Firewall Failover with pfsync and CARP

On most networks, the firewall is a single point of failure.

When the firewall goes down, inside users are unable to surf the web, the website goes dead to the outside world, and email grinds to a halt. Since version 3.5, OpenBSD has included a number of components which can be used to solve this problem, by placing two firewalls in parallel. All traffic passes through the primary firewall; when it fails the backup firewall assumes the identity of the primary firewall, and continues where it left off. Existing connections are preserved, and network traffic continues as if nothing had happened.

47 posted on 02/10/2009 11:21:02 AM PST by Ernest_at_the_Beach (No Burkas for my Grandaughters!)

CARP (the Common Address Redundancy Protocol)

48 posted on 02/10/2009 11:23:34 AM PST by Ernest_at_the_Beach (No Burkas for my Grandaughters!)

To: Ernest_at_the_Beach

CARP is the load balancing. Pfsync lets the firewalls share state tables. If a firewall goes down the other firewall already knows what network traffic was passing and lets it continue.

The newer OpenBSD builds also include pflog which lets you combine your firewall logs into a single stream for traffic analysis and IDS functions, ifstated which lets you do for internal servers what CARP does for firewalls, p0f which pulls OS and application fingerprints out of network traffic, spamd which is the single most effective spam eliminator I've ever seen and OpenBGP which is a fully documented replacement for Cisco's buggy BGP.

Can you tell I like OpenBSD? ;)

50 posted on 02/10/2009 11:39:11 AM PST by Knitebane

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794