States can be synchronised between two or more firewalls using this interface by specifying a synchronisation interface with
ifconfig(8). For example, the following command sets fxp0 as the synchronisation interface:
# ifconfig pfsync0 syncdev fxp0
By default, state change messages are sent out on the synchronisation interface using IP multicast packets. The protocol is IP protocol 240, PFSYNC, and the multicast group used is 224.0.0.240. When a peer address is specified using the
syncpeer keyword, the pfsync traffic is sent as unicast to that peer address instead of to the multicast group.
It is important that the pfsync traffic be well secured: the protocol has no authentication, so it would be trivial to spoof packets which create states, bypassing the pf ruleset (spoofed deletion messages can likewise tear down legitimate states). Either run the pfsync protocol on a trusted network, ideally a network dedicated to pfsync messages such as a crossover cable between the two firewalls, or specify a peer address and protect the traffic with
ipsec(4). The ipsec(4) option is not supported at the moment on
NetBSD due to the lack of any encapsulation pseudo-device.
There is a one-to-one correspondence between packets seen by
bpf(4) on the
pfsync interface and packets sent out on the synchronisation interface: a packet carrying 4 state deletion messages on
pfsync means that the same 4 deletions were sent out on the synchronisation interface. However, the actual packet contents may differ, as the messages sent over the network are "compressed" where possible, containing only the necessary information.