Firewall Failover With pfsync And CARP

Daniel Hartmeier writes "OpenBSD developer Ryan McBride explains the new firewall redundancy features in the upcoming OpenBSD 3.5 release in his article Firewall Failover with pfsync and CARP. CARP (Common Address Redundancy Protocol) is a free alternative to the patent-encumbered VRRP, responsible for electing masters in a firewall cluster, while pfsync synchronizes packet filter state information among nodes. The combination allows one to replace single-point-of-failure firewalls with clusters of two (or more) nodes, which continue to filter ongoing and new connections when nodes fail. Additional features like arpbalance allow one to share a single IP address for multiple servers, transparently balancing load among them, and adapting to servers failing. Pre-order for OpenBSD 3.5 has started; CDs will ship May 1st."
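A minimal two-node setup of the kind the summary describes, added here as an illustration and not taken from McBride's article or from OpenBSD's own documentation; the interface names (fxp0, fxp1), the 192.168.1.0/24 network and the shared secret are constructed, and the keyword names follow current OpenBSD ifconfig (the spelling of some keywords in 3.5 differed).

```conf
# Node A (preferred master). Node B is identical except for advskew (see end).

# /etc/hostname.carp0 : the shared address clients and routers point at.
# vhid identifies the redundancy group; `pass` is the shared secret CARP uses
# to authenticate advertisements (HMAC), so a host without it cannot be
# elected master; advskew 0 makes this node the preferred master.
inet 192.168.1.1 255.255.255.0 192.168.1.255 vhid 1 pass ExampleSecret advskew 0

# /etc/hostname.pfsync0 : replicate pf state table changes to the peer.
# pfsync messages carry no authentication, so the sync interface must be a
# dedicated, physically isolated link (a crossover cable between the nodes).
up syncdev fxp1

# /etc/pf.conf (relevant part)
ext_if  = "fxp0"
sync_if = "fxp1"

# CARP advertisements (IP protocol 112) must be able to reach the peer,
# otherwise both nodes believe they are master.
pass on $ext_if proto carp

# pfsync (IP protocol 240) only on the dedicated sync link ...
pass on $sync_if proto pfsync
# ... and, as defence in depth, never on a shared segment, where any host
# could otherwise inject or observe state entries.
block on $ext_if proto pfsync

# Only state-table entries are replicated: every flow that must survive a
# failover needs `keep state`, which in 3.5 is not the default.
pass out on $ext_if all keep state
pass in  on $ext_if proto tcp from any to any port 80 keep state

# Node B, /etc/hostname.carp0: same vhid and secret, higher advskew so it
# only takes over when A's advertisements stop arriving.
# inet 192.168.1.1 255.255.255.0 192.168.1.255 vhid 1 pass ExampleSecret advskew 100
```

On a failover the backup's carp0 announces the shared MAC and takes the address, and because its state table already mirrors the master's, established connections keep passing the filter without being re-evaluated.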
  • HSRP (Score:4, Interesting)

    by bolix ( 201977 ) <bolix.hotmail@com> on Tuesday March 30, 2004 @10:30AM (#8713503)
    I love sniffing the Cisco equivalent to CARP. Lots of HSRP calls to 224.0.0.224 with no security built in. A simple ARP poison will fuck the switch. More advanced attack methods can be found c/o Phenoelit [phenoelit.de]
  • I wonder... (Score:3, Interesting)

    by Yarn ( 75 ) on Tuesday March 30, 2004 @11:23AM (#8714065)
    What hardware would I need to do this on my 1000SX uplink? Admittedly, I've only peaked at 80Mbit/s so far, but I think even handling that will take some beefy hardware.
  • Re:I wonder... (Score:2, Interesting)

    by hdw ( 564237 ) on Tuesday March 30, 2004 @06:20PM (#8719399)
    yup, I can.

    First of all, I said Mb, not MB; call me conservative, but I'm used to counting bandwidth in bits, not bytes.

    Second, as I stated, check your NIC and the drivers.
    It means a lot when it comes to network handling.

    (I remember how our old VAX 11/785 reacted when it shared a non-switched net with 2 sparc servers; the poor VAX was down on its knees just by trying to ignore the traffic :)).

    And as a wider note, the performance of a system isn't only down to processor speed. There's tons of parameters, both hard and soft, that come into play.

    Figuring out _what_ parameter to fiddle with is regarded as voodoo :)

    / hdw

    ps
    No, I'm no speed guru, neither did I wave a dead chicken and dance backwards while installing that firewall.
    I asked for a raw Internet feed to the labnet, and at that time we didn't have anything less than 100Mb/s to hand out. And the server played it nice.
    ds.
  • by RupertJ ( 520598 ) on Wednesday March 31, 2004 @08:28AM (#8724084)
    In keeping with OpenBSD's promo songs, the 3.5 release features a Monty Python-style sketch and song about CARP/pf and VRRP etc. Very funny stuff indeed. Lyrics and links to download the songs in MP3/OGG format at http://www.openbsd.org/lyrics.html [openbsd.org]
  • by sirket ( 60694 ) on Wednesday March 31, 2004 @09:29PM (#8732203)
    I configure PIXes all day long and I love the simplicity of a PIX config file. That said, Cisco has been losing market share for years because they don't have a GUI. Ever try to set up a ton of VPNs through the command line? Doable? Certainly. Fun? Not a chance.

    -sirket
