On Wed, Nov 9, 2011 at 5:24 AM, Nick Hilliard <nick@foobar.org> wrote:
> On 09/11/2011 12:22, Richard Kulawiec wrote:
>> You will find it very difficult to beat pf on OpenBSD for efficiency, features, flexibility, robustness, and security. Maintenance is very easy: edit a configuration file, reload, done.
> There are several areas where pf falls down. One is auto-synchronisation from primary to backup firewall (not really a pf problem, but it's important for production firewall systems).
I've found that this works decently well, via pfsync. It sends out multicast IP packets with multi-valued elements describing the state of the flows it has in its table. If you're having pf inspect TCP sequence numbers, there's a bit of a race condition in failover with frequently or fast-moving TCP streams. As the window of acceptable sequence numbers moves on the active firewall, they're slightly delayed in getting replicated to the backup(s) and installed in their state tables. Consequently, on failover, it's possible for some flows to get blocked and have to be re-created. I've hit this and dug into it recently, so if you're having a problem, I'd be happy to chat offlist.

Cheers,
jof
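The failover race jof describes, modelled as an added example (constructed illustration, not pf or pfsync code): an active firewall advances a per-flow sequence window on every segment, its state updates reach the backup only after a delay, and the segment arriving just after failover is checked against the backup's stale window. The window size, the delay in packets and the traffic are all constructed values.

```python
"""Constructed model of the pfsync sequence-window race (not pf code).

Each state tracks the next expected sequence number and accepts segments
up to WINDOW bytes ahead of it; a non-strict state skips the check.
"""
from collections import deque

WINDOW = 65535  # constructed: bytes accepted ahead of the tracked seq


class FirewallState:
    """One TCP state entry as a stateful packet filter might track it."""

    def __init__(self, seq, strict=True):
        self.seq = seq          # next expected sequence number
        self.strict = strict    # False models a state with no seq checking

    def accept(self, pkt_seq, length):
        """Return True if the segment fits the window; advance seq if so."""
        if self.strict and not (self.seq <= pkt_seq < self.seq + WINDOW):
            return False
        self.seq = max(self.seq, pkt_seq + length)
        return True


def simulate(segments, sync_delay, strict=True):
    """Replay a flow through the active firewall, replicating each state
    update to the backup only after `sync_delay` further packets, then fail
    over and inspect the last segment on the backup's stale copy.

    Returns (dropped_on_backup, active_seq, backup_seq)."""
    active = FirewallState(segments[0][0], strict)
    backup = FirewallState(segments[0][0], strict)
    pending = deque()                    # state updates still in flight
    for pkt_seq, length in segments[:-1]:
        assert active.accept(pkt_seq, length)
        pending.append(active.seq)       # update leaves on the sync link
        if len(pending) > sync_delay:    # the oldest one has now arrived
            backup.seq = pending.popleft()
    last_seq, last_len = segments[-1]    # failover: backup sees this one
    dropped = not backup.accept(last_seq, last_len)
    return dropped, active.seq, backup.seq


def fast_flow(n_segments, mss=1460, start=1000):
    """Constructed bulk transfer: back-to-back full-size segments."""
    return [(start + i * mss, mss) for i in range(n_segments)]
```

With a 100-segment burst and a 50-packet replication lag the backup's window trails by about 73 kB, so the first post-failover segment is rejected and the flow must be re-established; with no lag, or with sequence checking disabled (pf calls such states "sloppy"), it passes.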