Date: Sat, 9 May 2009 10:54:23 +1000
From: Sam Wun <swun2010@gmail.com>
To: freebsd-pf@freebsd.org, freebsd-net@freebsd.org
Subject: Re: Can pfsync be used over router or WAN?
Message-ID: <736c47cb0905081754s32d9414fhe89f1920c8675869@mail.gmail.com>
In-Reply-To: <20090508164432.GW2160@verio.net>
References: <736c47cb0905080552r70f45368va5dfa5af24720c1c@mail.gmail.com> <20090508164432.GW2160@verio.net>
Establishing IPSEC between these 2 pfsync points is a way to go.

On Sat, May 9, 2009 at 2:44 AM, David DeSimone <fox@verio.net> wrote:
> Sam Wun <swun2010@gmail.com> wrote:
>>
>> Has anyone tried pfsync over a router or WAN?
>> I have read the setup guide of CARP+pfsync; the pfsync interface is
>> connected through a crossover cable.  Can I connect 2 pfsync
>> interfaces through a router or WAN?
>
> pfsync(4) talks about this:
>
>     NETWORK SYNCHRONISATION
>          States can be synchronised between two or more firewalls using
>          this interface, by specifying a synchronisation interface using
>          ifconfig(8).  For example, the following command sets fxp0 as
>          the synchronisation interface:
>
>            # ifconfig pfsync0 syncdev fxp0
>
>          It is important that the underlying synchronisation interface
>          is up and has an IP address assigned.
>
>          By default, state change messages are sent out on the
>          synchronisation interface using IP multicast packets.  The
>          protocol is IP protocol 240, PFSYNC, and the multicast group
>          used is 224.0.0.240.  When a peer address is specified using
>          the syncpeer keyword, the peer address is used as a destination
>          for the pfsync traffic, and the traffic can then be protected
>          using ipsec(4).  In such a configuration, the syncdev should
>          be set to the enc(4) interface, as this is where the traffic
>          arrives when it is decapsulated, e.g.:
>
>            # ifconfig pfsync0 syncpeer 10.0.0.2 syncdev enc0
>
>          It is important that the pfsync traffic be well secured as
>          there is no authentication on the protocol and it would be
>          trivial to spoof packets which create states, bypassing the
>          pf ruleset.  Either run the pfsync protocol on a trusted
>          network - ideally a network dedicated to pfsync messages such
>          as a crossover cable between two firewalls, or specify a peer
>          address and protect the traffic with ipsec(4).
>
>          For pfsync to start its operation automatically at the system
>          boot time, pfsync_enable and pfsync_syncdev variables should be
>          used in rc.conf(5).  It is not advisable to set up pfsync with
>          common network interface configuration variables of rc.conf(5)
>          because pfsync must start after its syncdev, which cannot be
>          always ensured in the latter case.
>
> Syncing over a WAN doesn't seem like it would make sense, offhand.
> Normally you pfsync between devices that will be able to provide routing
> for a firewalled connection.  A device far across a WAN doesn't seem
> like it would be able to provide redundant service.  But that's up to
> your design, I suppose.
>
> Syncing across a LAN could make sense, but you will want to take steps
> to secure the traffic.
>
> --
> David DeSimone == Network Admin == fox@verio.net
>  "I don't like spinach, and I'm glad I don't, because if I
>   liked it I'd eat it, and I just hate it."
> -- Clarence Darrow
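The pfsync(4) excerpt quoted above names the pieces (syncpeer, syncdev enc0, ipsec(4), the rc.conf variables) but does not show them assembled. What follows is an added example, written for this archive page and not taken from the thread, the pfsync(4) manual or the FreeBSD project: a POSIX sh script that emits the rc.conf(5), setkey(8) policy and pf.conf fragments for a unicast pfsync peer whose traffic is carried in transport-mode ESP. The addresses 10.0.0.1 (local) and 10.0.0.2 (peer) and the interfaces em0 and enc0 are placeholders; the security associations for the policies are assumed to come from an IKE daemon or manual setkey "add" lines and are not shown.

```sh
#!/bin/sh
# Added example (not from the thread or the pfsync(4) man page): emit the
# FreeBSD configuration fragments for unicast pfsync protected by IPsec.
# Addresses (10.0.0.1 local, 10.0.0.2 peer) and interfaces (em0, enc0) are
# placeholders; the rc.conf variables and the setkey/pf syntax are real.

# is_ipv4 ADDR: crude dotted-quad check so a typo never lands in rc.conf
# or in the security policy database (does not range-check each octet).
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# gen_rc_conf LOCAL PEER SYNCDEV
# pfsync gets its own rc.conf variables (not ifconfig_pfsync0) so that it
# is brought up after its syncdev, as the man page recommends. With a
# syncpeer the syncdev must be the enc(4) interface, because that is where
# the decapsulated traffic arrives; anything else is rejected here.
gen_rc_conf() {
    is_ipv4 "$1" && is_ipv4 "$2" || { echo "gen_rc_conf: bad address" >&2; return 1; }
    case "$3" in
        enc[0-9]*) ;;
        *) echo "gen_rc_conf: syncdev must be an enc(4) interface when syncpeer is set" >&2; return 1 ;;
    esac
    printf 'pfsync_enable="YES"\n'
    printf 'pfsync_syncdev="%s"\n' "$3"
    printf 'pfsync_syncpeer="%s"\n' "$2"
    printf 'ipsec_enable="YES"\n'
    printf 'ipsec_file="/etc/ipsec.conf"\n'
}

# gen_ipsec_conf LOCAL PEER
# setkey(8) policy: IP protocol 240 (PFSYNC) between the two peers must be
# carried in transport-mode ESP in both directions. "require" means pfsync
# packets are dropped rather than sent in the clear if no SA exists.
gen_ipsec_conf() {
    is_ipv4 "$1" && is_ipv4 "$2" || { echo "gen_ipsec_conf: bad address" >&2; return 1; }
    printf 'spdadd %s %s 240 -P out ipsec esp/transport//require;\n' "$1" "$2"
    printf 'spdadd %s %s 240 -P in ipsec esp/transport//require;\n' "$2" "$1"
}

# gen_pf_rules LOCAL PEER IFACE SYNCDEV
# pf.conf fragment: let ESP through on the real interface, accept pfsync
# only from the peer on the enc(4) syncdev (after decapsulation), and drop
# pfsync arriving anywhere else, since an unauthenticated pfsync packet can
# create states that bypass the ruleset. "quick" rules match in order, so
# the pass rules must precede the block.
gen_pf_rules() {
    is_ipv4 "$1" && is_ipv4 "$2" || { echo "gen_pf_rules: bad address" >&2; return 1; }
    cat <<EOF
pass in quick on $3 proto esp from $2 to $1
pass out quick on $3 proto esp from $1 to $2
pass in quick on $4 proto pfsync from $2 to $1
pass out quick on $4 proto pfsync from $1 to $2
block in quick proto pfsync
EOF
}

# demo: print all three fragments for the placeholder pair of firewalls.
demo() {
    echo "# /etc/rc.conf";     gen_rc_conf    10.0.0.1 10.0.0.2 enc0
    echo "# /etc/ipsec.conf";  gen_ipsec_conf 10.0.0.1 10.0.0.2
    echo "# /etc/pf.conf";     gen_pf_rules   10.0.0.1 10.0.0.2 em0 enc0
}

demo
```

The same script run on the second firewall with the two addresses swapped produces its mirror-image configuration. The final block rule is the pf-side backstop the man page's warning calls for: even if the IPsec policy is misconfigured, pfsync packets that did not arrive through the enc(4) interface from the expected peer never reach the state table.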