From: "Michelle R. Sanchez, CNE" <msanchez@polyserve.com>
Date: Wed, 25 Oct 2000 10:20:23 -0700
To: freebsd-hackers@freebsd.org
Subject: question for the freebsd community
Message-ID: <39F71657.8855C56D@polyserve.com>

hello,

i work for a software company in berkeley that makes high availability server clustering software. we have a distribution for freebsd. our software is distributed and runs as a daemon on one's existing servers which are to be clustered together.

in addition to making servers highly available, we also have the ability to monitor services such as http, smtp, and generic tcp apps by utilizing their ports and trying to make a tcp connection to them, or sending an HTTP HEAD request if http is the one being monitored. if our software doesn't receive the anticipated reply, it will fail over to the backup machine even though the primary machine is still physically running.

we have had a lot of requests from customers wishing to make their firewalls highly available by clustering them together and putting a service monitor on the firewall port in case the firewall daemon should hang. this is probably not very likely, but they would like to be able to do so in any case.

my questions are these:

1] is it a good idea to try to put a service monitor on IPFW? if so, does this compromise the firewall in any way? i am not a firewall expert by any means, but i think that you would not want to take this approach. our service monitor tries to connect to the application once per second or at some user-definable interval.

2] someone once suggested monitoring the port that the 'console' uses to talk to the firewall if you are trying to configure it remotely. would this be recommended? does it mean leaving the 'console' up all the time?

3] is there a configuration that could be made where the firewall would allow a tcp connection to be made by a specific IP address only, without any compromise? if so, how can this be done?

the books i have purchased on firewalls and the IPFW documentation unfortunately do not provide enough information for us to make a sound decision on this issue. i have researched this to the best of my ability and now i realize that i must ask the freebsd community for assistance. if anyone has any insight to provide on this issue, we would be most appreciative.

kindest regards,

michelle r. sanchez, cne/rhce
polyserve technical support
msanchez@polyserve.com
1 510 649 3554
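The two service checks the post describes (a plain TCP connect for generic daemons, an HTTP HEAD request for web servers) and a failover decision that fires only after several consecutive missed replies, written here as an added illustration rather than PolyServe's own code. The stub HTTP server, the probe timeout and the failure threshold are constructed for the example so it runs entirely on the loopback interface.

```python
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

def tcp_probe(host, port, timeout=2.0):
    """Generic TCP check: the service counts as up if the port accepts a connection."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable or timed out
        return False

def http_head_probe(host, port, timeout=2.0, path="/"):
    """HTTP check: send HEAD and require a 2xx/3xx status in the reply."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("HEAD", path)
        return 200 <= conn.getresponse().status < 400
    except (OSError, http.client.HTTPException):
        return False
    finally:
        conn.close()

def should_failover(results, threshold=3):
    """Fail over only after `threshold` consecutive failed probes (one per interval),
    so a single lost packet or slow reply does not evict a healthy primary."""
    streak = 0
    for ok in results:
        streak = 0 if ok else streak + 1
        if streak >= threshold:
            return True
    return False

class _StubHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the monitored web server so the example runs offline."""
    def do_HEAD(self):
        self.send_response(200)
        self.end_headers()

def start_stub_server():
    """Start the stub on a free loopback port and return that port number."""
    srv = HTTPServer(("127.0.0.1", 0), _StubHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1]

def closed_port():
    """Bind and release a loopback port; it is closed when probed right afterwards."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]
```

Probing a firewall host this way means the monitoring address must itself be allowed through, so the threshold and the source restriction on that rule are what keep the check from becoming a false-positive failover trigger or an exposed port.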