From: "Michael Richards"
Date: Wed, 26 Mar 2003 18:31:56 -0500 (EST)
To: elliot@cs.montana.edu
cc: freebsd-security@freebsd.org
Subject: Re: Multiple Firewalls with ipfilter?
Message-Id: <3E82386C.000003.20487@ns.interchange.ca>

The problem here is really 2-pronged:

1) I need some means of realising that the firewall just died and transparently switching over to the backup, or load balancing the two so if one dies the other takes up the slack.

2) I need a means of syncing the state info so existing connections won't be torn down if they end up going through the other firewall.

Sounds like a solution people would normally pay an obscene amount of money for, but I'd be surprised if there isn't a way to do this. Maybe something with routing could do the balancing...

-Michael

>> -SNIP
>> The security issue here lies in that the 2 firewalls can't talk
>> to each other. So if I'm keeping state on a connection then the
>> second firewall has to know about that connection otherwise it
>> will close if that firewall dies.
>>
> what do you mean, can't talk to each other?
> /usr/src/ports/net/freevrrpd/ might help you a little, but not
> state awareness