[Linux-HA] HA Firewall

David Lang david.lang at digitalinsight.com
Fri Nov 16 08:48:15 MST 2007


On Fri, 16 Nov 2007, Joris Dobbelsteen wrote:

> If you are looking for a highly available stateful firewall, check out
> OpenBSD or FreeBSD with the PF firewall. It includes pfsync which allows
> state synchronization. It also includes CARP for IP address failover.
>
> I have found nothing equivalent on Linux that provides the same
> capabilities for high availability.

There is a tool out there to sync the iptables conntrack state on Linux. 
Unfortunately I haven't had time to dig into it in the last year, so my boxes are 
still running without it (failover is rare enough, and the cost of interrupting 
connections low enough, that it hasn't been a high priority).

David Lang

> Perhaps a good 'distribution' is pfsense, which packages it all
> (FreeBSD+PF+CARP+more) including a web interface. There is plenty of
> documentation on the web available for such a setup...
>
> - Joris
>
>> -----Original Message-----
>> From: linux-ha-bounces at lists.linux-ha.org
>> [mailto:linux-ha-bounces at lists.linux-ha.org] On Behalf Of
>> North Country Boy
>> Sent: woensdag 14 november 2007 23:31
>> To: General Linux-HA mailing list
>> Subject: RE: [Linux-HA] HA Firewall
>>
>> I will just bump this the once.  Does anybody have any
>> suggestions that may help? Thanks in advance
>>
>>> From: northcountryboy79 at hotmail.com
>>> To: linux-ha at lists.linux-ha.org
>>> Subject: RE: [Linux-HA] HA Firewall
>>> Date: Sun, 4 Nov 2007 21:59:13 +0000
>>>
>>> Sorry for the delay,
>>>
>>> Please find attached configs. It's a curious problem...
>>>
>>>> Subject: Re: [Linux-HA] HA Firewall
>>>> From: mzagrabe at d.umn.edu
>>>> To: linux-ha at lists.linux-ha.org
>>>> Date: Mon, 29 Oct 2007 10:38:30 -0500
>>>>
>>>> On Thu, 2007-10-25 at 22:23 +0100, North Country Boy wrote:
>>>>> Ok ok, I admit. I don't get it!!!!
>>>>>
>>>>> I am trying to config a simple HA firewall and it just isn't working to how I had imagined.
>>>>>
>>>>> Ok here is the deal.
>>>>>
>>>>> The Firewall has two interfaces
>>>>>
>>>>> 1) Internal interface eth1 192.168.0.254
>>>>>
>>>>> 2) External Interface eth0 195.63.63.100, 195.63.63.101, 195.63.63.102
>>>>>
>>>>> The plan would be that in the event of failure, these IP addresses as well as an iptables script would be brought online on the second box.
>>>>>
>>>>> The story so far....
>>>>>
>>>>> Because I am new to this, I wanted to take things nice and slowly and realise the full solution in stages so that I could learn & understand. I decided to test a simple failover with one ip just using the external interface.
>>>>>
>>>>> I added a second nic to both machines (node1 & node2) and got heartbeat working no problem. Using the version 1 haresource file, I added the following line
>>>>>
>>>>> node1 195.63.63.101
>>>>>
>>>>> In the ha.cf file I added
>>>>>
>>>>> ping 195.63.63.254 (an external router accessible by both nodes)
>>>>>
>>>>> Also I added the ipfail command.
>>>>>
>>>>> Ok so heartbeat all looks good so far, the new address 195.63.63.101 is added as eth1:0
>>>>>
>>>>> Now I prevent access to the external router from node1, it recognises that it can no longer reach 195.63.63.254 in the logs, whilst node 2 says and does nothing. huh????
>>>>> I thought that at this point, ipfail flags a failure and the failover process begins????
>>>>>
>>>>> Coincidentally, pulling the heartbeat cable causes the failover to happen perfectly (which is nice to know).
>>>>>
>>>>> So now I am left wondering... If my external eth0 card fails, this isn't enough to cause failover?
>>>>
>>>> Yes, if things are configured correctly.
>>>>
>>>> I have been dealing with v2 only, so I won't be able to help you with your configs, but I did play with v1 a tiny bit and I remember ipfail working fine.
>>>>
>>>> Speaking of configs, you should post your ha.cf and haresources files along with logs. I believe the list prefers attachments rather than inline.
>>>>
>>>> [...]
>>>>
>>>> --
>>>> Matt Zagrabelny - mzagrabe at d.umn.edu - (218) 726 8844
>>>> University of Minnesota Duluth
>>>> Information Technology Systems & Services
>>>> PGP key 1024D/84E22DA2 2005-11-07
>>>> Fingerprint: 78F9 18B3 EF58 56F5 FC85 C5CA 53E7 887F 84E2 2DA2
>>>>
>>>> He is not a fool who gives up what he cannot keep to gain what he cannot lose.
>>>> -Jim Elliot
>
> _______________________________________________
> Linux-HA mailing list
> Linux-HA at lists.linux-ha.org
> http://lists.linux-ha.org/mailman/listinfo/linux-ha
> See also: http://linux-ha.org/ReportingProblems
>
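For readers following the configuration discussed in the quoted thread, here is an added illustration (not posted by anyone in the thread) of what a heartbeat v1 setup for the two-node firewall above looks like once the ping node and ipfail are both in place: the `ping` line and the `respawn` line for ipfail in ha.cf, a haresources entry that pins the floating address to the external interface, and an authkeys file. The heartbeat link interface (eth2), the /24 netmask, the ipfail binary path, the resource script name `firewall-rules` and the shared secret are all assumptions; the node names and addresses come from the thread.

```conf
# /etc/ha.d/ha.cf  (heartbeat v1 style resource management, crm off)
logfacility     local0
keepalive       2
deadtime        30
warntime        10
initdead        120
udpport         694
# Heartbeat link on the dedicated second NIC. "eth2" is an assumption;
# the thread only says a second NIC was added to both machines. Keep this
# link on a crossover cable or private VLAN, not on the public side.
bcast           eth2
auto_failback   on
node            node1
node            node2
# Ping node: the external router that both firewalls can normally reach.
# Both nodes must carry the identical ping line.
ping            195.63.63.254
# Heartbeat itself only logs whether the ping node is reachable. Acting on
# that (moving resources) is ipfail's job, and ipfail is started by
# heartbeat through a respawn line. The path varies by distribution.
respawn hacluster /usr/lib/heartbeat/ipfail

# /etc/ha.d/haresources  (identical on both nodes)
# IPaddr::<address>/<prefix>/<interface> pins the floating address to eth0.
# A bare address lets the IPaddr script choose the interface from the
# routing table instead. "firewall-rules" is an assumed init-style script
# in /etc/ha.d/resource.d/ that loads the iptables rule set on start.
node1 IPaddr::195.63.63.101/24/eth0 firewall-rules

# /etc/ha.d/authkeys  (mode 0600, identical on both nodes)
# Authenticates heartbeat packets so that a host on the heartbeat segment
# cannot inject cluster messages. The key below is a placeholder.
auth 1
1 sha1 REPLACE_WITH_LONG_RANDOM_SECRET
```

Two points worth knowing when testing this. ipfail compares how many ping nodes each member can reach and only moves resources when the peer reaches more of them, so the test in the thread (cutting one node's path to the router) only produces a failover if the other node still reaches the router and is itself running ipfail with the same `ping` line. And, as David notes above, heartbeat moves addresses and rules but not conntrack state, so established connections through the failed node are dropped unless a separate state synchronisation tool is added.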

