From: Tony Landells <ahl@austclear.com.au>
To: freebsd-security@FreeBSD.ORG
Subject: Re: distributed natd
Date: Fri, 10 Aug 2001 12:25:04 +1000
Message-Id: <200108100225.MAA23117@tungsten.austclear.com.au>
In-Reply-To: Your message of "Fri, 10 Aug 2001 03:21:58 +0200." <20010810032158.T3889@gnjilux.cc.fer.hr>

ike@gnjilux.srk.fer.hr said:
> I'm not sure I understood correctly - what are you aiming for? The
> performance increase due to two firewalls simultaneously processing
> traffic or the redundancy of having one firewall take over if the
> other fails?
> If it's the latter, I believe there are simpler solutions than
> rewriting natd.

Mostly the latter, with an additional (side benefit) of the former.

We have several "long-term" connections for application services that
go through our firewall(s). At the moment if one of the firewalls went
down we'd have a major exercise to change DNS, restart services, and so
on to switch everything across.

If we were using "virtual" addresses then the switchover would be more
or less transparent. However, we don't have a one-to-one mapping between
internal addresses and external addresses, so there is a chance that the
mapping one firewall would choose wouldn't be the same as that chosen by
the second. Hence my suggestion.

The side benefit is that I could then look at, for example, using
dynamic routing to get equal cost paths through each box for load
sharing when they're both up.

Tony
--
Tony Landells                        Senior Network Engineer
Ph: +61 3 9677 9319                  Australian Clearing Services Pty Ltd
Fax: +61 3 9677 9355                 Level 4, Rialto North Tower
                                     525 Collins Street
                                     Melbourne VIC 3000
                                     Australia
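A toy model of the mapping-divergence problem described above, added here as an illustration and not code from the thread or from natd: two translators share a pool of external addresses (many-to-many, not one-to-one), and with independent allocation the second box holds a different mapping for the same internal flow, so a failover breaks live connections. The pool, flows and the hash-derived "agreeing" allocator are constructed assumptions for the example; sharing state between the boxes is the other way to make them agree.

```python
"""Two natd-style translators mapping internal (ip, port) flows to an
external (ip, port) drawn from a shared pool of public addresses."""
import hashlib
import random

# Constructed sample data for the example; not from the original message.
EXTERNAL_POOL = ["203.0.113.10", "203.0.113.11", "203.0.113.12"]
FLOWS = [("10.1.1.5", 41000), ("10.1.1.6", 41001), ("10.1.1.7", 41002)]


class IndependentNat:
    """Each instance picks a free external address/port on its own,
    the way two uncoordinated firewalls would."""

    def __init__(self, seed):
        self.rng = random.Random(seed)  # seed stands in for per-box state
        self.table = {}

    def translate(self, flow):
        if flow not in self.table:
            self.table[flow] = (self.rng.choice(EXTERNAL_POOL),
                                self.rng.randint(1024, 65535))
        return self.table[flow]


class DeterministicNat:
    """Derives the mapping from the flow itself, so any instance that
    sees the same flow computes the same external address/port.
    (Assumed scheme for illustration; collisions between flows are not
    handled here, which real code would need to do.)"""

    def __init__(self):
        self.table = {}

    def translate(self, flow):
        if flow not in self.table:
            h = hashlib.sha256(f"{flow[0]}:{flow[1]}".encode()).digest()
            ext_ip = EXTERNAL_POOL[h[0] % len(EXTERNAL_POOL)]
            ext_port = 1024 + int.from_bytes(h[1:3], "big") % (65535 - 1023)
            self.table[flow] = (ext_ip, ext_port)
        return self.table[flow]


def mappings_agree(primary, standby, flows):
    """True only if the standby box would translate every live flow
    exactly as the primary did, i.e. failover would be transparent."""
    return all(primary.translate(f) == standby.translate(f) for f in flows)


if __name__ == "__main__":
    print("independent:", mappings_agree(IndependentNat(1), IndependentNat(2), FLOWS))
    print("deterministic:", mappings_agree(DeterministicNat(), DeterministicNat(), FLOWS))
```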