229 lines
6.5 KiB
Groff
229 lines
6.5 KiB
Groff
.\" $OpenBSD: pfsync.4,v 1.16 2004/03/22 21:04:36 jmc Exp $
|
|
.\"
|
|
.\" Copyright (c) 2002 Michael Shalayeff
|
|
.\" All rights reserved.
|
|
.\"
|
|
.\" Redistribution and use in source and binary forms, with or without
|
|
.\" modification, are permitted provided that the following conditions
|
|
.\" are met:
|
|
.\" 1. Redistributions of source code must retain the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer.
|
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer in the
|
|
.\" documentation and/or other materials provided with the distribution.
|
|
.\"
|
|
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
|
|
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
|
|
.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
|
|
.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
|
|
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
|
.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF MIND,
|
|
.\" USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
|
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
|
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
.\"
|
|
.\" $FreeBSD$
|
|
.\"
|
|
.Dd November 29, 2002
|
|
.Dt PFSYNC 4
|
|
.Os
|
|
.Sh NAME
|
|
.Nm pfsync
|
|
.Nd packet filter states table logging interface
|
|
.Sh SYNOPSIS
|
|
.Cd "device pfsync"
|
|
.Sh DESCRIPTION
|
|
The
|
|
.Nm
|
|
interface is a pseudo-device which exposes certain changes to the state
|
|
table used by
|
|
.Xr pf 4 .
|
|
State changes can be viewed by invoking
|
|
.Xr tcpdump 8
|
|
on the
|
|
.Nm
|
|
interface.
|
|
If configured with a physical synchronisation interface,
|
|
.Nm
|
|
will also send state changes out on that interface using IP multicast,
|
|
and insert state changes received on that interface from other systems
|
|
into the state table.
|
|
.Pp
|
|
By default, all local changes to the state table are exposed via
|
|
.Nm .
|
|
However, state changes from packets received by
|
|
.Nm
|
|
over the network are not rebroadcast.
|
|
States created by a rule marked with the
|
|
.Ar no-sync
|
|
keyword are omitted from the
|
|
.Nm
|
|
interface (see
|
|
.Xr pf.conf 5
|
|
for details).
|
|
.Pp
|
|
The
|
|
.Nm
|
|
interface will attempt to collapse multiple updates of the same
|
|
state into one message where possible.
|
|
The maximum number of times this can be done before the update is sent out
|
|
is controlled by the
|
|
.Ar maxupd
|
|
to ifconfig.
|
|
(see
|
|
.Xr ifconfig 8
|
|
and the example below for more details)
|
|
.Pp
|
|
Each packet retrieved on this interface has a header associated
|
|
with it of length
|
|
.Dv PFSYNC_HDRLEN .
|
|
The header indicates the version of the protocol, address family,
|
|
action taken on the following states and the number of state
|
|
table entries attached in this packet.
|
|
This structure, defined in
|
|
.Aq Pa net/if_pfsync.h
|
|
looks like:
|
|
.Bd -literal -offset indent
|
|
struct pfsync_header {
|
|
u_int8_t version;
|
|
u_int8_t af;
|
|
u_int8_t action;
|
|
u_int8_t count;
|
|
};
|
|
.Ed
|
|
.Sh NETWORK SYNCHRONISATION
|
|
States can be synchronised between two or more firewalls using this
|
|
interface, by specifying a synchronisation interface using
|
|
.Xr ifconfig 8 .
|
|
For example, the following command sets fxp0 as the synchronisation
|
|
interface.
|
|
.Bd -literal -offset indent
|
|
# ifconfig pfsync0 syncif fxp0
|
|
.Ed
|
|
.Pp
|
|
State change messages are sent out on the synchronisation
|
|
interface using IP multicast packets.
|
|
The protocol is IP protocol 240, PFSYNC, and the multicast group
|
|
used is 224.0.0.240.
|
|
.Pp
|
|
It is important that the synchronisation interface be on a trusted
|
|
network as there is no authentication on the protocol and it would
|
|
be trivial to spoof packets which create states, bypassing the pf ruleset.
|
|
Ideally, this is a network dedicated to pfsync messages,
|
|
i.e. a crossover cable between two firewalls.
|
|
.Pp
|
|
There is a one-to-one correspondence between packets seen by
|
|
.Xr bpf 4
|
|
on the
|
|
.Nm
|
|
interface, and packets sent out on the synchronisation interface, i.e.\&
|
|
a packet with 4 state deletion messages on
|
|
.Nm
|
|
means that the same 4 deletions were sent out on the synchronisation
|
|
interface.
|
|
However, the actual packet contents may differ as the messages
|
|
sent over the network are "compressed" where possible, containing
|
|
only the necessary information.
|
|
.Sh EXAMPLES
|
|
.Nm
|
|
and
|
|
.Xr carp 4
|
|
can be used together to provide automatic failover of a pair of firewalls
|
|
configured in parallel.
|
|
One firewall handles all traffic \- if it dies or
|
|
is shut down, the second firewall takes over automatically.
|
|
.Pp
|
|
Both firewalls in this example have three
|
|
.Xr sis 4
|
|
interfaces.
|
|
sis0 is the external interface, on the 10.0.0.0/24 subnet, sis1 is the
|
|
internal interface, on the 192.168.0.0/24 subnet, and sis2 is the
|
|
.Nm
|
|
interface, using the 192.168.254.0/24 subnet.
|
|
A crossover cable connects the two firewalls via their sis2 interfaces.
|
|
On all three interfaces, firewall A uses the .254 address, while firewall B
|
|
uses .253.
|
|
The interfaces are configured as follows (firewall A unless otherwise
|
|
indicated):
|
|
.Pp
|
|
.Pa /etc/hostname.sis0 :
|
|
.Bd -literal -offset indent
|
|
inet 10.0.0.254 255.255.255.0 NONE
|
|
.Ed
|
|
.Pp
|
|
.Pa /etc/hostname.sis1 :
|
|
.Bd -literal -offset indent
|
|
inet 192.168.0.254 255.255.255.0 NONE
|
|
.Ed
|
|
.Pp
|
|
.Pa /etc/hostname.sis2 :
|
|
.Bd -literal -offset indent
|
|
inet 192.168.254.254 255.255.255.0 NONE
|
|
.Ed
|
|
.Pp
|
|
.Pa /etc/hostname.carp0 :
|
|
.Bd -literal -offset indent
|
|
inet 10.0.0.1 255.255.255.0 10.0.0.255 vhid 1 pass foo
|
|
.Ed
|
|
.Pp
|
|
.Pa /etc/hostname.carp1 :
|
|
.Bd -literal -offset indent
|
|
inet 192.168.0.1 255.255.255.0 192.168.0.255 vhid 2 pass bar
|
|
.Ed
|
|
.Pp
|
|
.Pa /etc/hostname.pfsync0 :
|
|
.Bd -literal -offset indent
|
|
up syncif sis2
|
|
.Ed
|
|
.Pp
|
|
.Xr pf 4
|
|
must also be configured to allow
|
|
.Nm
|
|
and
|
|
.Xr carp 4
|
|
traffic through.
|
|
The following should be added to the top of
|
|
.Pa /etc/pf.conf :
|
|
.Bd -literal -offset indent
|
|
pass quick on { sis2 } proto pfsync
|
|
pass on { sis0 sis1 } proto carp keep state
|
|
.Ed
|
|
.Pp
|
|
If it is preferable that one firewall handle the traffic,
|
|
the
|
|
.Ar advskew
|
|
on the backup firewall's
|
|
.Xr carp 4
|
|
interfaces should be set to something higher than
|
|
the primary's.
|
|
For example, if firewall B is the backup, its
|
|
.Pa /etc/hostname.carp1
|
|
would look like this:
|
|
.Bd -literal -offset indent
|
|
inet 192.168.0.1 255.255.255.0 192.168.0.255 vhid 2 pass bar \e
|
|
advskew 100
|
|
.Ed
|
|
.Pp
|
|
The following must also be added to
|
|
.Pa /etc/sysctl.conf :
|
|
.Bd -literal -offset indent
|
|
net.inet.carp.preempt=1
|
|
.Ed
|
|
.Sh SEE ALSO
|
|
.Xr bpf 4 ,
|
|
.Xr inet 4 ,
|
|
.Xr inet6 4 ,
|
|
.Xr netintro 4 ,
|
|
.Xr pf 4 ,
|
|
.Xr hostname.if 5 ,
|
|
.Xr pf.conf 5 ,
|
|
.Xr protocols 5 ,
|
|
.Xr ifconfig 8 ,
|
|
.Xr tcpdump 8
|
|
.Sh HISTORY
|
|
The
|
|
.Nm
|
|
device first appeared in
|
|
.Ox 3.3 .
|