On 2012/04/23 11:49, Kyle Lanclos wrote:
> In order for our firewall to operate effectively, we use 'keep state'
> pf rules. We empirically determined that we must have CARP preemption
> enabled, otherwise pf cannot properly establish state for new TCP
> connections. If pfsync could be told to synchronize incomplete states,
> this issue might go away.

pfsync(4)'s "defer" option might help. there is a penalty but it might
be acceptable for your use case.

     Where more than one firewall might actively handle packets, e.g. with
     certain ospfd(8), bgpd(8) or carp(4) configurations, it is beneficial to
     defer transmission of the initial packet of a connection.  The pfsync
     state insert message is sent immediately; the packet is queued until
     either this message is acknowledged by another system, or a timeout has
     expired.  This behaviour is enabled with the defer parameter to

Reply via email to