redundant linux firewall

We have designed a custom ip-tables based linux firewall. This firewall
guards 3 web servers and a mail server. Recently it died on us due to a
faulty RAM module (in the hindsight we should have tested it). This prompted
us to look for a failover firewall which will eventually lead to a higly
available setup. This failover machine need not be identical in
configuration but the sessions and iptables etc need to be synced. I did
some research in to tools that'll help me do this and I came across a few
projects which address this in one way or the other. Linux-ha
(http://linux-ha.org/), Fake (http://www.vergenet.net/linux/fake/) and
UltraMonkey (http://www.ultramonkey.org/).

Any suggestions on which one might be a better solution for our situation or
are there any other projects which are better? Any light on some pros and
cons (from real world experience and not what is written on the web page)
would be great. Thanks.

--Turi

On Thu, 10 Jun 2004 09:56:39 -0500, Aditya Ivaturi wrote:

> [ ... ] sessions and iptables etc need to be synced.

http://cvs.netfilter.org/netfilter-ha/

[ Snip: Linux-HA ]

Look for "The failover of the load balancer" here:
http://www.linux-vs.org/HighAvailability.html

You need an aditional connection between the firewalls,
(for the "heartbeat"). In this kind of a setup though.

> Any suggestions on which one might be a better solution for our
> situation or are there any other projects which are better?

http://www.ucarp.org/

> Any light on some pros and cons (from real world experience and not what
> is written on the web page) would be great. Thanks.

Well, i guess this followup isn't great then ...

Why one would want to use: CARP rather then VRRP / HSRP :
http://www.openbsd.org/lyrics.html

--
-Menno.