I have two OpenBSD 4.7 firewalls. I have tried to take them down to the most basic configuration possible in my pf.conf ruleset while still passing the carp and state rules as suggested in the OpenBSD FAQ/Guide; however, when I reboot the master, the backup does not seem to have kept any state, since my SSH connections to the outside world die.
I have used tcpdump on the pfsync device and I see packets flying from both firewalls, and I also added the "defer" option to pfsync, since this seemed to require confirmation of the pf state packet being added to the other firewall before the state would be added on the master firewall. That seemed like a good idea. Carp failover works fine. Here is my pfsync config from the master and backup:

```
# cat /etc/hostname.pfsync0
up syncdev vr2 defer
```

Here is my pf.conf:

```
ext_if="vr0"
int_if="vr1"
pfsync_if="vr2"
Lo_if="lo0"

set skip on lo

pass # to establish keep-state

block in on ! lo0 proto tcp to port 6000:6010

match out on $ext_if from $int_if:network to any nat-to ($ext_if)

pass out on { $ext_if $int_if } proto carp keep state
pass on $pfsync_if proto pfsync
```
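For comparison, here is an added example ruleset (not from the post above, and not OpenBSD's own FAQ text) that follows the FAQ's carp/pfsync pattern: outbound traffic is translated to the shared carp address rather than to the physical interface address, so a synced state still matches on the backup after failover. The carp interface name `carp0` and the interface names `vr0`, `vr1` and `vr2` are assumptions carried over from the post.

```pf
# Added example: assumed interface names, same layout as the post.
ext_if="vr0"
int_if="vr1"
pfsync_if="vr2"
carp_if="carp0"

set skip on lo

# Let the physical interfaces talk carp and pfsync to each other.
pass on $ext_if proto carp
pass on $int_if proto carp
pass on $pfsync_if proto pfsync

# NAT to the shared carp address (not to the per-host vr0 address),
# so states synced over pfsync remain valid on whichever host is master.
match out on $ext_if from $int_if:network to any nat-to ($carp_if)

# Default pass; in OpenBSD 4.7 "pass" keeps state unless "no state" is given.
pass
```

After loading this on both hosts, `pfctl -s states` on the backup should list the same outbound SSH state entries as the master while the master is still up.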