Redundant netfilter gateway

Redundant netfilter gateway

[Patrick Ahler]

I am looking for info on creating a redundant gateway/firewall. I
currently have my network setup with 1 working iptables gateway/firewall
and 1 backup gateway. If the first gateway goes down, I change the IP's
and spoof the MAC addresses (I change the external MAC address because
my internal network is masqueraded through the gateway and just
switching the external IP messes with the arp tables on the router...
That's a whole other issue though) on the backup gateway and it takes
over. This is not redundancy and is dirty. Does anyone have any
suggestions on how to do this better?

Patrick Ahler
Systems Administrator
Vikus Corporation 

Re: Redundant netfilter gateway

[B. McAninch]

Check out KeepAliveD (keepalived.sourceforge.net)- it uses VRRP for
failover. It does not, however, provide /stateful/ firewall failover. 
IIRC, work is (was) being done for Netfilter's own state syncing.

On Thu, 2004-06-17 at 15:52, Patrick Ahler wrote:
> I am looking for info on creating a redundant gateway/firewall. I
> currently have my network setup with 1 working iptables gateway/firewall
> and 1 backup gateway. If the first gateway goes down, I change the IP's
> and spoof the MAC addresses (I change the external MAC address because
> my internal network is masqueraded through the gateway and just
> switching the external IP messes with the arp tables on the router...
> That's a whole other issue though) on the backup gateway and it takes
> over. This is not redundancy and is dirty. Does anyone have any
> suggestions on how to do this better?
> 
> Patrick Ahler
> Systems Administrator
> Vikus Corporation 

-- 
Bryan McAninch
Network Security Engineer
Penson Financial Services, Inc.

Re: Redundant netfilter gateway

[Günter Zimmermann]

Check out OpenBSD with  CARP (the Common Address Redundancy Protocol)  
and pfsync

copied from OpenBSD Site (http://www.openbsd.org/35.html#new):
New tools for filtering gateway failover:

    * CARP (the Common Address Redundancy Protocol) carp(4)
      <http://www.openbsd.org/cgi-bin/man.cgi?query=carp> allows
      multiple machines to share responsibility for a given IP address
      or addresses. If the owner of the address fails, another member of
      the group will take over for it. A discussion of the history of
      CARP can be found here <http://www.openbsd.org/lyrics.html>.
    * Additions to the pfsync(4)
      <http://www.openbsd.org/cgi-bin/man.cgi?query=pfsync> interface
      allow it to synchronise state table entries between two or more
      firewalls which are operating in parallel, allowing stateful
      connections to cross any of the firewalls regardless of where the
      state was initially created.

I think this is the only realy full redundant opensource firewall available.

lg
Günter

B. McAninch schrieb:

>Check out KeepAliveD (keepalived.sourceforge.net)- it uses VRRP for
>failover. It does not, however, provide /stateful/ firewall failover. 
>IIRC, work is (was) being done for Netfilter's own state syncing.
>
>On Thu, 2004-06-17 at 15:52, Patrick Ahler wrote:
>  
>
>>I am looking for info on creating a redundant gateway/firewall. I
>>currently have my network setup with 1 working iptables gateway/firewall
>>and 1 backup gateway. If the first gateway goes down, I change the IP's
>>and spoof the MAC addresses (I change the external MAC address because
>>my internal network is masqueraded through the gateway and just
>>switching the external IP messes with the arp tables on the router...
>>That's a whole other issue though) on the backup gateway and it takes
>>over. This is not redundancy and is dirty. Does anyone have any
>>suggestions on how to do this better?
>>
>>Patrick Ahler
>>Systems Administrator
>>Vikus Corporation 
>>    
>>
>
>  
>

Re: Redundant netfilter gateway

[Primero]

On Thu, 17 Jun 2004 16:52:06 -0400
"Patrick Ahler" <patrick@vikus.com> wrote:


> over. This is not redundancy and is dirty. Does anyone have any
> suggestions on how to do this better?
> 

First of all i never tried what i'm gonna suggest, but you dould document and try it out if you like it :)

When i was documenting about Linux Virtual Server i found very interesting information about redundancy of Firewall with Director funcionts managed with an "Active-Active" solution.

you can take a look at http://www.linuxvirtualserver.org
and http://www.ultramonkey.org/papers/active_active/active_active.shtml
In this configuration the 2 firewalls share the same IP and MAC Address. Then , using a daemon called "saru", they divide the load in two parts and handle them in a load balanced - fault tolerant way.

It seemed very interesting and i think i'm gonna try it as early as i can.

check it out :)

Bye

RE: Redundant netfilter gateway

[Daniel Chemko]

> I think this is the only realy full redundant opensource firewall
> available. 

I've used linux-ha's heartbeatd in the past. I've had mixed results, so I can't recommend it before you try it. It does perform  automatic MAC failover with gratuitous arp's. I used it on a 5 net homed setup and I found issues with the takeover. Maybe a 2 network link would behave better.

SARU I believe was never actually implemented, or at least not yet. The Linux Virtual Server seems to have 'something' but I can't say that I know what it does. The netfilter module listed in their download page seems to indicate that its an active state failover.

Harald Welte is also developing a netfilter failover module, but I haven't heard much of that in the past 6 months.

RE: Redundant netfilter gateway

[Patrick Ahler]

 
I will definitely check out the linux virtual server. I'm surprised
there hasn't been more demand for a netfilter failover module though, I
know I would sleep better at night if there was. =)


Patrick Ahler
Systems Administrator
Vikus Corporation 

M 423.314.8910
W 423.954.3378
F 423.954.3375

RE: Redundant netfilter gateway

[Cedric Blancher]

Le ven 18/06/2004 à 01:50, Patrick Ahler a écrit :
> I'm surprised there hasn't been more demand for a netfilter failover
> module though, I know I would sleep better at night if there was. =)

There's definitly a strong demand. But there's not much offer yet...
Things seems to be on the way.


-- 
http://www.netexit.com/~sid/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!

RE: Redundant netfilter gateway

[KOVACS Krisztian]

  Hi,

2004-06-18, p keltezéssel 01:56-kor Cedric Blancher ezt írta:
> Le ven 18/06/2004 à 01:50, Patrick Ahler a écrit :
> > I'm surprised there hasn't been more demand for a netfilter failover
> > module though, I know I would sleep better at night if there was. =)
> 
> There's definitly a strong demand. But there's not much offer yet...
> Things seems to be on the way.

  Netfilter failover is progressing silently... Harald has done a lot of
work based on my crappy proof-of-concept implementation, and things are
really getting to take off. This week I've spent a few days testing the
code, with somewhat mixed results. Certainly, there are a lot of
problems, It's not usable in its current form. However, I think that the
whole ct_sync code could be fixed and made into a _working_ piece of
long-awaited software in not more than a few weeks, if somebody with
enough knowledge _and_ free time would be able to help Harald. (I plan
to do so if I'll find the time.) Most of the code necessary for basic
synchronization is there, just contains bugs. So, come on dear Netfilter
hackers, we're not that far from providing a solution!

  Moreover, I think that a somewhat more open development model could
help. Currently, only the core ct_sync code can be found in the
Netfilter CVS (I don't know if it's up-to-date), the patchset needed to
be able to even compile the code is missing. (It took me a lot of time
just to gather the patches and make ct_sync compile.) There is not too
much information regarding the basic concepts of the proposed solution,
so publishing an easy-to-test package along with some instructions would
be an absolute must.

-- 
 Regards,
   Krisztian KOVACS

Re: Redundant netfilter gateway

[Luis Pacheco]

Hi KOVACS,

could you make an brief description, what you have done to make it
working ?
Another questions, the libctnetlink is only to syncronize connection
track. And about rules syncronization should it be an issue of
high-avaibility ? 

Best Regards,
Luis Pacheco

________________________________________________________________________
> From: KOVACS Krisztian <hidden@balabit.hu>
> To: Cedric Blancher <blancher@cartel-securite.fr>
> Cc: Patrick Ahler <patrick@vikus.com>, Harald Welte <laforge@netfilter.org>, netfilter@lists.netfilter.org, netfilter-devel <netfilter-devel@lists.netfilter.org>
> Subject: RE: Redundant netfilter gateway
> Date: Fri, 18 Jun 2004 11:56:45 +0200
> 
>   Hi,
> 
> 2004-06-18, p keltezéssel 01:56-kor Cedric Blancher ezt írta:
> > Le ven 18/06/2004 à 01:50, Patrick Ahler a écrit :
> > > I'm surprised there hasn't been more demand for a netfilter failover
> > > module though, I know I would sleep better at night if there was. =)
> > 
> > There's definitly a strong demand. But there's not much offer yet...
> > Things seems to be on the way.
> 
>   Netfilter failover is progressing silently... Harald has done a lot of
> work based on my crappy proof-of-concept implementation, and things are
> really getting to take off. This week I've spent a few days testing the
> code, with somewhat mixed results. Certainly, there are a lot of
> problems, It's not usable in its current form. However, I think that the
> whole ct_sync code could be fixed and made into a _working_ piece of
> long-awaited software in not more than a few weeks, if somebody with
> enough knowledge _and_ free time would be able to help Harald. (I plan
> to do so if I'll find the time.) Most of the code necessary for basic
> synchronization is there, just contains bugs. So, come on dear Netfilter
> hackers, we're not that far from providing a solution!
> 
>   Moreover, I think that a somewhat more open development model could
> help. Currently, only the core ct_sync code can be found in the
> Netfilter CVS (I don't know if it's up-to-date), the patchset needed to
> be able to even compile the code is missing. (It took me a lot of time
> just to gather the patches and make ct_sync compile.) There is not too
> much information regarding the basic concepts of the proposed solution,
> so publishing an easy-to-test package along with some instructions would
> be an absolute must.

Re: Redundant netfilter gateway

[KOVACS Krisztian]

  Hi,

2004-06-21, h keltezéssel 17:12-kor Luis Pacheco ezt írta:
> could you make an brief description, what you have done to make it
> working ?

  You should read Harald's paper on the basic architecture, and have a
look at the second Netfilter Workshop's page, where you can find some
more info on the proof-of-concept implementation.

> Another questions, the libctnetlink is only to syncronize connection
> track. And about rules syncronization should it be an issue of
> high-avaibility ?

  This is a completely unrelated problem, thus it should be solved
administratively. ct_sync is only one low-level component of the
architecture, not even covering the election process of master sites.

-- 
 Regards,
   Krisztian KOVACS