Re: PF and a feature I requested weeks ago



On Mon, 2 Aug 2004, van Helsing wrote:

> PFSYNC is a useful feature of PF but it has one big disadvantage:
> I need a direct cable connection to the other PC.
>
> The only way to sync all FWs in my VPN is that I have a script which
> notices when the PF.conf has changed (e.g. because of SNORT) and which logs in
> to all the other servers/FWs, replaces the PF.conf and reboots the FW.

You are seriously confused. pfsync syncs FW states, not rulesets. Also,
when loading a new ruleset, rebooting is not needed, just reload the new
ruleset.
>
> Is there any solution which allows PFSYNC to send the SYNC packets
> through an encrypted connection (SSH/SSL?) to other systems?
> I think such a solution is easy to include because there could be
> host authentication with the SSH keys.

pfsync is not UDP or TCP, it uses a different IP protocol number. IPsec
can probably be used (at least I am not aware of any reason why it could
not be used for this).

For distribution of pf.conf files, any file copy mechanism can be used.
But providing a general solution is probably not feasible, since in most
cases there will be differences between the various pf.conf files (for
example, the interfaces available on the different firewalls may be
different).

 	-Otto
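The ruleset-distribution approach Otto describes (copy the file by any means, then reload with pfctl instead of rebooting, while keeping per-firewall differences in separate files) as an added example; this script is not from the thread or from the pf project. It assumes key-based ssh login as root to each firewall, pfctl on the remote hosts, and a local rules/ directory holding one pf.conf per host; the PF_DEPLOY_HOSTS variable and all host names and paths are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original thread: push a per-host pf.conf to
# several firewalls over ssh and reload the ruleset with pfctl (no reboot).
# Assumes ssh key login as root and pfctl on the remote side.

set -u

# Each firewall gets its own ruleset file (interface names etc. differ),
# rather than one shared pf.conf. Directory layout is a constructed assumption.
ruleset_for() {
    # $1 = host name; prints the local path of that host's ruleset
    printf '%s\n' "rules/pf.conf.$1"
}

# Remote command: syntax-check the uploaded file first (pfctl -nf), and only
# if that passes load it (pfctl -f) and move it into place. A typo therefore
# never leaves a firewall with a broken or half-loaded ruleset.
remote_reload_cmd() {
    # $1 = path of the uploaded file on the remote host
    printf '%s\n' "pfctl -nf $1 && pfctl -f $1 && mv $1 /etc/pf.conf"
}

# Deploy one host: copy the file, then check-and-reload. Non-zero on failure.
deploy_host() {
    host=$1
    src=$(ruleset_for "$host")
    tmp="/etc/pf.conf.new"
    [ -r "$src" ] || { echo "no ruleset for $host ($src)" >&2; return 1; }
    scp -q "$src" "root@$host:$tmp" || return 1
    ssh "root@$host" "$(remote_reload_cmd "$tmp")"
}

# Deploy to every host listed in PF_DEPLOY_HOSTS (space separated); report
# per-host failures but keep going so one unreachable firewall does not
# block the others.
deploy_all() {
    rc=0
    for h in $PF_DEPLOY_HOSTS; do
        if deploy_host "$h"; then
            echo "$h: ruleset reloaded"
        else
            echo "$h: FAILED" >&2
            rc=1
        fi
    done
    return $rc
}

# Only act when hosts are given, e.g.: PF_DEPLOY_HOSTS="fw1 fw2" sh deploy.sh
if [ -n "${PF_DEPLOY_HOSTS:-}" ]; then
    deploy_all
fi
```

Note that this only moves rulesets around; it is unrelated to pfsync, which carries state-table updates as its own IP protocol and would be protected, if needed, by IPsec between the firewalls rather than by this script.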