Pablo,
--On 12. August 2008 13:40:18 +0200 Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
wrote:
- snip -
> The CacheWriteThrough clause should do that for you but with some
> important considerations: higher CPU consumption and possible race
> conditions - the time to transmit the state to the other firewall
> replica should be smaller than the RTT between the firewall and the
> end-peer.
That is why I tested with a long stream of pings and long consecutive http
requests. The result was not better.
> This is generally true if your firewall is connected to a DSL
> line or whatever that inherently inserts some latency in the
> communications.
In this case it is 100 MBit uplinks with very low latency.
> Anyhow, the multi-primary setup with asynchronous routing is really bad
> design for stateful firewalls. The key problem is that stateful
> firewalling works at flow level and OSPF only knows about packets.
> The preferred way to go should be the multi-primary with symmetric
> routing.
I am not sure if this can be achieved with OSPF - there are many differing
posts on that out there, but I am also having an intensive look at that, of
course.
Thanks for your patience.
Dirk