pf (distributed management)



Hi,

(I had a short talk about that w/ dhartmei already, but since this is
not only his project any longer ..)

I really appreciate the (fast) development of pf, but there is stuff
missing, which is not "urgent" but should be considered from a design
point of view: Failover / Load Balancing.

Dhartmei pointed to altq, but he agreed the point 'syncing state table'
is missing at any point and should be done by pf internally. 
I know that this is really not trivial to implement it in a good manner,
say a better one than the most commercial stuff has for now.


Another point in there is management; I am actually about to design
a distributed management of several ipf packetfilters. 
Based on ssh/make/m4 for now. The rule generation is one point, the other
one is the activation of these rules. I could think of a cron/whatever
triggered activation (ipf -s) of new rules in a trusted place in the
filesystem. But I would prefer something like `rndc' from BIND9 where I can
trigger some administrativa based on HMAC-MD5 [and src IP :P] authentication.

The 'cron' way wouldn't need that, but I dislike it for obvious reasons.

I know that there is more important stuff to do now and the trigger-part
could be done later, somewhat separated.
But the point about syncing state/rule tables between 2 or more hosts is
in my eyes something which should be at least considered now in the future
design of the pf codebase (?).

ciao
PS: if anyone is already working on some distributed management for [i]pf,
please contact me :>
-- 
Philipp Buehler, aka fips | sysfive.com GmbH | BOfH | NUCH | <double-p> 

#1: Break the clue barrier!
#2: Already had buzzword confuseritis ? 
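The rndc-style trigger the mail proposes (an authenticated message that tells a remote filter host to activate a new ruleset, checked against a shared key and the source address), as an added example that is not part of the original post. It swaps HMAC-SHA256 for the HMAC-MD5 the mail mentions, and the key, allowed source address, command names and message layout are all constructed for the example.

```python
import hashlib
import hmac
import ipaddress
import json
import time

# Constructed shared secret for the example; in practice it would be read
# from a root-only key file, the way rndc does.
SHARED_KEY = b"example-shared-secret-not-for-production"
# Hosts allowed to trigger an action (the "and src IP" check from the mail).
ALLOWED_SOURCES = {ipaddress.ip_address("192.0.2.10")}
ALLOWED_COMMANDS = {"reload", "status"}   # constructed command set
FRESHNESS_WINDOW = 30                    # seconds of clock skew tolerated


def build_trigger(command, key=SHARED_KEY, now=None, nonce="n0"):
    """Management side: serialise the request and append its HMAC tag."""
    ts = int(now if now is not None else time.time())
    body = json.dumps({"cmd": command, "ts": ts, "nonce": nonce}, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "mac": tag}


class TriggerVerifier:
    """Filter-host side: accept a trigger only if it is authentic, fresh,
    unseen, from an allowed source and names a known command."""

    def __init__(self, key=SHARED_KEY, allowed_sources=ALLOWED_SOURCES):
        self.key = key
        self.allowed_sources = allowed_sources
        self.seen_nonces = set()  # replay cache; prune entries older than the window in a long-running daemon

    def verify(self, message, src_ip, now=None):
        """Return (command, "ok") or (None, reason)."""
        now = int(now if now is not None else time.time())
        if ipaddress.ip_address(src_ip) not in self.allowed_sources:
            return None, "source address not allowed"
        expected = hmac.new(self.key, message["body"].encode(), hashlib.sha256).hexdigest()
        # Constant-time comparison so the tag cannot be matched byte by byte.
        if not hmac.compare_digest(expected, message["mac"]):
            return None, "bad MAC"
        fields = json.loads(message["body"])   # body is trusted only after the MAC check
        if abs(now - fields["ts"]) > FRESHNESS_WINDOW:
            return None, "stale message"
        if fields["nonce"] in self.seen_nonces:
            return None, "replayed nonce"
        if fields["cmd"] not in ALLOWED_COMMANDS:
            return None, "unknown command"
        self.seen_nonces.add(fields["nonce"])
        return fields["cmd"], "ok"
```

The MAC is checked before the body is parsed or the timestamp trusted, so an unauthenticated sender cannot influence anything but the source-address check.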
