RE: Slashdot | Black Ops of TCP/IP: Paketto Keiretsu 1.0 Release

by Decius at 11:46 pm EST, Nov 18, 2002

Reknamorken wrote:

] They will both receive/process packets going through. Just
] block the packets on the secondary in and out. It will
] maintain its own state. Roughly anyway.
]
] Failover by having the secondary just stop being blocked.

That's a novel idea, but this tool doesn't help you do that.

You either put the firewalls on broadcast MACs a la StoneBeat or you have hubs. Firewalls see all traffic and perform all functions. Offline firewall can't write anything to the network.

I think this is actually trickier than it sounds. The offline firewall is going to pick certain port numbers/sequence numbers for packets and the responding packets it sees on the network aren't going to correspond to that because the online firewall is making different choices for those things. So you have to coax the offline firewall to store its state information by spying on the online firewall and pulling these pieces of information out. I think it probably ends up being easier to just have the online firewall TELL the offline firewall what it needs to know. No screwing around with parsing packets. No possibility that the two get out of sync.

This also doesn't work at all for stuff in encrypted tunnels nor for the actual key data for encrypted tunnels.

BTW, this is the best conversation on memestreams to date. Props. :)
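The failover problem Decius describes, as an added toy model that is not code from this thread or from Paketto Keiretsu: an active NAT firewall and a standby both see every inside-to-outside packet, but a standby that runs its own state machine picks its own public port, so the reply that comes back on the wire matches nothing in its table; an explicit state push from the active box fixes that. The addresses, ports and the per-box port allocators are constructed assumptions.

```python
"""Toy model of stateful NAT failover: a sniffing standby that makes its
own translation choices versus one that is told the active box's state.
Addresses, ports and allocator start points are constructed sample values."""
from dataclasses import dataclass

PUBLIC_IP = "198.51.100.1"   # constructed NAT address shared by both boxes


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatFirewall:
    """Stateful source-NAT box.  Each box has its own port allocator; the
    different start points stand in for the independent (in practice
    randomized) port/sequence choices the two firewalls would make."""

    def __init__(self, first_port):
        self.next_port = first_port
        self.state = {}   # (peer ip, peer port, public port) -> (inside ip, inside port)

    def outbound(self, pkt):
        """Translate an inside packet and record the flow; returns the wire packet."""
        pub, self.next_port = self.next_port, self.next_port + 1
        self.state[(pkt.dst, pkt.dport, pub)] = (pkt.src, pkt.sport)
        return Packet(PUBLIC_IP, pub, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """Reverse-translate a reply, or None (drop) if no state entry matches."""
        inside = self.state.get((pkt.src, pkt.sport, pkt.dport))
        return None if inside is None else Packet(pkt.src, pkt.sport, *inside)


def failover_demo(sync_state):
    """True if the standby can keep an established flow alive after failover."""
    active, standby = NatFirewall(first_port=1024), NatFirewall(first_port=2048)
    inside = Packet("10.0.0.5", 40000, "203.0.113.9", 80)   # constructed flow
    on_wire = active.outbound(inside)
    if sync_state:
        standby.state.update(active.state)   # the online firewall TELLS the standby
    else:
        standby.outbound(inside)             # standby processes the packet itself
    # The peer answers the port the ACTIVE box chose; the standby sees that reply.
    reply = Packet(on_wire.dst, on_wire.dport, on_wire.src, on_wire.sport)
    return standby.inbound(reply) is not None
```

With `sync_state=False` the standby's table holds a different public port and drops the reply; with `sync_state=True` the pushed entry matches and the flow survives.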
