carp & spamd problems when using if_bridge + nat

Marko Lerota mlerota at iskon.hr
Fri Jan 19 11:04:44 UTC 2007


Tom Uffner <tom at uffner.com> writes:

> box #0
> cloned_interfaces="bridge0 carp0 carp1"
> ifconfig_carp0="vhid 1 advskew 100 pass tengu 207.245.109.13/24"
> ifconfig_carp1="vhid 2 advskew 100 pass zruty 10.10.1.13/16"
>
> box #1
> cloned_interfaces="bridge0 carp0 carp1"
> ifconfig_carp0="vhid 1 advskew 100 pass tengu 207.245.109.13/24"
> ifconfig_carp1="vhid 2 advskew 100 pass zruty 10.10.1.13/16"
>
> this didn't work because i couldn't get the carp0 interface to run.

Maybe this would help, from the pfsync(4) man page:
     If it is preferable that one firewall handle the traffic, the advskew on
     the backup firewall's carp(4) interfaces should be set to something
     higher than the primary's.

You have the same advskew. Also try to remove bridge0 from cloned_interfaces.

> i am now using:
>
> hosts on the DMZ network (em0) cannot connect to hosts on the inside
> network (bge1) and vice versa though they can ping each other.
>
> here is my pf.conf:
>
> # don't filter loopback or virtual interfaces
> set skip on { carp0 carp1 }

Maybe you should have

set skip on { lo0 bridge0 carp0 carp1 }

or

pass quick on lo0 all
pass quick on bridge0 all

before the "block in log on $ext_if all" rule.

> # block all inbound traffic not matched by a rule below, don't log smb
> packets
> block in log on $ext_if all
> block in on $ext_if proto udp from any port 137:139
>
> # return ident instead of dropping to prevent email delay
> block return in on $ext_if proto tcp to any port 113
>
> # allow all loopback traffic
> pass quick on lo0 all
> pass quick on bridge0 all
>
> # block packets claiming to be from an internal address
> #antispoof for $ext_if
>
> # allow CARP & pfsync
> pass quick on { $pfs_if } proto pfsync keep state (no-sync)
> pass on { $ext_if $dmz_if $int_if } proto carp keep state
>
> # allow all traffic on inside interface unless blocked by a rule below
> pass on { $dmz_if $int_if } all

-- 
One cannot sell the earth upon which the people walk
                                Tacunka Witco
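
As an added illustration of the two suggestions in the reply above (constructed example configuration, not taken from Tom's or Marko's mail): the backup box gets a higher advskew than the preferred master, and pf.conf skips the loopback, bridge and carp interfaces with a set option placed before the filter rules, because pf.conf requires options to precede rules. Interface names, vhids, passwords and addresses are the ones quoted in the thread; the external and pfsync interface names are assumptions.

```conf
# --- box #0, /etc/rc.conf: preferred master, lowest advskew ---
cloned_interfaces="bridge0 carp0 carp1"
ifconfig_carp0="vhid 1 advskew 0 pass tengu 207.245.109.13/24"
ifconfig_carp1="vhid 2 advskew 0 pass zruty 10.10.1.13/16"

# --- box #1, /etc/rc.conf: backup; the higher advskew makes it lose the
#     master election and only take over when box #0 stops advertising ---
cloned_interfaces="bridge0 carp0 carp1"
ifconfig_carp0="vhid 1 advskew 100 pass tengu 207.245.109.13/24"
ifconfig_carp1="vhid 2 advskew 100 pass zruty 10.10.1.13/16"

# --- /etc/pf.conf, identical on both boxes ---
# Macros first; the thread names the DMZ (em0) and inside (bge1) interfaces,
# the other two are assumed for this example.
dmz_if="em0"
int_if="bge1"
ext_if="bge0"   # assumed
pfs_if="em1"    # assumed

# Options must come before any filter rule. Traffic on these interfaces is
# never filtered, so no pass rule for them is needed later on.
set skip on { lo0 bridge0 carp0 carp1 }

# Default deny on the outside; don't log SMB noise.
block in log on $ext_if all
block in on $ext_if proto udp from any port 137:139

# Return RST for ident so mail servers don't wait on a timeout.
block return in on $ext_if proto tcp to any port 113

# pfsync state replication and CARP advertisements. CARP advertisements
# travel on the parent (physical) interfaces, not on carp0/carp1, so the
# set skip above does not cover them and this pass rule is still required.
pass quick on $pfs_if proto pfsync keep state (no-sync)
pass on { $ext_if $dmz_if $int_if } proto carp keep state

# Everything on the DMZ and inside interfaces is allowed.
pass on { $dmz_if $int_if } all
```

Both boxes can be checked with "pfctl -nf /etc/pf.conf" before loading, and "ifconfig carp0" should show MASTER on box #0 and BACKUP on box #1 once the advskew values differ.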

