
Re: pf address pools

In some mail from Stefan Sonnenberg-Carstens, sie said:
> So, do you think it might be better to use ipfilter than pf on OpenBSD in
> that case ?
My answer to that question is likely to be biased so I won't answer it.
> And the next question is, is it useful to have a wide spread (more than one
> IP subnet) servers to do load-balancing on ?
The answer to this is not so much "is it useful" but how have you built
your environment with redundant things that need to be load balanced
between?  If they're already on the same subnet and consecutively
numbered in a power-of-two range, you are fine.  Anything that doesn't
match that and you cannot meaningfully use pf, it seems.
I don't view the src-hash with rdr in pf as being sticky redirection at
all.  It might behave like that but in reality, I would hope that wasn't
the design goal, just an artifact of being able to use src-hash with rdr
rules whereas src-hash was designed for nat rules (and kind of makes
sense there.)
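
The constraint described in the reply above (servers on one subnet, consecutively numbered, in a power-of-two range), as an added example that is not part of the original message: a check of whether a list of backend addresses can be written as one address/prefix block. The function name and the addresses are constructed, and treating "power-of-two range" as an aligned CIDR block is an assumption.

```python
import ipaddress


def single_block(addrs):
    """Return (network, None) if addrs fill exactly one CIDR block,
    otherwise (None, reason). Assumes all addresses are IPv4."""
    hosts = sorted({ipaddress.ip_address(a) for a in addrs})
    if not hosts:
        return None, "empty pool"
    n = len(hosts)
    first, last = int(hosts[0]), int(hosts[-1])
    # Consecutive numbering: no holes between the lowest and highest address.
    if last - first + 1 != n:
        return None, "addresses are not consecutive"
    # A prefix length can only describe 1, 2, 4, 8, ... addresses.
    if n & (n - 1):
        return None, "pool size %d is not a power of two" % n
    # The block must also start on a multiple of its own size.
    if first % n:
        return None, "range does not start on a %d-address boundary" % n
    prefix = hosts[0].max_prefixlen - (n.bit_length() - 1)
    return ipaddress.ip_network("%s/%d" % (hosts[0], prefix)), None


if __name__ == "__main__":
    # Constructed sample pools (documentation address ranges).
    pools = {
        "aligned /30": ["192.0.2.16", "192.0.2.17", "192.0.2.18", "192.0.2.19"],
        "shifted by one": ["192.0.2.17", "192.0.2.18", "192.0.2.19", "192.0.2.20"],
        "three servers": ["192.0.2.16", "192.0.2.17", "192.0.2.18"],
        "two subnets": ["192.0.2.10", "198.51.100.10"],
    }
    for name, addrs in pools.items():
        net, reason = single_block(addrs)
        print("%-15s %s" % (name, net if net else "no single block: " + reason))
```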