On Fri, 16 Nov 2007, Joris Dobbelsteen wrote:

If you are looking for a highly available stateful firewall, check out
OpenBSD or FreeBSD with the PF firewall. It includes pfsync which allows
state synchronization. It also includes CARP for IP address failover.

I have found nothing equivalent on Linux that provides the same
capabilities for high availability.

there is a tool out there to sync the iptables conntrack state on Linux. unfortunately I haven't had time to dig into it in the last year so my boxes are still running without it (failover is rare enough, and the cost of interrupting connections low enough that it hasn't been a high priority)

David Lang

Perhaps a good 'distribution' is pfsense, which packages it all
(FreeBSD+PF+CARP+more) including a web interface. There is plenty of
documentation on the web available for such a setup...

- Joris

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
North Country Boy
Sent: Wednesday 14 November 2007 23:31
To: General Linux-HA mailing list
Subject: RE: [Linux-HA] HA Firewall

I will just bump this the once.  Does anybody have any
suggestions that may help? Thanks in advance

> From: [EMAIL PROTECTED]
> To: [email protected]
> Subject: RE: [Linux-HA] HA Firewall
> Date: Sun, 4 Nov 2007 21:59:13 +0000
>
> Sorry for the delay,
>
> Please find attached configs. It's a curious problem...
>
> Subject: Re: [Linux-HA] HA Firewall
> From: [EMAIL PROTECTED]
> To: [email protected]
> Date: Mon, 29 Oct 2007 10:38:30 -0500
>
> On Thu, 2007-10-25 at 22:23 +0100, North Country Boy wrote:
> > Ok ok, I admit. I don't get it!!!!
> >
> > I am trying to config a simple HA firewall and it just isn't working
> > how I had imagined.
> >
> > Ok here is the deal.
> >
> > The Firewall has two interfaces
> >
> > 1) Internal interface eth1 192.168.0.254
> >
> > 2) External Interface eth0 195.63.63.100, 195.63.63.101, 195.63.63.102
> >
> > The plan would be that in the event of failure, these IP addresses as
> > well as an iptables script would be brought online on the second box.
> >
> > The story so far....
> >
> > Because I am new to this, I wanted to take things nice and slowly and
> > realise the full solution in stages so that I could learn & understand.
> > I decided to test a simple failover with one IP just using the
> > external interface.
> >
> > I added a second NIC to both machines (node1 & node2) and got
> > heartbeat working no problem. Using the version 1 haresources file, I
> > added the following line
> >
> > node1 195.63.63.101
> >
> > In the ha.cf file I added
> >
> > ping 195.63.63.254 (an external router accessible by both nodes)
> >
> > Also I added the ipfail command.
> >
> > Ok so heartbeat all looks good so far, the new address 195.63.63.101
> > is added as eth1:0
> >
> > Now I prevent access to the external router from node1; it recognises
> > that it can no longer reach 195.63.63.254 in the logs, whilst node 2
> > says and does nothing. huh????
> >
> > I thought that at this point, ipfail flags a failure and the failover
> > process begins????
> >
> > Coincidentally, pulling the heartbeat cable causes the failover to
> > happen perfectly (which is nice to know).
> >
> > So now I am left wondering... If my external eth0 card fails, this
> > isn't enough to cause failover?
>
> Yes, if things are configured correctly.
>
> I have been dealing with v2 only, so I won't be able to help you with
> your configs, but I did play with v1 a tiny bit and I remember ipfail
> working fine.
>
> Speaking of configs, you should post your ha.cf and haresources files
> along with logs. I believe the list prefers attachments rather than
> inline.
>
> [...]
>
> --
> Matt Zagrabelny - [EMAIL PROTECTED] - (218) 726 8844
> University of Minnesota Duluth
> Information Technology Systems & Services
> PGP key 1024D/84E22DA2 2005-11-07
> Fingerprint: 78F9 18B3 EF58 56F5 FC85 C5CA 53E7 887F 84E2 2DA2
>
> He is not a fool who gives up what he cannot keep to gain what he
> cannot lose.
> -Jim Elliot

_______________________________________________
Linux-HA mailing list
[email protected]
http://lists.linux-ha.org/mailman/listinfo/linux-ha
See also: http://linux-ha.org/ReportingProblems
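A sanity check for the ipfail failover setup described in the quoted thread, added here as an example (it is not code from the thread or from the Heartbeat project): it verifies that each node's Heartbeat v1 ha.cf declares a ping node and the "respawn ... ipfail" line that actually starts the ipfail client, and that both nodes watch the same ping targets, since ipfail decides by comparing ping reachability between the two nodes. The file paths and sample ha.cf contents are assumptions.

```shell
#!/usr/bin/env bash
# Added example: lint two Heartbeat v1 ha.cf files (one per node) for the
# pieces ipfail-driven failover depends on. Paths are assumed, e.g.
#   check_hacf /etc/ha.d/ha.cf.node1 /etc/ha.d/ha.cf.node2

# Print the sorted, de-duplicated ping targets declared in an ha.cf.
# Both "ping <addr> ..." and "ping_group <name> <addr> ..." declare targets;
# lines starting with '#' never match because $1 would be "#ping".
ping_nodes() {
    awk '$1=="ping"       { for (i = 2; i <= NF; i++) print $i }
         $1=="ping_group" { for (i = 3; i <= NF; i++) print $i }' "$1" | sort -u
}

# Return 0 when heartbeat is told to start ipfail (a respawn line naming it).
has_ipfail() {
    grep -Eq '^[[:space:]]*respawn[[:space:]].*ipfail' "$1"
}

# check_hacf NODE1_HA_CF NODE2_HA_CF -> 0 if both look usable, 1 otherwise.
# Every finding is reported on stderr; the exit status summarises them.
check_hacf() {
    local a="$1" b="$2" rc=0 f
    for f in "$a" "$b"; do
        if [ -z "$(ping_nodes "$f")" ]; then
            echo "$f: no ping node declared; ipfail has nothing to watch" >&2
            rc=1
        fi
        if ! has_ipfail "$f"; then
            echo "$f: no 'respawn ... ipfail' line; ipfail never runs" >&2
            rc=1
        fi
    done
    # ipfail compares how many ping nodes each side can reach, so the two
    # nodes must be watching the same targets for the comparison to mean anything.
    if [ "$(ping_nodes "$a")" != "$(ping_nodes "$b")" ]; then
        echo "ping nodes differ between $a and $b" >&2
        rc=1
    fi
    return "$rc"
}
```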
