Date: Fri, 10 Aug 2001 12:25:04 +1000
From: Tony Landells <ahl@austclear.com.au>
To: freebsd-security@FreeBSD.ORG
Subject: Re: distributed natd
Message-ID: <200108100225.MAA23117@tungsten.austclear.com.au>
In-Reply-To: Your message of "Fri, 10 Aug 2001 03:21:58 +0200." <20010810032158.T3889@gnjilux.cc.fer.hr>
ike@gnjilux.srk.fer.hr said:
> I'm not sure I understood correctly - what are you aiming for? The
> performance increase due to two firewalls simultaneously processing
> traffic or the redundancy of having one firewall take over if the
> other fails?
> If it's the latter, I believe there are simpler solutions than
> rewriting natd.

Mostly the latter, with an additional (side benefit) of the former.

We have several "long-term" connections for application services that go through our firewall(s). At the moment if one of the firewalls went down we'd have a major exercise to change DNS, restart services, and so on to switch everything across.

If we were using "virtual" addresses then the switchover would be more or less transparent. However, we don't have a one-to-one mapping between internal addresses and external addresses, so there is a chance that the mapping one firewall would choose wouldn't be the same as that chosen by the second. Hence my suggestion.

The side benefit is that I could then look at, for example, using dynamic routing to get equal cost paths through each box for load sharing when they're both up.

Tony
--
Tony Landells <ahl@austclear.com.au>
Senior Network Engineer                  Ph:  +61 3 9677 9319
Australian Clearing Services Pty Ltd     Fax: +61 3 9677 9355
Level 4, Rialto North Tower
525 Collins Street
Melbourne VIC 3000
Australia
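The mapping-divergence problem Tony describes, as an added illustration that is not part of the thread and not natd's real allocator: two boxes that each hand out the next free external address/port from their own state disagree for the same flow as soon as their histories differ, while a mapping derived from the flow tuple, the shared pool and a shared secret (a hypothetical scheme, not something natd implements) gives both boxes the same answer without any state exchange.

```python
import hashlib
from typing import Dict, List, Tuple

# (src_ip, src_port, dst_ip, dst_port); constructed sample flows below
Flow = Tuple[str, int, str, int]
Mapping = Tuple[str, int]


class CounterNat:
    """Stand-alone style allocator: next external address from the pool,
    next port from a per-box counter. Each box's table is private."""

    def __init__(self, ext_ips: List[str], first_port: int = 40000) -> None:
        self.ext_ips = ext_ips
        self.next_port = first_port
        self.table: Dict[Flow, Mapping] = {}

    def map(self, flow: Flow) -> Mapping:
        if flow not in self.table:
            ip = self.ext_ips[len(self.table) % len(self.ext_ips)]
            self.table[flow] = (ip, self.next_port)
            self.next_port += 1
        return self.table[flow]


class HashedNat:
    """Deterministic allocator: mapping is a keyed hash of the flow tuple,
    so boxes sharing pool, port range and secret compute the same result.
    Collision handling is deliberately omitted; it is what would still need
    state synchronisation between the boxes."""

    def __init__(self, ext_ips: List[str], secret: bytes,
                 port_lo: int = 40000, port_hi: int = 60000) -> None:
        self.ext_ips, self.secret = ext_ips, secret
        self.port_lo, self.port_hi = port_lo, port_hi

    def map(self, flow: Flow) -> Mapping:
        digest = hashlib.sha256(self.secret + repr(flow).encode()).digest()
        n = int.from_bytes(digest[:8], "big")
        ip = self.ext_ips[n % len(self.ext_ips)]
        port = self.port_lo + (n // len(self.ext_ips)) % (self.port_hi - self.port_lo)
        return (ip, port)


def compare(flow: Flow, other: Flow) -> Tuple[bool, bool]:
    """Return (counter_boxes_agree, hashed_boxes_agree) for `flow` when
    the second box has already mapped a different flow `other` first."""
    pool = ["203.0.113.1", "203.0.113.2"]          # constructed address pool
    a, b = CounterNat(pool), CounterNat(pool)
    b.map(other)                                   # box B saw another flow first
    counter_agree = a.map(flow) == b.map(flow)
    ha, hb = HashedNat(pool, b"shared"), HashedNat(pool, b"shared")
    return counter_agree, ha.map(flow) == hb.map(flow)
```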