Hi All, Does pfsync require firewalls to have the same firewall rules on all hosts in the sync group? May seem an odd thing to ask, but I have a situation in which I have two firewalls on different sides of my network, each one connected to a different external network. Occasionally, due to BGP weights etc., we might get asymmetric packet flow and packets come into our network via one firewall and out via the other. This is a problem for pf's state system and the only way I've been able to work around it is to not keep state at all -- obviously not a great idea.
I'm hoping I might be able to rearrange my network to a point where this is not an issue and both external connections come into a single OpenBSD box so that pf states can work. But, I was wondering... could I use pfsync to sync states across from one side of the network to the other? Do pfsync packets contain a reference to the firewall rule number or specific interface? Or does it just have information specific to the packet itself (i.e., src address, dst address, sequence numbers, etc.)? -Matt
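As an added illustration of the setup the question is about (this is not configuration from the original thread or from the OpenBSD project), the fragment below sketches one of two pf firewalls that share state over pfsync so that a flow entering through one box can be answered through the other. Interface names (em0, em1, em2), the 10.0.0.0/30 sync link and the internal/external networks are assumed placeholders. The points it encodes are the ones a practitioner wants to check: pfsync state messages carry the creating rule's number in the active ruleset and the name of the interface the state is bound to, so the same pf.conf should be loaded on both peers so that numbers map to the same rules; `set state-policy floating` keeps states from being bound to one interface (they are exported with an interface of "any"), which is what allows the peer to match the reply on a different interface; and pfsync is unauthenticated, so it belongs on a dedicated link that nothing else can reach.

```conf
# /etc/pf.conf  (load the identical file on BOTH peers: pfsync references
#                rules by their position in the active ruleset)
ext_if  = "em0"          # assumed: this box's upstream / BGP side
int_if  = "em1"          # assumed: internal network
sync_if = "em2"          # assumed: dedicated back-to-back pfsync link
int_net = "192.0.2.0/24" # assumed: internal prefix (documentation range)

# Floating states are not tied to the interface that created them, so a
# state learned from the peer over pfsync can match the reverse packet
# arriving on or leaving via a different interface on this box.
set state-policy floating

# Do not filter the sync interface itself; keep pfsync traffic out of the
# state table and off every other network (pfsync has no authentication).
set skip on $sync_if

block log all

# Ordinary forwarding rules; each creates a state that pfsync exports.
pass in  on $int_if from $int_net to any keep state
pass out on $ext_if from $int_net to any keep state
pass in  on $ext_if proto tcp to $int_net port 443 keep state
```

The matching interface setup, also assumed for the example, lives in /etc/hostname.pfsync0 on each peer (only the peer address differs): `up syncdev em2 syncpeer 10.0.0.2` on the first box and `up syncdev em2 syncpeer 10.0.0.1` on the second, with em2 carrying 10.0.0.1/30 and 10.0.0.2/30 respectively. Two caveats a defender should keep in mind: state insertion on the peer is asynchronous, so the very first reply of a new flow can reach the other firewall before the state does (OpenBSD's `ifconfig pfsync0 defer` holds the initial packet until a peer acknowledges the state, at the cost of latency on new connections), and `pfctl -s state -vv` on the peer is the quick way to confirm that synced states show up with the expected rule number and an interface of "any".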