Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages

  
 
  

home | help
PFSYNC(4)		 BSD Kernel Interfaces Manual		     PFSYNC(4)

NAME
     pfsync -- packet filter state table synchronisation interface

SYNOPSIS
     pseudo-device pfsync

DESCRIPTION
     The pfsync	interface is a pseudo-device which exposes certain changes to
     the state table used by pf(4).  State changes can be viewed by invoking
     tcpdump(8)	on the pfsync interface.  If configured	with a physical	syn-
     chronisation interface, pfsync will also send state changes out on	that
     interface,	and insert state changes received on that interface from other
     systems into the state table.

     By	default, all local changes to the state	table are exposed via pfsync.
     State changes from	packets	received by pfsync over	the network are	not
     rebroadcast.  Updates to states created by	a rule marked with the no-sync
     keyword are ignored by the	pfsync interface (see pf.conf(5) for details).

     The pfsync	interface will attempt to collapse multiple state updates into
     a single packet where possible.  The maximum number of times a single
     state can be updated before a pfsync packet will be sent out is con-
     trolled by	the maxupd parameter to	ifconfig (see ifconfig(8) and the ex-
     ample below for more details).  The sending out of	a pfsync packet	will
     be	delayed	by a maximum of	one second.

     Where more	than one firewall might	actively handle	packets, e.g. with
     certain ospfd(8), bgpd(8) or carp(4) configurations, it is	beneficial to
     defer transmission	of the initial packet of a connection.	The pfsync
     state insert message is sent immediately; the packet is queued until ei-
     ther this message is acknowledged by another system, or a timeout has ex-
     pired.  This behaviour is enabled with the	defer parameter	to
     ifconfig(8).

NETWORK	SYNCHRONISATION
     States can	be synchronised	between	two or more firewalls using this in-
     terface, by specifying a synchronisation interface	using ifconfig(8).
     For example, the following	command	configures an address on fxp0 and sets
     it	as the synchronisation interface:

	   # ifconfig fxp0 inet	172.19.13.1/28
	   # ifconfig pfsync0 syncdev fxp0

     By	default, state change messages are sent	out on the synchronisation in-
     terface using IP multicast	packets	to the 224.0.0.240 group address.  An
     alternative destination address for pfsync	packets	can be specified using
     the syncpeer keyword.

     It	is important that the pfsync traffic be	well secured as	there is no
     authentication on the protocol and	it would be trivial to spoof packets
     which create states, bypassing the	pf ruleset.  Only run the pfsync pro-
     tocol on a	trusted	network	- ideally a network dedicated to pfsync	mes-
     sages such	as a crossover cable between two firewalls.

EXAMPLES
     pfsync and	carp(4)	can be used together to	provide	automatic failover of
     a pair of firewalls configured in parallel.  One firewall will handle all
     traffic until it dies, is shut down, or is	manually demoted, at which
     point the second firewall will take over automatically.

     Both firewalls in this example have three sis(4) interfaces.  sis0	is the
     external interface, on the	10.0.0.0/24 subnet; sis1 is the	internal in-
     terface, on the 192.168.0.0/24 subnet; and	sis2 is	the pfsync interface,
     using the 192.168.254.0/24	subnet.	 A crossover cable connects the	two
     firewalls via their sis2 interfaces.  On all three	interfaces, firewall A
     uses the .254 address, while firewall B uses .253.	 The interfaces	are
     configured	as follows (firewall A unless otherwise	indicated):

     /etc/hostname.sis0:
	   inet	10.0.0.254 255.255.255.0 NONE

     /etc/hostname.sis1:
	   inet	192.168.0.254 255.255.255.0 NONE

     /etc/hostname.sis2:
	   inet	192.168.254.254	255.255.255.0 NONE

     /etc/hostname.carp0:
	   inet	10.0.0.1 255.255.255.0 10.0.0.255 \
		   vhid	1 carpdev sis0 pass foo

     /etc/hostname.carp1:
	   inet	192.168.0.1 255.255.255.0 192.168.0.255	\
		   vhid	2 carpdev sis1 pass bar

     /etc/hostname.pfsync0:
	   up syncdev sis2

     pf(4) must	also be	configured to allow pfsync and carp(4) traffic
     through.  The following should be added to	the top	of /etc/pf.conf:

	   pass	quick on { sis2	} proto	pfsync keep state (no-sync)
	   pass	on { sis0 sis1 } proto carp keep state (no-sync)

     It	is preferable that one firewall	handle the forwarding of all the traf-
     fic, therefore the	advskew	on the backup firewall's carp(4) interfaces
     should be set to something	higher than the	primary's.  For	example, if
     firewall B	is the backup, its /etc/hostname.carp1 would look like this:

	   inet	192.168.0.1 255.255.255.0 192.168.0.255	\
		   vhid	2 pass bar advskew 100

     The following must	also be	added to /etc/sysctl.conf:

	   net.inet.carp.preempt=1

SEE ALSO
     bpf(4), carp(4), inet(4), inet6(4), netintro(4), pf(4), hostname.if(5),
     pf.conf(5), protocols(5), ifconfig(8), ifstated(8), tcpdump(8)

HISTORY
     The pfsync	device first appeared in OpenBSD 3.3.

     The pfsync	protocol and kernel implementation were	significantly modified
     between OpenBSD 4.4 and OpenBSD 4.5.  The two protocols are incompatible
     and will not interoperate.

BUGS
     pfsync does not currently work with ipsec(4).

BSD				August 30, 2016				   BSD

NAME | SYNOPSIS | DESCRIPTION | NETWORK SYNCHRONISATION | EXAMPLES | SEE ALSO | HISTORY | BUGS

Want to link to this manual page? Use this URL:
<https://www.freebsd.org/cgi/man.cgi?query=pfsync&sektion=4&manpath=OpenBSD+6.5>

home | help