Can pfsync be used over router or WAN?
swun2010 at gmail.com
Sat May 9 00:54:26 UTC 2009
Establish a IPSEC bewteen this 2 pfsync points is a way to go.
On Sat, May 9, 2009 at 2:44 AM, David DeSimone <fox at verio.net> wrote:
> Sam Wun <swun2010 at gmail.com> wrote:
>> Have anyone tried pfsync over router or WAN?
>> I have read setup guide of CARP+pfsync, the pfsync interface is
>> connected through a crossover cable. Can I connect 2 pfsync
>> interfaces through a router or WAN?
> pfsync(4) talks about this:
> NETWORK SYNCHRONISATION
> States can be synchronised between two or more firewalls using
> this interface, by specifying a synchronisation interface using
> ifconfig(8). For example, the following command sets fxp0 as
> the synchronisation interface:
> # ifconfig pfsync0 syncdev fxp0
> It is important that the underlying synchronisation interface
> is up and has an IP address assigned.
> By default, state change messages are sent out on the
> synchronisation interface using IP multicast packets. The
> protocol is IP protocol 240, PFSYNC, and the multicast group
> used is 126.96.36.199. When a peer address is specified using
> the syncpeer keyword, the peer address is used as a destination
> for the pfsync traffic, and the traffic can then be protected
> using ipsec(4). In such a configuration, the syncdev should
> be set to the enc(4) interface, as this is where the traffic
> arrives when it is decapsulated, e.g.:
> # ifconfig pfsync0 syncpeer 10.0.0.2 syncdev enc0
> It is important that the pfsync traffic be well secured as
> there is no authentication on the protocol and it would be
> trivial to spoof packets which create states, bypassing the
> pf ruleset. Either run the pfsync protocol on a trusted
> network - ideally a network dedicated to pfsync messages such
> as a crossover cable between two firewalls, or specify a peer
> address and protect the traffic with ipsec(4).
> For pfsync to start its operation automatically at the system
> boot time, pfsync_enable and pfsync_syncdev variables should be
> used in rc.conf(5). It is not advisable to set up pfsync with
> common network interface configuration variables of rc.conf(5)
> because pfsync must start after its syncdev, which cannot be
> always ensured in the latter case.
> Syncing over a WAN doesn't seem like it would make sense, offhand.
> Normally you psync between devices that will be able to provide routing
> for a firewalled connection. A device far across a WAN doesn't seem
> like it would be able to provide redundant service. But that's up to
> your design, I suppose.
> Syncing across a LAN could make sense, but you will want to take steps
> to secure the traffic.
> David DeSimone == Network Admin == fox at verio.net
> "I don't like spinach, and I'm glad I don't, because if I
> liked it I'd eat it, and I just hate it." -- Clarence Darrow
> This email message is intended for the use of the person to whom it has been sent, and may contain information that is confidential or legally protected. If you are not the intended recipient or have received this message in error, you are not authorized to copy, distribute, or otherwise use this message or its attachments. Please notify the sender immediately by return e-mail and permanently delete this message and any attachments. Verio, Inc. makes no warranty that this email is error or virus free. Thank you.
> freebsd-pf at freebsd.org mailing list
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"
More information about the freebsd-net