On 23/02/2018 18:34, Tim S wrote:
> [...]
> If you do run out, simply spawning another Shorewall VM and trunking
> the policy pools between Shorewall VMs takes care of that.

Hi Tim, could you elaborate slightly on the above point? I mean: the policy-pooling (that, as far as I understand, is required to "sync" the Shorewall configuration), is it something you achieve with some Shorewall-supported utilities/approaches? Or is it something you self-implemented with "automation" (externally to Shorewall, I mean)?

> [...]
> I have two Shorewall VMs, and two stacked 48-port switches. Each
> switch has a 10Gbe uplink to each of two of my VM hosts for
> redundancy, and one Shorewall VM is on each VM host. The VM hosts
> are trunked with redundant isolated Infiniband networks. This way a
> single point of failure does not mean I lose a chunk of my network,
> or any of my services. I had to go this way when my wife's tolerance
> for network outage dropped to zero, even for patching.

Can you add something regarding "connection tracking"? I mean, if your setup is providing 100% availability (in "single-failure" scenarios), I have some trouble figuring out how you're replicating connection tracking between the two Shorewall nodes, so that should one of them go down, the other will be able to continue handling existing connections (in addition to new ones, obviously).

I'm asking 'cause, as my wife is "much in line" with yours (in terms of "network availability requirements"), I'm _REALLY_ interested in "100% network firewalling availability" (Shorewall-based, obviously!) :-)

Jokes aside: you really described an amazing infrastructure! Thanks for reporting it here.

Cheers,
DV

<mode jokes="on">
> I have a hyper-paranoid least-privilege security design on my network.

Actually you just set a new "maximum", well beyond the previous one, in the "paranoid implementations" I've kept track of up to now :-)
</mode>

--
Damiano Verzulli
e-mail: dami...@verzulli.it
---
possible?ok:while(!possible){open_mindedness++}
---
"Technical people tend to fall into two categories: Specialists and Generalists. The Specialist learns more and more about a narrower and narrower field, until he eventually, in the limit, knows everything about nothing. The Generalist learns less and less about a wider and wider field, until eventually he knows nothing about everything." - William Stucke - AfrISPA
http://elists.isoc.org/mailman/private/pubsoft/2007-December/001935.html
_______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users
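The message above asks how connection-tracking state can be replicated between two Shorewall nodes so that the survivor keeps serving established flows after a failover. Shorewall itself compiles policy into iptables/nftables rules and carries no cross-host state; the usual way to get that is the conntrackd daemon from the netfilter project, which replicates the kernel conntrack table between peers. The fragment below is an added illustration and is not part of the thread nor of Tim's setup: the interface name eth2, the addresses 192.168.100.100/101 and the UDP port are assumptions for a dedicated, isolated sync link between the two firewall VMs, and the FTFW (fault-tolerant fire-and-forget) mode with an external cache is one reasonable choice among several.

```conf
# /etc/conntrackd/conntrackd.conf on firewall node A (added example; all
# addresses and interface names below are assumptions, not from the thread).
# Node B uses the same file with the two IPv4 addresses swapped.
Sync {
    # FTFW: reliable replication with sequence tracking and resends.
    Mode FTFW {
        DisableExternalCache Off   # keep peer's flows in user-space cache
        CommitTimeout 1800          # seconds a committed flow may live
        PurgeTimeout 5              # drop stale cache entries quickly
    }
    # Unicast over the dedicated sync link; never over a client-facing NIC.
    UDP {
        IPv4_address 192.168.100.100             # this node (assumed)
        IPv4_Destination_Address 192.168.100.101 # peer node (assumed)
        Port 3780
        Interface eth2                           # isolated sync interface (assumed)
        SndSocketBuffer 1249280
        RcvSocketBuffer 1249280
        Checksum on
    }
}

General {
    Nice -20
    HashSize 32768
    HashLimit 131072
    LogFile on
    Syslog on
    LockFile /var/lock/conntrack.lock
    UNIX {
        Path /var/run/conntrackd.ctl
        Backlog 20
    }
    NetlinkBufferSize 2097152
    NetlinkBufferSizeMaxGrowth 8388608
    # Do not replicate flows for the sync link itself or for the loopback;
    # replicating them would make the peer "own" the sync traffic.
    Filter From Userspace {
        Protocol Accept {
            TCP
            UDP
            ICMP
        }
        Address Ignore {
            IPv4_address 127.0.0.1
            IPv4_address 192.168.100.100
            IPv4_address 192.168.100.101
        }
    }
}
```

Two points a practitioner will want beyond the file itself. First, replication only fills the standby's external cache; on failover something (typically the keepalived notify script shipped with conntrackd as primary-backup.sh) must run `conntrackd -c` to commit that cache into the kernel table, then `conntrackd -f` and `conntrackd -R` to flush and resync, otherwise the promoted node still sees those flows as INVALID. Second, the sync link must be isolated and authenticated by topology: conntrackd carries flow tuples in the clear, and anything able to inject on that segment can plant conntrack entries that a stateful `ESTABLISHED,RELATED` accept rule will then honour. The "redundant isolated Infiniband networks" Tim describes between his VM hosts are the kind of segment that fits.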