[Linux-HA] HA Firewall
Joris Dobbelsteen
Joris at familiedobbelsteen.nl
Thu Nov 15 17:14:58 MST 2007
If you are looking for a highly available stateful firewall, check out
OpenBSD or FreeBSD with the PF firewall. It includes pfsync, which allows
state synchronization. It also includes CARP for IP address failover.
I have found nothing equivalent on Linux that provides the same
capabilities for high availability.
Perhaps a good 'distribution' is pfsense, which packages it all
(FreeBSD+PF+CARP+more) including a web interface. There is plenty of
documentation on the web available for such a setup...
- Joris
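To make the PF + CARP + pfsync suggestion concrete, here is a minimal two-node OpenBSD layout added as an example; it is not from the original message, nor from the OpenBSD or pfSense documentation. It reuses the addressing of the quoted thread (shared external addresses 195.63.63.100-102, shared internal gateway 192.168.0.254, upstream router 195.63.63.254) but assumes interface names em0/em1/em2, the per-node physical addresses, a 10.0.0.0/30 crossover link for pfsync, the CARP password and the 192.168.0.0/24 LAN. The pf.conf uses current OpenBSD syntax (`match ... nat-to`); older releases and pfSense's FreeBSD PF use `nat on` for the same thing.

```conf
# ---- Node A (preferred master); node B differs only where noted ----

# /etc/hostname.em0   physical external address (assumed; node B uses .11)
inet 195.63.63.10 255.255.255.0

# /etc/hostname.em1   physical internal address (assumed; node B uses .2)
inet 192.168.0.1 255.255.255.0

# /etc/hostname.em2   dedicated crossover link for pfsync (assumed; node B uses .2)
inet 10.0.0.1 255.255.255.252

# /etc/hostname.carp0   shared external addresses from the thread, one vhid.
# advskew 0 on node A, advskew 100 on node B. The password keys the SHA1 HMAC
# on CARP advertisements and must be identical on both nodes; keep this file
# mode 0640 because of it.
inet 195.63.63.100 255.255.255.0 195.63.63.255 vhid 1 carpdev em0 pass ChangeMe advskew 0
inet alias 195.63.63.101 255.255.255.255
inet alias 195.63.63.102 255.255.255.255

# /etc/hostname.carp1   shared internal gateway address from the thread
inet 192.168.0.254 255.255.255.0 192.168.0.255 vhid 2 carpdev em1 pass ChangeMe advskew 0

# /etc/hostname.pfsync0   replicate the state table over the crossover link only.
# pfsync is unauthenticated and unencrypted: whoever is on em2 can inject states.
up syncdev em2

# /etc/sysctl.conf
net.inet.ip.forwarding=1
# With preempt on, losing the carpdev of one vhid demotes every CARP interface
# on the node, so the external and internal addresses fail over together.
net.inet.carp.preempt=1

# /etc/pf.conf   keep this identical on both nodes: replicated states refer to
# rule numbers, so a different ruleset on the peer mis-attributes them.
ext_if  = "em0"
int_if  = "em1"
sync_if = "em2"
lan_net = "192.168.0.0/24"

set skip on lo

# Cluster traffic first: pfsync on the private link, CARP on the carpdevs.
# (no-sync) keeps these states local instead of replicating them to the peer.
pass quick on $sync_if proto pfsync keep state (no-sync)
pass on { $ext_if, $int_if } proto carp keep state (no-sync)

block log all

# NAT to the shared CARP address, never to the physical em0 address, or
# translated flows die with the node that owned that address.
match out on $ext_if inet from $lan_net nat-to 195.63.63.100

# States created by these rules are replicated by pfsync, so established
# connections survive a CARP failover to node B.
pass in  on $int_if inet from $lan_net to any keep state
pass out on $ext_if inet keep state
```

Two operational checks are worth doing before trusting the pair: `ifconfig carp0` on node B should show `carp: BACKUP` while node A is up, and `ifconfig pfsync0` on both nodes should show the interface up with `syncdev: em2`. If the crossover link cannot be a dedicated physical cable, run pfsync over IPsec between the two 10.0.0.x addresses rather than across a shared segment.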
>-----Original Message-----
>From: linux-ha-bounces at lists.linux-ha.org
>[mailto:linux-ha-bounces at lists.linux-ha.org] On Behalf Of
>North Country Boy
>Sent: Wednesday 14 November 2007 23:31
>To: General Linux-HA mailing list
>Subject: RE: [Linux-HA] HA Firewall
>
>I will just bump this the once. Does anybody have any
>suggestions that may help? Thanks in advance
>
>> From: northcountryboy79 at hotmail.com
>> To: linux-ha at lists.linux-ha.org
>> Subject: RE: [Linux-HA] HA Firewall
>> Date: Sun, 4 Nov 2007 21:59:13 +0000
>>
>> Sorry for the delay,
>>
>> Please find attached configs. It's a curious problem...
>>
>>> Subject: Re: [Linux-HA] HA Firewall
>>> From: mzagrabe at d.umn.edu
>>> To: linux-ha at lists.linux-ha.org
>>> Date: Mon, 29 Oct 2007 10:38:30 -0500
>>>
>>> On Thu, 2007-10-25 at 22:23 +0100, North Country Boy wrote:
>>>> Ok ok, I admit. I don't get it!!!!
>>>>
>>>> I am trying to config a simple HA firewall and it just isn't working
>>>> how I had imagined.
>>>>
>>>> Ok here is the deal.
>>>>
>>>> The Firewall has two interfaces
>>>>
>>>> 1) Internal interface eth1 192.168.0.254
>>>>
>>>> 2) External Interface eth0 195.63.63.100, 195.63.63.101, 195.63.63.102
>>>>
>>>> The plan would be that in the event of failure, these IP addresses as
>>>> well as an iptables script would be brought online on the second box.
>>>>
>>>> The story so far....
>>>>
>>>> Because I am new to this, I wanted to take things nice and slowly and
>>>> realise the full solution in stages so that I could learn & understand.
>>>> I decided to test a simple failover with one IP just using the external
>>>> interface.
>>>>
>>>> I added a second NIC to both machines (node1 & node2) and got heartbeat
>>>> working no problem. Using the version 1 haresources file, I added the
>>>> following line
>>>>
>>>> node1 195.63.63.101
>>>>
>>>> In the ha.cf file I added
>>>>
>>>> ping 195.63.63.254 (an external router accessible by both nodes)
>>>>
>>>> Also I added the ipfail command.
>>>>
>>>> Ok so heartbeat all looks good so far, the new address 195.63.63.101
>>>> is added as eth1:0
>>>>
>>>> Now I prevent access to the external router from node1; it recognises
>>>> that it can no longer reach 195.63.63.254 in the logs, whilst node 2
>>>> says and does nothing. huh????
>>>>
>>>> I thought that at this point, ipfail flags a failure and the failover
>>>> process begins????
>>>>
>>>> Coincidentally, pulling the heartbeat cable causes the failover to
>>>> happen perfectly (which is nice to know).
>>>>
>>>> So now I am left wondering... If my external eth0 card fails, this
>>>> isn't enough to cause failover?
>>>
>>> Yes, if things are configured correctly.
>>>
>>> I have been dealing with v2 only, so I won't be able to help you with
>>> your configs, but I did play with v1 a tiny bit and I remember ipfail
>>> working fine.
>>>
>>> Speaking of configs, you should post your ha.cf and haresources files
>>> along with logs. I believe the list prefers attachments rather than
>>> inline.
>>>
>>> [...]
>>>
>>> --
>>> Matt Zagrabelny - mzagrabe at d.umn.edu - (218) 726 8844
>>> University of Minnesota Duluth
>>> Information Technology Systems & Services
>>> PGP key 1024D/84E22DA2 2005-11-07
>>> Fingerprint: 78F9 18B3 EF58 56F5 FC85 C5CA 53E7 887F 84E2 2DA2
>>>
>>> He is not a fool who gives up what he cannot keep to gain what he cannot
>>> lose.
>>> -Jim Elliot
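For comparison with the Linux side of the thread, here is a heartbeat v1 configuration for the setup the quoted poster describes (node1/node2, ping node 195.63.63.254, shared address 195.63.63.101). It is an added example, not the attachments mentioned in the thread, which are not reproduced on this page. The heartbeat link interface name eth2, the timing values, the ipfail binary path and the authkeys secret are assumptions; the haresources line pins the external interface explicitly so the address does not depend on a route lookup.

```conf
# /etc/ha.d/ha.cf   identical on node1 and node2
logfacility     local0
keepalive       2
deadtime        30
warntime        10
initdead        120
udpport         694
bcast           eth2        # dedicated heartbeat link (assumed name)
auto_failback   on
node            node1
node            node2

# Reachability probe from the thread; both nodes must be able to ping it.
ping            195.63.63.254

# ipfail compares how many ping nodes each node can reach and only moves the
# resources when the peer reports better reachability than the local node.
respawn hacluster /usr/lib/heartbeat/ipfail   # path differs by distribution
apiauth ipfail gid=haclient uid=hacluster

# /etc/ha.d/authkeys   mode 0600 on both nodes (heartbeat refuses to start
# otherwise). Use sha1 or md5, not crc: crc gives no protection against
# forged heartbeat packets from another host on the same segment.
auth 1
1 sha1 ReplaceWithALongRandomSecret

# /etc/ha.d/haresources   identical on both nodes
# address/prefix/interface: the shared address is placed on eth0 explicitly
# and the iptables script runs as a second resource.
node1 195.63.63.101/24/eth0 firewall
```

The `firewall` resource at the end of the haresources line is a placeholder for an LSB-style start/stop script in /etc/ha.d/resource.d/ that loads the iptables rules; it is assumed here, not something the thread supplies. After changing any of these files, restart heartbeat on both nodes and watch the log for `ipfail` reporting the ping node count on each side.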