NAME
pfsync —
packet filter state table
logging interface
SYNOPSIS
pseudo-device pfsync
DESCRIPTION
The NetBSD version
of PF is obsolete, and its use is strongly discouraged. Use
npf(7) instead.
The
pfsync interface is a pseudo-device which exposes certain
changes to the state table used by
pf(4). State changes can be viewed
by invoking
tcpdump(8) on the
pfsync interface. If configured with a physical
synchronisation interface,
pfsync will also send state
changes out on that interface using IP multicast, and insert state changes
received on that interface from other systems into the state table.
By default, all local changes to the state table are exposed via
pfsync. However, state changes from packets received by
pfsync over the network are not rebroadcast. States created
by a rule marked with the
no-sync keyword are omitted
from the
pfsync interface (see
pf.conf(5) for details).
The
pfsync interface will attempt to collapse multiple updates
of the same state into one message where possible. The maximum number of times
this can be done before the update is sent out is controlled by the
maxupd parameter to ifconfig (see
ifconfig(8) and the example
below for more details).
Each packet retrieved on this interface has a header associated with it of
length
PFSYNC_HDRLEN
. The header indicates the version
of the protocol, address family, action taken on the following states, and the
number of state table entries attached in this packet. This structure is
defined in ⟨
net/if_pfsync.h⟩ as:
struct pfsync_header {
u_int8_t version;
u_int8_t af;
u_int8_t action;
u_int8_t count;
};
NETWORK SYNCHRONISATION
States can be synchronised between two or more firewalls using this interface,
by specifying a synchronisation interface using
ifconfig(8). For example, the
following command sets fxp0 as the synchronisation interface:
# ifconfig pfsync0 syncdev fxp0
By default, state change messages are sent out on the synchronisation interface
using IP multicast packets. The protocol is IP protocol 240, PFSYNC, and the
multicast group used is 224.0.0.240. When a peer address is specified using
the
syncpeer keyword, the peer address is used as a
destination for the pfsync traffic.
It is important that the pfsync traffic be well secured as there is no
authentication on the protocol and it would be trivial to spoof packets which
create states, bypassing the pf ruleset. Either run the pfsync protocol on a
trusted network - ideally a network dedicated to pfsync messages such as a
crossover cable between two firewalls, or specify a peer address and protect
the traffic with
ipsec(4) (it is
not supported at the moment on
NetBSD due to the lack
of any encapsulation pseudo-device).
There is a one-to-one correspondence between packets seen by
bpf(4) on the
pfsync interface, and packets sent out on the
synchronisation interface, i.e. a packet with 4 state deletion messages on
pfsync means that the same 4 deletions were sent out on the
synchronisation interface. However, the actual packet contents may differ as
the messages sent over the network are "compressed" where possible,
containing only the necessary information.
EXAMPLES
pfsync and
carp(4)
can be used together to provide automatic failover of a pair of firewalls
configured in parallel. One firewall handles all traffic - if it dies or is
shut down, the second firewall takes over automatically.
Both firewalls in this example have three
sis(4) interfaces. sis0 is the
external interface, on the 10.0.0.0/24 subnet; sis1 is the internal interface,
on the 192.168.0.0/24 subnet; and sis2 is the
pfsync
interface, using the 192.168.254.0/24 subnet. A crossover cable connects the
two firewalls via their sis2 interfaces. On all three interfaces, firewall A
uses the .254 address, while firewall B uses .253. The interfaces are
configured as follows (firewall A unless otherwise indicated):
/etc/ifconfig.sis0:
inet 10.0.0.254 255.255.255.0 NONE
/etc/ifconfig.sis1:
inet 192.168.0.254 255.255.255.0 NONE
/etc/ifconfig.sis2:
inet 192.168.254.254 255.255.255.0 NONE
/etc/ifconfig.carp0:
inet 10.0.0.1 255.255.255.0 10.0.0.255 vhid 1 pass foo
/etc/ifconfig.carp1:
inet 192.168.0.1 255.255.255.0 192.168.0.255 vhid 2 pass bar
/etc/ifconfig.pfsync0:
pf(4) must also be configured to allow
pfsync and
carp(4) traffic through. The
following should be added to the top of
/etc/pf.conf:
pass quick on { sis2 } proto pfsync
pass on { sis0 sis1 } proto carp
If it is preferable that one firewall handle the traffic, the
advskew on the backup firewall's
carp(4) interfaces should be set
to something higher than the primary's. For example, if firewall B is the
backup, its
/etc/ifconfig.carp1 would look like this:
inet 192.168.0.1 255.255.255.0 192.168.0.255 vhid 2 pass bar \
advskew 100
The following must also be added to
/etc/sysctl.conf:
SEE ALSO
bpf(4),
carp(4),
inet(4),
inet6(4),
ipsec(4),
netintro(4),
pf(4),
ifconfig.if(5),
pf.conf(5),
protocols(5),
ifconfig(8),
tcpdump(8)
HISTORY
The
pfsync device first appeared in
OpenBSD
3.3.
CAVEATS
pfsync is not available when using
pf(4) as a kernel module.