We're supposed to provide redundant firewall service. I'm wondering if anyone has ever tried to do this and if it's realistic. Basically 2 firewall machines hooked up so if one fails the other will transparently step in. I've googled it to death without much luck.

The security issue here lies in that the 2 firewalls can't talk to each other. So if I'm keeping state on a connection then the second firewall has to know about that connection otherwise it will close if that firewall dies.

Any ideas?

-Michael
_________________________________________________________________
http://fastmail.ca/ - Fast Secure Web Email for Canadians
On Wed, 26 Mar 2003, Michael Richards wrote:

> We're supposed to provide redundant firewall service. I'm wondering
> if anyone has ever tried to do this and if it's realistic. Basically
> 2 firewall machines hooked up so if one fails the other will
> transparently step in. I've googled it to death without much luck.
>
> The security issue here lies in that the 2 firewalls can't talk to
> each other. So if I'm keeping state on a connection then the second
> firewall has to know about that connection otherwise it will close if
> that firewall dies.

Caveat: I haven't tried any of this, and there may be a canned solution I don't know about.

If I were doing this, I'd do a serial connection between the two boxes (I assume they're in the same room). If you're just looking for failover (and not load balancing), you could designate one to be the master, and whenever it adds or deletes a dynamic rule, it prints it out to the serial port. The slave machine watches the serial port and adds rules when it sees them come over.

That'll basically work, although you really need to do some sort of handshaking, heart beat, and sync (so when the master comes back, it can read in the new rules the slave created while it was minding the shop). I suspect matching 'expect' scripts tied to the serial lines could get the job done. Something like switch on:

RULEADD - ipfw add $rest_of_line
RULEDEL - this'll be a little tougher since you'll have to match the rule to the number (unless you always add the rule with the number from the master)
RULEDMP - ipfw list
HRTBEAT - actually, you don't really need this, but it's nice to keep status.

Just an idea.

--
Matt Piechota
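The slave side of the serial-line protocol sketched above, as an added example (this is not code from the thread): it keeps the master's rule numbers so RULEDEL can be matched, tracks heartbeats so the slave can tell when the master has gone quiet, and builds ipfw argument lists rather than shell strings so text read off the serial line is never interpreted by a shell. The exact line format (number always sent by the master), the 5-second heartbeat timeout, the `dump()` resync and the sample lines are my assumptions.

```python
import time

HEARTBEAT_TIMEOUT = 5.0   # assumed: seconds of silence before the master is presumed dead
SAMPLE_LINES = [          # constructed sample, as the master would print them on the serial line
    "HRTBEAT",
    "RULEADD 1000 allow tcp from 192.0.2.10 to 203.0.113.5 22 in",
    "RULEADD 1001 allow udp from 192.0.2.10 to 203.0.113.53 53 out",
    "RULEDEL 1001",
    "RULEDEL 4242",       # a number we never saw: ignored rather than run blindly
]

class RuleSyncPeer:   # slave-side mirror of the master's dynamic rules, fed one line at a time
    def __init__(self, now=time.monotonic):
        self._now = now
        self.rules = {}           # rule number -> rule text, so RULEDEL can be matched
        self.last_heartbeat = now()
        self.commands = []        # ipfw argv lists we would execute (dry run; nothing is run)

    def handle_line(self, line):
        """Parse one line; return the ipfw argv it maps to, or None if there is nothing to run."""
        fields = line.split()
        if not fields:
            return None
        op, args = fields[0], fields[1:]
        if op == "HRTBEAT":
            self.last_heartbeat = self._now()
            return None
        if op == "RULEDMP":
            return ["ipfw", "list"]
        if op not in ("RULEADD", "RULEDEL"):
            raise ValueError("unknown op in %r" % line)
        if not args or not args[0].isdigit():
            raise ValueError("missing rule number in %r" % line)
        num = int(args[0])
        if op == "RULEADD":
            if len(args) < 2:
                raise ValueError("RULEADD without a rule body in %r" % line)
            self.rules[num] = " ".join(args[1:])
            argv = ["ipfw", "add", str(num)] + args[1:]   # argv list, never a shell string
        elif self.rules.pop(num, None) is None:
            return None
        else:
            argv = ["ipfw", "delete", str(num)]
        self.commands.append(argv)
        return argv

    def master_alive(self):
        return self._now() - self.last_heartbeat < HEARTBEAT_TIMEOUT

    def dump(self):   # replay the mirror as RULEADD lines so a returning master can resync from us
        return ["RULEADD %d %s" % (n, r) for n, r in sorted(self.rules.items())]
```

A real deployment would pass each returned argv to subprocess.run and feed lines from the serial device instead of SAMPLE_LINES.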
At a certain time, now past [Wed, Mar 26, 2003 at 03:57:18PM -0500], Michael Richards spake thusly:

> We're supposed to provide redundant firewall service. I'm wondering
> if anyone has ever tried to do this and if it's realistic. Basically
> 2 firewall machines hooked up so if one fails the other will
> transparently step in. I've googled it to death without much luck.
>
> The security issue here lies in that the 2 firewalls can't talk to
> each other. So if I'm keeping state on a connection then the second
> firewall has to know about that connection otherwise it will close if
> that firewall dies.

[admin@zechariah ports]# make search key=freevrrpd
Port:   freevrrpd-0.8.4_1
Path:   /usr/ports/net/freevrrpd
Info:   This a VRRP RFC2338 Compliant implementation under FreeBSD
Maint:  spe@bsdfr.org
Index:  net
B-deps:
R-deps:

http://redundancy.redundancy.org/fbsd_lb.html

Though I've used VRRP quite a bit, I have not used the freevrrpd implementation.

~elh

--
Eric L. Howard            e l h @ o u t r e a c h n e t w o r k s . c o m
------------------------------------------------------------------------
www.OutreachNetworks.com                                    313.297.9900
------------------------------------------------------------------------
JabberID: elh@jabber.org                 Advocate of the Theocratic Rule
The problem here is really 2 pronged:

1) I need some means of realising that the firewall just died and transparently switching over to the backup or load balancing the two so if one dies the other takes up the slack.

2) I need a means of syncing the state info so existing connections won't be torn down if they end up going through the other firewall.

Sounds like a solution people would normally pay an obscene amount of money for but I'd be surprised if there isn't a way to do this. Maybe something with routing could do the balancing...

-Michael

>> -SNIP
>> The security issue here lies in that the 2 firewalls can't talk
>> to each other. So if I'm keeping state on a connection then the
>> second firewall has to know about that connection otherwise it
>> will close if that firewall dies.
>>
> what do you mean, can't talk to each other?
> /usr/src/ports/net/freevrrpd/ might help you a little, but not
> state awareness
You would have to fake up the MAC addresses on the Ethernet ports (otherwise the ARP tables will be wrong), and sync the TCP/IP stack's state for it to work. That would need more than a serial port to sync.

Roger.

Date sent:      Wed, 26 Mar 2003 16:30:48 -0500 (EST)
From:           Matt Piechota <piechota@argolis.org>
To:             Michael Richards <michael@fastmail.ca>
Copies to:      freebsd-security@freebsd.org
Subject:        Re: Multiple Firewalls with ipfilter?

> On Wed, 26 Mar 2003, Michael Richards wrote:
>
> > We're supposed to provide redundant firewall service. I'm wondering
> > if anyone has ever tried to do this and if it's realistic. Basically
> > 2 firewall machines hooked up so if one fails the other will
> > transparently step in. I've googled it to death without much luck.
> >
> > The security issue here lies in that the 2 firewalls can't talk to
> > each other. So if I'm keeping state on a connection then the second
> > firewall has to know about that connection otherwise it will close if
> > that firewall dies.
>
> Caveat: I haven't tried any of this, and there may be a canned solution I
> don't know about.
>
> If I were doing this, I'd do a serial connection between the two boxes (I
> assume they're in the same room). If you're just looking for failover
> (and not load balancing), you could designate one to be the master, and
> whenever it adds or deletes a dynamic rule, it prints it out to the serial
> port. The slave machine watches the serial port and adds rules when it
> sees them come over.
>
> That'll basically work, although you really need to do some sort of
> handshaking, heart beat, and sync (so when the master comes back, it can
> read in the new rules the slave created while it was minding the shop).
I guess this idea isn't as good but it worked for me. I used ipf (ipfw or anything else should work too) with freevrrpd. Both master and slave firewalls are exactly the same except that my second firewall had two extra rules right at the top:

    # Allow all established connections
    pass in quick proto tcp all flags A/SA keep state keep frags
    pass out quick proto tcp all flags A/SA keep state keep frags
    #pass in quick proto udp all keep state keep frags
    #pass out quick proto udp all keep state keep frags

This automatically created the state entries for established connections as soon as the other firewall goes down. But I guess most people won't like having those rules in their rulebase.

e.

On Wed, 2003-03-26 at 22:57, Michael Richards wrote:
> We're supposed to provide redundant firewall service. I'm wondering
> if anyone has ever tried to do this and if it's realistic. Basically
> 2 firewall machines hooked up so if one fails the other will
> transparently step in. I've googled it to death without much luck.
>
> The security issue here lies in that the 2 firewalls can't talk to
> each other. So if I'm keeping state on a connection then the second
> firewall has to know about that connection otherwise it will close if
> that firewall dies.
>
> Any ideas?
>
> -Michael
> We're supposed to provide redundant firewall service. I'm wondering
> if anyone has ever tried to do this and if it's realistic. Basically
> 2 firewall machines hooked up so if one fails the other will
> transparently step in. I've googled it to death without much luck.
>
> The security issue here lies in that the 2 firewalls can't talk to
> each other. So if I'm keeping state on a connection then the second
> firewall has to know about that connection otherwise it will close if
> that firewall dies.

http://www.isber.ucsb.edu/~randall/firewall/redundant/

i have this setup in use at work, it's an automatic failover but does not keep existing connections, so things like SSH sessions would be dropped.

-randall
--
:// randall s. ehren          :// voice 805.893.5632
:// systems administrator     :// isber|survey|avss.ucsb.edu
:// institute for social, behavioral, and economic research
On Wed, 26 Mar 2003, randall ehren wrote:

> > We're supposed to provide redundant firewall service. I'm wondering
> > if anyone has ever tried to do this and if it's realistic. Basically
> > 2 firewall machines hooked up so if one fails the other will
> > transparently step in. I've googled it to death without much luck.
>
> http://www.isber.ucsb.edu/~randall/firewall/redundant/
>
> i have this setup in use at work, it's an automatic failover but does not
> keep existing connections, so things like SSH sessions would be dropped.

Nice setup...

If reliability is such a concern, the original poster could also move the state 'in front' of the firewalls. I.e. invest in some stateful load balancers. I've asked a similar question in the past, and had the stateful (BSD) firewall discussion a few times, and that's often the suggestion that gets thrown around.

I agree an alternative would be nice if you're on a budget, but you often get what you pay for. Using something new and/or experimental may not be the best option based upon the type of traffic these firewalls will be passing.

-mrh