I understand (from pf.conf(5)) what no-sync is supposed to do, however
the only example I've seen of it in use is on the pfsync and carp
examples in pfsync(4).

I was wondering if anyone had some advice on some specific examples of
when the use of no-sync is appropriate, specifically in a two-node
firewall cluster that uses pfsync.  Assume that there are DMZ and
internal network segments, some of which are routable and some of 
which are NAT'd private space.  Further assume that some services
are hosted from the firewall nodes themselves.

I understand that most pf rules under these circumstances would *not*
use no-sync, but it's not clear if there's anything other than 
pfsync/carp that should/might.

Thanks in advance.

Devin

[ message continues ]

i put no-sync on connections that are specific to a firewall. for example,
there is no point syncing states for tcp connections that have one end
terminated on the firewall, so on my firewalls i put no-sync on connections
going to and from relayd. if you have a network on one firewall but not the
other, there isnt much point syncing states to/from that network either.

cheers,
dlg


[ message continues ]

Hi,

On Tue, 07 Dec 2010 21:15:13 -0700

In my understanding any connection made to the firewall own
address or service (so not through the firewall, no nated or redirected
one) should be no-sync'ed, because that connection would simply be
invalid when carp-master will change.

-- 
Greetings
Rafal Bisingier

[ message continues ]