Multiple Firewalls with ipfilter?

Matt Piechota piechota at argolis.org
Wed Mar 26 21:30:59 PST 2003


On Wed, 26 Mar 2003, Michael Richards wrote:

> We're supposed to provide redundant firewall service. I'm wondering
> if anyone has ever tried to do this and if it's realistic. Basically
> 2 firewall machines hooked up so if one fails the other will
> transparently step in. I've googled it to death without much luck.
>
> The security issue here lies in that the 2 firewalls can't talk to
> each other. So if I'm keeping state on a connection then the second
> firewall has to know about that connection otherwise it will close if
> that firewall dies.

Caveat: I haven't tried any of this, and there may be a canned solution I
don't know about.

If I were doing this, I'd do a serial connection between the two boxes (I
assume they're in the same room).  If you're just looking for failover
(and not load balancing), you could designate one to be the master, and
whenever it adds or deletes a dynamic rule, it prints it out to the serial
port.  The slave machine watches the serial port and adds rules when it
sees them come over.

That'll basically work, although you really need to do some sort of
handshaking, heartbeat, and sync (so when the master comes back, it can
read in the new rules the slave created while it was minding the shop).

I suspect matching 'expect' scripts tied to the serial lines could get the
job done.  Something like switch on:
RULEADD - ipfw add $rest_of_line
RULEDEL - this'll be a little tougher since you'll have to match the rule
          to the number (unless you always add the rule with the
          number from the master)
RULEDMP - ipfw list
HRTBEAT - actually, you don't really need this, but it's nice to keep
          status.

Just an idea.

-- 
Matt Piechota
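
The serial-line protocol sketched in the post above, worked out as an added Python example (my code, not Matt's and not anything shipped with FreeBSD or ipfw): master-side encoders for RULEADD and RULEDMP, and a receiving-side parser that applies RULEADD/RULEDEL/RULEDMP/HRTBEAT lines to an in-memory rule table standing in for `ipfw add`/`ipfw delete`. Assumptions not in the post: the master always sends its own rule number, so RULEDEL matches by number rather than by rule text; a RULEDMP is framed with BEGIN/END so a full resync swaps the table atomically; and the serial lines in `SERIAL_LOG` are constructed, not a capture. The parser whitelists the rule text, because an expect script that does `ipfw add $rest_of_line` would otherwise execute whatever arrived on the wire.

```python
"""Master/slave firewall rule sync over a serial line (added example).

Not the original post's code. Assumptions: one newline-terminated ASCII
message per event; the master always includes its own ipfw rule number, so
RULEDEL matches by number; a RULEDMP is framed BEGIN/END so the receiver can
swap in the new table atomically. A dict stands in for ipfw's rule table and
a constructed list of lines stands in for the serial port.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Message grammar: KEYWORD [argument text]
MSG_RE = re.compile(r"^(RULEADD|RULEDEL|RULEDMP|HRTBEAT)(?:\s+(.*))?$")
# Whitelist for rule text: enough for "allow tcp from 10.0.0.5 to any 22 keep-state"
# but no shell metacharacters, so a line off the wire can never turn into an
# injection if the slave hands it to `ipfw add` through a shell.
RULE_TEXT_RE = re.compile(r"^[A-Za-z0-9 ./:,_{}-]+$")


def encode_add(num: int, rule: str) -> str:
    """Master side: written to the serial port whenever a rule is added."""
    return f"RULEADD {num} {rule}"


def encode_dump(rules: dict) -> list:
    """Full ruleset (the `ipfw list` case), framed for an atomic resync."""
    body = [encode_add(n, r) for n, r in sorted(rules.items())]
    return ["RULEDMP BEGIN"] + body + ["RULEDMP END"]


@dataclass
class Peer:
    """Receiving side: the slave while the master is up, and the master when
    it reads the slave's rules back in after a failover."""
    rules: dict = field(default_factory=dict)
    last_heartbeat: Optional[int] = None
    rejected: list = field(default_factory=list)
    _pending: Optional[dict] = None   # table being assembled during a RULEDMP

    def apply(self, line: str) -> bool:
        """Apply one message; return False (and record it) if it is malformed."""
        m = MSG_RE.match(line.rstrip("\r\n"))
        if m:
            cmd, rest = m.group(1), (m.group(2) or "")
            if cmd == "HRTBEAT" and rest.isdigit():
                self.last_heartbeat = int(rest)
                return True
            if cmd == "RULEADD":
                num, _, rule = rest.partition(" ")
                if num.isdigit() and RULE_TEXT_RE.match(rule):
                    target = self._pending if self._pending is not None else self.rules
                    target[int(num)] = rule
                    return True
            if cmd == "RULEDEL" and self._pending is None:
                if rest.isdigit() and int(rest) in self.rules:
                    del self.rules[int(rest)]
                    return True
            if cmd == "RULEDMP":
                if rest == "BEGIN" and self._pending is None:
                    self._pending = {}
                    return True
                if rest == "END" and self._pending is not None:
                    self.rules, self._pending = self._pending, None
                    return True
        self.rejected.append(line)   # never executed; surfaced for the operator
        return False

    def feed(self, lines) -> list:
        return [self.apply(line) for line in lines]


# Constructed sample of what the master wrote to the serial port; not a capture.
SERIAL_LOG = [
    "HRTBEAT 1",
    "RULEADD 100 allow tcp from 10.0.0.5 to 192.0.2.10 22 keep-state",
    "RULEADD 110 allow udp from 10.0.0.5 to 192.0.2.53 53 keep-state",
    "RULEDEL 100",
    "RULEADD 120 allow tcp from any to any; rm -rf /",   # rejected: metacharacters
    "GARBAGE",                                          # rejected: unknown keyword
    "HRTBEAT 2",
]


def demo():
    """Slave tracks the master's stream; then the master comes back and
    rebuilds its own table from the slave's RULEDMP."""
    slave = Peer()
    slave.feed(SERIAL_LOG)
    master = Peer()
    master.feed(encode_dump(slave.rules))
    return slave, master


if __name__ == "__main__":
    s, m = demo()
    print("slave rules:", s.rules, "rejected:", s.rejected)
    print("master after resync:", m.rules)
```

Running `demo()` leaves the slave with only rule 110 (100 was deleted by number, 120 and the garbage line were refused and logged), and the master, once it is back, gets the same table from a single framed RULEDMP rather than from a rule-by-rule replay it might interleave with live traffic. The same `Peer` class works in both directions, which is the point of the handshake the post asks for.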


More information about the freebsd-security mailing list