Date: Sat, 11 Jul 2009 13:44:30 -0400
From: rascal <rascal1981@gmail.com>
To: freebsd-pf@freebsd.org
Subject: pfsync question
Message-ID: <3228ef7c0907111044i55b965d3me10ad146314517bf@mail.gmail.com>
Hello all,

I have a question regarding pfsync and configuring it. I guess the first thing I need to make sure of is that I understand its functionality. As I understand it, pfsync is used to sync the state tables and the pf.conf file between two firewalls set up with pfsync/pf/carp.

So I have set up two firewalls in a test environment with the following configurations (on both firewalls, em0 is the primary interface, em2 is the heartbeat/crossover connection between the two firewalls and carp0 has a VIP assigned to it):

*firewall 1 rc.conf*

# -- sysinstall generated deltas -- # Tue Jun 30 12:57:37 2009
# Created: Tue Jun 30 12:57:37 2009
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
sshd_enable="YES"
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""
gateway_enable="YES"
pfsync_enable="YES"
pfsync_syncdev="em2"
defaultrouter="10.222.5.1"
hostname="firewall1"
network_interfaces="em0 em1 em2 lo0 pfsync0"
cloned_interfaces="carp0"
ifconfig_em0="inet 10.222.5.159 netmask 255.255.255.0"
ifconfig_em2="192.168.0.1 netmask 0xffffff00"
ifconfig_carp0="advskew 200 vhid 1 pass blah 10.222.5.164 netmask 255.255.255.0"
ifconfig_pfsync0="up syncif em2"

*pf.conf*

##### increase limit on states #####
set limit { states 100000, frags 5000 }

##### set our macros #####
#### testing the sync###
ext_if="em0"
int_if="em1"
sync_if="em2"

###### Network Infrastructure ######
infrastructure_ip="{bunch of ips}"

scrub in all

pass quick on $sync_if proto pfsync keep state
pass on { $ext_if, $sync_if } proto carp keep state

#pass on $sync_if proto pfsync
#pass quick on { em2 } proto pfsync keep state
#pass on { em0 em1 } proto carp keep state

*ifconfig output*

em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 00:c0:9f:3d:b9:ad
        inet 10.222.5.159 netmask 0xffffff00 broadcast 10.222.5.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
em1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 00:c0:9f:3d:b9:ae
        media: Ethernet autoselect
        status: no carrier
em2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 00:04:23:d6:df:16
        inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
        media: Ethernet autoselect (1000baseTX <full-duplex>)
        status: active
em3: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 00:04:23:d6:df:17
        media: Ethernet autoselect
        status: no carrier
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33204
pfsync0: flags=41<UP,RUNNING> metric 0 mtu 1460
        pfsync: syncdev: em2 syncpeer: 224.0.0.240 maxupd: 128
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000
carp0: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
        inet 10.222.5.164 netmask 0xffffff00
        carp: MASTER vhid 1 advbase 1 advskew 200

*pfctl -vvss output*

No ALTQ support in kernel
ALTQ related functions disabled
all pfsync 192.168.0.1 -> 224.0.0.240       SINGLE:NO_TRAFFIC
   age 10:22:46, expires in 00:00:28, 20964:0 pkts, 2683640:0 bytes
   id: 4a582b5900000000 creatorid: 1801692c (no-sync)
all carp 10.222.5.159 -> 224.0.0.18       SINGLE:NO_TRAFFIC
   age 10:22:46, expires in 00:00:29, 20957:0 pkts, 1173592:0 bytes
   id: 4a582b5900000002 creatorid: 1801692c
all pfsync 224.0.0.240 <- 192.168.0.2       NO_TRAFFIC:SINGLE
   age 10:05:54, expires in 00:00:28, 20393:0 pkts, 2610328:0 bytes
   id: 4a582b5900000003 creatorid: 1801692c (no-sync)
all carp 224.0.0.18 <- 10.222.5.159       NO_TRAFFIC:SINGLE
   age 10:05:25, expires in 00:00:28, 0:0 pkts, 0:0 bytes
   id: 4a582cf200000004 creatorid: 3b64bdb5

*pftop output*

pfTop: Up State 1-4/4, View: default, Order: none, Cache: 10000          12:27:19
PR      DIR SRC                 DEST                STATE              AGE      EXP      PKTS   BYTES
pfsync  Out 192.168.0.1:0       224.0.0.240:0       SINGLE:NO_TRAFFIC  10:23:05 00:00:29 20975  2685048
carp    Out 10.222.5.159:0      224.0.0.18:0        SINGLE:NO_TRAFFIC  10:23:05 00:00:30 20968  1174208
pfsync  In  192.168.0.2:0       224.0.0.240:0       NO_TRAFFIC:SINGLE  10:06:13 00:00:29 20404  2611736
carp    In  10.222.5.159:0      224.0.0.18:0        NO_TRAFFIC:SINGLE  10:05:44 00:00:29 0      0

*Firewall 2 rc.conf*

# -- sysinstall generated deltas -- # Tue Jun 30 13:09:12 2009
# Created: Tue Jun 30 13:09:12 2009
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.
sshd_enable="YES"
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""
gateway_enable="YES"
pfsync_enable="YES"
pfsync_syncdev="em2"
defaultrouter="10.222.5.1"
hostname="firewall2"
network_interfaces="em0 em1 em2 lo0 pfsync0"
cloned_interfaces="carp0"
ifconfig_em0="inet 10.222.5.160 netmask 255.255.255.0"
ifconfig_em2="192.168.0.2 netmask 0xffffff00"
ifconfig_carp0="advskew 202 vhid 1 pass blah 10.222.5.164 netmask 255.255.255.0"
ifconfig_pfsync0="up syncif em2"

*pf.conf*

##### increase limit on states #####
set limit { states 100000, frags 5000 }
##### set our macros #####
#### testing the sync###
ext_if="em0"
int_if="em1"
sync_if="em2"
###### Network Infrastructure ######
infrastructure_ip="{ bunch of ips }"
pass quick on $sync_if proto pfsync keep state
pass on { $ext_if, $sync_if } proto carp keep state
#pass on $sync_if proto pfsync
#pass quick on { em2 } proto pfsync keep state
#pass on { em0 em1 } proto carp keep state

*ifconfig output*

em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 00:c0:9f:3e:23:9d
        inet 10.222.5.160 netmask 0xffffff00 broadcast 10.222.5.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
em1: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 00:c0:9f:3e:23:9e
        media: Ethernet autoselect
        status: no carrier
em2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 00:04:23:d6:de:0a
        inet 192.168.0.2 netmask 0xffffff00 broadcast 192.168.0.255
        media: Ethernet autoselect (1000baseTX <full-duplex>)
        status: active
em3: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
        ether 00:04:23:d6:de:0b
        media: Ethernet autoselect
        status: no carrier
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33204
pfsync0: flags=41<UP,RUNNING> metric 0 mtu 1460
        pfsync: syncdev: em2 syncpeer: 224.0.0.240 maxupd: 128
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000
carp0: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
        inet 10.222.5.164 netmask 0xffffff00
        carp: BACKUP vhid 1 advbase 1 advskew 202

*pfctl -vvss output*

No ALTQ support in kernel
ALTQ related functions disabled
all pfsync 224.0.0.240 <- 192.168.0.1       NO_TRAFFIC:SINGLE
   age 10:04:48, expires in 00:00:30, 20362:0 pkts, 2606504:0 bytes, rule 0
   id: 4a582cf200000000 creatorid: 3b64bdb5 (no-sync)
all carp 10.222.5.159 -> 224.0.0.18       SINGLE:NO_TRAFFIC
   age 10:21:40, expires in 00:00:30, 0:0 pkts, 0:0 bytes, rule 1
   id: 4a582b5900000002 creatorid: 1801692c
all pfsync 192.168.0.2 -> 224.0.0.240       SINGLE:NO_TRAFFIC
   age 10:04:47, expires in 00:00:30, 20354:0 pkts, 2605544:0 bytes, rule 0
   id: 4a582cf200000003 creatorid: 3b64bdb5 (no-sync)
all carp 224.0.0.18 <- 10.222.5.159       NO_TRAFFIC:SINGLE
   age 10:04:21, expires in 00:00:29, 20337:0 pkts, 1138872:0 bytes, rule 1
   id: 4a582cf200000004 creatorid: 3b64bdb5

*pftop output*

pfTop: Up State 1-4/4, View: default, Order: none, Cache: 10000          12:16:18
PR      DIR SRC                 DEST                STATE              AGE      EXP      PKTS   BYTES
pfsync  In  192.168.0.1:0       224.0.0.240:0       NO_TRAFFIC:SINGLE  10:05:15 00:00:29 20377  2608424
carp    Out 10.222.5.159:0      224.0.0.18:0        SINGLE:NO_TRAFFIC  10:22:07 00:00:29 0      0
pfsync  Out 192.168.0.2:0       224.0.0.240:0       SINGLE:NO_TRAFFIC  10:05:14 00:00:29 20369  2607464
carp    In  10.222.5.159:0      224.0.0.18:0        NO_TRAFFIC:SINGLE  10:04:48 00:00:30 20353  1139768

As you can see from pf.conf on firewall1, I have added spacing and the additional "scrub in all" line, and on firewall2 these are not present. I guess I am curious, based on what I have presented, whether I am doing something wrong (must be), or whether I have something misconfigured, or whether pfsync doesn't really sync the two files, just the state table.

Thanks in advance for any help!

--
Matthew
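An added example, not part of the original message: pfsync(4) replicates only the pf state table, so the two rulesets have to be kept identical by the administrator. The script below normalizes two pf.conf files so that comments, blank lines and whitespace (the "spacing" differences in the post) drop out and only policy differences such as the extra "scrub in all" remain, and it reads the PKTS column of the "pfsync In" row from pftop output to confirm that the peer's state updates are actually arriving. The sample files are constructed from the configurations quoted above; the function names are this example's own.

```shell
# Added example, not from the original post: pfsync syncs states only, so
# check (a) that both rulesets enforce the same policy and (b) that pfsync
# traffic from the peer is being received at all.
SAMPLE_DIR=$(mktemp -d)
FW1_CONF="$SAMPLE_DIR/fw1.pf.conf"; FW2_CONF="$SAMPLE_DIR/fw2.pf.conf"
PFTOP_FW1="$SAMPLE_DIR/pftop.fw1"
# Constructed sample inputs, reduced from the two pf.conf files in the post.
cat > "$FW1_CONF" <<'EOF'
##### increase limit on states #####
set limit { states 100000, frags 5000 }
ext_if="em0"
sync_if="em2"
infrastructure_ip="{bunch of ips}"
scrub in all
pass quick on $sync_if proto pfsync keep state
pass on { $ext_if, $sync_if } proto carp keep state
EOF
cat > "$FW2_CONF" <<'EOF'
set limit { states 100000, frags 5000 }
ext_if="em0"
sync_if="em2"
infrastructure_ip="{ bunch of ips }"
pass quick on $sync_if proto pfsync keep state
pass on { $ext_if, $sync_if } proto carp keep state
EOF
cat > "$PFTOP_FW1" <<'EOF'
PR DIR SRC DEST STATE AGE EXP PKTS BYTES
pfsync In 192.168.0.2:0 224.0.0.240:0 NO_TRAFFIC:SINGLE 10:06:13 00:00:29 20404 2611736
EOF

# Strip comments, blank lines and whitespace differences (including the
# spacing inside { } lists) so that only semantic differences remain.
normalize_ruleset() {
    sed -e 's/#.*$//' -e 's/[[:space:]]\{1,\}/ /g' -e 's/{ */{/g' -e 's/ *}/}/g' \
        -e 's/^ //' -e 's/ $//' "$1" | grep -v '^$' || true
}

# Print the lines present in only one of the two normalized rulesets;
# empty output means both firewalls enforce the same policy.
ruleset_diff() {
    normalize_ruleset "$1" > "$SAMPLE_DIR/a"; normalize_ruleset "$2" > "$SAMPLE_DIR/b"
    diff "$SAMPLE_DIR/a" "$SAMPLE_DIR/b" | grep '^[<>]' || true
}

# Packets received from the peer over pfsync (PKTS column of the "In" row);
# 0 means no state updates are arriving even if CARP itself still fails over.
pfsync_inbound_pkts() {
    awk '$1 == "pfsync" && $2 == "In" { print $8 }' "$1"
}
```

Run on a live pair, the same two functions can be pointed at /etc/pf.conf copied from each node and at `pftop -b` output to catch a ruleset drift that pfsync will never correct.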