1. Introduction

Firewalls are among the most critical components in a network infrastructure, since their failure may cause entire groups of machines to go offline. The damage may range from the public (web, mail, DNS, etc.) servers to become unreachable from the outside world up to being unable to surf this web site!

Using firewall clusters can dramatically reduce these risks, making the failure of a firewall completely transparent to users. Also, maintenance (patching, upgrading, rebooting...) becomes much easier and faster when relying on a backup machine, thus indirectly increasing systems security and reliability.

On the other hand, it's true that redundancy increases hardware costs and can't solve each and every problem, like transparent transfer of certain protocols (e.g. SSH or IRC) between systems or synchronizing data between clustered machines (in matter of fact, we will rely on two different protocols for failover and synchronization).

The tools we will use to build our failover cluster are:

OpenBSD

largely considered one of the most secure OSes around, with only two remote holes in the default install, in a heck of a long time!;

Packet Filter (PF)

OpenBSD's system for filtering TCP/IP traffic and doing Network Address Translation;

CARP (Common Address Redundancy Protocol)

the protocol that achieves system redundancy, by having multiple computers creating a single, virtual network interface between them;

pfsync

the protocol that allows PF state tables to be synchronized between multiple firewalls.

A good knowledge of OpenBSD and PF is assumed, since we won't cover topics like pfctl(8) and pf.conf(5) syntax. Anyway, the appendix contains some useful links for more on these topics.