From owner-freebsd-doc@FreeBSD.ORG Mon Aug 22 10:10:31 2005
Message-Id: <200508221003.j7MA3X5D026276@pf2.eltel.net>
Date: Mon, 22 Aug 2005 14:03:33 +0400 (MSD)
From: Alexandre Snarskii
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: docs/85209: pfsync man page corrections
Reply-To: Alexandre Snarskii
List-Id: Documentation project

>Number:         85209
>Category:       docs
>Synopsis:       pfsync man page corrections
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-doc
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          doc-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Aug 22 10:10:16 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Alexandre Snarskii
>Release:        FreeBSD 5.4-STABLE i386
>Organization:
Eltel JSC
>Environment:
System: FreeBSD pf2.eltel.net 5.4-STABLE FreeBSD 5.4-STABLE #0: Sat Aug 20 14:59:12 MSD 2005
    root@pf2.eltel.net:/usr/obj/usr/src/sys/PF i386
>Description:
The manual page for pfsync clearly states that:

    State change messages are sent out on the synchronisation interface
    using IP multicast packets. The protocol is IP protocol 240, PFSYNC,
    and the multicast group used is 224.0.0.240.

but, for IP multicast to work, the interface needs to be configured with
an IP address. (I spent over one hour recognising why it does not work
without an IP address.)

Another place in the pfsync man page that should be upgraded is the
following:

    pf(4) must also be configured to allow pfsync and carp(4) traffic
    through. The following should be added to the top of /etc/pf.conf:

        pass quick on { sis2 } proto pfsync
        pass on { sis0 sis1 } proto carp keep state

That's OK, but if the user then uncomments the next example in
/etc/pf.conf,

    block in log all

carp packets will be blocked by the firewall. And, as they will be
blocked, both firewalls will become master, and this usually leads to
NAT'ed sessions being dropped.

So, I propose to rewrite the next line in the example

    pass on { sis0 sis1 } proto carp keep state

as

    pass quick on { sis0 sis1 } proto carp keep state

>How-To-Repeat:
>Fix:
Proposed changes are:

After the phrase "The protocol is IP protocol 240, PFSYNC, and the
multicast group used is 224.0.0.240." add the note:

    "Note: for IP multicast to work, the synchronisation interface must
    be configured with an IP address."

Another change is to rewrite:

    pass on { sis0 sis1 } proto carp keep state

as

    pass quick on { sis0 sis1 } proto carp keep state

>Release-Note:
>Audit-Trail:
>Unformatted:
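The reason the `quick` keyword matters in the report above is pf's evaluation order: rules are checked top to bottom and the last matching rule decides, unless a matching rule carries `quick`, which ends evaluation on the spot. The following is an added example, not code from the PR or from FreeBSD: a small Python model of that evaluation order, run over the two rulesets from the report plus the `block in log all` line the stock /etc/pf.conf example invites the user to uncomment. The packets and rulesets are constructed for the demonstration; the model only understands the handful of rule options that appear in the report (`in`/`out`, `log`, `quick`, `on`, `proto`, `all`, `keep state`) and treats `log` and `keep state` as having no effect on the verdict.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Added example: a minimal model of pf(4) rule evaluation, not pf itself.
# Semantics modelled: rules are evaluated top to bottom, the LAST matching
# rule decides, unless a matching rule has "quick", which stops evaluation.
# A packet that matches no rule is passed, as in pf's default policy.


@dataclass(frozen=True)
class Packet:
    iface: str       # interface the packet is seen on, e.g. "sis0"
    direction: str   # "in" or "out"
    proto: str       # "carp", "pfsync", "tcp", ...


@dataclass(frozen=True)
class Rule:
    action: str                      # "pass" or "block"
    quick: bool                      # stop evaluation when this rule matches
    direction: Optional[str]         # "in", "out" or None (either direction)
    ifaces: Optional[frozenset]      # None means any interface
    proto: Optional[str]             # None means any protocol


# Subset of the pf.conf grammar sufficient for the rules in the report:
#   action [in|out] [log] [quick] [on iface|{ ifaces }] [proto p] [all] [keep state]
RULE_RE = re.compile(
    r"^(?P<action>pass|block)"
    r"(?P<dir>\s+(?:in|out))?"
    r"(?:\s+log)?"
    r"(?P<quick>\s+quick)?"
    r"(?:\s+on\s+(?P<on>\{[^}]*\}|\S+))?"
    r"(?:\s+proto\s+(?P<proto>\S+))?"
    r"(?:\s+all)?"
    r"(?:\s+keep\s+state)?\s*$"
)


def parse_rule(line: str) -> Rule:
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {line!r}")
    on = m.group("on")
    ifaces = frozenset(on.strip("{} ").split()) if on else None
    direction = m.group("dir").strip() if m.group("dir") else None
    return Rule(m.group("action"), m.group("quick") is not None,
                direction, ifaces, m.group("proto"))


def parse_ruleset(text: str) -> list:
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if line:
            rules.append(parse_rule(line))
    return rules


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction and rule.direction != pkt.direction:
        return False
    if rule.ifaces is not None and pkt.iface not in rule.ifaces:
        return False
    if rule.proto and rule.proto != pkt.proto:
        return False
    return True


def evaluate(rules: list, pkt: Packet) -> str:
    """Verdict under pf semantics: last match wins unless a quick rule matches."""
    verdict = "pass"
    for rule in rules:
        if matches(rule, pkt):
            verdict = rule.action
            if rule.quick:
                break
    return verdict


# Constructed rulesets: the man page's rules as quoted in the report, followed
# by the "block in log all" line from the stock /etc/pf.conf example.
ORIGINAL = """
pass quick on { sis2 } proto pfsync
pass on { sis0 sis1 } proto carp keep state
block in log all
"""

PROPOSED = """
pass quick on { sis2 } proto pfsync
pass quick on { sis0 sis1 } proto carp keep state
block in log all
"""

# Constructed sample packets: inbound carp on sis0, inbound pfsync on the
# sync interface sis2, and an unrelated inbound TCP packet.
SAMPLE_PACKETS = {
    "carp": Packet("sis0", "in", "carp"),
    "pfsync": Packet("sis2", "in", "pfsync"),
    "tcp": Packet("sis0", "in", "tcp"),
}


def verdicts(ruleset_text: str) -> dict:
    rules = parse_ruleset(ruleset_text)
    return {name: evaluate(rules, pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, text in (("original", ORIGINAL), ("proposed", PROPOSED)):
        print(name, verdicts(text))
```

Running it shows the failure mode the report describes: with the original rules, the inbound carp packet matches the `pass ... proto carp` rule but evaluation continues, `block in log all` matches last and wins, so carp is blocked while pfsync (already `quick`) still passes. With `quick` added to the carp rule, the pass verdict is final and only the unrelated TCP packet is blocked.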