-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sun, 12 Dec 2004 10:54:28 -0500
Jason Dixon <[EMAIL PROTECTED]> wrote:

> On Dec 12, 2004, at 8:54 AM, ed wrote:
>
> > Anyway, I have a /etc/pf.conf file which was originally for a single
> > firewall, which worked for a normal layout with two interfaces. I am
> > now attempting to do the following:
> > [snip]
> > The two boxes have two interfaces, although most documentation
> > suggests using a third interface with cross over, which I don't
> > currently have.
>
> It's not a requirement; I've sent pfsync traffic across the int_if,
> but it's not ideal.
>
> > My existing firewall script allows access to 83.146.42.164 and
> > 83.146.42.165, should I be treating incoming packets as packets for
> > 83.146.42.163/4, or 83.146.42.165?
>
> You can filter on all of them. The "real" address on each interface
> still allows dedicated access to each firewall. However, when
> filtering traffic across CARP virtual interfaces, remember that you
> filter on the PHYSICAL interface (fxp0), not on the virtual interface
> (carp0).
>
> > Is it possible to provide two CARP interfaces over the fxp0 like I
> > have, and if I do, will it work as intended?
>
> Yes, I've done many CARP interfaces using aliases on a single physical
> interface.
>
> > Needless to say, what I am trying to do has not worked.
>
> Without providing your configuration (hostname.*, pf.conf), it's
> impossible to help you. It would also help to know what
> troubleshooting you've already tried and what errors/failures you've
> encountered.

Sorry for this lengthy reply, I hope you all can forgive me for this, but
as I am but a beginner with PF/CARP I hope we can avoid hostility.

I have two boxes, with similar configs, on IP addresses 10.10.1.131 and
10.10.1.134, both /16.

-------- 10.10.1.131 ------------

cat /etc/pf.conf
# $OpenBSD: pf.conf,v 1.27 2004/03/02 20:13:55 cedric Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.

# -( pf.conf )-
# Written by Ed Neville for @UK PLC.
# Takes a /28 and distributes to NATed clients
# Forwards on ports 22 (ssh), 25 (mail), 80 (web), 110 (pop), 113 (auth)
# and 143 (IMAP)
# FTP sesame can provide outgoing FTP, from NAT computers in either
# ACTIVE or PASSIVE transfer. Not tested.
# FTP sesame SHOULD give FTP access to computers in DMZ, tested and does
# not work using config example 2.
# BINAT to computers where FTP is required.
# based on some work in the post of
# http://archives.neohapsis.com/archives/openbsd/2004-01/0417.html

# macro definitions
loif="lo0"
ext_if="{ dc0,carp1 }"
int_if="{ fxp0,carp0 }"
IP="83.146.42.171"

# External Addresses
BIP1="83.146.42.163"
BIP2="83.146.42.164"
CARP0="83.146.42.172"

# Internal Address
LAN="10.10.0.0/16"

# External NATs
MAIL0="192.168.1.32"
WEB0="10.10.1.250"
NS0="192.168.1.33"
FTP0="192.168.1.38"
SSH0="10.10.1.250"

#tcp_services = "{ 22, 25, 80, 110, 113, 143 }"

# Services
FTP=21
SSH=22
MAIL=25
WEB=80
POP=110
IMAP=143
NS=53

#table <spamd> persist
#table <spamd-white> persist

scrub in

# nat rules
#binat on $ext_if proto {tcp, icmp, udp} from $NS0 to any -> $BIP1
# rdr on $ext_if inet proto tcp from any to $BIP1 port $MAIL -> $MAIL0 port $MAIL
nat on $ext_if from $LAN to any -> $CARP0

# blocking rules
# block all
block log all
block drop in quick on $ext_if from $LAN to any
block drop out quick on $ext_if from any to $LAN

pass in on $ext_if proto tcp from any to $MAIL0 port $MAIL flags S/SA synproxy state
pass in on $ext_if proto tcp from any to $WEB0 port $WEB flags S/SA synproxy state
pass in on $ext_if proto tcp from any to $IP port $SSH flags S/SA synproxy state
pass in on $ext_if proto tcp from any to $FTP0 port $FTP flags S/SA
pass in on $ext_if proto tcp from any to $NS0 port $NS flags S/SA synproxy state
pass in on $ext_if proto udp from any to $NS0 port $NS keep state
pass in on $ext_if proto tcp from any to $FTP0 port { 1:65535 } flags S/SAFR synproxy state

# let internal traffic out
pass in quick on lo0 all
pass out quick on lo0 all
#pass in on $int_if from $int_if:network to any keep state
#pass out on $int_if from any to $int_if:network keep state
pass in on $int_if from $LAN to any keep state
pass out on $int_if from any to $LAN keep state
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto {udp, icmp} all keep state
pass in proto carp keep state
pass quick proto pfsync

# for i in `ls /etc/hostname.*` ; do echo $i ; cat $i ; done ;
/etc/hostname.carp0
inet 10.10.5.1 255.255.0.0 10.10.255.255 vhid 1 pass 3Waster
/etc/hostname.carp1
inet 83.146.42.172 255.255.255.240 83.146.42.175 vhid 2 pass 3Waster
/etc/hostname.dc0
inet 83.146.42.171 255.255.255.240 NONE
/etc/hostname.fxp0
#inet 10.10.1.251 255.255.0.0 NONE
#dhcp NONE NONE NONE
inet 10.10.1.131 255.255.0.0 NONE
/etc/hostname.pfsync
up syncif fxp0

----------- 10.10.1.134 -------------

cat /etc/pf.conf
# $OpenBSD: pf.conf,v 1.27 2004/03/02 20:13:55 cedric Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.

# -( pf.conf )-
# Written by Ed Neville for @UK PLC.
# Takes a /28 and distributes to NATed clients
# Forwards on ports 22 (ssh), 25 (mail), 80 (web), 110 (pop), 113 (auth)
# and 143 (IMAP)
# FTP sesame can provide outgoing FTP, from NAT computers in either
# ACTIVE or PASSIVE transfer. Not tested.
# FTP sesame SHOULD give FTP access to computers in DMZ, tested and does
# not work using config example 2.
# BINAT to computers where FTP is required.
# based on some work in the post of
# http://archives.neohapsis.com/archives/openbsd/2004-01/0417.html

# macro definitions
loif="lo0"
ext_if="{ sis0,carp1 }"
int_if="{ fxp0,carp0 }"
IP="83.146.42.174"

# External Addresses
BIP1="83.146.42.163"
BIP2="83.146.42.164"
CARP0="83.146.42.172"

# Internal Address
LAN="10.10.0.0/16"

# External NATs
MAIL0="192.168.1.32"
WEB0="10.10.1.250"
NS0="192.168.1.33"
FTP0="192.168.1.38"
SSH0="10.10.1.250"

#tcp_services = "{ 22, 25, 80, 110, 113, 143 }"

# Services
FTP=21
SSH=22
MAIL=25
WEB=80
POP=110
IMAP=143
NS=53

#table <spamd> persist
#table <spamd-white> persist

scrub in

# nat rules
#binat on $ext_if proto {tcp, icmp, udp} from $NS0 to any -> $BIP1
# rdr on $ext_if inet proto tcp from any to $BIP1 port $MAIL -> $MAIL0 port $MAIL
nat on $ext_if from $LAN to any -> $CARP0

# blocking rules
# block all
block log all
block drop in quick on $ext_if from $LAN to any
block drop out quick on $ext_if from any to $LAN

#pass in on $ext_if proto tcp from any to $MAIL0 port $MAIL flags S/SA synproxy state
#pass in on $ext_if proto tcp from any to $WEB0 port $WEB flags S/SA synproxy state
#pass in on $ext_if proto tcp from any to $IP port $SSH flags S/SA synproxy state
#pass in on $ext_if proto tcp from any to $FTP0 port $FTP flags S/SA
#pass in on $ext_if proto tcp from any to $NS0 port $NS flags S/SA synproxy state
#pass in on $ext_if proto udp from any to $NS0 port $NS keep state
#pass in on $ext_if proto tcp from any to $FTP0 port { 1:65535 } flags S/SAFR synproxy state

# let internal traffic out
pass in quick on lo0 all
pass out quick on lo0 all
#pass in on $int_if from $int_if:network to any keep state
#pass out on $int_if from any to $int_if:network keep state
pass in on $int_if from $LAN to any keep state
pass out on $int_if from any to $LAN keep state
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto {udp, icmp} all keep state
pass in proto carp keep state
pass quick proto pfsync

# for i in `ls /etc/hostname.*` ; do echo $i ; cat $i ; done ;
/etc/hostname.carp0
inet 10.10.5.1 255.255.0.0 10.10.255.255 vhid 1 pass 3Waster
/etc/hostname.carp1
inet 83.146.42.172 255.255.255.240 83.146.42.175 vhid 2 pass 3Waster
/etc/hostname.fxp0
#dhcp NONE NONE NONE
inet 10.10.1.134 255.255.0.0 NONE
/etc/hostname.pfsync
up syncif fxp0
/etc/hostname.sis0
inet 83.146.42.174 255.255.255.240 NONE

-- 
Regards. Please note, my PGP key ID has changed.
If you are planning on sending me something encrypted
please update your keyring. Debian/OpenBSD. 53C9FC6C.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBv1UDjtZArFPJ/GwRAvLvAJ4rP8xsdKEqByFuvgYB/sU6+oeaaACfXCgK
xUlVkt6u/3/1m42sft7Z0Y4=
=Ai4h
-----END PGP SIGNATURE-----
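When two boxes share CARP interfaces the way ed's do, the first thing worth verifying is that both hostname.carpN files agree on address, vhid and shared secret, and that no host reuses a vhid. The script below is an added example, not code from the thread or from OpenBSD; it parses the "inet <addr> <mask> <bcast> vhid <n> pass <secret> [advskew <n>]" form seen in the mail above, using a constructed "<host> <iface> <contents>" layout (one line per file) as input. The carp_check function and the CARP_PAIR / CARP_BROKEN sample sets are assumptions of this example; CARP_PAIR is copied from the two configs above, CARP_BROKEN is a constructed pair with a secret mismatch and a duplicated vhid.

```shell
#!/bin/sh
# Added example (not from the thread): consistency check for the
# hostname.carpN files of a two-box CARP pair.

# Constructed sample: one line per file, "<host> <iface> <file contents>",
# taken from the two configs quoted in the mail.
CARP_PAIR='
131 carp0 inet 10.10.5.1 255.255.0.0 10.10.255.255 vhid 1 pass 3Waster
131 carp1 inet 83.146.42.172 255.255.255.240 83.146.42.175 vhid 2 pass 3Waster
134 carp0 inet 10.10.5.1 255.255.0.0 10.10.255.255 vhid 1 pass 3Waster
134 carp1 inet 83.146.42.172 255.255.255.240 83.146.42.175 vhid 2 pass 3Waster
'

# Constructed broken pair: carp1 secrets differ and host B reuses vhid 1.
CARP_BROKEN='
A carp0 inet 10.10.5.1 255.255.0.0 10.10.255.255 vhid 1 pass secretA
A carp1 inet 83.146.42.172 255.255.255.240 83.146.42.175 vhid 2 pass secretA
B carp0 inet 10.10.5.1 255.255.0.0 10.10.255.255 vhid 1 pass secretA
B carp1 inet 83.146.42.172 255.255.255.240 83.146.42.175 vhid 1 pass secretB
'

# carp_check DATA: prints one finding per line, exit 0 when the pair agrees.
carp_check() {
    printf '%s\n' "$1" | awk '
    NF == 0 { next }
    {
        host = $1; ifc = $2; addr = $4
        vhid = ""; secret = ""; skew = 0
        # keyword/value pairs after the address triple may come in any order
        for (i = 5; i < NF; i++) {
            if ($i == "vhid")    vhid   = $(i + 1)
            if ($i == "pass")    secret = $(i + 1)
            if ($i == "advskew") skew   = $(i + 1)
        }
        if (vhid == "" || secret == "") {
            print "MISSING " host " " ifc ": no vhid/pass"; bad = 1; next
        }
        # one host must not run two CARP interfaces with the same vhid
        if ((host, vhid) in used) {
            print "DUPVHID " host " " ifc ": vhid " vhid " already used"; bad = 1
        }
        used[host, vhid] = 1
        # the same interface on the peer must carry the same addr, vhid, secret
        sig = addr " " vhid " " secret
        if (ifc in ref) {
            if (ref[ifc] != sig) { print "MISMATCH " ifc " between hosts"; bad = 1 }
            # equal advskew (default 0) means neither box is the preferred master
            if (refskew[ifc] == skew) print "NOTE " ifc ": both hosts use advskew " skew
        } else {
            ref[ifc] = sig; refskew[ifc] = skew
        }
    }
    END { exit bad ? 1 : 0 }'
}

carp_check "$CARP_PAIR" && echo "pair consistent"
```

Run against the configs in the mail the check passes, but it prints a NOTE for carp0 and carp1 because neither box sets advskew, so there is no preferred master; a real deployment would normally set a lower advskew on the box that should be master. The check deliberately stops at the hostname files: which physical interface the rules filter on, and whether pfsync rides on the same segment as client traffic (Jason's "not ideal"), are pf.conf and topology questions it cannot see.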
