On 2012/04/23 11:49, Kyle Lanclos wrote:
> In order for our firewall to operate effectively, we use 'keep state'
> pf rules. We empirically determined that we must have CARP preemption
> enabled, otherwise pf cannot properly establish state for new TCP
> connections. If pfsync could be told to synchronize incomplete states,
> this issue might go away.
pfsync(4)'s "defer" option might help. There is a penalty, but it might be acceptable for your use case. From the man page:

    Where more than one firewall might actively handle packets, e.g. with
    certain ospfd(8), bgpd(8) or carp(4) configurations, it is beneficial
    to defer transmission of the initial packet of a connection. The
    pfsync state insert message is sent immediately; the packet is queued
    until either this message is acknowledged by another system, or a
    timeout has expired. This behaviour is enabled with the defer
    parameter to ifconfig(8).