
Multiple Firewalls with ipfilter?



I guess this idea isn't as good but it worked for me.

I used ipf (ipfw or anything else should work too) with freevrrpd.

Both master and slave firewalls are exactly the same, except that my
second firewall had two extra rules right at the top:

# Allow all established connections
# flags A/SA: of the SYN and ACK bits, only ACK may be set, i.e. a packet
# belonging to an already-established connection (a bare SYN or a SYN/ACK
# does not match). "all" matches any source/destination address and port.
pass in quick proto tcp all flags A/SA keep state keep frags
pass out quick proto tcp all flags A/SA keep state keep frags
# UDP equivalents (UDP has no handshake flags to key on), left commented out
#pass in quick proto udp all keep state keep frags
#pass out quick proto udp all keep state keep frags

This automatically creates the state entries for established connections
as soon as the other firewall goes down. But I guess most people won't
like having those rules in their rulebase.


e.

On Wed, 2003-03-26 at 22:57, Michael Richards wrote:
> We're supposed to provide redundant firewall service. I'm wondering 
> if anyone has ever tried to do this and if it's realistic. Basically 
> 2 firewall machines hooked up so if one fails the other will 
> transparently step in. I've googled it to death without much luck.
> 
> The security issue here lies in that the 2 firewalls can't talk to 
> each other. So if I'm keeping state on a connection then the second 
> firewall has to know about that connection otherwise it will close if 
> that firewall dies.
> 
> Any ideas?
> 
> -Michael

> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
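To make concrete what the two `flags A/SA keep state` rules above do on the slave firewall when it takes over with an empty state table, here is a small model of ipfilter's `flags F/M` matching and a toy stateful filter built on it. This is an added example written for this page, not code from the poster or from ipfilter; the flag letters and the rule that `flags S` alone means `flags S/FSRPAU` follow ipf(5), while the firewall model, the "rest of the rulebase" stand-in (new connections only to a web server) and all addresses and packets are constructed for illustration.

```python
"""Model of ipfilter 'flags F/M' matching and of the effect of the poster's
'pass in quick proto tcp all flags A/SA keep state' rule on a firewall that
has just taken over and has no state yet.  Constructed example; the firewall
below is a toy, not ipf, and the packets/addresses are made up."""

from dataclasses import dataclass, field

# ipf flag letters -> TCP header bits (F S R P A U as in ipf(5)).
TCP_FLAGS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}
# Mask ipf uses when a rule says e.g. 'flags S' with no '/mask' part.
ALL_FLAGS = sum(TCP_FLAGS.values())


def flag_bits(letters: str) -> int:
    """'PA' -> 0x18.  Unknown letters raise KeyError, like ipf rejecting the rule."""
    bits = 0
    for ch in letters:
        bits |= TCP_FLAGS[ch]
    return bits


def parse_flags(spec: str) -> tuple[int, int]:
    """'A/SA' -> (bits that must be set, bits that are compared)."""
    set_part, _, mask_part = spec.partition("/")
    want = flag_bits(set_part)
    mask = flag_bits(mask_part) if mask_part else ALL_FLAGS
    return want, mask


def flags_match(spec: str, pkt_flags: int) -> bool:
    """True when the packet's flags, restricted to the mask, equal the wanted set."""
    want, mask = parse_flags(spec)
    return (pkt_flags & mask) == want


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


@dataclass
class Firewall:
    """Toy stateful filter: a state table plus a fixed, ordered inbound rulebase."""
    established_rule: bool  # is the poster's extra 'A/SA keep state' rule present?
    state: set = field(default_factory=set)

    @staticmethod
    def _key(p: Packet) -> frozenset:
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def filter(self, p: Packet) -> str:
        if self._key(p) in self.state:
            return "pass (state)"
        # Poster's rule: pass in quick proto tcp all flags A/SA keep state keep frags
        if self.established_rule and flags_match("A/SA", p.flags):
            self.state.add(self._key(p))
            return "pass (A/SA, state created)"
        # Stand-in for the rest of the rulebase (constructed): new connections
        # are only allowed to the web server at 10.0.0.80:80.
        if flags_match("S/SA", p.flags) and (p.dst, p.dport) == ("10.0.0.80", 80):
            self.state.add(self._key(p))
            return "pass (new connection)"
        return "block"


def failover_demo(with_rule: bool) -> dict[str, str]:
    """The slave has just become master: empty state table, three packets arrive."""
    fw = Firewall(established_rule=with_rule)
    # Mid-stream segment of a session the old master had state for.
    midstream = Packet("192.0.2.10", 40000, "10.0.0.80", 80, flag_bits("PA"))
    # A brand-new connection attempt to the web server.
    new_syn = Packet("192.0.2.11", 40001, "10.0.0.80", 80, flag_bits("S"))
    # An ACK-only packet for which no session ever existed (e.g. an ACK scan).
    forged_ack = Packet("198.51.100.7", 1234, "10.0.0.25", 22, flag_bits("A"))
    return {
        "midstream": fw.filter(midstream),
        "new_syn": fw.filter(new_syn),
        "forged_ack": fw.filter(forged_ack),
    }


if __name__ == "__main__":
    for with_rule in (False, True):
        print(f"A/SA rule present: {with_rule}")
        for name, verdict in failover_demo(with_rule).items():
            print(f"  {name:11s} -> {verdict}")
```

Without the extra rule the surviving session's mid-stream segment is blocked (no state on the new master), which is the problem the original question raises; with it the segment passes and state is created. The third packet shows why the poster expects people to dislike the rules: because they say `all`, any ACK-only TCP packet from anywhere, to any host and port, is passed and also gets a state entry, so the slave briefly behaves like a stateless ACK-permitting filter until the rulebase is restored to normal.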