docs/85209: pfsync man page corrections
Alexandre Snarskii
snar at eltel.net
Mon Aug 22 10:10:31 UTC 2005
>Number: 85209
>Category: docs
>Synopsis: pfsync man page corrections
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-doc
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: doc-bug
>Submitter-Id: current-users
>Arrival-Date: Mon Aug 22 10:10:16 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator: Alexandre Snarskii
>Release: FreeBSD 5.4-STABLE i386
>Organization:
Eltel JSC
>Environment:
System: FreeBSD pf2.eltel.net 5.4-STABLE FreeBSD 5.4-STABLE #0: Sat Aug 20 14:59:12 MSD 2005 root at pf2.eltel.net:/usr/obj/usr/src/sys/PF i386
>Description:
The manual page for pfsync clearly states that:
State change messages are sent out on the synchronisation interface using
IP multicast packets. The protocol is IP protocol 240, PFSYNC, and the
multicast group used is 224.0.0.240.
but, for IP multicast to work, the interface needs to be configured with
an IP address. (I spent over one hour recognising why it does not work
without an IP address).
Another place in the pfsync man page that should be updated is the following:
pf(4) must also be configured to allow pfsync and carp(4) traffic
through. The following should be added to the top of /etc/pf.conf:
pass quick on { sis2 } proto pfsync
pass on { sis0 sis1 } proto carp keep state
That's ok, but if the user then uncomments the next example in /etc/pf.conf
block in log all
carp packets will be blocked by the firewall. And, as they will be
blocked, both firewalls will become master, and this usually leads to
NAT'ed sessions being dropped.
So, I propose to rewrite the next line in the example
pass on { sis0 sis1 } proto carp keep state
as
pass quick on { sis0 sis1 } proto carp keep state
>How-To-Repeat:
>Fix:
Proposed changes are: after the phrase "The protocol is IP protocol 240,
PFSYNC, and the multicast group used is 224.0.0.240." add the note:
"Note: for IP multicast to work, the synchronisation interface must be configured
with an IP address".
Another change is to rewrite:
pass on { sis0 sis1 } proto carp keep state
as
pass quick on { sis0 sis1 } proto carp keep state
>Release-Note:
>Audit-Trail:
>Unformatted:
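The rule-ordering effect the report describes, modelled as an added example (not pf's own code and not from the man page): a simplified evaluator for pf's last-match-wins semantics, assuming rules match only on direction, interface and protocol, so that the man page's rule set and the proposed one can be compared on the same inbound CARP packet.

```python
# Added example, not pf's or the man page's own code: a minimal model of pf's
# rule evaluation, showing why the PR asks for "quick" on the carp rule.
# Assumption: rules match on direction, interface and protocol only; "log",
# "all" and "keep state" are accepted but ignored; interface lists use { }.

def parse_rule(line):
    """Parse the small pf.conf subset used in the pfsync(4) example."""
    toks = line.split()
    rule = {"action": toks[0], "dir": None, "quick": False,
            "ifaces": None, "proto": None}
    i = 1
    while i < len(toks):
        t = toks[i]
        if t in ("in", "out"):
            rule["dir"] = t
        elif t == "quick":
            rule["quick"] = True
        elif t == "on":                  # "on { sis0 sis1 }"
            end = toks.index("}", i)
            rule["ifaces"] = set(toks[i + 2:end])
            i = end
        elif t == "proto":
            i += 1
            rule["proto"] = toks[i]
        i += 1                           # log / all / keep / state: no effect
    return rule

def matches(rule, pkt):
    return ((rule["dir"] is None or rule["dir"] == pkt["dir"])
            and (rule["ifaces"] is None or pkt["iface"] in rule["ifaces"])
            and (rule["proto"] is None or rule["proto"] == pkt["proto"]))

def evaluate(ruleset, pkt):
    """pf semantics: the LAST matching rule wins, unless it is quick (stop)."""
    decision = "pass"                    # pf's default when nothing matches
    for line in ruleset:
        rule = parse_rule(line)
        if matches(rule, pkt):
            decision = rule["action"]
            if rule["quick"]:
                break
    return decision

# The man page's rules with "block in log all" uncommented below them, and
# the PR's proposed variant with "quick" added to the carp rule.
MANPAGE_RULES = ["pass quick on { sis2 } proto pfsync",
                 "pass on { sis0 sis1 } proto carp keep state",
                 "block in log all"]
PROPOSED_RULES = list(MANPAGE_RULES)
PROPOSED_RULES[1] = "pass quick on { sis0 sis1 } proto carp keep state"
# Constructed sample packet: an inbound CARP advertisement arriving on sis0.
CARP_IN = {"dir": "in", "iface": "sis0", "proto": "carp"}
```

With the man page's ordering the trailing `block in log all` is the last match and wins, so `evaluate(MANPAGE_RULES, CARP_IN)` returns "block"; with `quick` on the carp rule evaluation stops there and the same packet passes.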