[Linux-HA] HA Firewall

Joris Dobbelsteen Joris at familiedobbelsteen.nl
Thu Nov 15 17:14:58 MST 2007


If you are looking for a highly available stateful firewall, check out
OpenBSD or FreeBSD with the PF firewall. It includes pfsync which allows
state synchronization. It also includes CARP for IP address failover.

I have found nothing equivalent on Linux that provides the same
capabilities for high availability.

Perhaps a good 'distribution' is pfsense, which packages it all
(FreeBSD+PF+CARP+more) including a web interface. There is plenty of
documentation on the web available for such a setup...

- Joris

> -----Original Message-----
> From: linux-ha-bounces at lists.linux-ha.org
> [mailto:linux-ha-bounces at lists.linux-ha.org] On Behalf Of
> North Country Boy
> Sent: Wednesday 14 November 2007 23:31
> To: General Linux-HA mailing list
> Subject: RE: [Linux-HA] HA Firewall
>
> I will just bump this the once. Does anybody have any
> suggestions that may help? Thanks in advance
>
>> From: northcountryboy79 at hotmail.com
>> To: linux-ha at lists.linux-ha.org
>> Subject: RE: [Linux-HA] HA Firewall
>> Date: Sun, 4 Nov 2007 21:59:13 +0000
>>
>> Sorry for the delay,
>>
>> Please find attached configs. It's a curious problem...
>>
>>> Subject: Re: [Linux-HA] HA Firewall
>>> From: mzagrabe at d.umn.edu
>>> To: linux-ha at lists.linux-ha.org
>>> Date: Mon, 29 Oct 2007 10:38:30 -0500
>>>
>>> On Thu, 2007-10-25 at 22:23 +0100, North Country Boy wrote:
>>>> Ok ok, I admit. I don't get it!!!!
>>>>
>>>> I am trying to config a simple HA firewall and it just isn't
>>>> working how I had imagined.
>>>>
>>>> Ok here is the deal.
>>>>
>>>> The Firewall has two interfaces
>>>>
>>>> 1) Internal interface eth1 192.168.0.254
>>>>
>>>> 2) External Interface eth0 195.63.63.100, 195.63.63.101,
>>>> 195.63.63.102
>>>>
>>>> The plan would be that in the event of failure, these IP
>>>> addresses as well as an iptables script would be brought online
>>>> on the second box.
>>>>
>>>> The story so far....
>>>>
>>>> Because I am new to this, I wanted to take things nice and slowly
>>>> and realise the full solution in stages so that I could learn &
>>>> understand. I decided to test a simple failover with one IP just
>>>> using the external interface.
>>>>
>>>> I added a second NIC to both machines (node1 & node2) and got
>>>> heartbeat working no problem. Using the version 1 haresources
>>>> file, I added the following line
>>>>
>>>> node1 195.63.63.101
>>>>
>>>> In the ha.cf file I added
>>>>
>>>> ping 195.63.63.254 (an external router accessible by both nodes)
>>>>
>>>> Also I added the ipfail command.
>>>>
>>>> Ok so heartbeat all looks good so far, the new address
>>>> 195.63.63.101 is added as eth1:0
>>>>
>>>> Now I prevent access to the external router from node1, it
>>>> recognises that it can no longer reach 195.63.63.254 in the logs,
>>>> whilst node 2 says and does nothing. huh????
>>>> I thought that at this point, ipfail flags a failure and the
>>>> failover process begins????
>>>>
>>>> Coincidentally, pulling the heartbeat cable causes the failover
>>>> to happen perfectly (which is nice to know).
>>>>
>>>> So now I am left wondering... If my external eth0 card fails,
>>>> this isn't enough to cause failover?
>>>
>>> Yes, if things are configured correctly.
>>>
>>> I have been dealing with v2 only, so I won't be able to help you
>>> with your configs, but I did play with v1 a tiny bit and I
>>> remember ipfail working fine.
>>>
>>> Speaking of configs, you should post your ha.cf and haresources
>>> files along with logs. I believe the list prefers attachments
>>> rather than inline.
>>>
>>> [...]
>>>
>>> --
>>> Matt Zagrabelny - mzagrabe at d.umn.edu - (218) 726 8844
>>> University of Minnesota Duluth
>>> Information Technology Systems & Services
>>> PGP key 1024D/84E22DA2 2005-11-07
>>> Fingerprint: 78F9 18B3 EF58 56F5 FC85 C5CA 53E7 887F 84E2 2DA2
>>>
>>> He is not a fool who gives up what he cannot keep to gain what he
>>> cannot lose.
>>> -Jim Elliot
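The Heartbeat v1 setup North Country Boy describes (a ping node and ipfail in ha.cf, the external addresses plus an iptables script in haresources), written out in full as an added example. It is not from the thread, from Joris, or from the Heartbeat project. The addresses and interface roles are the ones given in the thread; the heartbeat link eth2, the ipfail path, the rules file path and the resource script name are assumptions. Two points matter for the symptom described: ipfail has to be respawned on both nodes from the same ha.cf, and it only moves resources when the partner can still reach the ping node, so a ping node unreachable from both sides would give exactly a "node 2 says and does nothing" result. This is stateless failover: addresses and rules move, established connection state does not, which is the gap Joris points at pfsync for.

```conf
# ---- /etc/ha.d/ha.cf  (identical on node1 and node2) ----
logfacility     local0
keepalive       2            # seconds between heartbeat packets
warntime        5
deadtime        10           # partner declared dead after 10 s of silence
initdead        60           # grace period at boot while interfaces come up
udpport         694
bcast           eth2         # dedicated heartbeat link (interface name assumed)
auto_failback   off          # node1 coming back must not flap the firewall again
node            node1
node            node2

# Ping node from the thread: the external router, reached through eth0.
# Both nodes must be able to reach it, otherwise ipfail has nothing to compare.
ping            195.63.63.254

# ipfail must run on BOTH nodes. When the local node loses a ping node it
# asks the partner how many ping nodes the partner can reach and hands the
# resources over only if the partner is better connected. (Path assumed;
# some distributions install it under /usr/lib64/heartbeat.)
respawn hacluster /usr/lib/heartbeat/ipfail

# ---- /etc/ha.d/authkeys  (identical on both nodes, mode 0600, owner root) ----
# Heartbeat refuses to start if this file is readable by others. Use a keyed
# hash, not crc, so another host on the heartbeat segment cannot forge
# cluster messages.
auth 1
1 sha1 REPLACE-WITH-A-LONG-RANDOM-SHARED-SECRET

# ---- /etc/ha.d/haresources  (identical on both nodes) ----
# Preferred node first, then the three external addresses with netmask and
# interface pinned to eth0 (a bare address, as in the thread, leaves the
# interface choice to Heartbeat), then the firewall resource script last so
# the rules are loaded after the addresses exist.
node1 195.63.63.100/24/eth0 195.63.63.101/24/eth0 195.63.63.102/24/eth0 firewall

# ---- /etc/ha.d/resource.d/firewall  (sh script, executable, both nodes) ----
#!/bin/sh
# Heartbeat v1 resource script: loads the ruleset on start and, on stop,
# leaves the passive node with an empty default-deny FORWARD chain so a
# node that has lost the addresses never forwards traffic. The rules file
# (iptables-save format) and its path are assumptions.
RULES=/etc/ha.d/firewall.rules
case "$1" in
  start)
    iptables-restore < "$RULES"
    ;;
  stop)
    iptables -F FORWARD
    iptables -P FORWARD DROP
    ;;
  status)
    # Heartbeat v1 looks for "running" or "stopped" on stdout;
    # "rules present in FORWARD" is taken as the running state here.
    if iptables -L FORWARD -n | tail -n +3 | grep -q .; then
      echo running
    else
      echo stopped
    fi
    ;;
  *)
    echo "usage: $0 {start|stop|status}" >&2
    exit 1
    ;;
esac
```

Resources in haresources are started left to right and stopped right to left, which is why the script comes last: on failover the standby gets the addresses first and then the rules, and on release it drops the rules before giving up the addresses.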
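What Joris's pf + pfsync + CARP recommendation looks like in configuration on OpenBSD, mapped onto the addressing from the thread, as an added example; it is not from the thread, from Joris, or from the OpenBSD project. The physical interface names em0 (external), em1 (internal) and em2 (dedicated sync link), the per-node addresses 195.63.63.103 and 195.63.63.104, and the shared secret are constructed or assumed; everything else follows the standard hostname.if(5) and pf.conf(5) syntax. Unlike the Heartbeat setup, pfsync copies the state table to the partner, so connections that were open through the master survive the CARP switch.

```conf
# ---- /etc/sysctl.conf  (both nodes) ----
net.inet.ip.forwarding=1
# With preempt, losing any one CARP-carrying link demotes the whole node,
# so external and internal addresses always fail over together.
net.inet.carp.preempt=1

# ---- /etc/hostname.em0  (external physical interface, node1) ----
# Per-node address, constructed for this example; node2 uses 195.63.63.104.
inet 195.63.63.103 255.255.255.0

# ---- /etc/hostname.carp0  (external CARP group, node1) ----
# node2 has the same file with "advskew 100" so node1 is preferred master.
# The pass phrase authenticates CARP advertisements between the two nodes.
inet 195.63.63.100 255.255.255.0 195.63.63.255 vhid 1 carpdev em0 pass REPLACE-SHARED-SECRET advskew 0
inet alias 195.63.63.101 255.255.255.255
inet alias 195.63.63.102 255.255.255.255

# ---- /etc/hostname.carp1  (internal CARP group, node1; node2 advskew 100) ----
inet 192.168.0.254 255.255.255.0 192.168.0.255 vhid 2 carpdev em1 pass REPLACE-SHARED-SECRET advskew 0

# ---- /etc/hostname.pfsync0  (both nodes) ----
# State-table updates are sent unauthenticated and unencrypted, so em2 must
# be a dedicated crossover link that nothing else can reach.
up syncdev em2

# ---- /etc/pf.conf  (both nodes; only the HA-relevant rules shown) ----
ext_if = "em0"
int_if = "em1"
sync_if = "em2"

set skip on lo
block all

# CARP advertisements on the two production links, pfsync on the sync link only
pass on { $ext_if $int_if } proto carp
pass quick on $sync_if proto pfsync

# Example forwarding policy; states created here are replicated to the partner
pass in on $int_if from 192.168.0.0/24 to any keep state
pass out on $ext_if keep state
```

After `sh /etc/netstart`, `ifconfig carp0` shows `carp: MASTER` on node1 and `carp: BACKUP` on node2, and `pfctl -ss` on the backup lists the same states as the master; the failover test from the thread (cutting node1's external link) then moves both groups to node2 without resetting the open connections.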
