Failover Firewalls with OpenBSD and CARP

2009-05-13 07:23:35, source: unknown


Jason Dixon
Firewalls are a required component in commercial and residential computer networks. For many installations, the firewall is a single point of failure between client systems and external resources. It can also become a liability when hardware or applications fail, leaving potential customers unable to reach your servers. A properly designed and executed failover configuration for your primary firewall will address many of these concerns. This article introduces a proven method for installing redundant stateful firewalls using native OpenBSD features.
The OpenBSD project is known for creating a leading secure Unix-like operating system. They have always emphasized software robustness and security, while ensuring their code remains free for all purposes under the BSD license. A number of exciting features have been introduced to OpenBSD due to licensing disagreements. Many BSD users are familiar with the rift between Darren Reed (the creator of IPFilter) and the OpenBSD developers. A change in the IPFilter license resulted in the rapid development of the OpenBSD PF firewall software. Not only is PF a competitor to expensive proprietary offerings, it is so successful that it has been ported to both FreeBSD and NetBSD distributions.
Within the past two years, OpenBSD recognized the need to support failover between OpenBSD firewalls. The pfsync protocol was completed, which sends state change messages via multicast over the pfsync interface. Using a secure connection (a crossover cable between systems is suggested), pfsync will notify other OpenBSD firewalls of changes to the local state table. If other firewalls are listening for the pfsync packets, they will update their own state tables with these announcements. This feature allows sessions to fail over gracefully without losing connectivity or raising alerts in the firewall, providing the basic features required for stateful redundancy. However, the ability to fail over dynamically to the stateful partners was still unavailable.
The Birth of CARP
The Virtual Router Redundancy Protocol (VRRP) eliminates the single point of failure in a static network by assigning a virtual gateway between multiple physical routers. This allows two or more routers to cooperate as a dynamic gateway; one will perform as the "master", while the other system waits as a "backup". If the master becomes unavailable, the backup will begin advertising itself as the master, allowing traffic to continue uninterrupted over the new physical path. Unfortunately, although VRRP is an IETF-standard protocol, it is also encumbered by a patent held by its author, Cisco Systems, Inc. They claim to have no intention of asserting patent claims against anyone implementing VRRP, but publicly reserve the right to assert patent claims defensively. OpenBSD needed this functionality to support failover between hosts, but the looming patent issue made VRRP a poor choice.
Based on their dedication to free software, the OpenBSD team went to work on creating a patent-free replacement for VRRP. This was released in the form of the Common Address Resolution Protocol (CARP) in late 2003. CARP operates at the data-link and network OSI layers, using a virtual MAC and one or more virtual IP addresses. The master router of the CARP group answers ARP requests for the shared IP address with the virtual MAC, allowing switches to quickly determine to which interface to forward traffic. CARP supports IPv4 and IPv6, load-balancing across the shared group, master preemption, and cryptographic hashing of the data-link announcements. Thanks to PF, pfsync, and CARP, users are now able to deploy truly redundant firewalls using free software and commodity hardware.
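To make the master/backup election and preemption described above concrete, here is a small simulation added as an example (it is not code from the article or from OpenBSD). It assumes the timing rules of OpenBSD's carp(4): a master advertises every advbase + advskew/256 seconds, a backup declares the master dead after 3*advbase + advskew/256 seconds of its own settings, and with net.inet.carp.preempt set a backup that would advertise more often than the current master takes over; the demotion counter is left out.

```python
from dataclasses import dataclass

TICKS = 256  # one advskew unit is 1/256 s, so the clock runs in 1/256-second ticks

@dataclass
class Node:
    name: str
    advbase: int = 1    # seconds between advertisements
    advskew: int = 0    # 0..254; higher means a less preferred master
    alive: bool = True
    state: str = "BACKUP"
    deadline: int = 0   # next advertisement (MASTER) or master-down timeout (BACKUP)

    def adv_ticks(self):   # advertisement interval: advbase + advskew/256 s
        return self.advbase * TICKS + self.advskew

    def down_ticks(self):  # assumed master-down timeout: 3*advbase + advskew/256 s
        return 3 * self.advbase * TICKS + self.advskew

class CarpGroup:
    def __init__(self, nodes, preempt=False):
        self.nodes, self.preempt, self.now, self.log = nodes, preempt, 0, []
        for n in nodes:            # everyone starts as BACKUP, waiting for a master
            n.deadline = n.down_ticks()

    def set_state(self, n, state):
        n.state = state
        self.log.append((self.now, n.name, state))
        if state == "MASTER":
            self.send_ad(n)        # a new master advertises immediately
        else:
            n.deadline = self.now + n.down_ticks()

    def send_ad(self, n):          # deliver an advertisement to every live peer
        n.deadline = self.now + n.adv_ticks()
        for peer in self.nodes:
            if peer is not n and peer.alive:
                self.receive(peer, n)

    def receive(self, rcv, sender):
        if rcv.state == "MASTER":  # a peer advertising at least as often wins
            if rcv.adv_ticks() >= sender.adv_ticks():
                self.set_state(rcv, "BACKUP")
        elif self.preempt and rcv.adv_ticks() < sender.adv_ticks():
            self.set_state(rcv, "MASTER")          # preempt a slower master
        else:
            rcv.deadline = self.now + rcv.down_ticks()  # master is alive, rearm

    def run_until(self, tick):
        while self.now < tick:
            self.now += 1
            for n in self.nodes:
                if n.alive and n.deadline <= self.now:
                    if n.state == "MASTER":
                        self.send_ad(n)
                    else:
                        self.set_state(n, "MASTER")  # no master heard in time

def failover_scenario(preempt):
    """fw1 (advskew 0) is preferred; fw2 (advskew 100) is its backup. Constructed scenario."""
    fw1, fw2 = Node("fw1", advskew=0), Node("fw2", advskew=100)
    g = CarpGroup([fw1, fw2], preempt=preempt)
    g.run_until(5 * TICKS); fw1.alive = False; g.set_state(fw1, "DOWN")   # master dies at 5 s
    g.run_until(15 * TICKS); fw1.alive = True; g.set_state(fw1, "BACKUP")  # returns at 15 s
    g.run_until(25 * TICKS)
    return g.log, fw1.state, fw2.state
```

The log shows fw2 taking over at tick 2148 (about 3.39 s after fw1's last advertisement, the backup's advskew adding to the delay) and, only with preemption enabled, fw1 reclaiming the virtual address as soon as it hears the slower master.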
