NetBSD-Users archive


npf and carp



I am trying to get npf to play nicely with a carp interface and am having trouble.  The basic setup is that two hosts share an IP via carp and I want to connect to that interface (i.e., either host) via ssh.  The following works:

- Carp will switch the interface from host to host
- Ssh connects to either host via its native IP
- Ssh connects to a carp IP only if npf is not active; this is the problem.

I have tried to simplify the npf rules as much as possible to try to isolate the problem.  Below is the npf.conf I am using.  Note that the rules for the native interface (group "external") are equivalent to those for the carp interface (group "external_carp") except for the rule passing the multicast address for carp, which allows the carp switching to take place.  I do not understand why one of the ssh rules works and the other does not.

I would appreciate any help you can offer.  Thanks a lot.

Cheers,
Brook


# /etc/npf.conf

# Native (parent) interface and the carp pseudo-interface on top of it
$ext_if = inet4(xennet3)
$ext_if_carp = inet4(carp0)

# Local network (address masked) and the multicast group carp advertisements use
$localnet = { XXX.XXX.XXX.0/24 }
$multicast_carp = { 224.0.0.18 }

alg "icmp"

procedure "log" {
        log: npflog0
}

# Rules for the native interface
group "external" on $ext_if {
        pass stateful out final all
        pass stateful in final family inet4 proto tcp to $ext_if port ssh apply "log"
}

# Same rules for the carp interface, plus the carp multicast traffic
group "external_carp" on $ext_if_carp {
        pass stateful out final all
        pass stateful in final family inet4 proto tcp to $ext_if_carp port ssh apply "log"
        pass in final from $localnet to $multicast_carp
}

group default {
        pass stateful final proto icmp all apply "log"
        block in all
        block out all
}


