Joerg Zinke wrote:
| Hi David,
|
|> rdr on $int_if proto tcp from any to $webserver port $webports -> \
|>         <webpool> round-robin sticky-address
|
| ^^^ I think the second rule is not needed if hoststated is running.
| AFAIK this second rule will never be "executed" if hoststated is
| running, because hoststated creates the "same" rule (before) on the
| anchor position.

Previous resources we had looked at did not have the 'rdr' line in the
pf.conf file if you were using hoststated either, and we had the
'sticky-address' keyword in the 'service' block in the hoststated.conf file.

With this setup, we were also seeing traffic jump between the two web
servers.  "The Book of PF" is a newer resource that I just got last week,
and it was the first document that referred to keeping the 'rdr' statement
in the pf.conf file along with the 'sticky-address' keyword.

Some of the prior resources I had referred to were:

http://www.openbsd.org/papers/eurobsdcon07/pyr-loadbalancing/
The OpenBSD PF Packet Filter Book
man hoststated.conf

| Regards,
|
| Joerg

--
David Goldsmith
SANS NOC
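To make the two placements being compared in this thread concrete, below is an added example (not posted by either participant) of a pf.conf and hoststated.conf pair: the 'rdr-anchor' line that hoststated needs, the 'rdr' rule quoted above kept in pf.conf, and a 'service' block that carries 'sticky-address' itself. The interface names, addresses, table names and health-check settings are assumptions, and the hoststated.conf syntax follows the OpenBSD 4.2-era manual as I recall it; check it against your own hoststated.conf(5). To see which rule is actually handling connections, compare 'pfctl -sn' with the rules hoststated loaded into the anchor it creates for the service (hoststated/www here, assuming that naming), e.g. 'pfctl -a hoststated/www -sn'.

```conf
# --- /etc/pf.conf (constructed example; em1 and all addresses are assumptions) ---
int_if    = "em1"
webserver = "192.168.1.10"        # the address clients connect to
webports  = "80"

# hoststated(8) installs its own rdr rule and host table in this anchor.
# rdr rules are evaluated in order, so a rule loaded here is tried before
# the plain 'rdr' rule further down in this file.
rdr-anchor "hoststated/*"

# The rule quoted in the thread, kept in pf.conf as "The Book of PF" suggests.
# While hoststated is running it is only reached if no anchor rule matched.
table <webpool> persist { 10.0.0.1, 10.0.0.2 }
rdr on $int_if proto tcp from any to $webserver port $webports -> \
        <webpool> round-robin sticky-address

# Let the redirected connections through to the real servers.
pass in on $int_if proto tcp from any to <webpool> port $webports keep state

# --- /etc/hoststated.conf (constructed example) ---
interval 5          # seconds between health checks
timeout 1000        # milliseconds before a check is treated as failed

table webhosts {
        real port 80
        check http "/" code 200     # drop a host from rotation unless / returns 200
        host 10.0.0.1
        host 10.0.0.2
}

service www {
        virtual ip 192.168.1.10 port 80
        table webhosts
        sticky-address              # the other placement: pf's sticky-address goes on
                                    # the rdr rule hoststated writes into its anchor
}
```

With both files in place there are two rdr rules carrying sticky-address, one in the anchor and one in pf.conf proper; the one in the anchor is consulted first, which is the point Joerg makes above. The pf.conf rule still matters in the case where hoststated is not running, since the anchor is then empty and the plain rule is the only redirect left.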