failover is fun.
Fri, Aug 20, 2004
I've been looking around for firewall failover solutions this past week, and it seems OpenBSD has provided me with a very nice solution in CARP. It can operate on top of IPv4 or IPv6 and is encrypted. It apparently fakes a MAC address to be shared between the failover machines. When one fails, the other one assumes the MAC and takes on the firewall role. In OpenBSD this is aided through pfsync, which as the name implies syncs the packet filter rules. A nice explanation of the system is here.
FreeBSD and OpenBSD apparently have integrated native support; on Linux I'm going to have to use ucarp. This should be an interesting project.