Date: Thu, 27 Mar 2003 09:08:00 -0000
From: "Roger " <raqlist@fareham.org>
To: freebsd-security@freebsd.org
Subject: Re: Multiple Firewalls with ipfilter?
Message-ID: <3E82BF70.25089.A1C525A@localhost>
In-Reply-To: <20030326161559.P9110@cithaeron.argolis.org>
References: <3E82142E.000017.64676@ns.interchange.ca>
You would have to fake up the MAC addresses on the Ethernet ports (otherwise the ARP tables will be wrong), and sync the TCP/IP stack's state for it to work. That would need more than a serial port to sync.

Roger.

Date sent: Wed, 26 Mar 2003 16:30:48 -0500 (EST)
From: Matt Piechota <piechota@argolis.org>
To: Michael Richards <michael@fastmail.ca>
Copies to: freebsd-security@freebsd.org
Subject: Re: Multiple Firewalls with ipfilter?

> On Wed, 26 Mar 2003, Michael Richards wrote:
>
> > We're supposed to provide redundant firewall service. I'm wondering
> > if anyone has ever tried to do this and if it's realistic. Basically
> > 2 firewall machines hooked up so if one fails the other will
> > transparently step in. I've googled it to death without much luck.
> >
> > The security issue here lies in that the 2 firewalls can't talk to
> > each other. So if I'm keeping state on a connection then the second
> > firewall has to know about that connection otherwise it will close if
> > that firewall dies.
>
> Caveat: I haven't tried any of this, and there may be a canned solution I
> don't know about.
>
> If I were doing this, I'd do a serial connection between the two boxes (I
> assume they're in the same room). If you're just looking for failover
> (and not load balancing), you could designate one to be the master, and
> whenever it adds or deletes a dynamic rule, it prints it out to the serial
> port. The slave machine watches the serial port and adds rules when it
> sees them come over.
>
> That'll basically work, although you really need to do some sort of
> handshaking, heart beat, and sync (so when the master comes back, it can
> read in the new rules the slave created while it was minding the shop).
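The serial-port scheme Matt sketches above (master writes each dynamic-rule change to the line, standby applies it, with a heartbeat and a resync on top), worked through as an added example that is not part of the thread and is not ipfilter code. It is a Python simulation: the Link class standing in for one direction of the serial line, the JSON-plus-checksum framing, the HEARTBEAT_LIMIT policy and the flow records are all assumptions made for the example. It exercises the two failure modes the thread raises: a corrupted or missed line, which the standby must treat as a gap and answer with a full resync rather than silently carrying a wrong table, and the master's return, where its stale table must not win over the state the standby created while it was minding the shop.

```python
# Added example: master/standby firewall state replication over a one-way line,
# modelling the serial-port scheme from the thread. Link, the framing,
# HEARTBEAT_LIMIT and the flow records are assumptions; this is not ipfilter code.
import hashlib
import json

HEARTBEAT_LIMIT = 3  # empty polls before the standby takes over (assumed policy)

class Link:  # one direction of the serial line: one writer, one reader
    def __init__(self):
        self.buf = []
    def write(self, line):
        self.buf.append(line)
    def drain(self):
        lines, self.buf = self.buf, []
        return lines

def frame(seq, op, entry=None):
    """JSON update plus a truncated SHA-256 so line noise is detected."""
    body = json.dumps({"seq": seq, "op": op, "entry": entry}, sort_keys=True)
    return body + " " + hashlib.sha256(body.encode()).hexdigest()[:8]

def unframe(line):
    """Decode one framed update; None if the checksum does not match."""
    body, _, digest = line.rpartition(" ")
    if hashlib.sha256(body.encode()).hexdigest()[:8] != digest:
        return None
    return json.loads(body)

def flow_key(entry):
    return "{proto} {src}:{sport}>{dst}:{dport}".format(**entry)

class Firewall:
    def __init__(self, out, inp):
        self.out, self.inp = out, inp
        self.table = {}   # dynamic (keep-state) entries keyed by 5-tuple
        self.seq = 0      # last seq sent as master / last seq applied as standby
        self.master = False
        self.missed = 0   # consecutive empty polls while standby
    def _emit(self, op, entry=None):  # master: every change goes out on the line
        self.seq += 1
        self.out.write(frame(self.seq, op, entry))
    def add_state(self, entry):
        self.table[flow_key(entry)] = entry
        if self.master:
            self._emit("add", entry)
    def heartbeat(self):
        self._emit("beat")
    def full_sync(self):  # replay the whole table after a gap or a change of master
        self._emit("reset")
        for entry in list(self.table.values()):
            self._emit("add", entry)
    def rejoin(self):  # come back as standby: discard stale input, wait for a reset
        self.master, self.missed = False, 0
        self.inp.drain()
    def receive(self):
        """Apply queued updates; return 'ok', 'gap' (resync needed) or 'takeover'."""
        lines = self.inp.drain()
        if not lines:
            self.missed += 1
            if self.missed >= HEARTBEAT_LIMIT and not self.master:
                self.master = True
                return "takeover"
            return "ok"
        self.missed = 0
        for line in lines:
            msg = unframe(line)
            if msg is None or (msg["op"] != "reset" and msg["seq"] != self.seq + 1):
                return "gap"  # corrupt or missing line: the local copy is now suspect
            self.seq = msg["seq"]
            if msg["op"] == "reset":
                self.table.clear()
            elif msg["op"] == "add":
                self.table[flow_key(msg["entry"])] = msg["entry"]
        return "ok"

def failover_scenario():
    """Replicate, corrupt a line, lose the master, take over, reconcile on its return."""
    ab, ba = Link(), Link()
    fw1, fw2 = Firewall(ab, ba), Firewall(ba, ab)
    fw1.master = True
    f1 = {"proto": "tcp", "src": "10.0.0.5", "sport": 40001, "dst": "192.0.2.10", "dport": 443}
    f2 = {"proto": "tcp", "src": "10.0.0.6", "sport": 40002, "dst": "192.0.2.11", "dport": 80}
    f3 = {"proto": "udp", "src": "10.0.0.7", "sport": 5353, "dst": "192.0.2.12", "dport": 53}
    out = {}
    fw1.add_state(f1)
    fw1.heartbeat()
    out["first"] = fw2.receive()                 # 'ok': f1 is on the standby
    fw1.add_state(f2)
    ab.buf[-1] = ab.buf[-1][:-1] + "Z"           # constructed line noise on the last byte
    out["corrupt"] = fw2.receive()               # 'gap'
    fw1.full_sync()                              # what the handshake must trigger
    out["resync"] = fw2.receive()                # 'ok': f1 and f2
    out["polls"] = [fw2.receive() for _ in range(HEARTBEAT_LIMIT)]  # fw1 has died
    fw2.add_state(f3)                            # fw2 is minding the shop
    fw1.rejoin()                                 # fw1 returns as standby, table stale
    fw2.full_sync()
    out["rejoin"] = fw1.receive()                # 'ok'
    out["tables"] = (len(fw1.table), fw1.table == fw2.table)
    return out
```

The sequence number is what turns a dropped line into a detectable gap; the checksum catches a corrupted one. A real serial line carries nothing back to the master, so the "gap" result has to be reported over the second direction of the link (the handshake Matt mentions) before the master replays its table. The simulation says nothing about Roger's point: nothing here moves a MAC address or the kernel's TCP state, which is the part a serial port cannot carry.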
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3E82BF70.25089.A1C525A>