Subject: Re: pf status
To: Pavel Cahyna <>
From: Marcin Jessa <>
List: current-users
Date: 07/29/2005 22:00:09

On Fri, 29 Jul 2005 15:24:44 +0200
Pavel Cahyna <> wrote:

> On Fri, 29 Jul 2005 13:56:46 +0200, Marcin Jessa wrote:
> > On Fri, 29 Jul 2005 03:49:00 -0700
> > (John Nemeth) wrote:
> >>      From what I've read in the past, I don't believe that CARP is an
> >> implementation of VRRP, but rather a home brewed protocol designed to
> >> serve a similar purpose.
> > 
> > CARP works great.
> > Please read for more info.
> > You're of course entitled to have your own opinion, even based on some loose rumours,
> > but I suggest you test it yourself first and then make up your mind.
> Why should anybody test it just to tell if it is a home brewed protocol or
> not? And how is the fact that it "works great" relevant to this
> discussion? One might rather want to see some documentation, which is
> unfortunately missing.

Test it to realize how well it performs/works.
It works perfectly in every case I've used it so far, as opposed to OpenVRPR, "home brewed" or not.


> BTW if you have experience with CARP, could you please explain why a
> kernel implementation is desirable,
Correct handling of ARP, I would say.

> and how is it related to the pf firewall?
"Additions to the pfsync(4) interface allow CARP to synchronise state table entries between two or more firewalls which are operating in parallel, allowing stateful connections to cross any of the firewalls regardless of where the state was initially created."

The pfsync interface is a pseudo-device which exposes certain changes to the state table used by pf(4).

I hope the provided information will help you understand the subject you're discussing.

Marcin Jessa.