I was testing a pair of firewalls yesterday and found that there were no
issues with CARP except for ICMP echo requests not failing over when a
master fails. Are there any known issues with just using ping(8) to test
load balanced firewalls? TCP connections work just fine without problem.
Here's my configurations.
# /etc/hostname.carp0
inet 10.19.81.200 255.255.255.128 10.19.81.255 vhid 1 pass bar advskew 100
# /etc/hostname.carp1
inet 172.19.81.130 255.255.255.128 172.19.81.255 vhid 2 pass foo
# /etc/hostname.fxp0
inet 192.168.255.253 255.255.255.252 192.168.255.255 media 100baseTX mediaopt
full-duplex description "pfsync crossover"
# /etc/hostname.fxp1
inet 172.19.81.131 255.255.255.128 172.19.81.255 media 100baseTX mediaopt
full-duplex description "inside"
# /etc/hostname.pfsync0
up syncif fxp0
# /etc/hostname.xl0
inet 10.19.81.201 255.255.255.128 10.19.81.255 media 100baseTX mediaopt
full-duplex description "outside"
#; /etc/pf.conf
#;
#; variables
###################################################################
# interfaces
loopbk = "lo0"
ext_if = "xl0"
wire_if = "fxp1"
pfsync_if = "fxp0"
carp_ext_if = "carp0"
carp_int_if = "carp1"
all_if = "{" $loopbk $wire_if "}"
ipsec_if = "enc0"
# hosts
broadcast = "255.255.255.255"
# host group definitions
# service definitions
tcp_wireif = "{ ftp, ssh, www, https }"
# tables
table <admin> persist { 10.19.81.128/25, 10.13.2.0/24 }
table <bogon> persist file "/etc/bogon.txt"
# administrative aliases
aspf = "antispoof log"
bi = "block in"
bo = "block out"
bil = "block in log"
biq = "block in quick"
blk = "block"
bol = "block out log"
boq = "block out quick"
bilq = "block in log quick"
bolq = "block out log quick"
pi = "pass in"
po = "pass out"
pil = "pass in log"
piq = "pass in quick"
pol = "pass out log"
poq = "pass out quick"
pqk = "pass quick"
pilq = "pass in log quick"
polq = "pass out log quick"
ks = "keep state"
ms = "modulate state"
ss = "synproxy state"
#; behavior options
###################################################################
set loginterface $ext_if
set timeout { interval 11, frag 27 }
set limit { frags 45000, states 35000 }
set optimization normal
set block-policy return
set state-policy if-bound
set debug urgent
# scrub-a-dub-dub
scrub out all no-df random-id max-mss 1440
scrub in all no-df fragment reassemble min-ttl 2
#; network translations and redirection
###################################################################
# nat specific hard-wired hosts
nat on $ext_if from any to any -> ($ext_if)
# redirect for ftp-proxy
rdr on $wire_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
#; misc. authpf anchors
###################################################################
#binat-anchor "authpf/*"
#anchor "authpf/*"
#; rules
###################################################################
# default block-all
$blk log \
label "$if-block-log"
# pass everything on loopback
$pqk on lo0 all \
label "$if-pass"
pass quick on { $pfsync_if } proto pfsync
pass on { $ext_if, $wire_if } proto carp $ks
# block broadcast noise, but dont log
$biq on $ext_if from any to $broadcast \
label "$if-broadcast"
$biq on $ext_if from $broadcast to any \
label "$if-broadcast"
# drop bogon tables from /etc/bogon.txt
$bilq on $ext_if from <bogon> \
to any label "$if-bogon"
$bil on $wire_if from { !$wire_if:network, <bogon> } \
to any label "$if-bogon"
# prevent spoofing from this host
$bolq on $ext_if from !$ext_if \
to any label "$if-block-out"
# prevent spoofing of all interfaces
$aspf for $loopbk label "$if-antispoof"
$aspf for $ext_if label "$if-antispoof"
$aspf for $wire_if label "$if-antispoof"
# pass out packets on any interface
$poq inet proto tcp all flags S/SA label "$if-pass-synack-out" $ms
$poq inet proto udp all label "$if-pass-udp-out" $ks
$poq inet proto icmp all label "$if-pass-icmp-out" $ks
$poq all label "$if-pass-ip-out"
# allow bootp, dns lookups and ntp access (including
# sntp) to $wire_if
$pi on $wire_if inet proto udp from any \
to any port bootps label "$if-bootps-in" $ks
$pi on $wire_if inet proto udp from $wire_if:network \
to $wire_if port domain label "$if-domain-udp-in" $ks
$pi on $wire_if inet proto udp from $wire_if:network \
to $wire_if port ntp label "$if-ntp-in" $ks
# allow users to ssh into this host for future authpf
$pilq on $wire_if inet proto tcp from any \
to any port ssh label "$if-ssh-authpf-in" $ks
# icmp controls; log anything to our interfaces; pass everything else
$pil on $wire_if inet proto icmp from any \
to $wire_if icmp-type echoreq label "$if-icmp-echo" $ks
$pil on $ext_if inet proto icmp from any \
to $ext_if icmp-type echoreq label "$if-icmp-echo" $ks
# ssh access to ext_if
$pil on $ext_if inet proto tcp from <admin> \
to $ext_if port ssh label "$if-admin-ssh-in" $ms
# permit active ftp
$pi on $ext_if inet proto tcp from port 20 \
to ($ext_if) user proxy flags S/SA label "$if-ftp-proxy" $ks
# pass-through for clients on wire_if:network not to wire_if
$piq inet proto tcp from $wire_if:network \
to ! $wire_if flags S/SA label "$if-$srcaddr-$dstport-in" $ms
$piq inet proto tcp from $wire_if:network \
to ! $wire_if label "$if-$srcaddr-$dstport-in" $ks
$piq inet proto udp from $wire_if:network \
to ! $wire_if label "$if-$srcaddr-$dstport-in" $ks
$piq inet proto icmp from $wire_if:network \
to ! $wire_if label "$if-$srcaddr-$dstport-in" $ks
$piq from $wire_if:network \
to ! $wire_if label "$if-$srcaddr-$dstport-in" $ks
