HA Firewalls on the Cheap OpenBSD / CARP / pfsync By: Adam Crosby Overview ¢ OpenBSD ¢ pf – IP Packet filter ¢ CARP – Redundancy protocol ¢ pfsync – State table sync ¢ Competition ¢ Production example ¢ FWBuilder (in case the CLI is not your ball of wax) ¢ Demo Architecture ¢ Demo ¢ Q&A OpenBSD ¢ Typically known for ‘security’ focus ¢ Increasing network-centric focus l pf, OpenBGP, ssh, OpenNTPD, etc ¢ Tiny (~140mb install) ¢ Simple ¢ Extremely well documented l ‘man’ pages for everything that are up to date and actually have useful info! pf – packet filter ¢ Packet filter for TCP/IP l NAT l QOS (w/ALTQ) l High Availability (w/pfsync + carp) ¢ Written to replace Darren Reed’s ‘ipf’ after a license change by Reed CARP (Common Address Redundancy Protocol) ¢ Allows mutiple hosts to share an IP ¢ Free, non-patent encumbered ¢ Secure (compared to VRRP/HSRP) ¢ IPv4 and IPv6 support pfsync ¢ Network interface that exposes pf state table changes ¢ Can be configured to share changes over the network ¢ Can be configured to listen for changes on the network ¢ Unsecure – use IPSEC or X-over cable Competition ¢ Cisco PIX l Friends don’t let friends use PIX ¢ Juniper Netscreen l Decent, not enough experience to judge ¢ Checkpoint Firewall NG l Excellent for large numbers of nodes, overkill for 1 or 2 locations/nodes ¢ Linux IPtables/heartbeat l No state table failover ¢ Linux pf/carp (ugh!) l It has been ported… In Production ¢ 2 VIA 1Ghz C3 1U rackmounts ¢ 20-30Mb/s average, peaks of ~70Mb/s ¢ Replaced CheckPoint Firewall NG ¢ pf/CARP Implementation: l 2 hours setup and install l 1 hour converting Checkpoint rules • Working on python script to automate this! l 1 week proof of concept / testing Fwbuilder ¢ GUI Ruleset builder ¢ Works with pf ¢ Works with iptables ¢ Runs on Linux and Windows ¢ Uses native configuration (ssh/scp to set stuff up – no config daemon!) ¢ No carp/pfsync support L Demo Architecture.