From owner-freebsd-security@FreeBSD.ORG Thu Mar 27 01:17:03 2003
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C82A537B40E; Thu, 27 Mar 2003 01:17:03 -0800 (PST)
Received: from avgw.vxserver.com (mail.ridgeway-sys.com [194.128.67.178]) by mx1.FreeBSD.org (Postfix) with SMTP id 0143044108; Thu, 27 Mar 2003 01:08:04 -0800 (PST) (envelope-from raqlist@fareham.org)
Received: from disney.internal.ridgewaysystems.com ([194.128.67.181]) by avgw.vxserver.com (NAVGW 2.5.2.12) with SMTP id M2003032709064002480; Thu, 27 Mar 2003 09:06:40 GMT
Received: from Unknown [10.1.1.113] by disney.internal.ridgewaysystems.com - SurfControl E-mail Filter (4.5); Thursday, 27 March 2003, 09:15:29
Message-ID: <3E82BF70.25089.A1C525A@localhost>
From: "Roger "
To: freebsd-security@freebsd.org
Date: Thu, 27 Mar 2003 09:08:00 -0000
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7BIT
X-mailer: Pegasus Mail for Windows (v4.01)
References: <3E82142E.000017.64676@ns.interchange.ca>
Priority: normal
In-reply-to: <20030326161559.P9110@cithaeron.argolis.org>
Content-description: Mail message body
X-Spam-Status: No, hits=-19.6 required=5.0 tests=IN_REP_TO,QUOTED_EMAIL_TEXT,REFERENCES,REPLY_WITH_QUOTES autolearn=ham version=2.50
X-Spam-Checker-Version: SpamAssassin 2.50 (1.173-2003-02-20-exp)
Subject: Re: Multiple Firewalls with ipfilter?
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
X-List-Received-Date: Thu, 27 Mar 2003 09:17:23 -0000

You would have to fake up the MAC addresses on the Ethernet ports (otherwise
the ARP tables will be wrong), and sync the TCP/IP stack's state for it to
work. That would need more than a serial port to sync.

Roger.
Date sent:      Wed, 26 Mar 2003 16:30:48 -0500 (EST)
From:           Matt Piechota
To:             Michael Richards
Copies to:      freebsd-security@freebsd.org
Subject:        Re: Multiple Firewalls with ipfilter?

> On Wed, 26 Mar 2003, Michael Richards wrote:
>
> > We're supposed to provide redundant firewall service. I'm wondering
> > if anyone has ever tried to do this and if it's realistic. Basically
> > 2 firewall machines hooked up so if one fails the other will
> > transparently step in. I've googled it to death without much luck.
> >
> > The security issue here lies in that the 2 firewalls can't talk to
> > each other. So if I'm keeping state on a connection then the second
> > firewall has to know about that connection otherwise it will close if
> > that firewall dies.
>
> Caveat: I haven't tried any of this, and there may be a canned solution I
> don't know about.
>
> If I were doing this, I'd do a serial connection between the two boxes (I
> assume they're in the same room). If you're just looking for failover
> (and not load balancing), you could designate one to be the master, and
> whenever it adds or deletes a dynamic rule, it prints it out to the serial
> port. The slave machine watches the serial port and adds rules when it
> sees them come over.
>
> That'll basically work, although you really need to do some sort of
> handshaking, heartbeat, and sync (so when the master comes back, it can
> read in the new rules the slave created while it was minding the shop).
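The master/slave scheme in the quoted message, modelled as an added example that is not part of this thread and not ipfilter code: the master numbers every ADD/DEL it writes to the line, a heartbeat carries the current number so the slave notices a gap even when the table is idle, a CRC on each line catches serial noise, a RESYNC asks the master for a full dump, and after the master's outage a SYNC_REQ pulls back the table the slave built while it was minding the shop. The message names, the CRC framing, HB_LIMIT, the Node class and the RFC 5737 addresses are all assumptions made for illustration.

```python
# Toy model of the serial-link state sync sketched in the thread. Constructed example, not
# ipfilter code: message names, CRC framing and HB_LIMIT are assumptions for illustration.
import zlib

HB_LIMIT = 3  # silent heartbeat intervals before the slave promotes itself (assumed)


def frame(*fields):  # one message per text line, CRC32 appended so line noise is detected
    body = " ".join(str(x) for x in fields)
    return f"{body} {zlib.crc32(body.encode()):08x}"


def parse(line):  # fields of a frame, or None if the CRC does not match
    body, _, crc = line.rpartition(" ")
    return body.split(" ") if f"{zlib.crc32(body.encode()):08x}" == crc else None


class Node:
    """One firewall's state table; the master calls change(), the slave handle() and tick()."""

    def __init__(self):
        self.table = {}       # (proto, src, sport, dst, dport) -> state name
        self.seq = 0          # last change number sent (master) or accepted (slave)
        self.missed = 0       # heartbeat intervals with nothing heard from the master
        self.active = False   # True once the slave has taken over the traffic
        self.syncing = False  # a full dump is in flight and supersedes incremental frames

    def change(self, op, flow, state=None):
        """Master side: apply an ADD or DEL locally and return the numbered frame for the slave."""
        self.seq += 1
        self.table.pop(flow, None)
        if op == "ADD":
            self.table[flow] = state
        return frame(self.seq, op, *flow, *([state] if state else []))

    def dump(self):
        body = [frame(self.seq, "SYNC", *f, s) for f, s in self.table.items()]
        return [frame(self.seq, "SYNC_BEGIN")] + body + [frame(self.seq, "SYNC_END")]

    def handle(self, line):
        """Apply one frame from the peer; returns the frames to send back."""
        f = parse(line)
        if f is None:
            return []   # corrupted on the wire: drop it, the numbering gap is caught below
        seq, op, flow = int(f[0]), f[1], tuple(f[2:7])
        self.missed = 0
        if op in ("RESYNC", "SYNC_REQ"):          # peer wants the whole table; SYNC_REQ: step down
            self.active = self.active and op == "RESYNC"
            return self.dump()
        if op == "SYNC_BEGIN":
            self.table, self.syncing = {}, True   # stale entries the dump omits must go
        elif op == "SYNC":
            self.table[flow] = f[7]
        elif op == "SYNC_END":
            self.seq, self.syncing = seq, False   # both ends now agree on the change number
        elif self.syncing or (op == "HB" and seq == self.seq):
            pass                                  # dump in flight, or idle and in step
        elif op in ("ADD", "DEL") and seq == self.seq + 1:
            self.seq = seq
            self.table.pop(flow, None)            # DEL removes the entry, ADD replaces it
            if op == "ADD":
                self.table[flow] = f[7]
        else:                                     # numbering does not line up: ask for everything
            self.syncing = True
            return [frame(self.seq, "RESYNC")]
        return []

    def tick(self):  # timer callback once per heartbeat interval; promote after HB_LIMIT silent ones
        self.missed += 1
        self.active = self.active or self.missed >= HB_LIMIT
        return self.active


def scenario():  # constructed walk-through: a garbled frame, a lost frame, failover, failback
    m, s, out = Node(), Node(), {}
    a = ("tcp", "192.0.2.10", "40001", "198.51.100.5", "22")   # RFC 5737 addresses, made-up flows
    b = ("tcp", "192.0.2.11", "40002", "198.51.100.5", "443")
    c = ("udp", "192.0.2.12", "5353", "198.51.100.9", "53")
    d = ("tcp", "192.0.2.13", "40003", "198.51.100.5", "25")

    def line(frm):   # the serial link: deliver to the slave, feed any reply back to the master
        for reply in s.handle(frm):
            for resp in m.handle(reply):
                s.handle(resp)

    line(m.change("ADD", a, "ESTABLISHED"))
    line(m.change("ADD", b, "SYN_SENT"))
    line(m.change("ADD", c, "UDP").replace(" UDP ", " UPD "))   # line noise garbles one frame
    out["noise_dropped"] = c not in s.table
    line(frame(m.seq, "HB"))                          # heartbeat says seq 3, slave is at 2 -> RESYNC
    out["resync_after_noise"] = s.table == m.table and s.seq == m.seq == 3
    m.change("DEL", a)                                # this frame never reaches the slave
    line(m.change("DEL", b))                          # seq 5 arrives, 4 expected -> RESYNC
    out["resync_after_gap"] = s.table == m.table == {c: "UDP"}
    out["took_over"] = [s.tick() for _ in range(HB_LIMIT)]   # master silent: promoted on the 3rd
    s.table[d] = "ESTABLISHED"                        # connection the slave accepted on its own
    for reply in s.handle(frame(m.seq, "SYNC_REQ")):  # master is back and asks for the table
        m.handle(reply)
    out["failback"] = m.table == s.table == {c: "UDP", d: "ESTABLISHED"} and not s.active
    line(m.change("ADD", a, "ESTABLISHED"))           # numbering resumes from the agreed seq
    out["resumed"] = s.table == m.table and s.seq == m.seq == 6
    return out
```

Call scenario() to walk through the cases in order; every key in the returned dict is True (took_over is [False, False, True]). What this does not cover is the point Roger raises: it mirrors the firewall's own state table, not the kernel's TCP/IP stack, and on failover the slave still has to present the master's IP and MAC addresses, or the neighbours' ARP tables keep pointing at the dead box and none of the mirrored state is reachable.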