Fwd: carp + ipfw problem

Sarxan Elxanzade sarxan at azerin.com
Mon Nov 7 14:34:38 PST 2005

It too late now, may be I need to get some sleep. Sorry again...

----------  Forwarded Message  ----------

Subject: carp + ipfw problem
Date: Tuesday 08 November 2005 02:10
From: Sarxan Elxanzade <sarxan at elxanzade.com>
To: stable at freebsd.org, Max Laier <mlaier at freebsd.org>
Cc: Rauf Kuliyev <rauf at kuliyev.com>

Hello all,

I'm trying to configure a firewall with carp + ipfw, but I encountered the
strange problem.

Packets are bypassing carp interface, instead ipfw log shows packet flow
to/from physical interface, e.g.:

FreeBSD host 5.4-RELEASE-p7 FreeBSD 5.4-RELEASE-p7 #6: Tue Sep 27 16:32:30
AZST 2005
root at host:/usr/obj/usr/src/sys/FIREWALL  i386

# ifconfig fxp1
        inet netmask 0xffffff00 broadcast
        media: Ethernet 100baseTX <full-duplex>
        status: active

# ifconfig carp1
carp1: flags=41<UP,RUNNING> mtu 1500
        inet netmask 0xffffff00
        carp: MASTER vhid 4 advbase 1 advskew 0

# ipfw show
00001 0   0 check-state
00002 0   0 allow ip from any to any via lo0
00010 0   0 allow log icmp from any to any
00020 4 344 allow log tcp from any to any
00030 0   0 allow log udp from any to any
65534 0   0 allow ip from any to any
65535 0   0 deny ip from any to any

When I ping the IP address assigned to carp1 interface from host within the
same network
# ping
PING ( 56 data bytes
64 bytes from icmp_seq=0 ttl=64 time=0.511 ms

I received in secure.log following:

Nov  8 01:54:46 border kernel: ipfw: 10 Accept ICMP:8.0 in via fxp1
Nov  8 01:54:46 border kernel: ipfw: 10 Accept ICMP:8.0 in via fxp1
Nov  8 01:54:46 border kernel: ipfw: 10 Accept ICMP:0.0 out via fxp1
Nov  8 01:54:46 border kernel: ipfw: 10 Accept ICMP:0.0 out via fxp1

The same situation with the tcp protocol.

Kernel's conf is in the attach.

May I missed something?

Best regards,
Elkhanzade Sarkhan


Elkhanzade Sarkhan 
Azerin ISP, U.Hajibeyov 36, Baku
Systems Administrator
Phone  work     : +994124982533
e-mail          : sarxan at azerin.com
-------------- next part --------------
machine         i386
cpu             I586_CPU
ident           FIREWALL

options         SCHED_4BSD              # 4BSD scheduler
options         INET                    # InterNETworking
options         FFS                     # Berkeley Fast Filesystem
options         SOFTUPDATES             # Enable FFS soft updates support
options         UFS_ACL                 # Support for access control lists
options         UFS_DIRHASH             # Improve performance on big 
options         PSEUDOFS                # Pseudo-filesystem framework
options         COMPAT_43               # Compatible with BSD 4.3 [KEEP 
options         COMPAT_FREEBSD4         # Compatible with FreeBSD4
options         _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time 
options         KBD_INSTALL_CDEV        # install a CDEV entry in /dev
options         ADAPTIVE_GIANT          # Giant mutex is adaptive.
# AMD K6
options         CPU_WT_ALLOC
options         NO_MEMORY_HOLE

device          apic                    # I/O APIC
device          isa
device          eisa
device          pci

# ATA and ATAPI devices
device          ata
device          atadisk         # ATA disk drives
device          atapicd         # ATAPI CDROM drives
device          atapist         # ATAPI tape drives
options         ATA_STATIC_ID   # Static device numbering

# atkbdc0 controls both the keyboard and the PS/2 mouse
device          atkbdc          # AT keyboard controller
device          atkbd           # AT keyboard
device          psm             # PS/2 mouse
device          vga             # VGA video card driver
device          sc

# Floating point support - do not disable.
device          npx

# PCI Ethernet NICs that use the common MII bus controller code.
# NOTE: Be sure to keep the 'device miibus' line in order to use these NICs!
device          miibus          # MII bus support
device          fxp             # Intel EtherExpress PRO/100B (82557, 82558)

# Pseudo devices.
device          loop            # Network loopback
device          mem             # Memory and kernel memory devices
device          io              # I/O device
device          random          # Entropy device
device          ether           # Ethernet support
device          pty             # Pseudo-ttys (telnet etc)
#device         carp
#device         pf
#device         pflog
#device         pfsync
device          bpf             # Berkeley packet filter

options         IPFIREWALL
options         IPFIREWALL_FORWARD
device          carp

More information about the freebsd-stable mailing list