[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: pfsync and tables

To: misc_(_at_)_openbsd_(_dot_)_org
Subject: Re: pfsync and tables
From: Jeff Wilson <wilsonj_(_at_)_cs_(_dot_)_ecs_(_dot_)_baylor_(_dot_)_edu>
Date: Thu, 17 Jun 2004 11:01:08 -0500 (CDT)
Reply-to: wilsonj_(_at_)_cs_(_dot_)_ecs_(_dot_)_baylor_(_dot_)_edu

On Fri, 11 Jun 2004, Ryan McBride wrote:

> State entries created from a rule matching on a table will get
> transfered just fine, as will states from an anchor rule.

How do I verify this?  From what I can tell, this isn't true.  Here's what 
I tried:

On Firewall A, I've added x.y.112.10 to <auth_112> and from x.y.112.10 I'm
happily conducting all sorts of network activity (such as writing this
email in a terminal to a server on a different subnet).

On Firewall B, I have added the same IP to the same table (A and B are 
initialized by identical pf.conf) with the same pfctl command.

If I failover from A to B, all my connections are lost.  However, new
connections are immediately passed through.  In the paradigm of
authenticating firewalls, my IP is still authenticated (because the IP is
added to the same table on both firewalls outside of pfsync), but my state
is not preserved.

Here's the output of pfctl for the table in question (line-wrapped) --

Firewall A (running as primary):

# pfctl -vvvs rules|grep -A1 auth_112
@997 pass in quick on em1 proto icmp from \
     <auth_112:1> to any keep state
  [ Evaluations: 0         Packets: 0     \
    Bytes: 0           States: 0 ]
@1007 pass in quick on em1 proto tcp from \
<auth_112:1> to any flags S/SA keep state
  [ Evaluations: 159       Packets: 19727 \
    Bytes: 3593363     States: 5 ]
@1017 pass in quick on em1 proto udp from \
<auth_112:1> to any keep state
  [ Evaluations: 46        Packets: 121   \
    Bytes: 59825       States: 0 ]

Firewall B (backup, with pfsync to A):

# pfctl -vvvs rules|grep -A1 auth_112
@997 pass in quick on em1 proto icmp from \
<auth_112:1> to any keep state
  [ Evaluations: 0         Packets: 0     \
    Bytes: 0           States: 0 ]
@1007 pass in quick on em1 proto tcp from \
<auth_112:1> to any flags S/SA keep state
  [ Evaluations: 0         Packets: 0     \
    Bytes: 0           States: 0 ]
@1017 pass in quick on em1 proto udp from \
<auth_112:1> to any keep state
  [ Evaluations: 0         Packets: 0     \
    Bytes: 0           States: 0 ]

>From what Ryan said, I expect to see non-zero state for line 1007 on
firewall B.  Did I misunderstand?  If so, how can I get pfsync to
recognize these states and keep them sync'd?

Thanks for your time,

	jw

Prev by Date: Re: Fat32 woes
Next by Date: Re: Problem with routing on dedicated server [solved]
Previous by thread: Re: pfsync and tables
Next by thread: Re: pfsync and tables
Index(es):
- Date
- Thread

Visit your host, monkey.org