Re: ftp-proxy and carp
On Wed, Mar 12, 2008 at 12:28:00PM +, Joe Warren-Meeks wrote:
> Hey chaps,
>
> I have a pair of OpenBSD firewalls running CARP

Thanks for your help guys.

-- joe.

Daddy, can we play a game of brinkmanship?
ftp-proxy and carp
Hey chaps,

I have a pair of OpenBSD firewalls running CARP

    $ uname -a
    OpenBSD ns-gs-fw2.host.nativ-systems.com 4.2 NS-GS-FW#0 i386

They both have internal and external addresses and an internal carp and external carp address shared.

Now, they are protecting an FTP server that I want to allow access to.

Ideally, I'd have ftp-proxy bind to the CARP address, so that if there was a failover event, inbound ftp would still work.

Is this possible, or do I have to bind it to the real address and let inbound ftp fail in the event of a failover?

-- joe.

Have you seen the syrup on that bloke? Unreal.
Re: ftp-proxy and carp
On 12.03.2008 at 13:28, Joe Warren-Meeks wrote:
> Hey chaps,

Hey,

> Ideally, I'd have ftp-proxy bind to the CARP address, so that if there was a failover event, inbound ftp would still work.

I set up a local IP address via interface lo1 and redirect all incoming ftp requests to ftp-proxy listening on this local address. I did this on both firewalls and configured pfsync between them, and everything is fine.

> -- joe.

Falk
Re: ftp-proxy and carp
Joe,

You can bind your reverse ftp-proxy to the carp addresses.

BTW, a problem you might eventually see is when the firewalls fail over. Current connections to the ftp server will die when the backup firewall takes over because it does not have the ftp-proxy anchors from the first firewall. The anchors are not pfsync states and thus are not transferred to the backup firewall through pfsync. But, if the users issue a reconnect to your ftp server after the firewall failover they will connect without issue.

-- Calomel @ http://calomel.org
Open Source Research and Reference

On Wed, Mar 12, 2008 at 12:28:00PM +, Joe Warren-Meeks wrote:
> Hey chaps,
>
> I have a pair of OpenBSD firewalls running CARP
>
>     $ uname -a
>     OpenBSD ns-gs-fw2.host.nativ-systems.com 4.2 NS-GS-FW#0 i386
>
> They both have internal and external addresses and an internal carp and external carp address shared.
>
> Now, they are protecting an FTP server that I want to allow access to.
>
> Ideally, I'd have ftp-proxy bind to the CARP address, so that if there was a failover event, inbound ftp would still work.
>
> Is this possible, or do I have to bind it to the real address and let inbound ftp fail in the event of a failover?
>
> -- joe.
>
> Have you seen the syrup on that bloke? Unreal.
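The setup Calomel and Falk describe (reverse ftp-proxy bound to the external CARP address, identical on both firewalls, pfsync between them) as an added configuration sketch; it is not from anyone in the thread. It assumes OpenBSD 4.2-era pf.conf syntax, the ftp-proxy(8) flags -b, -p and -R, and constructed addresses: external CARP 192.0.2.10, FTP server 10.0.0.5 behind em1, pfsync over em2.

```conf
# /etc/hostname.carp0  (external CARP address shared by both firewalls;
# the backup uses a higher advskew; constructed addresses)
inet 192.0.2.10 255.255.255.0 192.0.2.255 vhid 1 pass <carp-secret> advskew 0

# /etc/hostname.pfsync0  (state sync over a dedicated link, em2 assumed)
up syncdev em2

# /etc/rc.local  (same on both firewalls: reverse-mode ftp-proxy bound to
# the CARP address on port 21, relaying every session to the real server)
/usr/sbin/ftp-proxy -R 10.0.0.5 -p 21 -b 192.0.2.10

# /etc/pf.conf  (same on both firewalls)
ext_if   = "em0"
int_if   = "em1"
sync_if  = "em2"
carp_ext = "192.0.2.10"
ftp_srv  = "10.0.0.5"

# ftp-proxy inserts its per-session data-channel rules into these anchors
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

block in log

# carp and pfsync traffic between the pair
pass quick on $sync_if proto pfsync
pass on { $ext_if $int_if } proto carp

# client control connections terminate on the proxy at the CARP address
pass in on $ext_if proto tcp from any to $carp_ext port 21

# the proxy's own control connection to the FTP server
pass out on $int_if proto tcp to $ftp_srv port 21

# per-session pass rules that ftp-proxy adds for the data channels
anchor "ftp-proxy/*"

# Check after a failover (run on the new master):
#   pfctl -s states            shows the control-connection states that
#                              pfsync carried over
#   pfctl -a 'ftp-proxy/*' -sr shows the anchor rules, which are empty
#                              here because ftp-proxy on the old master
#                              created them and they are not pfsync'd;
#                              in-flight sessions therefore drop, and a
#                              fresh client connect works normally.
```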