# $OpenBSD: ifstated.conf,v 1.2 2018/01/20 23:07:58 mpf Exp $
# This is a sample config for a pair of firewalls with three physical interfaces
#
# The two firewall interfaces are made redundant on each side using
# carp0 and carp1.
#
# A third interface em2 connects each firewall to the DMZ where it can
# reach a syslog server with the IP 192.168.1.10
#
# This config does two things:
# 1. Monitor the reachability of the syslog server and demote
# the carp interface group to provoke a failover if the syslog server
# is not reachable. We do that by using ping(1) and checking
# the link state of em2.
# 2. Log carp failovers
# Macros for the link state of em2, the interface that faces the DMZ.
dmz_if_up = 'em2.link.up'
dmz_if_down = 'em2.link.down'
# External test: the quoted command is run every 10 seconds and its exit
# status is the result of the test. ping sends a single echo request (-c 1),
# waits at most one second for the reply (-w 1) and discards all output.
# NOTE(review): an ICMP echo reply only shows that the host answers ping; it
# does not show that the syslog service is accepting messages. A single
# one-second probe also means one lost packet is enough to fail the test --
# confirm that this sensitivity is intended before using it in production.
syslog_ok = '"ping -q -c 1 -w 1 192.168.1.10 >/dev/null 2>&1" every 10'
# ifstated starts up with the first defined state
# Normal operation: no carp demotion is applied by this file. Either of the
# two conditions below logs a message and moves to the demoted state.
state neutral {
	# Link on the DMZ interface is lost.
	if $dmz_if_down {
		# logger -s also prints the message to stderr; -t tags it "ifstated".
		# NOTE(review): logger hands the message to the local syslogd; whether
		# it is also kept locally while the remote server is unreachable
		# depends on syslog.conf, which is not shown here.
		run "logger -st ifstated 'interface to syslog server em2 is down'"
		set-state demoted
	}
	# The ping test defined in $syslog_ok failed.
	if ! $syslog_ok {
		run "logger -st ifstated 'could not reach syslog server'"
		set-state demoted
	}
}
# The syslog server is considered unreachable: this firewall demotes itself
# so that its carp peer is preferred as master.
state demoted {
	# init runs when the state is entered.
	init {
		# Raise the demotion counter of the "carp" interface group.
		# NOTE(review): nothing in this file lowers the counter again if
		# ifstated stops while in this state -- verify how a restart is handled.
		run "ifconfig -g carp carpdemote"
	}
	# Recover only when both the em2 link and the ping test are good.
	if $dmz_if_up && $syslog_ok {
		run "logger -st ifstated 'syslog server is ok again'"
		# remove our carp demotion
		run "ifconfig -g carp -carpdemote"
		set-state neutral
	}
}
# commands in the global scope are always run
# Log carp0 role changes: link.up is reported as master, link.down as backup.
# NOTE(review): only carp0 is logged here; carp1, named in the header comment,
# has no matching rule -- confirm whether that is intended.
if carp0.link.up
	run "logger -st ifstated 'carp0 is master'"
if carp0.link.down
	run "logger -st ifstated 'carp0 is backup'"