pf (distributed management)
- To: tech_(_at_)_openbsd_(_dot_)_org
- Subject: pf (distributed management)
- From: Philipp Buehler <lists_(_at_)_fips_(_dot_)_de>
- Date: Sun, 22 Jul 2001 12:22:21 +0200
- Mail-followup-to: tech_(_at_)_openbsd_(_dot_)_org
- Reply-to: Philipp Buehler <lists_(_at_)_fips_(_dot_)_de>
(I had a short talk about that w/ dhartmei already, but since this is
not only his project any longer ..)
I really appreciate the (fast) development of pf, but there is stuff
missing, which is not "urgent" but should be considered from a design
point of view: Failover / Load Balancing.
Dhartmei pointed to altq, but he agreed the point 'syncing state table'
is missing at any point and should be done by pf internally.
I know that this is really not trivial to implement it in a good manner,
say a better one than the most commercial stuff has for now.
Another point in there is management; I am actually about to design
a distributed management of several ipf packetfilters.
Based on ssh/make/m4 for now. The rule generation is one point, the other
one is the activation of these rules. I could think of a cron/whatever
triggered activation (ipf -s) of new rules in a trusted place in the
filesystem. But I would prefer something like `rndc' from BIND9 where I can
trigger some administrativa based on HMAC-MD5 [and src IP :P] authentication.
The 'cron' way wouldn't need that, but I dislike it for obvious reasons.
I know that there is more important stuff to do now and the trigger-part
could be done later, somewhat separated.
But the point about syncing state/rule tables between 2 or more hosts is
in my eyes something which should be at least considered now in the future
design of the pf codebase (?).
PS: if anyone is already working on some distributed management for [i]pf,
please contact me :>
Philipp Buehler, aka fips | sysfive.com GmbH | BOfH | NUCH | <double-p>
#1: Break the clue barrier!
#2: Already had buzzword confuseritis ?
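An illustrative sketch of the rndc-style trigger the post asks for (an authenticated, source-checked message that activates a new ruleset), added here as an example; it is not code from the author, from pf or from BIND. It uses HMAC-SHA256 in place of the HMAC-MD5 the post mentions, and adds a timestamp and nonce so that a captured trigger cannot be replayed. The shared key, the permitted management address and the command token are constructed placeholders.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Set, Tuple

# Constructed placeholders: in practice the key lives in a root-only file
# and the allowed source is the management host's address.
SHARED_KEY = b"example-shared-key-not-for-production"
ALLOWED_SRC = {"192.0.2.10"}
MAX_SKEW = 30  # seconds a trigger stays acceptable


def build_command(cmd: str, key: bytes = SHARED_KEY, now: Optional[float] = None) -> str:
    """Management side: wrap a command token as ts:nonce:cmd:hmac (cmd must not contain ':')."""
    ts = int(now if now is not None else time.time())
    nonce = secrets.token_hex(8)
    msg = f"{ts}:{nonce}:{cmd}"
    tag = hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()
    return f"{msg}:{tag}"


class TriggerVerifier:
    """Firewall side: accept a trigger only if it comes from an allowed source,
    carries a valid MAC, is fresh, and has not been seen before."""

    def __init__(self, key: bytes = SHARED_KEY, allowed_src: Set[str] = ALLOWED_SRC,
                 max_skew: int = MAX_SKEW) -> None:
        self.key, self.allowed_src, self.max_skew = key, allowed_src, max_skew
        self.seen: Set[Tuple[str, str]] = set()  # (timestamp, nonce) pairs already used

    def verify(self, wire: str, src_ip: str, now: Optional[float] = None) -> Tuple[bool, str]:
        if src_ip not in self.allowed_src:          # cheap check first, like the [src IP] idea
            return False, "source not permitted"
        try:
            ts_s, nonce, cmd, tag = wire.split(":")
        except ValueError:
            return False, "malformed"
        expected = hmac.new(self.key, f"{ts_s}:{nonce}:{cmd}".encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):  # constant-time comparison
            return False, "bad mac"
        t = now if now is not None else time.time()
        if abs(t - int(ts_s)) > self.max_skew:      # MAC was valid, so ts_s is the sender's int
            return False, "stale"
        self.seen = {s for s in self.seen if t - int(s[0]) <= self.max_skew}  # forget old nonces
        if (ts_s, nonce) in self.seen:
            return False, "replay"
        self.seen.add((ts_s, nonce))
        return True, cmd                            # caller now runs e.g. the rule activation


if __name__ == "__main__":
    v = TriggerVerifier()
    print(v.verify(build_command("activate"), "192.0.2.10"))  # (True, 'activate')
```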