author: Ryan Thomas McBride <mcbride@cvs.openbsd.org> 2004-03-22 07:44:40 +0000
committer: Ryan Thomas McBride <mcbride@cvs.openbsd.org> 2004-03-22 07:44:40 +0000
commit: 0ea12386247e8a080fb60f07b4e818e98394cc1a (patch)
tree: b5a6a5b998e26e2aa1457a0f5b775a1ab9aec2b1 /share
parent: e9021d37990da8cd956294b3e568b70970680503 (diff)
Add a complete pfsync+carp firewall failover example.
ok deraadt@
Diffstat (limited to 'share')
 share/man/man4/pfsync.4 | 85
1 files changed, 82 insertions, 3 deletions
diff --git a/share/man/man4/pfsync.4 b/share/man/man4/pfsync.4
index 79c76825868..266137227c4 100644
--- a/share/man/man4/pfsync.4
+++ b/share/man/man4/pfsync.4
@@ -1,4 +1,4 @@
-.\" $OpenBSD: pfsync.4,v 1.14 2004/03/21 19:47:59 miod Exp $
+.\" $OpenBSD: pfsync.4,v 1.15 2004/03/22 07:44:39 mcbride Exp $
.\"
.\" Copyright (c) 2002 Michael Shalayeff
.\" All rights reserved.
@@ -124,9 +124,87 @@ However, the actual packet contents may differ as the messages
sent over the network are "compressed" where possible, containing
only the necessary information.
.Sh EXAMPLES
+.Nm
+and
+.Xr carp 4
+can be used together to provide automatic failover of a pair of firewalls
+configured in parallel. One firewall handles all traffic - if it dies or
+is shut down, the second firewall takes over automatically.
+.Pp
+Both firewalls in this example have three
+.Xr sis 4
+interfaces.
+sis0 is the external interface, on the 10.0.0.0/24 subnet, sis1 is the
+internal interface, on the 192.168.0.0/24 subnet, and sis2 is the
+.Nm
+interface, using the 192.168.254.0/24 subnet.
+A crossover cable connects the two firewalls via their sis2 interfaces.
+On all three interfaces, firewall A uses the .254 address, while firewall B
+uses .253.
+The interfaces are configured as follows (firewall A unless otherwise
+indicated):
+.Pp
+.Pa /etc/hostname.sis0 :
+.Bd -literal -offset indent
+inet 10.0.0.254 255.255.255.0 NONE
+.Ed
+.Pp
+.Pa /etc/hostname.sis1 :
+.Bd -literal -offset indent
+inet 192.168.0.254 255.255.255.0 NONE
+.Ed
+.Pp
+.Pa /etc/hostname.sis2 :
+.Bd -literal -offset indent
+inet 192.168.254.254 255.255.255.0 NONE
+.Ed
+.Pp
+.Pa /etc/hostname.carp0 :
+.Bd -literal -offset indent
+inet 10.0.0.1 255.255.255.0 10.0.0.255 vhid 1 pass foo
+.Ed
+.Pp
+.Pa /etc/hostname.carp1 :
+.Bd -literal -offset indent
+inet 192.168.0.1 255.255.255.0 192.168.0.255 vhid 2 pass bar
+.Ed
+.Pp
+.Pa /etc/hostname.pfsync0 :
+.Bd -literal -offset indent
+up syncif sis2
+.Ed
+.Pp
+.Xr pf 4
+must also be configured to allow
+.Nm
+and
+.Xr carp 4
+traffic through.
+The following should be added to the top of
+.Pa /etc/pf.conf :
+.Bd -literal -offset indent
+pass quick on { sis2 } proto pfsync
+pass on { sis0 sis1 } proto carp keep state
+.Ed
+.Pp
+If it is preferable that one firewall be handling the traffic,
+the
+.Ar advskew
+on the backup firewall's
+.Xr carp 4
+interfaces should be set to something higher than
+the primary's. For example if firewall B is the backup, it's
+.Pa /etc/hostname.carp1
+would look like this:
+.Bd -literal -offset indent
+inet 192.168.0.1 255.255.255.0 192.168.0.255 vhid 2 pass bar \e
+ advskew 100
+.Ed
+.Pp
+The following must also be added to
+.Pa /etc/sysctl.conf :
.Bd -literal -offset indent
-# ifconfig pfsync0 up syncif fxp0 maxupd 64
-# tcpdump -s1500 -evtni pfsync0
+net.inet.carp.preempt=1
.Ed
.Sh SEE ALSO
.Xr bpf 4 ,
@@ -134,6 +212,7 @@ only the necessary information.
.Xr inet6 4 ,
.Xr netintro 4 ,
.Xr pf 4 ,
+.Xr hostname.if 5,
.Xr pf.conf 5 ,
.Xr protocols 5 ,
.Xr ifconfig 8 ,
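Review bot: `.Xr hostname.if 5,` is missing the space before the trailing comma that the neighbouring entries use (`.Xr pf.conf 5 ,`); without it mdoc takes `5,` as the section argument and the comma is not treated as trailing punctuation. Change it to `.Xr hostname.if 5 ,`.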