From: dap99@i-55.com
To: freebsd-isp@freebsd.org
Date: Sat, 10 Jan 2004 10:36:48 -0600
Subject: Failover of FreeBSD firewall with ipfw/natd
List-Id: Internet Services Providers (freebsd-isp)

Apologies for the first empty post.

I am running FreeBSD 4.8-REL with ipfw and natd. My firewall has a primary IP address and several other IP addresses aliased on the public interface. This firewall serves as a gateway and performs NAT for a set of servers offering web, email, and HTTPS. We have two machines that can serve as the firewall: one is the primary firewall, and the second can be brought up manually as the firewall in case of a failure of the first machine. I would like to automate the process of failover for the firewall. Counting the backup firewall, which is also the file and database server, we have four internal servers, all FreeBSD 4.8-REL.
I am looking for suggestions on the best way to solve the failover problem. In my mind, the following needs to happen if the primary firewall dies:

1. The backup firewall needs to recognize that the primary firewall is indeed dead.
2. The backup firewall needs to bring up the public IP addresses on its public interface.
3. The backup firewall needs to activate the firewall ruleset.
4. The backup firewall needs to bring up natd.
5. The internal machines need to recognize the backup firewall as the default gateway.

First of all, are there any tools available that will help automate this process? I should be able to do availability checks between the primary and backup firewalls using something like heartbeat, but I am open to other suggestions!

Second, how are you solving this problem with FreeBSD and ipfw/natd?

The third question concerns testing if a firewall is actually dead rather than the backup firewall losing connectivity. I will be using something along the lines of this test: if the backup firewall cannot connect to the primary firewall, and the backup firewall can connect to the outside world, and the backup firewall can connect to the internal network, then failover.

How are you solving this problem?
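As an added illustration (not from the poster or the list), the five steps and the three-way liveness test above written as a FreeBSD /bin/sh sketch for the backup machine; every address, interface name and file path in it is a placeholder, and the monitor loop only runs when FAILOVER_RUN=1 is set.

```shell
# Failover sketch for a backup ipfw/natd gateway (FreeBSD /bin/sh).
# All addresses, interface names and file paths below are placeholders.
EXT_IF=fxp0                     # public interface of the backup
INT_IF=fxp1                     # internal interface of the backup
PUBLIC_PRIMARY=203.0.113.10     # primary public address (placeholder)
PUBLIC_MASK=255.255.255.0
PUBLIC_ALIASES="203.0.113.11 203.0.113.12"   # extra public addresses (placeholders)
GW_INT=192.168.1.1              # gateway address the internal hosts use
PRIMARY_INT=192.168.1.2         # primary firewall's own internal address
OUTSIDE_PROBE=203.0.113.1       # upstream router, proves outside reachability
INTERNAL_PROBE=192.168.1.20     # an internal server, proves LAN reachability
RULESET=/etc/ipfw.rules         # ipfw rules, including the divert-to-natd rule
NATD_CONF=/etc/natd.conf
# Echo 1 if one ping answers within 2 seconds, else 0 (-t is FreeBSD's timeout flag).
reachable() {
    if ping -c 1 -t 2 "$1" >/dev/null 2>&1; then echo 1; else echo 0; fi
}
# Decide from three 0/1 flags (primary, outside, internal reachable).
# "isolated" distinguishes the backup losing its own links from the primary dying.
decide() {
    if [ "$1" -eq 1 ]; then echo hold
    elif [ "$2" -eq 1 ] && [ "$3" -eq 1 ]; then echo failover
    else echo isolated
    fi
}
# Steps 2-5 of the post, run once the decision is "failover".
take_over() {
    ifconfig "$EXT_IF" inet "$PUBLIC_PRIMARY" netmask "$PUBLIC_MASK"
    for a in $PUBLIC_ALIASES; do
        ifconfig "$EXT_IF" inet "$a" netmask 255.255.255.255 alias
    done
    natd -n "$EXT_IF" -f "$NATD_CONF"        # needs IPDIVERT in the kernel
    ipfw -q -f flush && ipfw -q "$RULESET"   # flush stale rules, then load ours
    # Take over the LAN gateway address; FreeBSD announces a newly configured
    # address with a gratuitous ARP (assumption), refreshing the hosts' ARP caches.
    ifconfig "$INT_IF" inet "$GW_INT" netmask 255.255.255.255 alias
}
failover_monitor() {
    while :; do
        state=$(decide "$(reachable "$PRIMARY_INT")" "$(reachable "$OUTSIDE_PROBE")" \
                       "$(reachable "$INTERNAL_PROBE")")
        logger -t failover "state=$state"
        if [ "$state" = failover ]; then take_over; return 0; fi
        sleep 5
    done
}
# Only start the loop when explicitly asked, so sourcing this file is side-effect free.
if [ "${FAILOVER_RUN:-0}" = 1 ]; then failover_monitor; fi
```

The "isolated" state is the case the third question worries about: the primary is unreachable but so is the outside world or the LAN, so the backup stays quiet instead of fighting a live primary for the same addresses.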