From owner-freebsd-security Fri Aug 10 18: 8:59 2001
Delivered-To: freebsd-security@freebsd.org
Date: Fri, 10 Aug 2001 12:19:25 +0200
From: Vadim Belman
To: freebsd-security@FreeBSD.ORG
Subject: Re: distributed natd
Message-ID: <20010810121922.E47532@unlink.catpipe.net>
Mail-Followup-To: Vadim Belman, freebsd-security@FreeBSD.ORG
References: <20010810032158.T3889@gnjilux.cc.fer.hr> <200108100225.MAA23117@tungsten.austclear.com.au>
In-Reply-To: <200108100225.MAA23117@tungsten.austclear.com.au>; from ahl@austclear.com.au on Fri, Aug 10, 2001 at 12:25:04PM +1000

On Fri, Aug 10, 2001 at 12:25:04PM +1000, Tony Landells wrote:
> > I'm not sure I understood correctly - what are you aiming for? The
> > performance increase due to two firewalls simultaneously processing
> > traffic or the redundancy of having one firewall take over if the
> > other fails?
> >
> > If it's the latter, I believe there are simpler solutions than
> > rewriting natd.
>
> Mostly the latter, with an additional (side benefit) of the former.
>
> We have several "long-term" connections for application services
> that go through our firewall(s). At the moment if one of the firewalls
> went down we'd have a major exercise to change DNS, restart services,
> and so on to switch everything across.
>
> If we were using "virtual" addresses then the switchover would be
> more or less transparent.
>
> However, we don't have a one-to-one mapping between internal addresses
> and external addresses, so there is a chance that the mapping one
> firewall would choose wouldn't be the same as that chosen by the
> second.
>
> Hence my suggestion.
>
> The side benefit is that I could then look at, for example, using
> dynamic routing to get equal cost paths through each box for load
> sharing when they're both up.

I would point you to http://www.f5.com. Price might be of some concern here, of course, but BIG-IP is a really good solution here.

--
/Voland Vadim Belman
E-mail: voland@lflat.org