On 05/05/2011, at 10:27 PM, Kapetanakis Giannis wrote:

> On 05/05/11 13:37, David Gwynne wrote:
>> i do this on my firewalls sometimes:
>>
>> root@passive ~# ssh master pfctl -S /dev/stdout | pfctl -L /dev/stdin
>>
>> it's a bit faster...
>>
>> dlg
>
> I've tried your trick and it took just a second to copy the states.
> However it still took him > 10 minutes to show "pfsync bulk done" (75k states).
neither firewall knows you copied the states behind pfsync's back, so the master will keep sending them, and the backup will wait for the bulk update complete message. after the pfctl magic both firewalls will have the same states though, so you can fail over safely.

dlg