Hi Theo,
Agreed, I guess I'm really just concerned about CARP and PF and not
wanting to direct packets to the firewall before it's ready. But I guess
this should be fine and I'm just worrying..
Because I cannot get the carp backup to announce routes with a higher
cost I'm struggling to come up with a design which I think will be
stable.
For all important purposes, our internal v4 nets are RFC1918 nets and
so I have to run CARP on the internal NICs (server default routes), and
CARP on the outside for NAT RDR BINAT etc, with filtering and state
checking/modulation.
So v4 OSPF is mostly fine for now (adding 'network carp1' to area 0
where carp1 is the internal carp) with 5.4 as I would like the
different data centres to communicate across our layer 2 WAN without
NATing reliably even during CARP failover.
The bad feeling I have ;) is to do with v6. We are trying to dual-stack
our entire network, we have /many/ networks behind our BSD routers, and
I'm freaked at the thought of loops (packet enters the backup firewall,
ingresses the network, server replies, and the reply egresses the
network via the master firewall).
'defer' seems like it would slow things down, and sloppy states scare
me as it disables security (server has to use its own mechanism to
prevent ICMP teardown attack and/or insertion attacks etc etc). But I
admit I don't understand it properly yet.
To me being able to control route costs would be a better solution and
stop any loops.
I appreciate this problem is being born out of the fact that I am
trying to run the boxes as both firewalls /and/ routers.
Does this make sense, and does anyone have an idea of how to cope with
this dual-stack scenario?
Cheers, Andy.
PS; ignore all the slanderous bull**** It's impossible to make everyone
happy and to think the same way.. ;)
On Wed 09 Oct 2013 15:20:33 BST, Theo de Raadt wrote:
> > It seems that OSPF starts quite early in the boot process before other
> > things have finished booting.
> > Is there a way to delay the start so that it only starts announcing once
> > all the startup scripts have run etc?
>
> That would be wrong. I can figure out why you want it.
> The starting of routes from OSPF is not meant to indicate that higher
> level services are now available. In fact there may be higher-level
> services which require that the routes are available before they can
> start.