Re: Advice on pf no-sync
Hi,

On Tue, 07 Dec 2010 21:15:13 -0700 Devin Reade wrote:
> I understand (from pf.conf(5)) what no-sync is supposed to do, however
> the only example I've seen of it in use is on the pfsync and carp
> examples in pfsync(4).
>
> I was wondering if anyone had some advice on some specific examples of
> when the use of no-sync is appropriate, specifically in a two-node
> firewall cluster that uses pfsync. Assume that there are DMZ and
> internal network segments, some of which are routable and some of
> which are NAT'd private space. Further assume that some services
> are hosted from the firewall nodes themselves.
>
> I understand that most pf rules under these circumstances would *not*
> use no-sync, but it's not clear if there's anything other than
> pfsync/carp that should/might.

In my understanding any connection made to the firewall's own address or service (so not through the firewall, not a NATed or redirected one) should be no-sync'ed, because that connection would simply be invalid when the carp master changes.

--
Greetings
Rafal Bisingier
Re: Advice on pf no-sync
i put no-sync on connections that are specific to a firewall. for example, there is no point syncing states for tcp connections that have one end terminated on the firewall, so on my firewalls i put no-sync on connections going to and from relayd.

if you have a network on one firewall but not the other, there isn't much point syncing states to/from that network either.

cheers,
dlg

On 08/12/2010, at 2:15 PM, Devin Reade wrote:
> I understand (from pf.conf(5)) what no-sync is supposed to do, however
> the only example I've seen of it in use is on the pfsync and carp
> examples in pfsync(4).
>
> I was wondering if anyone had some advice on some specific examples of
> when the use of no-sync is appropriate, specifically in a two-node
> firewall cluster that uses pfsync. Assume that there are DMZ and
> internal network segments, some of which are routable and some of
> which are NAT'd private space. Further assume that some services
> are hosted from the firewall nodes themselves.
>
> I understand that most pf rules under these circumstances would *not*
> use no-sync, but it's not clear if there's anything other than
> pfsync/carp that should/might.
>
> Thanks in advance.
>
> Devin
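Putting the two answers above together, here is a pf.conf fragment for one node of the two-node cluster. It is an added illustration, not configuration from either poster; interface names, the carp interface, the internal network, the local relayd listener and the management-only network are all assumed.

```pf
# Assumed names for this example (not from the thread)
ext_if   = "em0"
int_if   = "em1"
sync_if  = "em2"
mgmt_if  = "em3"       # network that exists on this node only
ext_carp = "carp0"     # shared address clients and NAT use
int_net  = "10.0.0.0/24"
relay_lo = "127.0.0.1" # relayd relay listening locally on port 8443

set skip on lo

# pfsync and carp themselves, as in the pfsync(4) example
pass quick on $sync_if proto pfsync keep state (no-sync)
pass on { $int_if, $ext_if } proto carp keep state (no-sync)

# Connections terminated on this node: the peer has no socket for them,
# so a replicated state would be dead weight after a carp failover
pass in on $int_if proto tcp to ($int_if) port ssh keep state (no-sync)
pass in on $ext_if proto tcp to ($ext_carp) port https \
    rdr-to $relay_lo port 8443 keep state (no-sync)
# relayd's own outbound connections to its backends, also local to this node
pass out on $int_if proto tcp from ($int_if) to $int_net port http \
    keep state (no-sync)

# Network present on only one node: nothing on the peer could use the state
pass on $mgmt_if keep state (no-sync)

# Traffic *through* the firewall is synced (the default) so that NATed
# sessions survive a failover
match out on $ext_if from $int_net nat-to ($ext_carp)
pass in on $int_if from $int_net keep state
pass out on $ext_if from $int_net keep state
```

A quick check: open an ssh session to the node itself and a NATed session through it, then run `pfctl -ss` on the peer; the NATed state should be listed there, the ssh state should not.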
Advice on pf no-sync
I understand (from pf.conf(5)) what no-sync is supposed to do, however the only example I've seen of it in use is on the pfsync and carp examples in pfsync(4).

I was wondering if anyone had some advice on some specific examples of when the use of no-sync is appropriate, specifically in a two-node firewall cluster that uses pfsync. Assume that there are DMZ and internal network segments, some of which are routable and some of which are NAT'd private space. Further assume that some services are hosted from the firewall nodes themselves.

I understand that most pf rules under these circumstances would *not* use no-sync, but it's not clear if there's anything other than pfsync/carp that should/might.

Thanks in advance.

Devin