Hello,

I'm currently running a test to check my firewall HA setup with VRRP,
and I had a BIG surprise: in this test, when my active firewall
(POLLUX) goes down and the switch-over process brings up the other netfilter
firewall (CASTOR), a pre-established TCP session (telnet) from ATHENA to
MINOS, which was established across POLLUX, gets picked up by the firewall
that was in passive state when the connection started, and CASTOR continues
filtering it... whoah!

Can someone explain to me how this is possible without a process for copying
connection tables between each firewall node? CASTOR doesn't know anything
about the connection between ATHENA and MINOS; it only knows that an ACK packet
crossed the wire, not a SYN/ACK handshake..... mmmm, HELP :)

My firewalls have the same policy (simplified, of course):

iptables -I FORWARD -p tcp --dport 23 -j ACCEPT
iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

The setup is this:

                ATHENA - 192.168.1.1
                                 |
                                 |
                         192.168.1.254
                             (Router)
                         192.168.5.1
                                 |
                                 |
               192.168.5.100 (HA Virtual IP)
   192.168.5.10                    192.168.5.20
          (ACT)                              (PASV)
        POLLUX                           CASTOR
   192.168.6.10                    192.168.6.20
             192.168.6.100 (HA Virtual IP)
                                 |
                                 |
                         MINOS - 192.168.6.50 (default gw 192.168.6.100)


Regards,

        Sancho Lerena
        [EMAIL PROTECTED]
        GNUSec, the GNU Security Resource.
        http://www.gnusec.com
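As an added illustration that is not part of the original post, here is a small Python model of how conntrack on a node with an empty state table classifies the session's next ACK, and how the posted FORWARD rules then treat it. The classifier is a deliberate simplification of the kernel's TCP tracking (the "loose" switch stands in for nf_conntrack_tcp_loose), and the sample packets are constructed from the addresses in the diagram.

```python
# Simplified model of netfilter conntrack plus FORWARD-chain evaluation, added to
# illustrate the post above; it is NOT the kernel's code and the TCP state machine
# is approximated. Addresses are the poster's; "loose" models nf_conntrack_tcp_loose.
from collections import namedtuple
Packet = namedtuple("Packet", "src dst sport dport flags")   # flags: a set of TCP flag names
Rule = namedtuple("Rule", "target dport states")              # None = no match on that field

class Conntrack:
    def __init__(self, loose=True):
        self.loose = loose          # net.netfilter.nf_conntrack_tcp_loose (default 1)
        self.table = set()

    def classify(self, pkt):
        key = frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})  # direction-agnostic
        if key in self.table:
            return "ESTABLISHED"
        if "SYN" in pkt.flags and "ACK" not in pkt.flags:
            self.table.add(key)
            return "NEW"
        if self.loose and "ACK" in pkt.flags:
            self.table.add(key)     # mid-stream pickup: a bare ACK may start an entry
            return "NEW"
        return "INVALID"

def forward_verdict(rules, ct, pkt, policy="DROP"):
    state = ct.classify(pkt)
    for r in rules:
        if r.dport is not None and pkt.dport != r.dport:
            continue
        if r.states is not None and state not in r.states:
            continue
        return r.target
    return policy

# Each "iptables -I" inserts at the top, so the rule inserted last runs first.
POSTED = [Rule("ACCEPT", None, {"ESTABLISHED", "RELATED"}),
          Rule("ACCEPT", 23, None)]
# Same policy, but the port-23 rule only admits packets conntrack calls NEW.
STRICT = [Rule("ACCEPT", None, {"ESTABLISHED", "RELATED"}),
          Rule("ACCEPT", 23, {"NEW"})]

# Constructed sample: the telnet session's next ACK (ATHENA -> MINOS) hitting CASTOR.
MIDSTREAM_ACK = Packet("192.168.1.1", "192.168.6.50", 40000, 23, {"ACK"})
REPLY = Packet("192.168.6.50", "192.168.1.1", 23, 40000, {"ACK"})

def castor_verdicts(rules, loose=True):
    """(client->server ACK, server->client ACK) verdicts on CASTOR, empty table at failover."""
    ct = Conntrack(loose)
    return forward_verdict(rules, ct, MIDSTREAM_ACK), forward_verdict(rules, ct, REPLY)
```

In this model only the combination of a state-qualified port-23 rule and mid-stream pickup turned off rejects the orphaned session; either change alone still lets the client-to-server ACK through.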


