From owner-freebsd-stable@FreeBSD.ORG Thu May 31 16:52:46 2012
Message-ID: <4FC7A1DB.6040409@my.gd>
Date: Thu, 31 May 2012 18:52:43 +0200
From: Damien Fleuriot
To: Nikos Vassiliadis
In-Reply-To: <4FC79E45.4060505@gmx.com>
Cc: freebsd-stable@freebsd.org, Jim Ohlstein
Subject: Re: Why Are You Using FreeBSD?

On 5/31/12 6:37 PM, Nikos Vassiliadis wrote:
> On 5/31/2012 5:41 PM, Damien Fleuriot wrote:
>> Furthermore, when upgrading the CARP Master firewall, we need to plan
>> with the Project Manager a failover to the CARP Backup firewall.
>> Yes, I know about pfsync, yes, we use it, no, it doesn't *instantly*
>> sync sessions for PF.
>
> A bit off-topic on this thread, but isn't pfsync designed to do just
> that? Instantly?
>
> With instantly I really mean:
> Communicate every change to the state table to the other firewall
> in order to let the stateful connections survive a firewall failover.
> Obviously, some packets will be lost, but TCP connections should
> survive, right?
>
> I am not arguing, I ask.
>
> Nikos

Updates aren't instantaneous, they're sent in bundles.

This means that when you fail over, you lose the connections that have
completed a SYN/SYN-ACK/ACK sequence on your main firewall but which
aren't synched on your backup.

These connections will continue with the peer sending regular non-SYN
packets, which your backup-now-master PF will drop.

On topic, if anyone has an awesome idea around this, I'm all ears; this
exact topic is causing us some level of discomfort at work when we need
to swap firewalls for updates.
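To make the replication gap described in the reply concrete, here is a toy Python model added for this archive page (it is not code from the thread, from PF or from pfsync): states are created on the master as handshakes complete, pushed to the backup only in bundles of `bundle_size`, and after a failover each flow sends one mid-stream packet to the backup. The `Firewall` class, the flow tuples and the bundle size are constructed assumptions, not real pfsync message formats or timers.

```python
"""Toy model of PF state replication with bundled (pfsync-style) updates.
Constructed example; it does not speak real pfsync or model its timing."""
from dataclasses import dataclass, field


@dataclass
class Firewall:
    """A PF-like state table keyed by the TCP flow's 4-tuple (assumed)."""
    name: str
    states: set = field(default_factory=set)
    pending: list = field(default_factory=list)  # not yet sent to the peer

    def complete_handshake(self, flow):
        """Master side: SYN/SYN-ACK/ACK done, so state is created locally."""
        self.states.add(flow)
        self.pending.append(flow)

    def flush_sync(self, peer):
        """Bundled update: every queued state is pushed to the peer at once."""
        peer.states.update(self.pending)
        self.pending.clear()

    def passes(self, flow, syn):
        """A SYN may create new state; a mid-stream packet needs existing state."""
        if syn:
            self.states.add(flow)
            return True
        return flow in self.states


def simulate(n_flows, bundle_size):
    """Establish n_flows on the master (one sync bundle per bundle_size states),
    fail over to the backup, then send one non-SYN packet per flow to it.
    Returns (survived_count, dropped_flow_ids)."""
    master, backup = Firewall("fw1"), Firewall("fw2")
    flows = {}
    for i in range(1, n_flows + 1):
        flows[i] = ("10.0.0.%d" % i, 40000 + i, "192.0.2.10", 443)  # constructed
        master.complete_handshake(flows[i])
        if i % bundle_size == 0:
            master.flush_sync(backup)
    # Failover: CARP moves the VIP and fw2 now sees the live traffic.
    # Anything still queued in fw1.pending never reached fw2.
    dropped = [i for i, f in flows.items() if not backup.passes(f, syn=False)]
    return n_flows - len(dropped), dropped


if __name__ == "__main__":
    survived, dropped = simulate(10, 4)
    print("survived:", survived, "dropped flow ids:", dropped)
```

With ten flows and bundles of four, flows 9 and 10 were established after the last bundle left fw1 and are dropped by fw2 after the failover; the flows lost are exactly those created since the last bundle, which is why the loss shrinks as the sync interval shrinks but never reaches zero.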