Diffstat (limited to 'contrib/pf/man/pfsync.4')
-rw-r--r--  contrib/pf/man/pfsync.4  166
1 files changed, 156 insertions, 10 deletions
diff --git a/contrib/pf/man/pfsync.4 b/contrib/pf/man/pfsync.4 index 9b22f57..5375a52 100644 --- a/contrib/pf/man/pfsync.4 +++ b/contrib/pf/man/pfsync.4 @@ -1,4 +1,4 @@ -.\" $OpenBSD: pfsync.4,v 1.6 2003/06/06 10:29:41 jmc Exp $ +.\" $OpenBSD: pfsync.4,v 1.16 2004/03/22 21:04:36 jmc Exp $ .\" .\" Copyright (c) 2002 Michael Shalayeff .\" All rights reserved. @@ -32,19 +32,48 @@ .Nm pfsync .Nd packet filter states table logging interface .Sh SYNOPSIS -.Sy device pfsync +.Cd "device pfsync" .Sh DESCRIPTION The -.Nm pfsync -interface is the interface to the packet filter, -.Xr pf 4 , -exposing all the changes to the state table. -This allows for both debugging of rulesets and monitoring -for changes in the table by invoking +.Nm +interface is a pseudo-device which exposes certain changes to the state +table used by +.Xr pf 4 . +State changes can be viewed by invoking .Xr tcpdump 8 on the .Nm interface. +If configured with a physical synchronisation interface, +.Nm +will also send state changes out on that interface using IP multicast, +and insert state changes received on that interface from other systems +into the state table. +.Pp +By default, all local changes to the state table are exposed via +.Nm . +However, state changes from packets received by +.Nm +over the network are not rebroadcast. +States created by a rule marked with the +.Ar no-sync +keyword are omitted from the +.Nm +interface (see +.Xr pf.conf 5 +for details). +.Pp +The +.Nm +interface will attempt to collapse multiple updates of the same +state into one message where possible. +The maximum number of times this can be done before the update is sent out +is controlled by the +.Ar maxupd +to ifconfig. +(see +.Xr ifconfig 8 +and the example below for more details) .Pp Each packet retrieved on this interface has a header associated with it of length 
@@ -63,16 +92,133 @@ struct pfsync_header { u_int8_t count; }; .Ed +.Sh NETWORK SYNCHRONISATION +States can be synchronised between two or more firewalls using this +interface, by specifying a synchronisation interface using +.Xr ifconfig 8 . +For example, the following command sets fxp0 as the synchronisation +interface. +.Bd -literal -offset indent +# ifconfig pfsync0 syncif fxp0 +.Ed +.Pp +State change messages are sent out on the synchronisation +interface using IP multicast packets. +The protocol is IP protocol 240, PFSYNC, and the multicast group +used is 224.0.0.240. +.Pp +It is important that the synchronisation interface be on a trusted +network as there is no authentication on the protocol and it would +be trivial to spoof packets which create states, bypassing the pf ruleset. +Ideally, this is a network dedicated to pfsync messages, +i.e. a crossover cable between two firewalls. +.Pp +There is a one-to-one correspondence between packets seen by +.Xr bpf 4 +on the +.Nm +interface, and packets sent out on the synchronisation interface, i.e.\& +a packet with 4 state deletion messages on +.Nm +means that the same 4 deletions were sent out on the synchronisation +interface. +However, the actual packet contents may differ as the messages +sent over the network are "compressed" where possible, containing +only the necessary information. .Sh EXAMPLES +.Nm +and +.Xr carp 4 +can be used together to provide automatic failover of a pair of firewalls +configured in parallel. +One firewall handles all traffic \- if it dies or +is shut down, the second firewall takes over automatically. +.Pp +Both firewalls in this example have three +.Xr sis 4 +interfaces. +sis0 is the external interface, on the 10.0.0.0/24 subnet, sis1 is the +internal interface, on the 192.168.0.0/24 subnet, and sis2 is the +.Nm +interface, using the 192.168.254.0/24 subnet. +A crossover cable connects the two firewalls via their sis2 interfaces. 
+On all three interfaces, firewall A uses the .254 address, while firewall B +uses .253. +The interfaces are configured as follows (firewall A unless otherwise +indicated): +.Pp +.Pa /etc/hostname.sis0 : +.Bd -literal -offset indent +inet 10.0.0.254 255.255.255.0 NONE +.Ed +.Pp +.Pa /etc/hostname.sis1 : +.Bd -literal -offset indent +inet 192.168.0.254 255.255.255.0 NONE +.Ed +.Pp +.Pa /etc/hostname.sis2 : +.Bd -literal -offset indent +inet 192.168.254.254 255.255.255.0 NONE +.Ed +.Pp +.Pa /etc/hostname.carp0 : +.Bd -literal -offset indent +inet 10.0.0.1 255.255.255.0 10.0.0.255 vhid 1 pass foo +.Ed +.Pp +.Pa /etc/hostname.carp1 : +.Bd -literal -offset indent +inet 192.168.0.1 255.255.255.0 192.168.0.255 vhid 2 pass bar +.Ed +.Pp +.Pa /etc/hostname.pfsync0 : +.Bd -literal -offset indent +up syncif sis2 +.Ed +.Pp +.Xr pf 4 +must also be configured to allow +.Nm +and +.Xr carp 4 +traffic through. +The following should be added to the top of +.Pa /etc/pf.conf : +.Bd -literal -offset indent +pass quick on { sis2 } proto pfsync +pass on { sis0 sis1 } proto carp keep state +.Ed +.Pp +If it is preferable that one firewall handle the traffic, +the +.Ar advskew +on the backup firewall's +.Xr carp 4 +interfaces should be set to something higher than +the primary's. +For example, if firewall B is the backup, its +.Pa /etc/hostname.carp1 +would look like this: +.Bd -literal -offset indent +inet 192.168.0.1 255.255.255.0 192.168.0.255 vhid 2 pass bar \e + advskew 100 +.Ed +.Pp +The following must also be added to +.Pa /etc/sysctl.conf : .Bd -literal -offset indent -# ifconfig pfsync0 up -# tcpdump -s1500 -evtni pfsync0 +net.inet.carp.preempt=1 .Ed .Sh SEE ALSO +.Xr bpf 4 , .Xr inet 4 , .Xr inet6 4 , .Xr netintro 4 , .Xr pf 4 , +.Xr hostname.if 5 , +.Xr pf.conf 5 , +.Xr protocols 5 , .Xr ifconfig 8 , .Xr tcpdump 8 .Sh HISTORY |
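Review bot: in the DESCRIPTION hunk, the `maxupd` sentence is a fragment: ".Ar maxupd / to ifconfig. / (see" closes the sentence with a period before the parenthetical and leaves the parenthetical without terminating punctuation; suggest "is controlled by the .Ar maxupd parameter to .Xr ifconfig 8 ; see .Xr ifconfig 8 and the example below." Also, nothing in the EXAMPLES section of this patch shows `maxupd` (the pfsync0 hostname file is only "up syncif sis2"), so either add a `maxupd` line to that example or drop "the example below" from the cross-reference.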
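Review bot: in the EXAMPLES hunk, the advskew example for firewall B only shows /etc/hostname.carp1, but the same host also owns vhid 1 on carp0; without "advskew 100" on B's carp0 as well, the two virtual hosts can be mastered by different firewalls, so the text should say the skew must be applied to every carp interface on the backup. Separately, the hunk removes the old "# ifconfig pfsync0 up" / "# tcpdump -s1500 -evtni pfsync0" lines, which leaves the DESCRIPTION's "State changes can be viewed by invoking tcpdump(8)" with no worked example; keeping those two lines as a second example under EXAMPLES would restore it. The pf.conf rule "pass quick on { sis2 } proto pfsync" correctly binds the unauthenticated protocol to the crossover interface described in NETWORK SYNCHRONISATION; one sentence noting that pfsync must not be passed on sis0 or sis1 would make the trust boundary explicit.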