| Summary: | pfsync(4) man page corrections | ||
|---|---|---|---|
| Product: | Documentation | Reporter: | Alexandre Snarskii <snar> |
| Component: | Books & Articles | Assignee: | Gleb Smirnoff <glebius> |
| Status: | Closed FIXED | ||
| Severity: | Affects Only Me | ||
| Priority: | Normal | ||
| Version: | Latest | ||
| Hardware: | Any | ||
| OS: | Any | ||
State Changed From-To: open->patched

Manual page updated in HEAD.

Responsible Changed From-To: freebsd-doc->glebius

my.

State Changed From-To: patched->closed

Merged to RELENG_6.
The manual page for pfsync clearly states that:

> State change messages are sent out on the synchronisation interface using IP multicast packets. The protocol is IP protocol 240, PFSYNC, and the multicast group used is 224.0.0.240.

But for IP multicast to work, the interface needs to be configured with an IP address. (I spent over an hour recognising why it does not work without an IP address.)

Another place in the pfsync man page that should be updated is the following:

> pf(4) must also be configured to allow pfsync and carp(4) traffic through. The following should be added to the top of /etc/pf.conf:

```
pass quick on { sis2 } proto pfsync
pass on { sis0 sis1 } proto carp keep state
```

That's OK, but if the user then uncomments the next example in /etc/pf.conf, `block in log all`, carp packets will be blocked by the firewall. And as they will be blocked, both firewalls will become master, and this usually leads to NAT'ed sessions being dropped. So I propose to rewrite the following line in the example:

```
pass on { sis0 sis1 } proto carp keep state
```

as

```
pass quick on { sis0 sis1 } proto carp keep state
```

Fix: The proposed changes are: after the phrase "The protocol is IP protocol 240, PFSYNC, and the multicast group used is 224.0.0.240." add the note: "Note: for IP multicast to work, the synchronisation interface must be configured with an IP address". Another change is to rewrite:

```
pass on { sis0 sis1 } proto carp keep state
```

as

```
pass quick on { sis0 sis1 } proto carp keep state
```
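As an added illustration (not part of this report, the FreeBSD man page, or the committed fix), the configuration shape the report is asking for: the synchronisation interface gets an address in /etc/rc.conf, and in /etc/pf.conf the carp pass rule is marked `quick` so that the later `block in log all` cannot override it. pf evaluates every rule and the last matching rule wins unless a rule is marked `quick`, which is why the original `pass on ... proto carp` is silently undone once the default-deny rule is enabled. Interface names follow the report; the addresses and the rc.conf variable values are constructed for the example.

```conf
# /etc/rc.conf (added example; addresses are constructed)
# The pfsync interface needs an IP address or the multicast state
# messages to 224.0.0.240 are never sent (first point of the report).
ifconfig_sis2="inet 192.168.254.1 netmask 255.255.255.0"
pfsync_enable="YES"
pfsync_syncdev="sis2"
pf_enable="YES"

# /etc/pf.conf (added example)
# pf evaluates every rule; the LAST matching rule wins unless a rule
# carries "quick", which stops evaluation at that rule.
sync_if = "sis2"
ext_if  = "sis0"
int_if  = "sis1"

pass quick on $sync_if proto pfsync

# Weak form (the current man page example): no "quick", so the
# "block in log all" further down matches last and wins, CARP
# advertisements are dropped, and both firewalls become MASTER:
#   pass on { $ext_if $int_if } proto carp keep state
#
# Corrected form (what the report proposes): evaluation stops here,
# so the default deny below can no longer catch CARP traffic.
pass quick on { $ext_if $int_if } proto carp keep state

# Default deny from the sample ruleset; uncommenting this is what
# exposes the problem with the non-quick carp rule.
block in log all
```

After loading the ruleset, `pfctl -sr` shows the carp rule with `quick`, and `ifconfig carp0` on the backup should stay in BACKUP state while the master's advertisements are passing.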