Hi, Shorewall Types,

What is the recommended HA solution? I just want failover without loss of connection, not load balancing.

I see mention of the NOTNEWSYS setting referring to HA so that existing connections aren't lost. I see mention of Shorewall with Heartbeat from the LVS website. Am I going in the right direction?

Richard

___________________________________________________________

First Option's outgoing email policy is at http://www.firstoption.net/emailpolicy.html, but a short summary is :-

- all email/attachments are confidential; do not use, circulate or release without our consent
- email is not authorised unless it is on First Option business
- email is not binding unless it is from an authorised person and is signed with a digital certificate

First Option Ltd. - Switchboard +44 (0) 1962 738200
Signal House, Jacklyns Lane, Alresford, Hants, SO24 9JJ, United Kingdom
___________________________________________________________
Ok, any hints rather than recommendations. Even if it's "read the HA FAQ".

I'm happy to contribute a howto back to the project if I succeed...

Richard

-----Original Message-----
From: "Richard Turner" <rit@firstoption.net>
Sent: 13/04/06 16:22:26
To: "shorewall-users@lists.sourceforge.net" <shorewall-users@lists.sourceforge.net>
Subject: [Shorewall-users] Shorewall and HA

Hi, Shorewall Types,

What is the recommended HA solution? I just want failover without loss of connection, not load balancing.

I see mention of the NOTNEWSYS setting referring to HA so that existing connections aren't lost. I see mention of Shorewall with Heartbeat from the LVS website. Am I going in the right direction?

Richard
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
On Friday 14 April 2006 10:25, Richard Turner wrote:
> Ok, any hints rather than recommendations. Even if it's "read the HA FAQ".
>
> I'm happy to contribute a howto back to the project if I succeed...

I understand that Paul Gear has implemented HA using heartbeat -- he has been promising a HOWTO for some time but time hasn't been available to write one.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Richard,

I don't know if this is going to help you, but I have Shorewall running with heartbeat (active/active). It runs perfectly for me; heartbeat shares the external IPs. You can use proxyarp on Shorewall if you prefer to do it that way, but I found that it requires more configuration on my part.

As far as dropping, the only time it drops is when the primary goes back up again.

cheers,
Joshua

On Fri, 2006-04-14 at 18:25 +0100, Richard Turner wrote:
> Ok, any hints rather than recommendations. Even if it's "read the HA FAQ".
>
> I'm happy to contribute a howto back to the project if I succeed...
>
> Richard
Tom Eastep wrote:
> On Friday 14 April 2006 10:25, Richard Turner wrote:
>> Ok, any hints rather than recommendations. Even if it's "read the HA FAQ".
>>
>> I'm happy to contribute a howto back to the project if I succeed...
>
> I understand that Paul Gear has implemented HA using heartbeat -- he has been
> promising a HOWTO for some time but time hasn't been available to write one.

It *is* coming... :-)

I'm about to do my second cluster this way. Note, however (particularly for Richard's benefit) that it does not offer connection failover. For that you need one of the netfilter plugins that has been mentioned on the list previously (but whose name escapes me now).

Paul
Paul

Any other hints would be appreciated. :-)

I've implemented Watchguard (which is a Linux core) and Checkpoint/Nokia HA firewalls in the past, where this stuff is achieved with a couple of clicks on a GUI. I'm just discovering that HA seems to be much less common in the netfilter world. I really like Shorewall; I'd like to see Shorewall-HA as a few additional config files with the same level of strength and simplicity that Tom has brought to iptables. Main areas would be synchronisation of rules, sync of routes and maintaining connections after failover.

Would the plugin be ct_sync?

Richard

Paul Gear wrote:
> It *is* coming... :-)
>
> I'm about to do my second cluster this way. Note, however (particularly
> for Richard's benefit) that it does not offer connection failover.
> For that you need one of the netfilter plugins that has been mentioned
> on the list previously (but whose name escapes me now).
>
> Paul
Hi Richard,

> Ok, any hints rather than recommendations. Even if it's "read the HA FAQ".
>
> I'm happy to contribute a howto back to the project if I succeed...

Sorry for the delay in my answer, but I was travelling.

Right now we are using keepalived (VRRP) with iptables with great success. As you probably know, there is no current state synchronization between machines, but at least you have active/passive & active/active stuff. Heartbeat is also a good choice.

Also we are about to sponsor the development of state synchronization between machines. This job is being done by another person and we hope to find the funds to do it quite soon (actually we have a meeting with him next week and are quite confident of getting those funds). You should know that prior efforts (ct_sync) are kind of impossible to make work and I really don't recommend you go that way.

Of course, all this will be available with our commercial interface, but also on the GPL system image (without interface).

Kind regards
--
Jaime Nebrera - jnebrera@eneotecnologia.com
Consultor TI - ENEO Tecnologia SL
Pol. PISA - C/ Manufactura 6, P1, 3B
Mairena del Aljarafe - 41927 - Sevilla
Telf.- 955 60 11 60 / 619 04 55 18
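The keepalived (VRRP) active/passive arrangement Jaime describes, which shares an external address the way Joshua's heartbeat setup does, as an added example that is not part of the thread and is neither ENEO's nor the Shorewall project's configuration: a POSIX shell snippet that prints a keepalived.conf for either node of a two-node pair, plus the check script keepalived tracks. Everything concrete is an assumption: node names fw1 and fw2, eth0 as the external interface, 203.0.113.10/24 as the shared address, virtual router id 51, and that `shorewall status` exits non-zero when the ruleset is not loaded.

```shell
#!/bin/sh
# Added example (not from the thread): keepalived VRRP configuration for a
# two-node Shorewall pair that share one external address.
# Assumptions: nodes fw1/fw2, external interface eth0, shared address
# 203.0.113.10/24 (RFC 5737 documentation range), virtual router id 51.

# keepalived_conf fw1|fw2  -- print keepalived.conf for that node.
# Both nodes start as BACKUP with nopreempt: the address stays on whichever
# node holds it when the other comes back, so recovery of the old primary does
# not cause the second drop Joshua describes. Priorities only decide the
# first election.
keepalived_conf() {
    case "$1" in
        fw1) prio=150 ;;
        fw2) prio=100 ;;
        *)   echo "usage: keepalived_conf fw1|fw2" >&2; return 1 ;;
    esac
    cat <<EOF
# If the tracked script fails twice in a row, subtract 60 from the priority:
# 150 becomes 90, below the peer's 100, and the peer takes the address.
vrrp_script chk_shorewall {
    script "/usr/local/sbin/chk_shorewall"
    interval 2
    fall 2
    rise 2
    weight -60
}

vrrp_instance EXT {
    state BACKUP
    nopreempt
    interface eth0
    virtual_router_id 51
    priority $prio
    advert_int 1
    # VRRP PASS authentication travels in clear text on the eth0 segment;
    # it only guards against a mis-addressed peer, it is not a security control.
    authentication {
        auth_type PASS
        auth_pass vrid51
    }
    virtual_ipaddress {
        203.0.113.10/24 dev eth0
    }
    track_script {
        chk_shorewall
    }
}
EOF
}

# chk_shorewall  -- body of /usr/local/sbin/chk_shorewall, the tracked check.
# Exit 0 only while the firewall ruleset is loaded, so a node whose firewall
# has been stopped or cleared gives up the address rather than black-holing
# traffic or passing it unfiltered.
# Assumes `shorewall status` exits non-zero when Shorewall is not running;
# SHOREWALL can point at another binary for testing.
chk_shorewall() {
    "${SHOREWALL:-shorewall}" status >/dev/null 2>&1
}

# Example: keepalived_conf "$(hostname -s)" > /etc/keepalived/keepalived.conf
```

Shorewall on both nodes must accept IP protocol 112 (VRRP, sent to 224.0.0.18) from the peer on eth0; otherwise neither node sees the other's advertisements and both claim the address. Anyone on that segment can inject a higher-priority advertisement, so keep the segment under your control (a dedicated link for the advertisements is the usual fix). VRRP moves the address only; it does not move the conntrack table, which is exactly the distinction Jaime and Paul draw in this thread.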
Hi again,

> I've implemented Watchguard (which is a Linux core) and
> Checkpoint/Nokia HA firewalls in the past, where this stuff is
> achieved with a couple of clicks on a GUI.

We have the GUI, we don't have state sync yet :)))

> I'm just discovering that HA seems to be much less common in the
> netfilter world.

HA is easy, the difficult part is state sync.

> Main areas would be synchronisation of rules, sync of routes and
> maintaining connections after failover.

Sync of rules can be done without interface with rsync.

> Would the plugin be ct_sync?

As I have recommended in a prior email, IMHO this is a dead end; new alternatives are emerging, much more powerful :)

Regards
--
Jaime Nebrera - jnebrera@eneotecnologia.com
Jaime,

Thanks for taking the time to reply to my question.

> Right now we are using keepalived (VRRP) with iptables with great
> success. As you probably know, there is no current state synchronization
> between machines, but at least you have active/passive & active/active
> stuff. Heartbeat is also a good choice.

I was looking at Heartbeat, so now I have another choice to make! More reading... :-)

Looking at the proposed traffic, most of it will be HTTP with a few VPNs, so in the main state sync is not so important, as every page is a new connection. The VPNs will have to reconnect. Clearly sync is important, but if you lose a server, reconnecting a session is a whole lot better than losing total connectivity.

I'm going to have to start actually doing something soon, so will start with a very basic Heartbeat HA router (once the second server arrives). Then I can slowly add in NAT and the squid proxy.

> Also we are about to sponsor the development of state synchronization
> between machines. This job is being done by another person and we hope
> to find the funds to do it quite soon (actually we have a meeting with
> him next week and are quite confident of getting those funds). You
> should know that prior efforts (ct_sync) are kind of impossible to make
> work and I really don't recommend you go that way.

Thanks for the advice there. Good luck with your funding.

kind regards

Richard
Jaime Nebrera wrote:
> ...
>> Would the plugin be ct_sync?
>
> As I have recommended in a prior email, IMHO this is a dead end; new
> alternatives are emerging, much more powerful :)

One caution on Jaime's caution: "alternatives are emerging" and "it will work for you" are two different things, and it may be better for your requirements to put in something that's obsolete in terms of architecture but works. It's worth having a browse through these:

http://lists.netfilter.org/pipermail/netfilter-failover/
http://netfilter.org/documentation/FAQ/netfilter-faq-1.html#ss1.9

Paul
Richard Turner wrote:
> Paul
>
> Any other hints would be appreciated. :-)
>
> I've implemented Watchguard (which is a Linux core) and Checkpoint/Nokia
> HA firewalls in the past, where this stuff is achieved with a couple of
> clicks on a GUI. I'm just discovering that HA seems to be much less
> common in the netfilter world.

Did they perform true failover of TCP connections, or was it just that they were permissive about connections that they hadn't seen a SYN for? That can be done with NEWNOTSYN=Yes with Shorewall.

> I really like Shorewall; I'd like to see
> Shorewall-HA as a few additional config files with the same level of
> strength and simplicity that Tom has brought to iptables.

Well, that gives us something to aim for in the HOWTO. :-)

> Main areas would be synchronisation of rules, sync of routes and
> maintaining connections after failover.

I use rsync and a repository on an administration machine for a number of cluster configurations, plus my shoregen script (http://gear.dyndns.org/~paulgear/linux/shoregen-0.1.1/) for keeping the rules in sync.

Paul
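Paul's rsync approach to rule synchronisation, and Jaime's remark that rule sync needs nothing beyond rsync, as an added example that is not from the thread and is not Paul's shoregen script: a POSIX shell script that pushes /etc/shorewall to the peer, runs `shorewall check` on the peer and locally before anything is restarted, and only then restarts both nodes. The peer name fw2, pushing as root over SSH, the excluded file `params` (assumed to hold node-specific values such as each node's own addresses) and the DRY_RUN switch are all assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): keep the Shorewall rule set of a
# two-node pair in sync, compile-checking on the peer before any restart.
# Assumptions: the peer is reachable as root@fw2 over SSH with a key, and
# node-specific values live in /etc/shorewall/params, which is not copied.

PEER=${PEER:-fw2}
CONF=/etc/shorewall/

# run CMD ARGS...  -- execute the command, or just print it when DRY_RUN is
# set, so the plan can be reviewed (and tested) without touching a firewall.
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# sync_and_restart  -- order matters: a rule set that does not compile must
# be caught on the peer first, while the node you edit on still has working
# rules loaded.
sync_and_restart() {
    # --delete removes files dropped from the repository; --exclude keeps the
    # peer's own params. Try rsync --dry-run first if unsure what --delete hits.
    run rsync -a --delete --exclude params "$CONF" "root@$PEER:$CONF" || return 1
    # `shorewall check` compiles the configuration without loading anything.
    run ssh "root@$PEER" shorewall check || return 1
    run shorewall check || return 1
    # Restart the peer first; if that fails, this node is still untouched.
    run ssh "root@$PEER" shorewall restart || return 1
    run shorewall restart
}

# Example: DRY_RUN=1 sync_and_restart   # print the plan only
#          sync_and_restart             # do it
```

The SSH key that can write /etc/shorewall on the peer is a firewall-admin credential: restrict it in the peer's authorized_keys (a `from=` clause naming the pushing node) and treat the repository host as part of the firewall's trust boundary, since whoever writes there writes the rules on every node. On Paul's NEWNOTSYN=Yes: it makes Shorewall accept a TCP packet that arrives without a preceding SYN as the start of a connection, which is what lets clients ride out a failover without state sync; the price is that such packets from anyone are evaluated against the rules as new connections rather than being dropped as "new but not SYN". Netfilter's later answer to the state-sync gap that Jaime and Paul discuss is conntrackd from conntrack-tools; this thread predates it.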