Firewall failover pe FreeBSD 8.2 (carp, pfsync, pf)

A firewall is a critical component of the network: if it fails, users lose access to the Internet and/or outside access to the public servers is cut off.

By configuring a redundant firewall, such a failure becomes transparent to users.
On FreeBSD a redundant firewall can be built using the Common Address Redundancy Protocol (CARP), pfsync and pf.
The CARP protocol provides system redundancy by grouping several machines on the same network segment that share one IP address. It is a free alternative to VRRP (Virtual Router Redundancy Protocol) and HSRP (Hot Standby Router Protocol). One of the machines has the "MASTER" role, the others are "BACKUP".
pfsync is a protocol used to synchronize the state tables of the PF firewalls on the systems that make up the cluster.

To be able to use carp and pfsync, the FreeBSD kernel must be rebuilt:

[root@WAN1 ~]# cat /usr/src/sys/i386/conf/CARP
include GENERIC
ident CARP
device carp
device pfsync
[root@WAN1 /usr/src]# make buildkernel KERNCONF=CARP
[root@WAN1 /usr/src]# make installkernel KERNCONF=CARP
[root@WAN1 /usr/src]# shutdown -r now
 
[root@WAN1 ~]# sysctl net.inet.carp.allow
net.inet.carp.allow: 1

CARP is configured using sysctl and ifconfig on the virtual network interface that is created.

The sysctl variable net.inet.carp.preempt must be set to 1:

[root@WAN1 ~]# sysctl -w net.inet.carp.allow=1
[root@WAN1 ~]# echo "net.inet.carp.preempt=1" >> /etc/sysctl.conf

To make the configuration of these interfaces persistent, the /etc/rc.conf files on the two systems are edited:

[root@WAN1 ~]# cat /etc/rc.conf
hostname="WAN1"
cloned_interfaces="carp0 carp1"
ifconfig_em0="inet 172.30.4.2/29"
ifconfig_em1="inet 10.0.0.2/24"
ifconfig_em2="inet 192.168.0.1/30"
ifconfig_carp0="inet 172.30.4.4/29 vhid 1 pass ionelmocanu advskew 1"
ifconfig_carp1="inet 10.0.0.4 netmask 255.255.255.0 vhid 2 pass ionelmocanu advskew 1"
defaultrouter="172.30.4.1"
nameserver="94.52.207.65"
gateway_enable="YES"
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pfsync_enable="YES"
pfsync_syncdev="em2"
pfsync_syncpeer="192.168.0.2"
 
[root@WAN2 ~]# cat /etc/rc.conf
hostname="WAN2"
cloned_interfaces="carp0 carp1"
ifconfig_em0="inet 172.30.4.3/29"
ifconfig_em1="inet 10.0.0.3/24"
ifconfig_em2="inet 192.168.0.2/30"
ifconfig_carp0="inet 172.30.4.4/29 vhid 1 pass ionelmocanu advskew 1"
ifconfig_carp1="inet 10.0.0.4 netmask 255.255.255.0 vhid 2 pass ionelmocanu advskew 1"
defaultrouter="172.30.4.1"
nameserver="94.52.207.65"
gateway_enable="YES"
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pfsync_enable="YES"
pfsync_syncdev="em2"
pfsync_syncpeer="192.168.0.1"

On the two machines the carp and pfsync interfaces are created:

[root@WAN1 ~]# ifconfig
pfsync0: flags=41<UP,RUNNING> metric 0 mtu 1460
        pfsync: syncdev: em2 syncpeer: 192.168.0.2 maxupd: 128
carp0: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
        inet 172.30.4.4 netmask 0xfffffff8
        carp: MASTER vhid 1 advbase 1 advskew 1
carp1: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
        inet 10.0.0.4 netmask 0xffffff00
        carp: MASTER vhid 2 advbase 1 advskew 1
 
[root@WAN2 ~]# ifconfig
pfsync0: flags=41<UP,RUNNING> metric 0 mtu 1460
        pfsync: syncdev: em2 syncpeer: 192.168.0.1 maxupd: 128
carp0: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
        inet 172.30.4.4 netmask 0xfffffff8
        carp: BACKUP vhid 1 advbase 1 advskew 1
carp1: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
        inet 10.0.0.4 netmask 0xffffff00
        carp: BACKUP vhid 2 advbase 1 advskew 1
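The ifconfig output above is what an operator has to check by eye after every change or failover: exactly one node must report MASTER for each vhid, and each node's pfsync syncpeer must point at the other node's em2 address, otherwise states are not synchronized and the failover is not transparent. The script below is an added example, not part of the original post, that performs those checks automatically. The ifconfig outputs embedded in it are constructed for the example (they follow the shape of the WAN1/WAN2 output shown above, plus a deliberately broken sample in which both nodes claim MASTER); on real nodes the strings are replaced by the output of `ifconfig carp0 carp1 pfsync0` collected from each machine.

```shell
#!/bin/sh
# Added example: audit the CARP/pfsync state of a two-node firewall pair from
# ifconfig output. The samples below are constructed for this example, not
# captured from a real system.

WAN1_IFCONFIG='pfsync0: flags=41<UP,RUNNING> metric 0 mtu 1460
        pfsync: syncdev: em2 syncpeer: 192.168.0.2 maxupd: 128
carp0: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
        inet 172.30.4.4 netmask 0xfffffff8
        carp: MASTER vhid 1 advbase 1 advskew 1
carp1: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
        inet 10.0.0.4 netmask 0xffffff00
        carp: MASTER vhid 2 advbase 1 advskew 1'

WAN2_IFCONFIG='pfsync0: flags=41<UP,RUNNING> metric 0 mtu 1460
        pfsync: syncdev: em2 syncpeer: 192.168.0.1 maxupd: 128
carp0: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
        inet 172.30.4.4 netmask 0xfffffff8
        carp: BACKUP vhid 1 advbase 1 advskew 1
carp1: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
        inet 10.0.0.4 netmask 0xffffff00
        carp: BACKUP vhid 2 advbase 1 advskew 1'

# Constructed failure case: WAN2 also believes it is MASTER for vhid 1
# (split brain, as happens when CARP advertisements no longer reach it).
WAN2_SPLIT='carp0: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
        inet 172.30.4.4 netmask 0xfffffff8
        carp: MASTER vhid 1 advbase 1 advskew 1'

# carp_state OUTPUT VHID: print the role (MASTER/BACKUP/INIT) the node reports for VHID.
carp_state() {
    printf '%s\n' "$1" | awk -v vhid="$2" \
        '$1 == "carp:" && $3 == "vhid" && $4 == vhid { print $2; exit }'
}

# pfsync_peer OUTPUT: print the syncpeer address pfsync0 is configured with.
pfsync_peer() {
    printf '%s\n' "$1" | awk \
        '$1 == "pfsync:" { for (i = 1; i <= NF; i++) if ($i == "syncpeer:") { print $(i + 1); exit } }'
}

# check_pair OUTPUT_A OUTPUT_B VHID: exactly one node must be MASTER for the
# shared address. Prints OK, SPLIT-BRAIN (both MASTER) or NO-MASTER; returns 0 only for OK.
check_pair() {
    a=$(carp_state "$1" "$3")
    b=$(carp_state "$2" "$3")
    case "$a/$b" in
        MASTER/BACKUP|BACKUP/MASTER) echo "OK";          return 0 ;;
        MASTER/MASTER)               echo "SPLIT-BRAIN"; return 1 ;;
        *)                           echo "NO-MASTER";   return 1 ;;
    esac
}

# check_peers OUTPUT_A ADDR_A OUTPUT_B ADDR_B: each node's syncpeer must be the
# other node's sync-interface address, otherwise pf states are not replicated.
check_peers() {
    [ "$(pfsync_peer "$1")" = "$4" ] && [ "$(pfsync_peer "$3")" = "$2" ]
}

# Stand-alone run over the constructed samples.
for vhid in 1 2; do
    printf 'vhid %s: %s\n' "$vhid" "$(check_pair "$WAN1_IFCONFIG" "$WAN2_IFCONFIG" "$vhid")"
done
printf 'vhid 1 with split-brain sample: %s\n' "$(check_pair "$WAN1_IFCONFIG" "$WAN2_SPLIT" 1)"
if check_peers "$WAN1_IFCONFIG" 192.168.0.1 "$WAN2_IFCONFIG" 192.168.0.2; then
    echo "pfsync peers: consistent"
else
    echo "pfsync peers: mismatch, states will not be synchronized"
fi
```

Two points worth keeping in mind when reading the results. A SPLIT-BRAIN result means both nodes answer ARP for the shared address at the same time, so the first thing to verify is that CARP advertisements (IP protocol 112) are passing on em0 and em1 between the two nodes. Also, in the rc.conf above both nodes use advskew 1, so which node wins the election is not pinned by configuration; giving the intended backup a higher advskew makes the preference explicit, and with net.inet.carp.preempt=1 the preferred node takes the MASTER role back as soon as it returns.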

The PF firewall must let the CARP and pfsync protocols pass on the interfaces where they are configured. The following firewall rules are added to /etc/pf.conf:
set skip on em2
pass quick on em2 proto pfsync keep state (no-sync)
pass on { em0, em1 } proto carp keep state (no-sync)

On the local network, the workstations use 10.0.0.4 (the IP on carp1) as their gateway. For NAT, 172.30.4.4, the IP configured on carp0, is used:
nat on em0 from 10.0.0.0/24 -> 172.30.4.4

2 Comments

  1. alex says:

    Hi!

    Why did you also put 'gateway_enable="YES"' in rc.conf?
    As far as I know PF doesn't need net.inet.ip.forwarding=1, only IPFW and IPfilter do.

  2. ionel says:

    with gateway_enable="YES" I get
    sysctl net.inet.ip.forwarding: 1
    without it I get
    sysctl net.inet.ip.forwarding: 0
    without it NAT doesn't work
