Firewall Wizards mailing list archives
GATED Question
From: Colin Campbell <sgcccdc () citec qld gov au>
Date: Mon, 1 Mar 1999 10:56:24 +1000 (EST)
Hi,

One of my colleagues has a question regarding the use of GATED for failover of firewalls. We have tried Merit but got no answers. The question and answer may be of interest to others on this list.

The following picture is a simplified version of the setup involved:

        hostile network
              |
              |
            router
              |
            ------
           /      \
          /        \
       fw-1        fw-1   (one production, the other standby)
          \        /
           \      /
            ------
              |
            router
              |
              |
        friendly network

The idea is that the firewalls and the router interfaces on the firewall LANs are in one OSPF area. Within about a minute of the "production" firewall dying the routers switch to the standby firewall.

Anyway, here's the question:

------------------------------------------------------------

I am looking for information about gated's operation. I have a firewall configuration of two Firewall-1 firewalls between two routers providing some firewall redundancy by using OSPF and gated on the firewalls to enable the routers to direct traffic to either the primary or secondary firewall, depending upon who's running at the time.

Recently a flaw in this configuration was discovered when one of the routers was mis-configured, and the routing information was published to the firewall resulting in a denial of service as anti-spoofing rules prevented packets being transmitted from the wrong interface.

I have noticed that there is a -n option for the gated command line that seems to indicate that gated will take part in OSPF conversations but will not alter its own, already existing, routing table entries. Is this true?

My intention is to set up static routes on the firewall and start gated with the -n option so that the routers can perform the failover function in the event that the firewall dies but prevent the routers from modifying the firewall's routing tables.

Am I correctly interpreting the function of the -n option? The man page is not very forthcoming on the subject and I have found no other mention of this option.

I will appreciate any information you can give me.

------------------------------------------------------------

So will I,
Colin

--
Colin Campbell
Unix Support
CITEC
+61 7 3227 7112
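The failure the post describes is a route learned from a misconfigured router that sends friendly-network traffic out the hostile-side interface, where the firewall's own anti-spoofing rules drop it. Whether or not gated's -n option turns out to do what the poster hopes, a firewall administrator would want a check that detects such a deviation from the intended static routes. The script below is an added example, not code from the original post or from gated; the interface names (le0 outside, le1 inside), the addresses, and the netstat -rn style table format are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Routing policy the firewall must never deviate from (hypothetical addresses).
# le1 faces the friendly network, le0 faces the hostile network.
EXPECTED_INTERFACES = {
    ipaddress.ip_network("10.10.0.0/16"): "le1",   # friendly network: inside only
    ipaddress.ip_network("0.0.0.0/0"): "le0",      # default route: outside only
}

# Constructed netstat -rn style listing; the last line is a more-specific route
# for part of the friendly network that has leaked in via the outside router.
SAMPLE_TABLE = """\
Destination      Gateway          Flags  Ref   Use   Interface
default          192.0.2.1        UG     1     100   le0
192.0.2.0/24     192.0.2.2        U      1     50    le0
198.51.100.0/24  198.51.100.2     U      1     50    le1
10.10.0.0/16     198.51.100.1     UG     1     200   le1
10.10.5.0/24     192.0.2.1        UG     1     3     le0
"""


@dataclass
class Route:
    destination: ipaddress.IPv4Network
    gateway: str
    interface: str


def parse_routing_table(text):
    """Parse whitespace-separated rows: destination, gateway, ..., interface (last column)."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] == "Destination":
            continue
        dest = fields[0]
        try:
            net = ipaddress.ip_network("0.0.0.0/0" if dest == "default" else dest,
                                       strict=False)
        except ValueError:
            continue  # skip anything that is not an IP prefix
        routes.append(Route(net, fields[1], fields[-1]))
    return routes


def expected_interface_for(dest, expected):
    """Most-specific policy prefix covering dest; the catch-all applies only to a default route."""
    best = None
    for net, iface in expected.items():
        if net.prefixlen == 0:
            if dest.prefixlen == 0:
                return iface
            continue
        if dest.version == net.version and dest.subnet_of(net):
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, iface)
    return best[1] if best else None


def check_routes(routes, expected=EXPECTED_INTERFACES):
    """Return (destination, actual_iface, expected_iface) for every route that would
    push traffic out an interface the policy forbids, i.e. straight into anti-spoofing."""
    violations = []
    for r in routes:
        want = expected_interface_for(r.destination, expected)
        if want is not None and r.interface != want:
            violations.append((str(r.destination), r.interface, want))
    return violations


if __name__ == "__main__":
    for dest, got, want in check_routes(parse_routing_table(SAMPLE_TABLE)):
        print(f"ALERT: {dest} via {got}, policy requires {want}")
```

Run periodically against the live table (replacing SAMPLE_TABLE with the output of the local routing command), the check flags the injected 10.10.5.0/24 route because a more-specific prefix inside the friendly network now points out the outside interface; the connected LAN routes are left alone because no policy entry covers them. Longest-prefix matching is used so that a legitimately more-specific inside route is not reported.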