Date:      Sun, 13 Mar 2005 21:19:18 +0800
From:      sam wun <sam.wun@authtec.com>
To:        current@freebsd.org
Subject:   Re: Unauthorized PF CARP server bring down network connection
Message-ID:  <42343DD6.1090702@authtec.com>

David Magda wrote:

> sam <sam.wun@authtec.com> writes:
>
>> Is this a bug? Logically the existing PF CARP server should not be
>> interrupted by an unauthorized VRRP packet because the password is
>> unmatched. I intentionally left the PF rules wide open so that all
>> hosts in the LAN can talk to the CARP server. If I drop all
>> unauthorized packets, the existing CARP server is not affected.
>
> Did you use a different ID number for the new CARP server?
>
> Each 'cluster' of CARP servers must have a different ID number. The
> numbers go from 0 to 255. If you don't specify one a default may be
> chosen. Double check the man pages.
>
The simplest form should not rely on the ID number; it should check the
password for authentication only. If the password is unmatched, there is no
reason to continue the communication.

Btw, the ID number can be spoofed VERY easily.

Sam.
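The ordering Sam argues for above, as an added illustration that is not part of this thread and not FreeBSD's ip_carp.c: a receiver that authenticates an advertisement with a keyed MAC before it looks at the virtual host ID, beside one that acts on any packet whose ID matches. The packet layout, the MAC construction, the password and the sample advertisements are all constructed for the example (CARP's real header and HMAC input are not reproduced here); the only point demonstrated is that a spoofed ID passes an ID-only check and fails the keyed check.

```python
"""Model of 'authenticate first, then match the ID' for CARP-style advertisements.

Added example, not the page's or the project's code. The header layout and the
MAC input below are an assumption made for illustration, not the CARP wire format.
"""
import hashlib
import hmac
import struct

# Constructed header (hypothetical, not the CARP header):
#   vhid (1 byte) | advskew (1 byte) | advbase (1 byte) | addr (4 bytes)
# followed by a 20-byte HMAC-SHA1 over the header, keyed with the shared password.
HDR = struct.Struct("!BBB4s")
MAC_LEN = hashlib.sha1().digest_size


def build_adv(vhid, advskew, advbase, addr, password):
    """Build one advertisement carrying a MAC computed with `password`."""
    raw_addr = bytes(int(octet) for octet in addr.split("."))
    body = HDR.pack(vhid, advskew, advbase, raw_addr)
    mac = hmac.new(password, body, hashlib.sha1).digest()
    return body + mac


def parse_adv(pkt):
    """Split a packet into its fields; None if the length is wrong."""
    if len(pkt) != HDR.size + MAC_LEN:
        return None
    vhid, advskew, advbase, raw_addr = HDR.unpack(pkt[:HDR.size])
    return {
        "vhid": vhid,
        "advskew": advskew,
        "advbase": advbase,
        "addr": ".".join(str(b) for b in raw_addr),
        "body": pkt[:HDR.size],
        "mac": pkt[HDR.size:],
    }


def accept_by_vhid_only(pkt, my_vhid):
    """The behaviour complained about: any packet with a matching ID is acted on."""
    adv = parse_adv(pkt)
    return adv is not None and adv["vhid"] == my_vhid


def accept_authenticated(pkt, my_vhid, password):
    """Sam's ordering: a MAC mismatch ends processing before the ID is consulted."""
    adv = parse_adv(pkt)
    if adv is None:
        return False
    expected = hmac.new(password, adv["body"], hashlib.sha1).digest()
    if not hmac.compare_digest(expected, adv["mac"]):
        return False
    return adv["vhid"] == my_vhid


def demo():
    """Compare both receivers on a legitimate and a spoofed advertisement."""
    password = b"mekmitasdigoat"  # constructed shared password for the example
    legit = build_adv(1, 0, 1, "192.168.1.1", password)
    # Same vhid, same addresses, but signed with a different password: the
    # situation in the thread, a second host on the LAN using the same ID.
    spoof = build_adv(1, 0, 1, "192.168.1.1", b"wrong-password")
    return {
        "vhid_only": (accept_by_vhid_only(legit, 1), accept_by_vhid_only(spoof, 1)),
        "authenticated": (
            accept_authenticated(legit, 1, password),
            accept_authenticated(spoof, 1, password),
        ),
    }


if __name__ == "__main__":
    print(demo())
```

`demo()` returns `(True, True)` for the ID-only receiver and `(True, False)` for the authenticating one: with the ID as the only discriminator, the host with the wrong password is indistinguishable from the real peer, which is the "spoofed VERY easily" case Sam describes. A tampered ID byte on an otherwise valid packet is likewise rejected by the keyed check, since the ID is covered by the MAC.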



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?42343DD6.1090702>