[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Request for opinions on Clustered Firewalls
- To: tech_(_at_)_openbsd_(_dot_)_org, misc_(_at_)_openbsd_(_dot_)_org
- Subject: Request for opinions on Clustered Firewalls
- From: Scott Wells <scott_(_at_)_shadowsystems_(_dot_)_tzo_(_dot_)_com>
- Date: Fri, 09 Aug 2002 15:15:25 -0500
I am soliciting opinions on the feasability of creating a active-passive
cluster configuration for firewalls running OpenBSD and pf, and help
putting it all together.
So far, I've come up with a few things that would have to be
incorporated to various areas within OpenBSD to get this to happen.
1. Some type of fault management /monitor that would run on each system
and monitor it's own as well as other machines health.
2. Modifications to the arp operations, so that interfaces on two
different machines can respond to the same MAC address (probably
manually assigned in the 10-00-00 OUI, which is defined as private by
3. Modifications to pf's state management routines to allow it to share
state with other machines. Preferrably via udp (so the changes can be
sent without the overhead of a tcp connection). Also, a mechanism to
allow a full state transfer (such as when a failed machine is brought
If you have comments, or are interested in trying to assist with any of
this, please contact me directly, as discussion of this topic on the
mailing list probably isn't appropriate at this time.