{"id":1059,"date":"2022-08-27T14:27:35","date_gmt":"2022-08-27T12:27:35","guid":{"rendered":"https:\/\/www.elwix.org\/site\/?page_id=1059"},"modified":"2022-08-28T00:18:04","modified_gmt":"2022-08-27T22:18:04","slug":"fwsync-document","status":"publish","type":"page","link":"http:\/\/www.elwix.org\/site\/documentation\/fwsync-document\/","title":{"rendered":"FWSync document"},"content":{"rendered":"\n<p><strong>FWSYNC driver<\/strong> <strong>installation and configuration<\/strong><\/p>\n\n\n\n<p>Currently the driver is not included in the kernel and we have to patch, compile and install according to the following procedure:<\/p>\n\n\n\n<p><strong><em>#Prepare work directory, checkout project, create the symlinks<\/em><\/strong><\/p>\n\n\n\n<p>cd ~<\/p>\n\n\n\n<p>mkdir work<\/p>\n\n\n\n<p>cd work<\/p>\n\n\n\n<p>cvs -d anoncvs@cvs.elwix.org:\/cvs checkout fwsync<\/p>\n\n\n\n<p>cd \/usr\/src&nbsp;<\/p>\n\n\n\n<p>sudo ln -s ~\/work\/fwsync\/patches\/sync.c \/usr\/src\/sbin\/ipfw<\/p>\n\n\n\n<p><strong><em>#Patches for \/usr\/src\/sbin\/ipfw tool<\/em><\/strong><\/p>\n\n\n\n<p>sudo patch &lt; ~\/work\/fwsync\/patches\/ipfw_Makefile.patch<\/p>\n\n\n\n<p>sudo patch &lt; ~\/work\/fwsync\/patches\/ipfw_main.patch<\/p>\n\n\n\n<p>sudo patch &lt; ~\/work\/fwsync\/patches\/ipfw_ipfw2_h.patch<\/p>\n\n\n\n<p><strong><em>#Patches for the ipfw filter driver<\/em><\/strong><\/p>\n\n\n\n<p>sudo patch &lt; ~\/work\/fwsync\/patches\/alias_db_h.patch<\/p>\n\n\n\n<p>sudo patch &lt; ~\/work\/fwsync\/patches\/alias_db.patch<\/p>\n\n\n\n<p>sudo patch &lt; ~\/work\/fwsync\/patches\/ip_fw2.patch<\/p>\n\n\n\n<p>sudo patch &lt; ~\/work\/fwsync\/patches\/ip_fw_private_h.patch<\/p>\n\n\n\n<p>sudo patch &lt; ~\/work\/fwsync\/patches\/ip_fw_nat.patch<\/p>\n\n\n\n<p>sudo patch &lt; ~\/work\/fwsync\/patches\/ip_fw_h.patch<\/p>\n\n\n\n<p>sudo patch &lt; ~\/work\/fwsync\/patches\/ip_fw_dynamic.patch<\/p>\n\n\n\n<p><strong><em>#Build and install the kernel<\/em><\/strong><\/p>\n\n\n\n<p>sudo make 
buildkernel<\/p>\n\n\n\n<p>sudo make installkernel<\/p>\n\n\n\n<p>reboot<\/p>\n\n\n\n<p><strong><em>#In case you haven\u2019t built the userland of the OS<\/em><\/strong><\/p>\n\n\n\n<p>cp \/usr\/src\/sys\/netinet\/ip_fw.h \/usr\/include\/netinet<\/p>\n\n\n\n<p><strong><em>#ipfw installation<\/em><\/strong><\/p>\n\n\n\n<p>cd \/usr\/src\/sbin\/ipfw<\/p>\n\n\n\n<p>sudo make obj<\/p>\n\n\n\n<p>sudo make depend<\/p>\n\n\n\n<p>sudo make<\/p>\n\n\n\n<p>sudo make install<\/p>\n\n\n\n<p><strong><em>#Driver installation<\/em><\/strong><\/p>\n\n\n\n<p>cd ~\/work\/fwsync\/driver<\/p>\n\n\n\n<p>make obj<\/p>\n\n\n\n<p>make depend<\/p>\n\n\n\n<p>make<\/p>\n\n\n\n<p>sudo make install<\/p>\n\n\n\n<p><strong>#RECHECK THE IPFW RULE SET ON BOTH DEVICES, IT SHOULD BE UNIFIED!<\/strong><\/p>\n\n\n\n<p><strong><em>#Driver load<\/em><\/strong><\/p>\n\n\n\n<p>kldload fwsync.ko<\/p>\n\n\n\n<p>vim \/boot\/loader.conf<\/p>\n\n\n\n<p>fwsync_load=&quot;YES&quot;<\/p>\n\n\n\n<p><strong><em>#Configuration:<\/em><\/strong><\/p>\n\n\n\n<p><strong><em>#Activate the listen state<\/em><\/strong><\/p>\n\n\n\n<p>sudo ipfw sync config edge 20611<\/p>\n\n\n\n<p><em>or<\/em><\/p>\n\n\n\n<p>sudo ipfw sync config edge port 20611<\/p>\n\n\n\n<p><em>*Remark 1 &#8211; when only one option is possible for the following word, that word can be skipped<\/em><\/p>\n\n\n\n<p><strong><em>#Configure the peer device as a collector<\/em><\/strong><\/p>\n\n\n\n<p>sudo ipfw sync config collector 172.17.0.254<\/p>\n\n\n\n<p><em>or<\/em><\/p>\n\n\n\n<p>sudo ipfw sync config collector 172.17.0.253 172.17.0.251,10000<\/p>\n\n\n\n<p><em>*Remark 2 &#8211; If no port is specified, comma separated, after the IP, the default port 20611 will be used. 
We can configure two collectors max per device<\/em><\/p>\n\n\n\n<p><strong><em>#Start the synchronization<\/em><\/strong><\/p>\n\n\n\n<p>sudo ipfw sync start<\/p>\n\n\n\n<p><strong><em>#Useful commands<\/em><\/strong><\/p>\n\n\n\n<p><strong><em>#List configuration<\/em><\/strong><\/p>\n\n\n\n<p>sudo ipfw sync show<\/p>\n\n\n\n<p><strong>#Stop the synchronization<\/strong><\/p>\n\n\n\n<p>sudo ipfw sync stop<\/p>\n\n\n\n<p><strong>#Disable the connectivity to the device&#8217;s network stack and clear the configuration (if we need to unload the driver for example for upgrade)<\/strong><\/p>\n\n\n\n<p>sudo ipfw sync flush<\/p>\n\n\n\n<p><strong><em>#Sample working setup (r1 and r2):<\/em><\/strong><\/p>\n\n\n\n<p>root@r1:~ # ipfw sync show<\/p>\n\n\n\n<p>ipfw sync config edge port 20611<\/p>\n\n\n\n<p>ipfw sync config collector 172.16.71.9,20611<\/p>\n\n\n\n<p>ipfw sync start edge<\/p>\n\n\n\n<p>ipfw sync start collector<\/p>\n\n\n\n<p>root@r2:~ # ipfw sync show<\/p>\n\n\n\n<p>ipfw sync config edge port 20611<\/p>\n\n\n\n<p>ipfw sync config collector 172.16.71.5,20611<\/p>\n\n\n\n<p>ipfw sync start edge<\/p>\n\n\n\n<p>ipfw sync start collector<\/p>\n\n\n\n<p><em>*Remark 3 &#8211; for production environments we will use the heartbeat VLAN<\/em><\/p>\n\n\n\n<p><strong><em>#Dynamic states after sync on r1<\/em><\/strong><\/p>\n\n\n\n<p>ipfw -dD show<\/p>\n\n\n\n<p>&#8230;<\/p>\n\n\n\n<p>01100 &nbsp; &nbsp; 244 &nbsp; &nbsp; 126718 (263s) STATE tcp 172.16.71.51 58659 &lt;-&gt; 178.22.65.231 443 :default<\/p>\n\n\n\n<p>01100&nbsp; &nbsp; 1522&nbsp; &nbsp; &nbsp; 97910 (293s) STATE tcp 172.16.71.50 53129 &lt;-&gt; 74.125.143.188 5228 :default<\/p>\n\n\n\n<p>&#8230;<\/p>\n\n\n\n<p><strong><em>#Socket<\/em><\/strong><\/p>\n\n\n\n<p>netstat<\/p>\n\n\n\n<p>&#8230;<\/p>\n\n\n\n<p>udp4 &nbsp; &nbsp; &nbsp; 0&nbsp; &nbsp; &nbsp; 0 *.20611&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; 
*.*&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/p>\n\n\n\n<p>&#8230;<\/p>\n\n\n\n<p><strong><em>#Statistics via sysctl<\/em><\/strong><\/p>\n\n\n\n<p>sysctl net.inet.ip.fwsync<\/p>\n\n\n\n<p>net.inet.ip.fwsync.acct.edge_aliases: 3<\/p>\n\n\n\n<p>net.inet.ip.fwsync.acct.collector_aliases: 0<\/p>\n\n\n\n<p>net.inet.ip.fwsync.acct.edge_states: 11<\/p>\n\n\n\n<p>net.inet.ip.fwsync.acct.collector_states: 5<\/p>\n\n\n\n<p><strong><em>#Statistics via ipfw&nbsp;<\/em><\/strong><\/p>\n\n\n\n<p>sudo ipfw sync list<\/p>\n\n\n\n<p>sync edge states 11 aliases 3<\/p>\n\n\n\n<p>sync collector states 5 aliases 0<\/p>\n\n\n\n<p>sudo ipfw sync list edge<\/p>\n\n\n\n<p>sync edge states 14 aliases 3<\/p>\n\n\n\n<p>sudo ipfw sync list collector<\/p>\n\n\n\n<p>sync collector states 22 aliases 0<\/p>\n","protected":false},"excerpt":{"rendered":"<p>FWSYNC driver installation and configuration Currently the driver is not included in the kernel and we have to patch, compile and install according to the following procedure: #Prepare work directory, checkout project, create the symlinks cd ~ mkdir work cd &hellip; <a href=\"http:\/\/www.elwix.org\/site\/documentation\/fwsync-document\/\">Continue reading <span 
class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"parent":46,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":[],"_links":{"self":[{"href":"http:\/\/www.elwix.org\/site\/wp-json\/wp\/v2\/pages\/1059"}],"collection":[{"href":"http:\/\/www.elwix.org\/site\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"http:\/\/www.elwix.org\/site\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"http:\/\/www.elwix.org\/site\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.elwix.org\/site\/wp-json\/wp\/v2\/comments?post=1059"}],"version-history":[{"count":8,"href":"http:\/\/www.elwix.org\/site\/wp-json\/wp\/v2\/pages\/1059\/revisions"}],"predecessor-version":[{"id":1075,"href":"http:\/\/www.elwix.org\/site\/wp-json\/wp\/v2\/pages\/1059\/revisions\/1075"}],"up":[{"embeddable":true,"href":"http:\/\/www.elwix.org\/site\/wp-json\/wp\/v2\/pages\/46"}],"wp:attachment":[{"href":"http:\/\/www.elwix.org\/site\/wp-json\/wp\/v2\/media?parent=1059"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}