From: Sam Wun <swun2010@gmail.com>
To: freebsd-pf@freebsd.org, freebsd-net@freebsd.org
Date: Sat, 9 May 2009 10:54:23 +1000
Subject: Re: Can pfsync be used over router or WAN?
Message-ID: <736c47cb0905081754s32d9414fhe89f1920c8675869@mail.gmail.com>
In-Reply-To: <20090508164432.GW2160@verio.net>
List-Id: "Technical discussion and general questions about packet filter (pf)"

Establishing IPSEC between these 2 pfsync points is a way to go.

On Sat, May 9, 2009 at 2:44 AM, David DeSimone wrote:
> Sam Wun wrote:
>>
>> Has anyone tried pfsync over router or WAN?
>> I have read the setup guide of CARP+pfsync; the pfsync interface is
>> connected through a crossover cable.  Can I connect 2 pfsync
>> interfaces through a router or WAN?
>
> pfsync(4) talks about this:
>
>     NETWORK SYNCHRONISATION
>          States can be synchronised between two or more firewalls using
>          this interface, by specifying a synchronisation interface using
>          ifconfig(8).  For example, the following command sets fxp0 as
>          the synchronisation interface:
>
>            # ifconfig pfsync0 syncdev fxp0
>
>          It is important that the underlying synchronisation interface
>          is up and has an IP address assigned.
>
>          By default, state change messages are sent out on the
>          synchronisation interface using IP multicast packets.  The
>          protocol is IP protocol 240, PFSYNC, and the multicast group
>          used is 224.0.0.240.  When a peer address is specified using
>          the syncpeer keyword, the peer address is used as a destination
>          for the pfsync traffic, and the traffic can then be protected
>          using ipsec(4).  In such a configuration, the syncdev should
>          be set to the enc(4) interface, as this is where the traffic
>          arrives when it is decapsulated, e.g.:
>
>            # ifconfig pfsync0 syncpeer 10.0.0.2 syncdev enc0
>
>          It is important that the pfsync traffic be well secured as
>          there is no authentication on the protocol and it would be
>          trivial to spoof packets which create states, bypassing the
>          pf ruleset.  Either run the pfsync protocol on a trusted
>          network - ideally a network dedicated to pfsync messages such
>          as a crossover cable between two firewalls, or specify a peer
>          address and protect the traffic with ipsec(4).
>
>          For pfsync to start its operation automatically at the system
>          boot time, pfsync_enable and pfsync_syncdev variables should be
>          used in rc.conf(5).  It is not advisable to set up pfsync with
>          common network interface configuration variables of rc.conf(5)
>          because pfsync must start after its syncdev, which cannot be
>          always ensured in the latter case.
>
> Syncing over a WAN doesn't seem like it would make sense, offhand.
> Normally you pfsync between devices that will be able to provide routing
> for a firewalled connection.  A device far across a WAN doesn't seem
> like it would be able to provide redundant service.  But that's up to
> your design, I suppose.
>
> Syncing across a LAN could make sense, but you will want to take steps
> to secure the traffic.
>
> --
> David DeSimone == Network Admin == fox@verio.net
>  "I don't like spinach, and I'm glad I don't, because if I
>   liked it I'd eat it, and I just hate it." -- Clarence Darrow
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
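The pfsync(4) text quoted in the thread allows exactly two deployments: multicast on a syncdev that is a dedicated link, or a syncpeer whose traffic is carried by ipsec(4) and therefore arrives on an enc(4) syncdev. Anything else means unauthenticated state-creating packets cross a shared network. The POSIX sh script below is an added example, not code from the thread or from FreeBSD's own rc.d scripts: it lints an rc.conf-style file for that distinction. The variable names pfsync_enable and pfsync_syncdev come from the quoted man page; pfsync_syncpeer is the rc.conf(5) variable for the syncpeer keyword and is assumed here, as it is not quoted in the thread. The function names and the sample configuration files are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread or FreeBSD's rc.d): classify a pfsync
# configuration in an rc.conf-style file as one of the deployments pfsync(4)
# describes. pfsync_syncpeer is assumed to be the rc.conf(5) name for the
# syncpeer keyword; the helper names below are hypothetical.

# rc_value FILE VAR: print the value of VAR=... (quoted or bare); last assignment wins.
rc_value() {
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"'[:space:]#]*\).*/\1/p" "$1" | tail -n 1
}

# check_pfsync_conf FILE: print a one-word verdict; return 0 if acceptable, 1 if risky.
check_pfsync_conf() {
    enable=$(rc_value "$1" pfsync_enable)
    syncdev=$(rc_value "$1" pfsync_syncdev)
    syncpeer=$(rc_value "$1" pfsync_syncpeer)

    case "$enable" in
        [Yy][Ee][Ss]) ;;
        *) echo disabled; return 0 ;;
    esac
    if [ -z "$syncdev" ]; then
        # pfsync(4) requires a syncdev that is up and addressed.
        echo no-syncdev; return 1
    fi
    if [ -z "$syncpeer" ]; then
        # Multicast to 224.0.0.240 on syncdev: acceptable only when that link is
        # dedicated (e.g. a crossover cable), which a file check cannot prove.
        echo multicast-on-syncdev; return 0
    fi
    # A syncpeer is set. Only an enc(4) syncdev means the unicast pfsync traffic
    # is IPsec-protected; a plain NIC sends it unauthenticated across the network.
    case "$syncdev" in
        enc[0-9]*) echo unicast-over-ipsec; return 0 ;;
        *) echo unicast-unprotected; return 1 ;;
    esac
}

# Constructed sample rc.conf fragments (no real hosts).
CROSSOVER_CONF=$(mktemp); IPSEC_CONF=$(mktemp); WAN_CONF=$(mktemp)
trap 'rm -f "$CROSSOVER_CONF" "$IPSEC_CONF" "$WAN_CONF"' EXIT
cat > "$CROSSOVER_CONF" <<'EOF'
pfsync_enable="YES"
pfsync_syncdev="fxp0"
EOF
cat > "$IPSEC_CONF" <<'EOF'
pfsync_enable="YES"
pfsync_syncpeer="10.0.0.2"
pfsync_syncdev="enc0"
EOF
cat > "$WAN_CONF" <<'EOF'
pfsync_enable="YES"
pfsync_syncpeer="10.0.0.2"   # routed peer, but syncdev is a plain NIC
pfsync_syncdev="fxp0"
EOF

for f in "$CROSSOVER_CONF" "$IPSEC_CONF" "$WAN_CONF"; do
    printf '%s: %s\n' "$f" "$(check_pfsync_conf "$f")"
done
```

The check reads only the configuration file, so a verdict of multicast-on-syncdev still leaves the operator to confirm that the syncdev really is a dedicated link; the unicast-unprotected verdict is the one to treat as a finding, since it is precisely the syncpeer-over-a-routed-path setup the thread asks about, minus the ipsec(4) protection the man page requires.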