Failover of FreeBSD firewall with ipfw/natd
dap99 at i-55.com
Sat Jan 10 08:38:09 PST 2004
Apologies for the first empty post.
I am running FreeBSD 4.8-REL with ipfw and natd. My firewall has a primary
IP address and several other IP addresses aliased on the public interface.
This firewall serves as a gateway and performs NAT for a set of servers
offering web, email, and HTTPS. We have two machines that can serve as the
firewall: One is the primary firewall, and the second can be brought up
manually as the firewall in case of a failure of the first machine.
I would like to automate the process of failover for the firewall.
Counting the backup firewall, which is also the file and database server, we
have four internal servers, all FreeBSD 4.8-REL.
I am looking for suggestions on the best way to solve the failover problem.
In my mind, the following needs to happen if the primary firewall dies:
1. The backup firewall needs to recognize that the primary firewall is
2. The backup firewall needs to bring up the public IP addresses on its
3. The backup firewall needs to activate the firewall ruleset.
4. The backup firewall needs to bring up natd.
5. The internal machines need to recognize the backup firewall as the
First of all, are there any tools available that will help automate this
process? I should be able to do availability checks between the primary and
backup firewalls using something like heartbeat, but I am open to other
Second, how are you solving this problem with FreeBSD and ipfw/natd?
The third question concerns testing if a firewall is actually dead rather
than the backup firewall losing connectivity. I will be using something
along the lines of this test:
If the backup firewall cannot connect to the primary firewall
and the backup firewall can connect to the outside world
and the backup firewall can connect to the internal network
How are you solving this problem?
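The three-way liveness test and takeover steps 2 through 5 described above, written up as an added example (not code from the original post) as a Bourne shell script the backup box would run from cron. The addresses, interface names and ruleset path are assumptions; `ping -t` is the FreeBSD per-run timeout flag.

```shell
#!/bin/sh
# Added example for a backup ipfw/natd gateway. All addresses, interfaces
# and paths below are constructed assumptions, not values from the post.
PRIMARY_INT=192.168.1.1          # primary's internal address, also the LAN gateway (assumed)
OUTSIDE_REF=198.51.100.1         # upstream router, reachable only via the public link (assumed)
INSIDE_REF=192.168.1.20          # an always-on internal server (assumed)
PUBLIC_IF=fxp0;  INSIDE_IF=xl0   # backup's interfaces (assumed)
PUBLIC_IPS="203.0.113.10 203.0.113.11"   # aliases to take over (assumed)
RULESET=/etc/ipfw.failover.rules         # file read by 'ipfw -q <file>' (assumed)

# reachable HOST: returns 0 when one echo request is answered within 2 s.
reachable() { ping -c 1 -t 2 "$1" >/dev/null 2>&1; }

# decide PRIMARY OUTSIDE INSIDE (each 0=reachable, 1=unreachable). Prints:
#   healthy  - primary answered, nothing to do
#   failover - primary silent but backup still sees both sides: primary is dead
#   isolated - backup cannot see outside or inside, so it is probably the
#              backup that lost connectivity; never fail over on that evidence
decide() {
    if [ "$1" -eq 0 ]; then echo healthy
    elif [ "$2" -eq 0 ] && [ "$3" -eq 0 ]; then echo failover
    else echo isolated
    fi
}

# takeover: steps 2-5 of the post, on the backup box.
takeover() {
    for ip in $PUBLIC_IPS; do                          # step 2: public addresses
        ifconfig "$PUBLIC_IF" alias "$ip" netmask 255.255.255.255
    done
    ipfw -q -f flush                                   # step 3: ruleset; the file
    ipfw -q "$RULESET"                                 # must carry the natd divert rule
    natd -n "$PUBLIC_IF"                               # step 4: natd on the public interface
    ifconfig "$INSIDE_IF" alias "$PRIMARY_INT" netmask 255.255.255.255   # step 5: gateway IP
}

main() {
    reachable "$PRIMARY_INT"; p=$?
    reachable "$OUTSIDE_REF"; o=$?
    reachable "$INSIDE_REF";  i=$?
    case "$(decide "$p" "$o" "$i")" in
        failover) logger -t failover "primary unreachable, taking over"; takeover ;;
        isolated) logger -t failover "backup isolated, not failing over" ;;
    esac
}

# Run the probe only when invoked as FAILOVER_RUN=1 (e.g. from cron on the backup).
if [ "${FAILOVER_RUN:-0}" = 1 ]; then main; fi
```

Internal hosts keep the old gateway MAC in their ARP caches until the entry expires, so step 5 takes effect only after that timeout unless the caches are cleared.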