Date:      27 Mar 2003 16:08:23 +0200
From:      Etienne Ledoux <etienne@unix.za.org>
To:        Michael Richards <michael@fastmail.ca>
Cc:        freebsd-security@freebsd.org
Subject:   Re: Multiple Firewalls with ipfilter?
Message-ID:  <1048774105.27599.15.camel@madcow>
In-Reply-To: <3E82142E.000017.64676@ns.interchange.ca>
References:  <3E82142E.000017.64676@ns.interchange.ca>

I guess this idea isn't as good but it worked for me.

I used ipf (ipfw or anything else should work too) with freevrrpd.

Both master and slave firewalls are exactly the same except for my
second firewall had two extra rules right at the top:

# Allow all established connections
pass in quick proto tcp all flags A/SA keep state keep frags
pass out quick proto tcp all flags A/SA keep state keep frags
#pass in quick proto udp all keep state keep frags
#pass out quick proto udp all keep state keep frags

This automatically created the state entries for established connections
as soon as the other firewall goes down. But I guess most people won't
like having those rules in their rulebase.


e.

On Wed, 2003-03-26 at 22:57, Michael Richards wrote:
> We're supposed to provide redundant firewall service. I'm wondering 
> if anyone has ever tried to do this and if it's realistic. Basically 
> 2 firewall machines hooked up so if one fails the other will 
> transparently step in. I've googled it to death without much luck.
> 
> The security issue here lies in that the 2 firewalls can't talk to 
> each other. So if I'm keeping state on a connection then the second 
> firewall has to know about that connection otherwise it will close if 
> that firewall dies.
> 
> Any ideas?
> 
> -Michael
> _________________________________________________________________
>     http://fastmail.ca/ - Fast Secure Web Email for Canadians
> ----
> 

> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
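The reason the two A/SA rules work is that freevrrpd moves the shared address to the backup but nothing moves ipf's state table with it, so the backup's first sight of a live session is a mid-stream segment (ACK set, SYN clear) that a normal "flags S/SA keep state" policy would drop. The following toy model is added here to illustrate that mechanism; it is not ipfilter's code and not from the original thread. It treats every rule as "quick" (first match wins), models only the TCP flag mask, destination port and a direction-agnostic state key, and uses constructed addresses 198.51.100.7 and 10.0.0.5.

```python
"""Toy model (constructed for this note, not ipfilter's own code) of how
'flags A/SA keep state' rules let a backup firewall adopt connections whose
state table died with the master, and what else they admit."""
from dataclasses import dataclass, field
from typing import Optional

# TCP flag letters as used in ipfilter 'flags' clauses
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}


def parse_flags(spec: str):
    """'A/SA' -> (want, mask): within the bits named in the mask, exactly the
    'want' bits must be set. A/SA therefore matches ACK-without-SYN (any
    mid-stream segment); S/SA matches SYN-without-ACK (a new connection)."""
    want, _, mask = spec.partition("/")
    want_bits = sum(FLAG_BITS[c] for c in want)
    mask_bits = sum(FLAG_BITS[c] for c in mask) if mask else 0x3F
    return want_bits, mask_bits


@dataclass
class Rule:
    action: str                  # 'pass' or 'block'
    direction: str               # 'in' or 'out'
    flags: Optional[str] = None  # ipf flags clause, None = any flags
    dport: Optional[int] = None  # destination port, None = any
    keep_state: bool = False


@dataclass
class Packet:
    direction: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str                   # e.g. 'S', 'A', 'PA'


@dataclass
class Firewall:
    rules: list                  # all evaluated as 'quick': first match wins
    state: set = field(default_factory=set)

    @staticmethod
    def conn_key(p: Packet):
        # direction-agnostic key so the reply hits the same state entry
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def filter(self, p: Packet) -> str:
        if self.conn_key(p) in self.state:
            return "pass"        # state table short-circuits the rule list
        pkt_bits = sum(FLAG_BITS[c] for c in p.flags)
        for r in self.rules:
            if r.direction != p.direction:
                continue
            if r.dport is not None and r.dport != p.dport:
                continue
            if r.flags is not None:
                want, mask = parse_flags(r.flags)
                if pkt_bits & mask != want:
                    continue
            if r.action == "pass" and r.keep_state:
                self.state.add(self.conn_key(p))
            return r.action
        return "block"           # implicit default deny


def build_backup(with_failover_rules: bool) -> Firewall:
    """Backup firewall policy: constructed web server 10.0.0.5 reachable on
    port 80 only. With with_failover_rules=True the two A/SA rules from the
    post sit at the top of the list."""
    rules = []
    if with_failover_rules:
        rules += [Rule("pass", "in", "A/SA", keep_state=True),
                  Rule("pass", "out", "A/SA", keep_state=True)]
    rules += [Rule("pass", "in", "S/SA", dport=80, keep_state=True)]
    return Firewall(rules)


def failover_outcome(with_failover_rules: bool) -> dict:
    """Master dies mid-session: the first thing the backup sees is an ACK
    segment of an established port-80 session and, later, its reply. Also
    feed it an unsolicited ACK to port 22, which the policy never opened."""
    fw = build_backup(with_failover_rules)
    client, server = "198.51.100.7", "10.0.0.5"   # constructed addresses
    midstream = Packet("in", client, 40001, server, 80, "PA")
    reply = Packet("out", server, 80, client, 40001, "PA")
    stray_ack = Packet("in", client, 40002, server, 22, "A")
    return {
        "midstream": fw.filter(midstream),
        "reply": fw.filter(reply),
        "stray_ack_to_closed_port": fw.filter(stray_ack),
    }


if __name__ == "__main__":
    for mode in (False, True):
        label = "failover rules" if mode else "plain policy"
        print(label, failover_outcome(mode))
```

Run as written, the plain policy blocks all three packets (the session is lost when the master dies), while the failover policy passes the mid-stream segment, creates state for it, and passes the reply. The same run shows the cost the post alludes to: the stray ACK to a port the policy never opened is passed and given state too, because "flags A/SA" cannot tell an adopted session from any other segment with ACK set and SYN clear. That is the trade-off to weigh before putting these rules in a rulebase.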

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1048774105.27599.15.camel>