pfsync & carp on linux


pfsync & carp on linux

by Yiannis Kontekakis

Hello,

I am interested in implementing a load balancing and fail over firewall (with connection tracking support).

Currently the only non-commercial solution that I know to be working is pfsync and carp in BSD unices. If I am not wrong this combination allows load balancing and fail over between x firewalls connected to the same subnet, where the rules added to one firewall are propagated to the rest in the same subnet (pfsync) and the fail over mechanism is implemented by carp. Also as far as I have understood this configuration allows connection tracking information to be shared between the participating firewalls in the above fail over implementation. (If I got it right "connection tracking" means the characteristics - sequence numbers, etc. - that specify a socket.)
As I am accustomed to using Linux (and netfilter), do you know if there is an alternative to the BSD (pfsync & carp) configuration? I tried to "google" this but only got posts before 2005.

Any help would be appreciated. (I would like to hear about a non-commercial/open-source solution.)

Regards

Yiannis

Re: pfsync & carp on linux

by Harald Nesland

Yiannis Kontekakis wrote:

> Hello,
>
> I am interested in implementing a load balancing and fail over firewall(
> _with connection tracking support_ ).
>
>     Currently the only non commercial solution that I know to be
> working, is pfsync and carp in BSD unices. If I am not wrong this
> combination allows load balancing and fail over between x firewalls
> connected to the same subnet, where the rules added to one firewall are
> propagated to the rest in the same subnet (pfsync) and the fail over
> mechanism is implemented by carp. Also as far as I have understood this
> configuration allows connection tracking information to be shared
> between the participating firewalls in the above fail over
> implementation. ( If I got it right "connection tracking" means the
> characteristics - sequence numbers, etc... - that specify a socket ).
>      As I am accustomed in using Linux(and netfilter), do you know if
> there is an alternative in the BSD (pfsync & carp) configuration? I tried
> to "google" this search but only got posts before 2005.
>
> Any help would be appreciated. ( I would like to hear about a non
> commercial/open source solution. )
>
> Regards
>
> Yiannis

Hi,

You should take a look at http://www.keepalived.org/ and VRRP.

However, VRRP is patented, and there's some effort going on to port CARP
to Linux. (http://www.ucarp.org/project/ucarp).

http://tips.linux.com/tips/05/05/10/1436254.shtml?tid=100

Cheers,

--
Harald Nesland

Re: pfsync & carp on linux

by andy ashley

Have a look at :

http://www.pfsense.com/

Yes, I know you said Linux. It uses pf and a stripped-down BSD, but it works amazingly well and has a very usable web frontend for config, making shell access (which is available too) unnecessary.
It does firewalling with firewall rules sync between units, VPNs, IPsec, load balancing, CARP/HA failover, DNS cache, captive portal, and a host of other useful stuff that just works.
It can be booted off compact flash or a disk/RAID and makes a good appliance-type firewall. My uptimes are over 70 days so far on a busy site.

Otherwise ucarp on Linux (I use it on a production DNS cluster - Gentoo Linux) works very well too!

Andy.

Harald Nesland wrote:
> Yiannis Kontekakis wrote:
> > Hello,
> >
> > I am interested in implementing a load balancing and fail over firewall(
> > _with connection tracking support_ ).
> >
> >     Currently the only non commercial solution that I know to be
> > working, is pfsync and carp in BSD unices. If I am not wrong this
> > combination allows load balancing and fail over between x firewalls
> > connected to the same subnet, where the rules added to one firewall are
> > propagated to the rest in the same subnet (pfsync) and the fail over
> > mechanism is implemented by carp. Also as far as I have understood this
> > configuration allows connection tracking information to be shared
> > between the participating firewalls in the above fail over
> > implementation. ( If I got it right "connection tracking" means the
> > characteristics - sequence numbers, etc... - that specify a socket ).
> >      As I am accustomed in using Linux(and netfilter), do you know if
> > there is an alternative in the BSD (pfsync & carp) configuration? I tried
> > to "google" this search but only got posts before 2005.
> >
> > Any help would be appreciated. ( I would like to hear about a non
> > commercial/open source solution. )
> >
> > Regards
> >
> > Yiannis
>
> Hi,
>
> You should take a look at http://www.keepalived.org/ and VRRP.
>
> However, VRRP is patented, and there's some effort going on to port CARP
> to Linux. (http://www.ucarp.org/project/ucarp).
>
> http://tips.linux.com/tips/05/05/10/1436254.shtml?tid=100
>
> Cheers,
>
> --
> Harald Nesland


Re: pfsync & carp on linux

by ed-70

On Wed, 01 Nov 2006 00:21:17 +0200
Yiannis Kontekakis <ykontekakis@...> wrote:

> Hello,
>
> I am interested in implementing a load balancing and fail over
> firewall( with connection tracking support ).
>
>     Currently the only non commercial solution that I know to be
> working, is pfsync and carp in BSD unices. If I am not wrong this
> combination allows load balancing and fail over between x firewalls
> connected to the same subnet, where the rules added to one firewall
> are propagated to the rest in the same subnet (pfsync) and the fail
> over mechanism is implemented by carp. Also as far as I have

pfsync only syncs the state tables. it does not sync pass/block rules or
tables.

> understood this configuration allows connection tracking information
> to be shared between the participating firewalls in the above fail
> over implementation. ( If I got it right "connection tracking" means
> the characteristics - sequence numbers, etc... - that specify a socket
> ).      As I am accustomed in using Linux(and netfilter), do you know

udp is not socket based, even if it does have 'keep state' in the rule,
it still isn't a socket. udp requires both directions of communication
to be included in rules.

> if there is an alternative in the BSD (pfsync & carp) configuration? I
> tried to "google" this search but only got posts before 2005.

what is it that you're doing in linux that you cannot do in BSD? there
really is no substitute for pf/carp in linux, there's some old attempts
at porting it, but if you ask on the openbsd-misc list the general
response is that the kernel is not up to it.

it was only a year or two ago that freebsd got a pf port.

> Any help would be appreciated. ( I would like to hear about a non
> commercial/open source solution. )

let us know what you are trying to do. bsd is a good platform, don't
disregard it.

--
Regards, Ed                      :: http://www.s5h.net
proud unix system person
:%s/Open Source/Free Software/g
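The distinction Ed draws above (pfsync replicates the pf state table, not the ruleset) laid out as a minimal two-node OpenBSD carp/pfsync pair. This is an added example, not configuration posted in the thread; the interface names (em0/em1/em2), the 192.0.2.0/24 addresses and the CARP password are placeholders.

```conf
# Added example (not from the thread): minimal two-node OpenBSD firewall pair.
# Interface names, 192.0.2.0/24 addresses and the CARP password are
# placeholders. Apply the same files on both nodes, changing only the
# node's own address and advskew (the lower advskew wins the MASTER election).

# /etc/hostname.em0          -- node A's own address on the external segment
inet 192.0.2.2 255.255.255.0 NONE

# /etc/hostname.carp0        -- shared virtual address that moves on failover
# node A: advskew 0 (preferred master); node B: advskew 100
inet 192.0.2.1 255.255.255.0 192.0.2.255 vhid 1 carpdev em0 pass REPLACE_WITH_SHARED_SECRET advskew 0

# /etc/hostname.pfsync0      -- state-table replication over a dedicated link
# em2 is a back-to-back link between the two nodes: pfsync traffic is not
# authenticated, so it must not cross a segment other hosts can reach.
up syncdev em2

# /etc/sysctl.conf
net.inet.carp.preempt=1     # let a recovered master take the VIP back
net.inet.ip.forwarding=1

# /etc/pf.conf -- identical copy on BOTH nodes. pfsync does not replicate
# this file; every rule change has to be loaded on each node separately
# (pfctl -f /etc/pf.conf), otherwise the two firewalls enforce different
# policies while sharing one state table.
ext_if  = "em0"
int_if  = "em1"
sync_if = "em2"

set skip on lo
block log all

# control traffic between the two firewalls; (no-sync) keeps these states
# local instead of replicating them to the peer
pass quick on $sync_if proto pfsync keep state (no-sync)
pass on { $ext_if $int_if } proto carp keep state (no-sync)

# ordinary forwarded traffic: these states ARE replicated over pfsync, so an
# established TCP session keeps flowing after the VIP moves to the peer
pass in  on $int_if from $int_if:network to any keep state
pass out on $ext_if from $int_if:network to any keep state
```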