Re: Firewalling with PF, AUUG2005 edition

2005-10-22 Thread William Ross

This is nice, Peter.

At 07:22 PM 10/17/2005, Peter wrote:

I've updated the Firewalling with PF manuscript, mainly for the tutorial


..


The updated versions are up at

http://www.bgnett.no/~peter/pf/en/ - full text, html, English
http://www.bgnett.no/~peter/pf/en/long-firewall.html - full text, one html file, English

http://www.bgnett.no/~peter/pf/en/pf-firewall.pdf - full text, pdf, English
http://www.bgnett.no/~peter/pf/en/foils/




Re: CARP and VRRP incompatible on the same network segment?

2005-10-22 Thread Bill Marquette
On 10/19/05, Jason Dixon [EMAIL PROTECTED] wrote:
 I wouldn't be surprised if they're incompatible on the same segment.
 They use the same protocol number, and I'm willing to bet you have
 identical VRID/VHID's in there.  Even if the ID's are not the same,
 the OS is trying to make sense of what it believes to be a CARP
 packet, but really isn't.  The CARP packet format is described in
 src/sys/netinet/ip_carp.h.  The VRRP packet format is in the RFC
 (http://www.faqs.org/rfcs/rfc2338.html).

It does work, I have this type of setup at work.  However I also only
allow CARP packets in from the IP of the CARP peer.  On the VRRP side
of things, my poor colleagues are getting inundated with broken VRRP
messages from the CARP firewalls, but it does work in practice with
both Nortel 8600 routers and Nortel Contivity IPSec switches.  Doesn't
mean other network gear works better.

--Bill
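The filtering Bill describes (only accept CARP from the known peer) can be expressed in a few pf.conf lines. This is an added example for this archive page, not a rule set posted in the thread; the interface name and the peer address are assumptions. It relies on two facts stated or implied above: CARP and VRRP share IP protocol number 112 (which pf knows by the name carp), and both send their advertisements to the multicast group 224.0.0.18, so a CARP host on a shared segment will otherwise try to parse every VRRP advertisement as a CARP one.

```pf
# pf.conf fragment (added example; em0 and 192.0.2.2 are assumed values)
ext_if    = "em0"
carp_peer = "192.0.2.2"     # the other CARP firewall on this segment

# Drop protocol 112 from anyone but the peer. This is where the VRRP
# routers' advertisements are discarded before the kernel's CARP input
# path ever sees them.
block in quick on $ext_if proto carp from ! $carp_peer

# Accept the peer's CARP advertisements (sent to the shared multicast
# group) and let our own advertisements out.
pass in  quick on $ext_if proto carp from $carp_peer to 224.0.0.18
pass out quick on $ext_if proto carp
```

Note the asymmetry Bill points out: these rules protect the CARP side only. The firewalls still multicast their own advertisements, so the VRRP routers on the segment keep receiving frames they cannot parse, and whether they cope with that depends on the vendor's VRRP implementation, not on pf.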