diff options
author | Ryan Thomas McBride <mcbride@cvs.openbsd.org> | 2004-08-03 06:02:45 +0000 |
---|---|---|
committer | Ryan Thomas McBride <mcbride@cvs.openbsd.org> | 2004-08-03 06:02:45 +0000 |
commit | a660c187998bcb15a4d9f63d0e0c901f96327e3b (patch) | |
tree | f97f34b07bfbce35c87ffeda6ac102edc33918a5 | |
parent | d0133c83cad3736227f802696685883d7c4d0c50 (diff) |
Document 'syncpeer'.
-rw-r--r-- | share/man/man4/pfsync.4 | 29 |
1 files changed, 23 insertions, 6 deletions
diff --git a/share/man/man4/pfsync.4 b/share/man/man4/pfsync.4 index a08ab5f5112..5137bf54689 100644 --- a/share/man/man4/pfsync.4 +++ b/share/man/man4/pfsync.4 @@ -1,6 +1,7 @@ -.\" $OpenBSD: pfsync.4,v 1.17 2004/03/31 08:28:36 jmc Exp $ +.\" $OpenBSD: pfsync.4,v 1.18 2004/08/03 06:02:44 mcbride Exp $ .\" .\" Copyright (c) 2002 Michael Shalayeff +.\" Copyright (c) 2003-2004 Ryan McBride .\" All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without @@ -100,16 +101,30 @@ interface: # ifconfig pfsync0 syncif fxp0 .Ed .Pp -State change messages are sent out on the synchronisation +By default, state change messages are sent out on the synchronisation interface using IP multicast packets. The protocol is IP protocol 240, PFSYNC, and the multicast group used is 224.0.0.240. +When a peer address is specified using the +.Em syncpeer +keyword, the peer address is used as a destination for the pfsync traffic, +and the traffic can then be protected using +.Xr ipsec 4 . +In such a configuration, the syncif should be set to the +.Xr enc +interface, as this is where the traffic arrives when it is decapsulated, +e.g.: +.Bd -literal -offset indent +# ifconfig pfsync0 syncpeer 10.0.0.2 syncif enc0 +.Ed .Pp -It is important that the synchronisation interface be on a trusted -network as there is no authentication on the protocol and it would +It is important that the pfsync traffic be well secured +as there is no authentication on the protocol and it would be trivial to spoof packets which create states, bypassing the pf ruleset. -Ideally, this is a network dedicated to pfsync messages, -i.e. a crossover cable between two firewalls. +Either run the pfsync protocol on a trusted network - ideally a network +dedicated to pfsync messages such as a crossover cable between two firewalls, +or specify a peer address and protect the traffic with +.Xr ipsec 4 . .Pp There is a one-to-one correspondence between packets seen by .Xr bpf 4 @@ -210,8 +225,10 @@ net.inet.carp.preempt=1 .Ed .Sh SEE ALSO .Xr bpf 4 , +.Xr enc 4, .Xr inet 4 , .Xr inet6 4 , +.Xr ipsec 4 , .Xr netintro 4 , .Xr pf 4 , .Xr hostname.if 5 , |