# $OpenBSD: ifstated.conf,v 1.2 2004/03/17 23:58:27 mcbride Exp $ # This is a sample config for a pair of firewalls with two interfaces # # carp0 and carp1 have ip addresses on 192.168.3.0/24 and 192.168.6.0/24 # respectively. # net.inet.carp.preempt must be enabled (set to 1) for this to work correctly. # Uncomment one of the following lines to force primary/backup status. # init state primary # init-state backup carp_up = "((carp0 link up) and (carp1 link up))" carp_down = "((! carp0 link up) and (! carp1 link up))" carp_sync = "((carp0 link up and carp1 link up) or \ ((!carp0 link up) and (!carp1 link up)))" # The "net" addresses are other addresses which can be used to determine # whether we have connectivity. Make sure the hosts are always up, or # test multiple ip's, 'or'-ing the tests. net = '( "ping -q -c 1 -w 1 192.168.6.8 > /dev/null" every 10 and \ "ping -q -c 1 -w 1 192.168.3.8 > /dev/null" every 10)' # The peer addresses below are the real ip addresses of the OTHER firewall peer = '( "ping -q -c 1 -w 1 192.168.6.7 > /dev/null" every 10 and \ "ping -q -c 1 -w 1 192.168.3.7 > /dev/null" every 10)' state auto { if $carp_up { set-state primary } if $carp_down { set-state backup } } state primary { init { run "ifconfig carp0 advskew 10" run "ifconfig carp1 advskew 10" } if ! $net { set-state demoted } } state demoted { init { run "ifconfig carp0 advskew 254" run "ifconfig carp1 advskew 254" } if $net { set-state primary } } state promoted { init { run "ifconfig carp0 advskew 0" run "ifconfig carp1 advskew 0" } if $peer or ! $net { set-state backup } } state backup { init { run "ifconfig carp0 advskew 100" run "ifconfig carp1 advskew 100" } # The "sleep 5" below is a hack to dampen the $carp_sync when we come # out of promoted state. Thinking about the correct fix... if ! $carp_sync and $net and "sleep 5" every 10 { if (! $carp_sync) and $net { set-state promoted } } }