You could try using sloppy states like Henning suggested. You'll still get to 
write stateful rules and get the TCP state machine checks, but not the TCP 
window checks.

If it works with sloppy states, it narrows the issue down to the pfsync state 
merge code. At the moment I'm kind of guessing that's where the problem is.

dlg

On 05/07/2013, at 5:30 AM, Loïc BLOT <loic.b...@unix-experience.fr> wrote:

> Hello all,
> thanks for this interesting debate about pf syncing.
> To recall my initial question:
> 
> pfsync seems to sync states, but not correctly on my BGP+OSPF routers.
> Because each BGP router is master/standby to 2 neighbors (full-meshed
> BGP), packets which go out through one router can come in through the other
> router, so if I want to use pf as a stateful firewall I must use
> pfsync to sync created states from router A to router B.
> 
> If you tell me it's not possible, then I will use pf as a stateless
> firewall.
> 
> --
> Best regards,
> Loïc BLOT,
> UNIX systems, security and network expert
> http://www.unix-experience.fr
> 
> 
> On Thursday, 04 July 2013 at 13:17 -0500, Mark Felder wrote:
>> My apologies for just being noise; I missed his first full post with
>> much more detail. I was picturing him trying to run redundant servers
>> without CARP and running into issues of states disappearing.
> 
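The suggestion above (keep the rules stateful, but switch the TCP tracker to sloppy so a reply that enters through the other BGP router is not dropped by the window checks) can be expressed as a pf.conf fragment. This is an added example, not configuration posted by anyone in the thread; the interface names (em0/em1/em2), the LAN prefix and the port are assumed, and the pfsync options shown are the ones documented in OpenBSD's pf.conf(5), pfsync(4) and ifconfig(8).

```pf
# /etc/pf.conf fragment (added example, not from the thread).
# Assumed layout: em0 = uplink towards the BGP peers, em1 = LAN,
# em2 = dedicated back-to-back link carrying pfsync between router A and B.
ext_if  = "em0"
lan_if  = "em1"
sync_if = "em2"
lan_net = "192.0.2.0/24"     # constructed example prefix

# Bring up the sync interface in /etc/hostname.pfsync0 (not part of pf.conf):
#   up syncdev em2
# Optionally add "defer" so the first packet of a new state is held until the
# peer has acknowledged the state; this closes the race where the reply reaches
# the other router before the pfsync update does.

# Let the replication traffic itself through on the sync link only, and do not
# try to replicate states about the replication traffic.
pass quick on $sync_if proto pfsync keep state (no-sync)

# Strict tracker (the default): the peer only holds the merged copy of the
# state, so sequence/window checks can fail when the return path is the other
# router. Kept here, commented out, as the "before" form.
#pass out on $ext_if proto tcp from $lan_net to any keep state
#pass in  on $ext_if proto tcp from any to $lan_net port 443 keep state

# Sloppy tracker: the rules stay stateful and the TCP state machine is still
# enforced, but the window/sequence checks that break under asymmetric routing
# are skipped for these states.
pass out on $ext_if proto tcp from $lan_net to any keep state (sloppy)
pass in  on $ext_if proto tcp from any to $lan_net port 443 keep state (sloppy)

# Non-TCP traffic has no window to check, so it needs no special tracker.
pass on $ext_if proto { udp, icmp } from $lan_net to any keep state
```

The trade-off of `sloppy` is that pf no longer rejects TCP segments whose sequence numbers fall outside the tracked window, so limit it to the rules that actually see the asymmetric path rather than applying it globally. If the connections that fail with the strict tracker succeed with `sloppy`, that supports the diagnosis in the reply above: the states are being replicated, and the discrepancy lies in how the window information is merged on the receiving router.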
