# $OpenBSD: ifstated.conf,v 1.3 2024/02/11 01:31:28 jsg Exp $
# This is a sample config for a pair of firewalls with three physical interfaces
#
# The two firewall interfaces are made redundant on each side using
# carp0 and carp1.
#
# A third interface em2 connects each firewall to the DMZ where it can
# reach a syslog server with the IP 192.168.1.10
#
# This config does two things:
#  1. Monitor the reachability of the syslog server and demote
#     the carp interface group to provoke a failover if the syslog server
#     is not reachable. We do that by using ping(1) and checking
#     the link state of em2.
#  2. Log carp failovers
#
# Every "run" string below is handed to a shell by ifstated(8) and runs
# with ifstated's privileges, so this file should be writable by root only.


# Macros for the link state of the DMZ-facing interface.
dmz_if_up = 'em2.link.up'
dmz_if_down = 'em2.link.down'

# External test: send one echo request, wait at most one second for the
# reply, and repeat the test every 10 seconds. The exit status of ping(1)
# is the result of the test.
# NOTE(review): a reply shows only that the host answers ICMP; it does not
# show that the syslog daemon on 192.168.1.10 is accepting messages.
syslog_ok = '"ping -q -c 1 -w 1 192.168.1.10 >/dev/null 2>&1" every 10'

# ifstated starts up with the first defined state
state neutral {
	# Either condition alone moves this firewall to the demoted state.
	# logger -s also copies the message to standard error; -t tags it
	# "ifstated".
	if $dmz_if_down {
		run "logger -st ifstated 'interface to syslog server em2 is down'"
		set-state demoted
	}
	if ! $syslog_ok {
		run "logger -st ifstated 'could not reach syslog server'"
		set-state demoted
	}
}

state demoted {
	# init runs each time this state is entered: raise the demotion
	# counter of the "carp" interface group by one so that the peer
	# takes over.
	# NOTE(review): the matching -carpdemote below runs only on the
	# transition back to neutral. Nothing in this file undoes the
	# demotion if ifstated is stopped or restarted while in this state;
	# check the group's demotion counter with ifconfig(8) after a restart.
	init {
		run "ifconfig -g carp carpdemote"
	}
	# Recover only when the link is up and the ping test succeeds again.
	if $dmz_if_up && $syslog_ok {
		run "logger -st ifstated 'syslog server is ok again'"
		# remove our carp demotion
		run "ifconfig -g carp -carpdemote"
		set-state neutral
	}
}

# commands in the global scope are always run
# For carp(4) interfaces, link.up means master and link.down means backup.
# Only carp0 is logged here; carp1 is presumably expected to follow, since
# the demotion above is applied to the whole carp group - confirm.
if carp0.link.up
	run "logger -st ifstated 'carp0 is master'"
if carp0.link.down
	run "logger -st ifstated 'carp0 is backup'"