[146324] in North American Network Operators' Group


Re: Firewalls - Ease of Use and Maintenance?

daemon@ATHENA.MIT.EDU (Jonathan Lassoff)
Wed Nov 9 10:19:57 2011

In-Reply-To: <4EBA7F04.6000105@foobar.org>
Date: Wed, 9 Nov 2011 07:18:45 -0800
From: Jonathan Lassoff <jof@thejof.com>
To: Nick Hilliard <nick@foobar.org>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Wed, Nov 9, 2011 at 5:24 AM, Nick Hilliard <nick@foobar.org> wrote:
> On 09/11/2011 12:22, Richard Kulawiec wrote:
>> You will find it very difficult to beat pf on OpenBSD for efficiency,
>> features, flexibility, robustness, and security. Maintenance is very
>> easy: edit a configuration file, reload, done.
>
> There are several areas where pf falls down. One is
> auto-synchronisation from primary to backup firewall (not really a pf
> problem, but it's important for production firewall systems).

I've found that this works decently well, via pfsync. It sends out
multicast IP packets with multi-valued elements describing the state
of the flows it has in its table.

If you're having pf inspect TCP sequence numbers, there's a bit of a
race condition in failover with frequently or fast-moving TCP streams.
As the window of acceptable sequence numbers moves on the active
firewall, they're slightly delayed in getting replicated to the
backup(s) and installed in their state tables.
Consequently, on failover, it's possible for some flows to get blocked
and have to be re-created.

I've hit this and dug into it recently, so if you're having a problem,
I'd be happy to chat offlist.

Cheers,
jof

