Re: Making a firewall redundant
From: al dav (dav.1_at_bigfoot.com)
Date: Tue, 3 Jun 2003 14:41:18 +0200
"Maarten" <email@example.com> wrote in message
> We want to make a firewall redundant in the following way: we have two
> servers with exactly the same firewall on them.
> When, for example, the outside NIC of the first firewall goes down (not the
> whole system, we're talking about Linux here ... :-)) then we have to
> instantly switch over to the backup firewall server ...
> How can one accomplish this? Constantly polling if that outside NIC is
> online? Are there tools for monitoring this on a nearly real-time basis?
Is it really likely that your outside NIC is going to go down but not the
Let's look at a couple of scenarios:

1) The leased line, ADSL, ISDN etc. ... whatever you use goes down.
Switching to a different firewall will make no difference unless you
have another connection to the internet, and if you did I would use a router
to provide redundancy and have your firewall sit behind the router.

2) The actual firewall machine freezes up ... I know it is
Linux so this will never happen, right? :-)
Use Linux-HA to set up a failover cluster and connect a serial cable
between the two firewalls; when the primary one fails the secondary will
automatically acquire the IP address of the primary and function in its

3) The actual NIC stops working on your firewall but the system is
actually fine??? I have never heard of this in my life, but you never know I
install 2 NICs and use bonding to allow them to both function as one; the
load will be balanced and in the event of one failing the other will
continue with the full load.

Hope some of this helps.
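As an added example (not from the thread or the Linux-HA project), a POSIX shell sketch of the "constantly polling" approach Maarten asks about: it reads the kernel's carrier and operstate for the outside NIC (the same link signal that bonding's MII monitor watches), debounces over a few polls so a flap does not bounce the shared address, and then calls a takeover hook. The hook, the interface names and the polling interval are assumptions; on a heartbeat node the hook is where you would run hb_standby so the peer acquires the IP.

```shell
#!/bin/sh
# Added example (not from the thread): poll the outside NIC of a Linux
# firewall and hand over to the standby node when its link is lost.
# Assumes Linux sysfs (/sys/class/net/<iface>/carrier and operstate); the
# takeover hook and interface names are assumptions for illustration.

SYSFS_NET="${SYSFS_NET:-/sys/class/net}"   # overridable for offline testing
POLL_INTERVAL="${POLL_INTERVAL:-1}"        # seconds between polls

# Return 0 when the NIC has carrier and is not operationally down.
# carrier reads 0/1 (and is unreadable on an admin-down NIC, which is
# treated as down); operstate reads e.g. "up", "down" or "unknown".
nic_link_up() {
    iface="$1"
    carrier=$(cat "$SYSFS_NET/$iface/carrier" 2>/dev/null) || return 1
    state=$(cat "$SYSFS_NET/$iface/operstate" 2>/dev/null || echo unknown)
    [ "$carrier" = "1" ] && [ "$state" != "down" ]
}

# Debounce: only report a failure after THRESHOLD consecutive down polls,
# so a brief flap does not bounce the shared IP between the two firewalls.
# Prints yes/no and returns 0 only when a failover is warranted.
failover_needed() {
    iface="$1"; threshold="${2:-3}"; n=0
    while [ "$n" -lt "$threshold" ]; do
        if nic_link_up "$iface"; then echo no; return 1; fi
        n=$((n + 1))
        if [ "$n" -lt "$threshold" ]; then sleep "$POLL_INTERVAL"; fi
    done
    echo yes; return 0
}

# Hook run once on sustained loss. On a Linux-HA (heartbeat) node this is
# where you would run hb_standby so the peer takes over the shared address;
# here it only logs, as an assumed placeholder.
takeover_hook() { logger -t fw-failover "outside NIC $1 down: handing over"; }

monitor_outside_nic() {
    iface="$1"
    while :; do
        if failover_needed "$iface" 3 >/dev/null; then
            takeover_hook "$iface"; return 0
        fi
        sleep "$POLL_INTERVAL"
    done
}
# e.g. ./fw-linkmon.sh --monitor eth0   (eth0 is an assumed outside NIC)
if [ "${1:-}" = "--monitor" ]; then monitor_outside_nic "$2"; fi
```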