# $OpenBSD: ifstated.conf,v 1.2 2018/01/20 23:07:58 mpf Exp $ # This is a sample config for a pair of firewalls with three physical interfaces # # The two firefall interfaces are made redundant on each side using # carp0 and carp1. # # A third interface em2 connects each firewall to the DMZ where it can # reach a syslog server with the IP 192.168.1.10 # # This config does two things: # 1. Monitor the reachability of the syslog server and demote # the carp interface group to provoke a failover if the syslog server # is not reachable. We do that by using ping(1) and checking # the link state of em2. # 2. Log carp failovers dmz_if_up = 'em2.link.up' dmz_if_down = 'em2.link.down' syslog_ok = '"ping -q -c 1 -w 1 192.168.1.10 >/dev/null 2>&1" every 10' # ifstated starts up with the first defined state state neutral { if $dmz_if_down { run "logger -st ifstated 'interface to syslog server em2 is down'" set-state demoted } if ! $syslog_ok { run "logger -st ifstated 'could not reach syslog server'" set-state demoted } } state demoted { init { run "ifconfig -g carp carpdemote" } if $dmz_if_up && $syslog_ok { run "logger -st ifstated 'syslog server is ok again'" # remove our carp demotion run "ifconfig -g carp -carpdemote" set-state neutral } } # commands in the global scope are always run if carp0.link.up run "logger -st ifstated 'carp0 is master'" if carp0.link.down run "logger -st ifstated 'carp0 is backup'"