Re: PF and a feature I requested weeks ago
On Mon, 2 Aug 2004 09:48:31 +0200 (CEST)
otto@drijf.net (Otto Moerbeek) wrote:
> On Mon, 2 Aug 2004, van Helsing wrote:
>
> > PFSYNC is a useful feature of PF but it has one big disadvantage:
> > I need a direct cable connection to the other PC.
> >
> > The only way to sync all FWs in my VPN is that I have a script which
> > notices when the pf.conf has changed (e.g. because of SNORT) and which
> > logs in to all the other servers/FWs, replaces the pf.conf and reboots
> > the FW.
>
> You are seriously confused. pfsync syncs FW states, not rulesets.
> Also, when loading a new ruleset, rebooting is not needed, just reload
> the new ruleset.
--
DESCRIPTION
The pfsync interface is a pseudo-device which exposes certain changes to
the state table used by pf(4). State changes can be viewed by invoking
tcpdump(8) on the pfsync interface. If configured with a physical
synchronisation interface, pfsync will also send state changes out on that
interface using IP multicast, and insert state changes received on that
interface from other systems into the state table.
--
I think I understand it in the right way but maybe I explained it
wrongly, damn. :-(
That's the disadvantage here... you speak too little English. :-)
I mean exactly THAT &description_above.
Just over IPsec or something else, because I have no 20 km cable...
> > Is there any solution which allows PFSYNC to send the sync packets
> > through an encrypted connection (SSH/SSL?) to other systems?
> > I think such a solution is easy to include because there could be a
> > host authentication with the SSH keys.
>
> pfsync is not UDP or TCP, it uses a different IP protocol number.
> Ipsec can probably be used (at least I am not aware of any reason why
> it could not be used for this).
Yes, I know about the different protocol... :-/
> For distribution of pf.conf files, any file copy mechanism can be
> used. But providing a general solution is probably not feasible, since
> in most cases, there will be differences between the various pf.conf
> files (for example, the interfaces available on the different
> firewalls may be different).
>
> -Otto
I'm so sorry, but you're completely right, because I was a little bit
confused. I have little time at the moment and a lot of stress, so I mixed
up several things.
Sorry for that! I re-read the manpage but I miss exactly the same things
as before, even though it's NOT necessary to copy the pf.conf (ok...) nor to
reboot (by rebooting I just mean restarting the FW (software reload, load the
new pf.conf)).
So I'm sorry if somebody gets confused. :-)
But it's not possible to use PFSYNC e.g. via IPsec.
But IPsec is maybe the best solution to tunnel it...
vh
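The point Otto makes above, that pfsync is its own IP protocol rather than something carried over TCP or UDP, is what decides which tunnel can carry it between sites. The following is an added example, not code from this thread or from OpenBSD: it parses the protocol and destination fields of an IPv4 header from constructed sample packets and reports whether a port-based forward (ssh, stunnel) could carry the packet or whether an IP-level tunnel such as IPsec is needed. The protocol numbers are the IANA assignments (240 is IPPROTO_PFSYNC on OpenBSD, 224.0.0.240 the pfsync multicast group); the packet payloads are placeholders, not real pfsync data, and the helper names are my own.

```python
import socket
import struct

# IP protocol numbers relevant to the thread (IANA numbers; 240 is IPPROTO_PFSYNC on OpenBSD).
PROTO_NAMES = {
    6: "tcp",
    17: "udp",
    50: "esp",      # IPsec ESP: the whole pfsync datagram rides inside, encrypted
    51: "ah",
    112: "carp",
    240: "pfsync",  # pfsync has no ports: it is its own IP protocol
}

PFSYNC_GROUP = "224.0.0.240"  # multicast group pfsync uses on the syncdev


def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Build a minimal 20-byte IPv4 header (no options, checksum left 0) in
    front of payload. Used only to construct sample packets for this example."""
    total_len = 20 + len(payload)
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,            # version 4, IHL 5
        0,               # TOS
        total_len,
        0, 0,            # identification, flags/fragment offset
        64,              # TTL
        proto,
        0,               # header checksum (not needed for parsing)
        socket.inet_aton(src),
        socket.inet_aton(dst),
    )
    return header + payload


def classify(packet: bytes) -> dict:
    """Read the protocol and destination fields of an IPv4 header and report
    whether the packet is port-based (TCP/UDP) and whether it is multicast."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    proto = packet[9]                      # protocol field is byte 9 of the header
    dst_first_octet = packet[16]           # destination address starts at byte 16
    return {
        "proto": proto,
        "name": PROTO_NAMES.get(proto, f"proto-{proto}"),
        "port_based": proto in (6, 17),
        "multicast": 224 <= dst_first_octet <= 239,
        "dst": socket.inet_ntoa(packet[16:20]),
    }


def transport_advice(packet: bytes) -> str:
    """Say which tunnelling mechanism could carry this packet between sites."""
    info = classify(packet)
    if info["port_based"]:
        return "port-based: an ssh/stunnel port forward could carry this"
    if info["name"] == "esp":
        return "already IPsec-encapsulated: inner protocol is hidden until decrypted"
    note = "raw IP protocol: needs an IP-level tunnel such as IPsec, not ssh/stunnel"
    if info["multicast"]:
        note += "; multicast destination will not cross a routed VPN without a tunnel"
    return note


# Constructed sample packets (payloads are placeholders, not real pfsync data).
SAMPLE_PFSYNC = build_ipv4(240, "10.0.0.1", PFSYNC_GROUP, b"pfsync-state-update")
SAMPLE_SSH = build_ipv4(6, "10.0.0.1", "10.0.0.2", b"\x00\x16\x00\x16")
SAMPLE_ESP = build_ipv4(50, "192.0.2.1", "198.51.100.1", b"\x00" * 8)

if __name__ == "__main__":
    for label, pkt in (("pfsync", SAMPLE_PFSYNC), ("ssh", SAMPLE_SSH), ("esp", SAMPLE_ESP)):
        print(f"{label:7s} {classify(pkt)['name']:7s} -> {transport_advice(pkt)}")
```

Run as-is it prints one line per sample; the pfsync sample is flagged as a raw, multicast IP protocol, which is exactly why an ssh or stunnel forward (both bound to TCP ports) cannot carry it while an IPsec flow matching the pfsync protocol can.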