
List:       openbsd-pf
Subject:    pf failover state problem
From:       ed <ed () ednevitible ! co ! uk>
Date:       2005-12-28 22:24:53
Message-ID: 20051228222453.712f4b64 () workstation

(Also posted on misc@ - someone here may have experience of this
problem)

I have the following pf.conf on two identical firewalls, which combine
two external ISP connections to a single RFC1819 network, providing
complete failover if the ISP drops off the edge of the world.

However, I notice that when I force the firewall to fail over, the
states do not appear to function any longer; new states can be
established just fine though. I am wondering if this is related to the
tagging, or that the firewall has no default gateway, but neither seems
to be a definite cause.

(As most of the rules repeat I have cut the config to just three IP
addresses).

int_network="172.22.96.0/24"
int_if="bge0"

ext_network1="12.22.96.0/24"
ext_if1="dc0"
ext_gw1="12.22.96.1"

ext_network2="94.143.189.0/24"
ext_if2="dc1"
ext_gw2="94.143.189.1"

pri_network="192.168.250.0/24"
pri_if="xl0"

int_carp0="carp0"
ext_carp1="carp1"
ext_carp2="carp2"

outboundports="{ 20,21,22,25,43,53,80,443,2222,11500,60000:65535 }"
mailports="{ 25 }"
webports="{ 80, 443 }"
webmailports="{ 25,80,110,143,443 }"
dnsports="{ 53 }"
webftpports="{ 20,21,80,443,60000:65535 }"
fdlports="{ 25,80,11000 }"

table <abuse_src>
set limit states 100000
scrub in

nat on $ext_if2 inet proto { tcp,icmp,udp } from 172.22.96.15 to any ->\
94.143.189.15 
nat on $ext_if2 inet proto { tcp,icmp,udp } from 172.22.96.16 to any ->\
94.143.189.16 
nat on $ext_if2 inet proto { tcp,icmp,udp } from 172.22.96.17 to any ->\
94.143.189.17

rdr on $ext_if1 proto tcp from any to 212.22.96.15 port $webports -> \
172.22.96.15
rdr on $ext_if2 proto tcp from any to 194.143.189.15 port $webports -> \
172.22.96.15
rdr on $ext_if1 proto tcp from any to 212.22.96.17 port $webports -> \
172.22.96.17 
rdr on $ext_if2 proto tcp from any to 194.143.189.17 port $webports -> \
172.22.96.17

block drop log all
block quick on { $ext_if1, $ext_if2 } from <abuse_src>
pass out keep state

pass in log on $ext_if1 proto { tcp } from any to 172.22.96.15 port \
$webports tag EXT_IF1 keep state 

pass in log on $ext_if2 proto { tcp } from any to 172.22.96.15 port \
$webports tag EXT_IF2 keep state 

pass in log on $ext_if1 proto { tcp } from any to 172.22.96.17 port \
$webports tag EXT_IF1 keep state 
pass in log on $ext_if2 proto { tcp } from any to 172.22.96.17 port \
$webports tag EXT_IF2 keep state

pass in log on $int_if route-to { ( $ext_carp2 $ext_gw2 ) } proto { \
tcp, udp } from $int_network to !$int_network port $outboundports keep \
state

pass in log on $int_if route-to { ( $ext_carp2 $ext_gw2 ) } proto icmp \
from $int_network to !$int_network keep state 

pass out log on $int_if reply-to ( $ext_carp1 $ext_gw1 ) tagged EXT_IF1 \
keep state
pass out log on $int_if reply-to ( $ext_carp2 $ext_gw2 ) tagged EXT_IF2 \
keep state

pass out log on { $ext_if1, $ext_carp1 } route-to ( $ext_carp2 $ext_gw2\
) from { $ext_if2, $ext_carp2 } to any 

pass out log on { $ext_if2, $ext_carp2 } route-to ( $ext_carp1 $ext_gw1\
) from { $ext_if1, $ext_carp1 } to any

###
### carp/pfsync specific, must be here like this in order for the
### failover to work
pass quick on $pri_if proto pfsync
pass quick on { $ext_if1, $ext_if2, $int_if } proto carp keep state

###
### private interface, this is the emergency rule to contact the other
### box should the private/public interface be blocked for some reason,
### we should have this as a reserve
pass quick on $pri_if from $pri_network

pass quick on { lo }



-- 
Regards, Ed http://www.usenix.org.uk - http://irc.is-cool.net 
:%s/Open Source/Free Software/g