Posted 11th March 2011 by J65nko (Administrator)

If one firewall needs to be able to take over from a failing one, it needs the same states.

Have you tried to increase the logging level? From the carp man page:

Code:
net.inet.carp.log    Value of 0 disables any logging.  Value of 1
                     enables logging of bad carp packets.  Values
                     above 1 enable logging state changes of carp
                     interfaces.  Default value is 1.
From the FreeBSD 7.3 man page of pfsync:

Code:
BUGS
     Possibility to view state changes using tcpdump(1) has not been ported
     from OpenBSD yet.
Unfortunately for you

You could ask on the OpenBSD misc list, but you will surely be told to drop FreeBSD and try the latest and greatest OpenBSD. The OpenBSD pf devs usually have no idea which pf version FreeBSD 7.x is using.

Have you seen http://www.mail-archive.com/misc@ope.../msg83651.html ?
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump