From owner-freebsd-security Fri Aug 10 5:47:22 2001
From: "Jeroen Massar"
To: "'Krzysztof Zaraska'", "'Tony Landells'"
Subject: RE: distributed natd
Date: Fri, 10 Aug 2001 14:47:14 +0200
Organization: Unfix
Message-ID: <000701c1219a$96206470$2a1410ac@kei.azr.nl>

On Friday, 10 August 2001, Krzysztof Zaraska wrote:
>
> On Fri, 10 Aug 2001, Tony Landells wrote:
>
> > The idea is to run two (or more) firewalls in parallel in such a way
> > that if one failed the other one would pick up the slack without users noticing.
>
> Seems interesting. :)

I thought of something like this before myself, but with a different viewing point: every gateway machine has an uplink to a separate provider, but still to the global internet (eg, telephone and GSM and satellite and cable linkups :). This though also implies that we have multiple external IPs, and thus sessions would be lost if an uplink would go down.

My idea was to do the following setup:

    Inet <-----> ISP1 <----> (a.a.a.a) Gate1 (10.0.0.1) <---> LAN
         <-----> ISP2 <----> (b.b.b.b) Gate2 (10.0.0.2) <--->
         <-----> ISP3 <----> (c.c.c.c) Gate3 (10.0.0.3) <--->

    GateNet <---> (192.168.0.1) Gate1
            <---> (192.168.0.2) Gate2
            <---> (192.168.0.3) Gate3

Whenever ISP1's uplink would go down, Gate1 would bring down its 10.0.0.1 IP and notify this to Gate2 and Gate3 over GateNet; the fastest of the two would then alias Gate1's LAN IP (10.0.0.1) and take over its service, and so on. If Gate1 gets its uplink back it would simply notify Gate2 & 3, who would bring down their 10.0.0.1 alias, and Gate1 would bring it up again.... et tada, we've got redundancy.

Client boxes on the LAN could have a 'preferred' gateway, either Gate1, 2 or 3, making some users go over the slowest line etc. Packets could also be redirected over the GateNet if needed... You could have PINGs between the Gates to check if the boxes themselves are still alive etc...

Of course this basically comes down to routing, though with BSD/* boxes and not redundant hardware routers (Cisco etc :)

Instead of aliasing the Gate's LAN IP one could also send Router Redirect ICMPs to the clients.

If one has the same outside IP on the gates.... you could transfer states between the boxes and keep on doing stuff. But I would only use that for redundant linkups. The hardware and OS should be 'trusted' to keep on running then :)

Greets,
Jeroen
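The takeover protocol sketched in the mail above (a gateway loses its ISP link, releases its LAN IP over GateNet, the fastest healthy peer aliases it, and the owner reclaims it when the link returns), as an added toy model. This is example code written for this page, not Jeroen's or FreeBSD's code; it does not touch real interfaces. The per-gateway "GateNet latency" number, the uplink and liveness booleans, and the `ping_sweep` step are assumptions used to make the race and the "PINGs between the Gates" idea concrete. It also goes slightly beyond the mail by handling chained failures: a box that already holds a taken-over alias and then fails hands all of its aliases on, and the model asserts the scheme's key invariant that no LAN IP is ever aliased on two boxes at once.

```python
"""Toy model of LAN-IP failover between gateways over a private GateNet."""
from dataclasses import dataclass, field


@dataclass
class Gateway:
    name: str
    lan_ip: str                 # the LAN address this box normally serves
    gatenet_latency_ms: int     # assumption: lower value == answers first on GateNet
    uplink_up: bool = True      # assumption: ISP link state as a boolean
    alive: bool = True          # assumption: box still answers GateNet pings
    aliases: set = field(default_factory=set)  # LAN IPs currently aliased here

    def __post_init__(self):
        self.aliases.add(self.lan_ip)

    def healthy(self):
        return self.alive and self.uplink_up


class GateNet:
    """The private net the gateways notify each other over."""

    def __init__(self, gateways):
        self.gw = {g.name: g for g in gateways}
        self.log = []

    def serving(self, lan_ip):
        """Which box answers for lan_ip right now (None if nobody does)."""
        owners = [g.name for g in self.gw.values() if lan_ip in g.aliases]
        # invariant of the scheme: never two boxes answering one LAN IP
        assert len(owners) <= 1, owners
        return owners[0] if owners else None

    def _elect(self, lan_ip, excluding):
        """Healthy peers race for lan_ip; the fastest on GateNet aliases it."""
        candidates = [g for g in self.gw.values()
                      if g.healthy() and g is not excluding]
        if not candidates:
            self.log.append(f"{lan_ip}: no healthy gateway left, unserved")
            return None
        winner = min(candidates, key=lambda g: g.gatenet_latency_ms)
        winner.aliases.add(lan_ip)
        self.log.append(f"{winner.name} -> GateNet: aliased {lan_ip}")
        for g in candidates:
            if g is not winner:
                self.log.append(f"{g.name}: heard {winner.name}'s alias, "
                                f"not claiming {lan_ip}")
        return winner.name

    def _release_all(self, g):
        """g drops every LAN IP it serves (own and taken-over) and announces it."""
        for ip in sorted(g.aliases):          # sorted() copies, so mutation is safe
            g.aliases.discard(ip)
            self.log.append(f"{g.name} -> GateNet: released {ip}")
            self._elect(ip, excluding=g)

    def uplink_down(self, name):
        g = self.gw[name]
        g.uplink_up = False
        self.log.append(f"{name}: ISP link down")
        self._release_all(g)

    def uplink_up(self, name):
        """Owner is back: whoever holds its alias drops it, owner re-adds it."""
        g = self.gw[name]
        g.uplink_up = True
        self.log.append(f"{name} -> GateNet: ISP link restored, "
                        f"reclaiming {g.lan_ip}")
        for p in self.gw.values():
            if p is not g and g.lan_ip in p.aliases:
                p.aliases.discard(g.lan_ip)
                self.log.append(f"{p.name}: dropped alias {g.lan_ip}")
        g.aliases.add(g.lan_ip)

    def ping_sweep(self):
        """Gates ping each other; a box that stops answering is failed over too."""
        for g in list(self.gw.values()):
            if not g.alive and g.aliases:
                self.log.append(f"GateNet: {g.name} not answering pings")
                self._release_all(g)


def run_scenario():
    """Constructed scenario: ISP1 dies, then ISP2, ISP1 returns, Gate3 box dies."""
    net = GateNet([Gateway("Gate1", "10.0.0.1", 5),
                   Gateway("Gate2", "10.0.0.2", 2),
                   Gateway("Gate3", "10.0.0.3", 9)])
    net.uplink_down("Gate1")                    # Gate2 is fastest, takes 10.0.0.1
    a = net.serving("10.0.0.1")
    net.uplink_down("Gate2")                    # only Gate3 healthy, takes both
    b = (net.serving("10.0.0.1"), net.serving("10.0.0.2"))
    net.uplink_up("Gate1")                      # Gate1 reclaims its own IP
    c = net.serving("10.0.0.1")
    net.gw["Gate3"].alive = False               # whole box dies, seen by pings
    net.ping_sweep()
    d = (net.serving("10.0.0.2"), net.serving("10.0.0.3"))
    return a, b, c, d, net.log


if __name__ == "__main__":
    *result, log = run_scenario()
    print("\n".join(log))
    print(result)
```

The `serving()` assertion is the part worth keeping in mind when building this for real: the scheme only works if the "released" and "aliased" announcements on GateNet are seen by every box before it acts, otherwise two gates can end up answering ARP for the same LAN IP and clients see exactly the flapping the design is meant to avoid.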