I used pf + carp on OpenBSD in 2004. It was really awesome to fail over from 1 firewall to the other without losing TCP + UDP states for all the servers and clients behind the cluster. pf is really powerful. pf on OpenBSD even more! Another nice feature is to tweak some TCP options per rule. Let's say you want to fast-expire TCP port 443 connections to your CDN servers but still keep normal TCP timeouts for the rest. Nice article.