Diffstat (limited to 'contrib/pf/man/pfsync.4')
-rw-r--r-- | contrib/pf/man/pfsync.4 | 226 |
1 files changed, 0 insertions, 226 deletions
diff --git a/contrib/pf/man/pfsync.4 b/contrib/pf/man/pfsync.4 deleted file mode 100644 index f7b39df4bcaa8..0000000000000 --- a/contrib/pf/man/pfsync.4 +++ /dev/null 
@@ -1,226 +0,0 @@ -.\" $OpenBSD: pfsync.4,v 1.16 2004/03/22 21:04:36 jmc Exp $ -.\" -.\" Copyright (c) 2002 Michael Shalayeff -.\" All rights reserved. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR -.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. -.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, -.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF MIND, -.\" USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF -.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -.\" -.Dd November 29, 2002 -.Dt PFSYNC 4 -.Os -.Sh NAME -.Nm pfsync -.Nd packet filter states table logging interface -.Sh SYNOPSIS -.Cd "pseudo-device pfsync" -.Sh DESCRIPTION -The -.Nm -interface is a pseudo-device which exposes certain changes to the state -table used by -.Xr pf 4 . -State changes can be viewed by invoking -.Xr tcpdump 8 -on the -.Nm -interface. 
-If configured with a physical synchronisation interface, -.Nm -will also send state changes out on that interface using IP multicast, -and insert state changes received on that interface from other systems -into the state table. -.Pp -By default, all local changes to the state table are exposed via -.Nm . -However, state changes from packets received by -.Nm -over the network are not rebroadcast. -States created by a rule marked with the -.Ar no-sync -keyword are omitted from the -.Nm -interface (see -.Xr pf.conf 5 -for details). -.Pp -The -.Nm -interface will attempt to collapse multiple updates of the same -state into one message where possible. -The maximum number of times this can be done before the update is sent out -is controlled by the -.Ar maxupd -to ifconfig. -(see -.Xr ifconfig 8 -and the example below for more details) -.Pp -Each packet retrieved on this interface has a header associated -with it of length -.Dv PFSYNC_HDRLEN . -The header indicates the version of the protocol, address family, -action taken on the following states and the number of state -table entries attached in this packet. -This structure, defined in -.Aq Pa net/if_pfsync.h -looks like: -.Bd -literal -offset indent -struct pfsync_header { - u_int8_t version; - u_int8_t af; - u_int8_t action; - u_int8_t count; -}; -.Ed -.Sh NETWORK SYNCHRONISATION -States can be synchronised between two or more firewalls using this -interface, by specifying a synchronisation interface using -.Xr ifconfig 8 . -For example, the following command sets fxp0 as the synchronisation -interface. -.Bd -literal -offset indent -# ifconfig pfsync0 syncif fxp0 -.Ed -.Pp -State change messages are sent out on the synchronisation -interface using IP multicast packets. -The protocol is IP protocol 240, PFSYNC, and the multicast group -used is 224.0.0.240. 
-.Pp -It is important that the synchronisation interface be on a trusted -network as there is no authentication on the protocol and it would -be trivial to spoof packets which create states, bypassing the pf ruleset. -Ideally, this is a network dedicated to pfsync messages, -i.e. a crossover cable between two firewalls. -.Pp -There is a one-to-one correspondence between packets seen by -.Xr bpf 4 -on the -.Nm -interface, and packets sent out on the synchronisation interface, i.e.\& -a packet with 4 state deletion messages on -.Nm -means that the same 4 deletions were sent out on the synchronisation -interface. -However, the actual packet contents may differ as the messages -sent over the network are "compressed" where possible, containing -only the necessary information. -.Sh EXAMPLES -.Nm -and -.Xr carp 4 -can be used together to provide automatic failover of a pair of firewalls -configured in parallel. -One firewall handles all traffic \- if it dies or -is shut down, the second firewall takes over automatically. -.Pp -Both firewalls in this example have three -.Xr sis 4 -interfaces. -sis0 is the external interface, on the 10.0.0.0/24 subnet, sis1 is the -internal interface, on the 192.168.0.0/24 subnet, and sis2 is the -.Nm -interface, using the 192.168.254.0/24 subnet. -A crossover cable connects the two firewalls via their sis2 interfaces. -On all three interfaces, firewall A uses the .254 address, while firewall B -uses .253. 
-The interfaces are configured as follows (firewall A unless otherwise -indicated): -.Pp -.Pa /etc/hostname.sis0 : -.Bd -literal -offset indent -inet 10.0.0.254 255.255.255.0 NONE -.Ed -.Pp -.Pa /etc/hostname.sis1 : -.Bd -literal -offset indent -inet 192.168.0.254 255.255.255.0 NONE -.Ed -.Pp -.Pa /etc/hostname.sis2 : -.Bd -literal -offset indent -inet 192.168.254.254 255.255.255.0 NONE -.Ed -.Pp -.Pa /etc/hostname.carp0 : -.Bd -literal -offset indent -inet 10.0.0.1 255.255.255.0 10.0.0.255 vhid 1 pass foo -.Ed -.Pp -.Pa /etc/hostname.carp1 : -.Bd -literal -offset indent -inet 192.168.0.1 255.255.255.0 192.168.0.255 vhid 2 pass bar -.Ed -.Pp -.Pa /etc/hostname.pfsync0 : -.Bd -literal -offset indent -up syncif sis2 -.Ed -.Pp -.Xr pf 4 -must also be configured to allow -.Nm -and -.Xr carp 4 -traffic through. -The following should be added to the top of -.Pa /etc/pf.conf : -.Bd -literal -offset indent -pass quick on { sis2 } proto pfsync -pass on { sis0 sis1 } proto carp keep state -.Ed -.Pp -If it is preferable that one firewall handle the traffic, -the -.Ar advskew -on the backup firewall's -.Xr carp 4 -interfaces should be set to something higher than -the primary's. -For example, if firewall B is the backup, its -.Pa /etc/hostname.carp1 -would look like this: -.Bd -literal -offset indent -inet 192.168.0.1 255.255.255.0 192.168.0.255 vhid 2 pass bar \e - advskew 100 -.Ed -.Pp -The following must also be added to -.Pa /etc/sysctl.conf : -.Bd -literal -offset indent -net.inet.carp.preempt=1 -.Ed -.Sh SEE ALSO -.Xr bpf 4 , -.Xr inet 4 , -.Xr inet6 4 , -.Xr netintro 4 , -.Xr pf 4 , -.Xr hostname.if 5 , -.Xr pf.conf 5 , -.Xr protocols 5 , -.Xr ifconfig 8 , -.Xr tcpdump 8 -.Sh HISTORY -The -.Nm -device first appeared in -.Ox 3.3 . |