From owner-freebsd-pf@FreeBSD.ORG Thu Feb 17 02:07:19 2011
From: Damien Fleuriot <ml@my.gd>
Date: Thu, 17 Feb 2011 03:06:56 +0100
To: kevin
Subject: Re: Questions about PF + Multiple gateways + CARP on a public ip network
Message-Id: <4B65A291-893E-4B5D-BE2F-E4A72A85C733@my.gd>
In-Reply-To: <017801cbce1c$5d99fc90$18cdf5b0$@com>
References: <00a401cbcd3d$fe313d10$fa93b730$@com> <4D5BD4E6.90605@my.gd> <00cf01cbcdf2$d54f6100$7fee2300$@com> <4D5BF6FE.8090704@my.gd> <017801cbce1c$5d99fc90$18cdf5b0$@com>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On 16 Feb 2011, at 21:59, "kevin" wrote:

>> If you only have one gateway, then you have nothing to worry about for
>> this part.
>
> They provide a gateway address for each subnet they allocate to me -- which
> probably is assigned to the same device for them, but I would need to
> establish these rules in my freebsd firewall, correct?
>

Then you have different paths for inbound traffic right ?

This means you'll want to reply to any given packet via the same path it originally took, which was not necessarily your default gateway.

So, IMO, this implies the use of source routing, impersonated by pf's reply-to option rules.

>
>> If you expect a lot of traffic, I recommend you do NOT use pfsync to
>> synchronize existing sessions on the backup firewall.
>
> Why not? Is this a generally accepted practice not to use pfsync because of
> this? How much traffic is too much? The firewalls should average about 5,000
> - 10,000 states on any given day, afaik.
>

We had to disable pfsync here because it actually hogged way too many resources.

We're talking 100k+ states here with ~5k http requests per sec.

> I'm more worried about failover than I am about states being kept, but it
> would be nice to utilize pfsync if it wouldn't be too risky.

You will be fine, 5-10k states isn't much.

Now I have absolutely no idea what kind of hardware you have, but this really isn't much.

We let go of pfsync only a few weeks ago and mostly as a precautionary measure with over 60k states at any given time.
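The reply-to approach Damien describes, and the CARP/pfsync rules a two-firewall pair needs, written out as an added pf.conf example. This is not from the thread or from either poster; the interface name, the two subnets (from the RFC 5737 documentation ranges) and the gateway addresses are placeholders standing in for whatever the provider actually allocates. The point it shows: each inbound connection to a given subnet is pinned, at state creation, to that subnet's own gateway, so the reply leaves by the path the request arrived on even when the default route points elsewhere.

```pf
# --- Placeholder names; substitute the real interface, subnets and gateways ---
ext_if   = "em0"             # provider-facing interface (assumed)
sync_if  = "em1"             # crossover link between the two firewalls (assumed)
isp_net1 = "192.0.2.0/24"    # first allocated subnet (placeholder)
isp_gw1  = "192.0.2.1"       # gateway the provider supplied for that subnet (placeholder)
isp_net2 = "198.51.100.0/24" # second allocated subnet (placeholder)
isp_gw2  = "198.51.100.1"    # gateway the provider supplied for that subnet (placeholder)
services = "{ 80 443 }"      # ports this host set actually serves

set skip on lo0
block in log on $ext_if

# Failover plumbing for a CARP pair. The pfsync rule only matters if you do
# run pfsync; the thread's advice is that it is optional at 5-10k states and
# was costly for the poster at 100k+ states, so leave it out if you drop pfsync.
pass quick on $sync_if proto pfsync
pass on $ext_if proto carp

# Inbound connections to the first subnet: the state records reply-to, so
# every packet the firewall sends back for this connection is handed to
# isp_gw1 rather than to whatever the routing table's default gateway is.
pass in on $ext_if reply-to ($ext_if $isp_gw1) inet proto tcp \
    from any to $isp_net1 port $services keep state

# Same for the second subnet, pinned to its own gateway.
pass in on $ext_if reply-to ($ext_if $isp_gw2) inet proto tcp \
    from any to $isp_net2 port $services keep state

# Locally initiated traffic keeps using the normal routing table.
pass out on $ext_if inet keep state
```

Before loading this on either node, check it with `pfctl -nf /etc/pf.conf` (parse only, nothing is loaded). The reply-to decision is taken once, when the state is created by the `pass in` rule, which is why it has to sit on the inbound rule and not on a separate outbound one; traffic the firewall itself originates is unaffected and follows the kernel's default route as before.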