2012/6/29 Matt Hamilton <ma...@netsight.co.uk>:
> Hi All,
>
> Does pfsync require firewalls to have the same firewall rules on all
> hosts in the sync group? May seem an odd thing to ask, but I have a
> situation in which I have two firewalls on different sides of my
> network, each one connected to a different external
> network. Occasionally due to BGP weights etc we might get asymmetric
> packet flow and packets come into our network via one firewall and out
> via the other. This is a problem for pf's state system and the only
> way I've been able to work around it is to not keep state at all --
> obviously not a great idea.

Hi.
pfsync only synchronizes states. Which rules created them is
irrelevant. If you have a PI address space, you're probably fine.
Don't forget to provide a stable and possibly separate link between
the routers, IPsec tunnel or a VLAN, or don't rely on multicast and
set syncpeers. On an open network it can sometimes bite, which is
probably caused by others using similar multicast addresses, or I
don't know.

> But, I was wondering... could I use pfsync to sync states across from
> one side of the network to the other? Do pfsync packets contain
> reference to the firewall rule number or specific interface? Or does
> it just have information specific to the packet itself (ie, src
> address, dst address, sequence numbers etc)?

http://www.openbsd.org/cgi-bin/cvsweb/src/sys/net/if_pfsync.h?rev=1.44

struct pfsync_upd_c {
        u_int64_t                       id;
        struct pfsync_state_peer        src;
        struct pfsync_state_peer        dst;
        u_int32_t                       creatorid;
        u_int32_t                       expire;
        u_int8_t                        timeout;
        u_int8_t                        state_flags;
        u_int8_t                        _pad[2];
} __packed;

Imagine what would you gain if you forced people to use the same rules
or even the same interface names. These are completely separate
things.

-- 
Martin Pelikan
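An added configuration example, not part of the thread above, showing on OpenBSD the setup the reply recommends: pfsync over a dedicated link with an explicit unicast syncpeer instead of multicast, pf rules that pass pfsync on that link only, and floating states so a state created by one firewall is matched on the other firewall's interfaces regardless of rule or interface names. Interface names and the 192.0.2.x addresses are assumptions. The `defer` option makes the firewall hold the packet that creates a state until the peer has acknowledged the state, which is the caveat that matters for the asymmetric flow described in the question (the reply may otherwise reach the other firewall before the state does).

```conf
# /etc/hostname.pfsync0 on firewall A (constructed example; interface names and addresses assumed)
# syncdev: the dedicated link to the peer.  syncpeer: unicast to the peer instead of multicast.
# defer: delay the state-creating packet until the peer acknowledges the new state.
up syncdev em2 syncpeer 192.0.2.2 defer

# /etc/pf.conf, relevant parts, identical on both firewalls
sync_if = "em2"

# states are not bound to the interface that created them (OpenBSD default, stated explicitly)
set state-policy floating

# only the sync link carries pfsync traffic; nothing else is accepted on it
pass quick on $sync_if proto pfsync
block in on $sync_if
```

On firewall B the `hostname.pfsync0` line is the mirror image with `syncpeer 192.0.2.1`. Nothing here references a rule number, which matches the point made above: the synchronized state carries the addresses, sequence numbers, timeout and creator id, so the two rule sets can differ as long as the packet would be accepted somewhere and the state matches on whichever box sees the reply.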
