Network Security Firewalls

Re: pfsync & carp on linux

Subject: Re: pfsync & carp on linux
Date: Mon, 06 Nov 2006 19:56:59 +0000
Have a look at :

http://www.pfsense.com/

Yes, I know you said Linux. It uses pf and a stripped-down BSD, but it works amazingly well and has a very usable web front end for config, making shell access (which is available too) unnecessary.
It does firewalling with firewall rule sync between units, VPNs, IPsec, load balancing, CARP/HA failover, DNS cache, captive portal, and a host of other useful stuff that just works.
It can be booted off compact flash or a disk/RAID and makes a good appliance-type firewall. My uptimes are over 70 days so far on a busy site.


Otherwise ucarp on linux (I use it on a production DNS cluster - gentoo linux) works very well too!

Andy.

Harald Nesland wrote:

Yiannis Kontekakis wrote:


Hello,

I am interested in implementing a load balancing and fail over firewall
(_with connection tracking support_).

   Currently the only non commercial solution that I know to be
working, is pfsync and carp in BSD unices. If I am not wrong this
combination allows load balancing and fail over between x firewalls
connected to the same subnet, where the rules added to one firewall are
propagated to the rest in the same subnet (pfsync) and the fail over
mechanism is implemented by carp. Also as far as I have understood this
configuration allows connection tracking information to be shared
between the participating firewalls in the above fail over
implementation. ( If I got it right "connection tracking" means the
characteristics - sequence numbers, etc... - that specify a socket ).
    As I am accustomed to using Linux (and netfilter), do you know if
there is an alternative to the BSD (pfsync & carp) configuration? I tried
to "google" this search but only got posts before 2005.

Any help would be appreciated. ( I would like to hear about a non
commercial/open source solution. )

Regards

Yiannis


Hi,

You should take a look at http://www.keepalived.org/ and VRRP.

However, VRRP is patented, and there's some effort going on to port CARP
to Linux. (http://www.ucarp.org/project/ucarp).

http://tips.linux.com/tips/05/05/10/1436254.shtml?tid=100

Cheers,

--
Harald Nesland
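The ucarp route Harald and Andy mention, as an added example that is not part of this thread and not the ucarp project's own code: a small script that writes the vip-up/vip-down hooks and builds the ucarp command line for one node of a two-firewall pair. The interface (eth0), virtual IP (192.0.2.1/24), node address (192.0.2.2), VHID, skew and password file path are assumed values, not from the thread; the gratuitous-ARP step assumes iputils arping is installed.

```shell
#!/bin/sh
# Added example: ucarp (the CARP port mentioned in the thread) giving a Linux
# firewall pair a shared virtual IP with master/backup failover. Not from the
# thread or the ucarp project. Assumed values, override via the environment:
# eth0, VIP 192.0.2.1/24, this node at 192.0.2.2, VHID 1, secret in
# /etc/ucarp/vhid1.pass.
IFACE="${IFACE:-eth0}"
VIP="${VIP:-192.0.2.1}"
VIP_PREFIX="${VIP_PREFIX:-24}"
SRCIP="${SRCIP:-192.0.2.2}"
VHID="${VHID:-1}"
# Advertisement skew: the node advertising with the lowest skew wins the
# master election. Use 0 on the preferred master and e.g. 100 on the backup.
SKEW="${SKEW:-0}"
PASSFILE="${PASSFILE:-/etc/ucarp/vhid1.pass}"

# Hook ucarp runs when this node becomes master: bring up the VIP, then send
# gratuitous ARP so neighbours replace the old master's MAC for the VIP in
# their ARP caches (iputils arping assumed). ucarp passes the interface as $1.
vip_up_script() {
    cat <<EOF
#!/bin/sh
ip addr add $VIP/$VIP_PREFIX dev "\$1"
arping -U -c 3 -I "\$1" $VIP >/dev/null 2>&1 || true
EOF
}

# Hook ucarp runs when this node loses mastership: drop the VIP again.
vip_down_script() {
    cat <<EOF
#!/bin/sh
ip addr del $VIP/$VIP_PREFIX dev "\$1"
EOF
}

# Write both hooks into the given directory, executable by root only.
install_scripts() {
    dir="$1"
    mkdir -p "$dir"
    vip_up_script   > "$dir/vip-up.sh"
    vip_down_script > "$dir/vip-down.sh"
    chmod 700 "$dir/vip-up.sh" "$dir/vip-down.sh"
}

# Build the ucarp command line. The shared secret is given via --passfile
# rather than --pass so it never appears in `ps` output. CARP uses the secret
# to HMAC-SHA1 authenticate advertisements, so a host on the same subnet that
# lacks it cannot announce itself as master and take the VIP away.
ucarp_cmd() {
    dir="$1"
    printf '%s' "ucarp --interface=$IFACE --srcip=$SRCIP --vhid=$VHID" \
        " --passfile=$PASSFILE --addr=$VIP --advskew=$SKEW --preempt" \
        " --upscript=$dir/vip-up.sh --downscript=$dir/vip-down.sh --daemonize"
}

# Usage (as root, on each node; SKEW=0 on the preferred master, SKEW=100 on
# the backup, same VHID and password file on both):
#   install_scripts /etc/ucarp && sh -c "$(ucarp_cmd /etc/ucarp)"
```

Both nodes must share the VHID and the secret, and only the VIP moves between them. ucarp itself carries no firewall state, so with this alone the established connections the original question asks about are not replicated to the backup; that part of a pfsync-style setup is a separate piece the thread does not cover.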


