Redundancy on FreeBSD with PF and CARP

PF

OpenBSD's firewall software Packet Filter (PF) has been part of FreeBSD since version 5.3. It replaced the old firewall software IPFilter in OpenBSD at the end of 2001 and has been actively developed since. PF is available for all BSDs and is held in high esteem. The wealth of functionality in PF makes it one of the most versatile software firewalls, surpassing commercially available hardware firewalls. Together with pfsync and CARP, PF enables you to protect networks in unique ways. With quite small effort a corporate network can be connected to the Internet with high connectivity and redundancy. PF handles NAT and IPv6 in a simple and easy way. The simple yet powerful syntax of PF rulesets is easy to learn and maintain. A few lines can express complex combinations, and even load balancing and the maintenance of large IP address lists (e.g. for SPAM) is easy.

pfsync

PF is a stateful firewall. That means that for each connection (TCP and all other IP-based protocols) PF keeps status information in a so-called "state entry". All properties of that connection are kept there, and PF can stop many attacks with this information. Clients with a "weak" TCP stack can be protected from "Initial Sequence Number" attacks. If you want redundant firewalls, this information needs to be available to all of them; otherwise the connection is lost when a firewall fails. pfsync was developed to let redundant firewalls synchronise their state entries and thereby give full redundancy. Since PF also stores NAT information in state entries, it is also possible to redundantly connect clients behind a NAT firewall to the Internet.

CARP

The Common Address Redundancy Protocol (CARP) was developed in 2004 as a free replacement for Cisco's patented VRRP, and is available on OpenBSD and FreeBSD. It has the same functionality as VRRP but adds features VRRP's designers seem to have forgotten. CARP supports IPv6 and is encrypted, protecting it from many attacks VRRP is vulnerable to.

Simply put, CARP enables you to hide many machines behind the same IP address. If one machine fails, another one takes over. Additionally, it is possible to distribute the load over all machines and sustain correct operation even when multiple machines fail. The configuration of CARP is surprisingly simple: CARP is presented to the user as a virtual interface and is therefore as simple to use as a VLAN adapter.
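The following script is an added example, not part of the original text, showing what the CARP and pfsync configuration described above looks like on a FreeBSD firewall pair. It assumes FreeBSD 10 or newer, where the CARP address is configured directly on the physical interface with ifconfig (vhid, advskew, pass, alias); the interface names em0/em1, the shared address 192.0.2.1/24 and the password "changeme" are placeholders to replace. By default it only prints the commands it would run; set DRY_RUN=0 and run it as root on each firewall (with "master" or "backup" as the argument) to apply them.

```shell
#!/bin/sh
# Added example: bring up a CARP shared address plus a pfsync state-sync link
# on a FreeBSD firewall. Interface names, the address and the password are
# placeholders; run with DRY_RUN=0 on a real box (as root) to execute.
ROLE="${1:-master}"                 # "master" (advskew 0) or "backup" (advskew 100)
EXT_IF="${EXT_IF:-em0}"             # assumed: interface that carries the shared IP
SYNC_IF="${SYNC_IF:-em1}"           # assumed: dedicated link between the two firewalls
VHID="${VHID:-1}"                   # virtual host id; must match on every member
VIP="${VIP:-192.0.2.1/24}"          # placeholder shared address (TEST-NET-1)
CARP_PASS="${CARP_PASS:-changeme}"  # shared secret that authenticates advertisements
DRY_RUN="${DRY_RUN:-1}"             # 1 = print the commands, 0 = execute them

# Lower advskew wins the election; the backup gets a higher skew so it only
# takes over when the master's advertisements stop arriving.
advskew_for() {
    case "$1" in
        master) echo 0 ;;
        backup) echo 100 ;;
        *) echo "unknown role: $1" >&2; return 1 ;;
    esac
}

# The ifconfig line that adds the CARP address (FreeBSD 10+ syntax, where CARP
# is an address on the physical interface rather than a separate carpN device).
carp_cmd() {
    skew="$(advskew_for "$1")" || return 1
    printf 'ifconfig %s inet vhid %s advskew %s pass %s alias %s\n' \
        "$EXT_IF" "$VHID" "$skew" "$CARP_PASS" "$VIP"
}

# pfsync0 mirrors the state table to the peer over SYNC_IF. pfsync has no
# authentication or encryption of its own, so this must be a link that only
# the firewalls can reach (a crossover cable or an isolated segment).
pfsync_cmds() {
    printf 'ifconfig pfsync0 create\nifconfig pfsync0 syncdev %s up\n' "$SYNC_IF"
}

# PF rules both peers need: let pfsync through on the sync link and CARP
# advertisements through on the shared interface. "no-sync" keeps these
# states local instead of replicating them to the peer.
pf_rules() {
    cat <<EOF
pass quick on $SYNC_IF proto pfsync keep state (no-sync)
pass on $EXT_IF proto carp keep state (no-sync)
EOF
}

# Print a command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$1"; else sh -c "$1"; fi
}

main() {
    run "kldstat -q -m carp || kldload carp"   # load the carp module if needed
    run "sysctl net.inet.carp.preempt=1"       # master reclaims the address when it returns
    cmd="$(carp_cmd "$ROLE")" || return 1
    run "$cmd"
    pfsync_cmds | while IFS= read -r c; do run "$c"; done
    printf '# add to /etc/pf.conf on both firewalls:\n'
    pf_rules
}

main
```

The same settings can be made persistent in /etc/rc.conf (ifconfig_em0_alias0 for the CARP address, cloned_interfaces="pfsync0" with ifconfig_pfsync0="syncdev em1 up"), and the pf.conf lines belong near the top of the ruleset so they are not shadowed by a later block rule. The password is only a shared secret for CARP's advertisement authentication, so the file holding it should be readable by root only.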