OpenBSD developer Ryan McBride explains the new firewall redundancy features in the upcoming OpenBSD 3.5 release in his article Firewall Failover with pfsync and CARP. CARP (Common Address Redundancy Protocol) is a free alternative to the patent-encumbered VRRP and is responsible for electing masters in a firewall cluster, while pfsync synchronizes packet filter state information among the nodes.
The combination makes it possible to replace single-point-of-failure firewalls with clusters of two (or more) nodes, which continue to filter both ongoing and new connections when a node fails. Additional features such as arpbalance allow a single IP address to be shared by multiple servers, transparently balancing load among them and adapting when servers fail.
Pre-orders for OpenBSD 3.5 have started; CDs will ship May 1st.
That’s a very nice feature. Once OpenBSD has official SMP support, it will be the best OS.
We can see that OpenBSD has a nice future.
Nice to see the folks at OpenBSD still being innovative. I am waiting for the port of PF onto the other *BSDs. I must admit that I am tempted to give OpenBSD a try; however, I need some more hardware.
Hmmm. OpenBSD and more hardware, sounds like 2 good things to me.
Number one: you stole my name =P
Number two: pf is pretty much the reason why I gave OpenBSD a try, and I haven’t regretted it.
I used to use FreeBSD as my gateway/firewall/router, but now I use OpenBSD and it runs great. Pf is really nice, and there seems to be more and more software being made to parse its logs and do other stuff. It’s pretty cool.
Find some hardware and give it a try. Right now it’s running on my old AMD K6-2 400 Asus board with 3 NICs. Runs great!
The next thing for me to do with OpenBSD and pf is to finally find some time to mess with cflows and other traffic reporting tools. I also want to get into log analysis and stuff like that. I just haven’t found the time.
I am waiting for the port of PF onto the other *BSDs.
FreeBSD, in the -CURRENT branch, already has PF imported.
Which function is redundant in CARP? Is it the firewall or the router?
On an internal network, each client can be configured as a firewall. Therefore, if redundancy is needed, it would be simpler to place two routers and one firewall between the internet and the LAN.
It’s a router, a replacement for VRRP.
this feature may be needed in many large organisations…
Good going OpenBSD Team.
-sathish
I hope pf makes it into the m0n0wall code base. That would kick ass.
It was in the ports tree on FreeBSD 5.x, and just recently moved into the source tree.
And it’s available on NetBSD -current as well.
If only the people in Linuxland would get off their keisters and port PF or even IPF. Packet filters in Linux are a joke, even compared to IPFW.