nanog mailing list archives

Re: Firewalls - Ease of Use and Maintenance?


From: Jonathan Lassoff <jof () thejof com>
Date: Wed, 9 Nov 2011 07:18:45 -0800

On Wed, Nov 9, 2011 at 5:24 AM, Nick Hilliard <nick () foobar org> wrote:
> On 09/11/2011 12:22, Richard Kulawiec wrote:
>> You will find it very difficult to beat pf on OpenBSD for efficiency,
>> features, flexibility, robustness, and security.  Maintenance is very
>> easy: edit a configuration file, reload, done.
>
> There are several areas where pf falls down.  One is auto-synchronisation
> from primary to backup firewall (not really a pf problem, but it's
> important for production firewall systems).

I've found that this works decently well, via pfsync. It sends out
multicast IP packets with multi-valued elements describing the state
of the flows it has in its table.

If you're having pf inspect TCP sequence numbers, there's a bit of a
race condition in failover with frequently or fast-moving TCP streams.
As the window of acceptable sequence numbers moves on the active
firewall, they're slightly delayed in getting replicated to the
backup(s) and installed in their state tables.
Consequently, on failover, it's possible for some flows to get blocked
and have to be re-created.

I've hit this and dug into it recently, so if you're having a problem,
I'd be happy to chat offlist.

Cheers,
jof
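An OpenBSD pfsync/CARP pair of the kind discussed above, as an added example that is not jof's, Nick's or any project's configuration and is not part of the original thread. Interface names, addresses, the vhid, the CARP password, the 198.51.100.10 host and port 873 are constructed placeholders. It pairs the default sequence-tracking state rules (the ones whose replicated windows lag on failover) with pf's `sloppy` state option, applied narrowly to flows where a post-failover stall costs more than the sequence checks buy, and notes what pfsync's `defer` does and does not cover.

```conf
# Two OpenBSD firewalls, fw1 (master) and fw2 (backup). fw1 is shown; fw2 is
# the same with its own sync address and a higher advskew. Interface names,
# addresses, vhid and password are constructed placeholders for this example.

# /etc/hostname.em2 -- dedicated sync link between the two firewalls
inet 10.255.0.1 255.255.255.0

# /etc/hostname.pfsync0
# By default pfsync multicasts state updates (224.0.0.240) on syncdev; add
# "syncpeer <addr>" to unicast them instead. "defer" holds the first packet
# of a new connection until a peer acknowledges the state insert, which covers
# the brand-new-state race but not the window-advance lag described in the
# message above: replicated windows still trail the master by the sync latency.
up syncdev em2 defer

# /etc/hostname.em1 -- physical inside address of fw1 (fw2 uses 192.0.2.3)
inet 192.0.2.2 255.255.255.0

# /etc/hostname.carp1 -- shared inside address; fw2 uses advskew 100.
# The outside interface gets an analogous carp interface (not shown).
inet 192.0.2.1 255.255.255.0 192.0.2.255 vhid 1 carpdev em1 pass s3cr3t advskew 0

# /etc/pf.conf
ext_if  = "em0"
int_if  = "em1"
sync_if = "em2"
int_net = "192.0.2.0/24"

set skip on lo

# The peers must be able to exchange CARP advertisements and pfsync updates,
# or failover never happens and state is never replicated.
pass quick on $sync_if proto pfsync
pass quick on { $ext_if, $int_if } proto carp

block log all

# Default TCP tracking checks sequence numbers against the replicated window.
# On failover, a fast-moving flow whose window advanced on the master after
# the last sync can be dropped by the new master and must be re-established.
pass in  on $int_if proto tcp from $int_net to any keep state
pass out on $ext_if proto tcp from $int_net to any keep state

# For flows where a stall after failover costs more than the sequence-number
# checks buy (here: bulk rsync to one known host), "sloppy" turns off that
# tracking, so replication lag no longer drops them. The trade-off: pf stops
# rejecting out-of-window segments, its defence against blind injection into
# established connections. Apply it narrowly, never as the default policy.
pass out on $ext_if proto tcp from $int_net to 198.51.100.10 port 873 \
    keep state (sloppy)
```

Last matching rule wins in pf, so the `sloppy` rule must sit after the general `pass out` it overrides; the `quick` rules for carp and pfsync short-circuit before `block log all`. Watch `pfctl -s states` on the backup after a failover drill to see which flows survived and which had to be re-created.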

