pfsync question
rascal
rascal1981 at gmail.com
Sat Jul 11 18:09:33 UTC 2009
Hello all,
I have a question regarding pfsync and configuring it. I guess the first
thing I need to make sure of is that I understand its functionality. As I
understand it, pfsync is used to sync the state tables and the pf.conf file
between two firewalls set up with pfsync/pf/carp.
So I have set up two firewalls in a test environment with the following
configurations (on both firewalls, em0 is the primary interface, em2 is the
heartbeat/crossover connection between the two firewalls, and carp0 has a VIP
assigned to it):
*firewall 1 rc.conf*
# -- sysinstall generated deltas -- # Tue Jun 30 12:57:37 2009
# Created: Tue Jun 30 12:57:37 2009
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
sshd_enable="YES"
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""
gateway_enable="YES"
pfsync_enable="YES"
pfsync_syncdev="em2"
defaultrouter="10.222.5.1"
hostname="firewall1"
network_interfaces="em0 em1 em2 lo0 pfsync0"
cloned_interfaces="carp0"
ifconfig_em0="inet 10.222.5.159 netmask 255.255.255.0"
ifconfig_em2="192.168.0.1 netmask 0xffffff00"
ifconfig_carp0="advskew 200 vhid 1 pass blah 10.222.5.164 netmask 255.255.255.0"
ifconfig_pfsync0="up syncif em2"
*pf.conf*
##### increase limit on states #####
set limit { states 100000, frags 5000 }
##### set our macros #####
#### testing the sync###
ext_if="em0"
int_if="em1"
sync_if="em2"
###### Network Infrastructure ######
infrastructure_ip="{bunch of ips}"
scrub in all
pass quick on $sync_if proto pfsync keep state
pass on { $ext_if, $sync_if } proto carp keep state
#pass on $sync_if proto pfsync
#pass quick on { em2 } proto pfsync keep state
#pass on { em0 em1 } proto carp keep state
*ifconfig output*
em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
ether 00:c0:9f:3d:b9:ad
inet 10.222.5.159 netmask 0xffffff00 broadcast 10.222.5.255
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
em1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
ether 00:c0:9f:3d:b9:ae
media: Ethernet autoselect
status: no carrier
em2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
ether 00:04:23:d6:df:16
inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
media: Ethernet autoselect (1000baseTX <full-duplex>)
status: active
em3: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
ether 00:04:23:d6:df:17
media: Ethernet autoselect
status: no carrier
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33204
pfsync0: flags=41<UP,RUNNING> metric 0 mtu 1460
pfsync: syncdev: em2 syncpeer: 224.0.0.240 maxupd: 128
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
inet6 ::1 prefixlen 128
inet 127.0.0.1 netmask 0xff000000
carp0: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
inet 10.222.5.164 netmask 0xffffff00
carp: MASTER vhid 1 advbase 1 advskew 200
*pfctl -vvss output*
No ALTQ support in kernel
ALTQ related functions disabled
all pfsync 192.168.0.1 -> 224.0.0.240 SINGLE:NO_TRAFFIC
age 10:22:46, expires in 00:00:28, 20964:0 pkts, 2683640:0 bytes
id: 4a582b5900000000 creatorid: 1801692c (no-sync)
all carp 10.222.5.159 -> 224.0.0.18 SINGLE:NO_TRAFFIC
age 10:22:46, expires in 00:00:29, 20957:0 pkts, 1173592:0 bytes
id: 4a582b5900000002 creatorid: 1801692c
all pfsync 224.0.0.240 <- 192.168.0.2 NO_TRAFFIC:SINGLE
age 10:05:54, expires in 00:00:28, 20393:0 pkts, 2610328:0 bytes
id: 4a582b5900000003 creatorid: 1801692c (no-sync)
all carp 224.0.0.18 <- 10.222.5.159 NO_TRAFFIC:SINGLE
age 10:05:25, expires in 00:00:28, 0:0 pkts, 0:0 bytes
id: 4a582cf200000004 creatorid: 3b64bdb5
*pftop output*
pfTop: Up State 1-4/4, View: default, Order: none, Cache: 10000 12:27:19
PR     DIR SRC             DEST           STATE             AGE      EXP      PKTS  BYTES
pfsync Out 192.168.0.1:0   224.0.0.240:0  SINGLE:NO_TRAFFIC 10:23:05 00:00:29 20975 2685048
carp   Out 10.222.5.159:0  224.0.0.18:0   SINGLE:NO_TRAFFIC 10:23:05 00:00:30 20968 1174208
pfsync In  192.168.0.2:0   224.0.0.240:0  NO_TRAFFIC:SINGLE 10:06:13 00:00:29 20404 2611736
carp   In  10.222.5.159:0  224.0.0.18:0   NO_TRAFFIC:SINGLE 10:05:44 00:00:29 0     0
*Firewall 2 rc.conf*
# -- sysinstall generated deltas -- # Tue Jun 30 13:09:12 2009
# Created: Tue Jun 30 13:09:12 2009
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
sshd_enable="YES"
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""
gateway_enable="YES"
pfsync_enable="YES"
pfsync_syncdev="em2"
defaultrouter="10.222.5.1"
hostname="firewall2"
network_interfaces="em0 em1 em2 lo0 pfsync0"
cloned_interfaces="carp0"
ifconfig_em0="inet 10.222.5.160 netmask 255.255.255.0"
ifconfig_em2="192.168.0.2 netmask 0xffffff00"
ifconfig_carp0="advskew 202 vhid 1 pass blah 10.222.5.164 netmask 255.255.255.0"
ifconfig_pfsync0="up syncif em2"
*pf.conf*
##### increase limit on states #####
set limit { states 100000, frags 5000 }
##### set our macros #####
#### testing the sync###
ext_if="em0"
int_if="em1"
sync_if="em2"
###### Network Infrastructure ######
infrastructure_ip="{ bunch of ips }"
pass quick on $sync_if proto pfsync keep state
pass on { $ext_if, $sync_if } proto carp keep state
#pass on $sync_if proto pfsync
#pass quick on { em2 } proto pfsync keep state
#pass on { em0 em1 } proto carp keep state
*ifconfig output*
em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
ether 00:c0:9f:3e:23:9d
inet 10.222.5.160 netmask 0xffffff00 broadcast 10.222.5.255
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
em1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
ether 00:c0:9f:3e:23:9e
media: Ethernet autoselect
status: no carrier
em2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
ether 00:04:23:d6:de:0a
inet 192.168.0.2 netmask 0xffffff00 broadcast 192.168.0.255
media: Ethernet autoselect (1000baseTX <full-duplex>)
status: active
em3: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
ether 00:04:23:d6:de:0b
media: Ethernet autoselect
status: no carrier
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33204
pfsync0: flags=41<UP,RUNNING> metric 0 mtu 1460
pfsync: syncdev: em2 syncpeer: 224.0.0.240 maxupd: 128
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
inet6 ::1 prefixlen 128
inet 127.0.0.1 netmask 0xff000000
carp0: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
inet 10.222.5.164 netmask 0xffffff00
carp: BACKUP vhid 1 advbase 1 advskew 202
*pfctl -vvss output*
No ALTQ support in kernel
ALTQ related functions disabled
all pfsync 224.0.0.240 <- 192.168.0.1 NO_TRAFFIC:SINGLE
age 10:04:48, expires in 00:00:30, 20362:0 pkts, 2606504:0 bytes, rule 0
id: 4a582cf200000000 creatorid: 3b64bdb5 (no-sync)
all carp 10.222.5.159 -> 224.0.0.18 SINGLE:NO_TRAFFIC
age 10:21:40, expires in 00:00:30, 0:0 pkts, 0:0 bytes, rule 1
id: 4a582b5900000002 creatorid: 1801692c
all pfsync 192.168.0.2 -> 224.0.0.240 SINGLE:NO_TRAFFIC
age 10:04:47, expires in 00:00:30, 20354:0 pkts, 2605544:0 bytes, rule 0
id: 4a582cf200000003 creatorid: 3b64bdb5 (no-sync)
all carp 224.0.0.18 <- 10.222.5.159 NO_TRAFFIC:SINGLE
age 10:04:21, expires in 00:00:29, 20337:0 pkts, 1138872:0 bytes, rule 1
id: 4a582cf200000004 creatorid: 3b64bdb5
*pftop output*
pfTop: Up State 1-4/4, View: default, Order: none, Cache: 10000 12:16:18
PR     DIR SRC             DEST           STATE             AGE      EXP      PKTS  BYTES
pfsync In  192.168.0.1:0   224.0.0.240:0  NO_TRAFFIC:SINGLE 10:05:15 00:00:29 20377 2608424
carp   Out 10.222.5.159:0  224.0.0.18:0   SINGLE:NO_TRAFFIC 10:22:07 00:00:29 0     0
pfsync Out 192.168.0.2:0   224.0.0.240:0  SINGLE:NO_TRAFFIC 10:05:14 00:00:29 20369 2607464
carp   In  10.222.5.159:0  224.0.0.18:0   NO_TRAFFIC:SINGLE 10:04:48 00:00:30 20353 1139768
As you can see from pf.conf on firewall1, I have added spacing and the
additional "scrub in all" line, and on firewall2 these are not present. I
guess I am curious, based on what I have presented, whether I am doing
something wrong (must be), whether I have something misconfigured, or whether
pfsync doesn't really sync the two files, just the state table.
Thanks in advance for any help!
--
Matthew
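Added example, not part of Matthew's post: a small POSIX sh script that reads the output of pfctl -vvss and reports whether pfsync is actually replicating states, which is the question the output above leaves open. It relies on two things visible in the posted tables. First, pf never replicates the states of pfsync's own traffic, so those are marked (no-sync) and are always created locally, which means their creatorid identifies the local pf instance. Second, any syncable state that carries a different creatorid can only have arrived over pfsync from the peer. By that test the posted firewall2 table already shows sync working: it holds a carp state with creatorid 1801692c, which is firewall1's id. Two caveats a practitioner would want alongside the check: pfsync replicates states only, never pf.conf, so the rules file has to be copied and reloaded by other means; and pfsync messages carry no authentication, so the sync interface belongs on a dedicated crossover (as it is here) or inside IPsec. The two sample tables below are constructed from the output posted above (the second one is a made-up box that has never heard from its peer); the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): decide from `pfctl -vvss`
# output whether pfsync is replicating states. The observable sign is a
# state whose creatorid belongs to the *peer's* pf instance sitting in
# the local table, plus non-zero packets on the inbound pfsync state.

# Constructed sample: firewall2's table, abbreviated from the post.
# pfsync's own states carry "(no-sync)" and are always created locally.
SAMPLE_FW2='all pfsync 224.0.0.240 <- 192.168.0.1 NO_TRAFFIC:SINGLE
   age 10:04:48, expires in 00:00:30, 20362:0 pkts, 2606504:0 bytes, rule 0
   id: 4a582cf200000000 creatorid: 3b64bdb5 (no-sync)
all carp 10.222.5.159 -> 224.0.0.18 SINGLE:NO_TRAFFIC
   age 10:21:40, expires in 00:00:30, 0:0 pkts, 0:0 bytes, rule 1
   id: 4a582b5900000002 creatorid: 1801692c
all pfsync 192.168.0.2 -> 224.0.0.240 SINGLE:NO_TRAFFIC
   age 10:04:47, expires in 00:00:30, 20354:0 pkts, 2605544:0 bytes, rule 0
   id: 4a582cf200000003 creatorid: 3b64bdb5 (no-sync)
all carp 224.0.0.18 <- 10.222.5.159 NO_TRAFFIC:SINGLE
   age 10:04:21, expires in 00:00:29, 20337:0 pkts, 1138872:0 bytes, rule 1
   id: 4a582cf200000004 creatorid: 3b64bdb5'

# Constructed negative sample: a box that has never received a pfsync
# packet (0 pkts on the inbound pfsync state, only its own creatorid).
SAMPLE_ALONE='all pfsync 224.0.0.240 <- 192.168.0.1 NO_TRAFFIC:SINGLE
   age 00:01:00, expires in 00:00:30, 0:0 pkts, 0:0 bytes, rule 0
   id: 4a582cf200000000 creatorid: 3b64bdb5 (no-sync)
all carp 224.0.0.18 <- 10.222.5.159 NO_TRAFFIC:SINGLE
   age 00:01:00, expires in 00:00:29, 60:0 pkts, 3000:0 bytes, rule 1
   id: 4a582cf200000004 creatorid: 3b64bdb5'

# local_creatorid TABLE: the id of this host's pf instance, taken from a
# (no-sync) state, which is necessarily locally created.
local_creatorid() {
    printf '%s\n' "$1" | awk '/creatorid:/ && /\(no-sync\)/ { print $4; exit }'
}

# peer_state_count TABLE: syncable states created by a different pf
# instance, i.e. states that can only have arrived via pfsync.
peer_state_count() {
    local_id=$(local_creatorid "$1")
    printf '%s\n' "$1" | awk -v me="$local_id" '
        /creatorid:/ && !/\(no-sync\)/ && $4 != me { n++ }
        END { print n + 0 }'
}

# pfsync_rx_packets TABLE: packets counted on the inbound pfsync state
# (multicast 224.0.0.240 from the peer's sync address); 0 if none.
pfsync_rx_packets() {
    printf '%s\n' "$1" | awk '
        /^all pfsync .* <- / { inbound = 1; next }
        inbound && /pkts/ {
            for (i = 1; i < NF; i++)
                if ($(i+1) ~ /^pkts/) { split($i, p, ":"); print p[1]; found = 1; exit }
        }
        { inbound = 0 }
        END { if (!found) print 0 }'
}

# pfsync_status TABLE: OK when the peer's packets arrive and at least one
# peer-created state is present, otherwise NOT SYNCING with the counters.
pfsync_status() {
    rx=$(pfsync_rx_packets "$1")
    peer=$(peer_state_count "$1")
    if [ "$rx" -gt 0 ] && [ "$peer" -gt 0 ]; then
        echo OK
    else
        echo "NOT SYNCING (rx_pkts=$rx peer_states=$peer)"
    fi
}

# On a live box:  pfsync_status "$(pfctl -vvss)"
pfsync_status "$SAMPLE_FW2"
pfsync_status "$SAMPLE_ALONE"
```

Run it on each firewall right after creating a state on the other one (an ssh session through the VIP will do); a peer_states count that stays at zero while rx_pkts climbs means the peer is sending but the local box is dropping or ignoring the updates, which is where the pf rules on the sync interface are the first thing to check.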