If some of you will recall, quite some time ago I complained that I
found that CARP was being transmitted on my untrusted interfaces between
a couple of test boxes in a lab instead of on their synchronization
interface; something that the rest of the list seemed to think a
non-issue. It has arisen again, this time rather more disconcerting - I
find that my single pfSense box fronting my home network is "leaking"
CARP messages out the external interface, regardless of the fact that
I've turned off CARP (1.0-BETA1).

I don't like it - no matter what anyone else's perception of what is
exposed, it gives someone on my segment at least a layer-2 knob on my
network that shouldn't exist. It's enough to make me want to put a box
running ebtables outside of it just to filter out spurious stuff like
this... Or, "worse" yet, just replace my pf box with the GNAP image
I've been working on. I'm certainly up to customizing pfSense to
eliminate this behavior, but without upstream support it's something I'd
have to hunt down and change every time I updated.

What has anyone else done? Am I alone in disliking this? I'm not a fan
of "security by obscurity", but I do believe that good security is best
bolstered by a healthy dose of paranoia and some slick, black,
featureless walls. What do you guys think? Any differently than before?
RB
[pfSense-discussion] CARP leak... revisited (Randy B)
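For anyone who wants to confirm the behaviour described above on their own box rather than argue about it, here is a small added check (my own illustration, not code from pfSense or from the original post). It walks a set of (interface, raw Ethernet frame) pairs such as you would pull out of a pcap and flags CARP advertisements (IP protocol 112, version 2, type 1) that appear on an interface you consider untrusted. The interface names, addresses and sample frames are constructed for the example.

```python
import struct
from ipaddress import IPv4Address

CARP_PROTO = 112          # IP protocol number CARP shares with VRRP
ETHERTYPE_IPV4 = 0x0800

def parse_ipv4(frame):
    """Return (src, dst, proto, payload) for an IPv4 Ethernet frame, else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4          # header length in bytes
    proto = frame[23]                     # IP protocol field (offset 9 in IP header)
    src, dst = IPv4Address(frame[26:30]), IPv4Address(frame[30:34])
    return src, dst, proto, frame[14 + ihl:]

def parse_carp(payload):
    """Decode the fixed part of a CARP header (BSD ip_carp.h layout, 36 bytes)."""
    if len(payload) < 36:
        return None
    vt, vhid, advskew, _authlen, _demote, advbase, _cksum = struct.unpack("!BBBBBBH", payload[:8])
    return {"version": vt >> 4, "type": vt & 0x0F, "vhid": vhid,
            "advskew": advskew, "advbase": advbase}

def find_carp_leaks(frames, untrusted):
    """frames: iterable of (interface, frame bytes). Returns CARP advertisements on untrusted ifaces."""
    leaks = []
    for iface, frame in frames:
        if iface not in untrusted:
            continue
        ip = parse_ipv4(frame)
        if not ip or ip[2] != CARP_PROTO:
            continue
        hdr = parse_carp(ip[3])
        if hdr and hdr["version"] == 2 and hdr["type"] == 1:
            leaks.append({"iface": iface, "src": str(ip[0]), "dst": str(ip[1]), **hdr})
    return leaks

# Constructed sample traffic: a CARP advertisement (vhid 1, advbase 1s) and an ICMP echo,
# both seen on the hypothetical WAN "em0", plus the same advertisement on the LAN "em1".
def _frame(src, dst, proto, payload):
    eth = b"\x01\x00\x5e\x00\x00\x12" + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 255, proto, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return eth + ip + payload

CARP_ADV = struct.pack("!BBBBBBHQ", 0x21, 1, 0, 7, 0, 1, 0, 42) + b"\x00" * 20  # version 2, type 1
SAMPLE_FRAMES = [
    ("em0", _frame("203.0.113.1", "224.0.0.18", CARP_PROTO, CARP_ADV)),
    ("em0", _frame("203.0.113.1", "203.0.113.9", 1, b"\x08\x00" + b"\x00" * 6)),
    ("em1", _frame("192.168.1.1", "224.0.0.18", CARP_PROTO, CARP_ADV)),
]

if __name__ == "__main__":
    for hit in find_carp_leaks(SAMPLE_FRAMES, {"em0"}):
        print(f"CARP advertisement on untrusted {hit['iface']}: src={hit['src']} vhid={hit['vhid']}")
```

An empty result on the external interface is what you want to see after disabling CARP; anything else is worth raising upstream with the vhid and source address attached.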