Date:      Sat, 1 Nov 2014 16:56:05 +1100 (EST)
From:      Ian Smith <smithi@nimnet.asn.au>
To:        Gerhard Schmidt <schmidt@ze.tum.de>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: ipfw and carp problems
Message-ID:  <20141101164746.V52402@sola.nimnet.asn.au>
In-Reply-To: <20141029202942.I74058@sola.nimnet.asn.au>
References:  <mailman.63.1414497602.35586.freebsd-questions@freebsd.org> <20141029202942.I74058@sola.nimnet.asn.au>

On Wed, 29 Oct 2014 20:55:16 +1100, Ian Smith wrote:
 > In freebsd-questions Digest, Vol 543, Issue 2, Message: 1
 > On Mon, 27 Oct 2014 15:16:33 +0100 Gerhard Schmidt <schmidt@ze.tum.de> wrote:
 >  > Hi,
 >  > 
 >  > I have a small problem with ipfw and carp.
 >  > 
 >  > I have two servers with two carp IPs and a firewall via ipfw.
 >  > 
 >  > The problem is that ipfw via module defaults to deny. So when the carp
 >  > interfaces are initialized ipfw has no custom rules. Everything is
 >  > denied, even the carp packets. So every time I reboot one of the hosts
 >  > it comes up as master and after the firewall rules are initialized one
 >  > of the servers is demoted to backup, which one seems to be random.
 >  > 
 >  > My problem is that my setup needs a new server to come up as backup
 >  > because it has to replicate the data from the running server before
 >  > being able to act as master. There could be data loss if a newly booted
 >  > server is named master without prior replicating the data.
 >  > 
 >  > Is there a way to ensure that the firewall rules are up before the carp
 >  > interfaces are initialized, or to load the ipfw module with default to
 >  > accept?
 > 
 > The canonical way was to build a custom kernel with ipfw included as per 
 > http://www.freebsd.org/doc/handbook/firewalls-ipfw.html including 
 > 'options IPFIREWALL_DEFAULT_TO_ACCEPT' .. however you can accomplish 
 > this with a GENERIC (or other) kernel by adding to /boot/loader.conf:
 > 
 >   ipfw_load="YES"		# to load the ipfw module early
 > 
 > and adding to /etc/sysctl.conf
 > 
 >   net.inet.ip.fw.enable=0
 >   net.inet6.ip6.fw.enable=0	# if using ipv6
 > 
 > /etc/rc.d/sysctl is run early (on 9.3, first) before other rc.d 
 > scripts including netif and later ipfw, which will then only enable the 
 > firewall after having loaded your ruleset.
 > 
 > I just tested this over ssh to a 9.3 GENERIC box not running ipfw:
 > 
 > root@x200:~/bin # kldload ipfw && sysctl net.inet.ip.fw.enable=0 \
 > 	&& sysctl net.inet6.ip6.fw.enable=0
 > net.inet.ip.fw.enable: 1 -> 0
 > net.inet6.ip6.fw.enable: 1 -> 0
 > root@x200:~/bin # ipfw show
 > 65535 0 0 deny ip from any to any
 > 
 > which would have locked me out had it not worked :)
 > 
 > Of course you must accept that there is a vulnerable window between 
 > starting net interfaces (netif) and starting ipfw, however minuscule.

Excuse replying to my own message, but I've since discovered that you 
could also add 'net.inet.ip.fw.default_to_accept=1' to loader.conf as an 
alternative.  I hadn't twigged that this one is a loader tunable, unlike 
the sysctls mentioned above, and so can be set before ipfw.ko is loaded, 
i.e. before the net.inet.ip[6].fw OIDs even exist.

Please let the list know if either of these methods solves your issue?

cheers, Ian
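A small audit script for the two boot-time arrangements discussed in this thread, added here as an example; it is not code from the thread or from FreeBSD. It reads copies of loader.conf and sysctl.conf (paths are parameters, so it can be pointed at the live /boot/loader.conf and /etc/sysctl.conf or at constructed copies as in the demo) and reports whether the host will come up with the 'default_to_accept' tunable, with the 'ipfw_load' plus 'fw.enable=0' sysctl arrangement, or with neither, in which case the module comes up deny-all and enabled and CARP advertisements are dropped until the ruleset loads. The key names are the real ones quoted above; the function names and the sample file contents are this example's own.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread or from FreeBSD:
# audit loader.conf and sysctl.conf for the two boot-time ipfw arrangements
# described in the thread, so a CARP host can be checked before its next
# reboot instead of at it. Only the real FreeBSD key names from the thread
# are used; file paths are parameters so constructed copies can be checked.

# Print the value of KEY in FILE (last assignment wins, as in the real
# files), with comments, quotes and whitespace stripped. Prints nothing if
# the key is not set.
conf_value() {
    key=$1
    file=$2
    [ -r "$file" ] || return 1
    # escape the dots in sysctl-style names so sed matches them literally
    esc=$(printf '%s' "$key" | sed 's/\./\\./g')
    sed -n -e 's/#.*$//' -e "s/^[[:space:]]*$esc[[:space:]]*=[[:space:]]*//p" "$file" \
        | tail -n 1 | tr -d '"[:space:]'
}

# Classify what ipfw does between ipfw.ko loading and /etc/rc.d/ipfw loading
# the ruleset. Prints exactly one word:
#   tunable - net.inet.ip.fw.default_to_accept=1 in loader.conf: the module
#             comes up with an accept-all rule 65535
#   sysctl  - ipfw_load="YES" in loader.conf and net.inet.ip.fw.enable=0 in
#             sysctl.conf: the module comes up deny-all but is switched off
#             by /etc/rc.d/sysctl until the rules are in place
#   default - neither: deny-all and enabled, so CARP traffic is dropped until
#             the rules load and the freshly booted host elects itself master
ipfw_boot_policy() {
    loader=$1
    sysctl=$2
    if [ "$(conf_value net.inet.ip.fw.default_to_accept "$loader")" = "1" ]; then
        echo tunable
    elif [ "$(conf_value ipfw_load "$loader")" = "YES" ] &&
         [ "$(conf_value net.inet.ip.fw.enable "$sysctl")" = "0" ]; then
        echo sysctl
    else
        echo default
    fi
}

# The IPv6 instance has its own switch; with the sysctl method it must be
# held off too on a host carrying IPv6 (the thread's "if using ipv6" line).
ipfw6_disabled_at_boot() {
    [ "$(conf_value net.inet6.ip6.fw.enable "$1")" = "0" ]
}

# Demonstration on constructed copies of the two files, not a live host.
demo() {
    dir=$(mktemp -d)
    printf 'ipfw_load="YES"\t\t# to load the ipfw module early\n' > "$dir/loader.conf"
    printf 'net.inet.ip.fw.enable=0\nnet.inet6.ip6.fw.enable=0\t# if using ipv6\n' \
        > "$dir/sysctl.conf"
    echo "boot policy: $(ipfw_boot_policy "$dir/loader.conf" "$dir/sysctl.conf")"
    if ipfw6_disabled_at_boot "$dir/sysctl.conf"; then
        echo "ipv6 ipfw also disabled until rules load"
    else
        echo "warning: ipv6 ipfw stays enabled (deny-all) at boot"
    fi
    rm -rf "$dir"
}
demo
```

Either arrangement still leaves the window Ian mentions between netif and rc.d/ipfw: with the tunable the firewall passes everything, with the sysctl method it is disabled, so the check only tells you which of the two open states the host boots into, not that it boots closed.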


