Where is it documented that in order for pfsync to properly synchronize
rule specific state timeouts that the rule sets on the systems being
synchronized must be *exactly* the same?
I have a pair of redundant firewalls synchronizing state, and recently
added a couple of rules that increase the default timeout for a UDP connection:

pass out quick on $ext_if proto udp tagged VOIP_UDP keep state (udp.multiple 360)
pass in quick on vlan110 proto udp from any to port = 9430 tag VOIP_UDP keep state (udp.multiple 360)

Despite the timeout being set to six minutes, the states kept
disappearing after approximately a minute of idle time. After spending a
lot of time trying to debug it, I finally figured out that the states
replicated to the backup firewall received the default one minute
timeout rather than the six minute timeout specified by the rule, and
when they expired on the backup firewall, they were deleted from the
primary firewall.
After further debugging, I discovered that pfsync on the receiving
system only applies the rule specific timeout if the entire rule set is
exactly identical on both systems. While my rule set was functionally
identical on both systems, it was not exactly the same, having rules
such as:

pass in quick on $ext_if proto tcp from any to $ext_if port ssh

which had the primary IP address on each system substituted, resulting
in a rule set that was "different".
This seems overly strict. What if two systems being used as redundant
firewalls had different network cards? This would make the names of the
interfaces different, resulting in rule sets that were not the same,
preventing per-rule state timeouts from being properly applied.
I can understand you wouldn't want to apply the wrong timeout, but it
seems that validating a per rule checksum rather than an entire rule set
checksum would be more flexible. Both the rule number and the rule
content on both of these systems for these rules are exactly the same.
It is just other rules that have a different IP address given that each
system has its own separate IP address in addition to the virtual carp
address...
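As an added illustration (not part of the original post), the script below mimics the whole-ruleset comparison described above on two constructed stand-ins for `pfctl -sr` output, shows that a single differing address makes the sets unequal, and lists the rules whose per-rule timeouts would then be ignored by the peer. The interface names, the 192.0.2.x addresses and the `cksum`-based fingerprint are assumptions for the example, not the poster's values or pf's own checksum.

```shell
#!/bin/sh
# Added example, not from the original post: shows why a whole-ruleset
# comparison fails for this configuration and which rules lose their timeouts.
# Constructed stand-ins for `pfctl -sr` output on each host; em0, vlan110 and
# the 192.0.2.x addresses are placeholders, not the poster's real values.
PRIMARY_RULES='pass in quick on em0 proto tcp from any to 192.0.2.10 port = 22 flags S/SA keep state
pass out quick on em0 proto udp tagged VOIP_UDP keep state (udp.multiple 360)
pass in quick on vlan110 proto udp from any to any port = 9430 tag VOIP_UDP keep state (udp.multiple 360)'
BACKUP_RULES='pass in quick on em0 proto tcp from any to 192.0.2.11 port = 22 flags S/SA keep state
pass out quick on em0 proto udp tagged VOIP_UDP keep state (udp.multiple 360)
pass in quick on vlan110 proto udp from any to any port = 9430 tag VOIP_UDP keep state (udp.multiple 360)'

# Whole-set fingerprint (a stand-in for the kernel's ruleset checksum): one
# differing byte anywhere changes it, and that is the condition under which
# the receiving pfsync peer falls back to the default state timeouts.
ruleset_checksum() {
    printf '%s\n' "$1" | cksum | cut -d' ' -f1
}

# Rule numbers (0-based, as pfctl -vvsr shows them) whose text differs.
# Extra trailing rules in the first set are not reported.
differing_rules() {
    a=$(mktemp) && b=$(mktemp)
    printf '%s\n' "$1" > "$a"
    printf '%s\n' "$2" > "$b"
    awk 'NR == FNR { rule[FNR] = $0; next }
         $0 != rule[FNR] { print FNR - 1 }' "$a" "$b"
    rm -f "$a" "$b"
}

# Rules carrying a per-rule timeout in their state options: these are the
# ones whose timeout silently reverts to the global default on the peer.
timeout_rules() {
    printf '%s\n' "$1" |
        awk '/\([^)]*(tcp|udp|icmp|other)\.[a-z]+ [0-9]+/ { print NR - 1 ": " $0 }'
}

report() {
    if [ "$(ruleset_checksum "$1")" = "$(ruleset_checksum "$2")" ]; then
        echo "rule sets identical: per-rule timeouts will be honoured by the peer"
        return 0
    fi
    echo "rule sets differ; rules that differ (by number):"
    differing_rules "$1" "$2" | sed 's/^/  rule /'
    echo "rules whose per-rule timeouts the peer will ignore:"
    timeout_rules "$1" | sed 's/^/  rule /'
    return 1
}

report "$PRIMARY_RULES" "$BACKUP_RULES" || true
```

Pointing the two variables at the real `pfctl -sr` output of each host (over ssh, for instance) turns this into a pre-failover check that the rule sets really are byte-identical.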