 From:  Peter Allgeyer <allgeyer at web dot de>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] failover support?
 Date:  Tue, 20 Jan 2004 22:02:56 +0100
Hi Fred!

On Tue, Jan 20, 2004 at 10:46:06AM -0500, Fred Weston wrote:
> This is just out of curiosity, I don't have any need for this kind of 
> functionality, it's more of a how hard would that be kind of question.  

It depends.

> With talk of PIX firewalls earlier on the list I was thinking about how 
> much we paid for a pair of PIX 515s.  The second firewall we bought cost 
> us next to nothing, because it would function only as a failover device 
> in case the primary failed (it would refuse to load it's config if the 
> master wasn't present).
> 
Yes, the first one is the expensive one. I think Cisco PIX has a good
cost/performance ratio, not only in HA environments.

> I was just curious as to how hard it would be to implement something 
> similar in m0n0wall, and if anyone had ever inquired about it before?
> 
Ok. Let's talk about m0n0wall. I've been concerning myself with an HA solution
the last few days. This is what you will need:

a) an HA protocol (VRRP for example is really nice, Nokia uses this one)
   Look out for freevrrpd (has monitored circuit as well). Heartbeat is
   too slow for failover on a router (IMHO).
b) possibility to have more than one MAC address on an interface would
   be nice, too. Is this possible with FreeBSD? Have to take a close
   look at freevrrpd.
c) some kind of stateful failover would be nice. You have to share your
   connection and NAT tables. No solution for ipfilter today, but I have
   heard rumors that something like this is planned for ipfilter 4.0.
   This would be a killer feature, because I don't know of any
   non-commercial firewall having stateful failover.
d) possibility to share configuration (not so difficult). You can use
   scp or rsync or something like this to copy the configuration from
   one node to another. You will have to change one option or another
   though.
e) a nice GUI like the one on Nokia IP appliances (Voyager). Sure, it
   should be ported to Manuel's stylesheet. On Nokia you have to
   configure each node separately (rulebases are managed centrally by
   Check Point, of course).
f) configuration stored as XML and a little parser/interpreter for this
   one.
g) tcpdump, tcpdump, tcpdump !!! I can't state this enough.

Point b) is the critical one. Without this feature I won't develop a
solution for m0n0wall. Having to reconnect is a no-no.

Ciao ...
	... PIT ...

---------------------------------------------------------------------------
 copyleft(c) by |           "...[Linux's] capacity to talk via any medium
 Peter Allgeyer |   _-_     except smoke signals." (By Dr. Greg Wettstein,
                | 0(o_o)0   Roger Maris Cancer Center)
---------------oOO--(_)--OOo-----------------------------------------------
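Points d) and f) of the post above describe copying one node's configuration to the other while changing the node-specific options, and keeping that configuration as XML. The following is an added example of that step, not code from the post, from m0n0wall or from freevrrpd: it derives the backup node's config from the master's copy, allows overrides only at the paths that legitimately differ per node (hostname and the boxes' real interface addresses), and checks after the copy that the shared part (the rulebase) is still identical. The element names are modelled loosely on m0n0wall's config.xml but are assumptions, as are the hostnames and addresses in the constructed sample; the shared VRRP address is deliberately absent because the HA daemon, not the firewall config, owns it.

```python
"""Derive a backup node's config.xml from the master's copy and check that
only the node-local settings differ.

Added example, not m0n0wall code or code from the post. The element names
(<system>/<hostname>, <interfaces>/<lan>/<ipaddr>, <filter>/<rule>) are
modelled loosely on m0n0wall's config.xml but are assumptions for
illustration, as are the hostnames and addresses in the constructed sample.
"""
import xml.etree.ElementTree as ET

# Constructed sample of a master node's config.xml (not a real m0n0wall file).
MASTER_CONFIG = """<?xml version="1.0"?>
<m0n0wall>
  <system>
    <hostname>fw1</hostname>
    <domain>example.test</domain>
  </system>
  <interfaces>
    <lan><if>fxp0</if><ipaddr>192.168.1.2</ipaddr><subnet>24</subnet></lan>
    <wan><if>fxp1</if><ipaddr>203.0.113.2</ipaddr><subnet>29</subnet>
         <gateway>203.0.113.1</gateway></wan>
  </interfaces>
  <filter>
    <rule><type>pass</type><interface>lan</interface><protocol>tcp</protocol>
          <destination><any/><port>443</port></destination></rule>
    <rule><type>block</type><interface>wan</interface></rule>
  </filter>
</m0n0wall>
"""

# Element paths (relative to the root) that legitimately differ per node: the
# box's own name and its real interface addresses. The shared virtual address
# that clients use belongs to the VRRP daemon, not to config.xml, so it is
# deliberately not listed here. Everything else (rules, NAT, ...) must match.
NODE_LOCAL_PATHS = frozenset({
    "system/hostname",
    "interfaces/lan/ipaddr",
    "interfaces/wan/ipaddr",
})

# Hypothetical values for the second box.
BACKUP_OVERRIDES = {
    "system/hostname": "fw2",
    "interfaces/lan/ipaddr": "192.168.1.3",
    "interfaces/wan/ipaddr": "203.0.113.3",
}


def derive_node_config(master_xml, overrides):
    """Return the master config with node-local values replaced.

    Refuses to touch anything outside NODE_LOCAL_PATHS: a sync tool that
    silently let an override land in <filter> would leave the backup
    enforcing a different rulebase than the master after a failover.
    """
    root = ET.fromstring(master_xml)
    for path, value in overrides.items():
        if path not in NODE_LOCAL_PATHS:
            raise ValueError("refusing to override shared setting: " + path)
        el = root.find(path)
        if el is None:
            raise KeyError("master config has no element at " + path)
        el.text = value
    return ET.tostring(root, encoding="unicode")


def get_value(config_xml, path):
    """Text of the element at `path`, or None if it is absent."""
    el = ET.fromstring(config_xml).find(path)
    return None if el is None else el.text


def shared_part_identical(xml_a, xml_b):
    """True if the two configs differ only at NODE_LOCAL_PATHS.

    Run this on both nodes after the scp/rsync push as the acceptance
    check: a mismatch means the rulebase or NAT table has drifted.
    """
    trees = [ET.fromstring(x) for x in (xml_a, xml_b)]
    for root in trees:
        for path in NODE_LOCAL_PATHS:
            el = root.find(path)
            if el is not None:
                el.text = None  # blank the node-local values before comparing
    return ET.tostring(trees[0]) == ET.tostring(trees[1])


if __name__ == "__main__":
    backup = derive_node_config(MASTER_CONFIG, BACKUP_OVERRIDES)
    print(backup)
    print("shared part identical:", shared_part_identical(MASTER_CONFIG, backup))
```

The point of the allow-list is that the copy step is also where policy drift sneaks in: if the tool accepts arbitrary overrides, an operator can end up with a backup that passes traffic the master blocks, and nobody notices until the failover happens. The comparison function is what you would run on both boxes after every push.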