Dear Everyone,
I'm preparing to upgrade our firewall.
We're a small business with a fairly basic IP networking setup. Our
firewall's got three ports: outside, public DMZ and a privately
numbered inside. We have recently obtained a second uplink (internet
connectivity) and my first task would be to make use of it - which in
traditional IP theory is next to nonsense. Originally I thought of
using two firewalls, and shifting the default route of my internal LAN
stations via a DHCP configuration update. Then I discovered the
primers on IProute2-based policy routing, and decided that I could
achieve the same with a single box, steered by two routing tables. I
knew about policy routing from my past Cisco experience, and on Linux/
PC-based routers you don't even have to care about the CPU overhead,
so this was a
no-brainer.
http://www.fccps.cz/download/adv/frr/FW.gif
My current firewall uses some Netfilter-based stateful NAT and
filtering. It works pretty good and I've written the rules from
scratch, I understand the semantics fairly well.
After reading the somewhat bloated IProute2 primers, and after
understanding that Netfilter NAT doesn't mix well with IPR2 NAT, one
nagging idea/question remains on my mind:
I know that Netfilter can do seamless stateful filtering of traffic
returning back through NAT. If I set up two uplinks with a NAT
"horizon split" on each of them, it shouldn't be a problem to route
traffic to either interface by merely modifying the default route (for
manual fail-over), or even by using multiple default routes with IPR2
per-flow balancing mechanisms - and I won't create a routing loop, as
my public outbound source address will always belong to the respective
ISP, courtesy of the twin NAT outside's.
Now what about *inbound* traffic? Suppose I've got a web server in the
DMZ. I'm wondering about possible fail-over setups with the two ISP
uplinks. I could set up two SNAT rules in the Netfilter's PREROUTING
table, one rule for each outside interface, both of them pointing to
the internal IP address of my web server. This would work for the
inbound packets, but how would the FW box deal with the returning
outbound traffic? I know that the Netfilter NAT can observe the
stateful information for filtering, but will IPR2 be able to observe
that information for *routing*? Not likely, I'd say. Never heard of
stateful *routing*. The necessary kernel guts could actually be quite
similar to the existing IPR2 per-flow balancing stuff, but I doubt
that this (dual-path stateful routing on NAT return traffic) would
work somehow seamlessly, out of the box, in the current incarnation of
IPR2+Netfilter... Obviously I can do without it, but it would be a
nice final touch :-)
Any ideas are welcome :-)
Frank Rysanek
Similar Threads
Linear Mode
