On 07/12/2008 04:12:14 PM, Karl O. Pinc wrote:
Hi,

I've two firewalls configured to synchronize state with pfsync
and failover transparently.  The other day I was bringing
the firewalls up and down and was surprised to find that
when I did so some connections were dropped.

The one unusual thing about my configuration is that
I don't bring up pf with rc.conf.local.  Pf is
started in rc.local so that it starts after
the (secondary, local, caching) nameserver so that I can
use the dns names of my domain in pf.conf.

This is clearly going to cause a problem because
I also don't allow forwarding until after pf is up,
so as soon as the carp interfaces become master
the clients will start receiving icmp unreachable messages
in response to traffic.

Which brings me back to the question of how the demotion
counter works, so I can do something to use it to keep
the carp interfaces out of the master state until
pf is up and forwarding on.  It seems the demotion counter
is the tool for that task.  And, I'll be wanting
to keep the carp interfaces out of master until
pfsync has synchronized, so would appreciate help
regarding how to monitor pf's synchronization-ness.

Sorry for the long emails.  I figure better more info
than less.

Thanks for the help.

Karl <[EMAIL PROTECTED]>
Free Software:  "You don't pay back, you pay forward."
                 -- Robert A. Heinlein

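A sketch of the gating the message asks for, added here as an example; it is not code from the post and not OpenBSD's own scripts. It relies on two documented behaviours: `ifconfig -g carp carpdemote N` / `-carpdemote N` raise and lower the demote count of the `carp` interface group, and pfsync adds its own demotion to that group while its bulk update from the peer is in progress, releasing it when the update completes (confirm both in carp(4) and pfsync(4) for your release). Everything else is an assumption: the interface name `pfsync0`, the ruleset path, the value 50, the 120 s timeout, and the exact `ifconfig -g carp` output line the parser expects (`carp: carp demote count N`).

```shell
#!/bin/sh
# carp_gate.sh: keep this firewall's CARP interfaces demoted until pf is
# running, forwarding is on and the pfsync bulk update has finished.
# Added example, not from the original post. Interface names, paths and
# the demotion value below are placeholders, not values from the mail.

DEMOTE=50                # our own reservation on the carp group's demote count
PFSYNC_IF=pfsync0        # assumed pfsync interface name
PF_RULES=/etc/pf.conf    # assumed ruleset path
TIMEOUT=120              # seconds to wait for the bulk update before giving up

# Pull the number out of a line like "carp: carp demote count 51".
# Prints nothing if the line does not look like that (assumed format).
demote_count_from_line() {
    echo "$1" | sed -n 's/^carp: carp demote count \([0-9][0-9]*\).*/\1/p'
}

# Demote count of the carp group on this host right now.
current_demote() {
    demote_count_from_line "$(ifconfig -g carp)"
}

# pfsync holds an extra demotion on the carp group for as long as its bulk
# update runs, so the update is finished once the observed count is back
# down to what we reserved ourselves.
#   $1: observed count   $2: our reservation
bulk_update_done() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;     # unparsable output: treat as not done
    esac
    [ "$1" -le "$2" ]
}

# Poll until pfsync's demotion is gone, or give up after $TIMEOUT seconds.
wait_for_sync() {
    i=0
    while ! bulk_update_done "$(current_demote)" "$DEMOTE"; do
        i=$((i + 1))
        if [ "$i" -ge "$TIMEOUT" ]; then
            logger -t carp_gate "bulk update via $PFSYNC_IF not finished after ${TIMEOUT}s; releasing demotion anyway"
            return 1
        fi
        sleep 1
    done
    return 0
}

main() {
    # 1. demote first, so a ruleset-less box does not win an election
    ifconfig -g carp carpdemote "$DEMOTE"
    # 2. load the DNS-dependent ruleset and only then allow forwarding
    pfctl -e -f "$PF_RULES"
    sysctl net.inet.ip.forwarding=1
    # 3. wait for the state table to be filled from the peer
    wait_for_sync
    # 4. release our reservation; the interfaces may now become master
    ifconfig -g carp -carpdemote "$DEMOTE"
}

# The procedure only runs when invoked as `sh carp_gate.sh run`, e.g. from
# rc.local; sourcing or running the file with no argument just defines the
# functions above.
case "${1:-}" in
    run) main ;;
esac
```

Two things to check before relying on this. First, timing: by the time rc.local runs the carp interfaces are already up, and a backup that hears no master claims mastership after about three advertisement intervals, so a demotion applied this late may miss the window; a `!ifconfig -g carp carpdemote 50` line in the hostname.carpN file ahead of the address line (hostname.if(5) runs `!` lines in order) applies it before the interface is up. Second, the demote count only keeps this box from taking over if the peer is allowed to keep or take mastership from a demoted host, which depends on `net.inet.carp.preempt`; check carp(4) for the release in use. `ifconfig -g carp` shows the count at any time, which is also the simplest way to watch pfsync's bulk update by hand.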