Dear all,

We already set up a firewall based on ipf. To make failover easier we plan to run each of the two machines in the following scenario. Please note that this is a cold-standby solution and the switch is currently done "by hand".

Both nodes use all of the four Intel NICs as interfaces to reach the node itself from the different networks the firewall connects to. Each interface on each node has an IP assigned to it which is of course tied to the machine.

The machine acting as firewall, and only that one, uses 4 VNICs created "on top" of the Intel NICs using dladm. The IP addresses assigned to these VNICs are the ones that "act" as firewall. What I'm saying is that those are the IP addresses configured in the connecting routers' routing tables as gateway.

For a simple failover without keeping the firewall state we plan to just take the VNICs down on one machine and bring them up on the other without changing the assigned IPs.

Now the question: ipf allows you to specify an interface + direction in rules. So far I have found no documents that describe how ipf distinguishes between the physical NIC and the VNIC on top. Seems to be easy for incoming packets that are sent to one of the IP addresses, but how about routed packets that leave the box? Will they leave through e1000g0 or vnic0?

Thanks for any help

Thomas

_______________________________________________
opensolaris-discuss mailing list
opensolaris-discuss@opensolaris.org
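The manual cold-standby switch described in the post (create the VNICs on both nodes with dladm, then unplumb them on the old active node and plumb them on the new one), as an added example script; this is not code from the original post or from the opensolaris-discuss thread. The interface names, the mapping of VNICs to e1000g NICs and the gateway addresses in the table are constructed for illustration and must be replaced with the real ones. It assumes the Solaris ifconfig "plumb addr/prefix up" and "unplumb" syntax, "dladm create-vnic -l", Solaris "ping host timeout" (exit 0 when the host answers) and "ipf -y" to resync ipf's in-kernel interface list after the interfaces change. It defaults to DRY_RUN=1, which prints the commands instead of running them; set DRY_RUN=0 on the firewall nodes.

```shell
#!/bin/sh
# Cold-standby VNIC failover helper (added example, not the original poster's code).
# Usage on the node giving up the firewall role:  DRY_RUN=0 ./vnic-failover.sh down
# Usage on the node taking the role over:        DRY_RUN=0 ./vnic-failover.sh up
# One-time on both nodes:                        DRY_RUN=0 ./vnic-failover.sh create

: "${DRY_RUN:=1}"   # 1 = only print the commands (default), 0 = execute them

# Constructed sample table: "vnic  underlying-NIC  gateway-address/prefix".
# These names and addresses are assumptions for the example, not the real setup.
VNIC_TABLE='
vnic0 e1000g0 192.0.2.1/24
vnic1 e1000g1 198.51.100.1/24
vnic2 e1000g2 203.0.113.1/24
vnic3 e1000g3 10.0.0.1/24
'

# Print or execute a command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Call "$1 vnic nic addr" for every non-empty row of VNIC_TABLE; stop on first failure.
each_vnic() {
    while read -r vnic nic addr; do
        [ -n "$vnic" ] || continue
        "$1" "$vnic" "$nic" "$addr" || return 1
    done <<EOF
$VNIC_TABLE
EOF
}

# True if the address already answers on the wire (the peer has not released it).
# Solaris ping syntax: "ping host timeout"; exit status 0 means "is alive".
# Skipped in dry-run mode so the plan can be printed on any machine.
addr_answers() {
    [ "$DRY_RUN" = 1 ] && return 1
    ping "$1" 2 >/dev/null 2>&1
}

# Create one VNIC on top of its physical NIC (no IP address yet).
create_one() { run dladm create-vnic -l "$2" "$1"; }

# Release the firewall role on this VNIC: unplumb it so the peer can take the address.
down_one() { run ifconfig "$1" unplumb; }

# Take the firewall role on this VNIC, refusing if the gateway address is still live.
up_one() {
    ip=${3%/*}
    if addr_answers "$ip"; then
        echo "refusing: $ip still answers; the peer has not released $1" >&2
        return 1
    fi
    run ifconfig "$1" plumb "$3" up
}

create_vnics() { each_vnic create_one; }
vnics_down()   { each_vnic down_one; }
# After plumbing, resync ipf's interface list so rules naming vnicN bind correctly.
vnics_up()     { each_vnic up_one && run ipf -y; }

case "${1:-}" in
    create) create_vnics ;;
    down)   vnics_down ;;
    up)     vnics_up ;;
esac
```

The order matters for a stateless cold standby: run "down" on the active node first, wait for it to complete, then "up" on the standby. The live-address check in up_one is the guard against running "up" while the peer still has the VNICs plumbed, which would put the same gateway address on two machines at once.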