Firewall Failover With pfsync And CARP
Daniel Hartmeier writes "OpenBSD developer Ryan McBride explains the new firewall redundancy features in the upcoming OpenBSD 3.5 release in his article Firewall Failover with pfsync and CARP. CARP (Common Address Redundancy Protocol) is a free alternative to the patent-encumbered VRRP, responsible for electing masters in a firewall cluster, while pfsync synchronizes packet filter state information among nodes. The combination allows replacing single-point-of-failure firewalls with clusters of two (or more) nodes, which continue to filter ongoing and new connections when nodes fail. Additional features like arpbalance allow one to share a single IP address for multiple servers, transparently balancing load among them, and adapting to servers failing. Pre-order for OpenBSD 3.5 has started; CDs will ship May 1st."
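As an added illustration of the setup the article describes (this is example configuration written for this page, not taken from the article or from the OpenBSD project), here is a minimal two-node cluster: each node runs CARP on its external and internal interfaces, pfsync replicates states over a dedicated link, and the pf rule set admits only the cluster protocols on that link. Interface names, the TEST-NET addresses and the CARP password are assumptions; keyword syntax follows current OpenBSD manual pages, which differs slightly from the 3.5-era syntax.

```conf
# --- Both nodes: /etc/sysctl.conf ---
# A node that loses one interface demotes itself, so the peer takes over
# both sides of the firewall together rather than splitting the path.
net.inet.carp.preempt=1

# --- Node A: /etc/hostname.carp0 (external side, preferred master) ---
# Lowest advskew wins the election; 'pass' is the shared secret used to
# authenticate CARP advertisements, so it must match on every node.
inet 192.0.2.1 255.255.255.0 192.0.2.255 vhid 1 pass ExampleCarpSecret advskew 0
# --- Node A: /etc/hostname.carp1 (internal side) ---
inet 198.51.100.1 255.255.255.0 198.51.100.255 vhid 2 pass ExampleCarpSecret advskew 0

# --- Node B: /etc/hostname.carp0 ---
inet 192.0.2.1 255.255.255.0 192.0.2.255 vhid 1 pass ExampleCarpSecret advskew 100
# --- Node B: /etc/hostname.carp1 ---
inet 198.51.100.1 255.255.255.0 198.51.100.255 vhid 2 pass ExampleCarpSecret advskew 100

# --- Both nodes: /etc/hostname.pfsync0 ---
# State updates are sent unencrypted and unauthenticated, so the sync
# interface should be a crossover cable or an isolated VLAN (assumed: em2).
up syncdev em2

# --- Both nodes: /etc/pf.conf (kept identical on each node) ---
ext_if  = "em0"
int_if  = "em1"
sync_if = "em2"

# Allow pfsync only on the dedicated link, and do not replicate the
# states created by the sync traffic itself.
pass quick on $sync_if proto pfsync keep state (no-sync)

# CARP advertisements (IP protocol 112) on the interfaces carrying a vhid.
pass on { $ext_if, $int_if } proto carp keep state (no-sync)

# Ordinary traffic: states created by these rules are replicated to the
# peer, so established connections survive a master change.
pass in  on $int_if inet keep state
pass out on $ext_if inet keep state
```

After a failover, `ifconfig carp0` on each node shows which one is MASTER, and `pfctl -ss` on the backup lists the same connection states as the master.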
That's really cool (Score:2, Informative)
Re:I wonder... (Score:5, Informative)
For Gbps, the limiting factor is the NIC and its driver. Some cards/drivers are reported to reach more than 70% of the maximum throughput. The reason they don't (yet) go further is not packet filtering, though.
If you want specific names/models, the mailing list archives contain the reports.
Re:I wonder... (Score:5, Informative)
And I know that I've reached over 40Mb/s without any sign of problem with the firewall.
So unless you're running lots of IPsec stuff or have a high rate of connects, I don't think the firewall (or OpenBSD) will be the problem.
I think selecting a good NIC is more important.
Re:That's really cool (Score:3, Informative)
Except that our 50,000 USD firewall solution fails to handle state sync (they've got problems enough with rules sync) and the failover works so badly that the dudes that run it have failed over to manual failover.
I've been _soo_ tempted to suggest replacing all the gunk with OpenBSD, since it has all the stuff we need, and it works.
And it is a little bit cheaper.
Re:This is awesome (Score:5, Informative)
For SQL, clustering is much more involved. One client might insert data that must propagate to the other server, or locks across all servers must be obtained, etc. This cannot be done transparently on IP level, the servers themselves must support it.
Search for replication, clustering or redundancy together with postgresql; you'll find erserver [erserver.com] etc. Except for very special cases (like read-only databases), this is way beyond IP level packet filtering ;)
Re:Sad. (Score:4, Informative)
http://www.ucarp.org
/ hdw
Re:I'm a firewall admin amongst other things.. (Score:5, Informative)
If you need a GUI and FW admin is your day job, I have to wonder why you're bothering with FW admin.
I do not need a GUI. My colleagues do not need one either (we previously used PIX... shudder). But when you start dealing with a large number of firewalls (we have over 25 deployed), and not simply firewall rules, but NAT, PAT, authentication and VPNs, having a GUI frontend that ties all that information together and provides it in an easy to manage way is a lot better than grepping and trawling through long configuration files to make additions or changes.
Yes any capable firewall admin should be able to implement rules once they read documentation for ipfilter/iptables/pf/ipfw/etc - but they shouldn't necessarily have to. The people I work with aren't stupid, they just don't want to have to work at the command-line across multiple systems to implement a single rule.
CARP also works on Linux, NetBSD and OpenBSD 3.5 (Score:4, Informative)
Counterpoint: Cisco PIX (Score:4, Informative)
Cisco PIXes are configured the old way through SSH (ok, there's a Web interface, never heard of anyone using it) and they sell pretty well. Cisco does have a (laughable) management solution that includes a GUI but almost nobody uses it as it plainly sucks (simply installing it is a nightmare, plenty of dependencies...). The nice thing is that it provides a nice market for third party solutions to do that job...
So having a GUI is not a prerequisite for enterprise acceptance. Even if being Cisco sure helps...
Interview with Ryan McBride (Score:3, Informative)