RedundantFirewallSpec

Please check the status of this specification in Launchpad before editing it. If it is Approved, contact the Assignee or another knowledgeable person before making changes.

  • Launchpad Entry: redundant-firewall

  • Packages affected: libnfnetlink, libnetfilter-conntrack, conntrack-tools

Summary

Ubuntu should provide a way to set up a set of redundant firewalls by sharing conntrack tables.

Release Note

This release of Ubuntu provides updated firewall tooling that allows you to set up redundant firewalls, which is well suited to production environments.

Rationale

Redundancy and failover are key in any production environment. We have the bits in place to make virtually everything else redundant, but not firewalls, because the in-memory table of connection state couldn't be shared between two (or more) machines. With recent changes to netfilter, this is now possible.

Use Cases

Assumptions

Design

Implementation

The current upstream versions of libnfnetlink, libnetfilter-conntrack, and conntrack-tools provide the basic tools to pull this off, so the Ubuntu packages should be updated to those versions. On top of that, we should provide a simple means of creating a collection of firewalls that share their conntrack information (configurable in /etc/default/conntrack-tools).
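As an added illustration of what such a "simple means" could look like (example code written for this page, not part of the spec or of conntrack-tools), the script below renders a conntrackd.conf for one node of a redundant pair from a handful of variables, modelled on the proposed /etc/default/conntrack-tools, and encodes the command sequence a failover hook (for example a keepalived notify script) runs when the node changes role. The variable names (SYNC_INTERFACE, SYNC_LOCAL_ADDR, SYNC_NETWORK, SYNC_MCAST_ADDR, SYNC_MCAST_PORT) and the addresses are assumptions; the configuration keywords and the conntrackd flags are the ones documented by conntrack-tools.

```shell
#!/bin/sh
# Added example for the RedundantFirewallSpec page; not code from the spec
# or from the conntrack-tools project. Variable names and values below are
# assumptions standing in for the proposed /etc/default/conntrack-tools.

# Settings one node would get from /etc/default/conntrack-tools (constructed values).
SYNC_INTERFACE="${SYNC_INTERFACE:-eth2}"             # dedicated back-to-back link between the firewalls
SYNC_LOCAL_ADDR="${SYNC_LOCAL_ADDR:-192.168.100.1}"  # this node's address on that link
SYNC_NETWORK="${SYNC_NETWORK:-192.168.100.0/24}"     # the whole sync network, never replicated
SYNC_MCAST_ADDR="${SYNC_MCAST_ADDR:-225.0.0.50}"     # multicast group the nodes replicate over
SYNC_MCAST_PORT="${SYNC_MCAST_PORT:-3780}"
CONNTRACKD_CONFIG="${CONNTRACKD_CONFIG:-/etc/conntrackd/conntrackd.conf}"
CONNTRACKD_BIN="${CONNTRACKD_BIN:-/usr/sbin/conntrackd}"

# Print a conntrackd.conf using the FTFW (reliable, acknowledged) replication mode.
# The sync link carries unauthenticated state updates, so it is bound to a dedicated
# interface and its own addresses are excluded from replication via Address Ignore.
render_conntrackd_conf() {
    cat <<EOF
Sync {
    Mode FTFW {
        ResendQueueSize 131072
        PurgeTimeout 60
    }
    Multicast {
        IPv4_address $SYNC_MCAST_ADDR
        Group $SYNC_MCAST_PORT
        IPv4_interface $SYNC_LOCAL_ADDR
        Interface $SYNC_INTERFACE
        Checksum on
    }
}
General {
    HashSize 8192
    HashLimit 65535
    Syslog on
    LockFile /var/lock/conntrack.lock
    UNIX {
        Path /var/run/conntrackd.ctl
        Backlog 20
    }
    Filter From Userspace {
        Protocol Accept {
            TCP
            UDP
            ICMP
        }
        Address Ignore {
            IPv4_address 127.0.0.1
            IPv4_address $SYNC_LOCAL_ADDR
            IPv4_address $SYNC_NETWORK
        }
    }
}
EOF
}

# conntrackd flags to run, in order, when this node changes role. The sequence
# mirrors the primary-backup.sh hook shipped with conntrack-tools: a new primary
# commits the external cache into the kernel (-c), flushes the caches (-f),
# resyncs its internal cache from the kernel table (-R) and sends a bulk update
# to the backups (-B); a node becoming backup shortens kernel timers so stale
# entries expire (-t) and asks the primary for a resync (-n); on fault it only
# shortens the timers (-t).
failover_commands() {
    case "$1" in
        primary) printf '%s\n' -c -f -R -B ;;
        backup)  printf '%s\n' -t -n ;;
        fault)   printf '%s\n' -t ;;
        *)       echo "usage: run_failover {primary|backup|fault}" >&2; return 1 ;;
    esac
}

# Execute the sequence for the given role against the rendered configuration.
run_failover() {
    failover_commands "$1" | while read -r flag; do
        "$CONNTRACKD_BIN" -C "$CONNTRACKD_CONFIG" "$flag"
    done
}
```

To use it, source the script on each node with that node's own SYNC_LOCAL_ADDR, write `render_conntrackd_conf` to $CONNTRACKD_CONFIG, and have the VRRP/keepalived notify hook call `run_failover primary|backup|fault`. The Address Ignore entries matter: without them each node would replicate state for the sync traffic itself, and the dedicated interface keeps the unauthenticated multicast updates off the production networks.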

Test/Demo Plan

It's important that we are able to test new features and demonstrate them to users. Use this section to describe a short plan that anybody can follow to demonstrate that the feature is working. This can then be used during CD testing, and to show off after release.

This need not be added or completed until the specification is nearing beta.

Outstanding Issues

  • This is all very cutting-edge stuff and, to my knowledge, no distribution has made a release with this software, so we need to test it really thoroughly.

BoF agenda and discussion


CategorySpec

RedundantFirewallSpec (last edited 2008-08-06 16:24:20 by localhost)