In some mail from Stefan Sonnenberg-Carstens, sie said:
>
> So, do you think it might be better to use ipfilter than pf on OpenBSD in
> that case ?

My answer to that question is likely to be biased so I won't answer it.

> And the next question is, is it useful to have a wide spread (more than one
> IP subnet) servers to do load-balancing on ?

The answer to this is not so much "is it useful" but how have you built your environment with redundant things that need to be load balanced between? If they're already on the same subnet and consecutively numbered in a power-of-two range, you are fine. Anything that doesn't match that and you cannot meaningfully use pf, it seems.

I don't view the src-hash with rdr in pf as being sticky redirection at all. It might behave like that but in reality, I would hope that wasn't the design goal, just an artifact of being able to use src-hash with rdr rules whereas src-hash was designed for nat rules (and kind of makes sense there.)

Darren