Hello all,
I'm trying to configure a firewall with carp + ipfw, but I encountered a strange problem.
Packets are bypassing the carp interface; instead, the ipfw log shows packet flow to/from the physical interface, e.g.:
FreeBSD host 5.4-RELEASE-p7 FreeBSD 5.4-RELEASE-p7 #6: Tue Sep 27 16:32:30 AZST 2005 [EMAIL PROTECTED]:/usr/obj/usr/src/sys/FIREWALL i386
# ifconfig fxp1
fxp1: flags=9943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,LINK0,MULTICAST> mtu 1500
options=8<VLAN_MTU>
inet 192.168.28.1 netmask 0xffffff00 broadcast 192.168.28.255
media: Ethernet 100baseTX <full-duplex>
status: active
# ifconfig carp1
carp1: flags=41<UP,RUNNING> mtu 1500
inet 192.168.28.2 netmask 0xffffff00
carp: MASTER vhid 4 advbase 1 advskew 0
# ipfw show
00001 0 0 check-state
00002 0 0 allow ip from any to any via lo0
00010 0 0 allow log icmp from any to any
00020 4 344 allow log tcp from any to any
00030 0 0 allow log udp from any to any
65534 0 0 allow ip from any to any
65535 0 0 deny ip from any to any
When I ping the IP address assigned to the carp1 interface from a host within the same network:
# ping 192.168.28.2
PING 192.168.28.2 (192.168.28.2): 56 data bytes
64 bytes from 192.168.28.2: icmp_seq=0 ttl=64 time=0.511 ms
I received the following in secure.log:
Nov 8 01:54:46 border kernel: ipfw: 10 Accept ICMP:8.0 192.168.28.3 192.168.28.2 in via fxp1
Nov 8 01:54:46 border kernel: ipfw: 10 Accept ICMP:8.0 192.168.28.3 192.168.28.2 in via fxp1
Nov 8 01:54:46 border kernel: ipfw: 10 Accept ICMP:0.0 192.168.28.2 192.168.28.3 out via fxp1
Nov 8 01:54:46 border kernel: ipfw: 10 Accept ICMP:0.0 192.168.28.2 192.168.28.3 out via fxp1
The same situation occurs with the TCP protocol.
The kernel config is in the attachment.
Did I miss something?
--
Best regards,
Elkhanzade Sarkhan
-------------------------------------------------------
--
Elkhanzade Sarkhan
Azerin ISP, U.Hajibeyov 36, Baku
Systems Administrator
Phone work : +994124982533
e-mail : [EMAIL PROTECTED]
machine i386
cpu I586_CPU
ident FIREWALL
options SCHED_4BSD # 4BSD scheduler
options INET # InterNETworking
options FFS # Berkeley Fast Filesystem
options SOFTUPDATES # Enable FFS soft updates support
options UFS_ACL # Support for access control lists
options UFS_DIRHASH # Improve performance on big directories
options PSEUDOFS # Pseudo-filesystem framework
options COMPAT_43 # Compatible with BSD 4.3 [KEEP THIS!]
options COMPAT_FREEBSD4 # Compatible with FreeBSD4
options _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
options KBD_INSTALL_CDEV # install a CDEV entry in /dev
options ADAPTIVE_GIANT # Giant mutex is adaptive.
# AMD K6
options CPU_WT_ALLOC
options NO_MEMORY_HOLE
device apic # I/O APIC
device isa
device eisa
device pci
# ATA and ATAPI devices
device ata
device atadisk # ATA disk drives
device atapicd # ATAPI CDROM drives
device atapist # ATAPI tape drives
options ATA_STATIC_ID # Static device numbering
# atkbdc0 controls both the keyboard and the PS/2 mouse
device atkbdc # AT keyboard controller
device atkbd # AT keyboard
device psm # PS/2 mouse
device vga # VGA video card driver
device sc
# Floating point support - do not disable.
device npx
# PCI Ethernet NICs that use the common MII bus controller code.
# NOTE: Be sure to keep the 'device miibus' line in order to use these NICs!
device miibus # MII bus support
device fxp # Intel EtherExpress PRO/100B (82557, 82558)
# Pseudo devices.
device loop # Network loopback
device mem # Memory and kernel memory devices
device io # I/O device
device random # Entropy device
device ether # Ethernet support
device pty # Pseudo-ttys (telnet etc)
#device carp
#device pf
#device pflog
#device pfsync
device bpf # Berkeley packet filter
options IPFIREWALL
options IPFIREWALL_FORWARD
device carp
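As an added check (example code, not from the original post or from FreeBSD), a small Python script that parses the ipfw log lines quoted above and reports every packet to or from the CARP address that ipfw matched on an interface other than carp1, so you can see at a glance which interface name your rules actually have to use. The address-to-interface table is taken from the ifconfig output in the post; the TCP sample line is constructed in the same ipfw syslog format.

```python
import re

# Log lines as quoted in the post (the four ICMP lines), plus one constructed
# TCP line in the same ipfw(8) syslog format to show how ports are handled.
SAMPLE_LOG = [
    "Nov 8 01:54:46 border kernel: ipfw: 10 Accept ICMP:8.0 192.168.28.3 192.168.28.2 in via fxp1",
    "Nov 8 01:54:46 border kernel: ipfw: 10 Accept ICMP:8.0 192.168.28.3 192.168.28.2 in via fxp1",
    "Nov 8 01:54:46 border kernel: ipfw: 10 Accept ICMP:0.0 192.168.28.2 192.168.28.3 out via fxp1",
    "Nov 8 01:54:46 border kernel: ipfw: 10 Accept ICMP:0.0 192.168.28.2 192.168.28.3 out via fxp1",
    "Nov 8 01:55:02 border kernel: ipfw: 20 Accept TCP 192.168.28.3:51234 192.168.28.2:22 in via fxp1",  # constructed
]

# CARP address -> carp interface, taken from the ifconfig output in the post.
CARP_VIPS = {"192.168.28.2": "carp1"}

# "ipfw: <rule> <action> <PROTO>[:type.code] <src>[:port] <dst>[:port] in|out via <iface>"
IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\S+) (?P<proto>[A-Z]+)(?::(?P<type>[\d.]+))? "
    r"(?P<src>[\d.]+(?::\d+)?) (?P<dst>[\d.]+(?::\d+)?) (?P<dir>in|out) via (?P<iface>\S+)"
)

def parse_ipfw_log(lines):
    """Parse ipfw syslog lines into dicts; lines that are not ipfw records are skipped."""
    records = []
    for line in lines:
        m = IPFW_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["rule"] = int(rec["rule"])
        # Drop any :port so addresses compare directly against the VIP table.
        rec["src_ip"] = rec["src"].split(":")[0]
        rec["dst_ip"] = rec["dst"].split(":")[0]
        records.append(rec)
    return records

def audit_carp_interfaces(records, vips):
    """Return records involving a CARP address that ipfw matched on some other
    interface; a rule written 'via carpN' would not have seen these packets."""
    return [
        rec for rec in records
        if any(vips.get(ip) not in (None, rec["iface"]) for ip in (rec["src_ip"], rec["dst_ip"]))
    ]

if __name__ == "__main__":
    for rec in audit_carp_interfaces(parse_ipfw_log(SAMPLE_LOG), CARP_VIPS):
        print(f"rule {rec['rule']}: {rec['src']} -> {rec['dst']} {rec['dir']} via {rec['iface']}")
```

Run against the real secure.log, the script lists which rules passed CARP traffic and on which interface, which is the quickest way to confirm whether any rule naming carp1 ever matches.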
_______________________________________________
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "[EMAIL PROTECTED]"