From owner-freebsd-security@FreeBSD.ORG Wed Mar 26 13:18:55 2003
Date: Wed, 26 Mar 2003 13:18:48 -0800 (PST)
From: randall ehren
To: Michael Richards
cc: freebsd-security@freebsd.org
In-Reply-To: <3E82142E.000017.64676@ns.interchange.ca>
Subject: Re: Multiple Firewalls with ipfilter?

> We're supposed to provide redundant firewall service. I'm wondering
> if anyone has ever tried to do this and if it's realistic. Basically
> 2 firewall machines hooked up so if one fails the other will
> transparently step in. I've googled it to death without much luck.
>
> The security issue here lies in that the 2 firewalls can't talk to
> each other. So if I'm keeping state on a connection then the second
> firewall has to know about that connection otherwise it will close if
> that firewall dies.

http://www.isber.ucsb.edu/~randall/firewall/redundant/

I have this setup in use at work. It's an automatic failover but does not
keep existing connections, so things like SSH sessions would be dropped.

-randall

--
:// randall s. ehren :// voice 805.893.5632
:// systems administrator :// isber|survey|avss.ucsb.edu
:// institute for social, behavioral, and economic research
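The state-replication problem raised in the quoted question, as an added illustration that is not from the thread or from ipfilter: a toy "keep state" filter on two nodes, where the standby only passes an established session's return traffic after failover if the primary's state table was copied to it first. `StatefulFirewall`, `sync_state`, `failover_scenario` and the addresses are constructed for this model.

```python
"""Model of why stateful-firewall failover drops established flows
unless the active node's state table is replicated to the standby.
Constructed illustration only, not ipfilter's own logic."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False


@dataclass
class StatefulFirewall:
    """Minimal 'keep state' filter: an outbound SYN from the inside
    creates a state entry; every other packet must match an entry."""
    name: str
    inside_net: str = "10.0.0."        # constructed inside prefix
    state: set = field(default_factory=set)

    def filter(self, pkt: Packet) -> str:
        # direction-agnostic flow key so the reply matches the same entry
        key = frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})
        if pkt.syn and pkt.src.startswith(self.inside_net):
            self.state.add(key)
            return "pass"
        return "pass" if key in self.state else "block"


def sync_state(primary: StatefulFirewall, standby: StatefulFirewall) -> None:
    """Replicate the primary's state table to the standby (the job a
    state-sync channel does; here simply copied)."""
    standby.state = set(primary.state)


def failover_scenario(with_sync: bool) -> list:
    primary, standby = StatefulFirewall("fw1"), StatefulFirewall("fw2")
    syn = Packet("10.0.0.5", 40000, "203.0.113.9", 22, syn=True)  # SSH setup
    reply = Packet("203.0.113.9", 22, "10.0.0.5", 40000)          # server->client
    results = [primary.filter(syn), primary.filter(reply)]
    if with_sync:
        sync_state(primary, standby)
    # primary dies; the same session's next return packet now reaches fw2
    results.append(standby.filter(reply))
    return results
```

Without replication the third verdict is "block", which is the dropped SSH session described in the reply; with replication the standby passes it.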