* LeviaComm Networks NOC <[email protected]> [2010-06-02 05:59]:
> You do not want the systems seeing each other before they are both
> upgraded. I learned this after seeing the havoc that can be wreaked
> with Cisco Firewalls when they are not the same version, but sharing
> the same config. It isn't pretty, and neither are the e-mails you
> get from the users. Believe me, the 5 minutes the firewall is down
> pales in comparison to the time wasted when both firewalls are
> over-writing the other's configs.
OpenBSD isn't as stupid and bad as Cisco. I upgrade all my carped firewall pairs without downtime. Yes, 4.6 and 4.7 require you to adapt your pf config. 4.5->4.6 is trivial. 4.6->4.7 isn't black magic either, but admittedly not trivial any more. Also, due to pfsync changes, the failover isn't perfect (pfsync is out of the equation), so you'll lose your sessions. Given how often I lose perfectly valid TCP sessions that just idle a bit when I am at foreign networks (conferences, especially at universities, hotels, ...), users must be used to that :)

--
Henning Brauer, [email protected], [email protected]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting

