Date: Wed, 26 Mar 2003 16:30:48 -0500 (EST)
From: Matt Piechota <piechota@argolis.org>
To: Michael Richards <michael@fastmail.ca>
Cc: freebsd-security@freebsd.org
Subject: Re: Multiple Firewalls with ipfilter?
Message-ID: <20030326161559.P9110@cithaeron.argolis.org>
In-Reply-To: <3E82142E.000017.64676@ns.interchange.ca>
References: <3E82142E.000017.64676@ns.interchange.ca>
On Wed, 26 Mar 2003, Michael Richards wrote:

> We're supposed to provide redundant firewall service. I'm wondering
> if anyone has ever tried to do this and if it's realistic. Basically
> 2 firewall machines hooked up so if one fails the other will
> transparently step in. I've googled it to death without much luck.
>
> The security issue here lies in that the 2 firewalls can't talk to
> each other. So if I'm keeping state on a connection then the second
> firewall has to know about that connection otherwise it will close if
> that firewall dies.

Caveat: I haven't tried any of this, and there may be a canned solution I don't know about.

If I were doing this, I'd do a serial connection between the two boxes (I assume they're in the same room). If you're just looking for failover (and not load balancing), you could designate one to be the master, and whenever it adds or deletes a dynamic rule, it prints it out to the serial port. The slave machine watches the serial port and adds rules when it sees them come over.

That'll basically work, although you really need to do some sort of handshaking, heartbeat, and sync (so when the master comes back, it can read in the new rules the slave created while it was minding the shop). I suspect matching 'expect' scripts tied to the serial lines could get the job done. Something like:

switch on:
  RULEADD - ipfw add $rest_of_line
  RULEDEL - this'll be a little tougher since you'll have to match the rule to the number (unless you always add the rule with the number from the master)
  RULEDMP - ipfw list
  HRTBEAT - actually, you don't really need this, but it's nice to keep status.

Just an idea.

-- 
Matt Piechota
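The slave-side half of the serial protocol Matt sketches, as an added example that is not part of this thread: a Python handler (hypothetical; the line format `KEYWORD <number> <rule body>`, the `ipfw` wrapper and the sample feed are assumptions) that mirrors the master's rule table so RULEDEL can be matched by number, answers RULEDMP with the slave's own list for resync, and rejects any line that is not a well-formed rule, since whatever can write to that serial port drives the firewall.

```python
import re
import subprocess

# Assumed line format (the post only names the keywords):
#   "RULEADD <number> <ipfw rule body>", "RULEDEL <number>", "RULEDMP", "HRTBEAT"
LINE_RE = re.compile(r"^(RULEADD|RULEDEL|RULEDMP|HRTBEAT)(?:\s+(\d+))?(?:\s+(.*))?$")
# Only plain ipfw rule tokens are accepted; shell metacharacters never reach ipfw(8).
SAFE_BODY = re.compile(r"^[A-Za-z0-9 ./:,_-]+$")


class SlaveSync:
    def __init__(self, run=None):
        self.rules = {}            # rule number -> rule body, mirror of the master
        self.beats = 0             # heartbeats seen, for status/timeout logic
        self.run = run or self._ipfw   # command runner; injectable for tests

    @staticmethod
    def _ipfw(args):
        subprocess.run(["ipfw", *args], check=True)   # argv list, no shell

    def handle_line(self, line):
        """Apply one line from the master; returns a rule dump for RULEDMP, else None."""
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"malformed line from master: {line!r}")
        cmd, num, body = m.groups()
        if cmd == "HRTBEAT":
            self.beats += 1
        elif cmd == "RULEADD":
            if num is None or not body or not SAFE_BODY.match(body):
                raise ValueError(f"rejected RULEADD: {line!r}")
            self.rules[int(num)] = body
            self.run(["add", num, *body.split()])
        elif cmd == "RULEDEL":
            if num is None or int(num) not in self.rules:   # match by master's number
                raise ValueError(f"RULEDEL for unknown rule: {line!r}")
            del self.rules[int(num)]
            self.run(["delete", num])
        elif cmd == "RULEDMP":      # master resyncing: hand back what the slave holds
            return "\n".join(f"{n} {b}" for n, b in sorted(self.rules.items()))
        return None


SAMPLE_FEED = [   # constructed sample of what the master would print to the serial line
    "HRTBEAT",
    "RULEADD 100 allow tcp from 10.0.0.5 to any 22 keep-state",
    "RULEADD 110 allow udp from any 53 to 10.0.0.0/24 keep-state",
    "RULEDEL 100",
    "RULEDMP",
]


def replay(feed):
    """Run a feed through a SlaveSync, recording ipfw argv lists instead of executing them."""
    executed, dumps = [], []
    sync = SlaveSync(run=executed.append)
    for line in feed:
        result = sync.handle_line(line)
        if result is not None:
            dumps.append(result)
    return sync, executed, dumps
```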
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030326161559.P9110>