Failover with CARP in PF: Part Five (Rule Set Config)

In the previous article, I covered configuration of the network interfaces of our hypothetical CARP configuration, including the two CARP interfaces and the pfsync interface. In this article, I will cover the rule set for our dual firewall system.

As far as PF is concerned, network traffic comes from the physical interface, not the CARP virtual interface (in our case, carp0, and carp1). Write your rule sets accordingly and don’t forget that an interface name in a PF rule can be either the name of a physical interface or an address associated with that interface. Thus:

pass in on if0 inet proto tcp from any to carp0 port 22

could be correct. Replacing if0 with carp0, however, will not work as intended. In addition, do not forget to pass both proto carp and proto pfsync.


We start by introducing a macro definition for the carp devices and an accompanying pass rule, such as:

pass on $carpdevs proto carp keep state

Likewise, the most readable way to handle the sync interface is to introduce a macro definition for your syncdev and an accompanying pass rule, such as:

pass on $syncdev proto pfsync

If you want to take the pfsync device out of the filtering equation, use:

set skip on $syncdev
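The two pitfalls above (filtering "on carpN" instead of on the physical interface, and forgetting to pass proto carp and proto pfsync or to skip the sync interface) are easy to lint for before loading a rule set. The following Python checker is an added example, not part of the original article or of PF itself: it expands pf.conf macros the way pfctl does textually, then reports any pass rule whose "on" clause names a carp interface and any missing carp/pfsync allowance. The SAMPLE_PF_CONF fragment, the macro names in it and the check_pf_conf / expand / on_interfaces function names are all constructed for the example.

```python
import re

# Constructed pf.conf fragment for the example (not the article's own file).
# Line 8 deliberately filters "on carp0", the mistake the article warns about.
SAMPLE_PF_CONF = """\
ext_if = "if0"
int_if = "if1"
carpdevs = "{ if0, if1 }"
syncdev = "if2"
set skip on $syncdev
block all
pass on $carpdevs proto carp keep state
pass in on carp0 inet proto tcp from any to carp0 port 22
pass in on $ext_if inet proto tcp from any to carp0 port 22
"""

MACRO_RE = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*"([^"]*)"\s*$')
CARP_IF_RE = re.compile(r'^carp\d+$')


def parse_macros(text):
    """Collect name="value" macro definitions in file order."""
    macros = {}
    for line in text.splitlines():
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
    return macros


def expand(line, macros):
    """Substitute $name references with macro values (single textual pass)."""
    return re.sub(r'\$([A-Za-z_][A-Za-z0-9_]*)',
                  lambda m: macros.get(m.group(1), m.group(0)), line)


def on_interfaces(rule):
    """Interface names after 'on' in an expanded rule: a bare name or a { a, b } list."""
    m = re.search(r'\bon\s+(\{[^}]*\}|\S+)', rule)
    if not m:
        return []
    spec = m.group(1).strip('{} ')
    return [s.strip() for s in spec.split(',') if s.strip()]


def check_pf_conf(text):
    """Return a list of findings for the CARP/pfsync pitfalls described in the article."""
    macros = parse_macros(text)
    findings = []
    has_carp_pass = False
    has_pfsync_pass = False
    skipped = set()  # interfaces taken out of filtering with 'set skip on'
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()
        if not line or MACRO_RE.match(line):
            continue
        rule = expand(line, macros)
        words = rule.split()
        if words[0] == 'set' and words[1:3] == ['skip', 'on']:
            skipped.update(on_interfaces(rule))
            continue
        if words[0] != 'pass':
            continue
        # Pitfall 1: PF sees traffic on the physical interface, so 'on carpN' never matches.
        for ifname in on_interfaces(rule):
            if CARP_IF_RE.match(ifname):
                findings.append(
                    f"line {lineno}: 'on {ifname}' never matches; "
                    "filter on the physical interface instead")
        # Pitfall 2: both CARP advertisements and pfsync updates must be allowed.
        if re.search(r'\bproto\s+carp\b', rule):
            has_carp_pass = True
        if re.search(r'\bproto\s+pfsync\b', rule):
            has_pfsync_pass = True
    if not has_carp_pass:
        findings.append("no 'pass ... proto carp' rule: CARP advertisements would be blocked")
    # A skipped interface is assumed to be the sync link; confirm that by eye.
    if not has_pfsync_pass and not skipped:
        findings.append("no 'pass ... proto pfsync' rule and no 'set skip on' for the sync interface")
    return findings


if __name__ == "__main__":
    for finding in check_pf_conf(SAMPLE_PF_CONF):
        print(finding)
```

Run it on the constructed sample and the only finding is the "on carp0" rule on line 8; the rule on line 9, which filters on the physical interface but uses carp0 as the destination address, passes the check, matching the article's guidance. The checker accepts either an explicit pfsync pass rule or a "set skip on" for the sync interface, since both are valid approaches.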

It is not always necessary to synchronize state for every rule in your configuration, because for some rules state continuity across a failover is not particularly crucial. One example would be the typical rule to allow ssh in for the administrator:

pass in on $int_if from $ssh_allowed to self

For those rules, you might consider using the state option no-sync to prevent synchronizing state changes for connections that are not relevant after the failover has happened, like so:

pass in on $int_if from $ssh_allowed to self keep state (no-sync)

With this in mind, we can create our hypothetical pf.conf file:

####################################
# Macro Defines
####################################
lop_int="lo0"
hrt_int="if2"
ext_int="if0"
int_int="if1"
carpdevs = "{ if0, if1, if2 }"

fw_addr="50.87.147.42"

ftp_ports="{ 21,60000:60049 }"
email_ports="{ 25,110 }"
webmail_ports="{ 32000,32001 }"

####################################
# Options – Set up global settings
####################################
#set timeout { interval 10, frag 30 }
#set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
#set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
#set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
#set timeout { icmp.first 20, icmp.error 10 }
#set timeout { other.first 60, other.single 30, other.multiple 60 }
#set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 30000, frags 15000 }
set block-policy drop
set optimization conservative

####################################
# Normalization: reassemble
# fragments and resolve or reduce
# traffic ambiguities.
####################################
scrub in all

####################################
# Filtering Rules
####################################
# Set default policy
block all

# Log any connection attempt to the firewall
block in log on $ext_int from any to $fw_addr

# Allow all Loopback
pass quick on $lop_int all

# Allow pfsync Updates In/Out
pass quick on $hrt_int proto pfsync keep state

# Allow CARP Advertisements In/Out
pass quick on $carpdevs proto carp keep state

# Allow HTTP Through
pass in quick on $ext_int proto tcp from any to port 80 keep state
pass out quick on $int_int proto tcp from any to port 80 keep state

# Allow all outgoing traffic
pass in quick on $int_int all keep state
pass out quick on $ext_int all keep state

# Allow Pings
pass in quick on $ext_int proto icmp from any to keep state
pass out quick on $int_int proto icmp from any to keep state

# Allow Pings to Firewall
pass in quick on $ext_int proto icmp from any to $fw_addr keep state

# Allow Terminal Services
pass in quick on $ext_int proto tcp from to port 3389 keep state
pass out quick on $int_int proto tcp from to port 3389 keep state

# Allow SSL Through
pass in quick on $ext_int proto tcp from any to port 443 keep state
pass out quick on $int_int proto tcp from any to port 443 keep state

# Allow FTP Through
pass in quick on $ext_int proto tcp from any to port $ftp_ports keep state
pass out quick on $int_int proto tcp from any to port $ftp_ports keep state

# Allow Email Through
pass in quick on $ext_int proto tcp from any to port $email_ports keep state
pass out quick on $int_int proto tcp from any to port $email_ports keep state

# Allow Webmail Through
pass in quick on $ext_int proto tcp from any to port $webmail_ports keep state
pass out quick on $int_int proto tcp from any to port $webmail_ports keep state

# Allow DNS Through
pass in quick on $ext_int proto { tcp, udp } from any to port 53 keep state
pass out quick on $int_int proto { tcp, udp } from any to port 53 keep state

# Allow SSH Access From Trusted on External To The FW
pass in log quick on $ext_int proto tcp from to $fw_addr port 22 keep state


External Links:

Redundant Failover Firewall with pf, pfsync and CARP under FreeBSD

© 2013 David Zientara. All rights reserved.