Re: Pseudo-cluster firewall

To: debian-security@lists.debian.org
Subject: Re: Pseudo-cluster firewall
From: Dariush Pietrzak <eyck@forumakad.pl>
Date: Wed, 3 Nov 2004 08:48:19 +0100
Message-id: <20041103074819.GA6455@forumakad.pl>
Mail-followup-to: debian-security@lists.debian.org
In-reply-to: <20041102200848.GA13491@cirrus.madduck.net>
References: <WorldClient-F200411022055.AA55240018@starcomitalia.com> <20041102200848.GA13491@cirrus.madduck.net>

> > Now the problem: I have only a cross-over cable from the router to
> > the firewall, so I cannot connect the backup firewall. Using
> > a switch is pointless: the switch may die too.
 Switches are relatively easy to set up in failover configuration ( most
cisco gear supports it ) (well, the problem would the be, how to connect
such setup to router with single ethernet jack ).
 As far as fail-over firewalls go, they're pretty easy to set up, 
apt-cache show vrrd 
(or maybe even better
apt-cache show ucarp
)
 This little daemon makes it easy to set up two firewalls, the only problem
would be that in case of failure all nat-ted connections get dropped and
you have to reconnect. If you want to avoid that, go for OpenBSD and their
firewall sync. ( btw, with ucarp you can create dual firewall with one
machine running Debain and the other running OpenBSD ).
 I used to set up such thingies with debian as primary and freebsd running
as backup ( which theoretically 'protects' you from critical failures in
debian ).

-- 
Dariush Pietrzak,
Key fingerprint = 40D0 9FFB 9939 7320 8294  05E0 BCC7 02C4 75CC 50D9

Reply to:

References:
- Pseudo-cluster firewall
  - From: "Raffaele D'Elia" <R.DElia@starcomitalia.com>
- Re: Pseudo-cluster firewall
  - From: martin f krafft <madduck@debian.org>

Prev by Date: Re: doing an ssh into a compromised host
Next by Date: Re: doing an ssh into a compromised host
Previous by thread: Re: Pseudo-cluster firewall
Next by thread: Re: Pseudo-cluster firewall
Index(es):
- Date
- Thread