[Gllug] IPv6 and firewalls

Robert McKay robert at mckay.com
Tue Aug 11 12:21:16 UTC 2009


On Tue, Aug 11, 2009 at 12:57 PM, Chris Bell <chrisbell at 3966.ukfsn.org>wrote:

> On Tue 11 Aug, Bruce Richardson wrote:
> > On Tue, Aug 11, 2009 at 10:01:45AM +0000, Chris wrote:
> >
> > >
> > >    I was also considering bridge control, where a box silently passes
> > > selected packets between connections without itself being generally
> > > accessible or even visible except via specified route(s).
> >
> > This is my preferred approach to firewalling.  It used to require a lot
> > of patching and building of custom utilities but everything you need is
> > in the default kernels for most distributions these days.
> >
>    I assume that it would not be possible to install a pair of boxes for
> fail-safe operation because they would send streams of duplicate packets,
> even when set for established links only.
>
>
It's perfectly possible to have a pair of boxes doing fail-safe routing even
if they are 'hidden' (which fundamentally just means they aren't
decrementing the TTL of the packets they route and aren't directly
accessible from the internet on a public IP). You'd basically have one of
the machines sending some sort of a heartbeat that suppressed the failover
node from routing packets. If the heartbeat goes away then it starts
routing. I can think of a few ways of rigging this up (heartbeat,
netfilter-failover, keepalived etc.).

Rob.
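The heartbeat-gated standby Rob describes, as an added, constructed example that is not code from the thread or from any of the tools he names. The primary is assumed to send a beat once a second; the standby keeps its FORWARD policy at DROP and only flips it to ACCEPT after a configurable number of consecutive beats are missed, dropping back to DROP the moment a beat reappears so the two boxes never forward at the same time. Times are passed in rather than read from the clock so it runs offline; the `iptables -P FORWARD` command is real, but the `apply` hook that would execute it is left unset here (on a pure bridge you would need br_netfilter loaded for iptables to see bridged frames, or use ebtables instead).

```python
"""Heartbeat-gated failover for a pair of transparent (bridging) firewalls.

Constructed example: the primary sends a periodic heartbeat; the standby
forwards only after `dead_count` consecutive beats are missed, and stops
forwarding again as soon as a beat is seen. A simulated clock (time values
passed in) keeps it runnable offline; nothing here executes commands.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple


@dataclass
class StandbyBridge:
    interval: float = 1.0          # assumed seconds between heartbeats
    dead_count: int = 3            # beats missed before taking over
    last_beat: float = 0.0         # time of the most recent heartbeat
    forwarding: bool = False       # True while this node routes traffic
    log: List[Tuple[float, str]] = field(default_factory=list)
    apply: Optional[Callable[[str], None]] = None   # hypothetical hook

    def _set(self, now: float, forwarding: bool) -> None:
        self.forwarding = forwarding
        # A standby that forwards while the primary is alive duplicates
        # every packet, so the whole FORWARD policy is flipped at once.
        cmd = "iptables -P FORWARD " + ("ACCEPT" if forwarding else "DROP")
        self.log.append((now, cmd))
        if self.apply:
            self.apply(cmd)

    def on_heartbeat(self, now: float) -> None:
        """Primary is alive: record it and yield if we had taken over."""
        self.last_beat = now
        if self.forwarding:
            self._set(now, False)

    def on_tick(self, now: float) -> bool:
        """Called periodically; returns whether this node is forwarding."""
        missed = (now - self.last_beat) / self.interval
        if not self.forwarding and missed >= self.dead_count:
            self._set(now, True)
        return self.forwarding


def simulate(events: List[Tuple[float, str]], **kw) -> List[Tuple[float, str]]:
    """Feed (time, 'beat'|'tick') events in order; return the policy changes."""
    node = StandbyBridge(**kw)
    for now, kind in sorted(events):
        if kind == "beat":
            node.on_heartbeat(now)
        else:
            node.on_tick(now)
    return node.log


if __name__ == "__main__":
    # Constructed timeline: beats every second until t=3, silence, then the
    # primary returns at t=8. The standby ticks every half second.
    timeline = [(t, "beat") for t in (0, 1, 2, 3, 8)]
    timeline += [(t / 2, "tick") for t in range(0, 21)]
    for when, cmd in simulate(timeline):
        print(f"t={when:4.1f}  {cmd}")
```

With the constructed timeline the standby takes over at t=6 (three full intervals after the last beat at t=3) and yields again at t=8. Beats that arrive a little late never trigger a takeover because the threshold is expressed in whole missed intervals, which is the knob to tune against jitter on the heartbeat link.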