Date: Wed, 25 Oct 2000 19:13:40 -0400 (EDT)
From: Chris BeHanna
Reply-To: behanna@zbzoom.net
To: freebsd-hackers@freebsd.org
Subject: Re: question for the freebsd community
In-Reply-To: <39F71657.8855C56D@polyserve.com>

On Wed, 25 Oct 2000, Michelle R. Sanchez, CNE wrote:

> [...company makes high availability clustering software, and
> supports FreeBSD...]
>
> we have had a lot of requests from customers wishing to make their
> firewalls highly available by clustering them together and putting a
> service monitor on the firewall port in case the firewall daemon should
> hang. this is probably not very likely but they would like to be able to
> do so in any case.
>
> my questions are these:
>
> 1] is it a good idea to try to put a service monitor on IPFW? If so,
> does this compromise the firewall in any way?

ipfw is not a daemon, and does not have a designated port to
monitor--it's a kernel option to do packet filtering. If a kernel is
built with the IPFIREWALL option, and the machine is running, then the
firewall is also running, period.

That should make the monitor as simple as asking the machine "Are you
alive?". :-)

I'd suggest "man ipfw" and also look at /sys/i386/conf/LINT for more
details.
--
Chris BeHanna
Software Engineer (at yourfit.com)
behanna@zbzoom.net