A firewall is a critical network component, because a failure of the firewall cuts off users' access to the Internet and/or external access to the public servers.
By configuring a redundant firewall, such a failure becomes transparent to the users.
On FreeBSD a redundant firewall can be built with the Common Address Redundancy Protocol (CARP), pfsync and pf.
The CARP protocol provides redundancy by grouping several machines on the same network segment that share one IP address. It is a free alternative to VRRP (Virtual Router Redundancy Protocol) and HSRP (Hot Standby Router Protocol). One of the machines has the "MASTER" role, the others are "BACKUP".
Pfsync is a protocol used to synchronize the state tables of the PF firewalls on the systems that are part of the cluster.
To be able to use carp and pfsync, the FreeBSD kernel must be recompiled:
[root@WAN1 ~]# cat /usr/src/sys/i386/conf/CARP
include GENERIC
ident CARP
device carp
device pfsync
[root@WAN1 /usr/src]# make buildkernel KERNCONF=CARP
[root@WAN1 /usr/src]# make installkernel KERNCONF=CARP
[root@WAN1 /usr/src]# shutdown -r now
[root@WAN1 ~]# sysctl net.inet.carp.allow
net.inet.carp.allow: 1
CARP is configured with sysctl and with ifconfig on the virtual network interface that gets created.
The sysctl variable net.inet.carp.preempt must be set to 1:
[root@WAN1 ~]# sysctl -w net.inet.carp.allow=1
[root@WAN1 ~]# echo "net.inet.carp.preempt=1" >> /etc/sysctl.conf
To make the configuration of these interfaces persistent, the /etc/rc.conf files on the two systems are edited:
[root@WAN1 ~]# cat /etc/rc.conf
hostname="WAN1"
cloned_interfaces="carp0 carp1"
ifconfig_em0="inet 172.30.4.2/29"
ifconfig_em1="inet 10.0.0.2/24"
ifconfig_em2="inet 192.168.0.1/30"
ifconfig_carp0="inet 172.30.4.4/29 vhid 1 pass ionelmocanu advskew 1"
ifconfig_carp1="inet 10.0.0.4 netmask 255.255.255.0 vhid 2 pass ionelmocanu advskew 1"
defaultrouter="172.30.4.1"
nameserver="94.52.207.65"
gateway_enable="YES"
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pfsync_enable="YES"
pfsync_syncdev="em2"
pfsync_syncpeer="192.168.0.2"
[root@WAN2 ~]# cat /etc/rc.conf
hostname="WAN2"
cloned_interfaces="carp0 carp1"
ifconfig_em0="inet 172.30.4.3/29"
ifconfig_em1="inet 10.0.0.3/24"
ifconfig_em2="inet 192.168.0.2/30"
ifconfig_carp0="inet 172.30.4.4/29 vhid 1 pass ionelmocanu advskew 1"
ifconfig_carp1="inet 10.0.0.4 netmask 255.255.255.0 vhid 2 pass ionelmocanu advskew 1"
defaultrouter="172.30.4.1"
nameserver="94.52.207.65"
gateway_enable="YES"
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pfsync_enable="YES"
pfsync_syncdev="em2"
pfsync_syncpeer="192.168.0.1"
The carp and pfsync interfaces are created on both machines:
[root@WAN1 ~]# ifconfig
pfsync0: flags=41<UP,RUNNING> metric 0 mtu 1460
pfsync: syncdev: em2 syncpeer: 192.168.0.2 maxupd: 128
carp0: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
inet 172.30.4.4 netmask 0xfffffff8
carp: MASTER vhid 1 advbase 1 advskew 1
carp1: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
inet 10.0.0.4 netmask 0xffffff00
carp: MASTER vhid 2 advbase 1 advskew 1
[root@WAN2 ~]# ifconfig
pfsync0: flags=41<UP,RUNNING> metric 0 mtu 1460
pfsync: syncdev: em2 syncpeer: 192.168.0.2 maxupd: 128
carp0: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
inet 172.30.4.4 netmask 0xfffffff8
carp: BACKUP vhid 1 advbase 1 advskew 1
carp1: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
inet 10.0.0.4 netmask 0xffffff00
carp: BACKUP vhid 2 advbase 1 advskew 1
The PF firewall must let the CARP and pfsync protocols through on the interfaces where they are configured. The following firewall rules are added to /etc/pf.conf:
set skip on em2
pass quick on em2 proto pfsync keep state (no-sync)
pass on { em0, em1 } proto carp keep state (no-sync)
On the local network, the workstations use 10.0.0.4 (the IP on carp1) as their gateway. For NAT, 172.30.4.4, the IP configured on carp0, is used:
nat on em0 from 10.0.0.0/24 -> 172.30.4.4
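Once both nodes are up, the thing to verify is that the pair actually behaves as one firewall: exactly one node is MASTER for each vhid, and each node's pfsync syncpeer is the other node's address on the sync interface, not its own. The script below is an added example, not part of the original post; it parses the `ifconfig` output of both nodes and reports those two conditions. The three listings it works on are constructed sample input that follow the addressing of the rc.conf files above (a healthy WAN1, a healthy WAN2, and a faulty WAN2 whose syncpeer points at itself and which has come up MASTER on vhid 1); nothing is read from a live system. Because both rc.conf files use advskew 1, neither node is preferred, so the check only asserts that exactly one node is MASTER per vhid, not which one.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a two-node CARP/pfsync
# pair from each node's `ifconfig` output. Healthy means exactly one MASTER per
# vhid and a pfsync syncpeer that is the *other* node's address on the syncdev.
# The listings below are constructed sample input modelled on the post's layout;
# on a real pair you would feed in e.g. `ssh WAN1 ifconfig` and `ssh WAN2 ifconfig`.

WAN1_OUT='pfsync0: flags=41<UP,RUNNING> metric 0 mtu 1460
    pfsync: syncdev: em2 syncpeer: 192.168.0.2 maxupd: 128
em2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 192.168.0.1 netmask 0xfffffffc broadcast 192.168.0.3
carp0: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
    inet 172.30.4.4 netmask 0xfffffff8
    carp: MASTER vhid 1 advbase 1 advskew 1
carp1: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
    inet 10.0.0.4 netmask 0xffffff00
    carp: MASTER vhid 2 advbase 1 advskew 1'

# Healthy backup node: BACKUP on both vhids, syncpeer is WAN1's em2 address.
WAN2_OUT='pfsync0: flags=41<UP,RUNNING> metric 0 mtu 1460
    pfsync: syncdev: em2 syncpeer: 192.168.0.1 maxupd: 128
em2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 192.168.0.2 netmask 0xfffffffc broadcast 192.168.0.3
carp0: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
    inet 172.30.4.4 netmask 0xfffffff8
    carp: BACKUP vhid 1 advbase 1 advskew 1
carp1: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
    inet 10.0.0.4 netmask 0xffffff00
    carp: BACKUP vhid 2 advbase 1 advskew 1'

# Faulty backup node (constructed): syncpeer is its own em2 address, and vhid 1
# has come up MASTER as well, which is what you see when CARP advertisements
# between the nodes are blocked (e.g. a missing "pass proto carp" rule).
WAN2_BAD_OUT='pfsync0: flags=41<UP,RUNNING> metric 0 mtu 1460
    pfsync: syncdev: em2 syncpeer: 192.168.0.2 maxupd: 128
em2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 192.168.0.2 netmask 0xfffffffc broadcast 192.168.0.3
carp0: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
    inet 172.30.4.4 netmask 0xfffffff8
    carp: MASTER vhid 1 advbase 1 advskew 1
carp1: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
    inet 10.0.0.4 netmask 0xffffff00
    carp: BACKUP vhid 2 advbase 1 advskew 1'

# Print "<vhid> <state>" for every carp interface in one node's ifconfig output.
carp_states() {
    printf '%s\n' "$1" | awk '/carp: (MASTER|BACKUP|INIT)/ { print $4, $2 }'
}

# Compare the CARP role per vhid across two nodes. One MASTER is healthy; two
# MASTERs is a split brain (the nodes do not hear each other); none means the
# shared address is down. Prints one line per vhid, exit status 1 on any problem.
carp_pair_health() {
    { carp_states "$1"; carp_states "$2"; } | awk '
        { n[$1]++; if ($2 == "MASTER") m[$1]++; if ($1+0 > max) max = $1+0 }
        END {
            rc = 0
            for (v = 1; v <= max; v++) {
                if (!(v in n)) continue
                if (m[v] == 1)      s = "OK"
                else if (m[v] > 1)  { s = "SPLIT-BRAIN"; rc = 1 }
                else                { s = "NO-MASTER";   rc = 1 }
                printf "vhid %d: %s\n", v, s
            }
            exit rc
        }'
}

# Print "<syncdev> <syncpeer> <this node's own address on syncdev>".
pfsync_peering() {
    printf '%s\n' "$1" | awk '
        /^[a-z]+[0-9]+:/  { iface = $1; sub(":", "", iface) }
        /pfsync: syncdev:/ { dev = $3; peer = $5 }
        $1 == "inet"       { addr[iface] = $2 }
        END { print dev, peer, addr[dev] }'
}

# True when the node syncs to a configured peer that is not itself.
pfsync_peer_ok() {
    set -- $(pfsync_peering "$1")
    [ -n "$2" ] && [ -n "$3" ] && [ "$2" != "$3" ]
}

echo "== WAN1 + WAN2 =="
carp_pair_health "$WAN1_OUT" "$WAN2_OUT" || echo "CARP problem detected"
pfsync_peer_ok "$WAN2_OUT" && echo "WAN2 pfsync peering: OK"
echo "== WAN1 + faulty WAN2 =="
carp_pair_health "$WAN1_OUT" "$WAN2_BAD_OUT" || echo "CARP problem detected"
pfsync_peer_ok "$WAN2_BAD_OUT" || echo "WAN2 pfsync peering: syncpeer is the node itself"
```

Run it on a schedule or from monitoring and alert on a non-zero exit from `carp_pair_health`; a split brain on vhid 1 means both nodes answer ARP for 172.30.4.4, and a split brain on vhid 2 means the LAN gateway 10.0.0.4 is claimed twice, which is exactly the outage the redundant pair is meant to prevent.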

Hi!
Why did you also put 'gateway_enable="YES"' in rc.conf?
As far as I recall pf doesn't need net.inet.ip.forwarding=1, only IPFW and IPfilter do.
with gateway_enable="YES" I get
sysctl net.inet.ip.forwarding: 1
without it I get
sysctl net.inet.ip.forwarding: 0
without it NAT doesn't work