Date: Thu, 31 May 2012 18:52:43 +0200
From: Damien Fleuriot <ml@my.gd>
To: Nikos Vassiliadis <nvass@gmx.com>
Cc: freebsd-stable@freebsd.org, Jim Ohlstein <jim@ohlste.in>
Subject: Re: Why Are You Using FreeBSD?
Message-ID: <4FC7A1DB.6040409@my.gd>
In-Reply-To: <4FC79E45.4060505@gmx.com>
References: <C480320C-0CD9-4B61-8AFB-37085C820AB7@FreeBSD.org> <4FC779C0.7020801@ohlste.in> <4FC77EAD.1090900@my.gd> <4FC78A94.8070008@ohlste.in> <4FC79136.6000205@my.gd> <4FC79E45.4060505@gmx.com>
On 5/31/12 6:37 PM, Nikos Vassiliadis wrote:
> On 5/31/2012 5:41 PM, Damien Fleuriot wrote:
>> Furthermore, when upgrading the CARP Master firewall, we need to plan
>> with the Project Manager a failover to the CARP Backup firewall.
>> Yes, I know about pfsync, yes, we use it, no, it doesn't *instantly*
>> sync sessions for PF.
>
> A bit off-topic on this thread, but isn't pfsync designed to do just
> that? Instantly?
>
> With instantly I really mean:
> Communicate every change to the state table to the other firewall
> in order to let the stateful connections survive a firewall failover.
> Obviously, some packets will be lost, but TCP connections should
> survive, right?
>
> I am not arguing, I ask.
>
> Nikos

Updates aren't instantaneous, they're sent in bundles.

This means that when you fail over, you lose the connections that have completed a SYN/SYN-ACK/ACK sequence on your main firewall but which aren't synched on your backup.

These connections will continue with the peer sending regular non-SYN packets, which your backup-now-master PF will drop.

On topic, if anyone has an awesome idea around this, I'm all ears. This exact topic is causing us some level of discomfort at work when we need to swap firewalls for updates.
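Editor's note, added example, not code from the thread or from the FreeBSD project: the failure mode Damien describes (states that exist on the master but have not reached the backup, or have reached it only in an older TCP phase) can be measured before a planned failover by diffing the two `pfctl -ss` listings. The script below does that on two constructed sample listings (RFC 5737 addresses, not captured output) and reports each master state the backup cannot take over cleanly; the `normalize` and `unsynced_states` functions, the MISSING/STALE labels and the use of `ssh fw2 pfctl -ss` to fetch the backup's table are this example's own conventions. The two pfsync(4) interface options quoted in the comments, `maxupd` and `defer`, are the documented ifconfig(8) knobs for the pfsync interface; confirm them against the ifconfig(8) page of your release before relying on them.

```shell
#!/bin/sh
# Added example, not code from the thread. Before a planned CARP failover,
# diff the pf state tables of the master and the backup: any state the master
# holds that the backup lacks, or holds in an older TCP phase, is a connection
# that a failover right now would break (the backup would see mid-stream
# packets with no matching state and drop them).
#
# Input is the text of `pfctl -ss` from each box, which on FreeBSD looks like
#   all tcp 192.0.2.10:443 <- 198.51.100.5:51234       ESTABLISHED:ESTABLISHED
# Run it live with e.g. (hypothetical host name fw2 for the backup)
#   master=$(pfctl -ss); backup=$(ssh fw2 pfctl -ss)
# The two listings below are constructed sample data, not captured output.

MASTER_STATES='all tcp 192.0.2.10:443 <- 198.51.100.5:51234       ESTABLISHED:ESTABLISHED
all tcp 192.0.2.10:22 <- 198.51.100.7:40210       ESTABLISHED:ESTABLISHED
all tcp 192.0.2.10:443 <- 198.51.100.8:60111       ESTABLISHED:ESTABLISHED
all udp 192.0.2.53:53 <- 198.51.100.9:5353       MULTIPLE:SINGLE'

BACKUP_STATES='all tcp 192.0.2.10:443 <- 198.51.100.5:51234       ESTABLISHED:ESTABLISHED
all tcp 192.0.2.10:22 <- 198.51.100.7:40210       SYN_SENT:CLOSED
all udp 192.0.2.53:53 <- 198.51.100.9:5353       MULTIPLE:SINGLE'

# Reduce each `pfctl -ss` line to: proto src dir dst phase.
# The "(orig-addr)" column that NAT'd states carry is stripped first so the
# field positions stay constant.
normalize() {
    printf '%s\n' "$1" | sed 's/ ([^)]*)//' | awk 'NF >= 6 { print $2, $3, $4, $5, $6 }'
}

# Print one line per master state that the backup does not mirror exactly:
#   MISSING  - backup has no state for this key at all
#   STALE    - backup has the key but in a different (older) phase
unsynced_states() {
    m=$(mktemp) || return 1
    b=$(mktemp) || return 1
    normalize "$1" > "$m"
    normalize "$2" > "$b"
    awk 'FILENAME == ARGV[1] { backup[$1 FS $2 FS $3 FS $4] = $5; next }
         {
             key = $1 FS $2 FS $3 FS $4
             if (!(key in backup))       print "MISSING", $0
             else if (backup[key] != $5) print "STALE  ", $0
         }' "$b" "$m"
    rm -f "$m" "$b"
}

# Number of master states the backup cannot take over cleanly.
unsynced_count() {
    unsynced_states "$1" "$2" | awk 'END { print NR }'
}

# Exit 0 when every master state is mirrored on the backup, 1 otherwise.
failover_safe() {
    [ "$(unsynced_count "$1" "$2")" -eq 0 ]
}

# pfsync(4) interface options (ifconfig(8)) that shrink the window between a
# state change on the master and its arrival on the backup. Shown, not run:
#   ifconfig pfsync0 maxupd 1   # send after every update of a state instead
#                               # of letting up to 128 updates pile up
#   ifconfig pfsync0 defer      # hold the first packet of a new state until
#                               # the peer acknowledges the state insert

if [ "${1:-}" = "demo" ]; then
    unsynced_states "$MASTER_STATES" "$BACKUP_STATES"
    if failover_safe "$MASTER_STATES" "$BACKUP_STATES"; then
        echo "backup is in sync; safe to fail over"
    else
        echo "$(unsynced_count "$MASTER_STATES" "$BACKUP_STATES") state(s) not mirrored; wait or expect drops"
    fi
fi
```

With the sample data the check reports two states: the SSH session, which the backup holds only in SYN_SENT:CLOSED (the insert arrived, the batched updates did not yet), and the second HTTPS session, which the backup has not seen at all. Both are exactly the connections that would be dropped after a failover, so the practical procedure is to loop on `failover_safe` until it succeeds (or the count stops falling) and only then demote the master.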