Firewall Failover With pfsync And CARP

← Back to Stories (view on slashdot.org)

Firewall Failover With pfsync And CARP

Posted by timothy on Tuesday March 30, 2004 @02:00AM from the careful-acronym-arrangment dept.

Daniel Hartmeier writes "OpenBSD developer Ryan McBride explains the new firewall redundancy features in the upcoming OpenBSD 3.5 release in his article Firewall Failover with pfsync and CARP. CARP (Common Address Redundancy Protocol) is a free alternative to the patent-encumbered VRRP, responsible for electing masters in a firewall cluster, while pfsync syncronizes packet filter state information among nodes. The combination allows to replace single-point-of-failure firewalls with clusters of two (or more) nodes, which continue to filter ongoing and new connections when nodes fail. Additional features like arpbalance allow one to share a single IP address for multiple servers, transparently balancing load among them, and adapting to servers failing. Pre-order for OpenBSD 3.5 has started, CDs will ship May 1st."

5 of 60 comments (clear)

Min score:

Reason:

Sort:

HSRP by bolix · 2004-03-30 02:30 · Score: 3, Interesting

I love sniffing the Cisco equivalent to CARP. Lots of HSRP calls to 224.0.0.224 with no security built in. A simple ARP poison will fuck the switch. More advanced attack methods can be found c/o Phenolit
I wonder... by Yarn · 2004-03-30 03:23 · Score: 2, Interesting

What hardware would I need to do this on my 1000SX uplink. Admittedly, I've only peaked at 80Mbit/s so far, but I think even handling that will take some beefy hardware.

--
-Yarn - Rio Karma: Excellent
1. Re:I wonder... by hdw · 2004-03-30 10:20 · Score: 2, Interesting
  
  yup, I can.
  
  First of all, I said Mb, not MB, call me conservative but I'm used to count bandwidth in bits, not bytes.
  
  Second, as I stated, check your NIC and the drivers.
  It means a lot when it comes to network handling.
  
  (I remember how out old VAX 11/785 reacted when it shared an non-switched net with 2 sparc servers, the poor VAX was down on it's knees just by trying to ignore the traffic :)).
  
  And as a wider note, the performance of a system isn't only down to processor speed. There's tons of parameters, both hard and soft, that come into play.
  
  Figuring out _what_ parameter to fiddle with is regarded as voodoo :)
  
  / hdw
  
  ps
  No, I'm no speed guru, neither did I wave a dead chicken and dance backwards while installing that firewall.
  I asked for a raw Internet feed to the labnet, and at that time we didn't have anything less then 100Mb/s to hand out. And the server played it nice.
  ds.
  
  --
  Executive Pope (small) Kallisti Engineering
CARP/pf song for 3.5 Release by RupertJ · 2004-03-31 00:28 · Score: 5, Interesting

In keeping with OpenBSD's promo songs, the 3.5 release features a Monty Python-style sketch and song about CARP/pf and VRRP etc. Very funny stuff indeed. Lyrics and links to download the songs in MP3/OGG format at http://www.openbsd.org/lyrics.html
Re:Conterpoint: Cisco PIX by sirket · 2004-03-31 13:29 · Score: 2, Interesting

I configure PIX's all day long and I love the simplicity of a PIX config file. That said, Cisco has been losing market share for years because they don't have a GUI. Ever try to set up a ton of VPN's through the command line? Doable? Certainly. Fun? Not a chance.

-sirket