A firewall is a critical network component: when it fails, users lose Internet access and/or access from the outside to the public servers is cut.
By configuring a redundant firewall, such a failure becomes transparent to users.
On FreeBSD a redundant firewall can be built with the Common Address Redundancy Protocol (CARP), pfsync and pf.
CARP provides redundancy by grouping several machines on the same network segment that share an IP address. It is a free alternative to VRRP (Virtual Router Redundancy Protocol) and HSRP (Hot Standby Router Protocol). One machine has the MASTER role, the others are BACKUP. The MASTER sends periodic advertisements authenticated with an HMAC keyed by the shared CARP password; a BACKUP that stops hearing valid advertisements takes over the shared address.
pfsync is the protocol used to synchronize the PF state tables between the systems in the cluster, so that established connections survive a failover. pfsync messages are neither encrypted nor authenticated, so the sync interface must be a dedicated, physically isolated link (here the em2 crossover link).
To use carp and pfsync, the FreeBSD kernel has to be rebuilt with the two devices:

[root@WAN1 ~]# cat /usr/src/sys/i386/conf/CARP
include GENERIC
ident CARP
device carp
device pfsync
[root@WAN1 /usr/src]# make buildkernel KERNCONF=CARP
[root@WAN1 /usr/src]# make installkernel KERNCONF=CARP
[root@WAN1 /usr/src]# shutdown -r now
[root@WAN1 ~]# sysctl net.inet.carp.allow
net.inet.carp.allow: 1
CARP is configured with sysctl and with ifconfig on the virtual network interface it creates. This carpN pseudo-interface layout (cloned_interfaces="carp0 carp1") applies to FreeBSD 9 and earlier; from FreeBSD 10 on, CARP is configured as a vhid/pass option on an address of the physical interface instead.
net.inet.carp.allow must be 1 (the default, as shown above) and net.inet.carp.preempt must be set to 1 on both machines. With preempt enabled, when one of the physical interfaces behind a carp interface goes down, the node raises advskew on all of its carp interfaces, so the WAN and LAN addresses fail over together instead of carp0 staying MASTER on one node while carp1 moves to the other:

[root@WAN1 ~]# sysctl -w net.inet.carp.allow=1
[root@WAN1 ~]# sysctl -w net.inet.carp.preempt=1
[root@WAN1 ~]# echo "net.inet.carp.preempt=1" >> /etc/sysctl.conf
To make the interface configuration persistent, edit /etc/rc.conf on both systems:

[root@WAN1 ~]# cat /etc/rc.conf
hostname="WAN1"
cloned_interfaces="carp0 carp1"
ifconfig_em0="inet 172.30.4.2/29"
ifconfig_em1="inet 10.0.0.2/24"
ifconfig_em2="inet 192.168.0.1/30"
ifconfig_carp0="inet 172.30.4.4/29 vhid 1 pass ionelmocanu advskew 1"
ifconfig_carp1="inet 10.0.0.4 netmask 255.255.255.0 vhid 2 pass ionelmocanu advskew 1"
defaultrouter="172.30.4.1"
# nameserver is not an rc.conf variable; the resolver (nameserver 94.52.207.65) belongs in /etc/resolv.conf
gateway_enable="YES"
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pfsync_enable="YES"
pfsync_syncdev="em2"
pfsync_syncpeer="192.168.0.2"

[root@WAN2 ~]# cat /etc/rc.conf
hostname="WAN2"
cloned_interfaces="carp0 carp1"
ifconfig_em0="inet 172.30.4.3/29"
ifconfig_em1="inet 10.0.0.3/24"
ifconfig_em2="inet 192.168.0.2/30"
ifconfig_carp0="inet 172.30.4.4/29 vhid 1 pass ionelmocanu advskew 1"
ifconfig_carp1="inet 10.0.0.4 netmask 255.255.255.0 vhid 2 pass ionelmocanu advskew 1"
defaultrouter="172.30.4.1"
# nameserver is not an rc.conf variable; the resolver (nameserver 94.52.207.65) belongs in /etc/resolv.conf
gateway_enable="YES"
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pfsync_enable="YES"
pfsync_syncdev="em2"
pfsync_syncpeer="192.168.0.1"

The pass string keys the HMAC on the CARP advertisements: use a long random secret, identical on both nodes for a given vhid, and never a guessable one. Both nodes run with advskew 1 here, so which one becomes MASTER depends on which comes up first; give WAN2 a higher advskew (for example 100) if WAN1 should be the preferred master.
The carp and pfsync interfaces are then created on both machines:

[root@WAN1 ~]# ifconfig
pfsync0: flags=41<UP,RUNNING> metric 0 mtu 1460
        pfsync: syncdev: em2 syncpeer: 192.168.0.2 maxupd: 128
carp0: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
        inet 172.30.4.4 netmask 0xfffffff8
        carp: MASTER vhid 1 advbase 1 advskew 1
carp1: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
        inet 10.0.0.4 netmask 0xffffff00
        carp: MASTER vhid 2 advbase 1 advskew 1

[root@WAN2 ~]# ifconfig
pfsync0: flags=41<UP,RUNNING> metric 0 mtu 1460
        pfsync: syncdev: em2 syncpeer: 192.168.0.1 maxupd: 128
carp0: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
        inet 172.30.4.4 netmask 0xfffffff8
        carp: BACKUP vhid 1 advbase 1 advskew 1
carp1: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
        inet 10.0.0.4 netmask 0xffffff00
        carp: BACKUP vhid 2 advbase 1 advskew 1
PF must let the CARP and pfsync protocols through on the interfaces that carry them. Add the following rules to /etc/pf.conf:

set skip on em2
pass quick on em2 proto pfsync keep state (no-sync)
pass on { em0, em1 } proto carp keep state (no-sync)

set skip on em2 turns filtering off entirely on the sync link, so the pfsync pass rule is never actually evaluated; this is acceptable only because em2 is a dedicated point-to-point link carrying the unauthenticated pfsync traffic. The (no-sync) option keeps these states out of the pfsync stream. If proto carp is blocked on em0 or em1 (for example by a block-all rule without this pass), the BACKUP stops seeing the MASTER's advertisements and promotes itself, leaving both nodes MASTER and the shared addresses claimed twice on the segment.
Hosts on the local network use 10.0.0.4 (the address on carp1) as their gateway. NAT uses 172.30.4.4, the address configured on carp0, so that NAT states created on one node stay valid when the other node takes over the same address:

nat on em0 from 10.0.0.0/24 to any -> 172.30.4.4
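Once both nodes are up, the failure modes worth watching for are a vhid that is MASTER on both nodes (split brain, typically because pf is blocking proto carp or the CARP secrets differ), a vhid with no MASTER at all, and a copy-pasted pfsync syncpeer. The script below is an added example, not part of the original post: it parses ifconfig output captured on the two nodes (the captures here are constructed from the layout above, not real output) and reports each of those conditions. On the real cluster you would feed it the ifconfig output of WAN1 and of WAN2 saved to two files.

```shell
#!/bin/sh
# Added example (not from the original post): health check for the CARP/pfsync pair.
# It compares `ifconfig` captures from the two nodes and flags:
#   * a vhid that is MASTER on both nodes  -> split brain (CARP advertisements blocked
#     by pf, or mismatched 'pass' secrets)
#   * a vhid that is MASTER on neither node -> nobody owns the shared address
#   * a vhid configured on one node only
#   * both nodes pointing pfsync at the same syncpeer (copy-paste error)

# carp_states FILE: print "VHID STATE" for every carp interface in an ifconfig dump
carp_states() {
    awk '/carp: / {
        st = ""; vh = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "carp:") st = $(i + 1)
            if ($i == "vhid")  vh = $(i + 1)
        }
        if (st != "" && vh != "") print vh, st
    }' "$1"
}

# syncpeer FILE: print the pfsync syncpeer address from an ifconfig dump
syncpeer() {
    awk '/syncpeer:/ { for (i = 1; i <= NF; i++) if ($i == "syncpeer:") print $(i + 1) }' "$1"
}

# check_cluster FILE_A FILE_B: returns 0 only if every vhid has exactly one MASTER
# across the two nodes and the two syncpeers differ
check_cluster() {
    rc=0
    awk -v A="$1" '
        /carp: / {
            st = ""; vh = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "carp:") st = $(i + 1)
                if ($i == "vhid")  vh = $(i + 1)
            }
            if (FILENAME == A) a[vh] = st; else b[vh] = st
            seen[vh] = 1
        }
        END {
            bad = 0
            for (vh in seen) {
                if (!(vh in a) || !(vh in b)) {
                    printf "vhid %s: configured on one node only\n", vh; bad = 1
                } else if (a[vh] == "MASTER" && b[vh] == "MASTER") {
                    printf "vhid %s: SPLIT BRAIN, MASTER on both nodes\n", vh; bad = 1
                } else if (a[vh] != "MASTER" && b[vh] != "MASTER") {
                    printf "vhid %s: no MASTER (%s / %s)\n", vh, a[vh], b[vh]; bad = 1
                } else {
                    printf "vhid %s: ok, MASTER on node %s\n", vh, (a[vh] == "MASTER" ? "A" : "B")
                }
            }
            exit bad
        }' "$1" "$2" || rc=1

    pa=$(syncpeer "$1"); pb=$(syncpeer "$2")
    if [ -z "$pa" ] || [ -z "$pb" ]; then
        echo "pfsync: syncpeer missing on a node"; rc=1
    elif [ "$pa" = "$pb" ]; then
        echo "pfsync: both nodes use syncpeer $pa (one of them is misconfigured)"; rc=1
    else
        echo "pfsync: syncpeers $pa / $pb"
    fi
    return $rc
}

# write_samples DIR: constructed ifconfig captures (not real output) for the demo,
# following the layout of the post: vhid 1 = 172.30.4.4 (carp0), vhid 2 = 10.0.0.4 (carp1)
write_samples() {
    cat > "$1/wan1.txt" <<'EOF'
pfsync0: flags=41<UP,RUNNING> metric 0 mtu 1460
        pfsync: syncdev: em2 syncpeer: 192.168.0.2 maxupd: 128
carp0: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
        inet 172.30.4.4 netmask 0xfffffff8
        carp: MASTER vhid 1 advbase 1 advskew 1
carp1: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
        inet 10.0.0.4 netmask 0xffffff00
        carp: MASTER vhid 2 advbase 1 advskew 1
EOF
    # healthy peer: BACKUP for both vhids, syncpeer pointing back at WAN1
    sed -e 's/MASTER/BACKUP/' -e 's/192.168.0.2/192.168.0.1/' "$1/wan1.txt" > "$1/wan2.txt"
    # broken peer: it also claims MASTER (advertisements not getting through) and
    # its syncpeer was copy-pasted from WAN1
    cp "$1/wan1.txt" "$1/wan2_split.txt"
}

dir=$(mktemp -d)
write_samples "$dir"
echo "== healthy pair =="
check_cluster "$dir/wan1.txt" "$dir/wan2.txt"
echo "== WAN2 also MASTER =="
check_cluster "$dir/wan1.txt" "$dir/wan2_split.txt" || echo "problems found (exit $?)"
rm -rf "$dir"
```

The check is deliberately read-only and needs nothing beyond sh and awk, so it can run from a monitoring host that only has the two ifconfig captures; a non-zero exit is the signal to alert on.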
Hi!
Why did you also put gateway_enable="YES" in rc.conf?
As far as I remember, pf does not need net.inet.ip.forwarding=1; only IPFW and IPFilter do.
With gateway_enable="YES" I get
sysctl net.inet.ip.forwarding: 1
without it I get
sysctl net.inet.ip.forwarding: 0
and without it NAT does not work.