> pfsync is a computer protocol used to synchronise firewall states between machines running Packet Filter (PF) for high availability. It is used along with CARP to make sure a backup firewall has the same information as the main firewall. When the main machine in the firewall cluster dies, the backup machine is able to accept current connections without loss.
Pf is included in FreeBSD and macOS, and by extension pfsense. But it's worth noting that they've all diverged to varying degrees so you've gotta be careful in terms of syntax and features.
For fun I've been monkeying around with a friendly pf library in everyone's favorite language, and the differences between them bit me a few times… although it looks like FreeBSD-current is starting to work towards convergence. It's a really powerful tool, it'll let you write rules conditional on an OS fingerprint, handle a bunch of traffic normalization… but it's also been a reminder about how much I dislike C APIs (obviously most folks are going to be using pfctl which is just fine and dandy).
> the smart kids have moved onto opensense now though
Sadly OPNsense is just another highly opinionated mess, just like pfSense now. There are things that are done better in OPNsense but overall the UI is worse than atrocious.
I've been trying to use it for more than 3 years, but as soon as I need something more than a very basic ruleset, things go south.
Agreed. Personally, what {pf,open}sense add aren't worth not just running pf/pfsync/carp on straight OpenBSD. Yes...no flashy GUI, but it's all well documented.
Well, the thing is that I like that they have a WebGUI, especially if I'm not the only one who would use it. But it's almost amusing how they both overcomplicate things, instead of (at least) giving me a checkmark to stop being 'user-friendly'.
The lack of necessities (e.g. pre-populated RFC1918 networks in the aliases, or extremely common things, like an AD ports list) or a 'session' view which defaults to seven states in OPNsense is just the icing on top.
ADD: forgot, those stupid CSS animations in OPN. Not only are they stupid and slow, I almost never access the WebGUI directly, so I'm forced to watch every frame being sent over the net.
It's like they are never ever dogfooding their own products, except their local, small labs.
ADD2: I hated ISA Server with a passion, for it being an overcomplicated mess. But 20 years later I would give my month's supply of pumpkin latte to just have an easy way to work with network groups and high level network abstractions.
Well, yeah...you made my point. I'll take a well documented, easy to work with and reason about, easy to debug, text configuration over a crappy GUI any day of the week.
http://man.openbsd.org/pfsync has more details. This is interesting, I also didn't know of its existence. That said, I've never had to administer multiple failover firewalls so my interest is purely out of curiosity.
"carp" should also be included in discoveries alongside pfsync. carp functions like cisco/juniper/etc VRRP to enable real-time failover. With pfsync being a stateful firewall a lot of care needs to happen with failovers. carp + pfsync allow you to run multiple hot pfsync firewalls that have synchronized state and have near-instant failover without state-related hiccups.
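A minimal OpenBSD two-node setup matching the carp + pfsync combination described above, as an added example that is not from this thread (interface names em0/em2, the 192.0.2.0/24 documentation range and the CARP password are assumed placeholders; the backup node uses the same files with a higher advskew):

```conf
# /etc/hostname.carp0  (master node; the backup uses the same vhid/pass with advskew 100)
# The pass string is a shared secret used to authenticate CARP advertisements,
# so a host on the LAN cannot take over the virtual IP with forged advertisements.
inet 192.0.2.1 255.255.255.0 192.0.2.255 vhid 1 carpdev em0 pass CHANGE-THIS-SECRET advskew 0

# /etc/hostname.pfsync0
# pfsync carries state updates in the clear with no authentication, so it is
# bound to a dedicated, physically isolated link (em2) that carries nothing else.
up syncdev em2

# /etc/pf.conf (relevant excerpt)
ext_if  = "em0"
sync_if = "em2"

# State synchronisation is allowed only on the isolated sync link. The (no-sync)
# option keeps these housekeeping states from being synchronised back to the peer.
pass quick on $sync_if proto pfsync keep state (no-sync)

# CARP advertisements (IP protocol 112, multicast) travel on the production interface.
pass on $ext_if proto carp keep state (no-sync)

# Anything else arriving on the sync link is dropped, so a compromised or
# misplaced host there can only talk pfsync to this node (and not, e.g., ssh).
block on $sync_if
```

Verify the result on the master with `ifconfig carp0` (state MASTER) and `ifconfig pfsync0`, then pull the master's uplink and check that `pfctl -ss` on the backup already lists the live states when it becomes MASTER.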
We use pf+pfsync+carp extensively over in FreeBSD.org as well. It's good stuff!
I understand telling people to "just google it" or "read the fine manual" on support forums where the same repetitive questions are asked a million times, but on hacker news? Why? What is wrong with asking a question that is of interest to the average reader of this thread? What's wrong with conversation?