Filtering CARP interface(s) and 'set skip on lo0'

Max Laier max at love2party.net
Mon May 19 09:11:28 UTC 2008


On Monday 19 May 2008 05:38:20 Kian Mohageri wrote:
> Hey all,
>
> I'm trying to clean up my PF rulesets, and I noticed today that a CARP
> master connecting to itself (on the CARP IP address) appears to be
> filtered even when 'set skip on lo0' is in effect.
>
> At first I suspected that maybe CARP Master to itself is routed
> differently in FreeBSD (so it wouldn't actually be on lo0), but a
> tcpdump seems to say otherwise.  That is:
> > ifconfig carp0
>
> carp0: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
> 	inet 67.201.255.210 netmask 0xffffffe0
> 	carp: MASTER vhid 1 advbase 1 advskew 10
>
> > sudo tcpdump -c 3 -n -i lo0
>
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on lo0, link-type NULL (BSD loopback), capture size 96 bytes
> 20:36:40.522108 IP 67.201.255.210.65404 > 67.201.255.210.53: 2673+ A? daapiak-mtv.flux.com. (38)
> 20:36:40.522569 IP 67.201.255.210.53 > 67.201.255.210.65404: 2673 4/9/3 CNAME[|domain]
> 20:36:40.724506 IP 67.201.255.210.65404 > 67.201.255.210.53: 20823+ PTR? 240.189.73.209.

Just because the packets show up on lo0 "sometime" doesn't mean that they 
won't pass through other interfaces before or after.  CARP is special in 
that respect and needs special attention.

> I tried the archives but couldn't find an explanation about why 'set
> skip on lo0' wouldn't apply here, so I'm wondering if any of you could
> point me in the right direction.  The simple answer would be for me to
> simply filter a little differently so the MASTER can talk to itself,
> but I figured this could be a learning experience too.
>
> Is this intended FreeBSD-specific behavior, and if so, what is the
> recommended way to deal with it?

The usual advice on how to debug rulesets that block stuff you want to 
allow:
 1) Add "log" to all block rules
 2) Listen on pflog0
 3) Generate the traffic pattern you want to pass
 4) Find this offending rule (and also the interface and direction the 
traffic was blocked on)
 5) Insert a rule to allow the traffic in question
 6) Repeat until everything works as required

-- 
/"\  Best regards,                      | mlaier at freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier at EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
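The six-step procedure Max describes, worked through as an added example (this is not code from the original mail or from the pf project). It assumes step 1 has been done (every block rule carries "log") and that pflog0 is being read with `tcpdump -n -e -t -i pflog0`, which on FreeBSD prefixes each packet with `rule N/M(match): ACTION DIR on IFACE:`. The pf.conf fragment, the interface names and the pflog lines below are constructed for the example; they are not the original poster's ruleset or capture. The awk helper reduces the log to one line per blocked flow (rule number, direction, interface, endpoints), which is exactly what step 4 asks you to find, and drafts a candidate pass rule for step 5.

```shell
#!/bin/sh
# Added example: steps 1-5 of the pf debugging recipe, driven from pflog output.
# Not the original poster's configuration; all data below is constructed.

# Step 1: make every block rule log (constructed pf.conf fragment, not loaded here).
PF_CONF='
set skip on lo0
block log all
pass out on em0 keep state
'

# Steps 2-3: what `tcpdump -n -e -t -i pflog0` prints while the traffic is
# generated. Constructed sample lines in the FreeBSD pflog format; "-t" drops
# the timestamp. Interface names carp0/em0 are assumptions for the example.
PFLOG_SAMPLE='
rule 0/0(match): block in on carp0: 67.201.255.210.65404 > 67.201.255.210.53: UDP, length 38
rule 0/0(match): block in on carp0: 67.201.255.210.65404 > 67.201.255.210.53: UDP, length 38
rule 0/0(match): block in on em0: 198.51.100.7.40123 > 67.201.255.210.22: Flags [S], seq 1, win 65535, length 0
rule 2/0(match): pass out on em0: 67.201.255.210.50000 > 192.0.2.1.80: Flags [S], seq 1, win 65535, length 0
'

# Shared awk program. Fields of a pflog line:
#   $1=rule $2=N/M(match): $3=action $4=in|out $5=on $6=IFACE: $7=SRC $8=> $9=DST: $10=proto hint
# IPv4 "addr.port" notation is assumed when splitting endpoints.
PFLOG_AWK='
function strip_colon(s) { sub(/:$/, "", s); return s }
function ip_of(a)   { sub(/\.[0-9]+$/, "", a); return a }
function port_of(a) { sub(/.*\./, "", a); return a }
/\(match\): block (in|out) on / {
    rule = $2; sub(/\/.*/, "", rule)        # "0/0(match):" -> "0"
    dir  = $4
    ifc  = strip_colon($6)
    src  = $7
    dst  = strip_colon($9)
    proto = ""
    if ($10 ~ /^UDP/)        proto = "udp"
    else if ($10 ~ /^Flags/) proto = "tcp"
    else if ($10 ~ /^ICMP/)  proto = "icmp"
    key = rule " " dir " " ifc " " src " > " dst
    if (key in seen) next                  # report each blocked flow once
    seen[key] = 1
    if (mode == "rules") {
        r = "pass " dir " quick on " ifc
        if (proto != "") r = r " proto " proto
        r = r " from " ip_of(src) " to " ip_of(dst)
        if (proto == "udp" || proto == "tcp") r = r " port " port_of(dst)
        print r
    } else {
        print key
    }
}'

# Step 4: one line per blocked flow: "<rule#> <dir> <iface> <src> > <dst>".
# Map the rule number back to its text with `pfctl -vvsr` (rules are listed as @N).
blocked_flows() {
    printf '%s\n' "$1" | awk "$PFLOG_AWK"
}

# Step 5: a candidate pass rule per blocked flow, to be reviewed and inserted
# before the block rule that matched (or generalised with keep state).
suggest_pass_rules() {
    printf '%s\n' "$1" | awk -v mode=rules "$PFLOG_AWK"
}

echo "blocked flows:"
blocked_flows "$PFLOG_SAMPLE"
echo "candidate rules:"
suggest_pass_rules "$PFLOG_SAMPLE"
```

Run it as-is to see the two blocked flows and their candidate rules; on a real host replace PFLOG_SAMPLE with `tcpdump -n -e -t -i pflog0 -l` output. The suggested rules are deliberately narrow (quick, exact endpoints, destination port); step 6 is to load one, regenerate the traffic and repeat until pflog0 goes quiet for the flows you care about.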

