Project

General

Profile

Actions

Bug #598

closed

Need to block carp traffic to hosts self to avoid loops

Added by Scott Ullrich almost 14 years ago. Updated over 12 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
-
Target version:
Start date:
05/14/2010
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
All
Affected Architecture:

Description

block in log quick proto carp from (self) to any

Without this change if the firewall sees traffic for itself (ethernet loop) then it will cause the host to go to backup mode.

Actions #1

Updated by Jim Pingle almost 14 years ago

  • Status changed from New to Resolved

The antispoof directive we already have on each interface should already prevent such looping, or any traffic from entering an interface that has a source address that belongs to the router itself.

Actions #2

Updated by Chris Buechler almost 14 years ago

  • Status changed from Resolved to New

That's not the case, I think because of the state that sending the traffic creates (maybe). Otherwise VMware's looping multicast bug wouldn't flake out CARP and OSPF.

Actions #3

Updated by Scott Ullrich almost 14 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100
Actions #4

Updated by Chris Buechler over 13 years ago

  • Status changed from Feedback to Resolved
Actions #5

Updated by Michele Di Maria over 12 years ago

Hi,
this change is causing a lot of logs in the case there are two nics on the same network segment. See http://forum.pfsense.org/index.php/topic,43102.0.html.
Is it necessary to log this events?

Actions

Also available in: Atom PDF