How to Replicate the Fire: HA for Netfilter Based Firewalls
Source: Astaro AG
With traditional, stateless firewalling (such as ipfwadm or ipchains) there is no need for special High Availability (HA) support in the firewalling subsystem. As long as all packet filtering rules and routing table entries are configured in exactly the same way on both nodes, any available tool for IP address takeover can be used to fail over from one node to the other. With Linux 2.4.x netfilter/iptables, the Linux firewalling code moves beyond traditional packet filtering: netfilter provides a modular connection tracking subsystem which can be employed for stateful firewalling, and that per-connection state must survive a failover if established connections are not to be dropped.