Hi,

On Tue, 07 Dec 2010 21:15:13 -0700 Devin Reade <g...@gno.org> wrote:

> I understand (from pf.conf(5)) what no-sync is supposed to do, however
> the only example I've seen of it in use is on the pfsync and carp
> examples in pfsync(4).
>
> I was wondering if anyone had some advice on some specific examples of
> when the use of no-sync is appropriate, specifically in a two-node
> firewall cluster that uses pfsync. Assume that there are DMZ and
> internal network segments, some of which are routable and some of
> which are NAT'd private space. Further assume that some services
> are hosted from the firewall nodes themselves.
>
> I understand that most pf rules under these circumstances would *not*
> use no-sync, but it's not clear if there's anything other than
> pfsync/carp that should/might.

In my understanding any connection made to the firewall's own address or service (so not through the firewall, not a NATed or redirected one) should be no-sync'ed, because that connection would simply be invalid when the carp master changes.

-- 
Greetings
Rafal Bisingier
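The following pf.conf fragment is an added illustration of the point made in the reply above; it is not code from either poster. It shows a ruleset for the two-node cluster described in the question, with `no-sync` on the pfsync/carp rules (as in pfsync(4)) and on the rules for services hosted on the firewall nodes themselves, while transit traffic keeps the default synchronised state. All interface names, networks and service ports are assumed for the example, and the `match ... nat-to` form assumes OpenBSD 4.7 or later syntax.

```pf
# Hypothetical two-node pfsync/carp cluster. Interface names, networks
# and ports are assumptions for this example, not from the thread.

ext_if  = "em0"              # physical external interface
int_if  = "em1"              # physical internal interface
dmz_if  = "em2"              # physical DMZ interface
sync_if = "em3"              # dedicated pfsync link between the two nodes
int_net = "192.168.10.0/24"  # NAT'd private internal segment
dmz_net = "192.0.2.0/24"     # routable DMZ segment (TEST-NET-1, for illustration)

# pfsync and carp traffic itself: per the pfsync(4) examples these states
# are never synchronised; the peer has no use for them.
pass quick on $sync_if proto pfsync keep state (no-sync)
pass on { $ext_if $int_if $dmz_if } proto carp keep state (no-sync)

# Services terminating on the firewall nodes themselves (admin ssh, a DNS
# resolver for the internal segment).  The TCP/UDP socket exists only in
# the kernel of the node that accepted the connection, so the pf state is
# useless on the peer after a carp failover: mark it no-sync.  "self"
# matches every address of the host, including its carp addresses.
pass in on $int_if proto tcp from $int_net to self port ssh keep state (no-sync)
pass in on $int_if proto { tcp udp } from $int_net to self port domain keep state (no-sync)

# Traffic that transits the firewall, whether routed or NAT'd, keeps the
# default synchronised state so established sessions survive a failover.
match out on $ext_if from $int_net to any nat-to ($ext_if)
pass out on $ext_if from { $int_net $dmz_net } to any keep state
pass in on $ext_if proto tcp from any to $dmz_net port { www https } keep state
```

A state created by a `no-sync` rule is excluded both from the incremental pfsync updates and from the bulk transfer a rejoining node requests, so only traffic whose endpoint really is the local kernel belongs in that category; a service reached through a redirect to a DMZ host is transit traffic and should stay synchronised.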