed something?

    --
    Best regards,
    Elkhanzade Sarkhan
    -------------------------------------------------------
    -- 
    Elkhanzade Sarkhan 
    Azerin ISP, U.Hajibeyov 36, Baku
    Systems Administrator
    Phone  work     : +994124982533
    e-mail          : sarxan@azerin.com
    
    
    

    _______________________________________________
    freebsd-stable@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-stable
    To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"


