Hi,

Sorry, but I just can't seem to get (all of) net.inet.carp.preempt from the man pages. I could set this up and test it, but I know that somebody's done it already and a quick search of the list archives fails me.

Suppose I have 2 firewalls, one failing over to the other with carp. (net.inet.carp.preempt=1 on both firewalls.) Each has 3 interfaces: internet, lan, and dmz. The dmz has, say, a webserver. Now to connect the 2 firewalls to the webserver an additional switch/hub is required in the physical topology.

Suppose the switch dies. (I'm thinking the link goes down on both firewalls' dmz interface, but I suppose there are other more spectacular ways the switch could fail.) What is the state of all the carp interfaces on the firewalls? If the dmz interfaces go down, then does this not shut off all the carp interfaces on both firewalls as a group, turning off the parts of both firewalls that are still functioning?

Is the solution to this to use ifstated to check the opposite firewall and see if it's master, and if not then shut down the dmz carp interface? (If this is the answer it'd be nice to have ifstated be able to examine interfaces on other hosts, not just on the local host.)

TIA.

Karl <[EMAIL PROTECTED]>
Free Software: "You don't pay back, you pay forward." -- Robert A. Heinlein