OpenBSD firewall failover with CARP and pfsync

Navigation

User login

GWT in Practice at Manning
GWT in Practice at Amazon
GWT Resources

Unlocking Android at Manning
Unlocking Android at Amazon
Android Resources

Quote

William Gibson

We seldom legislate new technologies into being. They emerge, and we plunge with them into whatever vortices of change they generate. We legislate after the fact, in a perpetual game of catch-up, as best we can, while our new technologies redefine us - as surely and perhaps as terribly as we've been redefined by broadcast television.

OpenBSD firewall failover with CARP and pfsync

Mon, 04/05/2004 - 09:16 — charlie.collins

Really cool article about failover firewalls with several OpenBSD utilities, CARP and pfsync. I am not very familiar with OpenBSD but the CARP portion of this technique sounds a bit similar to Linux-HA using Heartbeat. Basically CARP (Common Address Redundancy Protocol) allows a virtual MAC address and one or more virtual IP addresses, which hosts "share". If a primary host fails a secondary takes over. Very cool. The really interesting part is however pfsync. This is a utility to sync firewall state: "transfers state insertion, update, and deletion messages between firewalls. Each firewall sends these messages out via multicast on a specified interface, using the PFSYNC protocol". Combined you have failover firewalls.

For more see the linked article by Ryan McBride. Firewall Failover with pfsync and CARP