Date:      Sat, 10 Jan 2004 10:36:48 -0600
From:      dap99@i-55.com
To:        <freebsd-isp@freebsd.org>
Subject:   Failover of FreeBSD firewall with ipfw/natd
Message-ID:  <018e01c3d798$0de66670$6401a8c0@mybox>

Apologies for the first empty post.

I am running FreeBSD 4.8-REL with ipfw and natd. My firewall has a primary
IP address and several other IP addresses aliased on the public interface.
This firewall serves as a gateway and performs NAT for a set of servers
offering web, email, and HTTPS. We have two machines that can serve as the
firewall: One is the primary firewall, and the second can be brought up
manually as the firewall in case of a failure of the first machine.

I would like to automate the process of failover for the firewall.

Counting the backup firewall, which is also the file and database server, we
have four internal servers, all FreeBSD 4.8-REL.

I am looking for suggestions on the best way to solve the failover problem.

In my mind, the following needs to happen if the primary firewall dies:

1. The backup firewall needs to recognize that the primary firewall is
indeed dead.
2. The backup firewall needs to bring up the public IP addresses on its
public interface.
3. The backup firewall needs to activate the firewall ruleset.
4. The backup firewall needs to bring up natd.
5. The internal machines need to recognize the backup firewall as the
default gateway.

First of all, are there any tools available that will help automate this
process? I should be able to do availability checks between the primary and
backup firewalls using something like heartbeat, but I am open to other
suggestions!

Second, how are you solving this problem with FreeBSD and ipfw/natd?

The third question concerns testing if a firewall is actually dead rather
than the backup firewall losing connectivity. I will be using something
along the lines of this test:

If the backup firewall cannot connect to the primary firewall
and the backup firewall can connect to the outside world
and the backup firewall can connect to the internal network
then failover.

How are you solving this problem?
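
Added example, not part of the original message or of any reply in the thread: a small POSIX sh script for the backup firewall that implements the three-way reachability test stated above (primary unreachable AND outside reachable AND internal network reachable, otherwise hold) and then performs steps 2 through 4 of the failover list. The hostnames, addresses, interface name, ruleset path and the "three consecutive misses" threshold are assumptions chosen for illustration; the original post gives none of them. The decision logic is kept in pure functions so it can be exercised without touching the network.

```shell
#!/bin/sh
# failover.sh - added example for a FreeBSD 4.x backup firewall (ipfw + natd).
# Everything below the comment block is an assumption for illustration,
# not a value from the mailing-list post.
#
# Rule from the post: fail over only when the primary is unreachable AND the
# backup still reaches the outside world AND the internal network. If either
# of the last two fails, the backup itself is the one that lost connectivity,
# so it must not take the addresses over.

PRIMARY_INT=192.168.1.1                 # primary firewall, internal side (assumed)
OUTSIDE_PROBE=203.0.113.1               # upstream router, public side (assumed, TEST-NET-3)
INSIDE_PROBE=192.168.1.10               # one internal server (assumed)
PUBLIC_IF=fxp0                          # backup's public interface (assumed)
PUBLIC_ADDRS="203.0.113.10 203.0.113.11 203.0.113.12"   # aliases to take over (assumed)
RULESET=/etc/ipfw.rules                 # sh script loading the ipfw ruleset (assumed)
STRIKE_LIMIT=3                          # consecutive "failover" verdicts before acting (assumed)

# reachable HOST: exit 0 if one ICMP echo is answered within 2 seconds.
# (-t is FreeBSD ping's overall timeout in seconds.)
reachable() {
    ping -c 1 -t 2 "$1" >/dev/null 2>&1
}

# probe HOST: print 1 if reachable, 0 otherwise.
probe() {
    if reachable "$1"; then echo 1; else echo 0; fi
}

# decide_failover PRIMARY_UP OUTSIDE_UP INSIDE_UP (each 0 or 1):
# print "failover" only for the combination 0 1 1, "hold" for anything else.
decide_failover() {
    if [ "$1" -eq 0 ] && [ "$2" -eq 1 ] && [ "$3" -eq 1 ]; then
        echo failover
    else
        echo hold
    fi
}

# update_strikes COUNT VERDICT: print COUNT+1 on "failover", reset to 0 on "hold",
# so a single dropped ping never triggers a takeover.
update_strikes() {
    if [ "$2" = failover ]; then echo $(( $1 + 1 )); else echo 0; fi
}

# Steps 2-4 of the post: bring up the public aliases, load the ruleset, start natd.
# Step 5 (internal hosts switching their default gateway) is not handled here.
take_over() {
    for a in $PUBLIC_ADDRS; do
        ifconfig "$PUBLIC_IF" inet "$a" netmask 255.255.255.255 alias
    done
    sh "$RULESET"
    # Assumes the ruleset contains the divert rule that natd needs.
    natd -interface "$PUBLIC_IF"
}

# Poll every 5 seconds; act once STRIKE_LIMIT consecutive verdicts say "failover".
main_loop() {
    strikes=0
    while :; do
        v=$(decide_failover "$(probe "$PRIMARY_INT")" \
                            "$(probe "$OUTSIDE_PROBE")" \
                            "$(probe "$INSIDE_PROBE")")
        strikes=$(update_strikes "$strikes" "$v")
        if [ "$strikes" -ge "$STRIKE_LIMIT" ]; then
            take_over
            exit 0
        fi
        sleep 5
    done
}

# Only start polling when invoked as "sh failover.sh run", so the functions
# above can also be sourced and tested on their own.
if [ "${1:-}" = "run" ]; then
    main_loop
fi
```

Two caveats a practitioner would add before relying on this: the script never hands the addresses back, so if the primary recovers on its own both machines will answer ARP for the same public addresses until someone intervenes, and probing the primary only through its internal address means a primary whose public link died but whose internal interface is fine will never be declared dead. Both are policy decisions the post leaves open.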
