On Mon, May 08, 2006 at 05:58:08PM +0300, Hisham Mardam Bey wrote:

> Can this be achieved using pfsync? If so, what do I need to do to get
> this working? If not, can pfsync be extended to allow for this or
> should we look into something different altogether?

This currently won't work. pfsync only synchronizes state table
entries, not rules. Since the firewalls can have different rules, no
attempt is made to associate a state entry with a particular rule of the
recipient's ruleset. Instead, such state entries are associated with
the default pass rule.

Because of that, many rule options (like source tracking in your case)
are lost on the recipient node. Both firewalls would insert the other's
state entries, but those would not be counted towards the limit.

Ryan had plans to work on this, but I don't know about any progress.
It's not something trivial, and may only work with completely equal
rulesets (or at least well-defined mappings between rules on both nodes).

Even if it did work, in your case it's not clear whether this would be a
good idea. If you synchronize state entries for the sole purpose of
increasing source tracking counters, you still get fully functional
state entries on the recipient, with all the implications, i.e. those
states would ALSO allow traffic on the recipient, which may or may not
be a problem.

Also, the limit would never be perfectly precise. Say there is one
connection left to be opened, and both firewalls get one new connection
at the same time. There is no (networked!) locking or such, so they
would just both create a state entry, sync them, and end up exceeding
the limit by one.

If somewhat imprecise limits are acceptable, the most simple solution is
to only guarantee

  X + Y <= 2*N

by limiting both firewalls to N connections. You guarantee the client N
connections (no matter where they flow through), and count the
difference between N and 2*N as imprecision. That might sound awfully
imprecise at first, but in most cases, is good enough.

Maybe you can explain why you need precisely N, what value N would
typically have, and why 2*N would be unacceptable.

Daniel
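The following toy model, added here and not part of the thread or of pf/pfsync, illustrates the two points above: with pfsync as described (synced states hang off the default pass rule, so they do not count toward the limit) each node enforces N on its own and the global total is only bounded by 2*N; with a hypothetical rule-aware sync that does count peer states, two connections arriving at both nodes between sync rounds still exceed N by one because there is no networked lock. Node names, connection ids and arrival rounds are constructed for the example.

```python
class Node:
    """One firewall enforcing a per-source limit N on states it tracks."""

    def __init__(self, name, limit, count_synced):
        self.name = name
        self.limit = limit
        # False: current pfsync behaviour, peer states are not counted.
        # True: hypothetical rule-aware sync, peer states are counted.
        self.count_synced = count_synced
        self.local = set()    # states this node created itself (always counted)
        self.synced = set()   # states learned from the peer via pfsync

    def tracked(self):
        extra = len(self.synced) if self.count_synced else 0
        return len(self.local) + extra

    def accept(self, conn_id):
        """Admit a new connection only if the tracked count is below N."""
        if self.tracked() >= self.limit:
            return False
        self.local.add(conn_id)
        return True

    def learn(self, conn_id):
        """Receive a peer's state entry; never double-count our own."""
        if conn_id not in self.local:
            self.synced.add(conn_id)


def sync(a, b):
    """One pfsync exchange: each node learns the other's local states."""
    for c in list(a.local):
        b.learn(c)
    for c in list(b.local):
        a.learn(c)


def run(limit, rounds, count_synced):
    """rounds: list of batches; each batch lists the node indexes (0 or 1)
    that see a new connection in the same instant, i.e. before any sync.
    Returns the total number of connections admitted across both nodes."""
    nodes = [Node("fw0", limit, count_synced), Node("fw1", limit, count_synced)]
    accepted, next_id = 0, 0
    for batch in rounds:
        for idx in batch:
            next_id += 1
            if nodes[idx].accept(next_id):
                accepted += 1
        sync(nodes[0], nodes[1])   # no lock: admission happened before this
    return accepted
```

With N=3, alternating single arrivals admit 6 connections when peer states are not counted (the 2*N bound) and 3 when they are; a simultaneous arrival at both nodes with rule-aware sync admits 4, one over N.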
