NAME

     pfsync - packet filter state table logging interface

SYNOPSIS

     pseudo-device pfsync

DESCRIPTION

     The pfsync interface is a pseudo-device which exposes certain changes
     to the state table used by pf(4).  State changes can be viewed by
     invoking tcpdump(8) on the pfsync interface.  If configured with a
     physical synchronisation interface, pfsync will also send state
     changes out on that interface using IP multicast, and insert state
     changes received on that interface from other systems into the state
     table.

     By default, all local changes to the state table are exposed via
     pfsync.  However, state changes from packets received by pfsync over
     the network are not rebroadcast.  States created by a rule marked
     with the no-sync keyword are omitted from the pfsync interface (see
     pf.conf(5) for details).

     The pfsync interface will attempt to collapse multiple updates of the
     same state into one message where possible.  The maximum number of
     times this can be done before the update is sent out is controlled by
     the maxupd parameter to ifconfig (see ifconfig(8) and the example
     below for more details).

     Each packet retrieved on this interface has a header associated with
     it of length PFSYNC_HDRLEN.  The header indicates the version of the
     protocol, address family, action taken on the following states, and
     the number of state table entries attached in this packet.  This
     structure is defined in <net/if_pfsync.h> as:

           struct pfsync_header {
                   u_int8_t version;       /* protocol version */
                   u_int8_t af;            /* address family of the states */
                   u_int8_t action;        /* action taken on the states */
                   u_int8_t count;         /* number of state entries following */
           };

     States can be synchronised between two or more firewalls using this
     interface, by specifying a synchronisation interface using
     ifconfig(8).  For example, the following command sets fxp0 as the
     synchronisation interface:

           # ifconfig pfsync0 syncif fxp0

     By default, state change messages are sent out on the synchronisation
     interface using IP multicast packets.  The protocol is IP protocol
     240, PFSYNC, and the multicast group used is   When a peer address
     is specified using the syncpeer keyword, the peer address is used as
     a destination for the pfsync traffic, and the traffic can then be
     protected using ipsec(4).  In such a configuration, the syncif should
     be set to the enc(4) interface, as this is where the traffic arrives
     when it is decapsulated,

           # ifconfig pfsync0 syncpeer syncif enc0

     It is important that the pfsync traffic be well secured as there is
     no authentication on the protocol and it would be trivial to spoof
     packets which create states, bypassing the pf ruleset.  Either run
     the pfsync protocol on a trusted network - ideally a network
     dedicated to pfsync messages such as a crossover cable between two
     firewalls, or specify a peer address and protect the traffic with
     ipsec(4).
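     The following is an added example, not part of this man page or of
     OpenBSD, showing the defender-side view of the two facts above: the
     four-byte header can be decoded from a captured protocol-240 datagram,
     but nothing in it proves who sent it, so a source-address check is
     only a hint.  It assumes the datagram is handed over with the
     link-layer header already removed, uses the BSD numeric values of
     AF_INET/AF_INET6 as constants, and the 10.0.3.0/24 addresses and the
     version/action bytes in the sample are constructed placeholders.

```c
#include <stdint.h>
#include <string.h>
#define PFSYNC_IPPROTO 240  /* IP protocol number given in the man page */
#define PFSYNC_HDRLEN  4    /* version, af, action, count: one byte each */
#define AF_INET_NUM    2    /* assumed BSD values of AF_INET and AF_INET6; */
#define AF_INET6_NUM   24   /* real code takes them from <sys/socket.h> */

struct pfsync_header { uint8_t version, af, action, count; };

enum pfsync_verdict { PFSYNC_OK = 1, PFSYNC_TOO_SHORT, PFSYNC_NOT_PFSYNC,
                      PFSYNC_UNTRUSTED_SRC, PFSYNC_BAD_AF };

/* Decode the pfsync header of one raw IPv4 datagram (no link-layer header).
 * trusted_src is the configured syncpeer.  The protocol carries no
 * authentication, so the source check is only a hint: a spoofed source
 * passes it, hence the man page's advice of a dedicated link or ipsec(4). */
enum pfsync_verdict pfsync_inspect(const uint8_t *pkt, size_t len,
                                   const uint8_t trusted_src[4],
                                   struct pfsync_header *hdr)
{
    if (len < 20) return PFSYNC_TOO_SHORT;
    if ((pkt[0] >> 4) != 4) return PFSYNC_NOT_PFSYNC;   /* not IPv4 */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;           /* IPv4 header length */
    if (ihl < 20 || len < ihl + PFSYNC_HDRLEN) return PFSYNC_TOO_SHORT;
    if (pkt[9] != PFSYNC_IPPROTO) return PFSYNC_NOT_PFSYNC;
    if (memcmp(pkt + 12, trusted_src, 4) != 0) return PFSYNC_UNTRUSTED_SRC;
    const uint8_t *p = pkt + ihl;
    hdr->version = p[0]; hdr->af = p[1]; hdr->action = p[2]; hdr->count = p[3];
    if (hdr->af != AF_INET_NUM && hdr->af != AF_INET6_NUM) return PFSYNC_BAD_AF;
    return PFSYNC_OK;
}

/* Constructed sample: 20-byte IPv4 header, proto 240, from 10.0.3.253
 * (firewall B) to 10.0.3.254 (firewall A), then a pfsync header announcing
 * 4 states.  Subnet and version/action bytes are placeholders. */
static const uint8_t sample_pkt[] = {
    0x45, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00, 0x00, 0x40, PFSYNC_IPPROTO,
    0x00, 0x00, 10, 0, 3, 253, 10, 0, 3, 254,
    2, AF_INET_NUM, 1, 4                     /* version, af, action, count */
};
static const uint8_t peer_b[4]   = { 10, 0, 3, 253 };  /* the syncpeer */
static const uint8_t stranger[4] = { 10, 0, 3, 1 };    /* any other host */

/* Run the sample through the checker: returns the number of state
 * messages when accepted, or the negated verdict when rejected. */
int sample_check(const uint8_t trusted[4], size_t len)
{
    struct pfsync_header h;
    enum pfsync_verdict v = pfsync_inspect(sample_pkt, len, trusted, &h);
    return v == PFSYNC_OK ? (int)h.count : -(int)v;
}
```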

     There is a one-to-one correspondence between packets seen by bpf(4)
     on the pfsync interface, and packets sent out on the synchronisation
     interface, i.e. a packet with 4 state deletion messages on pfsync
     means that the same 4 deletions were sent out on the synchronisation
     However, the actual packet contents may differ as the messages sent
     over the network are "compressed" where possible, containing only
     the necessary

EXAMPLES

     pfsync and carp(4) can be used together to provide automatic failover
     of a pair of firewalls configured in parallel.  One firewall handles
     all traffic - if it dies or is shut down, the second firewall takes
     over automatically.

     Both firewalls in this example have three sis(4) interfaces.  sis0 is
     the external interface, on the subnet; sis1 is the internal
     interface, on the subnet; and sis2 is the pfsync interface, using
     the subnet.  A crossover cable connects the two firewalls via their
     sis2 interfaces.  On all three interfaces, firewall A uses the .254
     address, while firewall B uses .253.  The interfaces are configured
     as follows (firewall A unless otherwise indicated):


           inet NONE


           inet NONE


           inet NONE


           inet vhid 1 pass foo


           inet vhid 2 pass bar


           up syncif sis2

     pf(4) must also be configured to allow pfsync and carp(4) through.
     The following should be added to the top of
           pass quick on { sis2 } proto pfsync
           pass on { sis0 sis1 } proto carp keep state

     If it is preferable that one firewall handle the traffic, the
     advskew on the backup firewall's carp(4) interfaces should be set to
     something higher than the primary's.  For example, if firewall B is
     the backup, its /etc/hostname.carp1 would look like this:

           inet vhid 2 pass bar advskew 100

     The following must also be added to /etc/sysctl.conf:


SEE ALSO

     bpf(4), enc(4), inet(4), inet6(4), ipsec(4), netintro(4),
     hostname.if(5), pf.conf(5), protocols(5), ifconfig(8), tcpdump(8)

HISTORY

     The pfsync device first appeared in OpenBSD 3.3.

OpenBSD 3.6                     November 29, 2002