Linux firewall failover
2007-05-01 02:38:41 GMT
I'm looking at an option to deploy a couple of Linux boxes as our main router for HA (after the power supply of our SonicWall fried itself on the night of a non-working day). This morning I thought it would be neat if the standby firewall node could replicate the connection tracking info from the primary node, and a quick search shows that a couple of people have already beaten me to it - enter conntrackd ( http://people.netfilter.org/pablo/conntrackd/, announcement in http://lists.netfilter.org/pipermail/netfilter-devel/2006-May/024548.html ) and ctsyncd (blog in http://gnumonks.org/~laforge/weblog/linux/netfilter/ct_sync/, SVN in https://svn.netfilter.org/netfilter/trunk/netfilter-ha/ct_sync/)
conntrackd came later but seems to be more active and feature-complete than ctsyncd (e.g. using both firewall nodes at once to double the bandwidth). It's not packaged for Debian yet (it's in some ITP list and Debian already has "conntrack") and appears to be still in an experimental state.
Does anyone here have experience with anything like this?