Joe,

You can bind your reverse ftp-proxy to the carp addresses.

BTW, a problem you might eventually see is when the firewalls fail over.
Current connections to the ftp server will die when the backup firewall
takes over because it does not have ftp-proxy anchors from the first
firewall. The anchors are not pfsync states and thus are not transferred to
the backup firewall through pfsync.

But, if the users issue a reconnect to your ftp server after the firewall
fail over they will connect without issue.

--
 Calomel @ http://calomel.org
 Open Source Research and Reference
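
A sketch of the setup described above, added here as an illustration and not taken from either poster; the same configuration goes on both firewalls. The interface name, the CARP address 192.0.2.10 and the server address 10.0.0.21 are placeholder assumptions.

```conf
# --- /etc/rc.conf.local (identical on both firewalls) ---
# -R: reverse mode, fixed FTP server behind the firewall (placeholder address)
# -b: listen on the shared external CARP address (placeholder address)
# -p: listen on the standard FTP control port
ftpproxy_flags="-R 10.0.0.21 -p 21 -b 192.0.2.10"

# --- /etc/pf.conf fragment (OpenBSD 4.2 syntax, identical on both firewalls) ---
ext_if   = "em0"          # assumed external interface
ext_carp = "192.0.2.10"   # assumed external CARP address
ftp_srv  = "10.0.0.21"    # assumed internal FTP server

# Translation section: ftp-proxy inserts per-session rules under these anchors.
# The rules live only on the node whose ftp-proxy created them; pfsync does
# not copy them, so sessions in progress break on failover.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# Filter section
anchor "ftp-proxy/*"
# Control connections from clients to the proxy on the CARP address
pass in on $ext_if inet proto tcp from any to $ext_carp port 21
# Control connections from the proxy to the real FTP server
pass out inet proto tcp from any to $ftp_srv port 21
```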


On Wed, Mar 12, 2008 at 12:28:00PM +0000, Joe Warren-Meeks wrote:
>Hey chaps,
>
>I have a pair of OpenBSD firewalls running CARP
>
>$ uname -a
>OpenBSD ns-gs-fw2.host.nativ-systems.com 4.2 NS-GS-FW#0 i386
>
>They both have internal and external addresses and an internal carp and
>external carp address shared.
>
>Now, they are protecting an FTP server that I want to allow access to.
>Ideally, I'd have ftp-proxy bind to the CARP address, so that if there
>was a failover event, inbound ftp would still work. 
>
>Is this possible, or do I have to bind it to the real address and let
>inbound ftp fail in the event of a failover?
>
>
> -- joe.
>
>Have you seen the syrup on that bloke? Unreal.
