Date: Fri, 8 May 2009 11:44:32 -0500
From: "David DeSimone" <fox@verio.net>
To: <freebsd-pf@freebsd.org>
Cc: freebsd-net@freebsd.org
Subject: Re: Can pfsync be used over router or WAN?
Message-ID: <20090508164432.GW2160@verio.net>
In-Reply-To: <736c47cb0905080552r70f45368va5dfa5af24720c1c@mail.gmail.com>
References: <736c47cb0905080552r70f45368va5dfa5af24720c1c@mail.gmail.com>
Sam Wun <swun2010@gmail.com> wrote:
>
> Have anyone tried pfsync over router or WAN?
> I have read setup guide of CARP+pfsync, the pfsync interface is
> connected through a crossover cable. Can I connect 2 pfsync
> interfaces through a router or WAN?

pfsync(4) talks about this:

    NETWORK SYNCHRONISATION
    States can be synchronised between two or more firewalls using this
    interface, by specifying a synchronisation interface using ifconfig(8).
    For example, the following command sets fxp0 as the synchronisation
    interface:

        # ifconfig pfsync0 syncdev fxp0

    It is important that the underlying synchronisation interface is up and
    has an IP address assigned.

    By default, state change messages are sent out on the synchronisation
    interface using IP multicast packets. The protocol is IP protocol 240,
    PFSYNC, and the multicast group used is 224.0.0.240. When a peer address
    is specified using the syncpeer keyword, the peer address is used as a
    destination for the pfsync traffic, and the traffic can then be protected
    using ipsec(4). In such a configuration, the syncdev should be set to the
    enc(4) interface, as this is where the traffic arrives when it is
    decapsulated, e.g.:

        # ifconfig pfsync0 syncpeer 10.0.0.2 syncdev enc0

    It is important that the pfsync traffic be well secured as there is no
    authentication on the protocol and it would be trivial to spoof packets
    which create states, bypassing the pf ruleset. Either run the pfsync
    protocol on a trusted network - ideally a network dedicated to pfsync
    messages such as a crossover cable between two firewalls, or specify a
    peer address and protect the traffic with ipsec(4).

    For pfsync to start its operation automatically at the system boot time,
    pfsync_enable and pfsync_syncdev variables should be used in rc.conf(5).
    It is not advisable to set up pfsync with common network interface
    configuration variables of rc.conf(5) because pfsync must start after its
    syncdev, which cannot be always ensured in the latter case.
Syncing over a WAN doesn't seem like it would make sense, offhand. Normally you pfsync between devices that will be able to provide routing for a firewalled connection. A device far across a WAN doesn't seem like it would be able to provide redundant service. But that's up to your design, I suppose.

Syncing across a LAN could make sense, but you will want to take steps to secure the traffic.

--
David DeSimone == Network Admin == fox@verio.net
"I don't like spinach, and I'm glad I don't, because if I liked it I'd eat it, and I just hate it." -- Clarence Darrow
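The pfsync(4) excerpt quoted above is the whole basis for the security concern: protocol 240 carries no authentication, so a state-creating packet from anywhere other than the dedicated sync link is a ruleset bypass. The following is an added example, not code from the thread or from FreeBSD, showing how a monitor could classify captured IPv4 packets against that policy: pfsync must only appear on the configured syncdev, only from the trusted link, and only to the 224.0.0.240 group or the local syncpeer address. The interface names, the 10.0.0.0/30 link and the sample packets are constructed assumptions.

```python
import ipaddress
import struct

PFSYNC_PROTO = 240                                   # IP protocol number from pfsync(4)
PFSYNC_MCAST = ipaddress.ip_address("224.0.0.240")   # default multicast group from pfsync(4)

def build_ipv4(src: str, dst: str, proto: int, payload: bytes = b"") -> bytes:
    """Construct a minimal IPv4 header + payload (sample input only; checksum left zero)."""
    total = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr + payload

def parse_ipv4(pkt: bytes) -> tuple:
    """Return (proto, src, dst) from a raw IPv4 packet without a link-layer header."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    proto = pkt[9]
    src, dst = struct.unpack("!4s4s", pkt[12:20])
    return proto, ipaddress.ip_address(src), ipaddress.ip_address(dst)

def check_pfsync(pkt: bytes, iface: str, syncdev: str, trusted_net: str, local_addr: str) -> str:
    """Classify one packet seen on `iface`: 'ignore' (not pfsync), 'ok' (on the syncdev,
    from the trusted link, to the multicast group or to us), or a reason string that
    should be alerted on, since an unauthenticated pfsync packet can inject states."""
    proto, src, dst = parse_ipv4(pkt)
    if proto != PFSYNC_PROTO:
        return "ignore"
    if iface != syncdev:
        return f"pfsync seen on {iface}, expected only on {syncdev}"
    if src not in ipaddress.ip_network(trusted_net):
        return f"pfsync from {src} outside trusted link {trusted_net}"
    if dst not in (PFSYNC_MCAST, ipaddress.ip_address(local_addr)):
        return f"pfsync to unexpected destination {dst}"
    return "ok"

# Constructed samples (hypothetical addresses): a dedicated crossover link 10.0.0.0/30 on fxp0.
SAMPLES = [
    ("fxp0", build_ipv4("10.0.0.2", "224.0.0.240", PFSYNC_PROTO)),   # normal peer traffic
    ("em0",  build_ipv4("10.0.0.2", "224.0.0.240", PFSYNC_PROTO)),   # wrong interface
    ("fxp0", build_ipv4("192.0.2.9", "224.0.0.240", PFSYNC_PROTO)),  # source off the sync link
    ("fxp0", build_ipv4("10.0.0.2", "10.0.0.1", 6)),                 # ordinary TCP, ignored
]

def audit(samples=SAMPLES, syncdev="fxp0", trusted_net="10.0.0.0/30", local_addr="10.0.0.1") -> list:
    """Run the check over a list of (interface, packet) pairs and return the verdicts."""
    return [check_pfsync(p, iface, syncdev, trusted_net, local_addr) for iface, p in samples]
```

In a syncpeer-plus-ipsec deployment the same check applies with syncdev set to enc0, so cleartext protocol 240 on any other interface is the anomaly to watch for.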