Establishing IPSEC between these 2 pfsync points is a way to go.
On Sat, May 9, 2009 at 2:44 AM, David DeSimone <f...@verio.net> wrote:
> Sam Wun <swun2...@gmail.com> wrote:
>>
>> Have anyone tried pfsync over router or WAN?
>> I have read setup guide of CARP+pfsync, the pfsync interface is
>> connected through a crossover cable.  Can I connect 2 pfsync
>> interfaces through a router or WAN?
>
> pfsync(4) talks about this:
>
>    NETWORK SYNCHRONISATION
>         States can be synchronised between two or more firewalls using
>         this interface, by specifying a synchronisation interface using
>         ifconfig(8).  For example, the following command sets fxp0 as
>         the synchronisation interface:
>
>           # ifconfig pfsync0 syncdev fxp0
>
>         It is important that the underlying synchronisation interface
>         is up and has an IP address assigned.
>
>         By default, state change messages are sent out on the
>         synchronisation interface using IP multicast packets.  The
>         protocol is IP protocol 240, PFSYNC, and the multicast group
>         used is 224.0.0.240.  When a peer address is specified using
>         the syncpeer keyword, the peer address is used as a destination
>         for the pfsync traffic, and the traffic can then be protected
>         using ipsec(4).  In such a configuration, the syncdev should
>         be set to the enc(4) interface, as this is where the traffic
>         arrives when it is decapsulated, e.g.:
>
>           # ifconfig pfsync0 syncpeer 10.0.0.2 syncdev enc0
>
>         It is important that the pfsync traffic be well secured as
>         there is no authentication on the protocol and it would be
>         trivial to spoof packets which create states, bypassing the
>         pf ruleset.  Either run the pfsync protocol on a trusted
>         network - ideally a network dedicated to pfsync messages such
>         as a crossover cable between two firewalls, or specify a peer
>         address and protect the traffic with ipsec(4).
>
>         For pfsync to start its operation automatically at the system
>         boot time, pfsync_enable and pfsync_syncdev variables should be
>         used in rc.conf(5).  It is not advisable to set up pfsync with
>         common network interface configuration variables of rc.conf(5)
>         because pfsync must start after its syncdev, which cannot be
>         always ensured in the latter case.
>
> Syncing over a WAN doesn't seem like it would make sense, offhand.
> Normally you pfsync between devices that will be able to provide routing
> for a firewalled connection.  A device far across a WAN doesn't seem
> like it would be able to provide redundant service.  But that's up to
> your design, I suppose.
>
> Syncing across a LAN could make sense, but you will want to take steps
> to secure the traffic.
>
> --
> David DeSimone == Network Admin == f...@verio.net
>  "I don't like spinach, and I'm glad I don't, because if I
>   liked it I'd eat it, and I just hate it." -- Clarence Darrow
>
>
> _______________________________________________
> freebsd...@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"
>
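As an added example (not part of the thread, and not pfsync's own code), a small Python check of the point pfsync(4) makes above: once a syncpeer is configured and syncdev is enc0, legitimate state messages are unicast from that peer and arrive on enc0 after IPsec decapsulation, so any other protocol-240 packet is a misconfiguration or an unauthenticated packet that pf would otherwise accept as a state update. It assumes the 10.0.0.2 peer and enc0 from the manual's example; the em0 interface name and the packets are constructed, not captured.

```python
import ipaddress
import struct

PFSYNC_PROTO = 240                                   # IP protocol number, per pfsync(4)
PFSYNC_MCAST = ipaddress.IPv4Address("224.0.0.240")  # default multicast group, per pfsync(4)

def build_ipv4(src, dst, proto, payload=b""):
    """Construct a minimal IPv4 header (no options, checksum left 0) for sample traffic."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload

def parse_ipv4(pkt):
    """Return (src, dst, proto) from a raw IPv4 packet, or None if it is not IPv4."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or len(pkt) < (pkt[0] & 0x0F) * 4:
        return None
    return ipaddress.IPv4Address(pkt[12:16]), ipaddress.IPv4Address(pkt[16:20]), pkt[9]

def audit_pfsync(captures, syncpeer, syncdev):
    """Flag pfsync packets that do not fit a syncpeer + enc(4) setup; captures is (ifname, pkt)."""
    peer = ipaddress.IPv4Address(syncpeer)
    findings = []
    for ifname, pkt in captures:
        parsed = parse_ipv4(pkt)
        if parsed is None or parsed[2] != PFSYNC_PROTO:
            continue  # not pfsync
        src, dst, _ = parsed
        if ifname != syncdev:
            findings.append((ifname, str(src), "pfsync outside syncdev (unprotected path)"))
        elif dst == PFSYNC_MCAST:
            findings.append((ifname, str(src), "multicast pfsync although syncpeer is set"))
        elif src != peer:
            findings.append((ifname, str(src), "pfsync from unexpected peer"))
    return findings

# Constructed sample capture (not real traffic); 10.0.0.2 is the peer from the pfsync(4) example.
SAMPLE = [
    ("enc0", build_ipv4("10.0.0.2", "10.0.0.1", PFSYNC_PROTO)),     # expected
    ("em0", build_ipv4("192.0.2.7", "10.0.0.1", PFSYNC_PROTO)),     # cleartext on LAN side
    ("enc0", build_ipv4("10.0.0.9", "10.0.0.1", PFSYNC_PROTO)),     # wrong peer
    ("enc0", build_ipv4("10.0.0.2", "224.0.0.240", PFSYNC_PROTO)),  # multicast, not unicast
    ("em0", build_ipv4("192.0.2.7", "10.0.0.1", 6)),                # TCP, ignored
]

if __name__ == "__main__":
    for finding in audit_pfsync(SAMPLE, "10.0.0.2", "enc0"):
        print(finding)
```

On a real host the same logic applies to packets read from a pcap of the syncdev and of the LAN-facing interfaces; only the IPv4 header is inspected, so the pfsync payload format does not matter.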
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscr...@freebsd.org"