Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/trunk]: src/dist/pf/share/man/man4 Improve the pfsync(4) man page
details: https://anonhg.NetBSD.org/src/rev/bf0de7972534
branches: trunk
changeset: 747420:bf0de7972534
user: degroote <degroote%NetBSD.org@localhost>
date: Mon Sep 14 11:45:01 2009 +0000
description:
Improve the pfsync(4) man page
hostname.if(5) is ifconfig.if(5) on NetBSD
Don't speak about enc, as we don't support it at the moment
Make clear that we don't support ipsec protection of pfsync traffic (as long we
doesn't support enc, or similar thing)
Catched by wiz@
diffstat:
dist/pf/share/man/man4/pfsync.4 | 43 +++++++++++++++++++++-------------------
1 files changed, 23 insertions(+), 20 deletions(-)
diffs (107 lines):
diff -r b32bb26e9960 -r bf0de7972534 dist/pf/share/man/man4/pfsync.4
--- a/dist/pf/share/man/man4/pfsync.4 Mon Sep 14 11:38:29 2009 +0000
+++ b/dist/pf/share/man/man4/pfsync.4 Mon Sep 14 11:45:01 2009 +0000
@@ -1,4 +1,4 @@
-.\" $NetBSD: pfsync.4,v 1.2 2009/09/14 11:17:42 wiz Exp $
+.\" $NetBSD: pfsync.4,v 1.3 2009/09/14 11:45:01 degroote Exp $
.\" $OpenBSD: pfsync.4,v 1.25 2007/05/31 19:19:51 jmc Exp $
.\"
.\" Copyright (c) 2002 Michael Shalayeff
@@ -108,16 +108,16 @@
used is 224.0.0.240.
When a peer address is specified using the
.Ic syncpeer
-keyword, the peer address is used as a destination for the pfsync traffic,
-and the traffic can then be protected using
-.Xr ipsec 4 .
-In such a configuration, the syncdev should be set to the
-.Xr enc 4
-interface, as this is where the traffic arrives when it is decapsulated,
-e.g.:
-.Bd -literal -offset indent
-# ifconfig pfsync0 syncpeer 10.0.0.2 syncdev enc0
-.Ed
+keyword, the peer address is used as a destination for the pfsync traffic.
+.\"and the traffic can then be protected using
+.\".Xr ipsec 4 .
+.\"In such a configuration, the syncdev should be set to the
+.\".Xr enc 4
+.\"interface, as this is where the traffic arrives when it is decapsulated,
+.\"e.g.:
+.\".Bd -literal -offset indent
+.\"# ifconfig pfsync0 syncpeer 10.0.0.2 syncdev enc0
+.\".Ed
.Pp
It is important that the pfsync traffic be well secured
as there is no authentication on the protocol and it would
@@ -125,7 +125,9 @@
Either run the pfsync protocol on a trusted network \- ideally a network
dedicated to pfsync messages such as a crossover cable between two firewalls,
or specify a peer address and protect the traffic with
-.Xr ipsec 4 .
+.Xr ipsec 4 (it is not supported at the moment on
+.Nx
+due to the lack of any encapsulation pseudo-device).
.Pp
There is a one-to-one correspondence between packets seen by
.Xr bpf 4
@@ -161,32 +163,32 @@
The interfaces are configured as follows (firewall A unless otherwise
indicated):
.Pp
-.Pa /etc/hostname.sis0 :
+.Pa /etc/ifconfig.sis0 :
.Bd -literal -offset indent
inet 10.0.0.254 255.255.255.0 NONE
.Ed
.Pp
-.Pa /etc/hostname.sis1 :
+.Pa /etc/ifconfig.sis1 :
.Bd -literal -offset indent
inet 192.168.0.254 255.255.255.0 NONE
.Ed
.Pp
-.Pa /etc/hostname.sis2 :
+.Pa /etc/ifconfig.sis2 :
.Bd -literal -offset indent
inet 192.168.254.254 255.255.255.0 NONE
.Ed
.Pp
-.Pa /etc/hostname.carp0 :
+.Pa /etc/ifconfig.carp0 :
.Bd -literal -offset indent
inet 10.0.0.1 255.255.255.0 10.0.0.255 vhid 1 pass foo
.Ed
.Pp
-.Pa /etc/hostname.carp1 :
+.Pa /etc/ifconfig.carp1 :
.Bd -literal -offset indent
inet 192.168.0.1 255.255.255.0 192.168.0.255 vhid 2 pass bar
.Ed
.Pp
-.Pa /etc/hostname.pfsync0 :
+.Pa /etc/ifconfig.pfsync0 :
.Bd -literal -offset indent
up syncdev sis2
.Ed
@@ -212,7 +214,7 @@
interfaces should be set to something higher than
the primary's.
For example, if firewall B is the backup, its
-.Pa /etc/hostname.carp1
+.Pa /etc/ifconfig.carp1
would look like this:
.Bd -literal -offset indent
inet 192.168.0.1 255.255.255.0 192.168.0.255 vhid 2 pass bar \e
@@ -232,9 +234,10 @@
.Xr ipsec 4 ,
.Xr netintro 4 ,
.Xr pf 4 ,
-.Xr hostname.if 5 ,
+.Xr ifconfig.if 5 ,
.Xr pf.conf 5 ,
.Xr protocols 5 ,
+.\" enc 8,
.Xr ifconfig 8 ,
.Xr tcpdump 8
.Sh HISTORY
Home |
Main Index |
Thread Index |
Old Index