I have two routers in active/passive carp mode that share three pairs of carp interfaces:

    bge1 - DMZ
    em0  - ISP1
    em1  - ISP2

They are also syncing pf states over syncdev bge0. Both routers are in BGP sessions with two upstream providers (via /29 networks), and I am achieving graceful failover by means of bgpd.conf:

    ...
    network MY.NET.WO.RK/24 set nexthop <carp ip to isp1>
    network MY.NET.WO.RK/24 set nexthop <carp ip to isp2>
    ...

I noticed ssh login attempts to one of my DMZ servers even though this server is not in the table of hosts for which ssh login is permitted:

    $pass in on $if_isp1 inet proto tcp from any to <ssh> port ssh \
        modulate state \
        ( max-src-conn-rate 5/60, overload <badsshlogins> flush global) \
        set queue (isp1-run,isp1-ack)

Question #1: How can I troubleshoot this? Is it possible that some ancient state is keeping ssh to that host possible (e.g. if I enabled it in the past, and later reloaded pf.conf without flushing states)?

I have a source-track rule which should drop all traffic with any host that fails to log in 5 times over a 60-second period by dynamically updating <badsshlogins>, as I have:

    block log quick from <badsshlogins>
    block log quick to <badsshlogins>

...early in the ruleset.

Question #2: How come, even though table <badsshlogins> is filling up over time, I see some hosts violating this in the security logs of my DMZ servers but not being put in the <badsshlogins> table?

Question #3: <badsshlogins> on the 2nd firewall is empty. Can tables be synced like states, or do violators need to violate the rule on the 2nd firewall in order to have all traffic with them blocked?

Question #4: Is there a better way of connecting to 2 upstream providers with graceful failover ability?

Thank you in advance,

--
Marko Cupać
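For Questions #1 and #3, an added shell example (not from the original post) that parses the output of `pfctl -ss` and `pfctl -t badsshlogins -T show` to list peers holding an inbound ssh state to a DMZ host without being in the overload table; those are the states worth inspecting or killing. The DMZ address 203.0.113.10 and both sample outputs are constructed placeholders.

```shell
#!/bin/sh
# Constructed sample of `pfctl -ss` output (OpenBSD state-list format):
# <if> <proto> <dst>:<port> <- <src>:<port> <state>
SAMPLE_STATES='all tcp 203.0.113.10:22 <- 198.51.100.7:41234       ESTABLISHED:ESTABLISHED
all tcp 198.51.100.7:41234 -> 203.0.113.10:22       ESTABLISHED:ESTABLISHED
all tcp 203.0.113.10:443 <- 192.0.2.9:50012        ESTABLISHED:ESTABLISHED
all tcp 203.0.113.10:22 <- 192.0.2.55:60001       TIME_WAIT:TIME_WAIT'

# Constructed sample of `pfctl -t badsshlogins -T show` output.
SAMPLE_TABLE='   192.0.2.55
   198.51.100.200'

# ssh_peers_to HOST: read `pfctl -ss` output on stdin and print the remote
# address of every TCP state whose destination is HOST:22 ("<-" = inbound).
ssh_peers_to() {
    awk -v host="$1" '$2 == "tcp" && $3 == (host ":22") && $4 == "<-" {
        sub(/:[0-9]+$/, "", $5); print $5 }'
}

# unlisted_peers HOST STATES TABLE: peers with an ssh state to HOST that are
# not in the overload table. Each one is either a stale state that survived
# a rule reload, or a source that never tripped max-src-conn-rate on THIS
# firewall. pfsync replicates states but not table contents, so the passive
# router's <badsshlogins> stays empty unless the table is copied to it
# separately (e.g. `pfctl -t badsshlogins -T add -f <file>` on the peer).
unlisted_peers() {
    host="$1"; states="$2"; table="$3"
    printf '%s\n' "$states" | ssh_peers_to "$host" | sort -u | while read -r peer; do
        printf '%s\n' "$table" | awk '{print $1}' | grep -qxF "$peer" || echo "$peer"
    done
}

# On a live firewall, replace the sample with real output:
#   pfctl -ss | ssh_peers_to 203.0.113.10
#   unlisted_peers 203.0.113.10 "$(pfctl -ss)" "$(pfctl -t badsshlogins -T show)"
# and drop a stale state from a given source with `pfctl -k <peer>`.
unlisted_peers 203.0.113.10 "$SAMPLE_STATES" "$SAMPLE_TABLE"
```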
They are also syncing pf states over syncdev bge0. Both routers are in BGP sessions with two upstream providers (via /29 networks), and I am achieving graceful failover by means of bgpd.conf: ... network MY.NET.WO.RK/24 set nexthop <carp ip to isp1> network MY.NET.WO.RK/24 set nexthop <carp ip to isp2> ... I noticed ssh login attempts to one of my DMZ servers even though this server is not in table of hosts for which ssh login is permitted: $pass in on $if_isp1 inet proto tcp from any to <ssh> port ssh \ modulate state \ ( max-src-conn-rate 5/60, overload <badsshlogins> flush global) \ set queue (isp1-run,isp1-ack) Question #1: How can I troubleshoot this? Is it possible that some ancient state is keeping ssh to that host possible (eg. if I enabled it in past, and later reloaded pf.conf but without flushing states)? I have source track rule which should drop all traffic with any host that fails to login 5 times over 60 seconds period by dynamically updating <badsshlogins>, as I have: block log quick from <badsshlogins> block log quick to <badsshlogins> ...early in the ruleset. Question #2: how come that, even though table <badsshlogins> is filling up over time, I see some host violating this in security logs of my DMZ servers but not being put in <badsshlogins> table Question #3: <badsshlogins> on 2nd firewall is empty. Can they be synced like states, or violators need to violate the rule on 2nd firewall in order to have all the traffic with them blocked? Question #4: Is there a better way of connecting to 2 upstream providers with graceful failover ability? Thank you in advance, -- Marko Cupać