Can pfsync be used over router or WAN?

David DeSimone fox at verio.net
Fri May 8 17:06:28 UTC 2009 

Sam Wun <swun2010 at gmail.com> wrote:
>
> Have anyone tried pfsync over router or WAN?
> I have read setup guide of CARP+pfsync, the pfsync interface is
> connected through a crossover cable.  Can I connect 2 pfsync
> interfaces through a router or WAN?

pfsync(4) talks about this:

    NETWORK SYNCHRONISATION
         States can be synchronised between two or more firewalls using
         this interface, by specifying a synchronisation interface using
         ifconfig(8).  For example, the following command sets fxp0 as
         the synchronisation interface:

           # ifconfig pfsync0 syncdev fxp0

         It is important that the underlying synchronisation interface
         is up and has an IP address assigned.

         By default, state change messages are sent out on the
         synchronisation interface using IP multicast packets.  The
         protocol is IP protocol 240, PFSYNC, and the multicast group
         used is 224.0.0.240.  When a peer address is specified using
         the syncpeer keyword, the peer address is used as a destination
         for the pfsync traffic, and the traffic can then be protected
         using ipsec(4).  In such a configuration, the syncdev should
         be set to the enc(4) interface, as this is where the traffic
         arrives when it is decapsulated, e.g.:

           # ifconfig pfsync0 syncpeer 10.0.0.2 syncdev enc0

         It is important that the pfsync traffic be well secured as
         there is no authentication on the protocol and it would be
         trivial to spoof packets which create states, bypassing the
         pf ruleset.  Either run the pfsync protocol on a trusted
         network - ideally a network dedicated to pfsync messages such
         as a crossover cable between two firewalls, or specify a peer
         address and protect the traffic with ipsec(4).

         For pfsync to start its operation automatically at the system
         boot time, pfsync_enable and pfsync_syncdev variables should be
         used in rc.conf(5).  It is not advisable to set up pfsync with
         common network interface configuration variables of rc.conf(5)
         because pfsync must start after its syncdev, which cannot be
         always ensured in the latter case.

Syncing over a WAN doesn't seem like it would make sense, offhand.
Normally you psync between devices that will be able to provide routing
for a firewalled connection.  A device far across a WAN doesn't seem
like it would be able to provide redundant service.  But that's up to
your design, I suppose.

Syncing across a LAN could make sense, but you will want to take steps
to secure the traffic.

-- 
David DeSimone == Network Admin == fox at verio.net
  "I don't like spinach, and I'm glad I don't, because if I
   liked it I'd eat it, and I just hate it." -- Clarence Darrow


This email message is intended for the use of the person to whom it has been sent, and may contain information that is confidential or legally protected. If you are not the intended recipient or have received this message in error, you are not authorized to copy, distribute, or otherwise use this message or its attachments. Please notify the sender immediately by return e-mail and permanently delete this message and any attachments. Verio, Inc. makes no warranty that this email is error or virus free.  Thank you.

More information about the freebsd-net mailing list