
Request for opinions on Clustered Firewalls

I am soliciting opinions on the feasibility of creating an active-passive cluster configuration for firewalls running OpenBSD and pf, and help putting it all together.

So far, I've come up with a few things that would have to be incorporated to various areas within OpenBSD to get this to happen.

1. Some type of fault management /monitor that would run on each system and monitor its own as well as other machines' health.
2. Modifications to the arp operations, so that interfaces on two different machines can respond to the same MAC address (probably manually assigned in the 10-00-00 OUI, which is defined as private by the IEEE).
3. Modifications to pf's state management routines to allow it to share state with other machines. Preferably via udp (so the changes can be sent without the overhead of a tcp connection). Also, a mechanism to allow a full state transfer (such as when a failed machine is brought back online).

If you have comments, or are interested in trying to assist with any of this, please contact me directly, as discussion of this topic on the mailing list probably isn't appropriate at this time.
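As an added illustration that is not part of this message, the three items above map onto the mechanisms later OpenBSD releases ship for exactly this purpose, CARP (health monitoring plus a shared virtual MAC derived from the IANA-assigned 00:00:5e OUI) and pfsync (state replication as its own IP protocol rather than UDP, with a bulk update on rejoin). The addresses, interface names and the CARP password below are placeholders.

```conf
# /etc/hostname.carp0 on the primary (master) firewall
# The shared address lives on carp0. Both nodes use the same vhid, so both
# answer to the same virtual MAC 00:00:5e:00:01:01 (IANA OUI, not a private one).
# CARP advertisements double as the health monitor (item 1): when the master
# stops advertising, the backup takes over. advskew 0 marks the preferred master.
inet 192.0.2.1 255.255.255.0 192.0.2.255 vhid 1 carpdev em0 pass SECRET-PLACEHOLDER advskew 0

# /etc/hostname.carp0 on the backup: identical, except advskew 100

# /etc/hostname.pfsync0 on both nodes: state table replication (item 3)
# pfsync sends state inserts, updates and deletes as IP protocol 240 multicast on
# the dedicated sync link (em2); a node that rejoins requests a bulk update from
# its peer, which is the "full state transfer" asked for above.
up syncdev em2

# /etc/pf.conf fragment on both nodes
ext_if  = "em0"
int_if  = "em1"
sync_if = "em2"

# CARP advertisements (IP protocol 112) must pass on every carpdev interface
pass on { $ext_if $int_if } proto carp

# pfsync traffic is neither authenticated nor encrypted, so confine it to a
# dedicated point-to-point link (or tunnel it over IPsec) and accept it only there
pass quick on $sync_if proto pfsync
```

CARP advertisements are authenticated with an HMAC keyed by the shared password, so both nodes must carry the same pass and vhid.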