HAProxy leaving IPFW rule after removing backend or uninstall

  • Greetings,

    HAProxy: 0.59_19

    I noticed that if you enable clientip on a backend and subsequently disable clientip, remove the backend, or even uninstall HAProxy, it always leaves at least one IPFW rule in place. For example:

    00010 767 283204 fwd ::1 tcp from 80 to any in recv hn1

    If you have multiple backends with clientip enabled, HAProxy seems to remove the IPFW rules for all but one. The last one never goes away. Uninstalling HAProxy does not seem to remove the rule either. This rule will break NAT port forwarding if using the same IP and port.

    There is also the default 65535 IPFW rule as well. I'm thinking since I'm not using Captive Portal, with HAProxy uninstalled, IPFW shouldn't be running at all, but I'm a little out of my league.

    After uninstall, HAProxy also leaves this file:

    /tmp/ipfw_4000.haproxy.rules, with contents:

    add 10 fwd localhost tcp from 80 to any in recv hn1

    Perhaps I am doing something wrong or maybe there is an issue with HAProxy (btw, huge fan). What would be a good way to remove the orphaned IPFW fwd rule, and the default 65535 rule? I've read the IPFW man page but didn't want to freewheel without seeking expertise. Finally, should IPFW be running at all if I'm not running HAProxy or Captive Portal? There are only the two IPFW rules.

    Thank you.

  • @lido14
    'Normally' IPFW is not running when only pfSense is used without captive-portal..

    The quickest fix is probably to give pfSense a reboot.. Haproxy loads and configures IPFW if it 'needs' transparent-client-ip with its current config settings.. If none of the backends require this, the IPFW related configuration code is likely completely skipped. It does not remember that it still needs to disable the old ipfw settings.... I guess I need to set a little 'flag' that transparent-client-ip was used and check that to remove the last rules if the current config doesn't use it anymore.. I'm not sure if unloading ipfw itself is possible.. I think there was an issue there...
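An audit helper for the situation described in this thread (added example, not part of the original posts or of the pfSense HAProxy package): it reads `ipfw -a list` style output and reports any `fwd` rules, which are the ones the transparent-client-ip feature installs, plus any leftover `ipfw_*.haproxy.rules` file under `/tmp`. The function names are hypothetical, the sample rule lines are constructed from the report above (the content of the 65535 default rule is assumed), and nothing is deleted; the script only prints what it finds.

```shell
#!/bin/sh
# Audit leftover HAProxy ipfw "fwd" rules on a pfSense/FreeBSD box.
# Only reports; review the output before touching the ruleset.

# Print the rule numbers of fwd rules found on stdin.
# Input is `ipfw -a list` output: NUM PKTS BYTES ACTION ...
orphan_fwd_rules() {
    awk '$4 == "fwd" { print $1 }'
}

# Same check for plain `ipfw list` output (no counters): NUM ACTION ...
orphan_fwd_rules_nocounters() {
    awk '$2 == "fwd" { print $1 }'
}

# List the rules file HAProxy writes under /tmp, if it was left behind.
# $1 is the directory to scan (defaults to /tmp).
leftover_rule_files() {
    dir="${1:-/tmp}"
    find "$dir" -maxdepth 1 -name 'ipfw_*.haproxy.rules' 2>/dev/null
}

# Constructed sample: the fwd rule quoted in the report plus an assumed
# default rule 65535. On a live system pipe `ipfw -a list` instead.
SAMPLE_RULES='00010 767 283204 fwd ::1 tcp from 80 to any in recv hn1
65535 12 3456 allow ip from any to any'

# Demo run on the constructed sample (no root needed, runs offline).
printf '%s\n' "$SAMPLE_RULES" | orphan_fwd_rules | while read -r num; do
    echo "fwd rule $num present; leftover from HAProxy clientip? check it"
done
leftover_rule_files /tmp
```

On a real firewall, run `ipfw -a list | sh -c '. ./ipfw_audit.sh; orphan_fwd_rules'` (or source the functions) and, once a rule is confirmed orphaned, remove it by number with `ipfw delete <num>`; rule 65535 is the kernel's default rule and cannot be deleted while ipfw is loaded.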
