From owner-freebsd-questions@FreeBSD.ORG Sat Nov 1 05:56:10 2014
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 0B8EC804; Sat, 1 Nov 2014 05:56:10 +0000 (UTC)
Received: from sola.nimnet.asn.au (paqi.nimnet.asn.au [115.70.110.159]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 53AB5934; Sat, 1 Nov 2014 05:56:08 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by sola.nimnet.asn.au (8.14.2/8.14.2) with ESMTP id sA15u5jB082849; Sat, 1 Nov 2014 16:56:06 +1100 (EST) (envelope-from smithi@nimnet.asn.au)
Date: Sat, 1 Nov 2014 16:56:05 +1100 (EST)
From: Ian Smith
To: Gerhard Schmidt
Subject: Re: ipfw and carp problems
In-Reply-To: <20141029202942.I74058@sola.nimnet.asn.au>
Message-ID: <20141101164746.V52402@sola.nimnet.asn.au>
References: <20141029202942.I74058@sola.nimnet.asn.au>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Cc: freebsd-questions@freebsd.org
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: User questions
X-List-Received-Date: Sat, 01 Nov 2014 05:56:10 -0000

On Wed, 29 Oct 2014 20:55:16 +1100, Ian Smith wrote:
> In freebsd-questions Digest, Vol 543, Issue 2, Message: 1
> On Mon, 27 Oct 2014 15:16:33 +0100 Gerhard Schmidt wrote:
> > Hi,
> >
> > I have a small problem with ipfw and carp.
> >
> > I have two servers with two carp IPs and a firewall via ipfw.
> >
> > The problem is that ipfw via module defaults to deny. So when the carp
> > interfaces are initialized ipfw has no custom rules. Everything is
> > denied, even the carp packets. So every time I reboot one of the hosts
> > it comes up as master and after the firewall rules are initialized one
> > of the servers is demoted to backup, which one seems to be random.
> >
> > My problem is that my setup needs a new server to come up as backup
> > because it has to replicate the data from the running server before
> > being able to act as master. There could be data loss if a newly booted
> > server is named master without prior replicating the data.
> >
> > Is there a way to ensure that the firewall rules are up before the carp
> > interfaces are initialized, or to load the ipfw module with default to
> > accept?
>
> The canonical way was to build a custom kernel with ipfw included as per
> http://www.freebsd.org/doc/handbook/firewalls-ipfw.html including
> 'options IPFIREWALL_DEFAULT_TO_ACCEPT' .. however you can accomplish
> this with a GENERIC (or other) kernel by adding to /boot/loader.conf:
>
> ipfw_load="YES" # to load the ipfw module early
>
> and adding to /etc/sysctl.conf
>
> net.inet.ip.fw.enable=0
> net.inet6.ip6.fw.enable=0 # if using ipv6
>
> /etc/rc.d/sysctl is run early (on 9.3, first) before other rc.d
> scripts including netif and later ipfw, which will then only enable the
> firewall after having loaded your ruleset.
>
> I just tested this over ssh to a 9.3 GENERIC box not running ipfw:
>
> root@x200:~/bin # kldload ipfw && sysctl net.inet.ip.fw.enable=0 \
> && sysctl net.inet6.ip6.fw.enable=0
> net.inet.ip.fw.enable: 1 -> 0
> net.inet6.ip6.fw.enable: 1 -> 0
> root@x200:~/bin # ipfw show
> 65535 0 0 deny ip from any to any
>
> which would have locked me out had it not worked :)
>
> Of course you must accept that there is a vulnerable window between
> starting net interfaces (netif) and starting ipfw, however minuscule.

Excuse replying to my own message, but I've since discovered that you
could also add 'net.inet.ip.fw.default_to_accept=1' to loader.conf as an
alternative. I hadn't twigged that this one is a loader tunable, unlike
the sysctls mentioned above, and so can be set before ipfw.ko is loaded,
ie before the net.inet.ip[6].fw OIDs even exist.

Please let the list know if either of these methods solves your issue?

cheers, Ian
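As an added example (not part of Ian's or Gerhard's messages), the following POSIX sh helper reads a loader.conf and a sysctl.conf and reports which of the two boot-ordering approaches from the thread they implement: the module loaded early with the firewall switched off in sysctl.conf until rc.d/ipfw installs the ruleset, or the net.inet.ip.fw.default_to_accept=1 loader tunable. The function names conf_get, ipfw_boot_mode and write_samples are my own, and the sample configuration files are constructed here to exercise all three outcomes, including the default-deny state that drops carp traffic during boot.

```shell
#!/bin/sh
# Added example, not from the list post. Classifies how ipfw will behave
# between module load and ruleset install, based only on config files.

# conf_get FILE KEY: print the value of KEY (quotes and whitespace stripped),
# empty if unset. Comments are ignored and the last assignment wins, which is
# how loader.conf and sysctl.conf are read on FreeBSD.
conf_get() {
    key=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for the regex
    sed -n -e 's/#.*//' -e "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$1" \
        | tail -n 1 | tr -d '"' | tr -d '[:space:]'
}

# ipfw_boot_mode LOADER_CONF SYSCTL_CONF prints one of:
#   default-to-accept    : loader tunable set, module comes up allowing traffic
#   early-load-disabled  : module loaded from loader.conf, firewall disabled by
#                          sysctl.conf until rc.d/ipfw loads rules and enables it
#   deny-until-ruleset   : neither fix present, built-in rule 65535 denies all
#                          (carp advertisements included) until the ruleset lands
ipfw_boot_mode() {
    loader=$1; sysctlconf=$2
    accept=$(conf_get "$loader" net.inet.ip.fw.default_to_accept)
    load=$(conf_get "$loader" ipfw_load | tr '[:lower:]' '[:upper:]')
    enable=$(conf_get "$sysctlconf" net.inet.ip.fw.enable)
    if [ "$accept" = "1" ]; then
        echo default-to-accept
    elif [ "$load" = "YES" ] && [ "$enable" = "0" ]; then
        echo early-load-disabled
    else
        echo deny-until-ruleset
    fi
}

# write_samples DIR: constructed config pairs covering the three cases.
write_samples() {
    d=$1
    # Case described in the thread: module loads, nothing turns off default deny.
    printf 'ipfw_load="YES"\n' > "$d/loader.deny"
    : > "$d/sysctl.deny"
    # Method 1 from Ian's first reply.
    printf 'ipfw_load="YES"   # to load the ipfw module early\n' > "$d/loader.m1"
    printf 'net.inet.ip.fw.enable=0\nnet.inet6.ip6.fw.enable=0  # if using ipv6\n' \
        > "$d/sysctl.m1"
    # Method 2 from Ian's follow-up: a loader tunable, so no sysctl.conf entry.
    printf 'net.inet.ip.fw.default_to_accept=1\n' > "$d/loader.m2"
    : > "$d/sysctl.m2"
}

# Stand-alone run: classify each constructed pair and print the result.
tmp=$(mktemp -d) && write_samples "$tmp"
for m in deny m1 m2; do
    printf '%s: %s\n' "$m" "$(ipfw_boot_mode "$tmp/loader.$m" "$tmp/sysctl.$m")"
done
rm -rf "$tmp"
```

On a real host run it as `ipfw_boot_mode /boot/loader.conf /etc/sysctl.conf`. Note that the check only looks at the IPv4 enable knob; if the box carries IPv6 carp traffic, method 1 also needs net.inet6.ip6.fw.enable=0 as Ian's reply shows, and both methods still leave the window between netif and rc.d/ipfw that he points out.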