I've got two OBSD 4.1 boxes. They are set up identically, and I'm using CARP (&
pfsync) to obtain a redundant firewall. I appear to have CARP working fine. My
problem is when I enable pf. The initial TCP packet goes through fine, but the
return packet gets blocked. (I have verified this by putting "LOG" entries in
my ruleset.) If I disable PF, everything works fine.

Cutting down the pf ruleset to the bare minimum, I have:

adsl_if="em2"
int_if="em0"
pfsync_if="bge0"

scrub in
set skip on lo

block in

#These three lines allow the failover mechanisms to work
pass on { $int_if } proto carp keep state
pass on { $adsl_if } proto carp keep state
pass quick on { $pfsync_if } proto pfsync

#Allow internal people to SSH in.
pass in on $int_if proto tcp to ($int_if) port ssh keep state

#ICMP
pass in proto icmp to <me>

pass in on $int_if proto tcp from 172.16.2.34 to 192.168.249.3 keep state

With this config, 172.16.2.34 cannot make a TCP connection to 192.168.249.3.

What stupid thing have I missed?

For reference, below are the details of the carp & em interfaces. If anything
else is needed, let me know.

Thanks,

GTG


# ifconfig carp0
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:01
        carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 0
        groups: carp
        inet 192.168.253.253 netmask 0xffffff00 broadcast 192.168.253.255
        inet6 fe80::200:5eff:fe00:101%carp0 prefixlen 64 scopeid 0xb
# ifconfig carp2
carp2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:03
        carp: MASTER carpdev em2 vhid 3 advbase 1 advskew 0
        groups: carp
        inet6 fe80::200:5eff:fe00:103%carp2 prefixlen 64 scopeid 0xc
        inet 192.168.249.253 netmask 0xffffff00 broadcast 192.168.249.255
# ifconfig em0
em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:1b:21:01:c8:30
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 192.168.253.20 netmask 0xffffff00 broadcast 192.168.253.255
        inet6 fe80::21b:21ff:fe01:c830%em0 prefixlen 64 scopeid 0x3
# ifconfig em2
em2: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:1b:21:01:c8:32
        media: Ethernet autoselect (100baseTX full-duplex,rxpause,txpause)
        status: active
        inet 192.168.249.251 netmask 0xffffff00 broadcast 192.168.249.255
        inet6 fe80::21b:21ff:fe01:c832%em2 prefixlen 64 scopeid 0x5
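An added diagnostic example, not part of the post above: a small Python script that compares `pfctl -ss` output from the MASTER and BACKUP boxes to check that pfsync is actually replicating the states the `keep state` rules create, and that flags any state pinned to a single interface (pf's default state-policy is floating; an if-bound state only matches packets on the interface it was created on, so the reply arriving on the other interface would not match it). The sample state lines are constructed, using the addresses and interface names from the post; the assumed column layout is `<interface or "all"> <proto> <endpoint> <arrow> <endpoint> <state>`, which is an assumption to check against the real output on the boxes.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample `pfctl -ss` output from the two firewalls (not real captures).
# Assumed column layout: <interface or "all"> <proto> <endpoint> <arrow> <endpoint> <state>.
# "all" marks a floating state; an interface name marks an if-bound state.
MASTER_STATES = """\
all tcp 192.168.249.3:22 <- 172.16.2.34:40123       ESTABLISHED:ESTABLISHED
all tcp 172.16.2.34:40123 -> 192.168.249.3:22       ESTABLISHED:ESTABLISHED
all udp 192.168.253.20:123 -> 192.168.249.3:123       MULTIPLE:MULTIPLE
em0 tcp 192.168.253.20:22 <- 172.16.2.34:40200       ESTABLISHED:ESTABLISHED
"""
BACKUP_STATES = """\
all tcp 192.168.249.3:22 <- 172.16.2.34:40123       ESTABLISHED:ESTABLISHED
all tcp 172.16.2.34:40123 -> 192.168.249.3:22       ESTABLISHED:ESTABLISHED
"""

# A state is identified by protocol, the two endpoints and the direction arrow.
StateKey = Tuple[str, str, str, str]

STATE_RE = re.compile(
    r"^(?P<ifname>\S+)\s+(?P<proto>\S+)\s+(?P<a>\S+)\s+"
    r"(?P<arrow><-|->|<->)\s+(?P<b>\S+)\s+(?P<state>\S+)\s*$"
)


def parse_states(text: str) -> Dict[StateKey, Tuple[str, str]]:
    """Map each state key to (interface, tracking state); lines that do not
    fit the assumed layout are skipped rather than misread."""
    states: Dict[StateKey, Tuple[str, str]] = {}
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if not m:
            continue
        key = (m["proto"], m["a"], m["arrow"], m["b"])
        states[key] = (m["ifname"], m["state"])
    return states


def missing_on_backup(master: Dict[StateKey, Tuple[str, str]],
                      backup: Dict[StateKey, Tuple[str, str]]) -> Set[StateKey]:
    """States the master holds that pfsync has not replicated to the backup."""
    return set(master) - set(backup)


def if_bound(states: Dict[StateKey, Tuple[str, str]]) -> Set[StateKey]:
    """States pinned to one interface; the reverse packet arriving on a
    different interface cannot match them."""
    return {k for k, (ifname, _) in states.items() if ifname != "all"}


def report(master_text: str, backup_text: str) -> List[str]:
    """Human-readable findings for the two state tables."""
    master = parse_states(master_text)
    backup = parse_states(backup_text)
    lines: List[str] = []
    for key in sorted(missing_on_backup(master, backup)):
        lines.append("not on backup: %s %s %s %s" % key)
    for key in sorted(if_bound(master)):
        lines.append("if-bound on %s: %s %s %s %s" % ((master[key][0],) + key))
    return lines


if __name__ == "__main__":
    # On real boxes: feed the saved output of `pfctl -ss` from each firewall.
    for line in report(MASTER_STATES, BACKUP_STATES):
        print(line)
```

Run it against `pfctl -ss` output captured from both boxes at the same moment while a connection from 172.16.2.34 to 192.168.249.3 is open; a state present on the MASTER but absent on the BACKUP points at pfsync rather than at the filter rules, while an if-bound entry means the state cannot match the reply on the other interface.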
