QUIVIR Research Group
Conntrackd


conntrack-tools

  • conntrack-tools by Pablo Neira Ayuso. The Connection Tracking System is an in-kernel subsystem that stores information about the state of the connections the firewall is currently forwarding. This extra information enables a more intelligent way to define filtering policies, also known as stateful firewalling. In other words, the subsystem lets us detect malformed packets, invalid sequences for OSI layer 3 and 4 protocols (e.g. TCP reset attacks and port scans), and other anomalies that are invalid in terms of the protocol specification.

    On the other hand, existing open-source high-availability solutions, like heartbeat [1] and keepalived [2], use replication techniques that remove single points of failure (SPOF) to avoid service disruption. Basically, such techniques consist of a cluster of several hosts where one or more are active and the rest are in backup mode, i.e. waiting for an active host to fail. Unfortunately, these solutions do not cover all the aspects required by stateful firewalls to ensure that the backup hosts can successfully take over the connections being forwarded: the backup hosts have no knowledge of the state of the forwarded connections, so they can no longer apply the appropriate state-based filtering policy, which results in unexpected behaviour such as connections halting or shutting down.

    Conntrackd: Netfilter's Connection Tracking System Userspace Daemon

    Conntrackd is the userspace daemon for the Connection Tracking System. It maintains a copy of the kernel's connection-tracking table in userspace. It is entirely written in C, highly configurable and easily extensible. Currently it covers the specific aspects of stateful Linux firewalls needed to enable high-availability solutions, and it can also be used as a statistics collector for firewall usage.

    The software is available at: http://conntrack-tools.netfilter.org
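    The following toy model, added here as an illustration and not part of conntrack-tools or this page's original text, shows in miniature the two points made above: a stateful filter drops packets that belong to no tracked flow (the stray-ACK and port-scan case), and a backup host that has not received the primary's state table drops legitimate mid-stream packets after a takeover, while a backup whose table was replicated (the job conntrackd does over the network) accepts them. Node names, addresses and the simplified TCP state machine (SYN opens a flow, SYN/ACK marks it established) are constructed assumptions for the example.

```python
"""Constructed model of a stateful firewall cluster (not conntrackd code).

Each node keeps a connection-tracking table keyed by a direction-independent
5-tuple. A packet is accepted only if it opens a new flow (a bare TCP SYN) or
belongs to a flow the node already tracks; anything else is invalid and dropped.
"""
from dataclasses import dataclass, field

NEW, ESTABLISHED = "NEW", "ESTABLISHED"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flags, e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK", "PSH"}

    def tuple5(self):
        # Canonical key so that both directions of a flow map to one entry.
        a = (self.src, self.sport)
        b = (self.dst, self.dport)
        return ("tcp",) + (a + b if a <= b else b + a)


@dataclass
class FirewallNode:
    name: str
    table: dict = field(default_factory=dict)   # 5-tuple -> state
    accepted: list = field(default_factory=list)
    dropped: list = field(default_factory=list)

    def filter(self, pkt: Packet) -> str:
        key = pkt.tuple5()
        state = self.table.get(key)
        if state is None:
            # Untracked flow: only a connection open (bare SYN) is legitimate.
            if pkt.flags == {"SYN"}:
                self.table[key] = NEW
                verdict = "ACCEPT"
            else:
                verdict = "DROP"  # stray ACK, RST, scan probe, etc.
        else:
            # Simplified state machine: SYN/ACK reply promotes NEW -> ESTABLISHED.
            if state == NEW and {"SYN", "ACK"} <= pkt.flags:
                self.table[key] = ESTABLISHED
            verdict = "ACCEPT"
        (self.accepted if verdict == "ACCEPT" else self.dropped).append(pkt)
        return verdict


def replicate(src: FirewallNode, dst: FirewallNode) -> None:
    """Copy the primary's state table to the backup (what state sync provides)."""
    dst.table = dict(src.table)


def failover_scenario(sync: bool) -> str:
    """Complete a handshake on the primary, fail over, send one data packet.

    Returns the backup's verdict on that packet (constructed addresses)."""
    primary, backup = FirewallNode("fw1"), FirewallNode("fw2")

    def c2s(flags):
        return Packet("10.0.0.2", 40000, "192.0.2.10", 80, frozenset(flags))

    def s2c(flags):
        return Packet("192.0.2.10", 80, "10.0.0.2", 40000, frozenset(flags))

    for p in (c2s({"SYN"}), s2c({"SYN", "ACK"}), c2s({"ACK"})):
        assert primary.filter(p) == "ACCEPT"
    if sync:
        replicate(primary, backup)
    # Primary dies; the next data segment of the same flow reaches the backup.
    return backup.filter(c2s({"ACK", "PSH"}))


if __name__ == "__main__":
    print("backup without state sync:", failover_scenario(sync=False))  # DROP
    print("backup with state sync:   ", failover_scenario(sync=True))   # ACCEPT
```

The point of the `sync=False` branch is exactly the failure described above: the backup applies the same stateful policy as the primary, but without the table it cannot tell an established flow's data from a stray packet, so the connection stalls.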


Send comments and suggestions to: gasca@lsi.us.es
Page last modified on October 29, 2010, at 08:37 PM