Joerg Zinke wrote:
| Hi David,
|
|> rdr on $int_if proto tcp from any to $webserver port $webports -> \
|>    <webpool> round-robin sticky-address
|
| ^^^ I think the second rule is not needed if hoststated is running.
| AFAIK this second rule will never be "executed" if hoststated is
| running, because hoststated creates the "same" rule (before) on the
| anchor position.

Previous resources we had looked at did not have the 'rdr' line in the
pf.conf file if you were using hoststated either. And we had had the
'sticky-address' keyword in the 'service' block in the hoststated.conf
file. With this setup, we were also seeing traffic jump between the two
web servers.

The book "The Book of PF" is a newer resource that I just got last week
and it was the first document that referred to keeping the 'rdr'
statement in the pf.conf file along with the 'sticky-address' keyword.

Some of the prior resources I had referred to were:

http://www.openbsd.org/papers/eurobsdcon07/pyr-loadbalancing/
The OpenBSD PF Packet Filter Book
man hoststated.conf

| Regards,
|
| Joerg

-- 
David Goldsmith
SANS NOC