PFSYNC(4)

NAME

     pfsync - packet filter state table logging interface

SYNOPSIS

     pseudo-device pfsync

DESCRIPTION

     The pfsync interface is a pseudo-device which exposes certain changes
     to the state table used by pf(4).  State changes can be viewed by
     invoking tcpdump(8) on the pfsync interface.  If configured with a
     physical synchronisation interface, pfsync will also send state changes
     out on that interface using IP multicast, and insert state changes
     received on that interface from other systems into the state table.

     By default, all local changes to the state table are exposed via
     pfsync.  However, state changes from packets received by pfsync over
     the network are not rebroadcast.  States created by a rule marked with
     the no-sync keyword are omitted from the pfsync interface (see
     pf.conf(5) for details).

     The pfsync interface will attempt to collapse multiple updates of the
     same state into one message where possible.  The maximum number of
     times this can be done before the update is sent out is controlled by
     the maxupd parameter to ifconfig (see ifconfig(8) and the example below
     for more details).

     Each packet retrieved on this interface has a header associated with
     it of length PFSYNC_HDRLEN.  The header indicates the version of the
     protocol, address family, action taken on the following states, and
     the number of state table entries attached in this packet.  This
     structure is defined in <net/if_pfsync.h> as:

           struct pfsync_header {
                   u_int8_t version;
                   u_int8_t af;
                   u_int8_t action;
                   u_int8_t count;
           };

NETWORK SYNCHRONISATION

     States can be synchronised between two or more firewalls using this
     interface, by specifying a synchronisation interface using
     ifconfig(8).  For example, the following command sets fxp0 as the
     synchronisation interface:

           # ifconfig pfsync0 syncif fxp0

     By default, state change messages are sent out on the synchronisation
     interface using IP multicast packets.  The protocol is IP protocol
     240, PFSYNC, and the multicast group used is 224.0.0.240.  When a peer
     address is specified using the syncpeer keyword, the peer address is
     used as a destination for the pfsync traffic, and the traffic can then
     be protected using ipsec(4).  In such a configuration, the syncif
     should be set to the enc(4) interface, as this is where the traffic
     arrives when it is decapsulated, e.g.:

           # ifconfig pfsync0 syncpeer 10.0.0.2 syncif enc0

     It is important that the pfsync traffic be well secured as there is no
     authentication on the protocol and it would be trivial to spoof
     packets which create states, bypassing the pf ruleset.  Either run the
     pfsync protocol on a trusted network - ideally a network dedicated to
     pfsync messages such as a crossover cable between two firewalls, or
     specify a peer address and protect the traffic with ipsec(4).

     There is a one-to-one correspondence between packets seen by bpf(4)
     on the pfsync interface, and packets sent out on the synchronisation
     interface, i.e. a packet with 4 state deletion messages on pfsync
     means that the same 4 deletions were sent out on the synchronisation
     interface.  However, the actual packet contents may differ as the
     messages sent over the network are "compressed" where possible,
     containing only the necessary information.

EXAMPLES

     pfsync and carp(4) can be used together to provide automatic failover
     of a pair of firewalls configured in parallel.  One firewall handles
     all traffic - if it dies or is shut down, the second firewall takes
     over automatically.

     Both firewalls in this example have three sis(4) interfaces.  sis0 is
     the external interface, on the 10.0.0.0/24 subnet; sis1 is the
     internal interface, on the 192.168.0.0/24 subnet; and sis2 is the
     pfsync interface, using the 192.168.254.0/24 subnet.  A crossover
     cable connects the two firewalls via their sis2 interfaces.  On all
     three interfaces, firewall A uses the .254 address, while firewall B
     uses .253.  The interfaces are configured as follows (firewall A
     unless otherwise indicated):

     /etc/hostname.sis0:

           inet 10.0.0.254 255.255.255.0 NONE

     /etc/hostname.sis1:

           inet 192.168.0.254 255.255.255.0 NONE

     /etc/hostname.sis2:

           inet 192.168.254.254 255.255.255.0 NONE

     /etc/hostname.carp0:

           inet 10.0.0.1 255.255.255.0 10.0.0.255 vhid 1 pass foo

     /etc/hostname.carp1:

           inet 192.168.0.1 255.255.255.0 192.168.0.255 vhid 2 pass bar

     /etc/hostname.pfsync0:

           up syncif sis2

     pf(4) must also be configured to allow pfsync and carp(4) traffic
     through.  The following should be added to the top of /etc/pf.conf:

           pass quick on { sis2 } proto pfsync
           pass on { sis0 sis1 } proto carp keep state

     If it is preferable that one firewall handle the traffic, the advskew
     on the backup firewall's carp(4) interfaces should be set to something
     higher than the primary's.  For example, if firewall B is the backup,
     its /etc/hostname.carp1 would look like this:

           inet 192.168.0.1 255.255.255.0 192.168.0.255 vhid 2 pass bar advskew 100

     The following must also be added to /etc/sysctl.conf:

           net.inet.carp.preempt=1

SEE ALSO

     bpf(4), enc(4), inet(4), inet6(4), ipsec(4), netintro(4), pf(4),
     hostname.if(5), pf.conf(5), protocols(5), ifconfig(8), tcpdump(8)

HISTORY

     The pfsync device first appeared in OpenBSD 3.3.

OpenBSD 3.6                     November 29, 2002