From: "Roger "
To: freebsd-security@freebsd.org
Date: Thu, 27 Mar 2003 16:41:21 -0000
Subject: Re: Multiple Firewalls with ipfilter?
Message-ID: <3E8329B1.23977.BBB6042@localhost>
In-reply-to: <20030327162137.GA16141@gothmog.gr>
References: <20030327145525.GF24413@mitternachtsstun.de>
List-Id: Security issues [members-only posting]

Forget the ipfw state; the ARP and TCP layers are bigger problems if you want to keep existing connections alive.
MAC layer:- If your 'primary' box fails then, unless you fake the MAC addresses on the interfaces, the nearby IP routers won't have the IP->MAC routing tables set up for 2 minutes (ARP will cache it for 20 seconds, but if your packets keep retrying then only after 2 minutes will it eventually force an ARP request over the wire). Even if you fake the MAC addresses, you'll have to send a packet out from both interfaces so that the Ethernet switches know that the location of the MAC address has changed; otherwise you still wouldn't get the packets.

TCP:- Unless you mirror the entire internal state of the connection you'll have problems: what happens when one end of the connection asks your 'secondary' box to repeat a packet which got lost en route from the 'primary' box? What about sequence numbers?

You could use a non-stateful firewall and avoid all the firewall state problems (OK, you get another set of problems instead), but if you want the existing connections to survive the handover, you've got several other (more complex) layers to worry about!

Roger.
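The MAC-layer argument in the post above can be checked with a small simulation. The following is an added example written for this archive page; it is not code from the post, from FreeBSD or from ipfilter. It models an upstream router with an ARP cache, a learning Ethernet switch, and a primary/secondary firewall pair sharing one IP address, then measures how long the router's packets keep going to the dead primary under four takeover strategies. The addresses, switch ports, the 300-second switch aging time and the 1-second simulation step are constructed assumptions; the 20-second ARP cache lifetime is the figure quoted in the post. The fourth strategy (a gratuitous ARP announcement from the secondary's own MAC, which is what most failover daemons actually send) goes slightly beyond the two options the post discusses. TCP state mirroring is not modelled.

```python
"""Toy model of the layer-2 failover problem discussed in the thread.

Constructed example: topology, addresses and timers are assumptions chosen to
illustrate the post's argument. Time advances in 1-second steps; each step the
upstream router tries to deliver one packet to the firewalls' shared IP.
"""

from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

FIREWALL_IP = "192.0.2.1"            # RFC 5737 documentation address (constructed)
PRIMARY_MAC = "02:00:00:00:00:01"    # constructed locally administered MACs
SECONDARY_MAC = "02:00:00:00:00:02"
PRIMARY_PORT, SECONDARY_PORT = 2, 3  # switch ports the two firewalls hang off

ARP_TIMEOUT = 20.0     # seconds the router trusts an ARP entry (figure from the post)
SWITCH_AGING = 300.0   # seconds the switch keeps a learned MAC -> port entry (assumed)
FAILOVER_AT = 1.0      # second at which the primary dies and the secondary takes over
HORIZON = 600.0        # simulated seconds before giving up

STRATEGIES = ("own_mac_silent", "fake_mac_silent", "fake_mac_and_send", "gratuitous_arp")


@dataclass
class Switch:
    """Learning bridge: remembers source MAC -> ingress port, forgets after SWITCH_AGING."""
    table: Dict[str, Tuple[int, float]] = field(default_factory=dict)

    def learn(self, mac: str, port: int, now: float) -> None:
        self.table[mac] = (port, now)

    def port_for(self, mac: str, now: float) -> Optional[int]:
        entry = self.table.get(mac)
        if entry is None or now - entry[1] > SWITCH_AGING:
            return None  # unknown destination: the frame is flooded to every port
        return entry[0]


@dataclass
class Router:
    """Upstream router: caches IP -> MAC and re-ARPs only once the entry has aged out."""
    cache: Dict[str, Tuple[str, float]] = field(default_factory=dict)

    def mac_for(self, ip: str, now: float) -> Optional[str]:
        entry = self.cache.get(ip)
        if entry is None or now - entry[1] > ARP_TIMEOUT:
            return None  # stale or missing: the router must broadcast an ARP request
        return entry[0]


def simulate(strategy: str) -> Tuple[float, Optional[int]]:
    """Return (seconds of outage after FAILOVER_AT, switch port the router's first
    post-failover frame was forwarded to; None means the switch flooded it)."""
    if strategy not in STRATEGIES:
        raise ValueError(strategy)
    switch, router = Switch(), Router()
    alive = {PRIMARY_PORT: True, SECONDARY_PORT: True}
    # MAC each port currently answers ARP requests for FIREWALL_IP with (None = silent)
    answering: Dict[int, Optional[str]] = {PRIMARY_PORT: PRIMARY_MAC, SECONDARY_PORT: None}
    failed_over, first_port_seen, first_port = False, False, None

    t = 0.0
    while t <= HORIZON:
        if not failed_over and t >= FAILOVER_AT:
            failed_over = True
            alive[PRIMARY_PORT], answering[PRIMARY_PORT] = False, None
            new_mac = PRIMARY_MAC if strategy.startswith("fake_mac") else SECONDARY_MAC
            answering[SECONDARY_PORT] = new_mac
            if strategy in ("fake_mac_and_send", "gratuitous_arp"):
                switch.learn(new_mac, SECONDARY_PORT, t)  # any frame sent teaches the switch
            if strategy == "gratuitous_arp":
                router.cache[FIREWALL_IP] = (new_mac, t)  # unsolicited reply updates the cache

        mac = router.mac_for(FIREWALL_IP, t)
        if mac is None:
            # A broadcast ARP request reaches every port; the first live owner of the
            # IP answers, and its reply teaches both the switch and the router.
            for port, owner_mac in answering.items():
                if owner_mac is not None and alive[port]:
                    switch.learn(owner_mac, port, t)
                    router.cache[FIREWALL_IP] = (owner_mac, t)
                    mac = owner_mac
                    break
        if mac is not None:
            port = switch.port_for(mac, t)
            if failed_over and not first_port_seen:
                first_port_seen, first_port = True, port
            if port is None:  # flooded: delivered if any live port owns that MAC
                delivered = any(alive[p] and answering[p] == mac for p in answering)
            else:
                delivered = alive[port] and answering[port] == mac
            if delivered and failed_over:
                return t - FAILOVER_AT, first_port
        t += 1.0
    return float("inf"), first_port


if __name__ == "__main__":
    for name in STRATEGIES:
        outage, port = simulate(name)
        print(f"{name:18s} outage={outage:5.1f}s  first frame forwarded to port {port}")
```

Both silent strategies lose ARP_TIMEOUT seconds of traffic, and in both the switch forwards the first post-failover frame to the dead primary's port: taking over the primary's MAC changes nothing until the secondary transmits a frame the switch can learn from. Sending one frame with the faked MAC, or a gratuitous ARP with the secondary's own MAC, brings the outage to zero in this model. Real neighbour caches (and the retry-driven 2-minute figure in the post) behave less uniformly than this fixed timeout, which is exactly why failover tools announce themselves rather than wait.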