Giancarlo Razzolini <[EMAIL PROTECTED]> wrote:
> Hi all,
> [.. cut ..]
> Then, when I put the sticky-address in the main firewall, strange
> things happened. The source-tracking states were created, but the
> machines, sometimes, were directed to the other link, not the one in the
> source-track. For example, when pinging an external address from an
> internal machine, the initial source track directed it to one of the
> links. The packets went right. Then, if I stopped the ping, and tried it
> again, the packets were directed to the other link. I confirmed this
> with tcpdump on the firewall's interfaces.
> [.. cut ..]
Did you try to read the man page pf.conf(5)?
I'm pasting the related paragraph below.
Additionally, the sticky-address option can be specified to help ensure
that multiple connections from the same source are mapped to the same
redirection address. This option can be used with the random and
round-robin pool options. Note that by default these associations are
destroyed as soon as there are no longer states which refer to them; in
order to make the mappings last beyond the lifetime of the states,
increase the global options with set timeout source-track
See STATEFUL TRACKING OPTIONS for more ways to control the source
tracking.
So setting the "src.track" timeout to a sane value (say 320 or 640 seconds)
will make things work as expected.
Reading man pages from head-to-toe will sharpen your skills and decrease
your mail traffic.
bdd
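As an added example, not part of the original thread or of the pf documentation, here is a minimal pf.conf fragment showing the two pieces the reply refers to together: an outbound round-robin route-to rule with sticky-address, and a global src.track timeout long enough that the source-tracking entry outlives a pause between connections. Interface names, gateway addresses, the LAN prefix and the 600-second value are assumptions chosen for illustration; adjust them to your own setup.

```pf
# Added example (not from the original thread). Names and addresses are
# assumptions for illustration only.
ext_if1 = "em0"
ext_if2 = "em1"
int_if  = "em2"
gw1     = "192.0.2.1"
gw2     = "198.51.100.1"
lan_net = "10.0.0.0/24"

# Without this, the source-tracking entry is dropped as soon as the last
# state that refers to it expires, so a host that pauses and reconnects is
# handed to the next link by round-robin. Keep the entry for 10 minutes.
# Options must precede the translation and filter rules.
set timeout src.track 600

# Source NAT on each uplink.
nat on $ext_if1 from $lan_net to any -> ($ext_if1)
nat on $ext_if2 from $lan_net to any -> ($ext_if2)

# Pick an uplink per source address and stick to it while the
# source-tracking entry exists.
pass in on $int_if route-to { ($ext_if1 $gw1), ($ext_if2 $gw2) } \
    round-robin sticky-address from $lan_net to any keep state

# Traffic the kernel routing table would send out the wrong uplink is
# steered back to the interface whose address it carries.
pass out on $ext_if1 route-to ($ext_if2 $gw2) from ($ext_if2) to any
pass out on $ext_if2 route-to ($ext_if1 $gw1) from ($ext_if1) to any
```

After loading the rules, `pfctl -s timeouts` shows the effective src.track value and `pfctl -s Sources` lists the source-tracking entries with the uplink each source was mapped to; an entry that persists after the matching state has gone from `pfctl -s state` is the behaviour the reply describes.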