(trying freebsd-pf) Hello,

I have a pair of firewalls with carp, pf and pfsync, and I see a large difference between the number of states (pfctl -si, current entries) on the firewalls. The pfsync link is a 10 GB link with around 20 Kpps on load (I don't think it's the issue). pf1 is the master with 807598 states, pf2 is the backup with 1696258 states. There is only small traffic from / to the firewalls that can explain this difference.

I'm looking at the states (but it's not easy on real traffic) and I've found some states not present in pf1, but still present in pf2. One state was in tcp state ESTABLISHED:ESTABLISHED with an expire age around 23:55:00 (the default of a tcp timeout) and I can confirm that the tcp session was ended (with netflow traces) and started 5 minutes ago. So it looks like sometimes pf2 misses (or pf1 does not send) some state updates. I say "sometimes" because with the rate of state inserts here, I think that if this was always the case, the state table on pf2 would have already exploded.

I would like to know if someone is seeing this kind of difference. Even an "it works for me" will be helpful.

Thanks, regards.

_______________________________________________
freebsd-pf@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"
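As an added example (not part of the original post and not FreeBSD's own tooling), the comparison the poster is doing by hand can be scripted: take a `pfctl -ss` dump from each firewall, diff the state keys, and flag TCP states the backup still holds as ESTABLISHED:ESTABLISHED while the master has already dropped them. The two dumps below are constructed, and the script assumes the plain `pfctl -ss` line format with an optional parenthesised NAT address.

```python
import re

# A `pfctl -ss` state line; the parenthesised NAT address after the first endpoint is optional:
#   all tcp 203.0.113.1:61000 (10.0.0.5:52000) -> 192.0.2.80:80   ESTABLISHED:ESTABLISHED
STATE_RE = re.compile(
    r"^(?P<ifname>\S+)\s+(?P<proto>\S+)\s+(?P<a>\S+)"
    r"(?:\s+\((?P<nat>[^)]+)\))?\s+(?P<dir><->|<-|->)\s+(?P<b>\S+)\s+(?P<st>\S+)$"
)

def parse_states(dump):
    """Map (proto, a, nat, dir, b) -> (ifname, state) for every state line in a dump."""
    states = {}
    for line in dump.splitlines():
        m = STATE_RE.match(line.strip())
        if m:  # anything that is not a state line (blank, headers) is skipped
            key = (m["proto"], m["a"], m["nat"] or "", m["dir"], m["b"])
            states[key] = (m["ifname"], m["st"])
    return states

def diff_states(master_dump, backup_dump):
    """Return (backup_only, master_only): states one box holds that the other lacks."""
    master, backup = parse_states(master_dump), parse_states(backup_dump)
    backup_only = sorted((k, v) for k, v in backup.items() if k not in master)
    master_only = sorted((k, v) for k, v in master.items() if k not in backup)
    return backup_only, master_only

def suspect_stale(entries):
    """TCP states still ESTABLISHED:ESTABLISHED only on the backup: if pf2 missed the
    update or delete, they sit there until the tcp.established timeout runs out."""
    return [e for e in entries if e[0][0] == "tcp" and e[1][1] == "ESTABLISHED:ESTABLISHED"]

# Constructed sample dumps standing in for `pfctl -ss` output on pf1 (master) and pf2 (backup).
MASTER_DUMP = """\
all tcp 192.0.2.10:443 <- 198.51.100.5:51234       ESTABLISHED:ESTABLISHED
all tcp 192.0.2.10:22 <- 198.51.100.3:55555       ESTABLISHED:ESTABLISHED
all udp 192.0.2.53:53 <- 198.51.100.7:40000       MULTIPLE:SINGLE
all tcp 203.0.113.1:61000 (10.0.0.5:52000) -> 192.0.2.80:80       ESTABLISHED:ESTABLISHED
"""
BACKUP_DUMP = """\
all tcp 192.0.2.10:443 <- 198.51.100.5:51234       ESTABLISHED:ESTABLISHED
all tcp 192.0.2.10:443 <- 198.51.100.9:44444       ESTABLISHED:ESTABLISHED
all udp 192.0.2.53:53 <- 198.51.100.7:40000       MULTIPLE:SINGLE
all udp 192.0.2.53:53 <- 198.51.100.8:40001       SINGLE:NO_TRAFFIC
all tcp 203.0.113.1:61000 (10.0.0.5:52000) -> 192.0.2.80:80       ESTABLISHED:ESTABLISHED
"""
if __name__ == "__main__":
    backup_only, master_only = diff_states(MASTER_DUMP, BACKUP_DUMP)
    print(len(backup_only), "only on backup;", len(master_only), "only on master;",
          "suspect stale:", [k for k, _ in suspect_stale(backup_only)])
```

On a live pair, run `pfctl -ss` on both boxes at (nearly) the same moment and feed the saved files in; states that only differ because of normal churn between the two snapshots will not be ESTABLISHED:ESTABLISHED with a near-full expiry, which is what singles out the missed updates.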
I have a pair of firewalls with carp, pf and pfsync and I see a large difference between the number of states (pfctl -si, current entries) on the firewalls. The pfsync link is a 10 GB link witht around 20 Kpps on load (don't think it's the issue). pf1 is the master with 807598 states, pf2 is the backup with 1696258 states There is only small traffic from / to the firewalls that can explain this difference. I'm looking on the states (but it's not easy on real traffic) and I've found some states not present in pf1, but still present in pf2. One states was in state tcp ESTABLISHED:ESTABLISHED with a expire age around 23:55:00 (the default of a tcp timeout) and I can confirm that the tcp session was ended (with netflow traces) and started 5 minutes ago. So it looks like sometimes pf2 misses (or pf1 does not send) some state updates. I say "sometimes" because with the rates of states inserts here, I think that if this is always the case, the states table on pf2 would have already exploded. I would like to know if someone is seeing this kind of difference. Even an "it works for me" will be helpful. Thanks, regards. _______________________________________________ freebsd-pf@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-pf To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"