On Wednesday 25 May 2005 10:06, Jaime Nebrera wrote:
> Hi all,
Hi Jaime,
>
> We are investigating on firewall failover design. I have searched the
> net and found that projects like LVS have it mostly solved for their
> side but that netfilter lacks it.
>
> Of course, a simple failover of the firewall is available using things
> like VRRP (KeepAlive software) but without state synchronization, and
> that is precisely the part we need to investigate.
there was an article in the German IX magazine about this topic, I read it
again for you. All that I tell you now is just based on this article (January
2005), I haven't tested anything by myself yet. Also I have no idea how the
development process is going on.
There is a "proof of concept" implementation called ct_sync.
Written by netfilter core team developer Krisztian Kovacz.
Patches for 2.4.26 are available, 2.6.x is planned.
ct_sync can synchronize the connection tracking tables between the firewalls.
Additionally you need the keepalived from LVS project.
Conclusion of the author:
1. experimental
2. a lot of manual work
3. you have to patch the kernel
4. expects fast development during the next month
5. "expectations" not supported yet
6. he got it working in 2 clusters
references:
keepalived: www.keepalived.org
quilt (a needed patch tool?): savannah.nongnu.org/projects/quilt
and of course Netfilter itself: www.netfilter.org
>
> Is this issue solved in netfilter? How? Any ideas? Does it work with
> kernel 2.4? And of course, can it be managed with shorewall? :)))
As far as I know there is no support in shorewall yet.
>
> Bear in mind I'm not talking about ISP redundancy but the firewall
> itself, if possible set as an active/active failover solution.
>
> Thanks in advance. Regards.
Hope I could give some useful information,
Alex
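As an added illustration (not part of the thread above, and not code from the ct_sync or keepalived projects), this is what the VRRP half of the setup looks like: a keepalived configuration for an active/passive firewall pair in which the inside and outside virtual addresses fail over together. Interface names, addresses, the router ID and the notify script path are constructed placeholders. Note what it does not do: without something like ct_sync, the backup firewall takes over the addresses but has no connection tracking entries, so established flows arrive looking like out-of-state packets and are dropped by a stateful ruleset. That gap is exactly the one the thread is about.

```conf
# Added example, not from the original mailing-list post.
# keepalived.conf for firewall node "fw-a"; the standby "fw-b" uses the same
# file with "state BACKUP" and a lower priority (e.g. 100).

global_defs {
    router_id fw-a                 # placeholder node name
}

# Both VRRP instances fail over as one unit, so the inside and outside
# virtual addresses never end up on different firewalls.
vrrp_sync_group FW_PAIR {
    group {
        FW_OUTSIDE
        FW_INSIDE
    }
    # Placeholder hook run when this node becomes master. This is where a
    # state-sync mechanism would have to be engaged; keepalived itself does
    # not carry connection tracking state.
    notify_master "/usr/local/sbin/fw-takeover.sh"
}

vrrp_instance FW_OUTSIDE {
    state MASTER                   # BACKUP on fw-b
    interface eth0                 # outside interface (placeholder)
    virtual_router_id 51           # must match on both nodes, unique per segment
    priority 150                   # fw-b uses a lower value
    advert_int 1                   # VRRP advertisement interval in seconds
    virtual_ipaddress {
        192.0.2.1/24 dev eth0      # shared outside address (documentation range)
    }
}

vrrp_instance FW_INSIDE {
    state MASTER                   # BACKUP on fw-b
    interface eth1                 # inside interface (placeholder)
    virtual_router_id 52
    priority 150
    advert_int 1
    virtual_ipaddress {
        10.0.0.1/24 dev eth1       # shared inside address (placeholder)
    }
}
```

A quick way to see the limitation this thread describes is to hold a long-lived TCP session through the pair and stop keepalived on the master: the addresses move within a few advertisement intervals, but the session only survives if the new master already has a matching conntrack entry, which is what the ct_sync patches mentioned above are meant to provide.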