
Re: redundant firewall with openbsd



On Tue, 28 Aug 2001 22:59:22 +0200, you wrote:

>> Shriman Gurung wrote...
>> > How redundant do you want to be?  I have a pair of boxes set up 
>> > so that one can assume the identity of the other in about 30 seconds
>> > (including about 25 seconds for the reboot ;)) but it doesn't 
>> > do anything like on-the-fly state table maintenance or virtualised 
>> > MAC addressing or VRRP or...
>thanks a lot, actually I was wondering if there are any projects around 
>which are working on something like a firewall with multiple active nodes.
>the active/standby model does not really scale that well...
>
>./alex

One option is routed but there seem to be bugs in the OBSD version
since it won't parse dot or CIDR notation on either the command line
or in its conf file. You can work around this problem by assigning
names using your etc/hosts and etc/networks files but it isn't pretty.

Both zebra and gated exist in our ports tree. I've never used them but
it seems the former is OSPF and the latter is a different
implementation of RIP similar to routed.

It doesn't qualify as a real "project" yet but after a week of
research, I just started tinkering on a new implementation of VRRP
with a BSD license. 

VRRP will do what you need (multiple active & a whole pool of
standbys).  Check RFC 2338 and 2787, and yes, through _manual_
configuration of hosts you can do some degree of bandwidth
aggregation... that part isn't automated but it exists.

There is a Linux/GPL implementation that is incomplete and there's
even a FreeBSD port of it but it's marked broken in their ports tree.
This implementation is no longer under active development as far as I
know and was never complete.

The version in the FreeBSD ports tree is v0.2, and seems to have a lot
of modifications from the original. I've found later v0.3 and v0.4
versions but they are also well over a year and a half old and seem to
have a lot more Linux specific code.

The FreeBSD port is here. I've never tried running it and it _IS_
marked "BROKEN" so using it in production might not be a good idea.
According to the logs, it was marked BROKEN because it is not a
complete implementation of the protocol...
http://www.freebsd.org/cgi/cvsweb.cgi/ports/net/vrrp/?sortby=log

Note: there are some legal wranglings going on over this protocol. It
seems some of the companies that worked on it, Cisco, IBM and
Microsoft have all filed patent claims against the open standard they
helped to create _after_ it was ratified as a standard.
http://www.foo.be/vrrp/

I tried posting this info earlier today but it never showed up on the
list... ?

If any of you want to help with coding or testing an "OpenVRRP" of
sorts, please contact me.

Best Regards,
JCR
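The RFC 2338 advertisement format the post points at, as an added example that is not part of the original message or of JCR's implementation: it serialises a VRRP v2 advertisement, computes the one's complement checksum from section 5.3.8, and applies the receiver-side sanity checks from section 7.1 (version, type, length, checksum) before a packet is trusted. It assumes the IP-layer checks (protocol 112, TTL 255, destination 224.0.0.18) happen before parse_advertisement() is called; all field values are constructed.

```python
"""RFC 2338 VRRP v2 advertisement: build, checksum, receiver-side validation (constructed example)."""
import socket
import struct

VRRP_VERSION, VRRP_TYPE_ADVERTISEMENT, AUTH_NONE = 2, 1, 0

def ones_complement_checksum(data: bytes) -> int:
    """16-bit one's complement of the one's complement sum (RFC 2338 section 5.3.8)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_advertisement(vrid, priority, adver_int, addrs, auth_type=AUTH_NONE, auth_data=b""):
    """Serialise an advertisement (section 5.3 layout) with the checksum filled in."""
    body = b"".join(socket.inet_aton(a) for a in addrs)
    auth = auth_data.ljust(8, b"\x00")[:8]  # authentication data is always 8 octets
    hdr = struct.pack("!BBBBBBH", (VRRP_VERSION << 4) | VRRP_TYPE_ADVERTISEMENT,
                      vrid, priority, len(addrs), auth_type, adver_int, 0)
    pkt = hdr + body + auth
    return pkt[:6] + struct.pack("!H", ones_complement_checksum(pkt)) + pkt[8:]

def parse_advertisement(pkt: bytes) -> dict:
    """Receiver checks from section 7.1 (version, type, length, checksum);
    raises ValueError so a caller drops anything that fails."""
    if len(pkt) < 16:
        raise ValueError("truncated VRRP packet")
    vt, vrid, priority, count, auth_type, adver_int, _ = struct.unpack("!BBBBBBH", pkt[:8])
    if vt >> 4 != VRRP_VERSION:
        raise ValueError("unsupported VRRP version %d" % (vt >> 4))
    if vt & 0x0F != VRRP_TYPE_ADVERTISEMENT:
        raise ValueError("unknown VRRP type %d" % (vt & 0x0F))
    if len(pkt) != 16 + 4 * count:
        raise ValueError("address count does not match packet length")
    if ones_complement_checksum(pkt) != 0:  # a correct checksum verifies to zero
        raise ValueError("bad VRRP checksum")
    addrs = [socket.inet_ntoa(pkt[8 + 4 * i:12 + 4 * i]) for i in range(count)]
    return {"vrid": vrid, "priority": priority, "adver_int": adver_int, "auth_type": auth_type,
            "addrs": addrs, "auth_data": pkt[8 + 4 * count:16 + 4 * count]}

def is_valid_advertisement(pkt: bytes) -> bool:
    """True when the packet passes every check in parse_advertisement()."""
    try:
        parse_advertisement(pkt)
        return True
    except ValueError:
        return False
```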