Message-Id: <5.1.0.14.0.20011004220840.04858b48@192.168.0.12>
Date: Thu, 04 Oct 2001 22:12:10 -0400
To: Sean Lutner
From: Mike Tancsa
Subject: Re: HA/Failover options
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <20011004220637.B525@rentul.net>

What do you have behind the firewall? Are all the boxes capable of any
sort of dynamic routing? Using OSPF for example, you could have your 2
boxes advertising the default gateway, one with a more attractive cost
than the other. Even Win2K has OSPF capabilities. It might be an easier
way to go.

        ---Mike

At 10:06 PM 10/4/2001 -0400, Sean Lutner wrote:
>Hello...
>I've recently been tasked with coming up with a redundant/failover
>firewall solution to replace our managed firewalls. The goal is to have
>more control, and spend less money. So, after some research I decided
>FreeBSD with ipfw and vrrp would do the trick. I set out to install and
>configure everything. I noticed when trying to install vrrp from ports
>that it's been tagged forbidden, and confirmed this after searching the
>-security archives. The problem I'm running into is this. I grabbed the
>code that /usr/ports/net/vrrp would have, and built it, but the
>implementation has some problems. Once failed over (slave taking over for
>master), it does not fail back without intervention. If you down an
>interface with a vrid on it, somehow the vip stays in the interface
>causing problems. My basic question is this. Is there anyone else out
>there running redundant/failover firewalls using freebsd? If so, what are
>you running? I found one other piece of software at http://linux-ha.org
>that said would build on freebsd, but no such luck. If anyone has any
>ideas, pointers, products, or thwaps in the right direction, I'd
>appreciate them.
>
>Thanks
>
>Sean
>
>--
>Sean Lutner             | www:  http://www.rentul.net
>e-mail: sean@rentul.net | gpg:  http://www.rentul.net/sean.sig
>
>"Imagination is more important than knowledge." -- Albert Einstein

--------------------------------------------------------------------
Mike Tancsa,                          tel +1 519 651 3400
Sentex Communications,                mike@sentex.net
Providing Internet since 1994         www.sentex.net
Cambridge, Ontario Canada             www.sentex.net/mike
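
Added example, not part of the original message: a sketch of the OSPF arrangement suggested in the reply, written in Zebra/Quagga/FRR ospfd.conf syntax. The interface name fxp1, the 192.0.2.0/24 inside segment, the router IDs, the timers and the metrics 10 and 20 are all assumptions chosen for illustration.

```conf
! ---- fw1 ospfd.conf (preferred firewall) -- constructed example ----
! fxp1 is the assumed inside interface. OSPF is enabled only on the
! inside segment, so no hellos are sent on the outside interface.
interface fxp1
 ! Authenticate adjacencies so an inside host cannot inject a default route
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 REPLACE_WITH_SHARED_KEY
 ! Short timers: neighbors declare this box dead after 4 s of silence
 ip ospf hello-interval 1
 ip ospf dead-interval 4
!
router ospf
 ospf router-id 192.0.2.1
 network 192.0.2.0/24 area 0.0.0.0
 area 0.0.0.0 authentication message-digest
 ! Lower metric wins. Without "always", the default is advertised only
 ! while this box itself has a default route, so losing the upstream
 ! link also withdraws the advertisement.
 default-information originate metric 10
!
! ---- fw2 ospfd.conf (standby firewall) -- constructed example ----
interface fxp1
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 REPLACE_WITH_SHARED_KEY
 ip ospf hello-interval 1
 ip ospf dead-interval 4
!
router ospf
 ospf router-id 192.0.2.2
 network 192.0.2.0/24 area 0.0.0.0
 area 0.0.0.0 authentication message-digest
 ! Higher metric: used only while fw1's advertisement is absent, and
 ! superseded again as soon as fw1 returns (fail-back needs no operator)
 default-information originate metric 20
```

OSPF moves only the route: ipfw dynamic rule state is not shared between the two boxes, so stateful flows have to re-establish after a failover.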