From owner-freebsd-net@FreeBSD.ORG Fri May 8 17:06:28 2009
Date: Fri, 8 May 2009 11:44:32 -0500
From: "David DeSimone"
Message-ID: <20090508164432.GW2160@verio.net>
Mail-Followup-To: freebsd-pf@freebsd.org, freebsd-net@freebsd.org
In-Reply-To: <736c47cb0905080552r70f45368va5dfa5af24720c1c@mail.gmail.com>
Cc: freebsd-net@freebsd.org
Subject: Re: Can pfsync be used over router or WAN?
X-BeenThere: freebsd-net@freebsd.org
List-Id: Networking and TCP/IP with FreeBSD

Sam Wun wrote:
>
> Has anyone tried pfsync over a router or WAN?
> I have read the setup guide for CARP+pfsync; the pfsync interface is
> connected through a crossover cable. Can I connect 2 pfsync
> interfaces through a router or WAN?

pfsync(4) talks about this:

     NETWORK SYNCHRONISATION
     States can be synchronised between two or more firewalls using this
     interface, by specifying a synchronisation interface using ifconfig(8).
     For example, the following command sets fxp0 as the synchronisation
     interface:

           # ifconfig pfsync0 syncdev fxp0

     It is important that the underlying synchronisation interface is up and
     has an IP address assigned.

     By default, state change messages are sent out on the synchronisation
     interface using IP multicast packets.  The protocol is IP protocol 240,
     PFSYNC, and the multicast group used is 224.0.0.240.  When a peer address
     is specified using the syncpeer keyword, the peer address is used as a
     destination for the pfsync traffic, and the traffic can then be protected
     using ipsec(4).  In such a configuration, the syncdev should be set to
     the enc(4) interface, as this is where the traffic arrives when it is
     decapsulated, e.g.:

           # ifconfig pfsync0 syncpeer 10.0.0.2 syncdev enc0

     It is important that the pfsync traffic be well secured as there is no
     authentication on the protocol and it would be trivial to spoof packets
     which create states, bypassing the pf ruleset.  Either run the pfsync
     protocol on a trusted network - ideally a network dedicated to pfsync
     messages such as a crossover cable between two firewalls, or specify a
     peer address and protect the traffic with ipsec(4).

     For pfsync to start its operation automatically at the system boot time,
     pfsync_enable and pfsync_syncdev variables should be used in rc.conf(5).
     It is not advisable to set up pfsync with common network interface
     configuration variables of rc.conf(5) because pfsync must start after
     its syncdev, which cannot always be ensured in the latter case.

Syncing over a WAN doesn't seem like it would make sense, offhand.  Normally
you pfsync between devices that will be able to provide routing for a
firewalled connection.  A device far across a WAN doesn't seem like it would
be able to provide redundant service.  But that's up to your design, I
suppose.

Syncing across a LAN could make sense, but you will want to take steps to
secure the traffic.

-- 
David DeSimone == Network Admin == fox@verio.net
  "I don't like spinach, and I'm glad I don't, because if I liked it
   I'd eat it, and I just hate it."  -- Clarence Darrow
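The man page text quoted in the reply makes one security claim worth checking on a live segment: pfsync carries no authentication, so any host that can put IP protocol 240 onto the sync network can inject states. The following is an added example (not part of the original message, and not FreeBSD or pf code) of the audit a practitioner would run over a capture from the sync segment. It relies only on the two wire facts quoted above: pfsync is IP protocol 240 and, without a syncpeer, is addressed to multicast group 224.0.0.240. The peer addresses, the ESP protocol number 50 used to represent ipsec(4)-wrapped traffic, and every packet below are constructed for the demonstration; a real run would feed it the IPv4 packets from a pcap of the syncdev.

```python
"""Audit raw IPv4 packets for unprotected or unexpected pfsync traffic.

Added example, not from the original message or from FreeBSD.  Facts used
from pfsync(4): pfsync is IP protocol 240; without a syncpeer it is sent to
multicast 224.0.0.240; with a syncpeer it is unicast and should be wrapped
in ipsec(4).  Peer addresses and sample packets are constructed here.
"""
import ipaddress
import struct

PFSYNC_PROTO = 240                                   # from pfsync(4)
PFSYNC_MCAST = ipaddress.IPv4Address("224.0.0.240")  # from pfsync(4)
ESP_PROTO = 50                                       # IPsec ESP (assumption: how ipsec(4) traffic appears)


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the fixed IPv4 header; return proto, src, dst and payload."""
    if len(pkt) < 20:
        raise ValueError("short packet")
    (ver_ihl, _tos, _total_len, _ident, _flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    return {
        "proto": proto,
        "ttl": ttl,
        "src": ipaddress.IPv4Address(src),
        "dst": ipaddress.IPv4Address(dst),
        "payload": pkt[ihl:],
    }


def classify_pfsync(pkt: bytes, peers: set) -> str:
    """Classify one packet from the pfsync operator's point of view.

    'not-pfsync'    other protocols; ipsec(4)-wrapped pfsync shows up here
                    as ESP, which is what you want to see on a shared LAN
    'multicast'     cleartext pfsync to 224.0.0.240 from a known peer
                    (fine on a dedicated crossover, not on a shared segment)
    'unicast-clear' syncpeer is set but the traffic is not IPsec-protected
    'rogue'         protocol 240 from an address that is not a known peer:
                    with no authentication this host can inject states
    """
    hdr = parse_ipv4(pkt)
    if hdr["proto"] != PFSYNC_PROTO:
        return "not-pfsync"
    if str(hdr["src"]) not in peers:
        return "rogue"
    if hdr["dst"] == PFSYNC_MCAST:
        return "multicast"
    return "unicast-clear"


def build_ipv4(src: str, dst: str, proto: int, payload: bytes = b"") -> bytes:
    """Construct a minimal IPv4 packet for the demo (checksum left as 0)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def audit(packets, peers: set) -> dict:
    """Count classifications; 'rogue' and 'unicast-clear' are findings."""
    counts = {}
    for p in packets:
        kind = classify_pfsync(p, peers)
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed sample: two legitimate firewalls at 10.0.0.1/.2 and one stranger.
PEERS = {"10.0.0.1", "10.0.0.2"}
SAMPLE_PACKETS = [
    build_ipv4("10.0.0.1", "224.0.0.240", PFSYNC_PROTO, b"\x00" * 8),   # default multicast
    build_ipv4("10.0.0.1", "10.0.0.2", PFSYNC_PROTO, b"\x00" * 8),      # syncpeer, no ipsec
    build_ipv4("10.0.0.1", "10.0.0.2", ESP_PROTO, b"\x00" * 8),         # syncpeer + ipsec
    build_ipv4("10.0.0.99", "224.0.0.240", PFSYNC_PROTO, b"\x00" * 8),  # unknown sender
]

if __name__ == "__main__":
    for kind, n in sorted(audit(SAMPLE_PACKETS, PEERS).items()):
        print(f"{kind}: {n}")
```

On a crossover cable the expected result is only `multicast` (or only `not-pfsync` once IPsec is in place); anything classified `rogue` on a shared LAN is exactly the spoofing the man page warns about, and `unicast-clear` means a syncpeer was configured without the enc(4)/ipsec(4) half of the recipe.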