On 5/31/12 6:37 PM, Nikos Vassiliadis wrote:
> On 5/31/2012 5:41 PM, Damien Fleuriot wrote:
>> Furthermore, when upgrading the CARP Master firewall, we need to plan
>> with the Project Manager a failover to the CARP Backup firewall.
>> Yes, I know about pfsync, yes, we use it, no, it doesn't *instantly*
>> sync sessions for PF.
>
> A bit offtopic on this thread, but isn't pfsync designed to do just
> that? instantly?
>
> With instantly I really mean:
> Communicate every change to the stable table to the other firewall
> in order to let the stateful connections survive a firewall failover.
> Obviously, some packets will be lost, but TCP connections should
> survive, right?
>
> I am not arguing, I ask.
>
> Nikos

Updates aren't instantaneous, they're sent in bundles.

This means that when you failover, you lose the connections that have
completed a SYN/SYNACK/ACK sequence on your main firewall but which
aren't synched on your backup.

These connections will continue with the peer sending regular non-syn
packets, which your backup-now-master PF will drop.


On topic, if anyone has an awesome idea around this, I'm all ears, this
exact topic is causing us some level of discomfort at work, when we need
to swap firewalls for updates.
_______________________________________________
freebsd-stable@free... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscribe@free..."