Diffstat (limited to 'static/freebsd/man4/pfsync.4 3.html')
| -rw-r--r-- | static/freebsd/man4/pfsync.4 3.html | 208 |
1 files changed, 208 insertions, 0 deletions
diff --git a/static/freebsd/man4/pfsync.4 3.html b/static/freebsd/man4/pfsync.4 3.html new file mode 100644 index 00000000..fe429d7b --- /dev/null +++ b/static/freebsd/man4/pfsync.4 3.html 
@@ -0,0 +1,208 @@ +<table class="head"> + <tr> + <td class="head-ltitle">PFSYNC(4)</td> + <td class="head-vol">Device Drivers Manual</td> + <td class="head-rtitle">PFSYNC(4)</td> + </tr> +</table> +<div class="manual-text"> +<section class="Sh"> +<h1 class="Sh" id="NAME"><a class="permalink" href="#NAME">NAME</a></h1> +<p class="Pp"><code class="Nm">pfsync</code> — <span class="Nd">packet + filter state table synchronisation interface</span></p> +</section> +<section class="Sh"> +<h1 class="Sh" id="SYNOPSIS"><a class="permalink" href="#SYNOPSIS">SYNOPSIS</a></h1> +<p class="Pp"><code class="Cd">device pfsync</code></p> +<p class="Pp">In <a class="Xr">loader.conf(5)</a>: + <br/> + <code class="Cd">net.pfsync.pfsync_buckets</code></p> +<p class="Pp">In <a class="Xr">sysctl.conf(5)</a>: + <br/> + <code class="Cd">net.pfsync.carp_demotion_factor</code></p> +</section> +<section class="Sh"> +<h1 class="Sh" id="DESCRIPTION"><a class="permalink" href="#DESCRIPTION">DESCRIPTION</a></h1> +<p class="Pp">The <code class="Nm">pfsync</code> interface is a pseudo-device + which exposes certain changes to the state table used by + <a class="Xr">pf(4)</a>. State changes can be viewed by invoking + <a class="Xr">tcpdump(1)</a> on the <code class="Nm">pfsync</code> + interface. If configured with a physical synchronisation interface, + <code class="Nm">pfsync</code> will also send state changes out on that + interface, and insert state changes received on that interface from other + systems into the state table.</p> +<p class="Pp">By default, all local changes to the state table are exposed via + <code class="Nm">pfsync</code>. State changes from packets received by + <code class="Nm">pfsync</code> over the network are not rebroadcast. 
Updates + to states created by a rule marked with the <var class="Ar">no-sync</var> + keyword are ignored by the <code class="Nm">pfsync</code> interface (see + <a class="Xr">pf.conf(5)</a> for details).</p> +<p class="Pp">The <code class="Nm">pfsync</code> interface will attempt to + collapse multiple state updates into a single packet where possible. The + maximum number of times a single state can be updated before a + <code class="Nm">pfsync</code> packet will be sent out is controlled by the + <var class="Ar">maxupd</var> parameter to ifconfig (see + <a class="Xr">ifconfig(8)</a> and the example below for more details). The + sending out of a <code class="Nm">pfsync</code> packet will be delayed by a + maximum of one second.</p> +</section> +<section class="Sh"> +<h1 class="Sh" id="NETWORK_SYNCHRONISATION"><a class="permalink" href="#NETWORK_SYNCHRONISATION">NETWORK + SYNCHRONISATION</a></h1> +<p class="Pp">States can be synchronised between two or more firewalls using + this interface, by specifying a synchronisation interface using + <a class="Xr">ifconfig(8)</a>. For example, the following command sets fxp0 + as the synchronisation interface:</p> +<div class="Bd Pp Bd-indent Li"> +<pre># ifconfig pfsync0 syncdev fxp0</pre> +</div> +<p class="Pp">By default, state change messages are sent out on the + synchronisation interface using IP multicast packets to the 224.0.0.240 + group address. An alternative destination address for + <code class="Nm">pfsync</code> packets can be specified using the + <code class="Ic">syncpeer</code> keyword. This can be used in combination + with <a class="Xr">ipsec(4)</a> to protect the synchronisation traffic. 
In + such a configuration, the syncdev should be set to the + <a class="Xr">enc(4)</a> interface, as this is where the traffic arrives + when it is decapsulated, e.g.:</p> +<div class="Bd Pp Bd-indent Li"> +<pre># ifconfig pfsync0 syncpeer 10.0.0.2 syncdev enc0</pre> +</div> +<p class="Pp">It is important that the pfsync traffic be well secured as there + is no authentication on the protocol and it would be trivial to spoof + packets which create states, bypassing the pf ruleset. Either run the pfsync + protocol on a trusted network - ideally a network dedicated to pfsync + messages such as a crossover cable between two firewalls, or specify a peer + address and protect the traffic with <a class="Xr">ipsec(4)</a>.</p> +<p class="Pp">Support for <code class="Nm">pfsync</code> transport over IPv6 was + introduced in <span class="Ux">FreeBSD 14.0</span>. To set up + <code class="Nm">pfsync</code> using multicast with IPv6 link-local + addresses, the <code class="Ic">syncpeer</code> must be set to the + <code class="Nm">pfsync</code> multicast address and the + <code class="Ic">syncdev</code> to the interface where + <code class="Nm">pfsync</code> traffic is expected.</p> +<div class="Bd Pp Bd-indent Li"> +<pre># ifconfig pfsync0 syncpeer ff12::f0 syncdev vtnet0</pre> +</div> +<p class="Pp">When new features are introduced to <a class="Xr">pf(4)</a> the + format of messages used by <code class="Nm">pfsync</code> might change. + <code class="Nm">pfsync</code> will by default use the latest format. If + synchronization with a peer running an older version of FreeBSD is needed + the <var class="Ar">version</var> parameter can be used. E.g.:</p> +<div class="Bd Pp Bd-indent Li"> +<pre># ifconfig pfsync0 version 1301</pre> +</div> +<p class="Pp">Currently the following versions are supported:</p> +<dl class="Bl-tag"> + <dt id="1301"><a class="permalink" href="#1301"><code class="Cm">1301</code></a></dt> + <dd>FreeBSD releases 13.2 and older. 
Compatibility with FreeBSD 13.1 has been + verified.</dd> + <dt id="1400"><a class="permalink" href="#1400"><code class="Cm">1400</code></a></dt> + <dd>FreeBSD release 14.0.</dd> + <dt id="1500"><a class="permalink" href="#1500"><code class="Cm">1500</code></a></dt> + <dd>FreeBSD release 15.0.</dd> +</dl> +</section> +<section class="Sh"> +<h1 class="Sh" id="SYSCTL_VARIABLES"><a class="permalink" href="#SYSCTL_VARIABLES">SYSCTL + VARIABLES</a></h1> +<p class="Pp">The following variables can be entered at the + <a class="Xr">loader(8)</a> prompt, set in <a class="Xr">loader.conf(5)</a>, + or changed at runtime with <a class="Xr">sysctl(8)</a>:</p> +<dl class="Bl-tag"> + <dt id="net.pfsync.carp_demotion_factor"><var class="Va">net.pfsync.carp_demotion_factor</var></dt> + <dd>Value added to <var class="Va">net.inet.carp.demotion</var> while + <code class="Nm">pfsync</code> tries to perform its bulk update. See + <a class="Xr">carp(4)</a> for more information. Default value is 240.</dd> +</dl> +</section> +<section class="Sh"> +<h1 class="Sh" id="LOADER_TUNABLES"><a class="permalink" href="#LOADER_TUNABLES">LOADER + TUNABLES</a></h1> +<p class="Pp">The following tunable may be set in + <a class="Xr">loader.conf(5)</a> or at the <a class="Xr">loader(8)</a> + prompt:</p> +<dl class="Bl-tag"> + <dt id="net.pfsync.pfsync_buckets"><var class="Va">net.pfsync.pfsync_buckets</var></dt> + <dd>The number of <code class="Nm">pfsync</code> buckets. This affects the + performance and memory tradeoff. Defaults to twice the number of CPUs. + Change only if benchmarks show this helps on your workload.</dd> +</dl> +</section> +<section class="Sh"> +<h1 class="Sh" id="EXAMPLES"><a class="permalink" href="#EXAMPLES">EXAMPLES</a></h1> +<p class="Pp"><code class="Nm">pfsync</code> and <a class="Xr">carp(4)</a> can + be used together to provide automatic failover of a pair of firewalls + configured in parallel. 
One firewall will handle all traffic until it dies, + is shut down, or is manually demoted, at which point the second firewall + will take over automatically.</p> +<p class="Pp">Both firewalls in this example have three <a class="Xr">sis(4)</a> + interfaces. sis0 is the external interface, on the 10.0.0.0/24 subnet; sis1 + is the internal interface, on the 192.168.0.0/24 subnet; and sis2 is the + <code class="Nm">pfsync</code> interface, using the 192.168.254.0/24 subnet. + A crossover cable connects the two firewalls via their sis2 interfaces. On + all three interfaces, firewall A uses the .254 address, while firewall B + uses .253. The interfaces are configured as follows (firewall A unless + otherwise indicated):</p> +<p class="Pp">Interfaces configuration in + <span class="Pa">/etc/rc.conf</span>:</p> +<div class="Bd Pp Bd-indent Li"> +<pre>network_interfaces="lo0 sis0 sis1 sis2" +ifconfig_sis0="10.0.0.254/24" +ifconfig_sis0_alias0="inet 10.0.0.1/24 vhid 1 pass foo" +ifconfig_sis1="192.168.0.254/24" +ifconfig_sis1_alias0="inet 192.168.0.1/24 vhid 2 pass bar" +ifconfig_sis2="192.168.254.254/24" +pfsync_enable="YES" +pfsync_syncdev="sis2"</pre> +</div> +<p class="Pp"><a class="Xr">pf(4)</a> must also be configured to allow + <code class="Nm">pfsync</code> and <a class="Xr">carp(4)</a> traffic + through. The following should be added to the top of + <span class="Pa">/etc/pf.conf</span>:</p> +<div class="Bd Pp Bd-indent Li"> +<pre>pass quick on { sis2 } proto pfsync keep state (no-sync) +pass on { sis0 sis1 } proto carp keep state (no-sync)</pre> +</div> +<p class="Pp">It is preferable that one firewall handle the forwarding of all + the traffic, therefore the <var class="Ar">advskew</var> on the backup + firewall's <a class="Xr">carp(4)</a> vhids should be set to something higher + than the primary's. 
For example, if firewall B is the backup, its carp1 + configuration would look like this:</p> +<div class="Bd Pp Bd-indent Li"> +<pre>ifconfig_sis1_alias0="inet 192.168.0.1/24 vhid 2 pass bar advskew 100"</pre> +</div> +<p class="Pp">The following must also be added to + <span class="Pa">/etc/sysctl.conf</span>:</p> +<div class="Bd Pp Bd-indent Li"> +<pre>net.inet.carp.preempt=1</pre> +</div> +</section> +<section class="Sh"> +<h1 class="Sh" id="SEE_ALSO"><a class="permalink" href="#SEE_ALSO">SEE + ALSO</a></h1> +<p class="Pp"><a class="Xr">tcpdump(1)</a>, <a class="Xr">bpf(4)</a>, + <a class="Xr">carp(4)</a>, <a class="Xr">enc(4)</a>, + <a class="Xr">inet(4)</a>, <a class="Xr">inet6(4)</a>, + <a class="Xr">ipsec(4)</a>, <a class="Xr">netintro(4)</a>, + <a class="Xr">pf(4)</a>, <a class="Xr">pf.conf(5)</a>, + <a class="Xr">protocols(5)</a>, <a class="Xr">rc.conf(5)</a>, + <a class="Xr">ifconfig(8)</a></p> +</section> +<section class="Sh"> +<h1 class="Sh" id="HISTORY"><a class="permalink" href="#HISTORY">HISTORY</a></h1> +<p class="Pp">The <code class="Nm">pfsync</code> device first appeared in + <span class="Ux">OpenBSD 3.3</span>. It was first imported to + <span class="Ux">FreeBSD 5.3</span>.</p> +<p class="Pp">The <code class="Nm">pfsync</code> protocol and kernel + implementation were significantly modified in <span class="Ux">FreeBSD + 9.0</span>. The newer protocol is not compatible with older one and will not + interoperate with it.</p> +</section> +</div> +<table class="foot"> + <tr> + <td class="foot-date">November 8, 2023</td> + <td class="foot-os">FreeBSD 15.0</td> + </tr> +</table> |
