OpenBSD Firewall Failover with pfsync and CARP

OpenBSD Firewall Failover with pfsync and CARP

[Herve Eychenne]

 Hi,

This is not stricly netfilter related, but it might be of some
interest for those who are working on this issue for Linux.
It's always good to stay tuned and see what others are doing.

OpenBSD Firewall Failover with pfsync and CARP:
http://www.countersiege.com/doc/pfsync-carp/

UCARP - Common Address Redundancy Protocol (CARP) for Unix:
http://www.ucarp.org/

 Herve

-- 
 _
(°=  Hervé Eychenne
//)
v_/_ WallFire project:  http://www.wallfire.org/

Re: OpenBSD Firewall Failover with pfsync and CARP, Netfilter solutions?

[Pasi Kärkkäinen]

On Tue, Mar 30, 2004 at 05:30:08PM +0200, Herve Eychenne wrote:
>  Hi,
> 
> This is not stricly netfilter related, but it might be of some
> interest for those who are working on this issue for Linux.
> It's always good to stay tuned and see what others are doing.
> 
> OpenBSD Firewall Failover with pfsync and CARP:
> http://www.countersiege.com/doc/pfsync-carp/
> 
> UCARP - Common Address Redundancy Protocol (CARP) for Unix:
> http://www.ucarp.org/
> 

I noticed this one too.. I'm wondering, if there is same functionality
available for Linux ?

ucarp runs on Linux too, as does vrrp, but the pfsync-part seems to be
missing.. ?

Is there any way to synchronize the state tables of two Linux/Netfilter
boxes?

box1: cat /proc/net/ip_conntrack > file
box2: cat file > /proc/net/ip_conntrack

That would be a good start.. :)

-- Pasi Kärkkäinen
       
                                   ^
                                .     .
                                 Linux
                              /    -    \
                             Choice.of.the
                           .Next.Generation.

Re: OpenBSD Firewall Failover with pfsync and CARP, Netfilter solutions?

[Cedric Blancher]

Le dim 04/04/2004 à 12:18, Pasi Kärkkäinen a écrit :
> I noticed this one too.. I'm wondering, if there is same functionality
> available for Linux ?

Not yet.

> ucarp runs on Linux too, as does vrrp, but the pfsync-part seems to be
> missing.. ?

It's pf specific. pf runs on BSD, not on Linux, the same way Netfilter
is specific to Linux.

> Is there any way to synchronize the state tables of two Linux/Netfilter
> boxes?

Harald seems to be working hard on this (libnfnetlink/libctnetlink). See
CVS.

-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!

Re: OpenBSD Firewall Failover with pfsync and CARP, Netfilter solutions?

[Pasi Kärkkäinen]

On Sun, Apr 04, 2004 at 12:25:50PM +0200, Cedric Blancher wrote:
> Le dim 04/04/2004 à 12:18, Pasi Kärkkäinen a écrit :
> > I noticed this one too.. I'm wondering, if there is same functionality
> > available for Linux ?
> 
> Not yet.
> 
> > ucarp runs on Linux too, as does vrrp, but the pfsync-part seems to be
> > missing.. ?
> 
> It's pf specific. pf runs on BSD, not on Linux, the same way Netfilter
> is specific to Linux.
> 

Yep, I know this. Maybe I should have said "pfsync like thing for netfilter"
instead of "pfsync-part" :)

> > Is there any way to synchronize the state tables of two Linux/Netfilter
> > boxes?
> 
> Harald seems to be working hard on this (libnfnetlink/libctnetlink). See
> CVS.
> 

OK. Nice. I'll check the CVS. Any ideas about the current status of this
work?

-- Pasi Kärkkäinen
       
                                   ^
                                .     .
                                 Linux
                              /    -    \
                             Choice.of.the
                           .Next.Generation.