Re: PFSYNC - pf.conf best practice

2011-10-31 Thread Maxim Bourmistrov
I have this diff running on the failover-side currently. I've disabled all extra "set timeout"-settings on failover-side which I used to hold down the exp. time. The replication of exp. time seems to work. I have a long-lived tcp connection which used to show up with double exp. time on the failove

Re: PFSYNC - pf.conf best practice

2011-10-28 Thread Mike Belopuhov
On Fri, Oct 28, 2011 at 11:25 AM, Mike Belopuhov wrote: > On Thu, Oct 27, 2011 at 11:18 AM, Mike Belopuhov wrote: On 26-10-2011 20:32, Maxim Bourmistrov wrote: > The side question, after observing 'systat -s1 states', is WHY "failover"-side > doubles exp. time?? > I'm more expect

Re: PFSYNC - pf.conf best practice

2011-10-28 Thread Mike Belopuhov
On Thu, Oct 27, 2011 at 11:18 AM, Mike Belopuhov wrote: >>> On 26-10-2011 20:32, Maxim Bourmistrov wrote: The side question, after observing 'systat -s1 states', is WHY "failover"-side doubles exp. time?? I'm more expected to have it like a "copy" of the current state of the >

Re: PFSYNC - pf.conf best practice

2011-10-27 Thread Mike Belopuhov
On Wed, Oct 26, 2011 at 9:51 PM, Maxim Bourmistrov wrote: > > Well, it is idle so far as it is not able to take care of dhcp-clients - dhcpd listens on CARP which is not available at the moment. > This box is a slave to the named too, but updates of zone are not so frequent due to the LAN-side. >

Re: PFSYNC - pf.conf best practice

2011-10-26 Thread Maxim Bourmistrov
Well, it is idle so far as it is not able to take care of dhcp-clients - dhcpd listens on CARP which is not available at the moment. This box is a slave to the named too, but updates of zone are not so frequent due to the LAN-side. I'll try to boot back origin bsd, but as of my knowledge, lager up

Re: PFSYNC - pf.conf best practice

2011-10-26 Thread Camiel Dobbelaar
On 26-10-2011 20:32, Maxim Bourmistrov wrote: > The side question, after observing 'systat -s1 states', is WHY "failover"-side > doubles exp. time?? > I'm more expected to have it like a "copy" of the current state of the > master. Yes, the number of states should be roughly in sync on both firewa

PFSYNC - pf.conf best practice

2011-10-26 Thread Maxim Bourmistrov
Hi list, I have faced an interesting problem in active-failover setup for two OpenBSD firewalls with CARP. I'm not sure if this is my fault or if there is something else I just miss. Two 5.0-current in active-failover setup share the same pf.conf. Both are set up with CARP ext/int. pf.conf is set up