OpenBSD Firewall Cluster
by Lucy

What is this all about?
OpenBSD Security
History
Cluster
CARP Protocol
Failover Configuration
Loadbalancing Configuration
Pfsync
PF Rule Set
Lessons learnt
OpenBSD Security
Memory Protection
Cryptography
Address Space Layout Randomization
Security Levels
Privilege separation and revocation
Sandboxing (chroot)
Security Code Audit
ICMP redirect prevention (since 5.0)
Patches for Security Problems
X11 restrictions
History
HSRP (Hot Standby Router Protocol)
VRRP (Virtual Router Redundancy Protocol)
→ CARP (Common Address Redundancy Protocol)
Michael Shalayeff, Ryan McBride & Gleb Smirnoff
Firewall Cluster
Activate CARP
sysctl & /etc/sysctl.conf
net.inet.carp.allow=1
net.inet.carp.preempt=1
net.inet.carp.log=1

CARP Protocol
ICANN Protocol Number 112
Multicast Protocol
IP 224.0.0.18
TTL 255
VHID (Virtual Host ID)
not encrypted
without password no authentication
RFC 3768 (VRRP)

CARP Protocol Header
Failover Cluster
Interface Configuration
zile /etc/hostname.em[1-4]
up description "trunk interface"
zile /etc/hostname.trunk1
up trunkproto lacp
trunkport em1 trunkport em2
description "external trunk"
zile /etc/hostname.trunk2
192.168.0.2/24 trunkproto lacp
trunkport em3 trunkport em4
description "internal trunk"
/etc/netstart
CARP Options
IP & netmask
vhid <hostid>
advbase <n> (default 1)
advskew <n> (default 0)
pass <password>
group <groupname> (default carp)
carpdev <device>
carppeer <peer_address>
state <state>
Failover Configuration
# Master
10.10.10.1/24 vhid 2 advskew 20 carpdev trunk1 pass ppppp
description "external carp master"
192.168.0.1/24 vhid 1 advskew 20 carpdev trunk2 pass PPPPP
description "internal carp master"
# Slave
10.10.10.1/24 vhid 2 advskew 120 carpdev trunk1 pass ppppp
description "external carp backup"
192.168.0.1/24 vhid 1 advskew 120 carpdev trunk2 pass PPPPP
description "internal carp backup"

CARP demote counter
Show and set the carp group counter
ifconfig -g carp
ifconfig -g carp carpdemote 20
ifconfig -g carp -carpdemote 20
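The CARP Protocol Header slide and the failover/demote slides above do not show how advskew and the demote counter decide who is master. The following added example (not from the original slides) builds and parses constructed CARP v2 advertisements laid out as in OpenBSD's ip_carp.h and applies the election rule to the slide's values: advskew 20 on the master, 120 on the backup, and a carpdemote of 20. Assumed here: the demote counter is added to the configured advskew on the wire (capped at 240), and the HMAC field is left zeroed.

```python
import struct
from dataclasses import dataclass

# CARP header as laid out in OpenBSD sys/netinet/ip_carp.h (36 bytes):
# version/type, vhid, advskew, authlen, demote, advbase, cksum, counter, HMAC-SHA1
CARP_HDR = struct.Struct("!BBBBBBHQ20s")
CARP_VERSION, CARP_ADVERTISEMENT, CARP_MAXSKEW, CARP_AUTHLEN = 2, 1, 240, 7

@dataclass
class CarpAd:
    vhid: int
    advskew: int   # skew as carried on the wire (configured advskew + demote)
    advbase: int
    demote: int

    def interval(self) -> float:
        # Advertisement interval in seconds; with preempt the fastest sender wins.
        return self.advbase + self.advskew / 256

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; 0 for a header whose cksum field is valid."""
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_ad(vhid, advskew, demote=0, advbase=1, counter=1) -> bytes:
    """Constructed advertisement. Assumption: OpenBSD adds the group demote
    counter to the configured advskew before sending, capped at 240."""
    wire_skew = min(advskew + demote, CARP_MAXSKEW)
    first = (CARP_VERSION << 4) | CARP_ADVERTISEMENT
    # HMAC left zeroed: without 'pass' there is no usable authentication anyway.
    hdr = CARP_HDR.pack(first, vhid, wire_skew, CARP_AUTHLEN, min(demote, 255),
                        advbase, 0, counter, bytes(20))
    return hdr[:6] + struct.pack("!H", inet_checksum(hdr)) + hdr[8:]

def parse_ad(pkt: bytes) -> CarpAd:
    """Parse one advertisement, rejecting a bad version/type or checksum."""
    if len(pkt) < CARP_HDR.size:
        raise ValueError("short CARP packet")
    hdr = pkt[:CARP_HDR.size]
    first, vhid, skew, _auth, demote, advbase, _, _ctr, _mac = CARP_HDR.unpack(hdr)
    if (first >> 4) != CARP_VERSION or (first & 0xF) != CARP_ADVERTISEMENT:
        raise ValueError("not a CARP v2 advertisement")
    if inet_checksum(hdr) != 0:
        raise ValueError("bad CARP checksum")
    return CarpAd(vhid, skew, advbase, demote)

def elect_master(ads):
    return min(ads, key=lambda a: a.interval())  # lowest interval wins the vhid
```

With the slide's values a carpdemote of 20 lifts the master's wire skew from 20 to 40, still below the backup's 120, so it alone does not trigger a failover; only a demotion above 100 hands the vhid over.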
Loadbalancing Cluster
Interface Configuration
zile /etc/hostname.em[1-4]
up description "trunk interface"
zile /etc/hostname.trunk1
10.10.10.2 up trunkproto lacp
trunkport em1 trunkport em2
description "external trunk"
zile /etc/hostname.trunk2
192.168.0.2/24 trunkproto lacp
trunkport em3 trunkport em4
description "internal trunk"
/etc/netstart
CARP Options
IP & netmask
vhid <hostid>
pass <password>
group <groupname> (default carp)
carpnodes <vhid:advskew,vhid:advskew>
carpdev <device>
carppeer <peer_address>
state <state>
Loadbalancing Configuration
# Master 1
10.10.10.1/24 balancing carpdev trunk1 carpnodes 1:100,2:0
description "external carp master1"
192.168.0.1/24 balancing carpdev trunk2 carpnodes 3:100,4:0
description "internal carp master1"
# Master 2
10.10.10.1/24 balancing carpdev trunk1 carpnodes 1:0,2:100
description "external carp master2"
192.168.0.1/24 balancing carpdev trunk2 carpnodes 3:0,4:100
description "internal carp master2"
PFsync
TCP State synchronisation
pfsync syncpeer 172.16.0.2 syncdev bnx0
systat states
no authorisation no encryption
PF Ruleset
syncif=vr0
extif=vr1
intif=vr2
# CARP rule
pass quick log on { $extif, $intif } proto carp
# PFSYNC rule
pass quick log on $syncif proto pfsync
# SSH from internal rule
pass quick log on $intif proto tcp to self port ssh keep state (no-sync)
Lessons learnt
Pros
Failover / Loadbalancing
OpenBSD Security Features
PF Features
Update tests
Cons
Synchronisation
Single Point of Failure
without password no authentication
No encryption

Questions?