Multiple Firewalls with ipfilter?

Mike Hoskins mike at adept.org
Fri Mar 28 14:50:16 PST 2003


On Wed, 26 Mar 2003, randall ehren wrote:
> > We're supposed to provide redundant firewall service. I'm wondering
> > if anyone has ever tried to do this and if it's realistic. Basically
> > 2 firewall machines hooked up so if one fails the other will
> > transparently step in. I've googled it to death without much luck.
> http://www.isber.ucsb.edu/~randall/firewall/redundant/
> I have this setup in use at work; it's an automatic failover but does not
> keep existing connections, so things like SSH sessions would be dropped.

Nice setup...  If reliability is such a concern, the original poster could
also move the state 'in front' of the firewalls, i.e. invest in some
stateful load balancers.

I've asked a similar question in the past, and had the stateful (BSD)
firewall discussion a few times, and that's often the suggestion that gets
thrown around.  I agree an alternative would be nice if you're on a
budget, but you often get what you pay for.  Using something new and/or
experimental may not be the best option based upon the type of traffic
these firewalls will be passing.

-mrh


