i put no-sync on connections that are specific to a firewall. for example,
there is no point syncing states for tcp connections that have one end
terminated on the firewall, so on my firewalls i put no-sync on connections
going to and from relayd. if you have a network on one firewall but not the
other, there isnt much point syncing states to/from that network either.

cheers,
dlg

On 08/12/2010, at 2:15 PM, Devin Reade wrote:

quoted text
> I understand (from pf.conf(5)) what no-sync is supposed to do, however
> the only example I've seen of it in use is on the pfsync and carp
> examples in pfsync(4).
>
> I was wondering if anyone had some advice on some specific examples of
> when the use of no-sync is appropriate, specifically in a two-node
> firewall cluster that uses pfsync.  Assume that there are DMZ and
> internal network segments, some of which are routable and some of
> which are NAT'd private space.  Further assume that some services
> are hosted from the firewall nodes themselves.
>
> I understand that most pf rules under these circumstances would *not*
> use no-sync, but it's not clear if there's anything other than
> pfsync/carp that should/might.
>
> Thanks in advance.
>
> Devin