Re: carp with different versions of OpenBSD
> is it possible to have a dual firewall setup with carp using (temporarily) 2 different versions of OpenBSD? I have to set up some new firewalls and upgrade the old ones and I'd like to keep redundancy while upgrading, but during the process some firewalls will run 5.0, some still the old version.

carp and pfsync compatibility between releases is poor. There is some effort put into allowing an advance from one release to another, but anything further is probably going to fail. But there are also efforts to improve carp and pfsync, so...
Re: carp with different versions of OpenBSD
* rik rikc...@gmail.com [2011-12-06 21:40]:
> is it possible to have a dual firewall setup with carp using (temporarily) 2 different versions of OpenBSD? I have to set up some new firewalls and upgrade the old ones and I'd like to keep redundancy while upgrading, but during the process some firewalls will run 5.0, some still the old version.

in general that works as long as all of these are true:
1) the two are just one release apart, all bets off if more
2) the upgradeXX.html doesn't mention an incompatibility
3) we didn't screw up

that is the pfsync centric view. carp's on-the-wire format hasn't changed in ages.

--
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
Re: carp with different versions of OpenBSD
Hi all,

thanks for your replies and your help. I did try yesterday and today on some test boxes and it looks to be working pretty well between a very old version (3.9) and the most recent one (5.0). I just had problems with states for a few minutes (increasing up to 10k until I flushed them, but it could be a problem with my pf.conf due to the big differences between the two versions of pf). My setup is not that complex and neither are the pf rules (approx 300 rows); I think I'll run the upgrade in the production env, creating a simple pf.conf on purpose that doesn't use states.

Thanks again for your support and the great work (you definitely didn't screw it up :) )

Alessandro

On Thu, Dec 8, 2011 at 6:01 PM, Henning Brauer lists-open...@bsws.de wrote:
> * rik rikc...@gmail.com [2011-12-06 21:40]:
> > is it possible to have a dual firewall setup with carp using (temporarily) 2 different versions of OpenBSD? I have to set up some new firewalls and upgrade the old ones and I'd like to keep redundancy while upgrading, but during the process some firewalls will run 5.0, some still the old version.
>
> in general that works as long as all of these are true:
> 1) the two are just one release apart, all bets off if more
> 2) the upgradeXX.html doesn't mention an incompatibility
> 3) we didn't screw up
>
> that is the pfsync centric view. carp's on-the-wire format hasn't changed in ages.
>
> --
> Henning Brauer, h...@bsws.de, henn...@openbsd.org
> BS Web Services, http://bsws.de, Full-Service ISP
> Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
> Henning Brauer Consulting, http://henningbrauer.com/
Re: carp with different versions of OpenBSD
On Thu, Dec 8, 2011 at 6:49 PM, rik rikc...@gmail.com wrote:
> Hi all,
>
> thanks for your replies and your help. I did try yesterday and today on some test boxes and it looks to be working pretty well between a very old version (3.9) and the most recent one (5.0). I just had problems with states for a few minutes (increasing up to 10k until I flushed them, but it could be a problem with my pf.conf due to the big differences between the two versions of pf). My setup is not that complex and neither are the pf rules (approx 300 rows); I think I'll run the upgrade in the production env, creating a simple pf.conf on purpose that doesn't use states.
>
> Thanks again for your support and the great work (you definitely didn't screw it up :) )
>
> Alessandro
>
> On Thu, Dec 8, 2011 at 6:01 PM, Henning Brauer lists-open...@bsws.de wrote:
> > * rik rikc...@gmail.com [2011-12-06 21:40]:
> > > is it possible to have a dual firewall setup with carp using (temporarily) 2 different versions of OpenBSD? I have to set up some new firewalls and upgrade the old ones and I'd like to keep redundancy while upgrading, but during the process some firewalls will run 5.0, some still the old version.
> >
> > in general that works as long as all of these are true:
> > 1) the two are just one release apart, all bets off if more
> > 2) the upgradeXX.html doesn't mention an incompatibility
> > 3) we didn't screw up
> >
> > that is the pfsync centric view. carp's on-the-wire format hasn't changed in ages.
> >
> > --
> > Henning Brauer, h...@bsws.de, henn...@openbsd.org
> > BS Web Services, http://bsws.de, Full-Service ISP
> > Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
> > Henning Brauer Consulting, http://henningbrauer.com/
carp with different versions of OpenBSD
Hi all,

is it possible to have a dual firewall setup with carp using (temporarily) 2 different versions of OpenBSD? I have to set up some new firewalls and upgrade the old ones and I'd like to keep redundancy while upgrading, but during the process some firewalls will run 5.0, some still the old version.

Thanks!

Alessandro