Standby firewall

Jim Fleming jfleming@anet.com
Fri, 28 Dec 2001 14:18:40 -0600


Note, RIFRAF also can be useful in the other direction.
You can reach across the global Internet to systems which
you own and set the marking engine. ARP is not routable
like that. That can also be viewed as a plus for ARP.

When you use RIFRAF to mark packets on the other side
of the Internet, you are essentially saying that you own some
/20 prefix and you want the machine over there to mark
traffic with that prefix randomly or in a fixed pattern. It is
a remote control marking mechanism.

Jim Fleming
http://www.IPv8.info
IPv16....One Better !!
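A small simulation of the point Phil Oester raises further down the thread about load balancing stateful firewalls, added here as an example and not code posted by any participant. Each toy firewall keeps its own connection-tracking table: a connection is entered when its SYN is seen, and later packets are accepted only if the table knows them, which is what a NEW/ESTABLISHED conntrack rule set does. The GW/NAT in front either spreads packets per packet (the effect of a 50/50 token scheme) or pins each flow to one firewall. The addresses and ports are made up.

```python
"""Per-packet vs per-flow distribution across two stateful firewalls."""
from collections import namedtuple
from itertools import cycle
import zlib

Packet = namedtuple("Packet", "src sport dst dport syn")


class StatefulFirewall:
    """Toy conntrack: track on SYN, accept only tracked connections after that."""

    def __init__(self, name):
        self.name = name
        self.conntrack = set()
        self.dropped = []

    def forward(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.syn:
            self.conntrack.add(key)      # NEW: accept and create state
            return True
        if key in self.conntrack:         # ESTABLISHED: state exists here
            return True
        self.dropped.append(pkt)          # INVALID: the other box has the state
        return False


def per_packet(fws):
    """Round robin: every packet goes to the next firewall (50/50 split)."""
    rr = cycle(fws)
    return lambda pkt: next(rr)


def per_flow(fws):
    """Flow pinning: all packets of one 5-tuple go to the same firewall.
    crc32 rather than hash() so the choice is stable across runs."""
    def choose(pkt):
        key = repr((pkt.src, pkt.sport, pkt.dst, pkt.dport)).encode()
        return fws[zlib.crc32(key) % len(fws)]
    return choose


def tcp_flow(src, sport, n_packets):
    """Constructed flow: one SYN followed by n_packets-1 data packets."""
    return [Packet(src, sport, "203.0.113.10", 80, i == 0) for i in range(n_packets)]


def run(flows, choose):
    """Push every packet through the chosen firewall; return (accepted, dropped)."""
    accepted = dropped = 0
    for pkts in flows:
        for pkt in pkts:
            if choose(pkt).forward(pkt):
                accepted += 1
            else:
                dropped += 1
    return accepted, dropped


def simulate(policy):
    """Two firewalls, two 5-packet flows, one distribution policy."""
    fws = [StatefulFirewall("FW#1"), StatefulFirewall("FW#2")]
    flows = [tcp_flow("10.0.0.5", 40001, 5), tcp_flow("10.0.0.6", 40002, 5)]
    return run(flows, policy(fws))


if __name__ == "__main__":
    print("per packet (accepted, dropped):", simulate(per_packet))
    print("per flow   (accepted, dropped):", simulate(per_flow))
```

With round robin every second data packet lands on the firewall that never saw the SYN and is dropped as having no state; flow pinning avoids that in the outbound direction, but only as long as the Router on the far side sends the replies of that flow back through the same firewall. Without replicating conntrack state between the two boxes, anything that moves a live connection from one firewall to the other loses it.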

----- Original Message ----- 
From: "SoulBlazer" <soul@lamp-post.net>
To: "Jim Fleming" <jfleming@anet.com>; "Phil Oester" <kernel@theoesters.com>
Cc: "The knights who formerly said .. neEEh" <netfilter@lists.samba.org>
Sent: Friday, December 28, 2001 1:34 PM
Subject: Re: Standby firewall


> No, Jim has it right .. nat IS being done on the machine called GW/NAT .. and 
> the firewalls are doing that .. firewalling. One of the things tho .. I'm not 
> too sure if sending ICMP echoes is the greatest way of telling that something 
> is overloaded or dead.  I sorta like the arp idea since it indicates a 
> complete breakdown of communication between hosts. Rather than something that 
> is somewhat subjective like icmp echo.
> 
> 
> On December 28, 2001 01:05 pm, Jim Fleming wrote:
> > I was assuming that the NAT was being done in the machine labeled NAT.
> > The FW#1 and FW#2 are really just managers of the expensive T1 WAN
> > connections.
> >
> >                                              --> FW#1--
> > Intranet -> Linux (GW/NAT) - |                      |-> Router ->Internet
> >                                              -- >FW#2--
> >
> > Jim Fleming
> > http://www.IPv8.info
> >
> > ----- Original Message -----
> > From: "Phil Oester" <kernel@theoesters.com>
> > To: "'Jim Fleming'" <jfleming@anet.com>
> > Cc: "'Netfilter Mailing List'" <netfilter@lists.samba.org>
> > Sent: Friday, December 28, 2001 11:19 AM
> > Subject: RE: Standby firewall
> >
> > > Load balancing stateful firewalls (read: conntrack) doesn't sound like a
> > > smart idea.
> > >
> > > -Phil
> > >
> > >
> > > -----Original Message-----
> > > From: netfilter-admin@lists.samba.org
> > > [mailto:netfilter-admin@lists.samba.org] On Behalf Of Jim Fleming
> > > Sent: Friday, December 28, 2001 9:28 AM
> > > To: SoulBlazer; Marcelo Moreira
> > > Cc: Netfilter Mailing List
> > > Subject: Re: Standby firewall
> > >
> > >
> > > Another approach, using RIFRAF Routing, is to have FW#1 and FW#2
> > > sending sonar-like pings to the GW/NAT. Those pings set the RIFRAF
> > > entries which are also used in the routing. If FW#1 dies, it will stop sending
> > > the pings and all of the traffic will steer to FW#2, when FW#1 comes back
> > > the pings re-appear and the RIFRAF table (which has shift registers) will
> > > start to get populated with FW#1 preferences and the traffic will flow 50/50
> > > to FW#1 and FW#2. In some sense, you can view the pings as "send to me"
> > > requests. Depending on the rate of the pings, the traffic flow can change in
> > > seconds. Another way to view this is sort of a token-net. The FWs send
> > > tokens (via pings) to the GW/NATs. The GW/NATs use the tokens to
> > > do load-balancing to the FWs. In theory, a weak FW could send the tokens
> > > at a low rate and get less traffic, because the tokens from the other FW
> > > would cause the GW/NATs to prefer the FW that sends more tokens.
> > >
> > > Jim Fleming
> > > http://www.IPv8.info
> > > IPv16....One Better !!
> > >
> > > ----- Original Message -----
> > > From: "SoulBlazer" <soul@lamp-post.net>
> > > To: "Marcelo Moreira" <marcelo.moreira@qualitau.com>
> > > Cc: "Netfilter Mailing List" <netfilter@lists.samba.org>
> > > Sent: Friday, December 28, 2001 10:29 AM
> > > Subject: Re: Standby firewall
> > >
> > > > In my setup I have fail over routing via my firewalls using the following
> > > > method :
> > > >                                                  --> FW#1--
> > > > Intranet -> Linux (GW/NAT) - |                    |-> Router -> Internet
> > > >                                                  -- >FW#2--
> > > >
> > > > The linux gw/nat box has its routing table setup to have fw#1 at lower metric
> > > > and fw#2 to have another higher metric.  If the Linux GW/NAT box detects that
> > > > FW#1 is dead (dead gateway detection in linux .. I believe it is based on the
> > > > arp expiring every 180 seconds) it will default to the next route which is
> > > > FW#2.
> > > >
> > > > Anyhow nothing fancy here.. and I use iproute2 too .. but I'm sure the
> > > > venerable route/arp/ifconfig commands would work just as well.
> > > >
> > > > PS.. IMHO I think that doing packet filtering on a NAT/GW box is bad karma
> > > > anyhow .. since that box should only be doing routing/nat .. not packet
> > > > filtering.  Proper resource management and differentiated servers/services
> > > > makes for smaller boxes and you get the satisfaction of not having all your
> > > > eggs in one basket anyhow.
> > > >
> > > > Cheers,
> > > >
> > > > On December 27, 2001 05:45 pm, Marcelo Moreira wrote:
> > > > > Do you have your system set up as this ?
> > > > > Maybe you can give me some light. I am completely *IN THE DARK* here.
> > > > > My idea is to set up a secondary cheap machine to be a secondary backup
> > > > > firewall in case the real one dies.
> > > > > It is just a matter of eliminating the single point of failure.
> > > > > All servers are on the internal network and the firewall forwards the
> > > > > service requests to the specific machines.
> > > > > Right now, if it dies, the whole company stops with it.
> > > > >
> > > > > Thanks,
> > > > > Marcelo Moreira
> > > > >
> > > > > ----- Original Message -----
> > > > > From: "SoulBlazer" <soul@lamp-post.net>
> > > > > To: "Phil Oester" <kernel@theoesters.com>; "'Marcelo Moreira'"
> > > > > <marcelo.moreira@qualitau.com>; <netfilter@lists.samba.org>
> > > > > Sent: Thursday, December 27, 2001 1:49 PM
> > > > > Subject: Re: Standby firewall
> > > > >
> > > > > > Well in a scenario where you are using a linux box BEFORE the firewall as
> > > > > > well (eg server doing only NAT or a server connecting/bridging different
> > > > > > networks) why not just use the built in linux "dead-gateway-detection" ?
> > > > > > Just be sure to set metric accordingly and failover should work properly.
> > > > > > My $0.02
> > > > > >
> > > > > > On December 27, 2001 04:19 pm, Phil Oester wrote:
> > > > > > > Use heartbeat.  Use 1 ip for each box, and a third shared ip which is
> > > > > > > the actual firewall IP.
> > > > > > >
> > > > > > > http://linux-ha.org/download/
> > > > > > >
> > > > > > >
> > > > > > > Phil Oester
> > > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: netfilter-admin@lists.samba.org
> > > > > > > [mailto:netfilter-admin@lists.samba.org] On Behalf Of Marcelo Moreira
> > > > > > > Sent: Thursday, December 27, 2001 1:16 PM
> > > > > > > To: netfilter@lists.samba.org
> > > > > > > Subject: Standby firewall
> > > > > > >
> > > > > > >
> > > > > > > Does anybody know how to set up a second firewall to act as a standby ?
> > > > > > > What I mean is if the primary one fails, the standby one will assume
> > > > > > > the traffic handling.
> > > > > > >
> > > > > > > Thanks,
> > > > > > > Marcelo Moreira
> > > > > >
> > > > > > --
> > > > > > Ex Ignis, Palam Tempestas, Electus Evasto
> > > >
> > > > --
> > > > Ex Ignis, Palam Tempestas, Electus Evasto
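An added example (not code posted by anyone in the thread) of the metric-based failover SoulBlazer describes, with liveness judged from the kernel ARP cache rather than from ICMP echo replies, as the thread prefers. The GW/NAT box keeps one default route per firewall, FW#1 at the lower metric, and a watchdog removes the route of a gateway whose neighbour entry is no longer complete and puts it back when it is. The gateway addresses, interface name and metrics are assumptions; the two /proc/net/arp snapshots are constructed.

```python
"""Active/standby default-gateway watchdog for a Linux GW/NAT box."""
import subprocess
from dataclasses import dataclass

PROC_NET_ARP = "/proc/net/arp"
ATF_COM = 0x2        # <net/if_arp.h>: the entry has a resolved hardware address
DEV = "eth1"         # assumed interface towards FW#1 and FW#2


@dataclass(frozen=True)
class Gateway:
    ip: str
    metric: int      # iproute2 metric; the kernel prefers the lowest


# Assumed addresses: FW#1 is preferred, FW#2 is the standby.
GATEWAYS = (Gateway("192.0.2.1", 100), Gateway("192.0.2.2", 200))

# Constructed snapshots of /proc/net/arp (columns as the kernel prints them).
SAMPLE_ARP_BOTH_UP = """IP address       HW type     Flags       HW address            Mask     Device
192.0.2.1        0x1         0x2         00:0c:29:aa:bb:01     *        eth1
192.0.2.2        0x1         0x2         00:0c:29:aa:bb:02     *        eth1
"""
SAMPLE_ARP_FW1_DOWN = """IP address       HW type     Flags       HW address            Mask     Device
192.0.2.1        0x1         0x0         00:00:00:00:00:00     *        eth1
192.0.2.2        0x1         0x2         00:0c:29:aa:bb:02     *        eth1
"""


def parse_proc_net_arp(text):
    """Map IP -> True if the entry is complete (ATF_COM set), False if not.
    Addresses the kernel has no entry for are simply absent."""
    status = {}
    for line in text.splitlines()[1:]:        # first line is the column header
        fields = line.split()
        if len(fields) < 6:
            continue
        ip, flags = fields[0], int(fields[2], 16)
        status[ip] = bool(flags & ATF_COM)
    return status


def live_gateways(arp_status, gateways=GATEWAYS):
    """Gateways whose MAC address the kernel currently knows."""
    return [gw for gw in gateways if arp_status.get(gw.ip, False)]


def choose_gateway(arp_status, gateways=GATEWAYS):
    """Lowest-metric live gateway, or None when nothing answers ARP."""
    live = live_gateways(arp_status, gateways)
    return min(live, key=lambda gw: gw.metric) if live else None


def route_commands(arp_status, gateways=GATEWAYS, dev=DEV):
    """iproute2 commands reconciling the table with ARP state: live gateways
    keep (or regain) their metric-tagged default route, dead ones lose theirs.
    With no live gateway the table is left alone, so a transient cache miss
    cannot black-hole the box."""
    live = {gw.ip for gw in live_gateways(arp_status, gateways)}
    if not live:
        return []
    return [f"ip route {'replace' if gw.ip in live else 'del'} default "
            f"via {gw.ip} dev {dev} metric {gw.metric}" for gw in gateways]


def refresh_arp(gateways=GATEWAYS):
    """Poke each gateway so the kernel re-validates its neighbour entry.
    The echo reply itself is ignored: a firewall that drops ICMP echo still
    counts as up as long as it answers ARP."""
    for gw in gateways:
        subprocess.run(["ping", "-c", "1", "-W", "1", gw.ip],
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)


def apply(cmds):
    """'ip route del' fails when the route is already gone; that is harmless."""
    for cmd in cmds:
        subprocess.run(cmd.split(), check=False)


if __name__ == "__main__":
    import time
    last = None
    while True:                                # run as root on the GW/NAT box
        refresh_arp()
        with open(PROC_NET_ARP) as f:
            cmds = route_commands(parse_proc_net_arp(f.read()))
        if cmds != last:                       # only touch the table on change
            apply(cmds)
            last = cmds
        time.sleep(5)
```

An idle standby gateway has no reason to be in the ARP cache at all, and an entry that has gone STALE still shows ATF_COM, which is why the loop sends a probe each round: the kernel then re-resolves the neighbour and a dead firewall turns incomplete (and is dropped from the cache) within a few seconds, instead of waiting for the cache timeout. Run it once with the two snapshots above to see the command lists it would issue before letting it near a real routing table.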