On 2011-04-09, James Chase <[email protected]> wrote:
> I have two OpenBSD 4.7 firewalls. I have tried to take them down to the
> most basic configuration possible in my pf.conf ruleset while still passing
> carp and state rule as suggested in the OpenBSD FAQ/Guide, however when I
> reboot the master, the backup does not seem to have kept any state since my
> SSH connections to the outside world die.
>
> I have used tcpdump on the pfsync device and I see packets flying from both
> firewalls, and I also added the "defer" option to pfsync since this seemed
> to require confirmation of the pf state packet being added to another
> firewall before the rule would be added to the master firewall. That seemed
> like a good idea.

Defer is only needed for active/active firewall clusters; using it when it's
not needed will slow down opening connections.

> Carp failover works fine.
>
> Here is my pfsync config from the master and backup:
>
> # cat /etc/hostname.pfsync0
> up syncdev vr2 defer

You can confirm whether the state is being transferred by looking at
pfctl -ss on both firewalls. (You can also do -ss -vv to see which firewall
the state was created on; creatorid matching hostid as shown in
"pfctl -si -v").

> Here is my pf.conf
>
> ext_if="vr0"
> int_if="vr1"
> pfsync_if="vr2"
> Lo_if="lo0"
>
> set skip on lo
>
> pass # to establish keep-state
>
> block in on ! lo0 proto tcp to port 6000:6010
>
> match out on $ext_if from $int_if:network to any nat-to ($ext_if)

This is a problem. The address on ext_if is tied to the current firewall;
you need to nat to an address which is handled by carp.
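The configuration below is an added illustration of the two points made in the reply, not something from either poster: it drops "defer" from pfsync0 for an active/passive pair and moves the NAT address from the physical vr0 address, which changes when the other firewall takes over, to the shared carp address, which the backup inherits on failover. The 192.0.2.x addresses, vhid, password and the ext_carp_addr macro are constructed placeholders; interface names are the ones from the original pf.conf.

```conf
# Added example (not from the thread): carp + pfsync pair that NATs behind
# the carp address rather than ($ext_if). Addresses, vhid and password are
# placeholders; adjust to the real network.

# /etc/hostname.carp0 on the master
# (the backup uses the same line with a higher advskew, e.g. advskew 100)
inet 192.0.2.1 255.255.255.0 192.0.2.255 vhid 1 carpdev vr0 pass CHANGEME advskew 0

# /etc/hostname.pfsync0 on both firewalls: no "defer" for an active/passive pair
up syncdev vr2

# /etc/pf.conf on both firewalls
ext_if="vr0"
int_if="vr1"
pfsync_if="vr2"
ext_carp_addr="192.0.2.1"      # the carp0 address; must match hostname.carp0

set skip on lo

pass                           # establish states for everything, as in the original

block in on ! lo0 proto tcp to port 6000:6010

# let carp advertisements and pfsync state updates through explicitly
pass on { $ext_if $int_if } proto carp
pass on $pfsync_if proto pfsync

# NAT to the carp address, not ($ext_if): states created with the carp
# address as their source stay valid after the backup takes that address over
match out on $ext_if from $int_if:network to any nat-to $ext_carp_addr
```

After loading this on both firewalls, compare pfctl -ss on each side: a state created on the master should appear on the backup with the carp address as its translated source, and it should still be listed there after the master is rebooted.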

