Firewall Failover With pfsync And CARP
Daniel Hartmeier writes "OpenBSD developer Ryan McBride explains the new firewall redundancy features in the upcoming OpenBSD 3.5 release in his article Firewall Failover with pfsync and CARP. CARP (Common Address Redundancy Protocol) is a free alternative to the patent-encumbered VRRP, responsible for electing masters in a firewall cluster, while pfsync synchronizes packet filter state information among nodes. The combination makes it possible to replace single-point-of-failure firewalls with clusters of two (or more) nodes, which continue to filter ongoing and new connections when nodes fail. Additional features like arpbalance allow one to share a single IP address for multiple servers, transparently balancing load among them, and adapting to servers failing. Pre-order for OpenBSD 3.5 has started, CDs will ship May 1st."
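The pieces the article describes (a shared CARP address with a master election, pfsync state replication over a dedicated link, and pf rules that let both protocols through) map onto a small set of OpenBSD files. The script below is an added example, not code from the article or from OpenBSD; it emits those files for either node of a two-node cluster. Interface names, the RFC 5737 addresses, the vhid and the CARP password are placeholders, and the syntax is current hostname.if(5)/pf.conf(5) (OpenBSD 3.5 spelled pfsync's sync interface option "syncif" where today's pfsync(4) uses "syncdev").

```shell
#!/bin/sh
# Added example (not from the article or the thread): emit per-node config for a
# two-node pf/CARP/pfsync cluster. All names and addresses are placeholders.

VHID=${VHID:-1}                       # virtual host id, identical on both nodes
CARP_PASS=${CARP_PASS:-change-me}     # shared secret that signs CARP advertisements
EXT_IF=${EXT_IF:-em0}                 # interface carrying the shared address
SYNC_IF=${SYNC_IF:-em2}               # dedicated crossover link for pfsync
SHARED_IP=${SHARED_IP:-192.0.2.1}     # address clients and routers actually use
NETMASK=${NETMASK:-255.255.255.0}
BCAST=${BCAST:-192.0.2.255}

# advskew decides the election: the node advertising with the lowest skew
# becomes master. 0 on the primary, 100 on the backup. With
# net.inet.carp.preempt=1 the primary takes the address back when it returns.
advskew_for() {
    case $1 in
        primary) echo 0 ;;
        backup)  echo 100 ;;
        *) echo "unknown role: $1" >&2; return 1 ;;
    esac
}

# /etc/hostname.carp0 for the given role (primary|backup).
carp_config() {
    skew=$(advskew_for "$1") || return 1
    echo "inet $SHARED_IP $NETMASK $BCAST vhid $VHID pass $CARP_PASS carpdev $EXT_IF advskew $skew"
}

# /etc/hostname.pfsync0, the same on both nodes. An optional peer address
# switches pfsync from multicast on the sync link to unicast to that peer.
pfsync_config() {
    if [ -n "$1" ]; then
        echo "up syncdev $SYNC_IF syncpeer $1"
    else
        echo "up syncdev $SYNC_IF"
    fi
}

# pf.conf fragment: pass CARP and pfsync, and keep the states these rules
# create out of the replication stream (no-sync), so the peers do not
# sync their own sync traffic back and forth.
pf_rules() {
    cat <<EOF
ext_if = "$EXT_IF"
sync_if = "$SYNC_IF"
pass quick on \$sync_if proto pfsync keep state (no-sync)
pass on \$ext_if proto carp keep state (no-sync)
EOF
}

# Write the files for one node into a directory (default /etc).
# Usage: write_node primary /etc [peer-ip]
write_node() {
    role=$1; dir=${2:-/etc}
    carp_config "$role" > "$dir/hostname.carp0" || return 1
    pfsync_config "$3" > "$dir/hostname.pfsync0"
    pf_rules > "$dir/pf.conf.carp"
    echo "net.inet.carp.preempt=1" > "$dir/sysctl.conf.carp"
}
```

Run it once per node with the role changed and merge pf.conf.carp into the real ruleset; the only line that differs between the two boxes is the advskew in hostname.carp0, which is exactly the knob that decides who is master.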
Re:Mailto link? (Score:5, Insightful)
The upside is that after a certain amount of spam received, people get really good at filtering it. That's where the motivation behind some of the anti-spam features in OpenBSD comes from, I guess :)
Sad. (Score:5, Insightful)
Re:I wonder... (Score:5, Insightful)
The grandparent wrote 40Mb/s, as in 40 megabits, and a PII can handle this. However, you should have a good NIC and not one of those piss-poor Realteks that offload the work to the CPU.
I'm a firewall admin amongst other things.. (Score:3, Insightful)
However, as excellent as this looks, I can only shudder in horror at the thought of migrating any of our existing rulesets across to openbsd/pf, let alone distributed management of policies across several 'clusters' of firewalls we have.
Yes my friends. I'm asking for a GUI. FW Builder [fwbuilder.org] is a good start, but it still needs work (porting to Windows would be a good start). Migration tools from Checkpoint (or other commercial firewalls) would be another good addition.
PS, I ask for Windows support not for my sake, but so that my co-workers would be able to use it. However, this criticism is levelled at FW Builder.
OpenBSD/pf/CARP has provided a brilliant technical starting block, but it needs these additional tools to make inroads into enterprise organisations.
Re:I'm a firewall admin amongst other things.. (Score:2, Insightful)
I have no problem understanding pf rules or distribution via scp (or cvs, works very well).
But it's not about understanding pf rules, it's about keeping track of, often hairy, network and system topology, of various security policies and in many cases a horde of users that need authentication (and that forget their PINs, break their tokens, move between sites
All perfectly possible to handle by editing the rules by hand and pushing them out with scp, but only together with hordes of other docs keeping track of all the needed fluff.
Then add that changes to the ruleset should be fully traceable and often have to pass through several pairs of hands and eyes before we even reach the firewall admin. So we really need something easier on the eye than pf rules.
A good, database-driven firewall admin GUI is a very good thing, and is a vital part of enterprise security.
Any enterprise which hires network or firewall admin staff who can't understand pf.conf after reading the fine docco, needs to look into why their hiring policies are such a failure, so as to allow them to hire a fraud.
Oh, come on, step down to the land of the living.
People get shifted around at every reorganisation, suddenly all security is in one global department, 6 months later it's back to the local sites, then it's outsourced, then it's insourced again and 'firewall admins' aren't just carefully selected high profile security pros, they come from all over the place.
ps.
I think I'll go back and look at one of my old projects again, OpenBSD/pf/altq/carp is really getting ready for primetime.
ds.
Re:I'm a firewall admin amongst other things.. (Score:5, Insightful)
This is an idiotic comment. I've been a firewall admin for years. I admin CheckPoint, PIX, NetScreen, ipfw, ipf, and pf firewalls.
Have you ever tried to configure a fully meshed VPN topology between 30 sites by hand? Are you really going to sit there and write 900 rules by hand and expect to do it without making a mistake?
What about defining a group of objects on one firewall (say a cluster of web servers) and then going to implement a rule on a different firewall that uses that web server group? With a central GUI, you can define the object once and not worry about changing it in 5 places or making a mistake when you copy it over to another firewall. (Yes this can be done with scripts but if you are going to write a whole management interface, why not stick a GUI on top of it to make browsing rules easier?)
What about when you need to print out the rule sets for a compliance officer or your CEO?
What about when you have 25 firewalls and you forgot to back up the rule set on a firewall that just died. Wouldn't it be nice to have a management box with all the rule sets stored locally?
There are about 50 good reasons to have a GUI and very few reasons not to have one. As long as you can configure the boxes from the command line and the GUI doesn't generate gibberish rules, then it is an excellent addition to a great firewall package.
-sirket
Re:I'm a firewall admin amongst other things.. (Score:3, Insightful)
No. What he is saying is that unlike you, he is not an idiot. He recognizes how easy it is to make a typo when you have to enter the same rule and object definition on 25 firewalls. He recognizes the security advantages of a simple clean way to view firewall rules to help avoid a mistake in the ruleset.
The biggest information security threat to any company is the arrogance of its admins. Instead of bitching about a GUI a good firewall admin would welcome additional tools to help manage his or her firewalls. As long as the GUI doesn't stop you from editing rules by hand, why not make use of its ability to display your rules in a different way?
-sirket
Reading isn't that hard. (Score:2, Insightful)
Re:I'm a firewall admin amongst other things.. (Score:2, Insightful)
GUIs can convey more information in less time and do so more accurately than a text-based rule set can. If used correctly, it is a valuable asset.
You think apache isn't as good as IIS because they don't have a GUI too? Oh, wait, there are *THOUSANDS* of tools to manage, edit, and distribute text-based config files. It's no more difficult to admin dozens of firewalls than it is to admin dozens of webservers.
Yeah, because web servers and firewalls have lots of things in common. I am constantly making changes to my web server configuration (hasn't changed in over a year) whereas I am never asked to change my firewall configuration (3 times this week by one customer). You may be so arrogant as to believe you never make a mistake. I am not so deluded. I write my rule sets using the config files and I use the GUI to verify the changes. Other times I use the GUI to lay the groundwork for a more complex rule set and then I edit the resulting rules by hand to get exactly what I want. Ever try writing CheckPoint rules without the editor? I used to do it all the time but I always checked them with the GUI to be sure they were right.
No one here is talking about creating your typical useless Windows GUI. Ever use the Borderware firewall GUI? It was a masterpiece.
A GUI editor is a tool, and when used right it makes you more efficient. I can't help it if you have your head so far up your ass you can't recognize a good thing when you see it.
-sirket
Re:Reading isn't that hard. (Score:3, Insightful)
As long as the GUI doesn't prevent you from editing the raw rules, then it should be a welcome addition to any admin's toolkit.
I am saying the parent poster is dumb for complaining about the lack of a GUI, when he hasn't even bothered to learn how the thing works, to see if he even needs one.
You don't know anything about the parent poster. You've never met him and you don't know what he or she knows and doesn't know. For all you know you've been insulting Bill Cheswick. Or perhaps he is just one of the many overworked admins out there who would like to see a tool that would make his job just a tiny bit quicker so that he can go home on time and actually see his family before sunset.
-sirket
Re:I'm a firewall admin amongst other things.. (Score:2, Insightful)
And it's not that I am so arrogant that I never make a mistake, it's that I *test* changes to see if they work: the new ruleset is applied for 30 seconds to see if it works, and automatically reverted to the old rule set after that. If it did work, I update it for real. A GUI isn't going to help with this.
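The "apply it for 30 seconds, then revert unless it worked" routine in the comment above is the firewall equivalent of a dead man's switch: a rule that locks you out undoes itself before you have to drive to the console. The script below is an added example, not the commenter's own script or part of pf; it assumes pfctl(8) is on the path (PFCTL can point at a wrapper, which the test uses), and the file paths are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): stage a pf ruleset with automatic revert.
# Assumes pfctl(8); PFCTL, HOLD and STATE can be overridden from the environment.

PFCTL=${PFCTL:-pfctl}
HOLD=${HOLD:-30}                        # seconds before the automatic revert
STATE=${STATE:-/var/run/pf-staged}      # pid of the armed revert timer

# Step 1: parse the candidate without loading it (pfctl -n). Catches syntax
# errors; it does not catch a rule that cuts off your own ssh session,
# which is what the timer below is for.
check_ruleset() {
    "$PFCTL" -nf "$1"
}

# Step 2: load the candidate, then arm a background timer that reloads the
# known-good ruleset after $HOLD seconds. Leaves pf untouched and returns 1
# if the candidate does not parse or fails to load.
stage_ruleset() {
    good=$1; candidate=$2
    check_ruleset "$candidate" || return 1
    "$PFCTL" -f "$candidate" || return 1
    (
        sleep "$HOLD"
        "$PFCTL" -f "$good"              # revert: nobody confirmed in time
        rm -f "$STATE"
    ) &
    echo $! > "$STATE"
}

# Step 3: if you can still reach the box, confirm before the timer fires.
# Kills the timer (the sleep's parent dies, so the revert never runs) and
# promotes the candidate to the known-good file. Returns 1 if nothing is
# staged or the revert has already happened.
commit_ruleset() {
    good=$1; candidate=$2
    [ -f "$STATE" ] || return 1
    kill "$(cat "$STATE")" 2>/dev/null || true
    rm -f "$STATE"
    cp "$candidate" "$good"
}

# Usage, from a session on the firewall:
#   stage_ruleset /etc/pf.conf /etc/pf.conf.new
#   (open a fresh connection from another host to prove you still can)
#   commit_ruleset /etc/pf.conf /etc/pf.conf.new
```

Test the staged ruleset from a new connection, not the one you already hold: an established session is matched by an existing state entry and will keep working even if the new rules would have blocked it.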