Firewall Failover With pfsync And CARP
Daniel Hartmeier writes "OpenBSD developer Ryan McBride explains the new firewall redundancy features in the upcoming OpenBSD 3.5 release in his article Firewall Failover with pfsync and CARP. CARP (Common Address Redundancy Protocol) is a free alternative to the patent-encumbered VRRP, responsible for electing masters in a firewall cluster, while pfsync syncronizes packet filter state information among nodes. The combination allows to replace single-point-of-failure firewalls with clusters of two (or more) nodes, which continue to filter ongoing and new connections when nodes fail. Additional features like arpbalance allow one to share a single IP address for multiple servers, transparently balancing load among them, and adapting to servers failing. Pre-order for OpenBSD 3.5 has started, CDs will ship May 1st."
The upside is that after a certain amount of spam received, people get really good at filtering it. That's where the motivation behind some of the anti-spam features in OpenBSD comes from, I guess :)
It's kinda of sad that something this cool gets so little discussion on a site like Slashdot. I guess it will be news when CARP gets ported to linux and iptables gets ip state sync'ing across hosts.
The grandparent wrote 40Mb/s, like in 40 mega bit, and a PII can handle this. However, you should have a good NIC and not one of those pisspor Realtek that offloads the work to the CPU.
There is absolutely no benefit to a GUI at all
This is a idotic comment. I've been a firewall admin for years. I admin CheckPoint, PIX, NetScreen, ipfw, ipf, and pf firewalls.
Have you ever tried to configure a fully meshed VPN topology between 30 sites by hand? Are you really going to sit there and write 900 rules by hand and expect to do it without making a mistake?
What about defining a group of objects on one firewall (say a cluster of web servers) and then going to implement a rule on a different firewall that uses that web server group? With a central GUI, you can define the object once and not worry about changing it in 5 places or making a mistake when you copy it over to another firewall. (Yes this can be done with scripts but if you are going to write a whole management interface, why not stick a GUI on top of it to make browsing rules easier?)
What about when you need to print out the rule sets for a compliance officer or your CEO?
What about when you have have 25 firewalls and you forgot to backup the rule set on a firewall that just died. Wouldn't it be nice to have a management box with all the rule sets stored locally?
There are about 50 good reasons to have a GUI and very few reasons not to have one. As long as you can configure the boxes from the command line and the GUI doesn't generate gibberish rules, then it is an excellent addition to a great firewall package.
-sirket