[pfsync w/o carp]

* Mark Felder <f...@feld.me> [2013-07-03 16:37]:
> First of all, the states of node 1 being synced to node 2 and vice
> versa is worthless because they have different IP addresses; the
> states won't match anything.

orly. have you actually LOOKED at your state table? pfctl -vvss to the rescue. a tcp connection from 81.209.180.1 to 129.128.5.194 cares about whether the intermediate firewall has 80.86.183.252 or 80.86.183.253 how exactly? how do bridges work at all? miracles all over the place!

> Secondly, you'll probably end up dealing with the nodes fighting
> each other as they sync back and forth. If a state from node1 is
> synced to node2 and node2 decides to expire that session because it
> hasn't been used it will tell node1 to remove that session as well.

sigh. this is completely wrong, too.

> I've never even attempted to set this up in a lab and I know
> nothing of the pfsync/pf code,

yeah, you made that obvious.

> but I assume

aha.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
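The point of the reply is that a pf state is keyed on the connection's own endpoints, so the same table entry matches on whichever node holds it. As an added example (not part of this thread, and not pf or pfsync code), here is a small Python parser over a constructed, `pfctl -vvss`-style state listing: the summary line format and the `id:`/`creatorid:` detail line are modelled on pfctl's verbose output, the addresses, ids and creatorids are made up, and the helper names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample modelled on `pfctl -vvss` output. Entries and addresses
# are made up for this example; the firewall's own address appears only as
# the NAT translation of the third entry, never as a state endpoint.
SAMPLE_STATE_TABLE = """\
all tcp 81.209.180.1:51234 -> 129.128.5.194:80       ESTABLISHED:ESTABLISHED
   age 00:01:02, expires in 23:59:01, 41:37 pkts, 5120:44032 bytes, rule 3
   id: 5a1b0c2d00000001 creatorid: b19c3e75
all udp 81.209.180.1:5353 -> 129.128.5.194:53       MULTIPLE:MULTIPLE
   id: 5a1b0c2d00000002 creatorid: b19c3e75
all tcp 10.0.0.23:40000 (80.86.183.252:61000) -> 129.128.5.194:443       ESTABLISHED:ESTABLISHED
   id: 5a1b0c2d00000003 creatorid: 0e77a4c1
"""

# Summary line: <iface> <proto> <src> [(<nat src>)] -> <dst> [(<nat dst>)]  <state>
STATE_LINE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)(?:\s+\((?P<nat_src>[^)]+)\))?\s+"
    r"(?P<direction>->|<-)\s+"
    r"(?P<dst>\S+)(?:\s+\((?P<nat_dst>[^)]+)\))?\s+"
    r"(?P<state>\S+)\s*$"
)
# Verbose detail line carrying the state id and the pfsync creator id.
ID_LINE = re.compile(r"^\s+id:\s*(?P<id>\S+)\s+creatorid:\s*(?P<creatorid>\S+)")


@dataclass
class PfState:
    iface: str
    proto: str
    src: str
    nat_src: Optional[str]
    direction: str
    dst: str
    nat_dst: Optional[str]
    state: str
    state_id: Optional[str] = None
    creatorid: Optional[str] = None

    def keys(self):
        """Both lookup keys a translated state answers to: the untranslated
        (stack side) endpoints and the translated (wire side) endpoints."""
        stack = (self.proto, self.src, self.dst)
        wire = (self.proto, self.nat_src or self.src, self.nat_dst or self.dst)
        return {stack, wire}


def parse_state_table(text: str) -> list:
    """Parse summary lines into PfState objects and attach id/creatorid
    from the detail line that follows each summary line."""
    states = []
    for line in text.splitlines():
        m = STATE_LINE.match(line)
        if m:
            states.append(PfState(**m.groupdict()))
            continue
        m = ID_LINE.match(line)
        if m and states:
            states[-1].state_id = m.group("id")
            states[-1].creatorid = m.group("creatorid")
    return states


def find_state(states, proto: str, src: str, dst: str) -> Optional[PfState]:
    """Match a packet's (proto, src, dst) against the table. Only the
    connection endpoints take part; which firewall holds the table is
    not an input, so a synced copy answers identically on the peer."""
    wanted = (proto, src, dst)
    for s in states:
        if wanted in s.keys():
            return s
    return None


def states_by_creator(states) -> dict:
    """Group entries by pfsync creatorid, i.e. by the node that created them."""
    groups = {}
    for s in states:
        groups.setdefault(s.creatorid, []).append(s)
    return groups


if __name__ == "__main__":
    table = parse_state_table(SAMPLE_STATE_TABLE)
    hit = find_state(table, "tcp", "81.209.180.1:51234", "129.128.5.194:80")
    print("match:", hit.state, "created by", hit.creatorid)
    for creator, entries in states_by_creator(table).items():
        print(creator, "owns", len(entries), "state(s)")
```

The `creatorid` grouping is the practical check to run on both nodes: with a working sync you see entries from both creator ids on each node, and a single connection looked up by its endpoints returns the same entry on either side.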