From owner-freebsd-security@FreeBSD.ORG Thu Mar 27 06:10:15 2003
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A13B037B401 for ; Thu, 27 Mar 2003 06:10:15 -0800 (PST)
Received: from smtp.datapro.co.za (mail.uskonet.com [196.3.164.40]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6756043FA3 for ; Thu, 27 Mar 2003 06:10:12 -0800 (PST) (envelope-from etienne@unix.za.org)
Received: from madcow.datapro.co.za ([196.35.242.87]) by smtp.datapro.co.za (8.12.8/8.12.8) with ESMTP id h2REA77K013119; Thu, 27 Mar 2003 16:10:08 +0200
From: Etienne Ledoux
To: Michael Richards
In-Reply-To: <3E82142E.000017.64676@ns.interchange.ca>
References: <3E82142E.000017.64676@ns.interchange.ca>
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
X-Mailer: Evolution/1.0.2
Date: 27 Mar 2003 16:08:23 +0200
Message-Id: <1048774105.27599.15.camel@madcow>
Mime-Version: 1.0
X-Spam-Status: No, hits=-32.4 required=5.0 tests=EMAIL_ATTRIBUTION,IN_REP_TO,QUOTED_EMAIL_TEXT,REFERENCES, REPLY_WITH_QUOTES,USER_AGENT_XIMIAN autolearn=ham version=2.50
X-Spam-Level:
X-Spam-Checker-Version: SpamAssassin 2.50 (1.173-2003-02-20-exp)
cc: freebsd-security@freebsd.org
Subject: Re: Multiple Firewalls with ipfilter?
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 27 Mar 2003 14:10:46 -0000

I guess this idea isn't as good but it worked for me. I used ipf (ipfw or anything else should work too) with freevrrpd.
Both master and slave firewalls are exactly the same, except that my second firewall had two extra rules right at the top:

# Allow all established connections
pass in quick proto tcp all flags A/SA keep state keep frags
pass out quick proto tcp all flags A/SA keep state keep frags
#pass in quick proto udp all keep state keep frags
#pass out quick proto udp all keep state keep frags

This automatically created the state entries for established connections as soon as the other firewall goes down. But I guess most people won't like having those rules in their rulebase.

e.

On Wed, 2003-03-26 at 22:57, Michael Richards wrote:
> We're supposed to provide redundant firewall service. I'm wondering
> if anyone has ever tried to do this and if it's realistic. Basically
> 2 firewall machines hooked up so if one fails the other will
> transparently step in. I've googled it to death without much luck.
>
> The security issue here lies in that the 2 firewalls can't talk to
> each other. So if I'm keeping state on a connection then the second
> firewall has to know about that connection otherwise it will close if
> that firewall dies.
>
> Any ideas?
>
> -Michael
> _________________________________________________________________
> http://fastmail.ca/ - Fast Secure Web Email for Canadians
> ----
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
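The trade-off behind the two "flags A/SA keep state" pick-up rules, shown as an added example that is not part of the message above and is not ipfilter code: a small Python model of an ipf-style ruleset (state table consulted first, last-match semantics unless a rule is "quick", packets matching no rule passed, "flags X/Y" meaning that of the bits in Y exactly the bits in X must be set). The base ruleset, the hosts (RFC 5737 documentation addresses) and the packets are constructed for the illustration. It shows why the slave needs those rules to pick up a connection that was established through the master, and also why most people would not want them: any TCP segment with ACK set and SYN clear, from anywhere to any port, now passes and seeds a state entry, so for ACK-flagged traffic the slave behaves like a stateless filter.

```python
"""Toy model of an ipfilter-style stateful ruleset (added example, not ipf code)."""
from dataclasses import dataclass, field

# Constructed hosts for the example.
WEB = "10.0.0.5"
CLIENT = "203.0.113.7"
ATTACKER = "198.51.100.9"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # subset of {"S", "A", "F", "P", "R"}


@dataclass
class Rule:
    action: str           # "pass" or "block"
    direction: str        # "in" or "out"
    flags: tuple = None   # (set_bits, mask_bits): ("A", "SA") models ipf "flags A/SA"
    dst: str = None       # None models "all"
    dport: int = None
    keep_state: bool = True
    quick: bool = True

    def matches(self, pkt, direction):
        if self.direction != direction:
            return False
        if self.dst is not None and pkt.dst != self.dst:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.flags is not None:
            want, mask = self.flags
            # of the bits named in the mask, exactly the wanted ones must be set
            if {b for b in pkt.flags if b in mask} != set(want):
                return False
        return True


@dataclass
class Firewall:
    rules: list
    state: set = field(default_factory=set)

    def _key(self, pkt):
        # direction-independent endpoint pair, so the reply hits the same entry
        return frozenset([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])

    def filter(self, pkt, direction):
        """Return 'pass' or 'block': state table first, then the rule list."""
        if self._key(pkt) in self.state:
            return "pass"
        matched = None
        for r in self.rules:
            if r.matches(pkt, direction):
                matched = r          # last match wins ...
                if r.quick:
                    break            # ... unless the rule is quick
        if matched is None:
            return "pass"            # ipf passes what no rule matches
        if matched.action == "pass" and matched.keep_state:
            self.state.add(self._key(pkt))
        return matched.action


# Constructed base policy shared by master and slave: only new connections
# (SYN set, ACK clear, "flags S/SA") to the web server are allowed in.
BASE = [
    Rule("pass", "in", flags=("S", "SA"), dst=WEB, dport=80),
    Rule("block", "in", keep_state=False),
    Rule("block", "out", keep_state=False),
]
# Model of the two extra rules from the message: ACK set, SYN clear, any host, any port.
PICKUP = [
    Rule("pass", "in", flags=("A", "SA")),
    Rule("pass", "out", flags=("A", "SA")),
]


def failover(slave_rules):
    """Client connects through the master, master dies, slave sees the next segment.
    Returns the slave's verdicts for the in-flight data segment and the server's reply."""
    master = Firewall(BASE)
    slave = Firewall(slave_rules)
    syn = Packet(CLIENT, 40000, WEB, 80, frozenset("S"))
    assert master.filter(syn, "in") == "pass"      # state exists only on the master
    data = Packet(CLIENT, 40000, WEB, 80, frozenset("AP"))
    reply = Packet(WEB, 80, CLIENT, 40000, frozenset("A"))
    return slave.filter(data, "in"), slave.filter(reply, "out")


def ack_probe(slave_rules):
    """The cost of the pick-up rules: an unsolicited ACK to a port the policy never opened."""
    slave = Firewall(slave_rules)
    probe = Packet(ATTACKER, 55555, WEB, 22, frozenset("A"))
    return slave.filter(probe, "in")
```

Running failover(BASE) gives ("block", "block"): the slave has no state for the connection and the data segment does not match the SYN-only rule, so the connection dies with the master, which is exactly the problem Michael described. With failover(PICKUP + BASE) both verdicts are "pass", because the first A/SA segment seeds the slave's state table. The same rules make ack_probe(PICKUP + BASE) return "pass" where ack_probe(BASE) returns "block": anything with the ACK bit set walks through and gets a state entry, which is the reason to keep such rules out of a normal rulebase, or at least to restrict them to the expected source and destination networks and ports instead of "all".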