pfsync and tables
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: pfsync and tables
- From: Jeff Wilson <wilsonj_(_at_)_cs_(_dot_)_ecs_(_dot_)_baylor_(_dot_)_edu>
- Date: Thu, 10 Jun 2004 16:40:26 -0500 (CDT)
- Reply-to: wilsonj_(_at_)_cs_(_dot_)_ecs_(_dot_)_baylor_(_dot_)_edu
To the pfsync gurus,
I have two identical OpenBSD 3.5 boxes in a CARP/pfsync setup. By
identical, I mean same OS versions, same hardware, etc. Congratulations
on an amazing job of putting together CARP! I was impressed at how easily
it came together.
Pardon my ASCII art:

    MAIN CAMPUS ROUTER  x.y.126.1
              |
              ^
             / \     CARP: x.y.126.2
            A   B
             \ /     CARP: x.y.127.1
              v
              |      x.y.127.5
    UNTRUSTED NETWORK ROUTER
              |
              |
              ^
          /// \\\    x.y.100.0, x.y.102.0, etc
          VARIOUS SUBNETS
The configuration as shown functions well -- kudos to CARP!! My question
is about setting up dynamic rules for hosts in the x.y.100.*, x.y.102.*,
etc. Right now I have persistent tables set up in pf.conf so that I can
authenticate a downstream user by running
pfctl -t table_100 -T add x.y.100.28
at the command prompt on Firewall A (master). I watch and cross my
fingers, but the table entry never makes the jump across the pfsync0
interface to Firewall B. Now that I've gone back and RTFM, I see that's
not yet a supported feature of pfsync. So I work around it by manually
adding to table_100 on BOTH firewalls. Then I take down carp0 and carp1
on Firewall A to see if state propagates across pfsync0, but there's no
state on Firewall B for my dynamic rule. I can initiate new TCP sessions,
but all state on existing Firewall A (for my table entry) is lost when
Firewall B takes over master.
How would you keep state for dynamically added/deleted rules across
redundant firewalls? I have verified that a static rule's state syncs
just fine across pfsync0, but the table stuff doesn't. Any suggestions?
--
Jeff Wilson                 Senior Analyst/Programmer
Baylor University           Network Services Group
Waco, TX                    Information Technology Services
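The "add it on BOTH firewalls" workaround from the post, automated as an added example (not code from the original post or from OpenBSD): a POSIX sh wrapper that applies a table add/delete locally and on the pfsync peer, reverts the local change if the peer fails, and a drift check for the two tables. It assumes PEER names the other firewall and is reachable by ssh with key authentication, and that PFCTL and SSH can be overridden for a dry run; the table name and address are validated before anything is handed to the peer's shell.

```shell
#!/bin/sh
# Mirror a pf table add/delete to both firewalls, since pfsync (OpenBSD 3.5)
# carries states but not table contents. Added example, not from the post.
# Assumptions: PEER names the other firewall (ssh with key auth over the sync
# link); PFCTL and SSH can be overridden (PFCTL='echo pfctl' SSH=echo) to dry-run.

PEER="${PEER:-firewall-b}"       # hypothetical name for Firewall B
PFCTL="${PFCTL:-/sbin/pfctl}"
SSH="${SSH:-ssh}"

# validate_ipv4 ADDR: accept only a plain dotted quad, so an unchecked
# argument can never reach the peer's shell as part of the ssh command.
validate_ipv4() {
    case "$1" in *[!0-9.]*|.*|*.|*..*|"") return 1 ;; esac
    IFS=. ; set -- $1 ; unset IFS
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# table_cmd ACTION TABLE ADDR: print the pfctl invocation both hosts run,
# after checking the action, the table name and the address.
table_cmd() {
    case "$1" in add|delete) ;; *) return 1 ;; esac
    case "$2" in ""|*[!A-Za-z0-9_]*) return 1 ;; esac
    validate_ipv4 "$3" || return 1
    printf 'pfctl -t %s -T %s %s\n' "$2" "$1" "$3"
}

# mirror_table ACTION TABLE ADDR: apply locally, then on the peer; if the
# peer fails, undo the local change so the two tables never diverge.
mirror_table() {
    cmd=$(table_cmd "$1" "$2" "$3") ||
        { echo "usage: mirror_table add|delete TABLE IPV4" >&2; return 2; }
    $PFCTL -t "$2" -T "$1" "$3" || return 1
    if ! $SSH "$PEER" "$cmd"; then
        undo=delete; [ "$1" = delete ] && undo=add
        $PFCTL -t "$2" -T "$undo" "$3"
        echo "peer $PEER failed; local $1 of $3 reverted" >&2
        return 1
    fi
}

# table_drift TABLE: succeed only if local and peer table contents match;
# run it from cron so a missed manual update is noticed before a failover.
table_drift() {
    case "$1" in ""|*[!A-Za-z0-9_]*) return 2 ;; esac
    [ "$($PFCTL -t "$1" -T show | sort)" = "$($SSH "$PEER" "pfctl -t $1 -T show" | sort)" ]
}
```

The address 192.0.2.28 used in the dry run below is a constructed TEST-NET value standing in for the post's x.y.100.28.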