On 7/29/10, Ryan McBride <mcbr...@openbsd.org> wrote:
> On Wed, Jul 28, 2010 at 07:59:20PM -0700, Justin wrote:
> > Sadly this means scalability (adding multiple synproxy boxes) is not
> > possible, ...
>
> synproxy works by completing the 3-way handshake with the source first,
> then negotiating a separate 3-way handshake with the client. Because the
> negotiations are separate and the two endpoints have no direct knowledge
> of each other, the sequence numbers negotiated are different. PF
> handles translation between the different sets of sequence numbers, and
> has to be man-in-the-middle for every packet on the connection in order
> to do this translation.
Maybe the scalability issue raised there could be solved with CARP and pfsync, so there may be two (or more?) gateways?
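As an added illustration of the translation Ryan describes (this is a model written for this thread, not PF's code), here is the per-connection state a SYN proxy has to keep and how it rewrites seq/ack in each direction. It assumes the proxy answers the client with its own ISN, opens the server side with the client's ISN, and all ISN values below are constructed.

```python
# Model of the sequence-number translation a SYN proxy performs
# (added example, not PF source). Assumptions: the proxy answers the
# client's SYN with its own ISN, opens the server-side handshake with the
# client's ISN, then rewrites seq/ack on every packet so the two
# independently negotiated sequence spaces line up. Arithmetic is mod 2^32.
from dataclasses import dataclass

MASK32 = 0xFFFFFFFF


def _wrap(n):
    return n & MASK32


@dataclass
class SynProxyState:
    client_isn: int   # ISN the client chose in its SYN
    proxy_isn: int    # ISN the proxy answered the client with
    server_isn: int   # ISN the real server chose when the proxy connected

    @property
    def delta(self):
        # Offset between the server's sequence space and the space the
        # client believes the server is using. Without this value a second
        # box cannot translate the connection, which is the scaling problem.
        return _wrap(self.proxy_isn - self.server_isn)

    def server_to_client(self, seq, ack):
        # Server data is numbered from server_isn; the client expects
        # proxy_isn. Server ACKs refer to the client's own space, which the
        # proxy never altered, so they pass through unchanged.
        return _wrap(seq + self.delta), ack

    def client_to_server(self, seq, ack):
        # Client ACKs refer to proxy_isn; the server expects server_isn.
        return seq, _wrap(ack - self.delta)


def handshake_and_translate(client_isn, proxy_isn, server_isn):
    """Walk one data exchange in each direction through the proxy."""
    st = SynProxyState(client_isn, proxy_isn, server_isn)
    # Client's final handshake ACK (proxy_isn+1) forwarded to the server.
    _, ack_to_server = st.client_to_server(client_isn + 1, proxy_isn + 1)
    # Server sends 100 bytes starting at server_isn+1.
    seq_to_client, _ = st.server_to_client(server_isn + 1, client_isn + 1)
    # Client ACKs those 100 bytes in its view of the server's space.
    _, ack_after_data = st.client_to_server(client_isn + 1, proxy_isn + 101)
    return ack_to_server, seq_to_client, ack_after_data
```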