How to replicate the fire - HA for netfilter-based firewalls.

With traditional, stateless firewalling (such as ipfwadm, ipchains) there is
no need for special HA support in the firewalling subsystem. As long as all
packet filtering rules and routing table entries are configured in exactly the
same way, one can use any available tool for IP address takeover to accomplish
the goal of failing over from one node to the other.

With Linux 2.4.x netfilter/iptables, the Linux firewalling code moves beyond
traditional packet filtering. Netfilter provides a modular connection tracking
subsystem which can be employed for stateful firewalling. The connection
tracking subsystem gathers information about the state of all current network
flows (connections). Packet filtering decisions and NAT information are
associated with this state information.

In a high availability scenario, this connection tracking state needs to be
replicated from the currently active firewall node to all standby slave
firewall nodes. Only when all connection tracking state is replicated will the
slave node have all the necessary state information at the time a failover
event occurs.

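The contrast between the two cases above (stateless rules that need nothing replicated, and stateful rules that break after IP address takeover unless the connection tracking table was copied to the standby node) can be shown with a toy model. The following is an added example for this abstract, not code from the netfilter project and not a model of its real data structures: the 5-tuple keyed table, the rule set, the 10.0.0.0/8 "protected" network, the addresses and ports are all constructed for the illustration, and replicate_to is a plain dictionary copy standing in for whatever replication protocol the project ends up using.

```python
"""Toy model of firewall failover with and without connection tracking state.

Added illustration; it is not netfilter code and does not touch the real
conntrack subsystem. Addresses, ports, the protected network prefix and the
rule set are constructed for the example.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class FlowKey:
    """Original-direction tuple that identifies a flow in the tracking table."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "FlowKey":
        return FlowKey(self.proto, self.dst, self.dport, self.src, self.sport)


@dataclass(frozen=True)
class Packet:
    key: FlowKey
    syn: bool = False  # TCP SYN marks the first packet of a new connection


PROTECTED_NET = "10."  # constructed: the network behind the firewall


def stateless_filter(pkt: Packet) -> str:
    """ipchains-style rules: no memory of earlier packets, so the rule set must
    statically permit both directions of the traffic it wants to allow."""
    if pkt.key.src.startswith(PROTECTED_NET) and pkt.key.dport == 80:
        return "ACCEPT"  # outbound web requests
    if pkt.key.dst.startswith(PROTECTED_NET) and pkt.key.sport == 80:
        return "ACCEPT"  # replies, whether or not anybody asked for them
    return "DROP"


@dataclass
class StatefulNode:
    """A firewall node holding its own connection tracking table."""
    name: str
    conntrack: dict = field(default_factory=dict)  # FlowKey -> state

    def filter(self, pkt: Packet) -> str:
        if pkt.key in self.conntrack or pkt.key.reverse() in self.conntrack:
            return "ACCEPT"  # ESTABLISHED in iptables terms
        if pkt.syn and pkt.key.src.startswith(PROTECTED_NET):
            self.conntrack[pkt.key] = "NEW"  # state for a new outbound connection
            return "ACCEPT"
        return "DROP"  # unsolicited inbound, or a non-SYN packet with no state

    def replicate_to(self, standby: "StatefulNode") -> None:
        """Copy the whole table to a standby node: the replication step the
        abstract describes, reduced to a dictionary copy."""
        standby.conntrack = dict(self.conntrack)


def run_failover(replicate: bool) -> list:
    """Open a connection through the active node, fail over to the standby,
    then let the server's reply arrive at the newly active node."""
    active, standby = StatefulNode("fw1"), StatefulNode("fw2")
    request = Packet(FlowKey("tcp", "10.0.0.5", 40000, "203.0.113.10", 80), syn=True)
    reply = Packet(request.key.reverse())

    verdicts = [active.filter(request)]
    if replicate:
        active.replicate_to(standby)
    # IP address takeover: fw2 now receives all traffic, fw1 is gone.
    verdicts.append(standby.filter(reply))
    return verdicts


def run_stateless_failover() -> list:
    """Same scenario with stateless rules: there is no state to replicate, so
    the verdict does not depend on which node sees the reply."""
    request = Packet(FlowKey("tcp", "10.0.0.5", 40000, "203.0.113.10", 80), syn=True)
    reply = Packet(request.key.reverse())
    return [stateless_filter(request), stateless_filter(reply)]


if __name__ == "__main__":
    print("stateless:          ", run_stateless_failover())
    print("stateful, no sync:  ", run_failover(replicate=False))
    print("stateful, with sync:", run_failover(replicate=True))
```

Without replication the reply to a connection opened through fw1 is dropped by fw2 as unsolicited inbound traffic, which is exactly the established-connection loss that IP address takeover alone cannot prevent once filtering decisions depend on tracked state. The stateless variant passes the reply on either node, but only because its rules have to admit every packet with source port 80, which is the weakness stateful filtering was introduced to remove.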
netfilter/iptables does not currently have any functionality for
replicating connection tracking state across multiple nodes. However,
the author of this presentation, Harald Welte, has started a project for
connection tracking state replication with netfilter/iptables.

The presentation will cover the architectural design and implementation
of the connection tracking failover system. Given the date of the
conference, the project is expected to still be a work in progress at
that time.