From owner-freebsd-security@FreeBSD.ORG Wed Mar 26 13:37:25 2003
Date: Wed, 26 Mar 2003 16:37:21 -0500
From: Eric L Howard
To: freebsd-security@freebsd.org
Message-ID: <20030326213721.GB524@outreachnetworks.com>
In-Reply-To: <3E82142E.000017.64676@ns.interchange.ca>
Subject: Re: Multiple Firewalls with ipfilter?
At a certain time, now past [Wed, Mar 26, 2003 at 03:57:18PM -0500], Michael Richards spake thusly:
> We're supposed to provide redundant firewall service. I'm wondering
> if anyone has ever tried to do this and if it's realistic. Basically
> 2 firewall machines hooked up so if one fails the other will
> transparently step in. I've googled it to death without much luck.
>
> The security issue here lies in that the 2 firewalls can't talk to
> each other. So if I'm keeping state on a connection then the second
> firewall has to know about that connection otherwise it will close if
> that firewall dies.

[admin@zechariah ports]# make search key=freevrrpd
Port:   freevrrpd-0.8.4_1
Path:   /usr/ports/net/freevrrpd
Info:   This a VRRP RFC2338 Compliant implementation under FreeBSD
Maint:  spe@bsdfr.org
Index:  net
B-deps:
R-deps:

http://redundancy.redundancy.org/fbsd_lb.html

Though I've used VRRP quite a bit, I have not used the freevrrpd implementation.

~elh

--
Eric L. Howard                      e l h @ o u t r e a c h n e t w o r k s . c o m
------------------------------------------------------------------------
www.OutreachNetworks.com                                       313.297.9900
------------------------------------------------------------------------
JabberID: elh@jabber.org                         Advocate of the Theocratic Rule
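The reply points at a VRRP (RFC 2338) implementation for the address-failover half of the problem. The following is an added example, not code from the thread or from freevrrpd: it encodes and validates a VRRPv2 ADVERTISEMENT as laid out in RFC 2338 (version/type, VRID, priority, address count, auth type, advertisement interval, one's-complement checksum, addresses, 8 bytes of auth data) and applies the Backup-state rule for a received advertisement. The VRID, priority and addresses are constructed sample values. VRRP moves the virtual address between the two boxes; it does not copy the firewall state table, which remains the separate problem the question raises.

```python
import struct
import ipaddress

VRRP_VERSION, VRRP_ADVERTISEMENT = 2, 1
AUTH_NONE, AUTH_SIMPLE = 0, 1

def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole VRRP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_advertisement(vrid, priority, addrs, adver_int=1, password=None):
    """Encode a VRRPv2 ADVERTISEMENT (RFC 2338 section 5.3) for one virtual router."""
    auth_type = AUTH_NONE if password is None else AUTH_SIMPLE
    auth_data = (password or b"").ljust(8, b"\x00")[:8]  # always 8 bytes, zero if no auth
    header = struct.pack("!BBBBBBH", (VRRP_VERSION << 4) | VRRP_ADVERTISEMENT,
                         vrid, priority, len(addrs), auth_type, adver_int, 0)
    body = b"".join(ipaddress.IPv4Address(a).packed for a in addrs) + auth_data
    return header[:6] + struct.pack("!H", internet_checksum(header + body)) + body

def parse_advertisement(pkt: bytes) -> dict:
    """Decode and validate; raise ValueError on bad version, type, length or checksum."""
    if len(pkt) < 16: raise ValueError("short packet")
    vt, vrid, prio, count, auth_type, adver_int, _ = struct.unpack("!BBBBBBH", pkt[:8])
    if vt >> 4 != VRRP_VERSION or vt & 0x0F != VRRP_ADVERTISEMENT:
        raise ValueError("not a VRRPv2 advertisement")
    if len(pkt) != 16 + 4 * count: raise ValueError("length disagrees with Count IP Addrs")
    if internet_checksum(pkt) != 0:  # sum including the checksum field must be zero
        raise ValueError("bad checksum")
    addrs = [str(ipaddress.IPv4Address(pkt[8 + 4 * i:12 + 4 * i])) for i in range(count)]
    return {"vrid": vrid, "priority": prio, "adver_int": adver_int,
            "auth_type": auth_type, "addrs": addrs, "auth_data": pkt[-8:]}

def is_valid_advertisement(pkt: bytes) -> bool:
    try:
        parse_advertisement(pkt)
        return True
    except ValueError:
        return False

def backup_action(local_priority: int, adv: dict, preempt: bool = True) -> str:
    """Backup-state handling of a received advertisement (RFC 2338 section 6.4.2)."""
    if adv["priority"] == 0:
        return "master_down_timer = skew_time"  # master is resigning, take over shortly
    if not preempt or adv["priority"] >= local_priority:
        return "reset master_down_timer"       # a fit master is alive, stay Backup
    return "discard"                           # we outrank it; timer expiry makes us Master
```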