On 04/02/11 05:16, Łukasz Walczak wrote:
> Hi,
> 
> Is it possible with OpenBSD's PF to set up a redundant firewall using 
> the authpf mechanism at the same time? I mean users logging into the 
> firewall via ssh, accounts with the authpf shell, obtaining a specific 
> rule set, with firewall redundancy based on CARP.

yes, but...

pfsync(4) only syncs active states, apparently not PF table entries (at
least, I couldn't find any reference to syncing tables in the man page).
So when the secondary firewall takes over, the table entries are not
there to open the firewall as desired for the authpf user.

Also, your ssh session to activate authpf is to ONE of the firewalls,
the one that failed.  No authpf session currently exists, so the PF
table entries SHOULD NOT be active on the secondary firewall.

So yes, you can set this up, it will work, but in the event of a
failure, things may not work as you are currently thinking you wish it
to work.  It would go something like this:
You have your authpf'd firewall set, you have some people logged into
the active firewall and running authpf.  The active firewall fails, and
the secondary takes over.  Your users will drop their ssh/authpf
sessions, and the rules they activated will be deactivated (though both
as the effect of the firewall failure, not cause->effect).  Your users
will look at it and say, "Dang Internet, disconnected me again!" and log
back in, but this time to the backup firewall.  Assuming you synced the
ssh keys and user accounts between the two machines, all should be
good... at least until you fix the primary and force down the secondary,
at which point your users will start to think their ISP is really
sucking tonight.

HOWEVER, if your users were doing something with the currently active
states, for example downloading a large file via http, the state that
permits the incoming file WOULD be synced to the standby system, and
that download would continue.

For most applications, your firewalls should be a lot more reliable than
your users' home Internet connections, so this really shouldn't be a big
problem.  90+% of the time when your users get kicked off and their
special rules are yanked, it will be because their (or your) Internet
connection burped (AGAIN).  If you can't tolerate people being kicked
off like this, ssh/authpf may not be the right choice, and has nothing
to do with CARP.

Nick.
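As an added illustration (not part of the original thread), a minimal pf.conf sketch for both CARP peers, assuming interface names em0/em1/em2 and the default authpf table and anchor names; the comments mark what pfsync replicates and what it does not:

```pf
# Constructed example pf.conf for both CARP firewalls (not from the thread).
# Interface names are assumptions.
ext_if  = "em0"
int_if  = "em1"
sync_if = "em2"

# Populated by authpf on login, emptied when the ssh session ends.
# NOT replicated by pfsync: after failover the standby starts with an empty table.
table <authpf_users> persist

set skip on lo

# CARP and pfsync traffic between the peers; these states stay local.
pass quick on $sync_if proto pfsync keep state (no-sync)
pass on { $ext_if, $int_if } proto carp keep state (no-sync)

# Users ssh to the CARP address to run authpf; the session lands on the master.
pass in on $int_if proto tcp from $int_if:network to ($int_if) port ssh

# Per-user rules loaded by authpf. States those rules create ARE synced, so an
# in-progress download survives failover even though the rule itself does not.
anchor "authpf/*"
```

After a user logs in, compare `pfctl -t authpf_users -T show` and `pfctl -s states` on both peers to see which of the two pfsync actually carries across.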
