Multiple Firewalls with ipfilter?

Roger raqlist at fareham.org
Thu Mar 27 01:17:23 PST 2003


You would have to fake up the MAC addresses on the Ethernet ports (otherwise 
the ARP tables will be wrong), and sync the TCP/IP stack's state for it 
to work.  That would need more than a serial port to sync.

Roger.


Date sent:      	Wed, 26 Mar 2003 16:30:48 -0500 (EST)
From:           	Matt Piechota <piechota at argolis.org>
To:             	Michael Richards <michael at fastmail.ca>
Copies to:      	freebsd-security at freebsd.org
Subject:        	Re: Multiple Firewalls with ipfilter?

> On Wed, 26 Mar 2003, Michael Richards wrote:
> 
> > We're supposed to provide redundant firewall service. I'm wondering
> > if anyone has ever tried to do this and if it's realistic. Basically
> > 2 firewall machines hooked up so if one fails the other will
> > transparently step in. I've googled it to death without much luck.
> >
> > The security issue here lies in that the 2 firewalls can't talk to
> > each other. So if I'm keeping state on a connection then the second
> > firewall has to know about that connection otherwise it will close if
> > that firewall dies.
> 
> Caveat: I haven't tried any of this, and there may be a canned solution I
> don't know about.
> 
> If I were doing this, I'd do a serial connection between the two boxes (I
> assume they're in the same room).  If you're just looking for failover
> (and not load balancing), you could designate one to be the master, and
> whenever it adds or deletes a dynamic rule, it prints it out to the serial
> port.  The slave machine watches the serial port and adds rules when it
> sees them come over.
> 
> That'll basically work, although you really need to do some sort of
> handshaking, heart beat, and sync (so when the master comes back, it can
> read in the new rules the slave created while it was minding the shop).
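The master/slave line protocol Matt sketches above (the master prints each dynamic rule add or delete as a line, plus the sequence numbers, heartbeat and resync he says it really needs), written out as an added example in Python; it is not code from the thread or from ipfilter, and the message format, the `Master`/`Standby` names and the `hb_timeout` parameter are my assumptions, with the actual serial I/O and the ipfilter rule installation left out.

```python
from typing import Dict, List, Tuple

Key = Tuple[str, str, int, str, int]  # (proto, src, sport, dst, dport)

class Master:
    """Active firewall: numbers each state change and writes it as one text line."""
    def __init__(self) -> None:
        self.seq = 0
        self.table: Dict[Key, str] = {}

    def _emit(self, op: str, *fields: object) -> str:
        self.seq += 1  # gap-free counter lets the standby notice a lost line
        return " ".join([op, str(self.seq), *map(str, fields)])

    def add(self, key: Key, state: str) -> str:
        self.table[key] = state
        return self._emit("ADD", *key, state)
    def delete(self, key: Key) -> str:
        self.table.pop(key, None)
        return self._emit("DEL", *key)
    def heartbeat(self) -> str:
        return self._emit("HB")
    def full_sync(self) -> List[str]:  # RESET plus the whole table, sent on a reported gap
        return [self._emit("RESET")] + [self._emit("ADD", *k, s) for k, s in self.table.items()]

class Standby:
    """Passive firewall: mirrors the table, detects lost lines and a silent master."""
    def __init__(self, hb_timeout: float = 3.0) -> None:
        self.table: Dict[Key, str] = {}
        self.expected = 1     # next sequence number we should see
        self.last_seen = 0.0  # time of the last line of any kind (heartbeats count)
        self.gap = False      # table untrustworthy until a RESET arrives
        self.hb_timeout = hb_timeout

    def feed(self, line: str, now: float) -> str:
        op, seq, *rest = line.split()
        self.gap = self.gap or int(seq) != self.expected  # dropped or reordered line
        self.expected, self.last_seen = int(seq) + 1, now
        if op == "RESET":
            self.table.clear()
            self.gap = False
        elif op in ("ADD", "DEL"):
            key: Key = (rest[0], rest[1], int(rest[2]), rest[3], int(rest[4]))
            if op == "ADD":
                self.table[key] = rest[5]
            else:
                self.table.pop(key, None)
        return op
    def master_alive(self, now: float) -> bool:
        return now - self.last_seen < self.hb_timeout
```

This mirrors only the firewall's own dynamic-rule table; as Roger's reply points out, the kernel's TCP state and the MAC/ARP takeover on the Ethernet side are a separate problem that a serial line does not solve.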
