- remove OpenBSDisms, add FreeBSDisms

- comment out a feature we do not have yet: tcpdumping on pfsync,
  add a BUGS section
- reference carp.4
- dereference bpf(4), tcpdump(7), hostname.if(5)
- sort references
- tell when pfsync appeared in FreeBSD

Reviewed by:	mlaier
MFC after:	1 week
Gleb Smirnoff 2005-02-23 17:37:39 +00:00
parent 9da3e5bad4
commit 469f8a6aca
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/head/; revision=142319


@ -25,7 +25,7 @@
.\" .\"
.\" $FreeBSD$ .\" $FreeBSD$
.\" .\"
.Dd November 29, 2002 .Dd February 23, 2005
.Dt PFSYNC 4 .Dt PFSYNC 4
.Os .Os
.Sh NAME .Sh NAME
@ -39,14 +39,15 @@ The
interface is a pseudo-device which exposes certain changes to the state interface is a pseudo-device which exposes certain changes to the state
table used by table used by
.Xr pf 4 . .Xr pf 4 .
State changes can be viewed by invoking .\" XXX: not yet!
.Xr tcpdump 8 .\" State changes can be viewed by invoking
on the .\" .Xr tcpdump 8
.Nm .\" on the
interface. .\" .Nm
.\" interface.
If configured with a physical synchronisation interface, If configured with a physical synchronisation interface,
.Nm .Nm
will also send state changes out on that interface using IP multicast, will send state changes out on that interface using IP multicast,
and insert state changes received on that interface from other systems and insert state changes received on that interface from other systems
into the state table. into the state table.
.Pp .Pp
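Review bot: Keeping the tcpdump(8) paragraph in the page as `.\"` comments (the block starting `.\" XXX: not yet!`) leaves dead text that someone must remember to revive when the feature is ported; since the new BUGS section already records that viewing state changes with tcpdump(8) is not available, consider dropping the commented block and relying on BUGS and revision history instead. The change from "will also send state changes" to "will send state changes" is correct, because the "also" pointed at the tcpdump sentence that is no longer shown.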
@ -113,18 +114,19 @@ be trivial to spoof packets which create states, bypassing the pf ruleset.
Ideally, this is a network dedicated to pfsync messages, Ideally, this is a network dedicated to pfsync messages,
i.e. a crossover cable between two firewalls. i.e. a crossover cable between two firewalls.
.Pp .Pp
There is a one-to-one correspondence between packets seen by .\" XXX: not yet!
.Xr bpf 4 .\" There is a one-to-one correspondence between packets seen by
on the .\" .Xr bpf 4
.Nm .\" on the
interface, and packets sent out on the synchronisation interface, i.e.\& .\" .Nm
a packet with 4 state deletion messages on .\" interface, and packets sent out on the synchronisation interface, i.e.\&
.Nm .\" a packet with 4 state deletion messages on
means that the same 4 deletions were sent out on the synchronisation .\" .Nm
interface. .\" means that the same 4 deletions were sent out on the synchronisation
However, the actual packet contents may differ as the messages .\" interface.
sent over the network are "compressed" where possible, containing .\" However, the actual packet contents may differ as the messages
only the necessary information. .\" sent over the network are "compressed" where possible, containing
.\" only the necessary information.
.Sh EXAMPLES .Sh EXAMPLES
.Nm .Nm
and and
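Review bot: The final sentence of the commented-out paragraph (that messages sent over the network are "compressed" where possible and contain only the necessary information) describes the wire format rather than what bpf(4) shows, so it may still hold on FreeBSD and could stay outside the `.\"` comment as a plain statement about the protocol. The retained context about spoofed state-creating packets bypassing the ruleset and the advice to dedicate a crossover link to pfsync is the security-relevant part of this section and is unaffected by the hunk.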
@ -147,34 +149,17 @@ uses .253.
The interfaces are configured as follows (firewall A unless otherwise The interfaces are configured as follows (firewall A unless otherwise
indicated): indicated):
.Pp .Pp
.Pa /etc/hostname.sis0 : Interfaces configuration in
.Pa /etc/rc.conf :
.Bd -literal -offset indent .Bd -literal -offset indent
inet 10.0.0.254 255.255.255.0 NONE cloned_interfaces="carp0 carp1"
.Ed network_interfaces="lo0 sis0 sis1 sis2 carp0 carp1 pfsync0"
.Pp ifconfig_sis0="10.0.0.254/24"
.Pa /etc/hostname.sis1 : ifconfig_sis1="192.168.0.254/24"
.Bd -literal -offset indent ifconfig_sis2="192.168.254.254/24"
inet 192.168.0.254 255.255.255.0 NONE ifconfig_carp0="vhid 1 pass foo 10.0.0.1/24"
.Ed ifconfig_carp1="vhid 2 pass bar 192.168.0.1/24"
.Pp ifconfig_pfsync0="up syncif sis2"
.Pa /etc/hostname.sis2 :
.Bd -literal -offset indent
inet 192.168.254.254 255.255.255.0 NONE
.Ed
.Pp
.Pa /etc/hostname.carp0 :
.Bd -literal -offset indent
inet 10.0.0.1 255.255.255.0 10.0.0.255 vhid 1 pass foo
.Ed
.Pp
.Pa /etc/hostname.carp1 :
.Bd -literal -offset indent
inet 192.168.0.1 255.255.255.0 192.168.0.255 vhid 2 pass bar
.Ed
.Pp
.Pa /etc/hostname.pfsync0 :
.Bd -literal -offset indent
up syncif sis2
.Ed .Ed
.Pp .Pp
.Xr pf 4 .Xr pf 4
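Review bot: The sample CARP passwords (`pass foo`, `pass bar`) now sit in `/etc/rc.conf`, which on FreeBSD is normally readable by every local user, unlike the per-interface hostname.if files the old example used; the example could note that the password authenticates CARP advertisements and that a real deployment should either restrict the file's permissions or otherwise keep the secret out of a world-readable file. Two smaller points: `network_interfaces="lo0 sis0 sis1 sis2 carp0 carp1 pfsync0"` pins an explicit interface list that has to be maintained as hardware changes, whereas the default `network_interfaces="auto"` would normally pick these up once `cloned_interfaces` has created carp0 and carp1, so consider leaving that variable out of the example; and "Interfaces configuration in" should read "Interface configuration in".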
@ -198,11 +183,9 @@ on the backup firewall's
interfaces should be set to something higher than interfaces should be set to something higher than
the primary's. the primary's.
For example, if firewall B is the backup, its For example, if firewall B is the backup, its
.Pa /etc/hostname.carp1 carp1 configuration would look like this:
would look like this:
.Bd -literal -offset indent .Bd -literal -offset indent
inet 192.168.0.1 255.255.255.0 192.168.0.255 vhid 2 pass bar \e ifconfig_carp1="vhid 2 pass bar advskew 100 192.168.0.1/24"
advskew 100
.Ed .Ed
.Pp .Pp
The following must also be added to The following must also be added to
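Review bot: In "its carp1 configuration would look like this:" the interface name is left as bare prose, where the old text marked the file with `.Pa`; since carp1 is now an interface rather than a file, consider `.Li carp1` so the name stands out from the sentence. Collapsing the two-line `advskew 100` continuation into the single `ifconfig_carp1="vhid 2 pass bar advskew 100 192.168.0.1/24"` line is fine and removes the `\e` escape that was only needed for the hostname.if format.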
@ -210,19 +193,28 @@ The following must also be added to
.Bd -literal -offset indent .Bd -literal -offset indent
net.inet.carp.preempt=1 net.inet.carp.preempt=1
.Ed .Ed
.Sh BUGS
Possibility to view state changes using
.Xr tcpdump 8
has not been ported from
.Ox
yet.
.Sh SEE ALSO .Sh SEE ALSO
.Xr bpf 4 , .Xr carp 4 ,
.Xr ifconfig 8 ,
.Xr inet 4 , .Xr inet 4 ,
.Xr inet6 4 , .Xr inet6 4 ,
.Xr netintro 4 , .Xr netintro 4 ,
.Xr pf 4 , .Xr pf 4 ,
.Xr hostname.if 5 ,
.Xr pf.conf 5 , .Xr pf.conf 5 ,
.Xr protocols 5 , .Xr protocols 5 ,
.Xr ifconfig 8 , .Xr rc.conf 5
.Xr tcpdump 8
.Sh HISTORY .Sh HISTORY
The The
.Nm .Nm
device first appeared in device first appeared in
.Ox 3.3 . .Ox 3.3 .
The
.Nm
device was imported to
.Fx 5.3 .
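Review bot: The new SEE ALSO list appears to place `.Xr ifconfig 8 ,` between `.Xr carp 4 ,` and `.Xr inet 4 ,`, which is alphabetical across sections; mdoc convention (and the order the old list used) sorts by section number first and then alphabetically, so ifconfig 8 belongs after `.Xr rc.conf 5`, with the trailing comma moved onto the rc.conf entry. In the BUGS text, "Possibility to view state changes using tcpdump(8) has not been ported from OpenBSD yet" reads better as "The ability to view state changes with tcpdump(8) has not been ported from OpenBSD yet." The HISTORY addition noting the import in FreeBSD 5.3 is good.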