
carp alias / system crash



hi all,
I have now solved nearly all of my problems, but one problem still
remains.
For testing I used only one external IP address, assigned to carp0.
Now I have tried to assign a second one: after a few seconds the system
becomes unreachable and then reboots automatically.
When I disable the packet filter with `pfctl -d` and then assign more
addresses, everything works fine until I re-enable the packet
filter.
As far as I have read, it should be no problem to use multiple IP addresses
on a carp interface.
Does anyone know what is going wrong here?
Attached are my pf.conf and my rc.
best regards
Wolfgang
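# Macros
###########################################
#
# The individual interfaces
#
ext_if="sis0"      # Internet-facing; carp0 (83.64.16.130) lives on this /29
int_if="sis1"      # LAN / "DMZ" segment, 172.16.0.0/24
cross_if="sis2"    # crossover link to the peer firewall, carries pfsync
lo_if="lo0"
###########################################
#
# The servers in the DMZ (although it is not a real DMZ)
# NOTE(review): none of the dmz_* macros are referenced by any rule below.
#
dmz_webserver="172.16.0.46"
dmz_testserver="172.16.0.79"
dmz_mailserver="172.16.0.46"
dmz_replicator="172.16.0.48"
# The private address range behind $int_if (also NATed on $ext_if)
prv_ad = "172.16.0.0/24"
# My primary external address -- the CARP address; ssh is accepted on it
ext_ad = "83.64.16.130"
# My public addresses (web primary, web secondary, mail).
# Was "83.64.16.130/30": pf treats that as 83.64.16.128/30, which takes in
# the network address and the upstream gateway (.129) but leaves out the
# mail address (.132).  Enumerate the three addresses instead.
ext_ads = "{ 83.64.16.130, 83.64.16.131, 83.64.16.132 }"
# Protocols for which we are doing NAT
nat_proto = "{tcp, udp, icmp}"
###########################################
#
# Our external IPs
#
ext_webprimary="83.64.16.130"
ext_websecondary="83.64.16.131"
ext_mailserver="83.64.16.132"
#
# And the matching internal ones
#
int_webprimary="172.16.0.148"
int_websecondary="172.16.0.79"
int_mailserver="172.16.0.148"
int_webproxy="172.16.0.148"
int_nameserver="172.16.0.148"
# Destination ports steered into the ALTQ queues (see the queueing section)
lowqueueports = "{ 25, 110, 80, 443, 21}"
highqueueports = "{ 53, 22, 23 }"
torrentports = "6881:6999"
# Reserved / bogon source ranges that must never arrive from the Internet.
# Changes from the original list: the single host 0.0.0.0 became 0.0.0.0/8,
# 240.0.0.0/5 was widened to 240.0.0.0/4 (all of class E, incl. the limited
# broadcast), and link-local 169.254.0.0/16 was added.  172.16.0.0/12
# deliberately covers our own LAN so spoofed "internal" sources are
# dropped on $ext_if.
prv_ads = "{ 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/4, 240.0.0.0/4 }"
# Tables
# NOTE(review): these tables are defined but not used by any rule below.
table <DMZ> persist {172.16.0.13, 172.16.0.27, 172.16.0.46, 172.16.0.48, 172.16.0.79}
table <WEBSERVERS> persist {172.16.0.46, 172.16.0.48, 172.16.0.79}
table <MAILSERVERS> persist {172.16.0.46}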
#######################################################
#
# Options
#
# Limit the number of fragments kept in memory to 5000
# (the scrub rule below reassembles fragments arriving on $ext_if)
set limit frags 	5000
# Set the timeout for fragments kept in memory to 30 seconds
# set timeout frag 30
# set the timeouts for packet states
# (left disabled: "tcp.established 10" is ten *seconds* and would drop
# every idle TCP session almost immediately)
# set timeout { tcp.first 20, tcp.established 10, adaptive.start 5000, adaptive.end 20000 }
# set the amount of states the firewall will keep in memory
set limit states 	20000
# "aggressive" expires idle states early to save memory, at the cost of
# dropping long-idle connections -- confirm that is wanted on this link.
set optimization 	aggressive
# Blocked packets are silently dropped unless a rule says return-icmp/return-rst
set block-policy 	drop
# No per-interface counters for "pfctl -s info"; set to $ext_if if wanted.
set loginterface 	none
#######################################################
#
# Scrub Rules
#
# Scrub all packets coming from the world: fragments are reassembled
# (bounded by "set limit frags" above) and odd packets normalised before
# the filter rules see them.  Only $ext_if is scrubbed; LAN traffic is not.
scrub in on $ext_if from any
#######################################################
#
# Packet Queuing Rules
#
# HFSC on the 256 Kbit/s uplink.  Each service curve is (m1 d m2): rate m1
# for the first d milliseconds of a backlog, then m2.  linkshare is the
# guaranteed share, upperlimit the cap; the upperlimit m2 values of the
# three named queues add up to 100% (75 + 20 + 5), "other" is the default
# queue with no explicit curve.  Traffic is assigned to a queue by the
# "pass out ... queue" rules in the filter section.
altq on $ext_if hfsc bandwidth 256Kb queue{ highqueue, lowqueue, bitqueue, other }
queue highqueue hfsc(linkshare (50% 10000 65%) upperlimit (60% 5000 75%))
queue lowqueue hfsc(linkshare (35% 5000 20%) upperlimit (35% 5000 20%))
queue bitqueue hfsc(linkshare (5% 1000 3%) upperlimit (5% 1000 5%))
queue other hfsc(default)
#######################################################
#
# Packet Redirection rules
#
# Translation is applied before filtering, so the filter section sees the
# rewritten addresses: the internal hosts for rdr'd services, and the
# address of ($ext_if) as the source of NATed LAN traffic.
#
# Do Simple Masquerading
# NOTE(review): this NATs to the physical address of sis0 (83.64.16.134 in
# the rc), not to the CARP address.  After a failover the peer does not own
# that address, so states replicated via pfsync cannot carry on there.  The
# usual CARP/pfsync setup NATs to the CARP address ($ext_ad); if that is
# changed, the catch-all "pass out ... from ($ext_if)" rules in the filter
# section must be changed to match as well.
nat on $ext_if inet proto $nat_proto from $prv_ad to any -> ($ext_if)
# Redirect Packets: public web / mail addresses to the internal hosts.
# The web rules are for $ext_if only; mail is also redirected on $int_if so
# LAN clients can reach $ext_mailserver by its public address.
# NOTE(review): LAN clients going to $ext_webprimary/$ext_websecondary:80
# are instead caught by the proxy rdr below, and the proxy's own connection
# to the public address is not redirected -- add $int_if here (as for mail)
# if the public web addresses must be reachable from the LAN.
rdr on $ext_if inet proto tcp \
	from any to $ext_webprimary port 80 -> $int_webprimary port 80
rdr on $ext_if inet proto tcp \
	from any to $ext_websecondary port 80 -> $int_websecondary port 80
rdr on {$ext_if, $int_if} inet proto tcp \
	from any to $ext_mailserver port 25 -> $int_mailserver port 25
rdr on {$ext_if, $int_if} inet proto tcp \
	from any to $ext_mailserver port 110 -> $int_mailserver port 110
# Send all outgoing traffic (except the traffic from the proxy) on port 80 to my web proxy
no rdr on $int_if inet proto tcp \
	from $int_webproxy to any port 80
rdr on $int_if proto tcp from $prv_ad to any port 80 -> \
   $int_webproxy port 3128
# The proxy sits on the same subnet as the clients, so the redirected
# connections are source-NATed to $int_if's address; otherwise the proxy
# would answer the client directly and bypass the firewall.  $int_if's own
# address (172.16.0.254) is inside $prv_ad, hence the "no nat" exception.
no nat on $int_if proto tcp from $int_if to $prv_ad
nat on $int_if proto tcp from $prv_ad to $int_webproxy port 3128 -> \
   $int_if
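#######################################################
#
# Packet Filtering Rules
#
# Default policy: block everything on the external interface, both
# directions.  NOTE(review): there is no block rule for $int_if or
# $cross_if, so pf's built-in "pass" applies there -- LAN and crossover
# traffic is not filtered, only short-circuited by the quick rules below.
block in on $ext_if all
block out on $ext_if all
# pass all to loopback interface
pass quick on $lo_if all
# let pfsync and carp traffic through (pfsync only on the dedicated crossover)
pass quick on { $cross_if } proto pfsync
pass quick on { $ext_if $int_if } proto carp keep state
# pass all connections from our lan.
# NOTE(review): "flags S/SA" without "keep state" matches only TCP SYNs and
# creates no state; every other packet on $int_if is passed by the default
# policy anyway (see above), so these rules mainly end evaluation early.
pass in quick on $int_if from any to any flags S/SA
pass out quick on $int_if from any to any flags S/SA
# Web servers: packets arrive on $ext_if already rewritten by the rdr rules,
# hence the internal addresses.  synproxy completes the TCP handshake on
# the firewall before the server sees the connection.
pass in on $ext_if inet proto tcp from any to $int_webprimary port 80 flags S/SA synproxy state
pass in on $ext_if inet proto tcp from any to $int_websecondary port 80 flags S/SA synproxy state
# Mail server (SMTP, POP3)
pass in on $ext_if inet proto tcp from any to $int_mailserver port 25 flags S/SA synproxy state
pass in on $ext_if inet proto tcp from any to $int_mailserver port 110 flags S/SA synproxy state
# Name server.
# NOTE(review): there is no rdr rule for port 53, so nothing arriving on
# $ext_if from the Internet is addressed to $int_nameserver and these two
# rules never match.  Add an "rdr on $ext_if ... port 53 -> $int_nameserver"
# if external DNS service is intended, otherwise drop them.
pass in on $ext_if inet proto tcp from any to $int_nameserver port 53 flags S/SA synproxy state
pass in on $ext_if inet proto udp from any to $int_nameserver port 53 keep state
# return destination-unreachable to auth (ident) requests so remote mail/irc
# servers do not wait for a timeout
block return-icmp in quick on $ext_if proto tcp from any to $ext_ads port auth
# block spoofed packets: reserved sources from the Internet (logged to pflog),
# plus our own networks arriving on the wrong interface.  The first rule is
# quick and the antispoof rules come later in the ruleset, so they override
# the non-quick pass rules for web and mail above.
block in quick log on $ext_if from $prv_ads
antispoof for $ext_if
antispoof for $int_if
# allow the ping (echo request, type 8); the state passes the reply
pass in quick inet proto icmp icmp-type 8 code 0 keep state
# allow ssh to the CARP address.
# NOTE(review): open to the whole Internet with no source restriction or
# rate limit.  Narrow "from any" to the management networks where possible;
# pf releases that support it can also add "(max-src-conn-rate ...)" to the
# state options.
pass in quick inet proto tcp from any to $ext_ad port 22 flags S/SA keep state
# To Handle the queueing thing -- outbound traffic is sorted into the ALTQ
# queues by destination port.  Source is "any" because NAT has already
# rewritten LAN sources to ($ext_if)'s address when out rules are evaluated.
# NOTE(review): synproxy on client-originated (outbound) TCP is unusual;
# "modulate state" as used in the catch-all below is the common choice --
# check pf.conf(5) for this release before relying on it.
# highqueue
pass out quick on $ext_if inet proto udp from any to any \
	port $highqueueports keep state queue highqueue
pass out quick on $ext_if inet proto tcp from any to any \
	port $highqueueports synproxy state queue highqueue
# lowqueue
pass out quick on $ext_if inet proto udp from any to any \
	port $lowqueueports keep state queue lowqueue
pass out quick on $ext_if inet proto tcp from any to any \
	port $lowqueueports synproxy state queue lowqueue
# bitqueue
pass out quick on $ext_if inet proto tcp from any to any \
	port $torrentports synproxy state queue bitqueue
# Catch-all for everything else leaving $ext_if.  Because NAT maps LAN
# sources to ($ext_if) before filtering, these match NATed LAN traffic on
# every other port as well as the firewall's own connections.
pass out quick on $ext_if inet proto tcp from ($ext_if) to any \
	modulate state queue other
pass out quick on $ext_if inet proto udp from ($ext_if) to any \
	keep state queue other
# "keep state" was missing here: without it the echo replies to the
# firewall's own pings were dropped by "block in on $ext_if" (only type 8
# is passed inbound above).
pass out quick on $ext_if inet proto icmp from ($ext_if) to any keep state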
# Example config: Soekris net4xxx Boot for router with DHCP, NAT, VLAN
#
# [email protected]
#
# Minimal /etc/rc for a flash-based firewall: the root filesystem stays
# read-only and /var is recreated on an MFS further down.  Invoked with
# "shutdown" as the first argument it only remounts root read-only and
# exits, starting no services.

# ^T on the console prints process status.
stty status '^T'

# Set shell to ignore SIGINT (2), but not children;
# shell catches SIGQUIT (3) and returns to single user.
trap : 2 3

HOME=/
PATH=/sbin:/bin:/usr/sbin:/usr/bin
export HOME PATH

# Shutdown path: remount root read-only and leave.
case "$1" in
shutdown)
        mount -o ro /
        exit 0
        ;;
esac
 
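# Filesystem should never be dirty unless we acked while fs was mounted
# read/write
fsck -p

echo mfs: mounting /tmp...
mount_mfs -s 16384 /dev/wd0b /tmp

echo mfs: populating /tmp...
# flashdist makes /var a link to /tmp/var, so recreate the skeleton the
# daemons started later expect (mkdir -p creates the parents as well).
mkdir -p /tmp/var/tmp/vi.recover /tmp/var/run /tmp/var/log /tmp/var/db /tmp/var/empty
if [ -d /root ]; then
 cp -R /root /tmp/root
 # root's home (which may hold ~/.ssh) now lives on a world-traversable
 # MFS; cp -R only keeps the mode modulo umask, so pin it down explicitly.
 chmod 700 /tmp/root
fi
chmod -R 755 /tmp/var
chmod a+rwxt /tmp/var/tmp/vi.recover
touch /tmp/var/run/utmp
touch /tmp/var/log/authlog
touch /tmp/var/log/messages
# touch creates files with the boot umask (0644 under the usual 022),
# which would leave authlog world-readable; stock OpenBSD ships it 0640.
chmod 640 /tmp/var/log/authlog

# Copy over devices created from flashdist into a place where the permissions
# can be changed.  Flashdist already created links to /var/run/dev/XXX for
# these devices.
mkdir /var/run/dev
tar cf - -C /dev/devtmp . | tar xpf - -C /var/run/dev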
 
# You don't need to make databases, but they help ps and some other
# programs ... (skipped kvm for now since /dev/ksyms is a waste of time
# on an embedded router)
#
echo -n "databases:"
echo -n " dev"
dev_mkdb
echo

# knob LABEL NAME=VALUE -- print LABEL, then set the sysctl; sysctl -w
# prints the old -> new value on the same line.
knob() {
 echo -n "$1: "
 sysctl -w "$2"
}

# Init will do this for us, but to be proper we should do it now, before
# remote login services start
knob "securelevel" kern.securelevel=1

# CARP tuning -- see carp(4).  arpbalance is meant for setups with several
# carp vhids on one segment; with one vhid per segment (as configured below)
# it is one variable worth switching off while isolating the alias crash.
knob "setting carp preempt" net.inet.carp.preempt=1
knob "activating ARP balancing" net.inet.carp.arpbalance=1
knob "turning on carp logging" net.inet.carp.log=1

# ddb.panic=0 makes a kernel panic reboot the box instead of dropping into
# ddb.  Sensible for an unattended router, but it is also why the carp-alias
# problem only shows up as "unreachable, then reboots": the panic message
# and trace are never seen.  While hunting that bug set this to 1 (and
# kern.watchdog.auto=0) with a console attached, and capture "trace" and
# "ps" from ddb for the bug report.
knob "on panic reboot" ddb.panic=0

# Hardware watchdog: the kernel re-arms it itself (auto=1) every 32 s, so a
# wedged kernel gets reset.
knob "watchdog" kern.watchdog.period=32
knob "watchdog" kern.watchdog.auto=1
 
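if [ -f /etc/nshrc -a -x /bin/nsh ]; then
 echo nsh: starting nsh
 nsh -i /etc/nshrc
else
 # Setup hostname, IPs, and pf/nat

 hostname=firewall
 echo hostname: setting hostname to $hostname...
 hostname "$hostname"

 echo inet: configuring IP on system interfaces...
 ifconfig lo0 127.0.0.1 netmask 255.0.0.0
 # sis0: this node's own address on the public /29; the service address is
 # the CARP one configured below.
 ifconfig sis0 83.64.16.134 netmask 255.255.255.248
 ifconfig sis1 172.16.0.254 netmask 255.255.255.0 broadcast 172.16.0.255
 # sis2: crossover to the peer, used only for pfsync.  pfsync carries no
 # authentication of its own, so keep this link physically private.
 ifconfig sis2 192.168.254.254 netmask 255.255.255.0 broadcast 192.168.254.255
 # CARP virtual addresses.  NOTE(review): the "pass" argument is the shared
 # secret that authenticates advertisements; anyone on the segment who knows
 # (or guesses) "pass1"/"pass2" can announce itself as master and take the
 # address over.  Use long random passphrases, different per vhid, before
 # this goes into production.
 ifconfig carp0 83.64.16.130 netmask 255.255.255.248 broadcast 83.64.16.135 vhid 1 pass pass1
 # Additional public addresses on carp0.  Left disabled: enabling them with
 # pf active is what triggers the crash described in the message.
# ifconfig carp0 alias 83.64.16.131 netmask 255.255.255.248 broadcast 83.64.16.135 vhid 1 pass pass1
# ifconfig carp0 alias 83.64.16.132 netmask 255.255.255.248 broadcast 83.64.16.135 vhid 1 pass pass1
 ifconfig carp1 172.16.0.2 netmask 255.255.255.0 broadcast 172.16.0.255 vhid 2 pass pass2
 ifconfig pfsync0 up syncif sis2

 echo route: adding default route...
 route add default 83.64.16.129

 echo pf/nat: configuring and enabling...
 # A ruleset that fails to load leaves pf either disabled or enabled with an
 # empty (pass-all) ruleset.  Neither should pass silently on a firewall.
 if ! pfctl -e -f /etc/pf.conf; then
  echo "pf/nat: WARNING - /etc/pf.conf did not load, check 'pfctl -s info'"
 fi
fi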
 
# syslogd is only started when a configuration exists; its log socket is
# placed on the MFS-backed /var/run rather than the compiled-in default.
[ -f /etc/syslog.conf ] && {
  echo syslogd: starting log daemon...
  syslogd -p /var/run/log
}

#echo dhcp: starting server...
#touch /var/db/dhcpd.leases
#dhcpd -q vlan0
 
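# gen_hostkey TYPE FILE LABEL -- generate the sshd host key FILE of TYPE
# when it does not exist yet.  The root filesystem is normally read-only,
# so it is remounted read-write around ssh-keygen and back afterwards.
# A missing /etc/ssh means ssh is not on this image; nothing to do then.
gen_hostkey() {
 [ -d /etc/ssh ] || return 0
 [ -f "$2" ] && return 0
 echo -n "ssh-keygen: generating new $3 host key... "
 mount -o rw /dev/wd0a /
 if /usr/bin/ssh-keygen -q -t "$1" -f "$2" -N ''; then
  echo done.
 else
  echo failed.
 fi
 mount -o ro /
}

# NOTE(review): the keys are created on the very first boot of an embedded
# box, which may have gathered little entropy by then -- consider
# generating the host keys offline and shipping them on the image instead.
gen_hostkey dsa /etc/ssh/ssh_host_dsa_key DSA
gen_hostkey rsa /etc/ssh/ssh_host_rsa_key RSA
# ssh_host_key is the SSH protocol 1 (RSA1) key.  Protocol 1 is considered
# broken; keep this line (and "Protocol 1" in sshd_config) only if a legacy
# client really needs it.
gen_hostkey rsa1 /etc/ssh/ssh_host_key RSA1

echo ssh: starting daemon...
sshd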