Date: Thu, 27 Mar 2003 16:41:21 -0000
From: "Roger " <raqlist@fareham.org>
To: freebsd-security@freebsd.org
Subject: Re: Multiple Firewalls with ipfilter?
Message-ID: <3E8329B1.23977.BBB6042@localhost>
In-Reply-To: <20030327162137.GA16141@gothmog.gr>
References: <20030327145525.GF24413@mitternachtsstun.de>
Forget the ipfw state, the ARP and TCP layers are bigger problems if you want to keep existing connections alive.

MAC layer:- If your 'primary' box fails then unless you fake the MAC addresses on the interfaces, the nearby IP routers won't have the IP->MAC routing tables set up for 2 minutes (ARP will cache it for 20 seconds, but if your packets keep retrying then only after 2 minutes will it eventually force an ARP request over the wire). Even if you fake the MAC addresses then you'll have to send a packet out from both interfaces so that the Ethernet switches know that the location of the MAC address has changed, otherwise you still wouldn't get the packets.

TCP:- Unless you mirror the entire internal state of the connection you'll have problems: what happens when one end of the connection asks your 'secondary' box to repeat a packet which got lost en route from the 'primary' box? What about sequence numbers?

You could use a non-stateful firewall and avoid all the firewall state problems (OK, you get another set of problems instead), but if you want the existing connections to survive the handover, you've got several other (more complex) layers to worry about!

Roger.
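The MAC-layer handover problem described in the message, as an added model that is not code from the thread or from FreeBSD: a learning switch and an upstream router's ARP cache, with the primary firewall dying at t=0 and the router retrying once a second. The topology, addresses and a fixed 20-second ARP lifetime are constructed assumptions (the real retry-extended behaviour the mail mentions is not modelled); the point is to show which combination of faking the MAC and sending a frame from it gets packets flowing again without waiting for the cache to expire.

```python
ARP_TTL = 20                        # seconds a resolved ARP entry stays valid (assumed fixed)
FW_IP = "192.0.2.1"                 # firewall's shared IP (constructed)
MAC_PRIMARY = "02:00:00:00:00:01"   # real MAC of the primary box (constructed)
MAC_STANDBY = "02:00:00:00:00:02"   # real MAC of the standby box (constructed)
PORT_PRIMARY, PORT_STANDBY = 1, 2   # switch ports the two boxes hang off

class Switch:
    """Learning switch: remembers the port each source MAC was last seen on."""

    def __init__(self):
        self.cam = {MAC_PRIMARY: PORT_PRIMARY, MAC_STANDBY: PORT_STANDBY}

    def learn(self, src_mac, port):
        self.cam[src_mac] = port

    def delivers(self, dst_mac, live_ports):
        port = self.cam.get(dst_mac)
        if port is None:                # unknown destination: flooded to every port
            return bool(live_ports)
        return port in live_ports       # known destination: sent to the learned port only

class Router:
    """Upstream router holding an ARP cache entry for the firewall's IP."""

    def __init__(self, switch):
        self.switch = switch
        self.arp = {FW_IP: (MAC_PRIMARY, ARP_TTL)}   # ip -> (mac, expiry time)

    def next_hop_mac(self, now, standby_mac):
        mac, expires = self.arp[FW_IP]
        if now < expires:
            return mac                  # cached entry still trusted, however stale
        # Expired: broadcast an ARP request. Only the standby is alive to answer,
        # and its reply frame teaches the switch where that MAC now lives.
        self.switch.learn(standby_mac, PORT_STANDBY)
        self.arp[FW_IP] = (standby_mac, now + ARP_TTL)
        return standby_mac

def failover_delay(spoof_mac, announce, horizon=300):
    """Seconds after the primary dies at t=0 until a router packet reaches the standby.
    spoof_mac: standby takes over the primary's MAC; announce: standby sends a frame
    from that MAC at t=0 so the switch relearns the port. None if nothing arrives."""
    switch, standby_mac = Switch(), MAC_PRIMARY if spoof_mac else MAC_STANDBY
    router = Router(switch)
    if announce:
        switch.learn(standby_mac, PORT_STANDBY)
    for t in range(horizon):            # router retries once per second
        if switch.delivers(router.next_hop_mac(t, standby_mac), {PORT_STANDBY}):
            return t
    return None
```

Only faking the MAC and announcing it from the standby's port gives an immediate handover; either step alone leaves the router's frames going to the dead port until the ARP entry expires and a fresh request is answered.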