Cluster Software for HA/LB FreeBSD IPFilter Firewalls

Andy Sporner sporner at
Mon Aug 11 02:54:00 PDT 2003

Hi Matt,

Thanks for the complement!

As I have been saying for some time now :-( I will be having a new
version coming out.  (promises... Promises... :-)  It has some additional
flexibility in terms of scheduling.  There is a load balancer and a
directory shadowing utility (which I worked on in a paradise on the
south of France -- Thanks Mike!)  I hope 1.9.03 is reasonable as a
release date--I should have support for FreeBSD 4.7 4.8 and 5.0 5.1
In the moment there are no plans for NetBSD.  If there is interest
somebody speak up--but since this is a FreeBSD list there probably
isn't any.

The short answer is two create two resources.  As I recall correctly that
as the schedule starts to find nodes to assign the resources to it will
look at already running resources and calculate their mass on the machine
and choose the machine with the least mass (or usage--sorry in a physics
rut!) to assign the 2nd resource.  VERY IMPORTANT-- you must assign
a weight to the resource--otherwise all things will look equal and both
resources will start on the same node.

Hope this helps.


Matthew Swinbourne wrote:

>Hi All,
>I've been looking around for a HA/Load Balancing solution for my FreeBSD
>based ipfilter firewalls.  I would like to have two (or more) physically
>separate servers performing filtering on multiple networks.  All systems
>(nodes) in this cluster would have a common ipfilter rule set, and would be
>able to bring up and down vlan interfaces as the cluster state dictated.
>After a little net trawling I came across Andy Sporner's FreeBSD cluster
>software. (Thanks Andy if you're listening)  I've had this running for a
>while now and it works almost perfectly.  However, with one caveat, that is,
>it only appears to allow Active/Passive cluster setups.
>In the ultimate solution to my problem, the cluster would be Active/Active.
>Obviously for load, and bandwidth balancing reasons.
>The question therefore is, has anybody either grown their own solution to
>this problem, found other open source software to do so, or hacked up Andy
>Sporner's code to do so.  The later is what I'm thinking of doing.
>Many thanks
>Matthew Swinbourne
>Manager, Network Services
>University of Queensland Cybrary
>St Lucia, QLD 4072
>m.swinbourne at
>freebsd-cluster at mailing list
>To unsubscribe, send any mail to "freebsd-cluster-unsubscribe at"

More information about the freebsd-cluster mailing list