On 6/1/2010 2:30 PM, Devin Reade wrote:
> Ignoring aspects common to all OpenBSD upgrades, and the idiosyncrasies
> that get mentioned in the release notes for specific upgrades, does anyone
> have general comments, suggestions, warnings, etc regarding upgrading
> a pair of firewalls that are running in a typical redundant config
> using carp, pfsync, et al?
> It is not the case that I'm part way through an upgrade and have a
> problem. It's more that I'm interested in what I can expect when
> I run into this situation.
> Devin
The first obstacle you'll encounter is the changes in pf between 4.6 and
4.7. The best thing you could do is to replicate your network with
Virtual machines and do a couple cycles of upgrade, revert to snapshot
until you are confident in the upgrade. Then I would recommend taking
one of the systems down completely (remove all network connections)
upgrade it, then wait until the other system is ready for upgrade and
take it down before reconnecting the upgraded machine.
You do not want the systems seeing each other before they are both
upgraded. I learned this after seeing the havoc that can be wreaked
with Cisco Firewalls when they are not the same version, but sharing the
same config. It isn't pretty, and neither are the e-mails you get from
the users. Believe me, the 5 minutes the firewall is down pales in
comparison to the time wasted when both firewalls are over-writing the
other's configs.
-Christopher
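The "changes in pf between 4.6 and 4.7" Christopher mentions are mainly the removal of the stand-alone nat/rdr/binat rules (and their -anchor forms) in favour of nat-to/rdr-to/binat-to options on match and pass rules. The script below is an added example and is not code from either poster: it scans a pf.conf for the old translation syntax so you can find the rules that need rewriting before the upgraded box refuses the ruleset. The two rulesets in it are constructed for illustration; em0 and the addresses are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): flag pf.conf rules written in the
# pre-4.7 translation syntax, which the 4.7 parser rejects.
#
# OpenBSD 4.7 removed the top-level "nat", "rdr" and "binat" rules and the
# "nat-anchor"/"rdr-anchor"/"binat-anchor" forms; translation is now an
# option (nat-to, rdr-to, binat-to) on match/pass rules, and the anchor
# variants collapsed into plain "anchor".

# Print the lines of a pf.conf (read from stdin) that still use the old
# syntax. Comments are stripped first so a commented-out rule is ignored.
# Always exits 0 so it can be used inside pipelines and substitutions.
pf_pre47_rules() {
    sed -e 's/#.*$//' \
      | grep -E '^[[:space:]]*(no[[:space:]]+)?(nat|rdr|binat)(-anchor)?[[:space:]]' \
      || true
}

# Number of offending lines; 0 means nothing obvious needs rewriting.
pf_pre47_count() {
    pf_pre47_rules | wc -l | tr -d ' '
}

# Exit status 0 when the ruleset (stdin) is free of pre-4.7 rules, 1 otherwise,
# so it can gate an upgrade script: ... | pf_check_47 || exit 1
pf_check_47() {
    [ -z "$(pf_pre47_rules)" ]
}

# Constructed 4.6-style ruleset (single quotes keep the $ext_if macros literal).
OLD_RULESET='ext_if="em0"
# pre-4.7 translation rules
nat on $ext_if from 192.168.1.0/24 to any -> ($ext_if)
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> 192.168.1.10
rdr-anchor "ftp-proxy/*"
pass in on $ext_if proto tcp to 192.168.1.10 port 80
pass out on $ext_if keep state'

# The same policy in constructed 4.7-style syntax.
NEW_RULESET='ext_if="em0"
match out on $ext_if from 192.168.1.0/24 nat-to ($ext_if)
pass in on $ext_if proto tcp to ($ext_if) port 80 rdr-to 192.168.1.10
anchor "ftp-proxy/*"
pass out on $ext_if'

echo "old ruleset: $(printf '%s\n' "$OLD_RULESET" | pf_pre47_count) rule(s) to rewrite"
printf '%s\n' "$OLD_RULESET" | pf_pre47_rules
echo "new ruleset: $(printf '%s\n' "$NEW_RULESET" | pf_pre47_count) rule(s) to rewrite"
```

This is only a triage pass over the text of the ruleset; the authoritative check is `pfctl -nf /etc/pf.conf` on the box that has already been upgraded (or on the VM replica Christopher suggests), which will also catch the other 4.7 parser changes this grep does not look for. It pairs naturally with his isolation advice: rewrite and syntax-check the ruleset on the disconnected node, and only reconnect it once the peer is on the same release.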