Monday, February 09, 2004
Firewalls and VRRP
I'm playing with the idea of using the virtual router redundancy protocol on
Rhodes' firewall to give us a redundant route out to Tenet.
We've got two firewalls, porcupine and hedgehog. On Friday I separated the idea of a
machine and a gateway, creating indanda as the gateway which is currently
bound on porcupine. (indanda means porcupine in Xhosa, thanks Fez).
I tried setting up VRRP on Saturday. It worked fine on the Tenet interface,
but seemed to break things when I did it on the Rhodes interface. I'm not
sure why; it may be related to the general Tenet weirdness of this weekend.
Anyway I stopped playing because it was registration and people depended on
porcupine (actually indanda now) to talk to the database server (protea).
There would be some bleakness if I broke it ;-)
20040209
I mailed freebsd-questions today trying to find out if there is a way of
changing the source address of the ICMP TTL exceeded messages generated by
the firewalls. As it is, we see porcupine/hedgehog in a traceroute rather
than indanda because the admin interface is the first one bound. I don't
like that because 1/ you know there is more than one firewall, and 2/ we
listen for ssh on those IPs rather than indanda. The visible hostname
shouldn't offer any services at all.
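The traceroute leak described above is easy to check for from the outside, so here is a small audit script (an added example, not part of the original post or of any Rhodes tooling). It parses traceroute output and reports any hop that answered from a firewall's physical/admin address instead of the virtual gateway. The sample traceroute text and all IP addresses are constructed (RFC 5737 documentation ranges); only the hostnames porcupine, hedgehog, indanda and protea come from the post, and the inventory dictionaries are assumptions for the example.

```python
import re
from dataclasses import dataclass

# Constructed traceroute output for the example (not a real capture).
# Hostnames follow the post; addresses are RFC 5737 documentation ranges.
SAMPLE_TRACEROUTE = """\
traceroute to protea.example (198.51.100.20), 30 hops max, 40 byte packets
 1  core-gw.example (192.0.2.1)  0.412 ms  0.389 ms  0.371 ms
 2  porcupine.example (192.0.2.11)  1.204 ms  1.187 ms  1.162 ms
 3  * * *
 4  protea.example (198.51.100.20)  2.031 ms  2.010 ms  1.998 ms
"""

# Assumed inventory (example values): the virtual gateway address that
# should be the only firewall hop visible, and the physical/admin
# addresses of the two real firewalls that should never appear.
VIRTUAL_GATEWAY = {"indanda": "192.0.2.10"}
FIREWALL_ADMIN = {"porcupine": "192.0.2.11", "hedgehog": "192.0.2.12"}

# Matches "<hop>  <name> (<ipv4>)"; timed-out hops ("* * *") do not match.
HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\d+\.\d+\.\d+\.\d+)\)")


@dataclass
class Hop:
    number: int
    name: str
    addr: str


def parse_traceroute(text):
    """Return the responding hops from traceroute output, in order."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append(Hop(int(m.group(1)), m.group(2), m.group(3)))
    return hops


def find_leaked_firewalls(hops, admin_addrs=FIREWALL_ADMIN):
    """Return (hop number, firewall name) for every hop whose ICMP reply
    was sourced from a physical firewall address rather than the VIP."""
    addr_to_fw = {addr: name for name, addr in admin_addrs.items()}
    return [(h.number, addr_to_fw[h.addr]) for h in hops if h.addr in addr_to_fw]


def gateway_visible(hops, vip_addrs=VIRTUAL_GATEWAY):
    """True if the virtual gateway address itself appears as a hop."""
    return any(h.addr in vip_addrs.values() for h in hops)


if __name__ == "__main__":
    hops = parse_traceroute(SAMPLE_TRACEROUTE)
    for number, name in find_leaked_firewalls(hops):
        print(f"hop {number}: real firewall '{name}' exposed instead of the VIP")
    if not gateway_visible(hops):
        print("virtual gateway never appeared as a hop")
```

Run against a real traceroute by piping its output into `parse_traceroute`; a non-empty result from `find_leaked_firewalls` means the redundancy arrangement is visible to anyone tracing through the site, and the listed hosts are the ones whose listening services deserve a second look.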
It also appears that the Nortel 8600 may do VRRP. This could be a useful
last-resort type default gateway, although it would leave Rhodes completely
unprotected. We have to weigh up the SEALS SLA (worth R350K/year and paying
for resnet) against protecting J. Random Windows machine.
posted by guy at: 00:00 SAST | path: /systems
