OpenBSD Journal

OpenBSD In May 2005 issue of Sys Admin

Contributed by phessler on from the dead-tree-causes-paper-cuts dept.

Frequent reader Steve writes in to tell us that Jason Dixon has an article entitled Failover Firewalls with OpenBSD and CARP in the May 2005 issue of Sys Admin Magazine. Mr Dixon discusses how to install and configure redundant and stateful firewalling.

Update 2005/04/25: Mr Dixon worked with the publishers of Sys Admin Magazine, and they generously put a copy of his article avaliable online at http://www.samag.com/documents/s=9658/sam0505e/

(Comments are closed)


Comments
  1. By Anonymous Coward (200.5.117.242) on

    Unfourtunately it seems that the article is not available for non-subscribers...

    Comments
    1. By Jason Dixon (69.174.136.18) jason@dixongroup_NO_SPAM_.net on http://www.dixongroup.net

      Don't feel bad; I'm a subscriber and I don't have access to it online either. I think they only publish a few articles online each month, with summaries of the other articles. Go out and get your copy before they're sold out!   :)

      Seriously, I plan on publishing it online as soon as I'm legally allowed. According to the contributor's agreement, I cannot publish it until 3 months after they do. So, look for it sometime in July.

      -J.

      Comments
      1. By Anonymous Coward (200.5.117.242) on

        Jason, ok, thanks for your comments, waiting for your release...
        P.S.: anyway I'm planning to subscribe to SysAdmin)

        Comments
        1. By marco (but not marco@) (149.169.52.82) on

          a subscription is worth it, just for jason's article. very well written and very easily understood

          now, i can do without the seemingly every-issue solaris solaris & sans supplements ...

      2. By Kevin (66.92.34.80) on http://www.ebiinc.com

        Not sure quite what the deal was with this particular issue, but both my local (usually well-stocked) B&N and Borders both ran out of this issue early. :-\

        For those that usually might not normally pick up this magazine or who might consider skipping this issue, I really encourage you to go pick up a copy--especially if you're considering CARP.


        Kevin
        P.S. Solid article, Jason--nice work. :-)

  2. By JC (24.203.161.144) on

    I'm a subscriber and was delighted to see this article mentionned in this month's front page. And may I say, it's a really nice article that exposes very nicely OpenBSD's redundancy/failover capabilities, with just enough detail to show how easy it actually is to implement! One question though (if Jason or someone else can elighten me): in the advanced configuration mentionned, wouldn't the arpbalance always "resolve " to the same machine as it always comes from the MAC of the router and, as it is my understanding, arpbalance only does "balancing" based on the source MAC address? JC

    Comments
    1. By Jason Dixon (69.174.136.18) jason@dixongroup_NO_SPAM_.net on http://www.dixongroup.net

      According to carp (4), the CARP members agree on one of the virtual hosts (VHID) to be used based on the source address. It is unclear how it decides on the host, although I presume that it's a round-robin method. I don't think there is any stickiness to the assignment, hence a fairly even distribution across virtual hosts.

      Someone please correct me if I'm wrong on this. :)

      -J.

      Comments
      1. By Krunch (80.201.190.38) on http://krunch.servebeer.com/~krunch/

        I don't know how it's implemented but I think that doing it "round-robinly" is not very safe: what if one of the CARP hosts miss an ARP packet ?

  3. By Kiraly Zoltan (82.79.81.6) yo2lux@metawire.org on http://home.wplink.net/~yo2lux

    I want to obtain this article but i live in Romania, and i don't have VISA, Mastercard,American Express to buy this Magazine.

    Sorry for this stupid question please don't swear me. Anyone have this article (Failover Firewalls with OpenBSD and CARP) scanned, and want to send me in e-mail ?

    I don't want to publish this article on web pages, i appreciate Jason Dixon work.

    If anyone want to help me please send an e-mail to : yo2lux@metawire.org

    Thank you very much

  4. By Anonymous Coward (193.167.7.16) on

    I guess this would make a nice firewall. But how do you sell this system since each version of OpenBSD is supported for one year? After a year OpenBSD should be upgraded, since bugfixes are nolonger availabe to the older versions. Is this a problem?

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]