Multiple Firewalls with ipfilter?
Roger
raqlist at fareham.org
Thu Mar 27 01:17:23 PST 2003
You would have to fake up the MAC addresses on the Ethernet ports (otherwise
the ARP tables will be wrong), and sync the TCP/IP stack's state for it
to work. That would need more than a serial port to sync.
Roger.
Date sent: Wed, 26 Mar 2003 16:30:48 -0500 (EST)
From: Matt Piechota <piechota at argolis.org>
To: Michael Richards <michael at fastmail.ca>
Copies to: freebsd-security at freebsd.org
Subject: Re: Multiple Firewalls with ipfilter?
> On Wed, 26 Mar 2003, Michael Richards wrote:
>
> > We're supposed to provide redundant firewall service. I'm wondering
> > if anyone has ever tried to do this and if it's realistic. Basically
> > 2 firewall machines hooked up so if one fails the other will
> > transparently step in. I've googled it to death without much luck.
> >
> > The security issue here lies in that the 2 firewalls can't talk to
> > each other. So if I'm keeping state on a connection then the second
> > firewall has to know about that connection otherwise it will close if
> > that firewall dies.
>
> Caveat: I haven't tried any of this, and there may be a canned solution I
> don't know about.
>
> If I were doing this, I'd do a serial connection between the two boxes (I
> assume they're in the same room). If you're just looking for failover
> (and not load balancing), you could designate one to be the master, and
> whenever it adds or deletes a dynamic rule, it prints it out to the serial
> port. The slave machine watches the serial port and adds rules when it
> sees them come over.
>
> That'll basically work, although you really need to do some sort of
> handshaking, heart beat, and sync (so when the master comes back, it can
> read in the new rules the slave created while it was minding the shop).
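The master/slave sync Matt sketches above, modelled as an added example (not code from the thread or from ipfilter): one text line per add/delete, a heartbeat, and a full resync when the master comes back. The message format, sequence numbers and connection entries are assumptions, and it covers only the rule sync, not the MAC and TCP/IP stack state Roger notes would also be needed.

```python
# Added example, not code from the thread: a model of the master/slave rule sync
# Matt sketches (one line per add/delete, a heartbeat, full resync on failback).
# Entries are constructed placeholders, not real ipfilter state-table records.
from dataclasses import dataclass, field

@dataclass
class Firewall:
    state: set = field(default_factory=set)  # dynamic entries, "proto src>dst"
    seq: int = 0                              # last sequence number applied/emitted

    def emit(self, op: str, entry: str) -> str:
        """Master: apply the change locally, then print it as one serial line."""
        self.seq += 1
        self._apply(op, entry)
        return f"{op} {self.seq} {entry}"

    def heartbeat(self) -> str:
        return f"HB {self.seq}"             # lets the peer detect drift or a dead master

    def receive(self, line: str) -> str:
        """Slave: apply one line from the wire; NAK means 'send me a full dump'."""
        op, seq, *rest = line.split(" ", 2)
        if op == "HB":
            return "ACK" if int(seq) == self.seq else "NAK"
        if int(seq) != self.seq + 1:         # a line was lost on the link
            return "NAK"
        self.seq = int(seq)
        self._apply(op, rest[0])
        return "ACK"

    def resync_from(self, other: "Firewall") -> None:
        """Full-table copy, e.g. the returning master reads the slave's rules."""
        self.state, self.seq = set(other.state), other.seq

    def _apply(self, op: str, entry: str) -> None:
        (self.state.add if op == "ADD" else self.state.discard)(entry)

def failover_scenario() -> tuple[set, set]:
    """Master syncs two entries, dies, slave minds the shop, master returns."""
    master, slave = Firewall(), Firewall()
    for op, entry in [("ADD", "tcp 10.0.0.5:4321>192.0.2.1:80"),
                      ("ADD", "tcp 10.0.0.6:5555>192.0.2.1:443")]:
        assert slave.receive(master.emit(op, entry)) == "ACK"
    assert slave.receive(master.heartbeat()) == "ACK"   # tables agree
    slave.emit("DEL", "tcp 10.0.0.5:4321>192.0.2.1:80")  # master is down now
    slave.emit("ADD", "udp 10.0.0.7:53000>192.0.2.2:53")
    if slave.receive(master.heartbeat()) == "NAK":      # master back: stale seq
        master.resync_from(slave)
    return master.state, slave.state
```

A real deployment would also need the slave to detect missed heartbeats (timeout) before taking over, which the model leaves to the caller.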