ipfw and carp problems
schmidt at ze.tum.de
Sun Nov 2 08:16:15 UTC 2014
Am 01.11.2014 06:56, schrieb Ian Smith:
> On Wed, 29 Oct 2014 20:55:16 +1100, Ian Smith wrote:
> > In freebsd-questions Digest, Vol 543, Issue 2, Message: 1
> > On Mon, 27 Oct 2014 15:16:33 +0100 Gerhard Schmidt <schmidt at ze.tum.de> wrote:
> > > Hi,
> > >
> > > I have a small problem with ipfw an carp.
> > >
> > > i have two server with two carp ips and a firewall via ipfw.
> > >
> > > the problem is tha ipfw via modul is default to deny. So when the carp
> > > interfaces are initialized ipfw has no custom rules. Everything is
> > > denied, even the carp packets. So every time I reboot one of the hosts
> > > it comes up as master and after the firewall rules are initialized one
> > > of the servers is demoted to backup, which one seams to be random.
> > >
> > > My problem is that my setup need a new server do come up as backup
> > > because is has to replicate the data from the running server before
> > > being able to act as master. There could be data loss if a newly booted
> > > server named master without prior replicating the data.
> > >
> > > Is there a way to ensure that the firewall rules are up before the carp
> > > interfaces are initialized or to load the ipfw module with default to
> > > accept.
> > The canonical way was to build a custom kernel with ipfw included as per
> > http://www.freebsd.org/doc/handbook/firewalls-ipfw.html including
> > 'options IPFIREWALL_DEFAULT_TO_ACCEPT' .. however you can accomplish
> > this with a GENERIC (or other) kernel by adding to /boot/loader.conf:
> > ipfw_load="YES" # to load the ipfw module early
> > and adding to /etc/sysctl.conf
> > net.inet.ip.fw.enable=0
> > net.inet6.ip6.fw.enable=0 # if using ipv6
> > /etc/rc.d/sysctl is run early (on 9.3, first) before other rc.d
> > scripts including netif and later ipfw, which will then only enable the
> > firewall after having loaded your ruleset.
> > I just tested this over ssh to a 9.3 GENERIC box not running ipfw:
> > root at x200:~/bin # kldload ipfw && sysctl net.inet.ip.fw.enable=0 \
> > && sysctl net.inet6.ip6.fw.enable=0
> > net.inet.ip.fw.enable: 1 -> 0
> > net.inet6.ip6.fw.enable: 1 -> 0
> > root at x200:~/bin # ipfw show
> > 65535 0 0 deny ip from any to any
> > which would have locked me out had it not worked :)
> > Of course you must accept that there is a vulnerable window between
> > starting net interfaces (netif) and starting ipfw, however miniscule.
> Excuse replying to my own message, but I've since discovered that you
> could also add 'net.inet.ip.fw.default_to_accept=1' to loader.conf as an
> alternative. I hadn't twigged that this one is a loader tunable, unlike
> the sysctls mentioned above, and so can be set before ipfw.ko is loaded,
> ie before the net.inet.ip.fw OIDs even exist.
> Please let the list know if either of these methods solve your issue?
Sorry was out of town for a view days.
I did solve my problem with activating the default_to_accept tunable.
Since this server should be running 24/7 the slight exposure on start up
shouldn't be a problem especially because the services protected are
started way after firewall is initialized.
Gerhard Schmidt | E-Mail: schmidt at ze.tum.de
Technische Universität München | Jabber: estartu at ze.tum.de
WWW & Online Services |
Tel: +49 89 289-25270 | PGP-PublicKey
Fax: +49 89 289-25257 | on request
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 526 bytes
Desc: OpenPGP digital signature
More information about the freebsd-questions