Date: Wed, 26 Mar 2003 16:30:48 -0500 (EST)
From: Matt Piechota
To: Michael Richards
cc: freebsd-security@freebsd.org
Subject: Re: Multiple Firewalls with ipfilter?
Message-ID: <20030326161559.P9110@cithaeron.argolis.org>
In-Reply-To: <3E82142E.000017.64676@ns.interchange.ca>

On Wed, 26 Mar 2003, Michael Richards wrote:

> We're supposed to provide redundant firewall service. I'm wondering
> if anyone has ever tried to do this and if it's realistic. Basically
> 2 firewall machines hooked up so if one fails the other will
> transparently step in. I've googled it to death without much luck.
>
> The security issue here lies in that the 2 firewalls can't talk to
> each other. So if I'm keeping state on a connection then the second
> firewall has to know about that connection otherwise it will close if
> that firewall dies.

Caveat: I haven't tried any of this, and there may be a canned solution
I don't know about.

If I were doing this, I'd do a serial connection between the two boxes
(I assume they're in the same room). If you're just looking for failover
(and not load balancing), you could designate one to be the master, and
whenever it adds or deletes a dynamic rule, it prints it out to the
serial port. The slave machine watches the serial port and adds rules
when it sees them come over.

That'll basically work, although you really need to do some sort of
handshaking, heartbeat, and sync (so when the master comes back, it can
read in the new rules the slave created while it was minding the shop).

I suspect matching 'expect' scripts tied to the serial lines could get
the job done. Something like:

switch on:
  RULEADD - ipfw add $rest_of_line
  RULEDEL - this'll be a little tougher since you'll have to match the
            rule to the number (unless you always add the rule with the
            number from the master)
  RULEDMP - ipfw list
  HRTBEAT - actually, you don't really need this, but it's nice to keep
            status.

Just an idea.

-- 
Matt Piechota
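Added example, not code from the thread or from FreeBSD: a Python model of the serial rule-sync protocol sketched above. The master announces RULEADD/RULEDEL and always includes the rule number, so the slave never has to match a rule text back to a number; HRTBEAT carries liveness; RULEDMP lets a rebooted master read back the rules the slave created while it was minding the shop. The wire format, field names, the RULE/RULEEND dump reply and the sample ipfw rules are all assumptions made for this example. It also shows the check an expect script built around `ipfw add $rest_of_line` would need: whatever arrives on the serial line would otherwise go straight into an ipfw command, so the parser refuses anything outside a conservative character set before it can reach the firewall.

```python
import re

# Constructed wire format for this example (an assumption; the thread does not
# specify one): one ASCII line per message, space-separated fields.
#   RULEADD <num> <rule text> | RULEDEL <num> | HRTBEAT <seq>
#   RULEDMP  -> peer replies with RULE <num> <rule text> lines, then RULEEND
# The master always sends the rule number, so RULEDEL needs no rule matching.
FIELDS = {"RULEADD": 3, "RULE": 3, "RULEDEL": 2, "HRTBEAT": 2, "RULEDMP": 1, "RULEEND": 1}
RULE_TEXT_RE = re.compile(r"^[A-Za-z0-9 .:/,\-]+$")  # no shell metacharacters

class ProtocolError(ValueError):
    """Raised for any line that must not be handed to ipfw."""

def parse(line):
    """Return (verb, num, rule_text) for a well-formed line, else raise."""
    parts = line.rstrip("\r\n").split(" ", 2)
    verb, num, text = parts[0], None, None
    if FIELDS.get(verb) != len(parts):
        raise ProtocolError(line)
    if len(parts) > 1:
        if not parts[1].isdigit() or (verb != "HRTBEAT" and not 1 <= int(parts[1]) <= 65535):
            raise ProtocolError(line)              # ipfw rule numbers are 1..65535
        num = int(parts[1])
    if len(parts) == 3:
        if not RULE_TEXT_RE.match(parts[2]):
            raise ProtocolError(line)
        text = parts[2]
    return verb, num, text

def rejects(line):
    """True if parse() refuses the line."""
    try:
        parse(line)
    except ProtocolError:
        return True
    return False

class Firewall:
    """One box: `rules` stands in for the ipfw table, `commands` for what it ran."""
    def __init__(self):
        self.rules, self.commands, self.outbox, self.last_beat = {}, [], [], None

    def add_rule(self, num, text, announce):
        self.rules[num] = text
        self.commands.append(f"ipfw add {num} {text}")
        if announce:                                  # tell the peer over serial
            self.outbox.append(f"RULEADD {num} {text}")

    def del_rule(self, num, announce):
        self.rules.pop(num, None)
        self.commands.append(f"ipfw delete {num}")
        if announce:
            self.outbox.append(f"RULEDEL {num}")

    def receive(self, line):
        """Apply one line from the peer; parse() vets it first."""
        verb, num, text = parse(line)
        if verb == "RULEADD":
            self.add_rule(num, text, announce=False)
        elif verb == "RULEDEL":
            self.del_rule(num, announce=False)
        elif verb == "HRTBEAT":
            self.last_beat = num
        elif verb == "RULEDMP":                       # peer wants a full resync
            self.outbox += [f"RULE {n} {self.rules[n]}" for n in sorted(self.rules)]
            self.outbox.append("RULEEND")
        elif verb == "RULE" and num not in self.rules:
            self.add_rule(num, text, announce=False)

def deliver(src, dst):
    """Drain src's queue across the serial link; return the lines dst refused."""
    rejected = []
    while src.outbox:
        line = src.outbox.pop(0)
        try:
            dst.receive(line)
        except ProtocolError:
            rejected.append(line)
    return rejected

def failover_scenario():
    """Master mirrors to slave, dies, slave changes rules alone, master comes
    back and pulls the slave's table with RULEDMP. Returns the end state."""
    master, slave = Firewall(), Firewall()
    master.add_rule(1000, "allow tcp from 10.0.0.5 to 192.0.2.10 443 keep-state", True)
    master.add_rule(1001, "allow udp from 10.0.0.7 to 192.0.2.53 53 keep-state", True)
    master.outbox.append("HRTBEAT 1")
    deliver(master, slave)
    # Master dies; the slave minds the shop and makes its own changes.
    slave.add_rule(1002, "allow tcp from 10.0.0.9 to 192.0.2.10 22 keep-state", True)
    slave.del_rule(1000, True)
    slave.outbox.clear()                  # written to a dead peer: lost on the wire
    master = Firewall()                   # rebooted with an empty dynamic table
    master.outbox.append("RULEDMP")
    deliver(master, slave)                # slave queues RULE ... RULEEND
    deliver(slave, master)
    return {"master": master.rules, "slave": slave.rules,
            "master_commands": master.commands, "slave_beat": slave.last_beat}

if __name__ == "__main__":
    state = failover_scenario()
    print("in sync:", state["master"] == state["slave"], sorted(state["master"]))
    print("refused:", rejects("RULEADD 1003 allow ip from any to any; rm -rf /"))
```

The in-memory `rules` dict and `commands` list stand in for a real `ipfw add`/`ipfw delete`; on a live box `receive()` would exec those commands with the parsed fields as separate arguments, never through a shell. The same whitelist parser is what an expect script would need in front of `ipfw add $rest_of_line`, since the serial port is a trusted command channel into the firewall for anyone who can reach it.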