Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages


home | help
PFSYNC(4)	       FreeBSD Kernel Interfaces Manual		     PFSYNC(4)

     pfsync -- packet filter state table synchronisation interface

     pseudo-device pfsync

     The pfsync	interface is a pseudo-device which exposes certain changes to
     the state table used by pf(4).  State changes can be viewed by invoking
     tcpdump(8)	on the pfsync interface.  If configured	with a physical	syn-
     chronisation interface, pfsync will also send state changes out on	that
     interface,	and insert state changes received on that interface from other
     systems into the state table.

     By	default, all local changes to the state	table are exposed via pfsync.
     State changes from	packets	received by pfsync over	the network are	not
     rebroadcast.  Updates to states created by	a rule marked with the no-sync
     keyword are ignored by the	pfsync interface (see pf.conf(5) for details).

     The pfsync	interface will attempt to collapse multiple state updates into
     a single packet where possible.  The maximum number of times a single
     state can be updated before a pfsync packet will be sent out is con-
     trolled by	the maxupd parameter to	ifconfig (see ifconfig(8) and the ex-
     ample below for more details).  The sending out of	a pfsync packet	will
     be	delayed	by a maximum of	one second.

     Where more	than one firewall might	actively handle	packets, e.g. with
     certain ospfd(8), bgpd(8) or carp(4) configurations, it is	beneficial to
     defer transmission	of the initial packet of a connection.	The pfsync
     state insert message is sent immediately; the packet is queued until ei-
     ther this message is acknowledged by another system, or a timeout has ex-
     pired.  This behaviour is enabled with the	defer parameter	to

     States can	be synchronised	between	two or more firewalls using this in-
     terface, by specifying a synchronisation interface	using ifconfig(8).
     For example, the following	command	configures an address on fxp0 and sets
     it	as the synchronisation interface:

	   # ifconfig fxp0 inet
	   # ifconfig pfsync0 syncdev fxp0

     By	default, state change messages are sent	out on the synchronisation in-
     terface using IP multicast	packets	to the group address.  An
     alternative destination address for pfsync	packets	can be specified using
     the syncpeer keyword.

     It	is important that the pfsync traffic be	well secured as	there is no
     authentication on the protocol and	it would be trivial to spoof packets
     which create states, bypassing the	pf ruleset.  Only run the pfsync pro-
     tocol on a	trusted	network	- ideally a network dedicated to pfsync	mes-
     sages such	as a crossover cable between two firewalls.

     pfsync will increase the carp(4) demotion counter for any interface
     groups associated with the	interface by 32	during initialisation, and by
     1 if the pfsync link is down or if	a bulk update fails.

     pfsync and	carp(4)	can be used together to	provide	automatic failover of
     a pair of firewalls configured in parallel.  One firewall will handle all
     traffic until it dies, is shut down, or is	manually demoted, at which
     point the second firewall will take over automatically.

     Both firewalls in this example have three sis(4) interfaces.  sis0	is the
     external interface, on the subnet; sis1 is the	internal in-
     terface, on the subnet; and	sis2 is	the pfsync interface,
     using the	subnet.	 A crossover cable connects the	two
     firewalls via their sis2 interfaces.  On all three	interfaces, firewall A
     uses the .254 address, while firewall B uses .253.	 The interfaces	are
     configured	as follows (firewall A unless otherwise	indicated):

	   inet NONE

	   inet NONE

	   inet NONE

	   inet \
		   vhid	1 carpdev sis0 pass foo

	   inet	\
		   vhid	2 carpdev sis1 pass bar

	   up syncdev sis2

     pf(4) must	also be	configured to allow pfsync and carp(4) traffic
     through.  The following should be added to	the top	of /etc/pf.conf:

	   pass	quick on { sis2	} proto	pfsync keep state (no-sync)
	   pass	on { sis0 sis1 } proto carp keep state (no-sync)

     It	is preferable that one firewall	handle the forwarding of all the traf-
     fic, therefore the	advskew	on the backup firewall's carp(4) interfaces
     should be set to something	higher than the	primary's.  For	example, if
     firewall B	is the backup, its /etc/hostname.carp1 would look like this:

	   inet	\
		   vhid	2 pass bar advskew 100

     The following must	also be	added to /etc/sysctl.conf:


     bpf(4), carp(4), inet(4), inet6(4), netintro(4), pf(4), hostname.if(5),
     pf.conf(5), protocols(5), ifconfig(8), ifstated(8), tcpdump(8)

     The pfsync	device first appeared in OpenBSD 3.3.

     The pfsync	protocol and kernel implementation were	significantly modified
     between OpenBSD 4.4 and OpenBSD 4.5.  The two protocols are incompatible
     and will not interoperate.

     pfsync does not currently work with ipsec(4).

FreeBSD	13.0		       February	1, 2021			  FreeBSD 13.0


Want to link to this manual page? Use this URL:

home | help