Standby firewall
Jim Fleming
jfleming@anet.com
Fri, 28 Dec 2001 11:27:52 -0600
Another approach, using RIFRAF Routing, is to have FW#1 and FW#2
sending sonar-like pings to the GW/NAT. Those pings set the RIFRAF
entries, which are also used in the routing. If FW#1 dies, it will stop sending
the pings and all of the traffic will steer to FW#2. When FW#1 comes back,
the pings re-appear and the RIFRAF table (which has shift registers) will
start to get populated with FW#1 preferences, and the traffic will flow 50/50
to FW#1 and FW#2. In some sense, you can view the pings as "send to me"
requests. Depending on the rate of the pings, the traffic flow can change in
seconds. Another way to view this is as sort of a token-net. The FWs send
tokens (via pings) to the GW/NATs. The GW/NATs use the tokens to
do load-balancing to the FWs. In theory, a weak FW could send the tokens
at a low rate and get less traffic, because the tokens from the other FW
would cause the GW/NATs to prefer the FW that sends more tokens.
Jim Fleming
http://www.IPv8.info
IPv16....One Better !!
----- Original Message -----
From: "SoulBlazer" <soul@lamp-post.net>
To: "Marcelo Moreira" <marcelo.moreira@qualitau.com>
Cc: "Netfilter Mailing List" <netfilter@lists.samba.org>
Sent: Friday, December 28, 2001 10:29 AM
Subject: Re: Standby firewall
> In my setup I have fail over routing via my firewalls using the following
> method :
>                              --> FW#1 --
> Intranet -> Linux (GW/NAT) --|         |-> Router -> Internet
>                              --> FW#2 --
>
> The linux gw/nat box has its routing table set up to have fw#1 at a lower metric
> and fw#2 to have another, higher metric. If the Linux GW/NAT box detects that
> FW#1 is dead (dead gateway detection in linux .. I believe it is based on the
> arp expiring every 180 seconds) it will default to the next route, which is
> FW#2.
>
> Anyhow nothing fancy here.. and I use iproute2 too .. but I'm sure the
> venerable route/arp/ifconfig commands would work just as well.
>
> PS.. IMHO I think that doing packet filtering on a NAT/GW box is bad karma
> anyhow .. since that box should only be doing routing/nat .. not packet
> filtering. Proper resource management and differentiated servers/services
> makes for smaller boxes and you get the satisfaction of not having all your
> eggs in one basket anyhow.
>
> Cheers,
>
> On December 27, 2001 05:45 pm, Marcelo Moreira wrote:
> > Do you have your system set up as this ?
> > Maybe you can give me some light. I am completely *IN THE DARK* here.
> >
> > My idea is to set up a secondary cheap machine to be a secondary backup
> > firewall in case the real one dies.
> > It is just a matter of eliminating the single point of failure.
> > All servers are on the internal network and the firewall forwards the
> > service requests to the specific machines.
> > Right now, if it dies, the whole company stops with it.
> >
> > Thanks,
> > Marcelo Moreira
> >
> > ----- Original Message -----
> > From: "SoulBlazer" <soul@lamp-post.net>
> > To: "Phil Oester" <kernel@theoesters.com>; "'Marcelo Moreira'"
> > <marcelo.moreira@qualitau.com>; <netfilter@lists.samba.org>
> > Sent: Thursday, December 27, 2001 1:49 PM
> > Subject: Re: Standby firewall
> >
> > > Well in a scenario where you are using a linux box BEFORE the firewall as
> > > well (eg server doing only NAT or a server connecting/bridging different
> > > networks) why not just use the built in linux "dead-gateway-detection" ?
> > >
> > > Just be sure to set metric accordingly and failover should work properly.
> > >
> > > My $0.02
> > >
> > > On December 27, 2001 04:19 pm, Phil Oester wrote:
> > > > Use heartbeat. Use 1 ip for each box, and a third shared ip which is
> > > > the actual firewall IP.
> > > >
> > > > http://linux-ha.org/download/
> > > >
> > > >
> > > > Phil Oester
> > > >
> > > > -----Original Message-----
> > > > From: netfilter-admin@lists.samba.org
> > > > [mailto:netfilter-admin@lists.samba.org] On Behalf Of Marcelo Moreira
> > > > Sent: Thursday, December 27, 2001 1:16 PM
> > > > To: netfilter@lists.samba.org
> > > > Subject: Standby firewall
> > > >
> > > >
> > > > Does anybody know how to set up a second firewall to act as a standby ?
> > > > What I mean is if the primary one fails, the standby one will assume
> > > > the traffic handling.
> > > >
> > > > Thanks,
> > > > Marcelo Moreira
> > >
> > > --
> > > Ex Ignis, Palam Tempestas, Electus Evasto
>
> --
> Ex Ignis, Palam Tempestas, Electus Evasto
>
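The ping/token-driven steering that Jim describes at the top of this message, as a constructed simulation added here (this is not RIFRAF code, nor anything from the IPv8 project or the netfilter list). Assumptions not taken from the message: one tick is one ping interval, the gateway keeps an 8-tick shift register per firewall, flows are handed out by a deterministic weighted round-robin over the register sums, and the firewall names FW#1/FW#2 are just labels. The scenario walks through a firewall dying, its register draining, its recovery, and the "weak firewall sends fewer tokens" case.

```python
from collections import deque

# Constructed simulation of the ping/token-driven steering described above.
# Assumptions (not from the page): each tick is one ping interval, the gateway
# remembers the last REGISTER_LEN ticks per firewall in a shift register, and
# flows are handed out by a deterministic weighted round-robin.
REGISTER_LEN = 8
FIREWALLS = ("FW#1", "FW#2")


class TokenSteeringGateway:
    """GW/NAT that steers flows in proportion to recent tokens (pings) per firewall."""

    def __init__(self, firewalls=FIREWALLS, register_len=REGISTER_LEN):
        # One shift register per firewall: 1 = a token arrived in that tick, 0 = silence.
        self.registers = {fw: deque([0] * register_len, maxlen=register_len)
                          for fw in firewalls}
        self._slot = 0  # round-robin cursor over the cumulative weights

    def tick(self, tokens_seen):
        """Advance one ping interval; tokens_seen is the set of firewalls that pinged."""
        for fw, reg in self.registers.items():
            reg.append(1 if fw in tokens_seen else 0)  # oldest bit falls off the end

    def weights(self):
        """Current preference per firewall: number of recent ticks that carried a token."""
        return {fw: sum(reg) for fw, reg in self.registers.items()}

    def steer(self):
        """Choose the next-hop firewall for one flow; None if every firewall is silent."""
        w = self.weights()
        total = sum(w.values())
        if total == 0:
            return None  # no "send to me" requests at all: nothing to steer to
        slot = self._slot % total
        self._slot += 1
        for fw in sorted(w):  # fixed order so the split is reproducible
            if slot < w[fw]:
                return fw
            slot -= w[fw]
        raise AssertionError("unreachable: slot always falls inside the cumulative weights")


def share(gw, flows):
    """Hand out `flows` flows and return how many went to each firewall."""
    counts = {fw: 0 for fw in gw.registers}
    for _ in range(flows):
        fw = gw.steer()
        if fw is not None:
            counts[fw] += 1
    return counts


def run_scenario(flows_per_phase=48):
    """Walk through the failure, recovery and 'weak firewall' cases from the message."""
    gw = TokenSteeringGateway()
    phases = {}

    # Both firewalls ping every tick: registers fill, traffic splits 50/50.
    for _ in range(REGISTER_LEN):
        gw.tick({"FW#1", "FW#2"})
    phases["both_alive"] = share(gw, flows_per_phase)

    # FW#1 dies. Halfway through the register draining it still attracts a third.
    for _ in range(REGISTER_LEN // 2):
        gw.tick({"FW#2"})
    phases["fw1_draining"] = share(gw, flows_per_phase)

    # Once FW#1's register is all zeros, everything steers to FW#2.
    for _ in range(REGISTER_LEN // 2):
        gw.tick({"FW#2"})
    phases["fw1_dead"] = share(gw, flows_per_phase)

    # FW#1 comes back: its pings re-populate the register, split returns to 50/50.
    for _ in range(REGISTER_LEN):
        gw.tick({"FW#1", "FW#2"})
    phases["fw1_back"] = share(gw, flows_per_phase)

    # A weak FW#1 pinging every other tick attracts only a third of the flows.
    for i in range(REGISTER_LEN):
        gw.tick({"FW#1", "FW#2"} if i % 2 == 0 else {"FW#2"})
    phases["fw1_weak"] = share(gw, flows_per_phase)

    return phases


if __name__ == "__main__":
    for name, split in run_scenario().items():
        print(f"{name:13s} {split}")
```

The register length sets the trade-off Jim mentions: a short register reacts within a few ping intervals, a long one smooths out a single dropped ping. Because the pings act as "send to me" requests that the gateway trusts directly, a real deployment would need to restrict whose pings are honoured (for example by source address on the firewall segment) so that only the intended firewalls can influence the steering table.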