Firewall Wizards mailing list archives
pix and ssh
From: Boni Bruno <bbruno () dsw net>
Date: Fri, 19 Apr 2002 20:51:24 -0400
I've seen certain versions of Pix and the Cisco Firewall Feature Set have memory leaks in their ssh implementation which have caused their devices to crash. A software upgrade fixed the problem.

-boni bruno

firewall-wizards-request () nfr com wrote:
Send firewall-wizards mailing list submissions to
    firewall-wizards () nfr com
To subscribe or unsubscribe via the World Wide Web, visit
    http://list.nfr.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
    firewall-wizards-request () nfr com
You can reach the person managing the list at
    firewall-wizards-admin () nfr com
When replying, please edit your Subject line so it is more specific than "Re: Contents of firewall-wizards digest..."

Today's Topics:
   1. pix and ssh (swapbox10467 () yahoo com)
   2. Re: RES: [fw-wiz] Firewall Load Balance (paul)

--__--__--

Message: 1
Date: 18 Apr 2002 16:56:00 -0000
From: <swapbox10467 () yahoo com>
To: firewall-wizards () nfr net
Subject: [fw-wiz] pix and ssh

Anyone seen where you can crash a pix via ssh? I've been able to successfully crash a pix fw via an ssh client and am curious if anyone else has seen this.

--__--__--

Message: 2
Date: Thu, 18 Apr 2002 14:58:36 -0400 (EDT)
From: paul <paul () hessels ca>
To: <firewall-wizards () nfr com>
Cc: mahhy <mahhy () undertow ca>, Marcelo Barbosa Lima <mblima () opencs com br>
Subject: Re: RES: [fw-wiz] Firewall Load Balance

The routing protocol doesn't really have anything to do with the actual load balancing. The routing engine is what will tell you if you can do this or not. Most routing engines, the routing in the Linux kernel for instance, use ECMP[1], Equal Cost Multi Pathing. Basically the load balancing is done based on a src/dst ip pair, sometimes with src/dst port thrown in. ECMP is cheap vs per-packet load balancing, so it's likely your router will use ECMP. If your router does ECMP with src/dst ip then your stateful firewall should work without any problems. If it uses src/dst port you can get into problems with things like active ftp. If it doesn't use ECMP, but uses per-packet load balancing, you are SOL. With ECMP the firewalls don't have to have the same connection tracking table.

SIMPLE EXAMPLE: ECMP should always choose the same paths.

                         /----firewallA---WebFarmA
    internet---router(ECMP)
                         \----firewallB---WebFarmB

COMPLEX EXAMPLE: There are, of course, more complex examples. You can run into problems with dynamic load balancing and stateful firewalls... assuming you have two firewalls between four routers... a six pack if you will. In this example I will assume all 6 machines are running Linux with zebra-ospf (including the firewalls).

    i\
    n \BGPpeerA
    t }---------routerA---firewallA---routerC--WebFarmA
    e }            |         \     /       \     /
    r }            |         /     \       /     \
    n }---------routerB---firewallB---routerD--WebFarmB
    r /BGPpeerB
    t/

This gives you a load balanced, highly available connection... the problem arises if the different routers decide on different than expected return paths. For instance, if the traffic path looks like this then your firewall won't be able to be stateful:

    BGPpeerB > routerB > firewallB > routerD > WebFarmB > routerD > firewallA > routerB

What we did to solve this, hackish I'll admit, is to run NAT on the firewalls with the right of the diagram being internal address space. This ensures that the return path is the correct one. You could also force paths through the network by setting local-prefs.... less hackish, but less load balanced... depending on what your two internet connections are sized to.

DISCLAIMER: I haven't had my coffee yet today... nor my donut.

[1] There is a RFC about this.... done by the people at merit.

On Thu, 18 Apr 2002, Marcelo Barbosa Lima wrote:

Thanks Rob, but I think that this doesn't work very well. It's important that both Linux boxes have the same connection tracking table. OSPF does load balance in packet traffic. It doesn't pay attention to connections before forwarding packets. I believe that some packets can be rejected in the stateful firewall.

-----Original message-----
From: mahhy [mailto:mahhy () undertow ca]
Sent: Thursday, 18 April 2002 09:18
To: Marcelo Barbosa Lima
Cc: firewall-wizards () nfr com
Subject: Re: [fw-wiz] Firewall Load Balance

On Tue, 16 Apr 2002, Marcelo Barbosa Lima wrote:

Is it possible to implement an architecture of firewall load balance using only two Linux boxes? LVS permits to implement load balance to services. I want to offer load balance and high availability using Linux. Did anybody do it? Thanks,

I currently do this at work. Two Linux iptables firewalls, using the High Availability package from www.linux-ha.org. This allows the Primary Firewall to fail and the Secondary to take over. I know this isn't quite what you are looking for, as you would like to load balance over the two machines. My solution to this was to use OSPF on the firewalls, and a fairly intelligent router behind the firewall. It basically round robins any outbound connections to the two machines (since in OSPF terms there are two default routes). I'm sure there are other ways to achieve this as well.
-- yow

--__--__--

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards

End of firewall-wizards Digest
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
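As an added illustration of paul's point in the quoted digest about ECMP hashing versus stateful firewalls (example code written for this archive page, not anything the posters ran), here is a toy model of his simple two-firewall example: one function stands in for the router's path choice and a small class stands in for each stateful Linux box, replaying an active FTP session under the three balancing policies he contrasts. Assumed rather than taken from the thread: the addresses and ports, the summing "hash", that both sides of the firewalls balance the same way, and the firewall policy that a server-initiated data connection is only allowed as RELATED to a control session the same box has seen.

```python
import ipaddress

FIREWALLS = ("firewallA", "firewallB")
CLIENT, SERVER = "198.51.100.7", "192.0.2.10"   # constructed sample addresses

def pick_path(policy, pkt, counter):
    """'l3' hashes the src/dst IP pair, 'l4' also adds the ports, 'per-packet'
    round-robins. Summing the fields is a toy, symmetric stand-in for a real
    router's flow hash (assumed: both directions of a flow hash alike)."""
    src, dst, sport, dport = pkt
    if policy == "per-packet":
        return FIREWALLS[counter % len(FIREWALLS)]
    key = int(ipaddress.ip_address(src)) + int(ipaddress.ip_address(dst))
    if policy == "l4":
        key += sport + dport
    return FIREWALLS[key % len(FIREWALLS)]

class StatefulFirewall:
    """Assumed policy: inbound FTP control (port 21) is allowed; a server-initiated
    active-mode data connection (source port 20) is allowed only as RELATED to a
    control session this same box has seen; anything else needs a table entry."""
    def __init__(self):
        self.table = set()   # entries are frozensets of (ip, port) endpoints
    def accept(self, pkt, inbound):
        src, dst, sport, dport = pkt
        flow = frozenset([(src, sport), (dst, dport)])   # direction-agnostic key
        if flow in self.table:
            return True
        related = any((src, 21) in f and any(ip == dst for ip, _ in f)
                      for f in self.table)
        if (inbound and dport == 21) or (not inbound and sport == 20 and related):
            self.table.add(flow)
            return True
        return False

def run_active_ftp(policy):
    """Replay a constructed active-FTP trace; return indexes of dropped packets."""
    fws = {name: StatefulFirewall() for name in FIREWALLS}
    trace = [  # ((src, dst, sport, dport), arriving from the Internet side?)
        ((CLIENT, SERVER, 40001, 21), True),    # client opens control connection
        ((SERVER, CLIENT, 21, 40001), False),   # server's control reply
        ((SERVER, CLIENT, 20, 40003), False),   # server opens active-mode data conn
        ((CLIENT, SERVER, 40003, 20), True),    # client's reply on the data conn
        ((CLIENT, SERVER, 40001, 21), True),    # later control traffic
    ]
    dropped = []
    for i, (pkt, inbound) in enumerate(trace):
        if not fws[pick_path(policy, pkt, i)].accept(pkt, inbound):
            dropped.append(i)
    return dropped
```

With the IP-pair hash nothing is dropped; adding the ports sends the data connection to the firewall that never saw the control session, and per-packet balancing breaks even the control connection itself.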
Current thread:
- pix and ssh swapbox10467 (Apr 19)
- Re: pix and ssh Chris Lonvick (Apr 20)
- <Possible follow-ups>
- pix and ssh Boni Bruno (Apr 20)