Filtering CARP interface(s) and 'set skip on lo0'
Kian Mohageri
2008-05-18 22:38:20
Hey all,

I'm trying to clean up my PF rulesets, and I noticed today that a CARP
master connecting to itself (on the CARP IP address) appears to be
filtered even when 'set skip on lo0' is in effect.

At first I suspected that maybe CARP Master to itself is routed
differently in FreeBSD (so it wouldn't actually be on lo0), but a
tcpdump seems to say otherwise.  That is:

> ifconfig carp0
carp0: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
	inet 67.201.255.210 netmask 0xffffffe0
	carp: MASTER vhid 1 advbase 1 advskew 10

> sudo tcpdump -c 3 -n -i lo0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo0, link-type NULL (BSD loopback), capture size 96 bytes
20:36:40.522108 IP 67.201.255.210.65404 > 67.201.255.210.53: 2673+ A? daapiak-mtv.flux.com. (38)
20:36:40.522569 IP 67.201.255.210.53 > 67.201.255.210.65404: 2673 4/9/3 CNAME[|domain]
20:36:40.724506 IP 67.201.255.210.65404 > 67.201.255.210.53: 20823+ PTR? 240.189.73.209.


I tried the archives but couldn't find an explanation about why 'set
skip on lo0' wouldn't apply here, so I'm wondering if any of you could
point me in the right direction.  The simple answer would be for me to
simply filter a little differently so the MASTER can talk to itself,
but I figured this could be a learning experience too.

Is this intended FreeBSD-specific behavior, and if so, what is the
recommended way to deal with it?

Thanks for any pointers,

Kian
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"

Re: Filtering CARP interface(s) and 'set skip on lo0'
Max Laier
2008-05-19 04:11:18
On Monday 19 May 2008 05:38:20 Kian Mohageri wrote:
> Hey all,
>
> I'm trying to clean up my PF rulesets, and I noticed today that a CARP
> master connecting to itself (on the CARP IP address) appears to be
> filtered even when 'set skip on lo0' is in effect.
>
> At first I suspected that maybe CARP Master to itself is routed
> differently in FreeBSD (so it wouldn't actually be on lo0), but a
> tcpdump seems to say otherwise.  That is:
>
> > ifconfig carp0
> carp0: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
> 	inet 67.201.255.210 netmask 0xffffffe0
> 	carp: MASTER vhid 1 advbase 1 advskew 10
>
> > sudo tcpdump -c 3 -n -i lo0
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on lo0, link-type NULL (BSD loopback), capture size 96 bytes
> 20:36:40.522108 IP 67.201.255.210.65404 > 67.201.255.210.53: 2673+ A? daapiak-mtv.flux.com. (38)
> 20:36:40.522569 IP 67.201.255.210.53 > 67.201.255.210.65404: 2673 4/9/3 CNAME[|domain]
> 20:36:40.724506 IP 67.201.255.210.65404 > 67.201.255.210.53: 20823+ PTR? 240.189.73.209.

Just because the packets show up on lo0 "sometime" doesn't mean that they
won't pass through other interfaces before or after.  CARP is special in
that respect and needs special attention.

> I tried the archives but couldn't find an explanation about why 'set
> skip on lo0' wouldn't apply here, so I'm wondering if any of you could
> point me in the right direction.  The simple answer would be for me to
> simply filter a little differently so the MASTER can talk to itself,
> but I figured this could be a learning experience too.
>
> Is this intended FreeBSD-specific behavior, and if so, what is the
> recommended way to deal with it?

The usual advice on how to debug rulesets that block stuff you want to
allow:
 1) Add "log" to all block rules
 2) Listen on pflog0
 3) Generate the traffic pattern you want to pass
 4) Find this offending rule (and also the interface and direction the
    traffic was blocked on)
 5) Insert a rule to allow the traffic in question
 6) Repeat until everything works as required

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
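Steps 1 and 4 of the procedure in the reply above, written out as two small shell filters. This is an added example, not code from this thread or from pf; it assumes pf.conf-style rules on stdin and pflog records in the form `tcpdump -n -e -ttt -i pflog0` prints on FreeBSD, and the sample ruleset and capture inside it are constructed.

```sh
#!/bin/sh
# Added example, not from the thread: steps 1 and 4 of the debugging
# procedure as text filters. Assumes pf.conf-style rules on stdin and pflog
# records in the form 'tcpdump -n -e -ttt -i pflog0' prints on FreeBSD; the
# sample rules and capture at the bottom are constructed for a stand-alone run.

# Step 1: add "log" to every block rule that does not already log. pf puts
# "log" after the action (block, block drop, block return-icmp(...), ...) and
# the optional direction, so the keyword is inserted right there.
add_log_to_block_rules() {
    awk '
    $1 == "block" {
        s = $0 " "   # sentinel blank so "in" in "inet" is not taken as a direction
        if (s !~ /[ \t]log[ \t(]/ &&
            match(s, /^[ \t]*block([ \t]+(drop|return[-a-z0-9]*(\([^)]*\))?))?([ \t]+(in|out))?[ \t]/))
            $0 = substr(s, 1, RLENGTH - 1) " log" substr(s, RLENGTH, length(s) - RLENGTH)
    }
    { print }'
}

# Step 4: count pflog hits per blocking rule together with the interface and
# direction, which is what the reply says to look for. One record looks like:
#   <ts> rule <n>/<sub>(match): <action> <dir> on <if>: <src> > <dst>: ...
summarize_pflog() {
    awk '
    $2 == "rule" && $4 == "block" {
        split($3, r, "/"); iface = $7; sub(/:$/, "", iface)
        hits[r[1] " " $5 " " iface]++
    }
    END { for (k in hits) print "rule " k " hits=" hits[k] }' | sort
}

# Constructed sample ruleset and capture (not real traffic).
SAMPLE_RULES='set skip on lo0
block drop in quick on em0 from <bogons> to any
block return out on em0 proto tcp to port 25
block in log on em0
pass in on em0 proto tcp to port 22'
SAMPLE_PFLOG='00:00:00.000000 rule 2/0(match): block in on em0: 192.0.2.10.40000 > 67.201.255.210.53: UDP, length 38
00:00:00.000212 rule 2/0(match): block in on em0: 192.0.2.10.40001 > 67.201.255.210.53: UDP, length 38
00:00:00.000098 rule 5/0(match): pass in on em0: 192.0.2.10.40002 > 67.201.255.210.22: Flags [S], length 0
00:00:01.102340 rule 3/0(match): block out on em1: 67.201.255.210.51000 > 192.0.2.25.25: Flags [S], length 0'

printf '%s\n' "$SAMPLE_RULES" | add_log_to_block_rules   # step 1 applied to the sample rules
printf '%s\n' "$SAMPLE_PFLOG" | summarize_pflog          # step 4: rule, direction, interface
```

With a real capture, the rule number in the summary is the one `pfctl -vvsr` prints, and the interface column is what answers the question of where the packet was actually blocked.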

Re: Filtering CARP interface(s) and 'set skip on lo0'
Kian Mohageri
2008-05-19 09:27:03
On Mon, May 19, 2008 at 2:11 AM, Max Laier <max@love2party.net> wrote:
> On Monday 19 May 2008 05:38:20 Kian Mohageri wrote:
>> Hey all,
>>
>> I'm trying to clean up my PF rulesets, and I noticed today that a CARP
>> master connecting to itself (on the CARP IP address) appears to be
>> filtered even when 'set skip on lo0' is in effect.
>>
>> At first I suspected that maybe CARP Master to itself is routed
>> differently in FreeBSD (so it wouldn't actually be on lo0), but a
>> tcpdump seems to say otherwise.  That is:
>>
>> > ifconfig carp0
>> carp0: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
>>       inet 67.201.255.210 netmask 0xffffffe0
>>       carp: MASTER vhid 1 advbase 1 advskew 10
>>
>> > sudo tcpdump -c 3 -n -i lo0
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> listening on lo0, link-type NULL (BSD loopback), capture size 96 bytes
>> 20:36:40.522108 IP 67.201.255.210.65404 > 67.201.255.210.53: 2673+ A? daapiak-mtv.flux.com. (38)
>> 20:36:40.522569 IP 67.201.255.210.53 > 67.201.255.210.65404: 2673 4/9/3 CNAME[|domain]
>> 20:36:40.724506 IP 67.201.255.210.65404 > 67.201.255.210.53: 20823+ PTR? 240.189.73.209.
>
> Just because the packets show up on lo0 "sometime" doesn't mean that they
> won't pass through other interfaces before or after.  CARP is special in
> that respect and needs special attention.
>

Does it pass through the CARP interface or does PF just think so?
Tcpdump on carp0 doesn't show anything, and tcpdump on a CARP
interface that's in "backup" only shows the advertisements of the
master, which is why I am/was confused.

-Kian

PS:  Thank you for updating pf in 7.0!
