I put no-sync on connections that are specific to a firewall. For example, there is no point syncing states for TCP connections that have one end terminated on the firewall, so on my firewalls I put no-sync on connections going to and from relayd. If you have a network on one firewall but not the other, there isn't much point syncing states to/from that network either.
cheers,
dlg

On 08/12/2010, at 2:15 PM, Devin Reade wrote:

> I understand (from pf.conf(5)) what no-sync is supposed to do, however
> the only example I've seen of it in use is on the pfsync and carp
> examples in pfsync(4).
>
> I was wondering if anyone had some advice on some specific examples of
> when the use of no-sync is appropriate, specifically in a two-node
> firewall cluster that uses pfsync. Assume that there are DMZ and
> internal network segments, some of which are routable and some of
> which are NAT'd private space. Further assume that some services
> are hosted from the firewall nodes themselves.
>
> I understand that most pf rules under these circumstances would *not*
> use no-sync, but it's not clear if there's anything other than
> pfsync/carp that should/might.
>
> Thanks in advance.
>
> Devin
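The cases described in the reply above, written out as a pf.conf fragment. This is an added example, not part of the thread or of the pfsync(4) examples; interface names, addresses, ports and the table of relayd backends are constructed placeholders. The first two rules are the pfsync/carp pattern the question already refers to; the rest apply `no-sync` to the firewall-terminated and single-node-only traffic the reply names, while everything else keeps the default and is replicated to the peer.

```pf
# Added example, not from the thread. Interfaces and networks are constructed.
ext_if  = "em0"          # external, shared via carp
dmz_if  = "em1"          # DMZ, shared via carp
sync_if = "em2"          # dedicated pfsync link between the two nodes
local_only_net = "192.168.50.0/24"   # assumed: a network attached to this node only
table <relayd_backends> { 10.0.1.10 10.0.1.11 }   # constructed backend pool

# 1. Cluster plumbing: pfsync and carp never need their own state replicated
pass quick on $sync_if proto pfsync keep state (no-sync)
pass on { $ext_if, $dmz_if } proto carp keep state (no-sync)

# 2. Connections with one end on this firewall (relayd here): the peer cannot
#    take over a TCP session terminated on this host, so syncing is wasted
#    pfsync traffic and state-table space on the peer.
#    Client -> relayd listener on this node's address:
pass in on $ext_if inet proto tcp to ($ext_if) port { 80 443 } \
    keep state (no-sync)
#    relayd on this node -> backends:
pass out on $dmz_if inet proto tcp from ($dmz_if) \
    to <relayd_backends> port 8080 keep state (no-sync)

# 3. A network that exists behind this node only: the peer has no interface
#    or route for it, so replicated states would never be used there.
pass on $dmz_if from $local_only_net keep state (no-sync)
pass on $dmz_if to $local_only_net keep state (no-sync)

# 4. Everything that traverses both nodes symmetrically keeps the default
#    (synced) state behaviour so failover is transparent, e.g. NAT'd hosts:
pass out on $ext_if inet from 10.0.0.0/8 nat-to ($ext_if) keep state
```

Check which rules are actually excluded from replication with `pfctl -vs rules` (the `no-sync` option is printed with each rule that carries it) and compare `pfctl -s states` on both nodes: states for the firewall-terminated and single-node traffic should appear only on the node that created them.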