Slashdot Mirror

← Back to Stories (view on slashdot.org)

Firewall Failover With pfsync And CARP

Posted by timothy on from the careful-acronym-arrangment dept.

Daniel Hartmeier writes "OpenBSD developer Ryan McBride explains the new firewall redundancy features in the upcoming OpenBSD 3.5 release in his article Firewall Failover with pfsync and CARP. CARP (Common Address Redundancy Protocol) is a free alternative to the patent-encumbered VRRP, responsible for electing masters in a firewall cluster, while pfsync syncronizes packet filter state information among nodes. The combination allows to replace single-point-of-failure firewalls with clusters of two (or more) nodes, which continue to filter ongoing and new connections when nodes fail. Additional features like arpbalance allow one to share a single IP address for multiple servers, transparently balancing load among them, and adapting to servers failing. Pre-order for OpenBSD 3.5 has started, CDs will ship May 1st."

5 of 60 comments (clear)

  1. Re:Mailto link? by dhartmei · · Score: 5, Insightful
    @openbsd.org addresses are already readily available for harvesters through cvsweb, mailing list archives and usenet gates, putting one in a /. posting couldn't make things any worse.

    The upside is that after a certain amount of spam received, people get really good at filtering it. That's where the motivation behind some of the anti-spam features in OpenBSD comes from, I guess :)

  2. Re:I wonder... by dhartmei · · Score: 5, Informative
    Filtering ordinary traffic (not extreme test-cases of minimal packets, average number of packets/connection) statefully at 100Mbps doesn't require much hardware. Even little Soekris boxes (embedded 486 133MHz) can do that.

    For Gbps, the limiting factor is the NIC and its driver. Some cards/drivers are reported to reach more than 70% of the maximum throughput. The reason they don't (yet) go further is not packet filtering, though.

    If you want specific names/models, the mailing list archives contain the reports.

  3. Re:I wonder... by hdw · · Score: 5, Informative

    I'm running an OpenBSD 3.4 firewall on a PII-400 with a 100Mb/s Internet feed.

    And I know that I've reached over 40Mb/s without any sign of problem with the firewall.

    So unless you're running lots of IpSec stuff or have a high rate of connects I don't think the firewall (or OpenBSD) will be the problem.

    I think the selecting a good NIC is more important. // hdw

    --
    Executive Pope (small) Kallisti Engineering
  4. Re:This is awesome by dhartmei · · Score: 5, Informative
    What CARP/pfsync does is transparent balancing on IP level. Each client connection is redirected to an arbitrary available server. This works for applications where each server can independantly handle a client request, like serving stateless HTTP or DNS from multiple servers.

    For SQL, clustering is much more involved. One client might insert data that must propagate to the other server, or locks across all servers must be obtained, etc. This cannot be done transparently on IP level, the servers themselves must support it.

    Search for replication, clustering or redundancy together with postgresql, you'll find erserver etc. Except for very special cases (like read-only databases), this way beyond IP level packet filtering ;)

  5. CARP/pf song for 3.5 Release by RupertJ · · Score: 5, Interesting

    In keeping with OpenBSD's promo songs, the 3.5 release features a Monty Python-style sketch and song about CARP/pf and VRRP etc. Very funny stuff indeed. Lyrics and links to download the songs in MP3/OGG format at http://www.openbsd.org/lyrics.html