OpenBSD PF Cluster Firewall with CARP and pfsync
Firewalls are an indispensable part of network perimeter security and run at the most critical point of the network. When a firewall suffers a hardware or software fault, the nightmare scenarios start one after another. This article describes a cluster and failover setup between two OpenBSD PF firewalls, in which the second firewall takes over the moment the first one goes down, and shows how that is done in practice: the shared gateway addresses are carried by CARP, and the state table is replicated between the two nodes with pfsync so that existing connections survive the switch.
OpenBSD PF Master
# uname -a
OpenBSD master.cehturkiye.com 4.7 GENERIC#558 i386
# cat /etc/mygate
192.168.5.254
# cat /etc/myname
master.cehturkiye.com
Network Interfaces
lan:em0
wan:em1
pfsync:em2
Configuring the Network Settings
# cat /etc/hostname.em0
inet 10.0.0.55 255.255.255.0 NONE
# cat /etc/hostname.em1
inet 192.168.5.55 255.255.255.0
# cat /etc/hostname.em2
inet 172.16.16.55 255.255.255.0 NONE
# cat /etc/hostname.pfsync0
up syncdev em2
Resulting Network Configuration
# ifconfig
lo0: flags=8049 mtu 33200
priority: 0
groups: lo
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
inet 127.0.0.1 netmask 0xff000000
em0: flags=8b43 mtu 1500
lladdr 00:0c:29:b4:d4:59
priority: 0
media: Ethernet autoselect (1000baseT full-duplex,master)
status: active
inet6 fe80::20c:29ff:feb4:d459%em0 prefixlen 64 scopeid 0x1
inet 10.0.0.55 netmask 0xffffff00 broadcast 10.0.0.255
em1: flags=8b43 mtu 1500
lladdr 00:0c:29:b4:d4:63
priority: 0
groups: egress
media: Ethernet autoselect (1000baseT full-duplex,master)
status: active
inet6 fe80::20c:29ff:feb4:d463%em1 prefixlen 64 scopeid 0x2
inet 192.168.5.55 netmask 0xffffff00 broadcast 192.168.5.255
em2: flags=8843 mtu 1500
lladdr 00:0c:29:b4:d4:6d
priority: 0
media: Ethernet autoselect (1000baseT full-duplex,master)
status: active
inet6 fe80::20c:29ff:feb4:d46d%em2 prefixlen 64 scopeid 0x3
inet 172.16.16.55 netmask 0xffffff00 broadcast 172.16.16.255
enc0: flags=0<> mtu 1536
priority: 0
pfsync0: flags=41 mtu 1500
priority: 0
pfsync: syncdev: em2 maxupd: 128 defer: off
groups: carp pfsync
pflog0: flags=141 mtu 33200
priority: 0
groups: pflog
carp1: flags=8843 mtu 1500
lladdr 00:00:5e:00:01:01
priority: 0
carp: MASTER carpdev em1 vhid 1 advbase 20 advskew 0
groups: carp
inet6 fe80::200:5eff:fe00:101%carp1 prefixlen 64 scopeid 0x6
inet 192.168.5.100 netmask 0xffffff00 broadcast 192.168.5.255
carp2: flags=8843 mtu 1500
lladdr 00:00:5e:00:01:02
priority: 0
carp: MASTER carpdev em0 vhid 2 advbase 20 advskew 0
groups: carp
inet6 fe80::200:5eff:fe00:102%carp2 prefixlen 64 scopeid 0x7
inet 10.0.0.100 netmask 0xffffff00 broadcast 10.0.0.255
carp1 virtual interface bound to the WAN interface (em1)
# cat /etc/hostname.carp1
inet 192.168.5.100 255.255.255.0 192.168.5.255 vhid 1 advbase 20 advskew 0 carpdev em1 pass benimgizliparolam
carp2 virtual interface bound to the LAN interface (em0)
# cat /etc/hostname.carp2
inet 10.0.0.100 255.255.255.0 10.0.0.255 vhid 2 advbase 20 advskew 0 carpdev em0 pass benimgizliparolam
The pass value is the shared secret with which CARP authenticates its advertisements; whoever knows it can send advertisements with a lower advskew and take the virtual address away from the cluster. Use a long random value, the same one on both nodes for a given vhid, and keep /etc/hostname.carp* readable by root only (OpenBSD installs the hostname.* files with mode 0640 for this reason).
# sysctl net.inet.ip.forwarding=1
net.inet.ip.forwarding: 0 -> 1
# sysctl -w net.inet.carp.allow=1
net.inet.carp.allow: 1 -> 1
# sysctl -w net.inet.carp.preempt=1
net.inet.carp.preempt: 0 -> 1
# sysctl -w net.inet.carp.log=1
net.inet.carp.log: 0 -> 1
Values set with sysctl(8) at the command line are lost at reboot, so on both nodes add net.inet.ip.forwarding=1, net.inet.carp.preempt=1 and net.inet.carp.log=1 to /etc/sysctl.conf as well (net.inet.carp.allow is already 1 by default, as the output shows). net.inet.carp.preempt=1 is important on a firewall with more than one CARP interface: besides letting a node with a better advskew reclaim an address, it makes a node that loses the link on one of its carp interfaces demote all of its carp interfaces together, so the WAN and LAN gateway addresses always fail over as a pair instead of ending up split across the two boxes.
########################################################################
OpenBSD PF Backup
# uname -a
OpenBSD backup.cehturkiye.com 4.7 GENERIC#558 i386
# cat /etc/mygate
192.168.5.254
# cat /etc/myname
backup.cehturkiye.com
Network Interfaces
lan:em0
wan:em1
pfsync:em2
Configuring the Network Settings
# cat /etc/hostname.em0
inet 10.0.0.66 255.255.255.0 NONE
# cat /etc/hostname.em1
inet 192.168.5.66 255.255.255.0
# cat /etc/hostname.em2
inet 172.16.16.66 255.255.255.0 NONE
# cat /etc/hostname.pfsync0
up syncdev em2
Resulting Network Configuration
# ifconfig
lo0: flags=8049 mtu 33200
priority: 0
groups: lo
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
inet 127.0.0.1 netmask 0xff000000
em0: flags=8b02 mtu 1500
lladdr 00:0c:29:83:49:fc
priority: 0
media: Ethernet autoselect (none)
status: no carrier
inet 10.0.0.66 netmask 0xffffff00 broadcast 10.0.0.255
inet6 fe80::20c:29ff:fe83:49fc%em0 prefixlen 64 duplicated scopeid 0x1
em1: flags=8b43 mtu 1500
lladdr 00:0c:29:83:49:06
priority: 0
groups: egress
media: Ethernet autoselect (1000baseT full-duplex,master)
status: active
inet6 fe80::20c:29ff:fe83:4906%em1 prefixlen 64 scopeid 0x2
inet 192.168.5.66 netmask 0xffffff00 broadcast 192.168.5.255
em2: flags=8843 mtu 1500
lladdr 00:0c:29:83:49:10
priority: 0
media: Ethernet autoselect (1000baseT full-duplex,master)
status: active
inet 172.16.16.66 netmask 0xffffff00 broadcast 172.16.16.255
inet6 fe80::20c:29ff:fe83:4910%em2 prefixlen 64 duplicated scopeid 0x3
enc0: flags=0<> mtu 1536
priority: 0
pflog0: flags=141 mtu 33200
priority: 0
groups: pflog
carp1: flags=8843 mtu 1500
lladdr 00:00:5e:00:01:01
priority: 0
carp: BACKUP carpdev em1 vhid 1 advbase 20 advskew 0
groups: carp
inet6 fe80::200:5eff:fe00:101%carp1 prefixlen 64 scopeid 0x7
inet 192.168.5.100 netmask 0xffffff00 broadcast 192.168.5.255
carp2: flags=8803 mtu 1500
lladdr 00:00:5e:00:01:02
priority: 0
carp: INIT carpdev em0 vhid 2 advbase 20 advskew 0
groups: carp
inet6 fe80::200:5eff:fe00:102%carp2 prefixlen 64 scopeid 0x8
inet 10.0.0.100 netmask 0xffffff00 broadcast 10.0.0.255
carp1 virtual interface bound to the WAN interface (em1)
# cat /etc/hostname.carp1
inet 192.168.5.100 255.255.255.0 192.168.5.255 vhid 1 advbase 20 advskew 0 carpdev em1 pass benimgizliparolam
carp2 virtual interface bound to the LAN interface (em0)
# cat /etc/hostname.carp2
inet 10.0.0.100 255.255.255.0 10.0.0.255 vhid 2 advbase 20 advskew 0 carpdev em0 pass benimgizliparolam
Both nodes advertise with advskew 0 here, so neither of them is the preferred master and which one wins after a reboot is not predictable. The usual practice is to leave the intended master at advskew 0 and give the backup a higher value (for example advskew 100 in both of its hostname.carp* files); with preempt enabled the intended master then reliably takes the addresses back when it returns.
# sysctl net.inet.ip.forwarding=1
net.inet.ip.forwarding: 0 -> 1
# sysctl -w net.inet.carp.allow=1
net.inet.carp.allow: 1 -> 1
# sysctl -w net.inet.carp.preempt=1
net.inet.carp.preempt: 0 -> 1
# sysctl -w net.inet.carp.log=1
net.inet.carp.log: 0 -> 1
Minimal pf.conf (the same ruleset is loaded on both nodes):
# cat /etc/pf.conf
# $OpenBSD: pf.conf,v 1.49 2009/09/17 06:39:03 jmc Exp $
# C|EH TURKIYE
# See pf.conf(5) for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.
### Interfaces ###
IntIf="em0"
ExtIf="em1"
CarpIf="em2"
PFSync="em2"
CarpExt="{192.168.5.55, 192.168.5.66}"
CarpInt="{10.0.0.55, 10.0.0.66}"
IntNet="10.0.0.0/24"
pf.conf rules
set skip on lo
# CARP firewall failover
pass quick log on $PFSync proto pfsync keep state (no-sync)
pass in quick log on $ExtIf proto carp from $CarpExt to 224.0.0.18 keep state
pass in quick log on $IntIf proto carp from $CarpInt to 224.0.0.18 keep state
### Network Address Translation (NAT with outgoing source port randomization)
match out log on egress from (self) to any tag EGRESS nat-to ($ExtIf:0) port 1024:65535
match out log on egress from $IntNet to any received-on $IntIf tag EGRESS nat-to carp1 port 1024:65535
# filter rules and anchor for ftp-proxy(8)
#anchor "ftp-proxy/*"
#pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
# anchor for relayd(8)
#anchor "relayd/*"
# NAT outgoing connections
#nat on $WanIf from $LanIf:network to any -> $WanIf
pass in log (all) all # to establish keep-state
pass out log (all) all
# rules for spamd(8)
#table <spamd-white> persist
#table <nospamd> persist file "/etc/mail/nospamd"
#pass in on egress proto tcp from any to any port smtp \
# rdr-to 127.0.0.1 port spamd
#pass in on egress proto tcp from <nospamd> to any port smtp
#pass in log on egress proto tcp from <spamd-white> to any port smtp
#pass out log on egress proto tcp to any port smtp
#block in quick from urpf-failed to any # use with care
# By default, do not permit remote connections to X11
block in on ! lo0 proto tcp to port 6000:6010
The parts that matter for the cluster are the first few rules. The pfsync rule is bound to $PFSync (em2) only and carries (no-sync), so the synchronisation traffic itself is never entered into the replicated state table. pfsync is neither authenticated nor encrypted: anyone who can reach the em2 segment can inject states into both firewalls or delete them, so that link must be a dedicated, physically isolated one (a crossover cable or a private VLAN that carries nothing else); where that is impossible, pfsync can be pointed at a unicast syncpeer so the traffic can be carried inside an IPsec tunnel. The two CARP rules admit CARP advertisements (IP protocol 112, sent to the multicast group 224.0.0.18) only from the peers' physical addresses on the WAN and on the LAN interface. Traffic from the internal network is NATed to carp1, the shared WAN address, and not to $ExtIf:0: this is what makes the states replicated by pfsync usable after a failover, because a state translated to 192.168.5.55 is dead the moment the host owning that address is gone. The firewall's own traffic (from (self)) is NATed to the physical interface address because those connections belong to one node and are not expected to survive it. Finally, "pass in log (all) all" and "pass out log (all) all" allow everything in both directions; they keep the failover demonstration simple but are not a filtering policy, so replace them with your real rules before putting this pair on a production perimeter. The remaining commented-out lines are the stock OpenBSD 4.7 pf.conf template and are unused here.
Testing the Failover Cluster
From a client (10.0.0.11) we open a connection to www.cehturkiye.com. The connection is being forwarded by the MASTER firewall.
The master firewall is currently active (on master.cehturkiye.com):
# ifconfig carp
carp1: flags=8843 mtu 1500
lladdr 00:00:5e:00:01:01
priority: 0
carp: MASTER carpdev em1 vhid 1 advbase 20 advskew 0
groups: carp
inet6 fe80::200:5eff:fe00:101%carp1 prefixlen 64 scopeid 0x6
inet 192.168.5.100 netmask 0xffffff00 broadcast 192.168.5.255
carp2: flags=8843 mtu 1500
lladdr 00:00:5e:00:01:02
priority: 0
carp: MASTER carpdev em0 vhid 2 advbase 20 advskew 0
groups: carp
inet6 fe80::200:5eff:fe00:102%carp2 prefixlen 64 scopeid 0x7
inet 10.0.0.100 netmask 0xffffff00 broadcast 10.0.0.255
pfsync0: flags=41 mtu 1500
priority: 0
pfsync: syncdev: em2 maxupd: 128 defer: off
groups: carp pfsync
# tcpdump -nn -ttt -i em0 host 10.0.0.11 and tcp port 80
tcpdump: listening on em0, link-type EN10MB
Aug 16 17:20:16.736101 10.0.0.11.1477 > 83.66.140.10.80: P 3434076927:3434077718(791) ack 3491673519 win 64901 (DF)
Aug 16 17:20:16.736107 10.0.0.11.1477 > 83.66.140.10.80: P 0:791(791) ack 1 win 64901 (DF)
Aug 16 17:20:16.737067 83.66.140.10.80 > 10.0.0.11.1477: . ack 791 win 64909 (DF)
Aug 16 17:20:16.737074 83.66.140.10.80 > 10.0.0.11.1477: . ack 791 win 64909 (DF)
Aug 16 17:20:16.737079 83.66.140.10.80 > 10.0.0.11.1477: . ack 791 win 64909 (DF)
Aug 16 17:20:16.737092 83.66.140.10.80 > 10.0.0.11.1477: . ack 791 win 64909 (DF)
Aug 16 17:20:16.910783 83.66.140.10.80 > 10.0.0.11.1477: . 1:1461(1460) ack 791 win 65535 (DF)
Aug 16 17:20:16.910790 83.66.140.10.80 > 10.0.0.11.1477: P 1461:2158(697) ack 791 win 65535 (DF)
Aug 16 17:20:16.911164 83.66.140.10.80 > 10.0.0.11.1477: . 1:1461(1460) ack 791 win 65535 (DF)
Aug 16 17:20:16.911257 83.66.140.10.80 > 10.0.0.11.1477: P 1461:2158(697) ack 791 win 65535 (DF)
Aug 16 17:20:16.915074 83.66.140.10.80 > 10.0.0.11.1477: . 2158:3618(1460) ack 791 win 65535 (DF)
Aug 16 17:20:16.915081 83.66.140.10.80 > 10.0.0.11.1477: P 3618:4206(588) ack 791 win 65535 (DF)
Aug 16 17:20:16.915430 83.66.140.10.80 > 10.0.0.11.1477: . 2158:3618(1460) ack 791 win 65535 (DF)
Aug 16 17:20:16.915436 83.66.140.10.80 > 10.0.0.11.1477: P 3618:4206(588) ack 791 win 65535 (DF)
Aug 16 17:20:16.916531 10.0.0.11.1477 > 83.66.140.10.80: . ack 2158 win 65535 (DF)
Aug 16 17:20:16.916536 10.0.0.11.1477 > 83.66.140.10.80: . ack 2158 win 65535 (DF)
Aug 16 17:20:16.916543 10.0.0.11.1477 > 83.66.140.10.80: . ack 2158 win 65535 (DF)
Aug 16 17:20:16.916548 10.0.0.11.1477 > 83.66.140.10.80: . ack 2158 win 65535 (DF)
Aug 16 17:20:16.916555 10.0.0.11.1477 > 83.66.140.10.80: . ack 4206 win 65535 (DF)
Now we take the master firewall out of service and watch what the backup does. Once the master is gone, the backup should take over automatically and serve the client as carp: MASTER. On master.cehturkiye.com:
# ifconfig em0 down
# ifconfig em1 down
On backup.cehturkiye.com:
# ifconfig carp
carp1: flags=8843 mtu 1500
lladdr 00:00:5e:00:01:01
priority: 0
carp: MASTER carpdev em1 vhid 1 advbase 20 advskew 0
groups: carp
inet6 fe80::200:5eff:fe00:101%carp1 prefixlen 64 scopeid 0x7
inet 192.168.5.100 netmask 0xffffff00 broadcast 192.168.5.255
carp2: flags=8803 mtu 1500
lladdr 00:00:5e:00:01:02
priority: 0
carp: INIT carpdev em0 vhid 2 advbase 20 advskew 0
groups: carp
inet6 fe80::200:5eff:fe00:102%carp2 prefixlen 64 scopeid 0x8
inet 10.0.0.100 netmask 0xffffff00 broadcast 10.0.0.255
# tcpdump -nn -ttt -i em0 host 10.0.0.11 and tcp port 80
tcpdump: listening on em0, link-type EN10MB
Aug 16 17:20:16.736101 10.0.0.11.1477 > 83.66.140.10.80: P 3434076927:3434077718(791) ack 3491673519 win 64901 (DF)
Aug 16 17:20:16.736107 10.0.0.11.1477 > 83.66.140.10.80: P 0:791(791) ack 1 win 64901 (DF)
Aug 16 17:20:16.737067 83.66.140.10.80 > 10.0.0.11.1477: . ack 791 win 64909 (DF)
Aug 16 17:20:16.737074 83.66.140.10.80 > 10.0.0.11.1477: . ack 791 win 64909 (DF)
Aug 16 17:20:16.737079 83.66.140.10.80 > 10.0.0.11.1477: . ack 791 win 64909 (DF)
The WAN-side virtual address (carp1, vhid 1) has moved to the backup, which now advertises itself as MASTER for it. Two things in the output above have to be fixed before the failover can be called complete. First, carp2 on the backup is still INIT, not MASTER: its carpdev em0 reports "no carrier" in the backup's ifconfig output, so while the master is down nobody answers for the LAN gateway address 10.0.0.100, and clients behind it have no route out. A failover only works when every vhid shows MASTER on the surviving node; check that with ifconfig carp on both boxes after every test, and cable and verify both legs of both firewalls before relying on the pair. Second, both nodes use advbase 20, so if the master dies silently (crash, power loss, cable pulled) the backup waits for three missed advertisements, roughly 60 seconds, before it claims the addresses; the default advbase of 1 brings that to about 3 seconds. With those two points addressed the pair behaves as a failover cluster: when one firewall goes, the other takes its place, and because the state table was replicated over pfsync the client's existing connections continue instead of being reset.
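The checks the test above needs, as an added example (this script is mine, not from the original article): given the text of ifconfig carp from each node and of pfctl -ss from both, it reports whether each node has all of its vhids in one state (a node that is MASTER on one vhid and INIT or BACKUP on another, as the backup is above, is split and cannot forward), which states on the master were never replicated to the backup, and which replicated states were NATed to a physical address instead of the carp1 address discussed under pf.conf and therefore cannot survive a failover. The here-strings are constructed sample output modelled on the article's; the pfctl -ss line layout is assumed to be "ifname proto src (orig) -> dst state", IPv4 only.

```shell
#!/bin/sh
# Added example, not from the original article: offline health checks for a
# two-node CARP/pfsync pair. The sample texts below are constructed to match
# the article's output; on a live node feed it "$(ifconfig carp)" and
# "$(pfctl -ss)" collected from each box instead.

CARP_WAN=192.168.5.100   # carp1 address (vhid 1) in the article
CARP_LAN=10.0.0.100      # carp2 address (vhid 2) in the article

# carp_states TEXT: one line "ifname vhid STATE" per carp interface in the
# ifconfig output.  Field layout assumed: "carp: STATE carpdev emN vhid N ..."
carp_states() {
    printf '%s\n' "$1" | awk '
        /^carp[0-9]+:/ { ifname = $1; sub(":", "", ifname) }
        /carp: (MASTER|BACKUP|INIT)/ { print ifname, $6, $2 }'
}

# carp_verdict TEXT: ALL_MASTER or ALL_BACKUP when every vhid agrees,
# otherwise SPLIT (return status 1).  A split node answers for one gateway
# address but not the other, which is exactly the backup's state above.
carp_verdict() {
    states=$(carp_states "$1" | awk '{ print $3 }' | sort -u)
    case "$states" in
        MASTER) echo ALL_MASTER ;;
        BACKUP) echo ALL_BACKUP ;;
        *)      echo SPLIT; return 1 ;;
    esac
}

# state_keys TEXT: normalise a pfctl -ss dump to "proto src -> dst" keys,
# dropping the interface, the (original address) and the connection state.
state_keys() {
    printf '%s\n' "$1" | awk '
        / (->|<-) / {
            key = $2 " " $3
            for (i = 4; i <= NF; i++)
                if ($i == "->" || $i == "<-") { key = key " " $i " " $(i+1); break }
            print key
        }' | sort -u
}

# missing_on_backup MASTER_SS BACKUP_SS: states the backup never received.
missing_on_backup() {
    backup_keys=$(state_keys "$2")
    state_keys "$1" | while IFS= read -r key; do
        [ -n "$key" ] || continue
        printf '%s\n' "$backup_keys" | grep -Fqx "$key" || printf '%s\n' "$key"
    done
}

# unshared_nat MASTER_SS: NATed states whose translated source is not one of
# the CARP addresses.  They replicate fine, but die with the node that owns
# the physical address, so the matching nat-to rule should use carp1.
unshared_nat() {
    printf '%s\n' "$1" | awk -v wan="$CARP_WAN" -v lan="$CARP_LAN" '
        / \(/ && / -> / { split($3, a, ":"); if (a[1] != wan && a[1] != lan) print }'
}

# ---- constructed sample input (trimmed from the article's ifconfig carp) ----
MASTER_CARP='carp1: flags=8843 mtu 1500
        carp: MASTER carpdev em1 vhid 1 advbase 20 advskew 0
carp2: flags=8843 mtu 1500
        carp: MASTER carpdev em0 vhid 2 advbase 20 advskew 0'
BACKUP_CARP='carp1: flags=8843 mtu 1500
        carp: MASTER carpdev em1 vhid 1 advbase 20 advskew 0
carp2: flags=8803 mtu 1500
        carp: INIT carpdev em0 vhid 2 advbase 20 advskew 0'
# ---- constructed pfctl -ss dumps (not captured from a real system) ----
MASTER_SS='all tcp 192.168.5.100:51001 (10.0.0.11:1477) -> 83.66.140.10:80   ESTABLISHED:ESTABLISHED
all tcp 192.168.5.55:51002 (10.0.0.12:2201) -> 83.66.140.10:443   ESTABLISHED:ESTABLISHED
all udp 10.0.0.11:53412 -> 10.0.0.100:53   MULTIPLE:SINGLE'
BACKUP_SS='all tcp 192.168.5.100:51001 (10.0.0.11:1477) -> 83.66.140.10:80   ESTABLISHED:ESTABLISHED
all tcp 192.168.5.55:51002 (10.0.0.12:2201) -> 83.66.140.10:443   ESTABLISHED:ESTABLISHED'

report() {
    echo "master carp: $(carp_verdict "$MASTER_CARP")"
    echo "backup carp: $(carp_verdict "$BACKUP_CARP")"
    carp_states "$BACKUP_CARP" | awk '$3 == "INIT" {
        print "  " $1 " (vhid " $2 ") is INIT: carpdev down or no carrier" }'
    echo "states on master missing on backup:"
    missing_on_backup "$MASTER_SS" "$BACKUP_SS" | sed 's/^/  /'
    echo "states NATed to a non-CARP address (lost at failover):"
    unshared_nat "$MASTER_SS" | sed 's/^/  /'
}
report
```

On a live pair, replace the samples with the real ifconfig carp and pfctl -ss output from each node (collected over ssh, for instance) and run the script after every cutover test. A SPLIT verdict points at a carpdev without link, as with the backup's em0 here; a non-empty missing_on_backup list means pfsync is not replicating (check the em2 link and the pfsync rule); a non-empty unshared_nat list points at a nat-to rule that uses an interface address where it should use the CARP address.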
To be added:
OpenBSD PF as a layer 2 (bridging) firewall with CARP and pfsync