Firewall Failover With pfsync And CARP
Daniel Hartmeier writes "OpenBSD developer Ryan McBride explains the new firewall redundancy features in the upcoming OpenBSD 3.5 release in his article Firewall Failover with pfsync and CARP. CARP (Common Address Redundancy Protocol) is a free alternative to the patent-encumbered VRRP, responsible for electing masters in a firewall cluster, while pfsync synchronizes packet filter state information among nodes. The combination allows one to replace single-point-of-failure firewalls with clusters of two (or more) nodes, which continue to filter ongoing and new connections when nodes fail. Additional features like arpbalance allow one to share a single IP address for multiple servers, transparently balancing load among them, and adapting to servers failing. Pre-order for OpenBSD 3.5 has started, CDs will ship May 1st."
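To make the two mechanisms in the summary concrete, here is a small Python model of a two-node cluster. It is an added, constructed example, not code from the article, from OpenBSD or from any poster in this thread. Each CARP advertisement carries an HMAC-SHA1 keyed with the shared password, so a host that does not know the password cannot win or disturb the election; a backup that stops hearing its master for three advertisement intervals takes over; and because the master pushed its pf state entries to the backup (what pfsync does), the connection that was open before the failure still passes afterwards. The 36-byte header layout follows CARP's, but exactly which bytes the HMAC covers, the timing, the password and the addresses are this example's own assumptions.

```python
"""Model of CARP master election and pfsync state replication.

Added, constructed example: not OpenBSD's ip_carp.c or if_pfsync.c. The
36-byte header layout follows CARP's; which bytes the HMAC covers, the
timing and the addresses below are this example's own assumptions.
"""
import hashlib
import hmac
import struct

CARP_VERSION, CARP_ADVERTISEMENT = 2, 1
CARP_AUTHLEN = 7         # auth data in 32-bit words: 8-byte counter + 20-byte digest
HDR_FMT = "!BBBBBBHQ"    # version/type, vhid, advskew, authlen, pad, advbase, cksum, counter
HDR_LEN, MD_LEN = struct.calcsize(HDR_FMT), 20


def carp_mac(key, hdr):
    """HMAC-SHA1 keyed with the shared password over the header minus its checksum."""
    return hmac.new(key, hdr[:6] + hdr[8:], hashlib.sha1).digest()


def carp_advert(key, vhid, advbase, advskew, counter):
    """Build an authenticated advertisement as a master would send it."""
    hdr = struct.pack(HDR_FMT, (CARP_VERSION << 4) | CARP_ADVERTISEMENT,
                      vhid, advskew, CARP_AUTHLEN, 0, advbase, 0, counter)
    return hdr + carp_mac(key, hdr)


def parse_advert(key, pkt):
    """Return (vhid, advbase, advskew), or None if malformed or not keyed with our password."""
    if len(pkt) != HDR_LEN + MD_LEN:
        return None
    hdr, md = pkt[:HDR_LEN], pkt[HDR_LEN:]
    vt, vhid, advskew, authlen, _pad, advbase, _ck, _ctr = struct.unpack(HDR_FMT, hdr)
    if vt != ((CARP_VERSION << 4) | CARP_ADVERTISEMENT) or authlen != CARP_AUTHLEN:
        return None
    if not hmac.compare_digest(md, carp_mac(key, hdr)):
        return None          # forged: dropped without touching election state
    return vhid, advbase, advskew


class CarpNode:
    """One firewall: CARP election state plus a toy pf state table."""
    def __init__(self, key, vhid, advbase=1, advskew=0, preempt=True):
        self.key, self.vhid, self.preempt = key, vhid, preempt
        self.advtime = advbase + advskew / 256.0   # seconds between advertisements; lowest wins
        self.advbase, self.advskew = advbase, advskew
        self.state, self.counter, self.last_heard = "BACKUP", 0, 0.0
        self.states = {}     # (proto, src, dst) -> pf state, replicated by pfsync

    def advertise(self):
        self.counter += 1
        return carp_advert(self.key, self.vhid, self.advbase, self.advskew, self.counter)

    def receive(self, pkt, now):
        parsed = parse_advert(self.key, pkt)
        if parsed is None:
            return "dropped"
        vhid, advbase, advskew = parsed
        if vhid != self.vhid:
            return "ignored"                         # some other virtual host's election
        self.last_heard = now
        peer = advbase + advskew / 256.0
        if self.state == "MASTER" and peer < self.advtime:
            self.state = "BACKUP"                    # a better-placed node is alive: yield
        elif self.state == "BACKUP" and peer > self.advtime and self.preempt:
            self.state = "MASTER"                    # we are preferred: take over
        return self.state

    def tick(self, now):
        # a backup that hears no master for three advertisement intervals takes over
        if self.state == "BACKUP" and now - self.last_heard > 3 * self.advtime:
            self.state = "MASTER"
        return self.state

    def insert_state(self, flow, peers):
        """Master creates a pf state; pfsync pushes a copy to every peer."""
        self.states[flow] = "ESTABLISHED"
        for p in peers:
            p.states[flow] = "ESTABLISHED"           # what the peer's pfsync0 would install


def failover_demo():
    """Two-node cluster: election, a forged advertisement, then master failure."""
    key = b"mekmitasdigoat"                              # shared CARP password (assumed)
    fw1 = CarpNode(key, vhid=1, advskew=0)               # preferred master
    fw2 = CarpNode(key, vhid=1, advskew=100)             # backup, timeout 3 * 1.39 s
    log = [(fw1.tick(3.5), fw2.tick(3.5))]               # fw1 times out first: MASTER, BACKUP
    log.append(fw2.receive(fw1.advertise(), now=4.0))   # BACKUP: hears a better master
    flow = ("tcp", "203.0.113.7:51234", "192.0.2.10:443")  # constructed addresses
    fw1.insert_state(flow, peers=[fw2])                 # pfsync copies the state to fw2
    forged = carp_advert(b"guess", 1, 1, 0, 99)         # attacker without the password
    log.append(fw1.receive(forged, now=4.5))            # dropped: fw1 stays master
    log.append(fw2.tick(9.0))                           # fw1 silent for > 4.17 s: MASTER
    log.append(flow in fw2.states)                      # True: the connection survives
    return log
```

Two things the model deliberately shows and a real deployment has to get right: the election is only as strong as the shared password (the `pass` argument to carp0), so pick a real one; and the state replication itself carries no authentication of its own, so the pfsync interface belongs on a dedicated link between the nodes rather than on a segment other hosts can reach.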
I think my office implemented such functionality for like $120k, and it doesn't even work too well.
I love sniffing the Cisco equivalent to CARP. Lots of HSRP calls to 224.0.0.224 with no security built in. A simple ARP poison will fuck the switch. More advanced attack methods can be found c/o Phenolit
At least in *BSD. Just think of the smell !
Oh, the beauty of OpenBSD! Sweet stuff OpenBSD...
What hardware would I need to do this on my 1000SX uplink? Admittedly, I've only peaked at 80Mbit/s so far, but I think even handling that will take some beefy hardware.
-Yarn - Rio Karma: Excellent
Will this help me close off access to this always-open, always-sniffed, always-0wn3d port?
Why would a /. editor include a mailto link to an OpenBSD developer in a story?
The poor bastard is going to be flooded with spam ad crap now.
Conformity is the jailer of freedom and enemy of growth. -JFK
Any relation to Darl?
I found an interesting picture of the CARP hardware they're using for this here.
Netcraft now confirms: *BSD is dying.
Yet another crippling bombshell hit the beleaguered *BSD community when recently IDC confirmed that *BSD accounts for less than a fraction of 1 percent of all servers. Coming on the heels of the latest Netcraft survey which plainly states that *BSD has lost more market share, this news serves to reinforce what we've known all along. *BSD is collapsing in complete disarray, as further exemplified by failing dead last in the recent Sys Admin comprehensive networking test.
You don't need to be a Kreskin to predict *BSD's future. The hand writing is on the wall: *BSD faces a bleak future. In fact there won't be any future at all for *BSD because *BSD is dying. Things are looking very bad for *BSD. As many of us are already aware, *BSD continues to lose market share. Red ink flows like a river of blood. FreeBSD is the most endangered of them all, having lost 93% of its core developers.
Let's keep to the facts and look at the numbers.
OpenBSD leader Theo states that there are 7000 users of OpenBSD. How many users of NetBSD are there? Let's see. The number of OpenBSD versus NetBSD posts on Usenet is roughly in ratio of 5 to 1. Therefore there are about 7000/5 = 1400 NetBSD users. BSD/OS posts on Usenet are about half of the volume of NetBSD posts. Therefore there are about 700 users of BSD/OS. A recent article put FreeBSD at about 80 percent of the *BSD market. Therefore there are (7000+1400+700)*4 = 36400 FreeBSD users. This is consistent with the number of FreeBSD Usenet posts.
Due to the troubles of Walnut Creek, abysmal sales and so on, FreeBSD went out of business and was taken over by BSDI who sell another troubled OS. Now BSDI is also dead, its corpse turned over to yet another charnel house. All major surveys show that *BSD has steadily declined in market share. *BSD is very sick and its long term survival prospects are very dim. If *BSD is to survive at all it will be among OS hobbyist dabblers. *BSD continues to decay. Nothing short of a miracle could save it at this point in time. For all practical purposes, *BSD is dead.
Fact: *BSD is dead
But, how can I loadbalance/failover a postgresql using openbsd?
It's kinda of sad that something this cool gets so little discussion on a site like Slashdot. I guess it will be news when CARP gets ported to linux and iptables gets ip state sync'ing across hosts.
However, as excellent as this looks, I can only shudder in horror at the thought of migrating any of our existing rulesets across to openbsd/pf, let alone distributed management of policies across several 'clusters' of firewalls we have.
Yes my friends. I'm asking for a GUI. FW Builder is a good start, but it still needs work (porting to Windows would be a good start). Migration tools from Checkpoint (or other commercial firewalls) would be another good addition.
PS, I ask for Windows support not for my sake, but so that my co-workers would be able to use it. However, this criticism is levelled at FW Builder.
OpenBSD/pf/CARP has provided a brilliant technical starting block, but it needs these additional tools to make inroads into enterprise organisations.
Man, watching 6 MCSEs around a Sun box looks a lot like the opening scenes of 2001: A Space Odyssey...
From "Improving Passive Packet Capture: Beyond Device Polling":

"Linux, a very popular OS used for running network appliances, performs very poorly with respect to other OSs used in the same test" (FreeBSD and Win2k).

"The Linux kernel module is almost as fast as the userspace FreeBSD application".

Percentage of packets captured (in user space), using device polling, at 80,000 packets per second? Linux 5.6%, FreeBSD 99.9%. Linux manages 99.5% only using a kernel module.

SO LINUX MUST GO TO KERNEL SPACE TO ALMOST BE AS FAST AS FREEBSD WITHIN USER SPACE!

Maybe if you "BSD is dying" trolls stopped crapping on here about BSD dying and instead actually learned a language apt for your OS of choice, you might actually be able to bring Linux up to "dead status" with the BSDs.

But wait, it gets worse! While trying to capture packets from a DoS application, Linux could only manage capture rates of 0.8% in user space and 9.7% in kernel space, while FreeBSD managed 74.7% in user space!

"FreeBSD performs much better than Linux"

"it is obvious that a vanilla FreeBSD systems is much more efficient than a vanilla Linux system when used for packet capture."
no one actually believes the crap that they post.
they just do it to piss people like you off into posting this garbage.
why is this so hard for you people to understand? you are just feeding them! they will now post more because of you. if you had just shut up, they would stop because they have no point in posting if no one is going to reply.
Try UCARP a portable userland implementation.
In keeping with OpenBSD's promo songs, the 3.5 release features a Monty Python-style sketch and song about CARP/pf and VRRP etc. Very funny stuff indeed. Lyrics and links to download the songs in MP3/OGG format at http://www.openbsd.org/lyrics.html
Cisco PIXes are configured the old way through SSH (ok, there's a Web interface, never heard of anyone using it) and they sell pretty well. Cisco do have a (laughable) management solution that includes a GUI but almost nobody uses it as it plain sucks (simply installing it is a nightmare, plenty of dependencies...). The nice thing is that it provides a nice market for third party solutions to do that job...
So having a GUI is not a prerequisite for enterprise acceptance. Even if being Cisco sure helps...
CERT SecAD NBSD4536A746
Advisory: Olfactory disturbance during *BSD use
Affected: NetBSD all versions
FreeBSD all versions
OpenBSD all versions
Description: The dead corpse of a *BSD operating system emits a foul, disgusting smell which reduces the productivity of the users.
Recommended activities: - use nose plugs
- removal of *BSD operating system, replace with Linux or Windows XP
Just when I was installing it on my Pentium 200 MHz, 48MiB RAM, it never did end the installation because it was installing at a rate of 9 KB per second!!!
Why 9 KiB/s?
I don't know why, but I did a # top and I did see that the CPU was 90% idle and 10% running cpio, gzip and other programs.
Why 90% CPU idle for the slower and slower installation?
I don't know why, I believe that FreeBSD's president is hurting us and he wants money with worse and worse code.
open4free
try not being so fucking redundant. you BSDtard
Seriously, you aren't listening. You don't have to enter the same rule and object definitions over and over, that's exactly what I am saying. You make a single template, and then any firewall from there is just changing some variables like $ext_if or $local_net. Plus there are lots of things you don't have to do with pf, like making a whole set of rules to stop spoofing; with pf you can just do antispoof on $ext_if. I am not complaining about a GUI tool, I am saying the parent poster is dumb for complaining about the lack of a GUI, when he hasn't even bothered to learn how the thing works, to see if he even needs one.
Jeremy Andrews from kerneltrap.org has just published an Interview with Ryan McBride, which makes for an excellent read on CARP and pfsync.
However there is no pfsync (or similar) for netfilter (if you'd like to have failover firewalls).
But supposedly it doesn't matter, because netfilter doesn't have TCP window tracking.
And because existing connections are considered new by netfilter, it should work in theory (if you allow new connections, for all the established-connections).
Balancing won't work however, because UCARP doesn't do that, if I understand it correctly.
As there is no replication, rules should be replicated another way (something like rules from LDAP, for example, would be a useful way).
New things are always on the horizon
Some trolls told me the other day that Slashdot deletes posts scored 0 or -1 after a while. I don't know if I believe them, because trolls tend to lie a lot, but I have decided to repost all of this story's comments just in case. Usually, in the BSD section, it's the most important comments that get modded down.
// hdw
HSRP (Score:4, Interesting)
by bolix (201977) on Tuesday March 30, @10:30AM (#8713503)
(http://attrition.org | Last Journal: Thursday November 28, @01:43PM)
I love sniffing the Cisco equivalent to CARP. Lots of HSRP calls to 224.0.0.224 with no security built in. A simple ARP poison will fuck the switch. More advanced attack methods can be found c/o Phenolit [phenoelit.de]
I wonder... (Score:3, Interesting)
by Yarn (75) on Tuesday March 30, @11:23AM (#8714065)
(http://www.yarn.org.uk/)
What hardware would I need to do this on my 1000SX uplink. Admittedly, I've only peaked at 80Mbit/s so far, but I think even handling that will take some beefy hardware.
Re:I wonder... (Score:5, Informative)
by dhartmei (664843) on Tuesday March 30, @03:18PM (#8717259)
(http://www.benzedrine.cx/)
Filtering ordinary traffic (not extreme test-cases of minimal packets, average number of packets/connection) statefully at 100Mbps doesn't require much hardware. Even little Soekris boxes (embedded 486 133MHz) can do that.
For Gbps, the limiting factor is the NIC and its driver. Some cards/drivers are reported to reach more than 70% of the maximum throughput. The reason they don't (yet) go further is not packet filtering, though.
If you want specific names/models, the mailing list archives contain the reports.
Re:I wonder... (Score:5, Informative)
by hdw (564237) on Tuesday March 30, @03:23PM (#8717364)
I'm running an OpenBSD 3.4 firewall on a PII-400 with a 100Mb/s Internet feed.
And I know that I've reached over 40Mb/s without any sign of problem with the firewall.
So unless you're running lots of IpSec stuff or have a high rate of connects I don't think the firewall (or OpenBSD) will be the problem.
I think the selecting a good NIC is more important.
Re:I wonder... (Score:5, Insightful)
by Homology (639438) on Tuesday March 30, @05:54PM (#8719127)
I wonder how a "little" P2 can filter 40MB/s of packets, when it seems like the same P2 will bog down in other stuff (I'm not talking about a GUI).
Can you explain this?
The grandparent wrote 40Mb/s, like in 40 megabit, and a PII can handle this. However, you should have a good NIC and not one of those pisspoor Realtek ones that offload the work to the CPU.