Multiple Firewalls with ipfilter?

Etienne Ledoux etienne at unix.za.org
Thu Mar 27 06:10:46 PST 2003


I guess this idea isn't as good but it worked for me.

I used ipf (ipfw or anything else should work too) with freevrrpd.

Both master and slave firewalls are exactly the same except that my
second firewall had two extra rules right at the top:

# Allow all established connections
pass in quick proto tcp all flags A/SA keep state keep frags
pass out quick proto tcp all flags A/SA keep state keep frags
#pass in quick proto udp all keep state keep frags
#pass out quick proto udp all keep state keep frags

This automatically creates the state entries for established connections
as soon as the other firewall goes down. But I guess most people won't
like having those rules in their rulebase.


e.

On Wed, 2003-03-26 at 22:57, Michael Richards wrote:
> We're supposed to provide redundant firewall service. I'm wondering 
> if anyone has ever tried to do this and if it's realistic. Basically 
> 2 firewall machines hooked up so if one fails the other will 
> transparently step in. I've googled it to death without much luck.
> 
> The security issue here lies in that the 2 firewalls can't talk to 
> each other. So if I'm keeping state on a connection then the second 
> firewall has to know about that connection otherwise it will close if 
> that firewall dies.
> 
> Any ideas?
> 
> -Michael

> _______________________________________________
> freebsd-security at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org"
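To make the effect of the two "flags A/SA" rules visible, here is an added Python model (written for this page; it is not ipf code and not Etienne's) of how ipf evaluates a "flags X/Y" clause, i.e. (segment flags AND mask Y) == X. Run over a few constructed TCP segments, it shows that the rules accept every segment with ACK set and SYN clear, whether or not it belongs to a connection the firewall has seen; the assumed default mask when no "/Y" is given is marked in the code.

```python
# Added example: model ipf's "flags X/Y" clause to show what the
# failover rules "pass ... proto tcp all flags A/SA keep state" accept.

# ipf flag letters: FIN, SYN, RST, PSH, ACK, URG (TCP header bit values)
TCP_FLAGS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}


def flag_bits(letters: str) -> int:
    """Convert an ipf flag string such as 'SA' or 'AP' to a bitmask."""
    bits = 0
    for ch in letters:
        bits |= TCP_FLAGS[ch]
    return bits


def ipf_flags_match(segment_flags: str, clause: str) -> bool:
    """Evaluate 'flags X/Y': the segment's flags masked by Y must equal X."""
    wanted, _, mask = clause.partition("/")
    if not mask:
        # Assumption: with no mask given, compare against all six flag bits.
        mask = "FSRPAU"
    return (flag_bits(segment_flags) & flag_bits(mask)) == flag_bits(wanted)


def classify(segments, clause="A/SA"):
    """Return the names of the constructed segments the clause would pass."""
    return [name for name, flags in segments if ipf_flags_match(flags, clause)]


# Constructed sample segments (not captured traffic), named by their role.
SAMPLE_SEGMENTS = [
    ("syn_from_client", "S"),        # new connection attempt: rejected
    ("synack_from_server", "SA"),    # handshake reply: rejected
    ("ack_midstream", "A"),          # established traffic: passed
    ("data_push", "AP"),             # data segment: passed
    ("fin_ack", "AF"),               # teardown: passed
    ("rst_ack", "AR"),               # reset: passed
    ("unsolicited_ack_probe", "A"),  # ACK with no prior state: also passed
]

if __name__ == "__main__":
    # The last entry is indistinguishable from mid-stream traffic, which is
    # why the rules create state for anything that is not a SYN.
    for name in classify(SAMPLE_SEGMENTS):
        print(name)
```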