Re: pf/carp for redundant production use
The firewall failover works pretty well as long as the traffic from an internal
machine to an outside machine is not a continuous TCP stream. An example TCP
stream is ssh or telnet. So if I am only web surfing, which is HTTP
traffic, and I remove the cable from either the internal or external interface
of the master firewall, the browsing will not be affected. All my traffic is
immediately handled by the backup firewall. Also, from an outside machine
that connects to an internal machine via that redundant firewall, the TCP
stream traffic does not get disconnected, which is awesome.
So, I was hoping that pf would behave the same, but unfortunately it's pf's
weakness for now that it cannot handle NAT well (quote from the guy in #pf
> Michiel van Baak writes:
> On 07:30, Sun 25 Sep 05, Neil wrote:
>> Yep, the same behavior when the master dies. The solution that the person
>> in #pf told me is use routing but I don't know how to implement. He told me
>> that it's an issue in pf's NAT.
> Does this mean you cannot failover an office NAT firewall ?
> Pretty useless then if you ask me
> Michiel van Baak
> GnuPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x7E0B9A2D
> "Why is it drug addicts and computer aficionados are both called users?"