Here's my pf.conf:

# $OpenBSD: pf.conf,v 1.35 2008/02/29 17:04:55 reyk Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

# macros
ext_if = "re0"                  # External Interface (169.229.158.0/24)
int_if = "xl0"                  # Internal Interface (192.168.1.0/24)
localnet = $int_if:network
webserver = "192.168.1.50"
webports = "{ http , https }"
tcp_services = "{ ssh }"
icmp_types = "echoreq"
carpdevs = "{ carp0 , carp1 }"
syncdev = "{ re1 }"
ssh_allowed = "192.168.1.100"
carp_mcast = "224.0.0.18"

# extra tweaks
set skip on lo
set block-policy return
set loginterface $ext_if
scrub in

# nat/rdr
nat on $ext_if from $localnet to any -> ($ext_if)
nat on $int_if proto tcp from $localnet to $webserver port $webports -> $int_if
no nat on $int_if proto tcp from $int_if to $localnet
rdr on $ext_if proto tcp from any to any port $webports -> $webserver
rdr on $int_if proto tcp from $localnet to $ext_if port $webports -> $webserver

# pass rules
block in
pass out keep state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in quick on $int_if
pass in on $ext_if inet proto tcp from any to ($ext_if) \
    port $tcp_services flags S/SA keep state
pass in on $ext_if inet proto tcp from any to $webserver port $webports \
    flags S/SA synproxy state
pass on $carpdevs proto carp keep state
pass quick on $ext_if proto carp \
    from $ext_if:network to $carp_mcast keep state
pass on $syncdev proto pfsync
pass in on $int_if from $ssh_allowed to self keep state (no-sync)
antispoof quick for { lo $int_if }

Here's my pf.conf.BAK:

# $OpenBSD: pf.conf,v 1.35 2008/02/29 17:04:55 reyk Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

# macros
ext_if = "re0"                  # External Interface (169.229.158.0/24)
int_if = "xl0"                  # Internal Interface (192.168.1.0/24)
localnet = $int_if:network
webserver = "192.168.1.50"
webports = "{ http , https }"
tcp_services = "{ ssh }"
icmp_types = "echoreq"

# extra tweaks
set skip on lo
set block-policy return
set loginterface $ext_if
scrub in

# nat/rdr
nat on $ext_if from $localnet to any -> ($ext_if)
nat on $int_if proto tcp from $localnet to $webserver port $webports -> $int_if
no nat on $int_if proto tcp from $int_if to $localnet
rdr on $ext_if proto tcp from any to any port $webports -> $webserver
rdr on $int_if proto tcp from $localnet to $ext_if port $webports -> $webserver

# pass rules
block in
pass out keep state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in quick on $int_if
pass in on $ext_if inet proto tcp from any to ($ext_if) \
    port $tcp_services flags S/SA keep state
pass in on $ext_if inet proto tcp from any to $webserver port $webports \
    flags S/SA synproxy state
antispoof quick for { lo $int_if }

I still don't think it makes sense SSHing into your carp interface. I mean, if you ssh once you're in one machine, but then the next time you're in another. Anyways, take a look and see what can be done. pf.conf is my current CARP setup, while pf.conf.BAK is from before I set up CARP.

Thanks,
Vivek

On Sun, Oct 19, 2008 at 6:53 AM, Jason Dixon <[EMAIL PROTECTED]> wrote:
> On Sun, Oct 19, 2008 at 01:04:35PM +0530, Girish Venkatachalam wrote:
>> On 22:45:49 Oct 18, Vivek Ayer wrote:
>> > Actually, I feel kind of stupid for asking the question. Of course you
>> > can never ssh into the virtual carp interface, which is what I was
>> > trying to do. SSHing into the physical interface still works no
>> > problem. Then again, it would be Yay..CARP is working 100%.
>
> You can do most things with a CARP interface that you can with a regular
> interface. Exceptions would be applications that rely on bpf.
>
>> You can of course use the CARP virtual interface. In fact you are
>> supposed to use that if you setup CARP. ;)
>
> For services that you want to failover, yes. For administrative
> purposes (i.e. ssh access), probably not.
>
> --
> Jason Dixon
> DixonGroup Consulting
> http://www.dixongroup.net/
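An added example, not part of the thread or of OpenBSD's pf tooling: a small Python audit script that reads the pf.conf syntax posted above (macro definitions, `$name` expansion, `{ a , b }` lists, backslash continuations), lists which interfaces and sources the "pass in" rules admit SSH from, and reports which rules carry "(no-sync)", i.e. whose state is kept local to one CARP node rather than replicated over pfsync. The sample ruleset embedded in the script is a constructed excerpt using the macro values from the posted pf.conf, trimmed to the inbound rules; run `pfctl -nf` on the real file for the authoritative syntax check.

```python
import re

# Constructed excerpt in the same syntax as the pf.conf posted above; the
# macro values are the thread's, the rule set is trimmed to inbound rules.
SAMPLE_PF_CONF = """
# macros
ext_if = "re0"          # External Interface
int_if = "xl0"          # Internal Interface
localnet = $int_if:network
tcp_services = "{ ssh }"
icmp_types = "echoreq"
carpdevs = "{ carp0 , carp1 }"
ssh_allowed = "192.168.1.100"

# pass rules
block in
pass out keep state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in quick on $int_if
pass in on $ext_if inet proto tcp from any to ($ext_if) \\
    port $tcp_services flags S/SA keep state
pass on $carpdevs proto carp keep state
pass in on $int_if from $ssh_allowed to self keep state (no-sync)
"""

MACRO_RE = re.compile(r"^(\w+)\s*=\s*(.+)$")


def logical_lines(text):
    """Drop comments and blank lines; join lines continued with a trailing backslash."""
    out, pending = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        out.append(" ".join((pending + line).split()))
        pending = ""
    return out


def parse_macros(lines):
    """Collect name = value definitions; surrounding quotes are dropped."""
    return {m.group(1): m.group(2).strip().strip('"')
            for m in map(MACRO_RE.match, lines) if m}


def expand(rule, macros):
    """Substitute $name references; a macro may itself refer to another macro."""
    for _ in range(8):  # bounded; an unknown $name is left as written
        new = re.sub(r"\$(\w+)", lambda m: macros.get(m.group(1), m.group(0)), rule)
        if new == rule:
            return new
        rule = new
    return rule


def split_list(s):
    """'{ a , b }' -> ['a', 'b'];  'a' -> ['a']."""
    return [p for p in re.split(r"[\s,{}]+", s) if p]


def inbound_rules(text):
    """Expanded 'pass in' rules with interface, source, proto, ports and sync flag."""
    lines = logical_lines(text)
    macros = parse_macros(lines)
    rules = []
    for line in lines:
        if MACRO_RE.match(line):
            continue
        rule = expand(line, macros)
        if not rule.startswith("pass in"):
            continue
        iface = re.search(r"\bon\s+(\S+)", rule)
        src = re.search(r"\bfrom\s+(\S+)", rule)
        proto = re.search(r"\bproto\s+(\{[^}]*\}|\S+)", rule)
        ports = re.search(r"\bport\s+(\{[^}]*\}|\S+)", rule)
        rules.append({
            "rule": rule,
            "iface": iface.group(1) if iface else "any",
            "from": src.group(1) if src else "any",
            "proto": split_list(proto.group(1)) if proto else ["any"],
            "ports": split_list(ports.group(1)) if ports else ["any"],
            "no_sync": "(no-sync)" in rule,
        })
    return rules


def ssh_exposure(text):
    """(interface, source) pairs for rules that admit TCP port 22 (ssh)."""
    hits = []
    for r in inbound_rules(text):
        if not {"tcp", "any"} & set(r["proto"]):
            continue  # e.g. the icmp rule: no port match possible
        if {"ssh", "22", "any"} & set(r["ports"]):
            hits.append((r["iface"], r["from"]))
    return hits


def unsynced_rules(text):
    """Rules whose state stays on this node and is not replicated by pfsync."""
    return [r["rule"] for r in inbound_rules(text) if r["no_sync"]]


if __name__ == "__main__":
    for iface, src in ssh_exposure(SAMPLE_PF_CONF):
        print(f"ssh admitted on {iface} from {src}")
    for rule in unsynced_rules(SAMPLE_PF_CONF):
        print("state not synced:", rule)
```

On the sample ruleset the script shows that the `pass in quick on $int_if` rule already admits everything from the inside (the `$ssh_allowed` rule is narrower but never reached first), that the external interface accepts SSH from any source, and that only the `$ssh_allowed` rule is marked `(no-sync)`, so an admin session to one node's physical interface is not carried over to the other node on failover, which matches the advice in the quoted reply.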