Date: Fri, 28 Mar 2003 14:49:51 -0800 (PST)
From: Mike Hoskins <mike@adept.org>
To: freebsd-security@freebsd.org
Subject: Re: Multiple Firewalls with ipfilter?
Message-ID: <20030328144454.A10259-100000@fubar.adept.org>

On Wed, 26 Mar 2003, randall ehren wrote:

> > We're supposed to provide redundant firewall service. I'm wondering
> > if anyone has ever tried to do this and if it's realistic. Basically
> > 2 firewall machines hooked up so if one fails the other will
> > transparently step in. I've googled it to death without much luck.
>
> http://www.isber.ucsb.edu/~randall/firewall/redundant/
>
> I have this setup in use at work; it's an automatic failover but does not
> keep existing connections, so things like SSH sessions would be dropped.

Nice setup...

If reliability is such a concern, the original poster could also move the state "in front" of the firewalls, i.e. invest in some stateful load balancers. I've asked a similar question in the past, and had the stateful (BSD) firewall discussion a few times, and that's often the suggestion that gets thrown around.

I agree an alternative would be nice if you're on a budget, but you often get what you pay for. Using something new and/or experimental may not be the best option, based upon the type of traffic these firewalls will be passing.

-mrh