Re: Firewall Failover with pfsync and CARP

From: Scoobynux (scoobynux_NOSPAM__at_virgilio.it)
Date: 04/02/04


Date: Thu, 01 Apr 2004 22:41:32 GMT

Hi,
we are using CARP + pfsync + VLAN in order to build a firewall cluster
and also to guard against the possible failure of one network card.
The system has proven very stable, although it has not yet been released in
a stable version.

Andrea.

Daniel Hartmeier wrote:

> OpenBSD developer Ryan McBride <mcbride@openbsd.org> explains the new
> firewall redundancy features in the upcoming OpenBSD 3.5 release[1]
> in his article
>
> Firewall Failover with pfsync and CARP
> http://www.countersiege.com/doc/pfsync-carp/
>
> CARP (Common Address Redundancy Protocol) is a free alternative to the
> patent-encumbered VRRP, responsible for electing masters in a firewall
> cluster, while pfsync synchronizes packet filter state information among
> nodes.
>
> The combination allows replacing single-point-of-failure firewalls with
> clusters of two (or more) nodes, which continue to filter ongoing and new
> connections when nodes fail. Additional features like arpbalance allow
> sharing a single IP address among multiple servers, transparently balancing
> load among them, and adapting to servers failing.
>
> Pre-order[2] for OpenBSD 3.5 has started, CDs will ship May 1st.
>
> Daniel
>
> [1] http://www.openbsd.org/35.html
> [2] http://www.openbsd.org/orders.html

-- 
++++++++++++++++++++++++++++++++++++
Scoobynux - scoobynux(AT)virgilio.it
Powered by SuSE Linux 9.0
Linux Registered User #286651
Linux Registered Machine #168409
++++++++++++++++++++++++++++++++++++
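The two-node CARP + pfsync setup the thread discusses, as an added configuration example (not from the original posts or from McBride's article). Interface names (em0/em1/em2), addresses, vhids, the CARP passwords and the pfsync link subnet are all made up for illustration; the hostname.if(5) and pf.conf(5) syntax is that of current OpenBSD (the `syncdev` keyword, the `carp` protocol name), which differs in detail from the 3.5-era release the thread is about.

```conf
# /etc/sysctl.conf  (identical on both nodes)
net.inet.carp.allow=1      # accept CARP advertisements (the default)
net.inet.carp.preempt=1    # a node with a better advskew may take over, AND if one
                           # physical CARP-carrying link dies the node demotes all of
                           # its CARP groups, so both sides fail over together.
                           # This is what covers the "one NIC fails" case.

# /etc/hostname.carp0  (fw1, preferred master: advskew 0)  -- external side
inet 192.0.2.1 255.255.255.0 192.0.2.255 vhid 1 pass ExtSecret advskew 0
# /etc/hostname.carp1  (fw1)                               -- internal side
inet 192.168.1.1 255.255.255.0 192.168.1.255 vhid 2 pass IntSecret advskew 0
# fw2 carries the same two files with the same addresses, vhids and passwords;
# only 'advskew 100' differs, making fw2 the backup.

# /etc/hostname.pfsync0  (both nodes; em2 is a dedicated crossover cable)
up syncdev em2

# /etc/pf.conf  (both nodes) -- only the rules the cluster itself needs
ext_if  = "em0"
int_if  = "em1"
sync_if = "em2"

pass quick on lo0
block log all

# CARP advertisements (IP protocol 112) are sent on the physical interfaces,
# not on carp0/carp1, so they must be passed there.
pass quick on { $ext_if, $int_if } proto carp keep state

# pfsync traffic is neither authenticated nor encrypted (see pfsync(4)):
# anyone who can inject on this segment can insert or delete states on both
# firewalls.  Allow it only on the dedicated sync link and drop everything
# else that shows up on that wire.
pass quick on $sync_if proto pfsync
block drop quick on $sync_if

# Ordinary filtering is written against the physical interfaces; the states
# these rules create are what pfsync replicates to the other node.
pass in  on $int_if inet from $int_if:network to any keep state
pass out on $ext_if inet from $int_if:network to any keep state
```

Two checks after bringing the pair up: `ifconfig carp0` on each node should show exactly one MASTER and one BACKUP per vhid, and `pfctl -ss` on the backup should list the same states as the master once a connection has been opened through it; if the sync link is anything other than a point-to-point cable between the two firewalls, run pfsync over IPsec or not at all.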

