[Gllug] High Availability firewall

Nix nix at esperi.org.uk
Fri Mar 31 23:04:21 UTC 2006


On Fri, 31 Mar 2006, Dan Kolb spake:
> On Fri, Mar 31, 2006 at 03:44:51PM +0100, Julian Somers wrote:
>> Hi All,
>> 
>> I need a redundant firewall system that will failover in case of  
>> hardware failure. A colleague recommends a couple of Cisco Pix 520s,  
>> but in my opinion, we have better things to do with £5000.
> [snip]
>> Has anyone had experience with this? Is there an easier way to  
>> achieve it than with linux-ha, for someone who has no experience  
>> whatever in clustering?
> 
> Take a look at OpenBSD's pf and CARP - these should do what you want, and pf is
> a hell of a lot nicer to deal with than iptables.

I'm not sure if OpenBSD's networking layer is as capable as Linux's, though:
you can really do a ridiculous number of things with the advanced routing
features. (If you're still stuck using ifconfig and route you probably
won't have noticed that these features even exist, but they've been there
since the 2.2 kernel days... they connect to iptables in that firewall-
marked packets can be routed differently and packets that came in via
specific routing tables can be firewalled differently, but they're not
in the same subsystem, nor maintained with the same tools.)

-- 
`Come now, you should know that whenever you plan the duration of your
 unplanned downtime, you should add in padding for random management
 freakouts.'
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
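The coupling Nix describes between netfilter and the advanced routing layer is the fwmark: a mangle-table rule stamps a packet with a mark, `ip rule` sends marked packets to a separate routing table, and the filter table can in turn match on that same mark. The script below is an added illustration of that wiring, not code from the thread or from any of the posters; the interface name, mark value, table number and gateway address are assumptions, and it prints the commands by default so it can be reviewed before being run as root with `APPLY=1`.

```shell
#!/bin/sh
# Added example: Linux policy routing keyed on an iptables firewall mark.
# Not from the GLLUG thread. All concrete values below are assumptions.
set -eu

IN_IF=${IN_IF:-eth1}            # assumed: interface whose inbound packets are marked
MARK=${MARK:-0x1}               # assumed: fwmark value (any 32-bit value works)
TABLE=${TABLE:-100}             # assumed: routing table id for marked traffic
GATEWAY=${GATEWAY:-192.0.2.1}   # assumed: gateway in the RFC 5737 documentation range

# Emit the rule set that ties the three pieces together:
#   1. mangle/PREROUTING sets the mark on packets arriving on $IN_IF
#   2. an ip rule routes packets carrying that mark through table $TABLE
#   3. the filter table matches the same mark, so traffic routed via that
#      table can be firewalled differently from everything else
fwmark_policy_routing() {
    cat <<EOF
iptables -t mangle -A PREROUTING -i $IN_IF -j MARK --set-mark $MARK
ip route add default via $GATEWAY dev $IN_IF table $TABLE
ip rule add fwmark $MARK lookup $TABLE
iptables -A FORWARD -m mark --mark $MARK -j ACCEPT
EOF
}

# Count of commands the generator emits; handy for a quick sanity check.
fwmark_rule_count() {
    fwmark_policy_routing | wc -l | tr -d ' '
}

# Dry-run by default; APPLY=1 executes the commands (requires root and the
# iproute2 / iptables tools on the box).
if [ "${APPLY:-0}" = "1" ]; then
    fwmark_policy_routing | sh -e
else
    fwmark_policy_routing
fi
```

After applying, `ip rule show` and `ip route show table 100` confirm that the rule and the table exist, and `iptables -t mangle -L PREROUTING -v` shows the mark rule's packet counters moving when traffic arrives on the interface.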