I have written my first real (I've toyed around quit a bit) set of pf
rules and I was wondering if people on the list would take a minute or
two (ok maybe more than that actually) to evaluate them and let me and
other n00bs to pf, know if I have come even close to what a
complete/sane/efficient set of rules should contain (or more than what
it should contain for that matter). I have tried to be concise with my
rules and i also tried to comment on the rules as much as possible so
any reasoning for a rule will hopefully be there. If it matters I have
pasted my dmesg at the bottom so all hardware info will be there. This
is a completely stock install of 4.2.
Thanks in advance and thanks for a great OS.
Aaron.
PF.CONF
#
# TB firewall configuration file.
# Pleas append modification dates/time/explanations at the end of this
# section in a line preceded with a # mark, each change on a new line.
#
#
# PF enabled in /etc/rc.conf.local "pf=YES"
# Remember, to make this machine work as a gateway
# using carp interfaces that assume command
# you have to tweak sysctl:
# net.inet.ip.forwarding=1
# net.inet.carp.allow=1
# net.inet.carp.preempt=1
# net.inet.carp.log=1
#
# Since we use host names in this file
# you will need to keep the /etc/hosts file
# up to date.
#
# To show the effective pf-rules:
# pfctl -s rules
#
# To reload your ruleset:
# pfctl -Rf /path/to/ruleset
#
# To flush your ruleset:
# pfctl -F all
#
# To flush just states:
# pfctl -Fs
#
# To test your changes before reloading ruleset:
# pfctl -nf /etc/pf.conf
# pfctl -nvf /etc/pf.conf (more verbose)
#
#
# change:11/25/07:22:30- added <sshbruteforce> table to handle overload of
# brute force ssh and telnet traffic.
#
#
# PHRASE MACROS
#
bio = "block in on"
bolo = "block out log on"
boo = "block out on"
bilo = "block in log on"
bilqo = "block in log quick on"
biqo = "block in quick on"
fat = "from any to"
fata = "from any to any"
pio = "pass in on"
poo = "pass out on"
pqo = "pass quick on"
pilo = "pass in log on"
pilqo = "pass in log quick on"
piqo = "pass in quick on"
#ip = "inet proto"
ms = "modulate state"
tu = "{ tcp udp }"
icmpt = "icmp-type echoreq"
# INTERFACE MACROS
# Local interfaces and addresses
wanp_if = "fxp0" # san0 without cisco
wanp_ip = "fxp0" # san0 without cisco
#wanp = "san0"
wanb_if = "fxp1"
wanb_ip = "fxp1"
wan_ifs = "{ fxp0 fxp1 }" # different with san
#wan_ifs = "{ san0 fxp1 }"
wanp_carp_if = "carp0" # this won't exist with san
wanp_carp_ip = "carp0" # this won't exist with san
wanb_carp_if = "carp1"
wanb_carp_ip = "carp1"
wan_carp_ifs = "{ carp0 carp1 }"
wan_carp_ips = "{ carp0 carp1 }"
carp_ifs = "{ carp0 carp1 carp2 carp3 }"
carp_ips = "{ carp0 carp1 carp2 carp3 }"
dmz_carp_if = "carp2"
dmz_carp_ip = "carp2"
lan_carp_if = "carp3"
lan_carp_ip = "carp3"
dmz_if = "fxp2"
dmz_ip = "fxp2"
dmz_net = "carp2:network"
lan_if = "fxp3"
lan_ip = "fxp3"
lan_net = "carp3:network"
pfsync_if = "rl0"
pfsync_ip = "rl0"
web_servers = "{ gargoyle smtp-out scrappy }"
smtp_servers = "{ gargoyle }"
lan_smtp_servers= "{ gargoyle smtp-out }"
dns_servers = "{ ns1 ns2 }"
ftp_servers = "{ ftp tbcnexpress }"
ext_dns_servers = "{ 20.70.3.56 2.70.46.6 }"
ext_time_servers= "{ pool.ntp.org }"
vpnsgb_net = "192.168.1.0/24"
vpnrw_net = "10.4.0.0/24"
vpnnoc_net = "10.5.0.0/24"
vpntunnel_net = "10.3.0.0/24"
sgbpub_ips = "{ 10.123.123.135 12.123.123.59 }"
noc_ips = "{ 3.4.5.128 5.4.6.68 5.4.6.69 }"
ori_ips = "1.2.3.184"
tbcn_ssh = "1068"
topform_ssh = "1055"
#freehosts = "{ joe mike sam }"
# Lists
# These are ports we don't want to let in as destination ports. We
don't have
# any servies, including ftp that will use these as we assign a range
for ftp
# ports.
specialports_tcp= "{ 6670 1243 27374 6711:6713 12345:12346 20034 137:139
445 55117 1080 }"
# 1080=SubSeven 2.2/WinHole 1243=SubSevenApocalypse # # #
specialports_udp= "{ 1243 27374 28431 31337:31338 137:139 445 1900 67 68 }"
#
# client out macros
# ports that the lan clients are allowed out on. Lan machines don't need
# to connect to the internet on smtp and a lot
# of other ports that are for games
# or chatting only.
lan_dmz_tcp = "{ www https ssh telnet ftp imap imaps 10000
47568 8081 ntp 4444 5555 }"
lan_dmz_udp = "{ ntp 1195 }"
lan_out_tcp = "{ www https ssh telnet ftp ntp }"
lan_out_udp = "{ ntp }"
# let the vpn come into the lan for remote desktop. anything else needs
# to be specifically requested.
vpn_lan = "3389"
# 3389=rdp protocol for remote desktop
#
# **** TABLES ****
# Tables are similar to lists however they don't suffer from the problem
# of negated lists and they are faster on lookups while using less
# memory.
#
# Local nets minus the firewall interface
table <dmz_hosts> const { $dmz_carp_if:network !carp2 }
table <lan_hosts> const { $lan_carp_if:network !carp3 }
table <internet> persist { !$dmz_net !self !$lan_net }
table <bogons> const persist file "/etc/pf/tables/bogon-bn-nonagg.txt"
table <badguys> persist
table <dmz_badguys> persist
table <sshbruteforce> persist
# List of ips collected on ftp machine of people
# trying to log into administrator and inetuser accts
# which we don't have.
table <ftpbreakins> persist file "/etc/pf/tables/ftpbreaks"
#
#
# Rules set options
#
#
set limit { states 20000, frags 10000 }
set block-policy drop
set timeout { frag 10 tcp.established 3600 }
set skip on lo
set fingerprints "/etc/pf.os"
#
# Normalization
#
# scrub out on { $wan_carp_ifs } random-id # (use modulate state out
instead)
# can't do macro expansion so have to spread this over 3 lines
scrub in on $carp_ifs random-id
scrub in on $wan_ifs random-id
scrub in on { $lan_if $dmz_if } random-id
##########################################################
#
# Translation
#
##########################################################
##########################################
#
# Nat the LAN out
#
##########################################
nat on $wanp_if inet from <lan_hosts> to any -> $wanp_carp_ip
nat on $wanb_if inet from <lan_hosts> to any -> $wanb_carp_ip
#############################################
#
# Internet to lan redirections (BADDDD IDEA)
#
#############################################
rdr on $wan_ifs proto tcp $fat tal_rts port { www 4444 } -> 192.168.47.8
rdr on $wan_ifs proto tcp $fat bec port www -> 192.168.47.5
##############################################
# Root DNS servers are better than our ISP's.
# cache it too for faster lookups.
##############################################
rdr pass on $lan_if proto $tu from <lan_hosts> to any port domain ->
127.0.0.1
########################################
#
# FTP-PROXY
# Remember to add ftp line to rc.conf.local
# ftpproxy_flags="-T "ftproxied" -t 14400 -v"
#########################################
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr on $wan_ifs proto tcp from <internet> to ftp_servers port 21 ->
127.0.0.1 port 8021
rdr on $lan_if proto tcp from <lan_hosts> to any port 21 -> 127.0.0.1
port 8021
##########################################################
#
# FILTER RULES
#
############################################################
######################################################
# default rule.. block everything
######################################################
block log label catchall
#antispoof for self
block in quick from urpf-failed
#############################################################
# Block these quick, we know they are bad
##############################################################
$bilqo $wan_ifs from <ftpbreakins>
$bilqo $wan_ifs from <sshbruteforce>
# We don't do ipV6
block quick inet6
#############################################################
# Block people port scanning us
############################################################
$bilqo $wan_carp_ifs from <internet> os nmap
$bilqo $wan_ifs from <internet> os nmap
#############################################################
# Block ident but send reset so connection can procoeed
############################################################
block return in on $wan_ifs proto tcp $fata port auth
block return in on $lan_if proto tcp from <lan_hosts> port auth
########################################
# Make sure to let carp and pfsync through
########################################
$piqo $carp_ifs proto carp
$piqo $pfsync_if proto pfsync
############################################################
# catch bad guys doing ssh brute force to port 22
# The addresses caught are cleared every 3 days
# if counters for the ip aren't cleared. The job
# that removed addreses is.
# 1 * */3 * * /sbin/pfctl -t sshbruteforce -T expire 259200
############################################################
pass in on fxp0 proto tcp from any to any port { ssh telnet }keep state
(max-src-conn 1, max-src-conn-rate 1/60, overload <sshbruteforce> flush
global)
######################################################
# block bogons in and out of the ext interfaces.
######################################################
$bolo $wan_ifs from <bogons> label bogons_out
$bilqo $wan_ifs from <bogons> label bogons_in
######################################################
# block and log ports that shouldn't be coming
# into our network from the internet
# but not quick in case we want to let them in specifically later.
######################################################
$bilo $wan_ifs proto tcp $fata port $specialports_tcp label
"specialports TCP"
$bilo $wan_ifs proto udp $fata port $specialports_udp label
"specialports UDP"
######################################################
# Self out and already filtered connections out
#####################################################
$poo $wan_ifs proto tcp from { <lan_hosts> <dmz_hosts> } to <internet> $ms
$poo $wan_ifs proto { udp icmp } from { <lan_hosts> <dmz_hosts> } to
<internet>
$poo $dmz_if from { <internet> <lan_hosts> } to <dmz_hosts>
# already filtered, but paranoid
$poo $lan_if proto tcp from ovpn to <lan_hosts> port $vpn_lan
#############################################################
# Redirected traffic from internet to lan **BAD BAD BAD****
############################################################
$poo $lan_if proto tcp from <internet> to { bec_inside tal_inside } port
www tagged BEC-TAL
$poo $lan_if proto tcp from <internet> to tal_inside port 4444 $ms
tagged TAL
# Allow the ftp proxied traffic out on lo to ftp servers
pass out quick on $dmz_if proto tcp from lo0 to $ftp_servers tagged
ftproxied
# Allow firewall to troubleshoot network
$poo self proto icmp from $carp_ifs to any $icmpt
#############################################################################
# Into the firewall
############################################################################
# Other's can ping us, but not too fast
# had to add the inet lines because got errors w/o it.
# pf.sanitized:332: proto icmp doesn't match address family inet6
# pf.sanitized:332: skipping rule due to errors
# pf.sanitized:332: proto icmp doesn't match address family inet6
# pf.sanitized:332: skipping rule due to errors
$pio $wan_carp_ifs inet proto icmp from <internet> to $wan_carp_ips
$icmpt keep state \
(max-src-nodes 30, max-src-states 10, max-src-conn-rate 2/1, overload
<badguys> flush global)
# Let the dmz ping us as well
$pio $dmz_carp_if inet proto icmp from <dmz_hosts> to $dmz_carp_ip
$icmpt keep state \
(max-src-nodes 30, max-src-states 10, max-src-conn-rate 2/1, overload
<dmz_badguys> flush global)
# Yup, the lan can ping us too
$pio $lan_carp_if inet proto icmp from <lan_hosts> to $lan_carp_ip $icmpt
########################################
# Let the lan roam
########################################
# The lan can get email from the dmz
$pio $lan_if proto tcp from <lan_hosts> to gargoyle port { imap imaps } $ms
# The lan can send mail to the dmz
$pio $lan_if proto tcp from <lan_hosts> to $smtp_servers port smtp $ms
# The lan can check tbcn web pages
$pio $lan_if proto tcp from <lan_hosts> to $web_servers port { www https
} $ms
# The lan can telnetand ssh to topform but they should really ssh there
$pio $lan_if proto tcp from <lan_hosts> to topform port { telnet ssh } $ms
# The lan can ftp into the dmz
$pio $lan_if proto tcp from <lan_hosts> to lo0 port 8081 $ms
# don't forget to add the lo0 out dmz tagged ftproxied for
# The lan can go to webmin on the dmz
$pio $lan_if proto tcp from <lan_hosts> to <dmz_hosts> port 10000 $ms
# The lan can go anywhere on the internet
$pio $lan_if proto tcp from <lan_hosts> to <internet> port $lan_out_tcp $ms
$pio $lan_if proto udp from <lan_hosts> to <internet> port $lan_out_udp
$pio $lan_if inet proto icmp from <lan_hosts> to <internet> $icmpt
#$piqo $lan_if proto tcp from $freehosts to any $ms
#$piqo $lan_if proto { udp icmp } from $freehosts to any
##########################################
#
# Dmz needs to breath too
#
##########################################
# let dmz get their own dns and time syncs
$pio $dmz_if proto tcp from <dmz_hosts> to $ext_dns_servers port domain $ms
$pio $dmz_if proto udp from <dmz_hosts> to $ext_dns_servers port domain
$pio $dmz_if proto tcp from <dmz_hosts> to $ext_time_servers port ntp $ms
$pio $dmz_if proto udp from <dmz_hosts> to $ext_time_servers port ntp
# gargoyle mail out
$pio $dmz_if proto tcp from $lan_smtp_servers to <internet> port smtp $ms
# gargoyle getting blacklist updates
$pio $dmz_if proto tcp from $smtp_servers to
www.sa-blacklist.stearns.org port rsync $ms
# gargoyle getting clamav updates
$pio $dmz_if proto tcp from $smtp_servers to db.us.clamav.net port www $ms
# gargoyle getting weather data for webmail
$pio $dmz_if proto tcp from $smtp_servers to www.weather.com port www $ms
# DMZ machine updates
$pio $dmz_if proto tcp from <dmz_hosts> to mirror.centos.org port www
# VPN machine to lan
$pio $dmz_if proto tcp from ovpn to <dmz_hosts> port $vpn_lan
# Troubleshooting connectivity, ping helps.
$pio $dmz_if inet proto icmp from <dmz_hosts> to <internet> $icmpt keep
state \
(max-src-nodes 30, max-src-states 10, max-src-conn-rate 2/1, overload
<dmz_badguys> flush)
########################################
#
# Let outside people use us
#
########################################
######################################################
# Ftp Servers
#####################################################
anchor "ftp-proxy/*"
$pio $wan_ifs proto tcp from <internet> to lo0 port 8081 $ms
#FTPS for express
$pio $wan_ifs proto tcp from <internet> to tbcnexpress port ssh $ms
$pio $wan_ifs proto tcp from <internet> to tbcnexpress port 8000:8010 $ms
#######################################################
# WEB SERVERS
########################################################
$pio $wan_ifs proto tcp to $web_servers port { www https } $ms
########################################################
# mail coming but not from win95 and 98
########################################################
$pio $wan_ifs proto tcp $fat $smtp_servers port smtp $ms \
(max-src-conn 50, max-src-conn-rate 50/5, overload <badguys> flush)
# figure out how/what OS to put here to block non-Server MS
# boxes from sending email to us. will hopefully block a lot of spam
# if i use the "Windows" from pfctl -os will it block ALL versions of
windozzzze?
$bilqo $wan_ifs proto tcp from <internet> $smtp_servers port smtp os \
{ "Windows 95" "Windows 95 b" "Windows 95 winsock2" "Windows 98" \
"Windows 98 lowTTL" "Windows 98 noSack" "Windows 98 RFC1323" \
"Windows CE" "Windows CE 2.0" "Windows ME" "Windows XP" \
"Windows XP cisco" "Windows XP RFC1323" "Windows XP SP1" \
"Windows XP SP3" }
#######################################################
# WEB SERVERS
########################################################
$pio $wan_ifs proto tcp to $web_servers port { www https } $ms
###########################################################
# SSH into dmz
###########################################################
# Allow ori and myself to dmz hosts via ssh
$pio $wan_ifs proto tcp from { $ori_ips $noc_ips } to <dmz_hosts> port {
$tbcn_ssh ssh }$ms
# Allow ssh to topform from topform guys
#$pio $wan_ifs proto tcp from <ip of top guys> to topform port
topform_ssh $ms
##########################################################
# VPN from everywhere
##########################################################
# SGB - TB ptp vpn
$pio $wan_ifs proto udp from ovpnsgb port 1194 to ovpn port 1194
# Road Warrior and me vpn.
$pio $wan_ifs proto udp from <internet> to ovpn port { 1195 1196 }
##########################################################
# DNS service
#########################################################
$pio $wan_ifs proto tcp from <internet> to $dns_servers port domain $ms
$pio $wan_ifs proto udp from <internet> to $dns_servers port domain
########################################################
#
# Redirects from outside to lan servers
# *** STILL *** a VERY bad idea
# These are older IIS machines, and i thought about synproxying
# state, but even though i'm trying to protect the network
# I would hate to compromise the firewall to do it.
#######################################################
$pilo $wan_ifs proto tcp from <internet> to { bec_inside tal_inside }
port www $ms tag BEC-TAL
$pilo $wan_ifs proto tcp from <internet> to tal_inside port 4444 $ms tag TAL
-------------------------------------------------------
END OF PF.CONF
I do have one routing situation that I didn't put into this rule set
yet, I wanted to see if I had set up a sane rule set before dealing
w/the routing. I have 2 isps and on my dmz interface i have one real
address and an alias. I need to make sure that reply traffic coming
into my dmz gets routed out the ISP it came in on. I have planned on
handling that with the following:
R1 ------- R1 - Router 1 R2 - Router 2
\ S - Server PF - Firewall
PF ------- S
/
R2 -------
Let's say incoming request to S comes from either R1 or R2 and must use
the same return path.
Here is what I would do (dug up from my memory), with OpenBSD 4.2 (which
doesn't require flags and keep state) :
% pass in on $r1_if proto tcp to $s port http tag "okR1"
% pass in on $r2_if proto tcp to $s port http tag "okR2"
% pass out on $s_if reply-to ($r1_if $r1_ip) all tagged "okR1"
% pass out on $s_if reply-to ($r2_if $r2_ip) all tagged "okR2"
(snagged from the archives, thanks Jeremie)
Thanks again to anyone who took the time to have a look.
Aaron
OpenBSD 4.2 (GENERIC) #375: Tue Aug 28 10:38:44 MDT 2007
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Celeron(R) CPU 2.00GHz ("GenuineIntel" 686-class) 2 GHz
cpu0:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,CNXT-ID
real mem = 536440832 (511MB)
avail mem = 511070208 (487MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 07/22/03, BIOS32 rev. 0 @ 0xfb160,
SMBIOS rev. 2.3 @ 0xf0800 (38 entries)
bios0: vendor Award Software International, Inc. version "6.00 PG" date
07/22/2003
bios0: Supermicro P4SDA
apm0 at bios0: Power Management spec V1.2
apm0: AC on, battery charge unknown
apm0: flags 70102 dobusy 1 doidle 1
pcibios0 at bios0: rev 2.1 @ 0xf0000/0xdf84
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfdec0/192 (10 entries)
pcibios0: PCI Exclusive IRQs: 3 5 7 9 10 11
pcibios0: PCI Interrupt Router at 000:31:0 ("Intel 82371SB ISA" rev 0x00)
pcibios0: PCI bus #2 is the last bus
bios0: ROM list: 0xc0000/0x10000 0xd0000/0x1800 0xd2000/0x1800
0xd4000/0x1800
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel 82845 Host" rev 0x04
ppb0 at pci0 dev 1 function 0 "Intel 82845 AGP" rev 0x04
pci1 at ppb0 bus 1
vga1 at pci1 dev 0 function 0 "SiS 300/305/630 VGA" rev 0x90: aperture
at 0xe0000000, size 0x400000
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
ppb1 at pci0 dev 30 function 0 "Intel 82801BA AGP" rev 0x05
pci2 at ppb1 bus 2
san0 at pci2 dev 0 function 0 "Sangoma A10x" rev 0x00 irq 9
fxp0 at pci2 dev 1 function 0 "Intel 8255x" rev 0x10, i82551: irq 3,
address 00:0e:0c:74:6d:61
inphy0 at fxp0 phy 1: i82555 10/100 PHY, rev. 4
fxp1 at pci2 dev 2 function 0 "Intel 8255x" rev 0x10, i82551: irq 7,
address 00:0e:0c:3b:3f:2e
inphy1 at fxp1 phy 1: i82555 10/100 PHY, rev. 4
fxp2 at pci2 dev 3 function 0 "Intel 8255x" rev 0x10, i82551: irq 5,
address 00:0e:0c:74:6d:a2
inphy2 at fxp2 phy 1: i82555 10/100 PHY, rev. 4
fxp3 at pci2 dev 4 function 0 "Intel 8255x" rev 0x08, i82559: irq 10,
address 00:03:47:b1:2c:c4
inphy3 at fxp3 phy 1: i82555 10/100 PHY, rev. 4
rl0 at pci2 dev 5 function 0 "Realtek 8139" rev 0x10: irq 11, address
00:50:bf:72:51:c9
rlphy0 at rl0 phy 0: RTL internal PHY
ichpcib0 at pci0 dev 31 function 0 "Intel 82801BA LPC" rev 0x05: 24-bit
timer at 3579545Hz
pciide0 at pci0 dev 31 function 1 "Intel 82801BA IDE" rev 0x05: DMA,
channel 0 wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 0: <ACCUSYS ACS75130 1.4>
wd0: 16-sector PIO, LBA48, 38166MB, 78165360 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
atapiscsi0 at pciide0 channel 1 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: <SAMSUNG, CD-ROM SH-152A, C504> SCSI0
5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, Ultra-DMA mode 2
uhci0 at pci0 dev 31 function 2 "Intel 82801BA USB" rev 0x05: irq 7
ichiic0 at pci0 dev 31 function 3 "Intel 82801BA SMBus" rev 0x05: irq 9
iic0 at ichiic0
uhci1 at pci0 dev 31 function 4 "Intel 82801BA USB" rev 0x05: irq 11
isa0 at ichpcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pms0 mux 0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: <PC speaker>
spkr0 at pcppi0
lm0 at isa0 port 0x290/8: W83627HF
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: 1.44MB 80 cyl, 2 head, 18 sec
usb0 at uhci0: USB revision 1.0
uhub0 at usb0: Intel UHCI root hub, rev 1.00/1.00, addr 1
usb1 at uhci1: USB revision 1.0
uhub1 at usb1: Intel UHCI root hub, rev 1.00/1.00, addr 1
biomask ebc5 netmask efed ttymask ffef
pctr: user-level cycle counter enabled
mtrr: Pentium Pro MTRR support
dkcsum: wd0 matches BIOS drive 0x80
root on wd0a swap on wd0b dump on wd0b
carp: carp1 demoted group carp to 129
