OpenBSD's firewall failover
Posted by creining | Filed under Security
Firewall Failover with pfsync and CARP. Is OpenBSD 3.5, to be released May 1st, ready for enterprise deployments now? I’ve written about CARP and pfsync before. CARP is much like VRRP, although it improves on it in many ways: it supports IPv6 addresses, provides strong authentication via a SHA1 HMAC, and supports a degree of load balancing via an “arp balancing” feature. The pfsync protocol works by sending out state creations, updates, and deletions via multicast. Other firewalls listen for the messages and import the changes into their state tables. The OpenBSD crew is, and rightly so, ticked at the Cisco patents in IETF standards, whereby Cisco stated “it would be impossible for a free software group to produce a truly free implementation of the IETF standard protocol.”
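To make the HMAC point concrete, here is an added example (not code from OpenBSD or from the original post) of a backup node that accepts a redundancy advertisement only when its SHA1 HMAC verifies under the shared key. The packet layout, the replay counter check, the `BackupNode` and `make_advert` names, and the key and addresses are all assumptions constructed for illustration; this is a simplified model, not CARP's wire format.

```python
import hashlib
import hmac
import struct

HDR = struct.Struct("!BBQ")  # vhid, advskew, counter (assumed layout, not CARP's wire format)
TAG_LEN = hashlib.sha1().digest_size  # 20 bytes

def _tag(key: bytes, header: bytes, vip: str) -> bytes:
    # In this model the virtual IP is MACed but not transmitted, so a peer
    # configured with a different address computes a different tag.
    return hmac.new(key, header + vip.encode(), hashlib.sha1).digest()

def make_advert(key: bytes, vhid: int, advskew: int, counter: int, vip: str) -> bytes:
    header = HDR.pack(vhid, advskew, counter)
    return header + _tag(key, header, vip)

class BackupNode:
    """Backup firewall deciding whether to trust a master's advertisement."""
    def __init__(self, key: bytes, vhid: int, vip: str):
        self.key, self.vhid, self.vip = key, vhid, vip
        self.last_counter = -1

    def accept(self, packet: bytes) -> bool:
        if len(packet) != HDR.size + TAG_LEN:
            return False
        header, tag = packet[:HDR.size], packet[HDR.size:]
        # Constant-time comparison; verify the tag before trusting any field.
        if not hmac.compare_digest(tag, _tag(self.key, header, self.vip)):
            return False
        vhid, _advskew, counter = HDR.unpack(header)
        if vhid != self.vhid or counter <= self.last_counter:
            return False  # wrong group, or a replayed advertisement
        self.last_counter = counter
        return True

def demo() -> dict:
    key, vip = b"constructed-shared-pass", "192.0.2.1"  # constructed sample values
    node = BackupNode(key, vhid=1, vip=vip)
    genuine = make_advert(key, 1, 0, 1, vip)
    skewed = bytearray(make_advert(key, 1, 100, 2, vip))
    skewed[1] = 0  # advskew rewritten in transit, tag left unchanged
    return {
        "genuine": node.accept(genuine),
        "replayed": node.accept(genuine),
        "wrong_key": node.accept(make_advert(b"guess", 1, 0, 2, vip)),
        "tampered_advskew": node.accept(bytes(skewed)),
        "wrong_vip": node.accept(make_advert(key, 1, 0, 2, "192.0.2.99")),
        "next_genuine": node.accept(make_advert(key, 1, 0, 2, vip)),
    }

if __name__ == "__main__":
    print(demo())
```

Only the genuine advertisement and its correctly numbered successor are accepted; the replayed, wrong-key, tampered and wrong-address packets are all rejected before any field is acted on.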