Hi, I run a redundant bridging firewall setup and have done so for a long
time.  I have a write-up here: 

http://www.seattlecentral.edu/~dmartin/docs/bridge.html

If you want to do this, make absolutely sure you're very familiar with
how ethernet works and how switches and bridges figure out which port
to use to contact a given host.  In a redundant bridge setup, it's
very easy to convince the switches and the bridges that traffic is
coming from the wrong ports.  In the end, I made a static table of the
mac addresses of the machines behind my firewall.  

Recently, though, I've had problems where one of my firewalls will
semi-crash.  It's crashed enough that it can't make new state table
entries, but not so crashed that old state table entries go away.
That means the STP packets continue to pass while real traffic does
not, and that means the failover mechanism does not kick in, and that
means your boss yells at you.

-Dylan

> Hi everyone,
> I have a new task for a hosting provider.
> There is a Linux firewall filtering Internet access for all the servers
> (something like 100 servers).
> Last week the firewall broke down, cut the Internet access to all the servers,
> and there was no alarm because the Nagios was behind the firewall.
> The box had Linux iptables and proxy ARP.
> 
> 
> ----[internet]---public IP--[linux box]-----all the servers(public ip's)
> 
> The IP of the box is in the same subnet as the servers,
> and all the interfaces on the Linux box have the same public IP.
> 
> I was thinking of a bridge firewall with OpenBSD, and maybe CARP to be 
> redundant,
> but CARP is not working with bridge.
> Maybe pfsync and STP?
> Thank you for your advice on the situation.
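One way to catch the semi-crash Dylan describes above, where STP keeps passing but the firewall can no longer create state-table entries, is a probe that distinguishes an existing flow from a new one. The script below is an added example, not code from the original message or from Dylan's setup: it holds one long-lived TCP connection open (which only needs an old state entry) and repeatedly opens fresh connections (each of which needs a new entry), then classifies the firewall as healthy, semi-crashed or down. Run from outside the firewall pair rather than from a monitoring host behind it, as in the quoted question. The EchoServer is a constructed loopback stand-in for a host behind the firewall so the script runs offline; the host, port, payload and timeout are assumptions for illustration.

```python
"""Data-plane probe for a bridging firewall: an added example, not the post's code.
Holds one long-lived TCP flow (an OLD state entry) and opens fresh ones (each
needs a NEW entry); EchoServer is a constructed loopback stand-in for a host
behind the firewall.  Host, port, payload and timeout are assumptions."""
import socket
import threading

PROBE_TIMEOUT = 3.0  # seconds; an assumption, tune for your path


def _roundtrip(sock, payload=b"ping\n"):
    """Send one line and expect it echoed back on the same connection."""
    sock.sendall(payload)
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = sock.recv(64)
        if not chunk:               # peer closed: this flow is dead
            return False
        buf += chunk
    return buf == payload


class FirewallProbe:
    def __init__(self, host, port, timeout=PROBE_TIMEOUT):
        self.host, self.port, self.timeout = host, port, timeout
        self._old = None            # long-lived flow, opened while healthy

    def _connect(self):
        return socket.create_connection((self.host, self.port), timeout=self.timeout)

    def open_persistent(self):
        self._old = self._connect()

    def existing_ok(self):
        """Traffic on the old flow needs only the existing state entry."""
        try:
            return self._old is not None and _roundtrip(self._old)
        except OSError:
            return False

    def new_ok(self):
        """A fresh flow forces the firewall to create a new state entry."""
        try:
            with self._connect() as s:
                return _roundtrip(s)
        except OSError:
            return False

    def diagnose(self):
        old, new = self.existing_ok(), self.new_ok()
        if old and new:
            return "healthy"
        return "semi-crash" if old else "down"   # semi-crash: STP still flows


class EchoServer:
    """Constructed loopback stand-in for a server behind the firewall."""

    def __init__(self):
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(5)
        self.sock.settimeout(0.1)   # poll so the accept loop can be stopped
        self.port = self.sock.getsockname()[1]
        self._conns, self._stop = [], threading.Event()
        self._thread = threading.Thread(target=self._accept_loop, daemon=True)
        self._thread.start()

    def _accept_loop(self):
        while not self._stop.is_set():
            try:
                conn, _ = self.sock.accept()
            except socket.timeout:
                continue
            self._conns.append(conn)
            threading.Thread(target=self._echo, args=(conn,), daemon=True).start()
        self.sock.close()           # port gone: new connects are refused

    @staticmethod
    def _echo(conn):
        try:
            for data in iter(lambda: conn.recv(1024), b""):
                conn.sendall(data)
        except OSError:
            pass

    def stop_accepting(self):
        """Semi-crash: accepted flows keep working, no new ones can start."""
        self._stop.set()
        self._thread.join()

    def stop_all(self):
        """Hard crash: nothing gets through any more."""
        self.stop_accepting()
        for c in self._conns:
            try:
                c.shutdown(socket.SHUT_RDWR)
            except OSError:
                pass
            c.close()
```

To try it locally, create an EchoServer, build a FirewallProbe against 127.0.0.1 and its port, call open_persistent() while everything is healthy, then call diagnose() after each of srv.stop_accepting() and srv.stop_all(): the results go "healthy", "semi-crash", "down". In a real deployment only the "semi-crash" verdict matters, since that is the case STP-based failover cannot see on its own; feed it to whatever your redundancy mechanism uses to take a node out of service.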
