On Fri, Jun 29, 2012 at 01:20:49PM +0200, Martin Pelikan wrote:
> 2012/6/29 Matt Hamilton <ma...@netsight.co.uk>:
> > Does pfsync require firewalls to have the same firewall rules on all
> > hosts in the sync group?
>
> pfsync only synchronizes states. Which rules created them is
> irrelevant. 

This is absolutely incorrect (see below).


> > But, I was wondering... could I use pfsync to sync states across
> > from one side of the network to the other? 

How well this will work depends a lot on the nature of your traffic and
the latency between the two firewalls. You will probably need to use the
'defer' option for the pfsync interface, which will cause delays on
connection setup if the firewalls are too far apart.


> > Do pfsync packets contain reference to the firewall rule number or
> > specific interface? Or does it just have information specific to the
> > packet itself (ie, src address, dst address, sequence numbers etc)?

If the firewall rulesets are the same, pfsync will link the state
entries to the matching rules. This is necessary to get timeouts, max-*
limits and overload table behavior, per-rule src node tracking, etc. If
the rulesets are different, all states will be associated with the
'default' rule and as such will get the defaults for these items,
regardless of the options on the rule which matched when the state was
created.

It's not impossible to get the same ruleset across two very different
firewalls, though. As long as the general policy is the same, you can
probably make it work by using interface groups rather than the actual
interface names, and tables where IP addresses need to be different.


>
> http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/if_pfsync.h?rev=1.44
>
> struct pfsync_upd_c {

This is only used for state updates, state creations are done with
struct pfsync_state in pfvar.h.
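As an added illustration of the interface-groups-plus-tables approach described above (this is example configuration written for this note, not something posted in the thread): a pf.conf that can be loaded byte-for-byte identical on both pfsync peers, so every rule keeps the same index and synced states link to the right rule. It assumes each host puts its LAN, upstream and sync NICs into groups named "lan", "wan" and "sync" via /etc/hostname.<if>, that /etc/hostname.pfsync0 reads "up syncdev <if> defer", and that the per-host table files named below exist.

```conf
# Example pf.conf for two pfsync peers with different NIC names.
# Assumptions (set per host, outside this file):
#   /etc/hostname.em0:     ... group lan        (bge0 on the other host)
#   /etc/hostname.em1:     ... group wan
#   /etc/hostname.em2:     ... group sync
#   /etc/hostname.pfsync0: up syncdev em2 defer
# "defer" holds the first packet of a new connection until the peer has
# acknowledged the state, which is what adds latency over a long link.

# Site-specific addresses live in files, not in the ruleset text, so the
# text (and therefore every rule's index) is identical on both hosts.
table <lan_nets>    persist file "/etc/pf.lan_nets"     # e.g. 10.1.0.0/16 here, 10.2.0.0/16 there
table <admin_hosts> persist file "/etc/pf.admin_hosts"
table <bruteforce>  persist                             # filled by the overload rule below

# Never filter loopback, the pfsync pseudo-interface or the sync link.
set skip on { lo0 pfsync0 sync }

block log all

# Anything already flagged by the overload rule is dropped before any pass rule.
block in quick on wan from <bruteforce>

# Role names (groups) instead of em0/bge0, so the rule matches whichever NIC
# carries that role on a given host.
pass in  on lan from <lan_nets> to any
pass out on wan from <lan_nets> to any modulate state

# Per-rule state options. On the peer these are only honoured when the synced
# state is linked to this exact rule, i.e. when the rulesets are identical;
# with differing rulesets the state falls back to the default rule's settings.
pass in on wan proto tcp from <admin_hosts> to any port 22 \
    keep state (max-src-conn-rate 5/30, overload <bruteforce> flush global)
```

Check the result on both hosts with `pfctl -vnf /etc/pf.conf` (rule indices should match) and `pfctl -vvss`, which shows the rule number each state is bound to.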
