IPR2 + Netfilter: stateful _routing_ on inbound DNAT, in dual-homed setup?

Dear Everyone,

I'm preparing to upgrade our firewall. We're a small business with a 
fairly basic IP networking setup. Our firewall's got three ports: 
outside, public DMZ and a privately numbered inside. We have recently 
obtained a second uplink (internet connectivity) and my first task 
would be to make use of it - which in traditional IP theory is next 
to nonsense. Originally I thought of using two firewalls, and 
shifting the default route of my internal LAN stations via a DHCP 
configuration update. Then I discovered the primers on IProute2-based 
policy routing, and decided that I could achieve the same with a 
single box, steered by two routing tables. I knew about policy 
routing from my past Cisco experience, and on Linux/PC-based routers 
you don't even have to care about the CPU overhead, so this was a no-brainer.  

http://www.fccps.cz/download/adv/frr/FW.gif

My current firewall uses some Netfilter-based stateful NAT and 
filtering. It works pretty well and I've written the rules from 
scratch; I understand the semantics fairly well.  

After reading the somewhat bloated IProute2 primers, and after 
understanding that Netfilter NAT doesn't mix well with IPR2 NAT, one 
nagging idea/question remains on my mind:  

I know that Netfilter can do seamless stateful filtering of traffic 
returning back through NAT. If I set up two uplinks with a NAT 
"horizon split" on each of them, it shouldn't be a problem to route 
traffic to either interface by merely modifying the default route 
(for manual fail-over), or even by using multiple default routes with 
IPR2 per-flow balancing mechanisms - and I won't create a routing 
loop, as my public outbound source address will always belong to the 
respective ISP, courtesy of the twin NAT outsides.  

Now what about *inbound* traffic? Suppose I've got a web server in 
the DMZ. I'm wondering about possible fail-over setups with the two 
ISP uplinks. I could set up two SNAT rules in the Netfilter's 
PREROUTING table, one rule for each outside interface, both of them 
pointing to the internal IP address of my web server. This would work 
for the inbound packets, but how would the FW box deal with the 
returning outbound traffic? I know that the Netfilter NAT can observe 
the stateful information for filtering, but will IPR2 be able to 
observe that information for *routing*? Not likely, I'd say. Never 
heard of stateful *routing*. The necessary kernel guts could actually 
be quite similar to the existing IPR2 per-flow balancing stuff, but I 
doubt that this (dual-path stateful routing on NAT return traffic) 
would work somehow seamlessly, out of the box, in the current 
incarnation of IPR2+Netfilter... Obviously I can do without it, but 
it would be a nice final touch :-)  

Any ideas are welcome :-)

Frank Rysanek
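The dual-uplink setup described in the post, with the missing piece for the inbound return path, as an added example that is not from the original post. The "stateful routing" is done by recording the arrival uplink of each new inbound connection in its conntrack entry (CONNMARK) and restoring that mark onto the replies so an ip rule can pick the matching table; interface names and addresses are constructed.

```shell
#!/bin/sh
# Added example, not code from the original post. Interfaces and addresses are
# constructed: eth0 = ISP1 outside 198.51.100.2 (gw .1), eth1 = ISP2 outside
# 203.0.113.2 (gw .1), eth2 = DMZ holding the web server 172.16.1.10.
ISP1_IF=eth0; ISP1_IP=198.51.100.2; ISP1_GW=198.51.100.1
ISP2_IF=eth1; ISP2_IP=203.0.113.2;  ISP2_GW=203.0.113.1
DMZ_IF=eth2;  WEB=172.16.1.10

# With DRY_RUN set, commands are printed instead of executed (they need root).
run() { if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi; }

setup_routing() {
  # One routing table per uplink; the fwmark value doubles as the table number.
  # Each table holds only a default route: a lookup that misses falls through
  # to the main table, so local nets keep working for marked packets.
  run ip route add default via "$ISP1_GW" dev "$ISP1_IF" table 1
  run ip route add default via "$ISP2_GW" dev "$ISP2_IF" table 2
  run ip rule add fwmark 1 table 1
  run ip rule add fwmark 2 table 2
}

setup_nat() {
  # Inbound: one DNAT rule per outside interface, both pointing at the web server.
  run iptables -t nat -A PREROUTING -i "$ISP1_IF" -d "$ISP1_IP" -p tcp --dport 80 -j DNAT --to-destination "$WEB"
  run iptables -t nat -A PREROUTING -i "$ISP2_IF" -d "$ISP2_IP" -p tcp --dport 80 -j DNAT --to-destination "$WEB"
  # Outbound: the source address always belongs to the ISP the packet leaves through.
  run iptables -t nat -A POSTROUTING -o "$ISP1_IF" -j SNAT --to-source "$ISP1_IP"
  run iptables -t nat -A POSTROUTING -o "$ISP2_IF" -j SNAT --to-source "$ISP2_IP"
}

setup_stateful_routing() {
  # Record in the conntrack entry which uplink a new inbound connection used ...
  run iptables -t mangle -A PREROUTING -i "$ISP1_IF" -m conntrack --ctstate NEW -j CONNMARK --set-mark 1
  run iptables -t mangle -A PREROUTING -i "$ISP2_IF" -m conntrack --ctstate NEW -j CONNMARK --set-mark 2
  # ... and copy it onto every reply packet arriving from the DMZ. The reply is
  # still sourced from 172.16.1.10 when the routing decision is made (the reverse
  # DNAT only happens in POSTROUTING), so the restored mark, not the source
  # address, is what can select the right uplink.
  run iptables -t mangle -A PREROUTING -i "$DMZ_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark
}

apply_all() { setup_routing; setup_nat; setup_stateful_routing; }

# Usage: 'sh fw-dualhome.sh apply' as root; 'DRY_RUN=1 sh fw-dualhome.sh apply' to review.
if [ "${1:-}" = apply ]; then apply_all; fi
```

Strict reverse-path filtering will drop inbound packets on whichever uplink is not the main table's default route, so set net.ipv4.conf.all.rp_filter=2 (loose mode) or disable it on the two outside interfaces before testing the second uplink.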
