Hello Harald,

I read your paper, and I'd love something like this.

As I understand it, you imply a one master / multiple slaves model. However, what would prevent your protocol from being used in a master/master setup? That would be much better; sometimes one fast machine is not enough. Each master could have a lighter load, and therefore more resources to communicate with the others. And when one master goes down, only a group of users will be bothered by the delay before the others catch up its traffic.

Simon

---------- Original Message ----------------------------------
From: Harald Welte <laforge@xxxxxxxxxxxxx>
Date: Fri, 3 Oct 2003 13:05:43 +0200

>On Mon, Sep 22, 2003 at 09:04:49AM +0200, Marc Hansen wrote:
>> Hello,
>> how is it possible to have two firewalls in an HA-Environment?
>
>only if you do stateless packet filtering and no NAT.
>
>> Does somebody have a hint or a link for me?
>
>There is an ongoing implementation for conntrack state synchronization,
>but it's not finished or public yet.
>
>For the design paper, please see
>http://cvs.gnumonks.org/presentation/netfilter-failover-ols2002/netfilter-failover-ols2002.tex?rev=1.1&content-type=text/x-cvsweb-markup
>
>> Marc
>
>--
>- Harald Welte <laforge@xxxxxxxxxxxxx> http://www.netfilter.org/
>============================================================================
> "Fragmentation is like classful addressing -- an interesting early
> architectural error that shows how much experimentation was going
> on while IP was being designed." -- Paul Vixie