Date: 14 Jun 2002 15:38:26 +0500
From: Andrey Sverdlichenko <blaze@infosec.ru>
To: security@freebsd.org
Subject: Re: firewall 'stateful failover'
Message-ID: <1024051106.78535.11.camel@xen.infosec.ru>
In-Reply-To: <20020610155455.Y96521-100000@snafu.adept.org>
References: <20020610155455.Y96521-100000@snafu.adept.org>
On Tue, 2002-06-11 at 04:10, Mike Hoskins wrote:
> Is there a way to handle the state table in ipfw/ipf? I could write
> scripts to do 'failover', but I'm wondering if there's a way to 'share'
> the state table between active and standby units or to pass the state
> table from one firewall to another over a crossover.

It's a really hard thing to do. Our product implements failover with ipf, but it's ugly: every 5 seconds a user-level program gets the state table from the kernel and transfers it to the failover unit. But:

a) Some TCP connections transfer more data in those seconds than the TCP window, so after the switch ipf blocks new packets as "not fitting in window". I made an ugly patch: the first packets after the switch to the failover unit are "trusted" and new sequence numbers are set from them.

b) While fetching the state table from the kernel, it's locked, so no new connections will be added and SYNs will be dropped. It is not important to our customers, but YMMV.

Possibly the only way to do good stateful failover is to do it in the kernel, with instant transfer of state changes.
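The window problem from point (a), as an added simplified model in Python (not code from the original mail, from ipf, or from the author's product): the standby holds a state snapshot up to SYNC_INTERVAL seconds old, so a busy connection can advance its sequence numbers past the standby's window before failover; the "trust the first packet" patch resets the expected sequence number from that packet. SYNC_INTERVAL, WINDOW, the initial sequence number and the traffic rates are constructed values.

```python
"""Constructed model of periodic state-table sync and TCP window checks.
Not ipf's real code: it only captures the check that rejects packets
whose sequence number falls outside the expected window."""

SYNC_INTERVAL = 5      # seconds between user-level state copies (assumed)
WINDOW = 65535         # receive window tracked in the state entry (assumed)
SEQ_MOD = 1 << 32      # TCP sequence numbers wrap at 2**32


class TcpState:
    """One direction of a tracked connection: next expected seq and window."""

    def __init__(self, seq, window=WINDOW):
        self.seq = seq % SEQ_MOD
        self.window = window

    def fits(self, pkt_seq):
        """Window check: packet seq must lie within [seq, seq + window)."""
        return (pkt_seq - self.seq) % SEQ_MOD < self.window

    def copy(self):
        return TcpState(self.seq, self.window)


def run_failover(bytes_per_second, seconds_since_sync, resync_on_first=False):
    """Simulate a switch to the standby after the connection kept flowing on
    the primary for seconds_since_sync seconds (at most SYNC_INTERVAL).
    Returns True if the standby accepts the first packet after the switch."""
    assert 0 <= seconds_since_sync <= SYNC_INTERVAL
    primary = TcpState(seq=1000)             # constructed initial seq
    standby = primary.copy()                 # snapshot taken at the last sync
    # The primary keeps passing data until the switch happens; the standby
    # never sees these sequence-number advances.
    primary.seq = (primary.seq + bytes_per_second * seconds_since_sync) % SEQ_MOD
    first_pkt_seq = primary.seq
    if resync_on_first:
        # The "ugly patch": the first packet after the switch is trusted and
        # the standby's expected sequence number is reset from it, so the
        # window check is effectively skipped for that packet.
        standby.seq = first_pkt_seq
    return standby.fits(first_pkt_seq)


if __name__ == "__main__":
    print("slow flow, 4 s stale:", run_failover(10_000, 4))          # True
    print("busy flow, 4 s stale:", run_failover(100_000, 4))         # False
    print("busy flow, resynced:", run_failover(100_000, 4, True))    # True
```

A flow moving more than WINDOW bytes between two syncs is exactly the case the mail describes; the resync path accepts it at the cost of not validating that one packet's sequence number.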