Hi Claudio,
This makes sense in terms of protecting the firewall hosts and is useful:
> If not I would normally use something like:
> set block-policy drop
>
> pass no state
> block all to <self>
> pass in proto tcp from <allowed> to <self> port { bgp ssh }
> # more rules using to <self> here
> # locally initiated connections should establish state
> pass out ! received-on any
...however, you don't explain how you would do VLANs behind these hosts.
With ICMP, it can be allowed, so I can use `no state`. However, with TCP/UDP,
some state tracking is required to allow replies. This is what I'm
struggling with: the best way to achieve that.
> pfsync(4) is at best eventually consistent and it is not fast enough to
> handle asymmetric routing. Sure there is the option to defer packets until
> after a state has been synced but that is a band-aid introducing additional
> delays in all connections.
Yes... this is something I'm now starting to hit.
When I first set up pfsync, it all seemed fine. I am using defer, and there was
a pause while it created/synced the state, and it seemed to work as intended.
However, now I am seeing things like the first few packets missing on some
pings, etc., which is not ideal.
Thanks,
Ian
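The quoted ruleset written out as a complete, loadable pf.conf, added here as an example and not Claudio's or Ian's configuration. The two table definitions and the stateless ICMP rule are assumptions (the `<allowed>` prefix is a constructed documentation range); the rest is the quoted ruleset with comments on what each line does.

```pf
# Added example: the quoted firewall-host ruleset as a complete pf.conf.
# Assumed table contents: <self> via the pf keyword self (the host's own
# addresses), <allowed> a constructed management/peer prefix.
set block-policy drop
table <self> const { self }
table <allowed> const { 192.0.2.0/24 }

# Forwarded traffic is passed without creating state, so a reply that
# comes back through the other firewall is not dropped for lack of a
# state entry (the asymmetric-routing case pfsync cannot keep up with).
pass no state

# Nothing reaches the firewall itself unless a later rule passes it
# (last matching rule wins, so the rules below override this one).
block all to <self>

# Sessions to the host itself: TCP/UDP replies need a state entry, so
# these rules keep state (the default) rather than using no state.
pass in proto tcp from <allowed> to <self> port { bgp ssh }
# more rules using to <self> here

# Echo requests to the host can be stateless (assumption: echoreq only);
# the echo reply has a destination other than <self>, so it leaves via
# the stateless pass above.
pass in inet proto icmp from <allowed> to <self> icmp-type echoreq no state

# Packets not received on any interface are locally generated; they
# create state so that replies to locally initiated connections pass.
pass out ! received-on any
```

Parse it without loading (`pfctl -nf /etc/pf.conf`) before putting it on a live firewall.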