cluster — Kernun firewall cluster support
Firewalls can be grouped into clusters consisting of one master and one or more hot-standby backups. Under normal circumstances, all communication is handled solely by the master. If the master fails, one of the backups takes over all the services after a brief interval of several seconds. One physical cluster of firewalls can provide several logical clusters. In such a case, each logical cluster has a different master, which handles a certain subset of services. The advantage of such a setup is that when all firewalls are functional, the workload is distributed among them.
The signalling and switching of states between the master and the backup is implemented using carp(4). Virtual CARP network interfaces and scripts for testing communication failures are configured in cml(8) in section system.cluster; see also system(5).