From: "kevin"
To: "'Damien Fleuriot'"
Cc: freebsd-pf@freebsd.org
Date: Wed, 16 Feb 2011 15:59:11 -0500
Subject: RE: Questions about PF + Multiple gateways + CARP on a public ip network
Message-ID: <017801cbce1c$5d99fc90$18cdf5b0$@com>
In-Reply-To: <4D5BF6FE.8090704@my.gd>
References: <00a401cbcd3d$fe313d10$fa93b730$@com> <4D5BD4E6.90605@my.gd> <00cf01cbcdf2$d54f6100$7fee2300$@com> <4D5BF6FE.8090704@my.gd>

> If you only have one gateway, then you have nothing to worry about for
> this part.
They provide a gateway address for each subnet they allocate to me -- which probably is assigned to the same device for them, but I would need to establish these rules in my FreeBSD firewall, correct?

> If you expect a lot of traffic, I recommend you do NOT use pfsync to
> synchronize existing sessions on the backup firewall.

Why not? Is this a generally accepted practice, not to use pfsync because of this? How much traffic is too much? The firewalls should average about 5,000 - 10,000 states on any given day, AFAIK. I'm more worried about failover than I am about states being kept, but it would be nice to utilize pfsync if it wouldn't be too risky.

Thanks,
Kevin
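For readers following the CARP + pfsync part of this thread, below is an added, constructed configuration sketch; it is not from this thread or from the FreeBSD project. It assumes FreeBSD 10 or later rc.conf syntax, and the interface names (em0/em1/em2), VHIDs, password and addresses are invented placeholders. The point it illustrates is that pfsync carries state data without authentication, so it is kept on a dedicated back-to-back link and filtered off every other interface, while CARP is allowed only where a shared address lives.

```conf
# /etc/rc.conf fragment on the primary firewall (constructed example)
# em0: upstream/public side, em1: inside, em2: crossover to the backup used only for pfsync
ifconfig_em0="inet 198.51.100.2/24"
ifconfig_em0_alias0="inet vhid 1 advskew 0 pass CARPSECRET alias 198.51.100.1/24"   # shared upstream address
ifconfig_em1="inet 192.0.2.2/24"
ifconfig_em1_alias0="inet vhid 2 advskew 0 pass CARPSECRET alias 192.0.2.1/24"      # shared inside address
ifconfig_em2="inet 10.255.255.1/30"          # private link, never routed
pf_enable="YES"
pfsync_enable="YES"
pfsync_syncdev="em2"                         # state sync stays on the crossover
# the backup uses the same file with its own real addresses and advskew 100

# /etc/sysctl.conf: fail both CARP groups over together when one link dies
net.inet.carp.preempt=1

# /etc/pf.conf fragment (constructed example)
ext_if  = "em0"
int_if  = "em1"
sync_if = "em2"

# pfsync only on the dedicated link; "no-sync" keeps these states out of the sync stream
pass quick on $sync_if proto pfsync keep state (no-sync)
# CARP advertisements only on interfaces that actually carry a CARP address
pass quick on { $ext_if, $int_if } proto carp keep state (no-sync)
# anything else claiming to be pfsync or CARP is dropped before the normal rules
block quick proto { pfsync, carp }
```

With this layout the states Kevin mentions are replicated only over em2, and a pfsync or CARP packet arriving on the public side never reaches the kernel's sync or election logic.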