Network Security Firewalls

Re: pfsync & carp on linux

Subject: Re: pfsync & carp on linux
Date: Tue, 7 Nov 2006 18:58:24 +0000
On Wed, 01 Nov 2006 00:21:17 +0200
Yiannis Kontekakis <ykontekakis@gmail.com> wrote:

> Hello,
>
> I am interested in implementing a load balancing and fail over
> firewall (with connection tracking support).
>
> Currently the only non commercial solution that I know to be
> working, is pfsync and carp in BSD unices. If I am not wrong this
> combination allows load balancing and fail over between x firewalls
> connected to the same subnet, where the rules added to one firewall
> are propagated to the rest in the same subnet (pfsync) and the fail
> over mechanism is implemented by carp. Also as far as I have

pfsync only syncs the state tables. it does not sync pass/block rules or
tables.

> understood this configuration allows connection tracking information
> to be shared between the participating firewalls in the above fail
> over implementation. (If I got it right "connection tracking" means
> the characteristics - sequence numbers, etc... - that specify a socket.)
> As I am accustomed to using Linux (and netfilter), do you know

udp is not socket based, even if it does have 'keep state' in the rule,
it still isn't a socket. udp requires both directions of communication
to be included in rules.

> if there is an alternative in the BSD (pfsync & carp) configuration? I
> tried to "google" this search but only got posts before 2005.

what is it that you're doing in linux that you cannot do in BSD? there
really is no substitute for pf/carp in linux, there's some old attempts
at porting it, but if you ask on the openbsd-misc list the general
response is that the kernel is not up to it.

it was only a year or two ago that freebsd got a pf port.

> Any help would be appreciated. (I would like to hear about a non
> commercial/open source solution.)

let us know what you are trying to do. bsd is a good platform, don't
disregard it.

-- 
Regards, Ed                      :: http://www.s5h.net
proud unix system person
:%s/Open Source/Free Software/g
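The carp/pfsync pairing Ed describes, as an added configuration example that is not part of the thread: interface names, addresses, vhid and the CARP password are assumptions, and the rule set is written in the explicit `keep state` style of OpenBSD releases of that era.

```conf
# /etc/hostname.carp0 on the primary node (assumed addresses; advskew 0 = preferred master)
inet 192.168.1.1 255.255.255.0 192.168.1.255 vhid 1 pass EXAMPLE_SECRET advskew 0

# /etc/hostname.carp0 on the backup node: same vhid and password, higher advskew so
# it only becomes master when the primary stops advertising
inet 192.168.1.1 255.255.255.0 192.168.1.255 vhid 1 pass EXAMPLE_SECRET advskew 100

# /etc/hostname.pfsync0 on both nodes: state updates are unauthenticated, so they
# go over a dedicated crossover link (em2, assumed), never the production segments
up syncdev em2

# /etc/pf.conf, kept identical on both nodes by hand: pfsync replicates the state
# table only, it does NOT replicate pass/block rules or tables
ext_if  = "em0"
int_if  = "em1"
sync_if = "em2"

set skip on lo
scrub in

# Keep the failover plumbing itself out of the replicated state table; CARP
# advertisements and pfsync updates are per-node and must not be synced back.
pass quick on $sync_if proto pfsync keep state (no-sync)
pass on { $ext_if $int_if } proto carp keep state (no-sync)

block log all

# Ordinary traffic: the states these rules create are sent to the peer over
# pfsync0, so an established TCP session survives a CARP master change.
pass in  on $int_if from $int_if:network to any keep state
pass out on $ext_if keep state
```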
