summaryrefslogtreecommitdiff
path: root/share/man/man4
diff options
context:
space:
mode:
authorRyan Thomas McBride <mcbride@cvs.openbsd.org>2004-08-03 06:02:45 +0000
committerRyan Thomas McBride <mcbride@cvs.openbsd.org>2004-08-03 06:02:45 +0000
commita660c187998bcb15a4d9f63d0e0c901f96327e3b (patch)
treef97f34b07bfbce35c87ffeda6ac102edc33918a5 /share/man/man4
parentd0133c83cad3736227f802696685883d7c4d0c50 (diff)
Document 'syncpeer'.
Diffstat (limited to 'share/man/man4')
-rw-r--r--share/man/man4/pfsync.429
1 files changed, 23 insertions, 6 deletions
diff --git a/share/man/man4/pfsync.4 b/share/man/man4/pfsync.4
index a08ab5f5112..5137bf54689 100644
--- a/share/man/man4/pfsync.4
+++ b/share/man/man4/pfsync.4
@@ -1,6 +1,7 @@
-.\" $OpenBSD: pfsync.4,v 1.17 2004/03/31 08:28:36 jmc Exp $
+.\" $OpenBSD: pfsync.4,v 1.18 2004/08/03 06:02:44 mcbride Exp $
.\"
.\" Copyright (c) 2002 Michael Shalayeff
+.\" Copyright (c) 2003-2004 Ryan McBride
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
@@ -100,16 +101,30 @@ interface:
# ifconfig pfsync0 syncif fxp0
.Ed
.Pp
-State change messages are sent out on the synchronisation
+By default, state change messages are sent out on the synchronisation
interface using IP multicast packets.
The protocol is IP protocol 240, PFSYNC, and the multicast group
used is 224.0.0.240.
+When a peer address is specified using the
+.Em syncpeer
+keyword, the peer address is used as a destination for the pfsync traffic,
+and the traffic can then be protected using
+.Xr ipsec 4 .
+In such a configuration, the syncif should be set to the
+.Xr enc
+interface, as this is where the traffic arrives when it is decapsulated,
+e.g.:
+.Bd -literal -offset indent
+# ifconfig pfsync0 syncpeer 10.0.0.2 syncif enc0
+.Ed
.Pp
-It is important that the synchronisation interface be on a trusted
-network as there is no authentication on the protocol and it would
+It is important that the pfsync traffic be well secured
+as there is no authentication on the protocol and it would
be trivial to spoof packets which create states, bypassing the pf ruleset.
-Ideally, this is a network dedicated to pfsync messages,
-i.e. a crossover cable between two firewalls.
+Either run the pfsync protocol on a trusted network - ideally a network
+dedicated to pfsync messages such as a crossover cable between two firewalls,
+or specify a peer address and protect the traffic with
+.Xr ipsec 4 .
.Pp
There is a one-to-one correspondence between packets seen by
.Xr bpf 4
@@ -210,8 +225,10 @@ net.inet.carp.preempt=1
.Ed
.Sh SEE ALSO
.Xr bpf 4 ,
+.Xr enc 4,
.Xr inet 4 ,
.Xr inet6 4 ,
+.Xr ipsec 4 ,
.Xr netintro 4 ,
.Xr pf 4 ,
.Xr hostname.if 5 ,