From owner-freebsd-security Fri Jun 14 3:34:44 2002
Delivered-To: freebsd-security@freebsd.org
Subject: Re: firewall 'stateful failover'
From: Andrey Sverdlichenko
To: security@freebsd.org
In-Reply-To: <20020610155455.Y96521-100000@snafu.adept.org>
References: <20020610155455.Y96521-100000@snafu.adept.org>
Date: 14 Jun 2002 15:38:26 +0500
Message-Id: <1024051106.78535.11.camel@xen.infosec.ru>

On Tue, 2002-06-11 at 04:10, Mike Hoskins wrote:
> Is there a way to handle the state table in ipfw/ipf? I could write
> scripts to do 'failover', but I'm wondering if there's a way to 'share'
> the state table between active and standby units or to pass the state
> table from one firewall to another over a crossover.

It's a really hard thing to do. Our product implements failover with ipf, but it's ugly: every 5 seconds a user-level program gets the state table from the kernel and transfers it to the failover unit. But:

a) some TCP connections transfer more data in these seconds than the TCP window, so after the switch ipf blocks new packets as "not fitting in window". I made an ugly patch: the first packets after the switch to the failover unit are "trusted" and new sequence numbers are set from them.

b) while the state table is being fetched from the kernel, it's locked, so no new connections will be added and SYNs will be dropped.

It is not important to our customers, but YMMV. Possibly the only way to do good stateful failover is to make it in the kernel, with instant transfer of state changes.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
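A toy model of the periodic user-level state sync described in the reply above, added here as an example and not code from the mail or from ipf: it shows why a standby unit working from a table that is up to one sync interval stale rejects a busy TCP flow as "not fitting in window" (point a), how reseeding the sequence number from the first post-switch packet recovers, and that new connections are refused while the table is locked for copying (point b). The window size, sync interval, MSS and flow key are constructed values.

```python
# Added example: toy model of periodic state replication between firewalls.
from dataclasses import dataclass

WINDOW = 65535        # constructed: window the filter enforces, in bytes
SYNC_INTERVAL = 5     # seconds between pushes of the state table to standby
MSS = 1460            # bytes carried by one full-size segment


@dataclass
class State:
    seq: int                # highest sequence number the filter has passed
    trusted: bool = False   # first packet after a switch may reseed seq


class Firewall:
    def __init__(self):
        self.table, self.locked = {}, False  # locked while being copied out

    def add(self, flow, seq):  # new connection (SYN); refused while locked
        if self.locked:
            return False
        self.table[flow] = State(seq)
        return True

    def snapshot(self):  # copy of the table for transfer to the standby
        return {flow: State(st.seq) for flow, st in self.table.items()}

    def take_over(self, snap, trust_first):  # trust_first models the patch
        self.table = {f: State(s.seq, trust_first) for f, s in snap.items()}

    def accept(self, flow, seq):
        st = self.table.get(flow)
        if st is None:
            return False
        if st.trusted or (seq - st.seq) % 2**32 <= WINDOW:
            st.seq, st.trusted = seq, False  # advance window, or reseed once
            return True
        return False


def failover(bytes_per_sec, trust_first):
    """Does the first segment after a switch pass the standby unit?"""
    active, standby = Firewall(), Firewall()
    flow = ("10.0.0.1", 40000, "10.0.0.2", 80)   # constructed flow key
    active.add(flow, 1000)
    last_push = active.snapshot()                # replicated SYNC_INTERVAL s ago
    seq = 1000 + bytes_per_sec * SYNC_INTERVAL   # traffic never replicated
    active.accept(flow, seq)
    standby.take_over(last_push, trust_first)    # active unit dies here
    return standby.accept(flow, seq + MSS)
```

A slow flow (1 kB/s) survives the switch, while a 1 MB/s flow is dropped unless the first packet is trusted and reseeds the state.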