
RE: pf sync



Hi,
> I have been given a spec to produce a set of redundant firewalls for
> three DSL connections. These have to be three pairs of firewalls, two
> for each connection.
Why six firewalls? Do you think that 3 boxes will die at the same time?
CARP can handle 255 addresses per box, so my suggestion is stay with 3
boxes. And use carp/pfsync to fail over the different DSL lines.
Use more NICs instead of boxes if you don't want/can't have DSL lines on
the same physical segment.
> However, I have done a couple of basic pf firewall configurations, but
> I do not know anything about pfsync, despite reading Absolute OpenBSD
> and Building Firewalls with OpenBSD and PF 2nd ed.
http://www.countersiege.com/doc/pfsync-carp/
Mini HOWTO (everything is mentioned on the page above):
In pf.conf: allow pfsync traffic
In /etc/sysctl.conf: enable carp
Tell pfsync to use a specific NIC in /etc/hostname.pfsync
Establish your different carp groups in /etc/hostname.carp[0-255]
I'm using 3 boxes with 19 different carp interfaces failing over for
various reasons; I'm not using the carp round-robin stuff.
-Thomas