Load Balancing Firewalls

Scot L. Harris webid at cfl.rr.com
Wed Oct 26 22:28:20 UTC 2005


On Wed, 2005-10-26 at 15:28, Nathaniel Hall wrote:
> I am looking to load balance two or three linux servers running
> iptables.  Each of these firewalls will separate another network segment
> and will perform load balancing to the servers behind them.  My biggest
> problem with this setup is the possibility of the firewall going down,
> causing the entire system to stop.  Does anybody have a good idea for
> this?  Here is an idea of how I would like to make the system:
> 
> Internet
>     |
>     |
>  FW1                   |--Server1
>     |--------FW2--|--Server2
>     |--------FW3--|--Server3
>     |--------FW4--|--Server4
>                             |--Server5
> 
> I want to be able to use each firewall to load balance between
> Server1-5, but I also want to be able to load balance between FW2-4. 
> Any ideas?
> 
> --
> Nathaniel Hall, GSEC

The problem is how are you going to share the state tables between the
firewalls?  Typically an application establishes a connection through a
particular firewall.  If that firewall goes down the application has to
re-establish the connection through an alternate firewall.  Most
applications will simply hang until the user restarts them.

Nokia with Checkpoint had an HA setup that used VRRP to fail over between
two systems.  These systems shared state table information along with
the heartbeat info so if one system failed the other was able to take
over the connections that were routing through the primary.

This does depend on the particular application and protocols you are
using.  If they are UDP based then you don't have this issue.  But most
interesting protocols are TCP based.

If your application can restart when it times out due to a failed
firewall you might be able to work around this.
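The state-table problem described in the reply above can be seen with a small model. The following is an added example, not code from the mailing-list thread: two toy firewalls keep an iptables-style connection-tracking table, a rule set allows NEW connections only from the inside segment and ESTABLISHED traffic in both directions, and the primary fails after the outbound SYN has been accepted. The addresses, the `10.0.0.0/24` inside network and the replication step are all constructed assumptions; the point is that the return packet of an in-flight TCP flow is only accepted by the backup if the state was replicated to it before the failover.

```python
"""Toy model of stateful firewall failover (constructed example).

Two firewalls each hold a connection-tracking table keyed by the
canonical 5-tuple of a flow.  The filter mirrors a common iptables
policy:

    -A FORWARD -m state --state ESTABLISHED -j ACCEPT
    -A FORWARD -m state --state NEW -s 10.0.0.0/24 -j ACCEPT
    -P FORWARD DROP

When the primary dies mid-connection, the backup sees the server's
reply without ever having seen the SYN.  Without replicated state that
reply matches no entry and is dropped, which is the "application hangs
until restarted" symptom from the post.
"""
from dataclasses import dataclass, field

INSIDE_PREFIX = "10.0.0."  # hypothetical internal segment 10.0.0.0/24


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool  # True only for the first packet of a TCP connection


def flow_key(p: Packet):
    """Direction-independent key so request and reply hit the same entry."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


def is_inside(addr: str) -> bool:
    return addr.startswith(INSIDE_PREFIX)


@dataclass
class Firewall:
    name: str
    conntrack: set = field(default_factory=set)
    alive: bool = True

    def filter(self, p: Packet) -> str:
        key = flow_key(p)
        if key in self.conntrack:        # --state ESTABLISHED
            return "ACCEPT"
        if p.syn and is_inside(p.src):   # --state NEW, only from inside
            self.conntrack.add(key)
            return "ACCEPT"
        return "DROP"                    # default policy

    def replicate_to(self, other: "Firewall") -> None:
        """Stand-in for state-table sync between HA peers."""
        other.conntrack |= self.conntrack


class Cluster:
    """VRRP-like pair: traffic goes to the primary while it is alive."""

    def __init__(self, primary: Firewall, backup: Firewall):
        self.primary, self.backup = primary, backup

    def active(self) -> Firewall:
        return self.primary if self.primary.alive else self.backup

    def filter(self, p: Packet) -> str:
        return self.active().filter(p)


def run_scenario(sync_state: bool) -> list:
    """Return the verdicts for [outbound SYN via FW1, reply via FW2]."""
    fw1, fw2 = Firewall("FW1"), Firewall("FW2")
    cluster = Cluster(fw1, fw2)
    # Constructed flow: inside client 10.0.0.5 -> external web server.
    outbound = Packet("10.0.0.5", "198.51.100.10", 40000, 80, syn=True)
    reply = Packet("198.51.100.10", "10.0.0.5", 80, 40000, syn=False)

    verdicts = [cluster.filter(outbound)]  # NEW from inside -> ACCEPT on FW1
    if sync_state:
        fw1.replicate_to(fw2)              # share state before the failure
    fw1.alive = False                      # primary goes down
    verdicts.append(cluster.filter(reply)) # server reply now reaches FW2
    return verdicts


if __name__ == "__main__":
    print("with state sync:   ", run_scenario(True))   # ['ACCEPT', 'ACCEPT']
    print("without state sync:", run_scenario(False))  # ['ACCEPT', 'DROP']
```

The model deliberately ignores sequence numbers and timeouts; the only thing it shows is that a stateful backup needs the primary's table, which is exactly what the VRRP-plus-state-sharing setup mentioned above provides and what plain round-robin across independent iptables hosts does not.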

More information about the fedora-list mailing list