Firewall problem with ip takeover

David Lang david.lang@digitalinsight.com
Fri, 22 Feb 2002 10:55:00 -0800 (PST)


One potential hassle with using the shared IP configured the way you
describe is that you then have to start sendmail/postfix/whatever as part
of your takeover process, but if you leave them listening on any IP you
don't have to worry about starting and stopping it; you can then also tell
from your other logs which machine is active.

David Lang


 On Fri, 22 Feb 2002, Alan Robertson wrote:

> Date: Fri, 22 Feb 2002 11:32:01 -0700
> From: Alan Robertson <alanr@unix.sh>
> To: Bernard Frit <bernard.frit@temperance.com>
> Cc: ha-linux List <linux-ha@muc.de>
> Subject: Re: Firewall problem with ip takeover
>
> Bernard Frit wrote:
> >
> > My problem is not strictly a heartbeat problem but I'd like
> > to know how people have solved it.
> >
> > We are smoothly running an active-active cluster acting as
> > the main internal smtp relay within the organization.
> >
> > Obviously it's located behind a firewall and we had to create
> > 4 rules to allow the smtp traffic passing through the firewall
> > and originating from any of the 4 IPs:
> > - 1st node boot ip
> > - 2nd node boot ip
> > - 1st node prod ip
> > - 2nd node prod ip
> >
> > The firewall we are using doesn't allow rules based on machine
> > names. The security officer doesn't like that we need 4 rules to allow
> > smtp traffic. So is there any way to force a service to use a specific
> > ip address?
>
> Why do you allow the boot IPs to be accessed through the firewall?  If it's
> because they are sending their mail out using the boot IP source address by
> default, check your SMTP configuration.  For postfix, there's a directive
> that reads something like this:
> 	smtp_bind_address=111.222.333.444
> See the docs for your SMTP daemon for appropriate details ;-)
>
> As far as the production IPs, if you're doing an active/active with DNS
> round robin (or something like that), I don't see how you can get around the
> problem easily.  For a harder solution, read on ;-)
>
> If you want *lots* of mail servers, you could run LVS and let it route
> requests across the servers.  This is more trouble to set up, but it could
> cut you down to only one IP address for all the mail servers.  Of course,
> you also need to make your LVS service highly available.
>
> But it seems like a lot of work for just two mail servers...
>
> 	-- Alan Robertson
> 	   alanr@unix.sh
>
> ------------------------------------------------------------------------------
> Linux HA Web Site:
>   http://linux-ha.org/
> Linux HA HOWTO:
>   http://metalab.unc.edu/pub/Linux/ALPHA/linux-ha/High-Availability-HOWTO.html
> ------------------------------------------------------------------------------
>