
Problems with PF and CARP



I have a problem with PF and a CARP host. PF is not passing traffic back to the carp master host. I can see the traffic leaving my external interface, but nothing makes it back into my internal interface. If I down the carp interface on the firewall, traffic passes just fine; bring it back up and it stops my traffic. Nothing gets logged to /var/log/pflog. While the carp interface is up on the firewall it is in backup status. Both hosts are running the i386 snapshot from OpenBSD 3.6 (GENERIC) #55: Sat Sep 11 13:46:53 MDT 2004.

Host 192.168.1.41 is the carp master that I am trying to connect out with.

moon/192.168.1.55 is my gateway/firewall

# ifconfig -a
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
       inet 127.0.0.1 netmask 0xff000000
       inet6 ::1 prefixlen 128
       inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
dc0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
       address: 00:03:6d:14:2c:0f
       media: Ethernet autoselect (100baseTX full-duplex)
       status: active
       inet 192.168.1.55 netmask 0xffffff00 broadcast 192.168.1.255
       inet6 fe80::203:6dff:fe14:2c0f%dc0 prefixlen 64 scopeid 0x1
ep0: flags=8863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST> mtu 1500
       address: 00:20:af:a7:33:f3
       media: Ethernet 10baseT
       inet6 fe80::220:afff:fea7:33f3%ep0 prefixlen 64 scopeid 0x2
       inet 69.170.51.245 netmask 0xfffff800 broadcast 69.170.55.255
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33224
pfsync0: flags=0<> mtu 2020
enc0: flags=0<> mtu 1536
carp0: flags=41<UP,RUNNING> mtu 1500
       carp: BACKUP vhid 1 advbase 1 advskew 0
       inet 192.168.1.41 netmask 0xffffff00



Sep 13 00:01:07 moon /bsd: pf: BAD state: TCP 192.168.1.41:9155 69.170.51.245:64782 216.239.39.99:80 [lo=2837829566 high=2837837756 win=16384 modulator=344918158] [lo=2329487913 high=2329504297 win=8190 modulator=4104031942] 10:10 SA seq=3973724899 ack=2837829566 len=0 ackskew=0 pkts=3:1 dir=in,rev
Sep 13 00:01:07 moon /bsd: pf: State failure on: 1 | 5
Sep 13 00:01:19 moon /bsd: pf: BAD state: TCP 192.168.1.41:9155 69.170.51.245:64782 216.239.39.99:80 [lo=2837829566 high=2837837756 win=16384 modulator=344918158] [lo=2329487913 high=2329504297 win=8190 modulator=4104031942] 10:10 SA seq=3973724899 ack=2837829566 len=0 ackskew=0 pkts=4:1 dir=in,rev
Sep 13 00:01:19 moon /bsd: pf: State failure on: 1 | 5
Sep 13 00:01:43 moon /bsd: pf: BAD state: TCP 192.168.1.41:9155 69.170.51.245:64782 216.239.39.99:80 [lo=2837829566 high=2837837756 win=16384 modulator=344918158] [lo=2329487913 high=2329504297 win=8190 modulator=4104031942] 10:10 SA seq=3973724899 ack=2837829566 len=0 ackskew=0 pkts=5:1 dir=in,rev
Sep 13 00:01:43 moon /bsd: pf: State failure on: 1 | 5
Sep 13 00:02:30 moon /bsd: pf_map_addr: selected address 69.170.51.245
Sep 13 00:02:52 moon last message repeated 2 times
Sep 13 00:04:40 moon last message repeated 4 times



pf.conf ruleset

ext_if="ep0"
int_if="dc0"
set loginterface $ext_if
set block-policy drop
nat on $ext_if inet from $int_if:network to !192.168.1.0/24 -> ($ext_if)
block log all
pass quick on lo0 all
pass in on $int_if inet proto {tcp udp} from $int_if:network to $int_if port { 22, 53 } keep state
pass on $int_if proto carp
pass out from 192.168.1.55 to $int_if:network keep state
#allow nat traffic out
pass in quick on $int_if from $int_if:network to any modulate state
pass out quick on $ext_if from ($ext_if) to any modulate state


tcpdump on the firewall shows something like this
from the inside
00:09:51.821640 192.168.1.41.27601 > 216.109.112.135.80: S [tcp sum ok] 920660534:920660534(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 2072976705 0> (DF) (ttl 64, id 45428)
00:09:57.822488 192.168.1.41.27601 > 216.109.112.135.80: S [tcp sum ok] 920660534:920660534(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 2072976717 0> (DF) (ttl 64, id 49271)
00:10:09.824665 192.168.1.41.27601 > 216.109.112.135.80: S [tcp sum ok] 920660534:920660534(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 2072976741 0> (DF) (ttl 64, id 34850)



from the outside

00:09:51.822363 69.170.51.245.51724 > 216.109.112.135.80: S [tcp sum ok] 2449680799:2449680799(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 2072976705 0> (DF) (ttl 63, id 45428)
00:09:51.842678 216.109.112.135.80 > 69.170.51.245.51724: S [tcp sum ok] 1075598338:1075598338(0) ack 2449680800 win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 2072976705 0> (DF) (ttl 118, id 41699)
00:09:51.842874 69.170.51.245.51724 > 216.109.112.135.80: R [tcp sum ok] 2449680800:2449680800(0) win 0 (DF) (ttl 64, id 45334)
00:09:57.822648 69.170.51.245.51724 > 216.109.112.135.80: S [tcp sum ok] 2449680799:2449680799(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 2072976717 0> (DF) (ttl 63, id 49271)
00:09:57.839134 216.109.112.135.80 > 69.170.51.245.51724: S [bad tcp cksum c0c3!] 1075598338:1075598338(0) ack 2449680800 win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 2072976717 0> (DF) (ttl 118, id 44094)
00:10:09.824851 69.170.51.245.51724 > 216.109.112.135.80: S [tcp sum ok] 2449680799:2449680799(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 2072976741 0> (DF) (ttl 63, id 34850)
00:10:09.845497 216.109.112.135.80 > 69.170.51.245.51724: S [bad tcp cksum c0c3!] 1075598338:1075598338(0) ack 2449680800 win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 2072976741 0> (DF) (ttl 118, id 48854)




from my carp master that can't get out
$ ifconfig -a
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
       inet 127.0.0.1 netmask 0xff000000
       inet6 ::1 prefixlen 128
       inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
sis0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
       address: 00:09:5b:0a:f0:24
       media: Ethernet autoselect (100baseTX full-duplex)
       status: active
       inet 192.168.1.41 netmask 0xffffff00 broadcast 192.168.1.255
       inet6 fe80::209:5bff:fe0a:f024%sis0 prefixlen 64 scopeid 0x1
ep0: flags=8822<BROADCAST,NOTRAILERS,SIMPLEX,MULTICAST> mtu 1500
       address: 00:20:af:a7:33:d4
       media: Ethernet 10baseT
pflog0: flags=0<> mtu 33224
pfsync0: flags=0<> mtu 2020
enc0: flags=0<> mtu 1536
carp0: flags=41<UP,RUNNING> mtu 1500
       carp: MASTER vhid 1 advbase 1 advskew 0
       inet 192.168.1.41 netmask 0xffffff00
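
The "pf: State failure on: 1 | 5" lines in the post name which of pf's TCP window checks the returning SYN-ACK failed. As an added example (not code from the post or from OpenBSD), the decoder below parses a "pf: BAD state:" line and recomputes those checks; it assumes the check order and the MAXACKWINDOW fudge value of pf.c from the OpenBSD 3.x era, and a window scale of 0, which is what the capture in the post negotiates.

```python
import re
# Field layout of the "pf: BAD state:" debug line as pf_print_state() and
# pf_test_state_tcp() emit it on OpenBSD 3.x, taken from the log lines above.
_BAD_STATE = re.compile(
    r"pf: BAD state: TCP \S+ \S+ \S+ "
    r"\[lo=(?P<a_lo>\d+) high=(?P<a_hi>\d+) win=(?P<a_win>\d+) modulator=\d+\] "
    r"\[lo=(?P<b_lo>\d+) high=(?P<b_hi>\d+) win=(?P<b_win>\d+) modulator=\d+\] "
    r"\d+:\d+ (?P<flags>\S+) seq=(?P<seq>\d+) ack=(?P<ack>\d+) len=(?P<len>\d+) "
    r"ackskew=-?\d+ pkts=\d+:\d+ dir=(?:in|out),(?P<rev>rev|fwd)")
MAXACKWINDOW = 0xFFFF + 1500  # assumption: pf.c's fudge-factored constant
MASK = 0xFFFFFFFF

def seq_geq(a, b):
    """SEQ_GEQ(a, b): wrap-around 32-bit sequence comparison, a >= b."""
    return ((a - b) & MASK) < 0x80000000

def failed_checks(line, wscale=0):
    """Numbers of the window checks the packet failed; pf prints them as
    'State failure on: 1 2 3 4 | 5 6' (strict | fuzzy), passes left blank.
    wscale=0 is assumed, as the capture in the post negotiates wscale 0."""
    m = _BAD_STATE.search(line)
    if not m:
        raise ValueError("not a pf BAD state line: %r" % line)
    g = {k: int(v) for k, v in m.groupdict().items() if v.isdigit()}
    # "rev": packet runs against the state's direction, so the sender's window is the 2nd bracket
    if m["rev"] == "rev":
        src_lo, src_hi, dst_lo, dst_win = g["b_lo"], g["b_hi"], g["a_lo"], g["a_win"]
    else:
        src_lo, src_hi, dst_lo, dst_win = g["a_lo"], g["a_hi"], g["b_lo"], g["b_win"]
    seq, ack, flags = g["seq"], g["ack"], m["flags"]
    end = (seq + g["len"] + int("S" in flags) + int("F" in flags)) & MASK
    ackskew = (dst_lo - ack) & MASK
    if ackskew >= 0x80000000:  # reinterpret as signed 32-bit, as the C int does
        ackskew -= 0x100000000
    checks = {
        1: seq_geq(src_hi, end),                                 # last octet inside window
        2: seq_geq(seq, (src_lo - (dst_win << wscale)) & MASK),  # not >1 window back
        3: ackskew >= -MAXACKWINDOW,                             # ack not too far back
        4: ackskew <= (MAXACKWINDOW << wscale),                  # ack not too far forward
        5: seq_geq((src_hi + MAXACKWINDOW) & MASK, end),         # fuzzy form of 1
        6: seq_geq(seq, (src_lo - MAXACKWINDOW) & MASK),         # fuzzy form of 2
    }
    return [n for n, ok in sorted(checks.items()) if not ok]

# Constructed from the first BAD state line in the post; failed_checks(SAMPLE) -> [1, 5]
SAMPLE = ("Sep 13 00:01:07 moon /bsd: pf: BAD state: TCP 192.168.1.41:9155 69.170.51.245:64782 "
          "216.239.39.99:80 [lo=2837829566 high=2837837756 win=16384 modulator=344918158] "
          "[lo=2329487913 high=2329504297 win=8190 modulator=4104031942] 10:10 SA "
          "seq=3973724899 ack=2837829566 len=0 ackskew=0 pkts=3:1 dir=in,rev")
```

For the post's line the SYN-ACK's seq 3973724899 lies far outside the peer window pf recorded (lo=2329487913 high=2329504297), so the strict check 1 and its looser counterpart 5 both fail, while the ack matches exactly (ackskew=0).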


