Firewall Failover With pfsync And CARP
Daniel Hartmeier writes "OpenBSD developer Ryan McBride explains the new firewall redundancy features in the upcoming OpenBSD 3.5 release in his article Firewall Failover with pfsync and CARP. CARP (Common Address Redundancy Protocol) is a free alternative to the patent-encumbered VRRP, responsible for electing masters in a firewall cluster, while pfsync synchronizes packet filter state information among nodes. The combination allows one to replace single-point-of-failure firewalls with clusters of two (or more) nodes, which continue to filter ongoing and new connections when nodes fail. Additional features like arpbalance allow one to share a single IP address for multiple servers, transparently balancing load among them, and adapting to servers failing. Pre-order for OpenBSD 3.5 has started, CDs will ship May 1st."
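An added illustration, not part of the submission or of McBride's article, of how the two halves fit together on a two-node OpenBSD cluster: CARP owns the shared address and elects the master, pfsync mirrors the state table over a dedicated link, and pf only passes the synchronisation traffic where it belongs. Interface names, addresses and the CARP password are assumptions; OpenBSD 3.5 spelled the pfsync option `syncif`, later releases call it `syncdev`.

```pf
# --- /etc/hostname.carp0 on the primary node (assumed layout) ---
# Shared address clients talk to; vhid 1 identifies the CARP group.
# advskew 0 makes this node win the master election.
inet 192.0.2.1 255.255.255.0 192.0.2.255 vhid 1 pass carp-secret advskew 0

# --- /etc/hostname.carp0 on the backup node ---
# Same vhid and password, higher advskew so it only wins when the primary
# stops advertising.
inet 192.0.2.1 255.255.255.0 192.0.2.255 vhid 1 pass carp-secret advskew 100

# --- /etc/hostname.pfsync0 on both nodes ---
# State inserts/updates/deletes are multicast on a private crossover link
# (fxp2 assumed), never on a production segment.
up syncif fxp2

# --- /etc/sysctl.conf on both nodes ---
# Take over as soon as a better advertisement is heard; with preempt set,
# a failure on one CARP interface demotes all CARP groups on the host,
# so the whole firewall fails over together instead of half of it.
net.inet.carp.preempt=1

# --- /etc/pf.conf excerpt, kept identical on both nodes ---
ext_if  = "fxp0"
int_if  = "fxp1"
sync_if = "fxp2"

# pfsync messages carry no authentication: allow them only on the sync
# link and drop anything claiming to be pfsync on the other interfaces.
pass quick on $sync_if proto pfsync
block in on { $ext_if, $int_if } proto pfsync

# CARP advertisements (IP protocol 112) must pass on every interface that
# carries a shared address, or the backup never hears the master.
pass on { $ext_if, $int_if } proto carp keep state

# Ordinary stateful rules. States created here are mirrored to the peer
# via pfsync, so connections survive a failover without reconnecting.
block in log all
pass out on $ext_if proto tcp from any to any flags S/SA keep state
pass in on $ext_if proto tcp from any to 192.0.2.10 port 80 flags S/SA keep state
```

On the backup, `ifconfig carp0` should report `carp: BACKUP` while the primary is up and `MASTER` after the primary is unplugged; `pfctl -s state` on the backup listing the same states as the primary confirms pfsync is working.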
That's really cool (Score:2, Informative)
Re:That's really cool (Score:3, Informative)
Except that our 50.000USD firewall solution fails to handle state sync (they've got problems enough with rules sync) and the failover works so badly that the dudes that run it have failed over to manual fail over
I've been _soo_ tempted to suggest replacing all the gunk with OpenBSD, since it has all the stuff we need, and it works
And it is a little bit cheaper.
HSRP (Score:4, Interesting)
Re:HSRP (Score:2)
I wonder... (Score:3, Interesting)
Re:I wonder... (Score:5, Informative)
For Gbps, the limiting factor is the NIC and its driver. Some cards/drivers are reported to reach more than 70% of the maximum throughput. The reason they don't (yet) go further is not packet filtering, though.
If you want specific names/models, the mailing list archives contain the reports.
Re:I wonder... (Score:5, Informative)
And I know that I've reached over 40Mb/s without any sign of problem with the firewall.
So unless you're running lots of IpSec stuff or have a high rate of connects I don't think the firewall (or OpenBSD) will be the problem.
I think selecting a good NIC is more important.
Re:I wonder... (Score:1)
can you explain this?
Thanks
Re:I wonder... (Score:5, Insightful)
The grandparent wrote 40Mb/s, as in 40 megabit, and a PII can handle this. However, you should have a good NIC and not one of those pisspoor Realtek cards that offload the work to the CPU.
Re:I wonder... (Score:2, Interesting)
First of all, I said Mb, not MB; call me conservative but I'm used to counting bandwidth in bits, not bytes.
Second, as I stated, check your NIC and the drivers.
It means a lot when it comes to network handling.
(I remember how our old VAX 11/785 reacted when it shared a non-switched net with 2 sparc servers, the poor VAX was down on its knees just by trying to ignore the traffic
And as a wider note, the performance of a system isn't only down to processor speed. There's tons of parameters, b
Mailto link? (Score:1, Offtopic)
The poor bastard is going to be flooded with spam and crap now.
Re:Mailto link? (Score:5, Insightful)
The upside is that after a certain amount of spam received, people get really good at filtering it. That's where the motivation behind some of the anti-spam features in OpenBSD comes from, I guess :)
Re:Mailto link? (Score:1, Troll)
Re:Mailto link? (Score:1)
Spam an ordinary person until they
Re:This is awesome (Score:5, Informative)
For SQL, clustering is much more involved. One client might insert data that must propagate to the other server, or locks across all servers must be obtained, etc. This cannot be done transparently on IP level, the servers themselves must support it.
Search for replication, clustering or redundancy together with postgresql, you'll find erserver [erserver.com] etc. Except for very special cases (like read-only databases), this is way beyond IP level packet filtering ;)
Re:This is awesome (Score:1)
You mean to say CARP, period.
pfsync is for synchronizing firewall state tables.
Sad. (Score:5, Insightful)
Re:Sad. (Score:4, Informative)
http://www.ucarp.org
/ hdw
Re:Sad. (Score:1)
I'm a firewall admin amongst other things.. (Score:3, Insightful)
However, as excellent as this looks, I can only shudder in horror at the thought of migrating any of our existing rulesets across to openbsd/pf, let alone distributed management of policies across several 'clusters' of firewalls we have.
Yes my friends. I'm asking for a GUI. FW Builder [fwbuilder.org] is a good start, but it still needs work (porting to Windows would be a good start). Migration tools from Checkpoint (or other commercial firewalls) would be another good addition.
PS, I ask for Windows support not for my sake, but so that my co-workers would be able to use it. However, this criticism is levelled at FW Builder.
OpenBSD/pf/CARP has provided a brilliant technical starting block, but it needs these additional tools to make inroads into enterprise organisations.
Re:I'm a firewall admin amongst other things.. (Score:5, Informative)
If you need a GUI and FW admin is your day job, I have to wonder why you're bothering with FW admin.
I do not need a GUI. My colleagues do not need one either (we previously used PIX... shudder). But when you start dealing with a large number of firewalls (we have over 25 deployed), and not simply firewall rules, but NAT, PAT, authentication and VPNs, having a GUI frontend that ties all that information up together and provides it in an easy to manage way is a lot better than grepping and trawling through long configuration files to make additions or changes.
Yes any capable firewall admin should be able to implement rules once they read documentation for ipfilter/iptables/pf/ipfw/etc - but they shouldn't necessarily have to. The people I work with aren't stupid, they just don't want to have to work at the command-line across multiple systems to implement a single rule.
Re:I'm a firewall admin amongst other things.. (Score:1)
Re:I'm a firewall admin amongst other things.. (Score:1)
Re:I'm a firewall admin amongst other things.. (Score:5, Insightful)
This is an idiotic comment. I've been a firewall admin for years. I admin CheckPoint, PIX, NetScreen, ipfw, ipf, and pf firewalls.
Have you ever tried to configure a fully meshed VPN topology between 30 sites by hand? Are you really going to sit there and write 900 rules by hand and expect to do it without making a mistake?
What about defining a group of objects on one firewall (say a cluster of web servers) and then going to implement a rule on a different firewall that uses that web server group? With a central GUI, you can define the object once and not worry about changing it in 5 places or making a mistake when you copy it over to another firewall. (Yes this can be done with scripts but if you are going to write a whole management interface, why not stick a GUI on top of it to make browsing rules easier?)
What about when you need to print out the rule sets for a compliance officer or your CEO?
What about when you have 25 firewalls and you forgot to back up the rule set on a firewall that just died. Wouldn't it be nice to have a management box with all the rule sets stored locally?
There are about 50 good reasons to have a GUI and very few reasons not to have one. As long as you can configure the boxes from the command line and the GUI doesn't generate gibberish rules, then it is an excellent addition to a great firewall package.
-sirket
Re:I'm a firewall admin amongst other things.. (Score:2, Insightful)
GUIs can convey more information in less time and do so more accurately than a text based rule set can. If used correctly, it is a valuable asset.
You think apache isn't as good as IIS because they don't have a GUI too? Oh, wait, there are *THOUSANDS* of tools to manage, edit, and distribute text based config files. It's no more difficult to admin dozens of firewalls
Re:I'm a firewall admin amongst other things.. (Score:2, Insightful)
And its not that I am
Re:I'm a firewall admin amongst other things.. (Score:3, Insightful)
No. What he is saying is that unlike you, he is not an idiot. He recognizes how easy it is to make a typo when you have to enter the same rule and object definition on 25 firewalls. He recognizes the security advantages of a simple clean way to view firewall rules to help avoid a mistake in the ruleset.
The biggest information security threat to any company is the arrogance of its admins. Instead of bitching about a GUI a go
Reading isn't that hard. (Score:2, Insightful)
Re:Reading isn't that hard. (Score:3, Insightful)
Re:Reading isn't that hard. (Score:1)
Re:Reading isn't that hard. (Score:2)
When I speak to my colleagues about open source programs, their first questions are on - how easy is it to manage, and how easy is it to deploy. For something that requires configuration changes multiple times a day on multiple servers, responding that "you manage it from the command line" is not a valid option.
This i
Re:I'm a firewall admin amongst other things.. (Score:2, Insightful)
I have no problem understanding pf rules or distribution via scp (or cvs, works very well).
But it's not about understanding pf rules, it's about keeping track of, often hairy, network and system topology, of various security policies and in many cases a horde of users that need authentication (and that forget their PINs, break their tokens,
Counterpoint: Cisco PIX (Score:4, Informative)
Cisco PIXes are configured the old way through SSH (ok, there's a Web interface, never heard of anyone using it) and they sell pretty well. Cisco does have a (laughable) management solution that includes a GUI but almost nobody uses it as it plain sucks (simply installing it is a nightmare, plenty of dependencies...). The nice thing is that it provides a nice market for third party solutions to do that job...
So having a GUI is not a prerequisite for enterprise acceptance. Even if being Cisco sure helps...
Re:Counterpoint: Cisco PIX (Score:3, Interesting)
-sirket
Re:Counterpoint: Cisco PIX (Score:1)
Re:I'm a firewall admin amongst other things.. (Score:1)
CARP also works on Linux, NetBSD and OpenBSD 3.5 (Score:4, Informative)
Re:CARP also works on Linux, NetBSD and OpenBSD 3. (Score:2)
But supposedly it doesn't matter, because netfilter doesn't have TCP window tracking.
And because existing connections are considered new by netfilter, it should work in theory (if you allow new connections, for all the established-connections).
Balancing won't work however, because UCARP doesn't do that, if I understand it correctly.
As there is no replication, rules should be replicated another way (somethi
CARP/pf song for 3.5 Release (Score:5, Interesting)
Interview with Ryan McBride (Score:3, Informative)