I think you will find that since CARP is communicated with multicast, your rules are not behaving as you think.

They are allowing the outbound transmissions, but since you are not establishing tcp sessions the keep state does not do what you want.

Try explicitly allowing in protocol carp.

What I do is this:

pass out quick proto carp
pass in quick proto carp
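As an added example (written here, not the ruleset of either poster), a minimal pf.conf for a CARP/pfsync pair that replaces the per-interface "proto carp keep state" rules from the original post with the explicit pass rules suggested above, keeping the original post's interface names and TCP rules:

```pf
# Constructed example pf.conf for a CARP/pfsync firewall pair.
# Interface names and addresses are taken from the original post.
adsl_if   = "em2"
int_if    = "em0"
pfsync_if = "bge0"

scrub in
set skip on lo

# "log" makes every blocked packet visible on pflog0 for troubleshooting.
block in log

# Original form, kept here only for comparison:
#   pass on { $int_if }  proto carp keep state
#   pass on { $adsl_if } proto carp keep state
# CARP advertisements are IP protocol 112 sent to the 224.0.0.18
# multicast group, so there is no session for state tracking to follow.

# Replacement: match CARP explicitly in both directions and stop rule
# evaluation there, so "block in" above can never catch an advertisement.
pass out quick proto carp
pass in  quick proto carp

# State synchronisation between the two firewalls over the dedicated link.
pass quick on $pfsync_if proto pfsync

# Internal SSH access to this firewall's own address.
pass in on $int_if proto tcp to ($int_if) port ssh keep state

# The internal host that must reach the ADSL-side address.
pass in on $int_if proto tcp from 172.16.2.34 to 192.168.249.3 keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, then watch `tcpdump -n -e -ttt -i pflog0` to confirm that no CARP advertisements (destination 224.0.0.18) and none of the TCP return packets are still being blocked.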

Gordon Ross wrote:
I've got two OBSD 4.1 boxes. They are set up identically, and I'm using CARP (&
pfsync) to obtain a redundant firewall. I appear to have CARP working fine. My
problem is when I enable pf. The initial TCP packet goes through fine, but the
return packet gets blocked. (I have verified this by putting "LOG" entries in
my ruleset.) If I disable PF, everything works fine.

Cutting down the pf ruleset to the bare minimum, I have:

adsl_if="em2"
int_if="em0"
pfsync_if="bge0"

scrub in
set skip on lo

block in

#These three lines allow the failover mechanisms to work
pass on { $int_if } proto carp keep state
pass on { $adsl_if } proto carp keep state
pass quick on { $pfsync_if } proto pfsync

#Allow internal people to SSH in.
pass in on $int_if proto tcp to ($int_if) port ssh keep state

#ICMP
pass in proto icmp to <me>

pass in on $int_if proto tcp from 172.16.2.34 to 192.168.249.3 keep state

With this config, 172.16.2.34 cannot make a TCP connection to 192.168.249.3.

What stupid thing have I missed?

For reference, below are the details of the carp & em interfaces. If anything
else is needed, let me know.

Thanks,

GTG


# ifconfig carp0
carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:01
        carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 0
        groups: carp
        inet 192.168.253.253 netmask 0xffffff00 broadcast 192.168.253.255
        inet6 fe80::200:5eff:fe00:101%carp0 prefixlen 64 scopeid 0xb
# ifconfig carp2
carp2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:03
        carp: MASTER carpdev em2 vhid 3 advbase 1 advskew 0
        groups: carp
        inet6 fe80::200:5eff:fe00:103%carp2 prefixlen 64 scopeid 0xc
        inet 192.168.249.253 netmask 0xffffff00 broadcast 192.168.249.255
# ifconfig em0
em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:1b:21:01:c8:30
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 192.168.253.20 netmask 0xffffff00 broadcast 192.168.253.255
        inet6 fe80::21b:21ff:fe01:c830%em0 prefixlen 64 scopeid 0x3
# ifconfig em2
em2: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:1b:21:01:c8:32
        media: Ethernet autoselect (100baseTX full-duplex,rxpause,txpause)
        status: active
        inet 192.168.249.251 netmask 0xffffff00 broadcast 192.168.249.255
        inet6 fe80::21b:21ff:fe01:c832%em2 prefixlen 64 scopeid 0x5