copied from OpenBSD Site (http://www.openbsd.org/35.html#new): New tools for filtering gateway failover:
* CARP (the Common Address Redundancy Protocol) carp(4) <http://www.openbsd.org/cgi-bin/man.cgi?query=carp> allows multiple machines to share responsibility for a given IP address or addresses. If the owner of the address fails, another member of the group will take over for it. A discussion of the history of CARP can be found here <http://www.openbsd.org/lyrics.html>.
* Additions to the pfsync(4) <http://www.openbsd.org/cgi-bin/man.cgi?query=pfsync> interface allow it to synchronise state table entries between two or more firewalls which are operating in parallel, allowing stateful connections to cross any of the firewalls regardless of where the state was initially created.
I think this is the only really fully redundant open-source firewall available.
Regards, Günter
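To make the CARP + pfsync description above concrete, here is an added example (not from the thread or from OpenBSD) that writes the per-node interface, sysctl and pf configuration for one member of a two-firewall pair. It assumes the OpenBSD 3.5-era file layout and keywords (hostname.carp0, hostname.pfsync0 with `syncif`), fxp0 as the external interface, fxp1 as a dedicated crossover link for pfsync, and constructed placeholder addresses and password.

```sh
#!/bin/sh
# Added example, not code from the thread. Generates the configuration for one
# node of an OpenBSD 3.5-style CARP + pfsync firewall pair.
# Assumed (not on the page): fxp0 = external, fxp1 = pfsync crossover link,
# 192.0.2.1 and EXAMPLE_SECRET are constructed placeholders.
# Usage: gen_carp_node <master|backup> <outdir>
gen_carp_node() {
    role=$1; outdir=$2
    # advskew 0 on the master, higher on the backup; vhid and pass are identical
    # on both nodes so they recognise each other's advertisements.
    case $role in
        master) skew=0 ;;
        backup) skew=100 ;;
        *) echo "role must be master or backup" >&2; return 1 ;;
    esac
    mkdir -p "$outdir/etc"
    # The shared external address follows whichever node currently holds vhid 1.
    cat > "$outdir/etc/hostname.carp0" <<EOF
inet 192.0.2.1 255.255.255.0 192.0.2.255 vhid 1 pass EXAMPLE_SECRET advskew $skew
EOF
    # pfsync multicasts state inserts/updates/deletes over the dedicated link
    # (3.5 keyword assumed to be syncif; later releases renamed it).
    cat > "$outdir/etc/hostname.pfsync0" <<EOF
up syncif fxp1
EOF
    # Let the master reclaim the address once it is back.
    cat > "$outdir/etc/sysctl.conf" <<EOF
net.inet.carp.preempt=1
EOF
    # pf must pass pfsync unfiltered on the sync link and pass CARP
    # advertisements on the interface carrying the shared address.
    cat > "$outdir/etc/pf.conf" <<EOF
ext_if="fxp0"
sync_if="fxp1"
pass quick on \$sync_if proto pfsync
pass on \$ext_if proto carp keep state
EOF
    return 0
}
```

The sync link should be a physically isolated cable or VLAN, since pfsync traffic is unauthenticated and carries the full state table.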
B. McAninch wrote:
Check out KeepAliveD (keepalived.sourceforge.net) - it uses VRRP for failover. It does not, however, provide /stateful/ firewall failover. IIRC, work is (was) being done for Netfilter's own state syncing.
On Thu, 2004-06-17 at 15:52, Patrick Ahler wrote:
I am looking for info on creating a redundant gateway/firewall. I currently have my network set up with 1 working iptables gateway/firewall and 1 backup gateway. If the first gateway goes down, I change the IPs and spoof the MAC addresses (I change the external MAC address because my internal network is masqueraded through the gateway and just switching the external IP messes with the ARP tables on the router... That's a whole other issue though) on the backup gateway and it takes over. This is not redundancy and is dirty. Does anyone have any suggestions on how to do this better?
Patrick Ahler
Systems Administrator
Vikus Corporation