carp fails when firewall enabled

R

rtt010567

I have carp and pfsync working flawless on two 8.2 machines, each with two network interfaces and configured as firewalls/routers.

It works perfectly AS LONG AS BOTH MACHINES BOOT WITH FIREWALL SET TO "OPEN". (My kernel was built WITHOUT IPFIREWALL_DEFAULT_TO_ACCEPT so default is to deny).

The problem occurs as soon as I turn on the default "SIMPLE" firewall on the master (and leave the backup machine's firewall "OPEN"). At that point, the backup machine thinks it is the master and takes charge even though the master is still running. Moreover, the master still thinks it's in charge, so I now have two competing masters which obviously doesn't work.

To summarise: turning on the "SIMPLE" firewall (which works as expected otherwise) on the master blocks the carp protocol somehow. Of course, I have tried adding all manner of rules to my rc.firewall to enable carp/pfsync, but none of these have any effect:

Code: 
${fwcmd} add pass carp from any to any
${fwcmd} add pass carp from any to any setup
${fwcmd} add pass carp from any to any established
${fwcmd} add pass carp from any to any keep-state
${fwcmd} add pass pfsync from any to any
${fwcmd} add pass pfsync from any to any setup
${fwcmd} add pass pfsync from any to any established
${fwcmd} add pass pfsync from any to any keep-state
The TRULY WEIRD thing is that carp remains wedged on both machines even after I explictly reset the master's firewall to "OPEN", as in:

sh /etc/rc.firewall open >&/dev/null

The only way to get them back to their original working state is to reboot the master (again, configured to come up with the firewall enabled but "OPEN").

Has anyone gotten carp to work with the firewall(s) enabled?

Stumped.

Thanks,

Rick
 
Obviously some rule is blocking outgoing CARP/VRRP packets from master. Can you post your full ruleset?

Code: 
ipfw -a list

Or alternatively add log option to all rules to see what is going on..
 
rtt010567 said:
I have carp and pfsync working flawless on two 8.2 machines, each with two network interfaces and configured as firewalls/routers.

It works perfectly AS LONG AS BOTH MACHINES BOOT WITH FIREWALL SET TO "OPEN". (My kernel was built WITHOUT IPFIREWALL_DEFAULT_TO_ACCEPT so default is to deny).
Click to expand...

I don't think pfsync works with ipfw. So the first step is to turn it off and use pf instead.
 
solved: carp works with pf, not ipfw

I don't think pfsync works with ipfw. So the first step is to turn it off and use pf instead.
Click to expand...

That was the answer.

I rebuilt my kernel without IPFIREWALL and borrowed a canned set of rules from here:

https://sites.google.com/site/clickdeathsquad/Home/cds-bsdfirewall

and added these rules as per the instructions regarding the use of carp with pfsync from the pfsync(4) man page:

Code: 
           pass quick on { sis2 } proto pfsync
           pass on { sis0 sis1 } proto carp

Thanks.

R
 
You must log in or register to reply here.
Back
Top