Hi folks,

Last year on the shorewall list there was some talk about redundant firewalls, but there doesn't seem to be any conclusion or any link to howtos, etc. Can anyone update me on this?

My target environment will likely be two Dell PE750 servers with around 6-10 network interfaces per system, running Fedora Core 1 or Red Hat Enterprise Linux 3.0, with whatever failover/clustering software is most appropriate.

Thanks,

--
Paul Gear, Manager IT Operations, Redlands College
38 Anson Road, Wellington Point 4160, Australia
(Please send attachments in portable formats such as PDF, HTML, or OpenOffice.)
--
The information contained in this message is copyright by Redlands College. Any use for direct sales or marketing purposes is expressly forbidden. This message does not represent the views of Redlands College.
On Thu, 10 Jun 2004 13:45:01 +1000 Paul Gear <pgear@redlands.qld.edu.au> wrote:

> Last year on the shorewall list there was some talk about redundant
> firewalls, but there doesn't seem to be any conclusion or any link to
> howtos, etc. Can anyone update me on this?

I had it working here with heartbeat, only it was not fully implemented and my project was put on the back burner (way, way in the back). We switched to UltraDNS (called SiteBacker) and that covered our production site. As far as outgoing, I'm pushing to bring the project back.

The heartbeat guys made provisions (as did Tom; maybe unknowingly) that allows it to work. The heartbeat guys have picked the development back up and the system works very nice.

--
Paul Slinski
Network Administrator
Global IQX, Inc.

The information transmitted is intended only for the addressee and may contain confidential, proprietary and/or privileged material. Any unauthorized review, distribution or other use of or the taking of any action in reliance upon this information is prohibited. If you received this in error, please contact the sender and delete or destroy this message and any copies.
Paul Slinski wrote:
> On Thu, 10 Jun 2004 13:45:01 +1000
> Paul Gear <pgear@redlands.qld.edu.au> wrote:
>
>> Last year on the shorewall list there was some talk about redundant
>> firewalls, but there doesn't seem to be any conclusion or any link to
>> howtos, etc. Can anyone update me on this?
>
> ...
> The heartbeat guys made provisions (as did Tom; maybe unknowingly) that
> allows it to work. The heartbeat guys have picked the development back
> up and the system works very nice.

Where can I find details?

--
Paul Gear, Manager IT Operations, Redlands College
On Fri, 11 Jun 2004 10:14:05 +1000 Paul Gear <pgear@redlands.qld.edu.au> wrote:

>> allows it to work. The heartbeat guys have picked the development
>> back up and the system works very nice.
>
> Where can I find details?

http://www.linux-ha.org/

--
Paul Slinski
Network Administrator
Global IQX, Inc.
Paul Gear wrote:
> Paul Slinski wrote:
>> On Thu, 10 Jun 2004 13:45:01 +1000
>> Paul Gear <pgear@redlands.qld.edu.au> wrote:
>>
>>> Last year on the shorewall list there was some talk about redundant
>>> firewalls, but there doesn't seem to be any conclusion or any link to
>>> howtos, etc. Can anyone update me on this?
>>
>> ...
>> The heartbeat guys made provisions (as did Tom; maybe unknowingly) that
>> allows it to work. The heartbeat guys have picked the development back
>> up and the system works very nice.
>
> Where can I find details?

I have a firewall set up to work like this.

Basically, I have two three-interface firewalls. Each interface on each box has a "real" address (that is box-specific), and a "service" address, which is controlled by heartbeat.

heartbeat handles bringing up and down the service addresses on the appropriate boxes as needed.

I just keep shorewall running all the time on both boxes, and everything works fine during failover. [Active NATed sessions need to reconnect, though, as might some other sessions depending on your rules.]

There's really nothing special that you need to do for this, though, other than add rules to allow the UDP heartbeat probes to work back and forth.

It also helps to use something like CVS to keep your shorewall config in; I use CVS for my whole /etc/shorewall tree, so that I can keep track of changes, and then do CVS update to bring them over from one machine to another.

-SteveK

> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
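A concrete version of the layout Steve describes above (two boxes, a box-specific "real" address plus a heartbeat-managed "service" address on each interface, and Shorewall rules that let the heartbeat probes through), written as an added example and not taken from Steve's own configuration. The hostnames, interface names, addresses, zone names (loc, dmz) and the authkeys secret are constructed; heartbeat's default UDP port 694, the heartbeat 1.x file formats and the Shorewall 2.x rules column layout with the $FW variable are assumed.

```conf
# Added example: two firewalls, fw1 and fw2, with heartbeat-managed service addresses.
# Per-box "real" addresses (constructed):
#   fw1: eth0 203.0.113.11   eth1 192.168.1.11   eth2 192.168.2.11
#   fw2: eth0 203.0.113.12   eth1 192.168.1.12   eth2 192.168.2.12
# Shared "service" addresses that heartbeat moves between the boxes:
#   eth0 203.0.113.10   eth1 192.168.1.1   eth2 192.168.2.1
# Hosts and the default routes of the LANs point at the service addresses only.

# ---- /etc/ha.d/ha.cf on fw1 (on fw2 the ucast lines point at fw1's .11 addresses) ----
logfacility     local0
keepalive       2              # seconds between probes
warntime        5
deadtime        10             # declare the peer dead after 10 s of silence
initdead        30             # allow extra time while the boxes boot
udpport         694            # heartbeat's default UDP port (assumed)
ucast eth1 192.168.1.12        # probe fw2's real address over eth1
ucast eth2 192.168.2.12        # second path, so one lost link is not a false failover
auto_failback   on
node            fw1
node            fw2

# ---- /etc/ha.d/haresources (identical on both boxes) ----
# fw1 is the preferred holder; if it dies, fw2 brings up all three service addresses.
# No disk or other resource is involved, only IPaddr entries.
fw1 IPaddr::203.0.113.10/24/eth0 IPaddr::192.168.1.1/24/eth1 IPaddr::192.168.2.1/24/eth2

# ---- /etc/ha.d/authkeys (mode 0600, identical on both boxes) ----
# Probes are authenticated, so a forged probe cannot trigger a takeover.
auth 1
1 sha1 REPLACE-WITH-A-LONG-RANDOM-SECRET

# ---- /etc/shorewall/rules on fw1 (on fw2 use fw1's .11 addresses) ----
# Accept heartbeat probes only from the peer's real addresses, on the
# interfaces the ucast lines use; the service addresses never carry them.
#ACTION   SOURCE              DEST    PROTO   DEST PORT(S)
ACCEPT    loc:192.168.1.12    $FW     udp     694
ACCEPT    dmz:192.168.2.12    $FW     udp     694
```

Keep Shorewall running on both boxes the whole time, as Steve does, so the rule set is already loaded when a service address appears; nothing here synchronises connection tracking, so the NATed sessions Steve mentions still drop at failover.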
On Fri, 11 Jun 2004 10:55:25 -0400 Steve Kann <stevek@stevek.com> wrote:

> It also helps to use something like CVS to keep your shorewall config
> in; I use CVS for my whole /etc/shorewall tree, so that I can keep
> track of changes, and then do CVS update to bring them over from one
> machine

Yes, we just used rsync to sync the files when there was a change. I preferred to leave my secondary interface off until a failure on the primary.

I think we could all put together a howto on this topic. Any takers?

--
Paul Slinski
Network Administrator
Global IQX, Inc.
Paul Slinski wrote:
> On Fri, 11 Jun 2004 10:14:05 +1000
> Paul Gear <pgear@redlands.qld.edu.au> wrote:
>
>>>> allows it to work. The heartbeat guys have picked the development
>>>> back up and the system works very nice.
>>
>> Where can I find details?
>
> http://www.linux-ha.org/

I meant about the integration of shorewall with heartbeat. :-) Come to think of it, there's nothing really special about it, though, is there? It's just another cluster resource which happens to have only IP addresses and nothing more...

I want to use a couple of servers as core routers & DHCP servers for my network. Thus they will need several IP addresses to act as a default gateway for each of the LANs (about 6 at this stage). Does this make sense to you?

Paul
Steve Kann wrote:
> ...
> I have a firewall set up to work like this.
>
> Basically, I have two three-interface firewalls. Each interface on each
> box has a "real" address (that is box-specific), and a "service"
> address, which is controlled by heartbeat.
>
> heartbeat handles bringing up and down the service addresses on the
> appropriate boxes as needed.
> I just keep shorewall running all the time on both boxes, and everything
> works fine during failover. [active NATed sessions need to reconnect,
> though, as might some other sessions depending on your rules].
>
> There's really nothing special that you need to do for this, though,
> other than add rules to allow the UDP heartbeat probes to work back and
> forth.

Sounds like exactly the arrangement I'd like to have. Do you use shared disk storage, or does heartbeat allow you to have an IP address as a resource that doesn't require anything else?

I'd really like to be able to do this without shared disk, as that adds a lot of cost and complexity that I don't need on a firewall.

What services do you actually run on the service address? I'm planning to use it for DHCP and that's about it.

> It also helps to use something like CVS to keep your shorewall config
> in; I use CVS for my whole /etc/shorewall tree, so that I can keep track
> of changes, and then do CVS update to bring them over from one machine
> to another.

I use a little tool I wrote called shoregen (you can get it at http://paulgear.webhop.net/linux), which centralises the configuration of multiple firewalls. I keep the configuration files for shoregen in CVS.

Paul
>> I think we could all put together a howto on this topic. Any takers?

Hey, if anyone has any notes on this topic you could add them to the shorewall wiki: http://wiki.rettc.com/wiki.phtml?title=Wiki_Shorewall_FAQ

Thanks,
Alex
Paul Gear wrote:
> Steve Kann wrote:
>> ...
>> I have a firewall set up to work like this.
>>
>> Basically, I have two three-interface firewalls. Each interface on each
>> box has a "real" address (that is box-specific), and a "service"
>> address, which is controlled by heartbeat.
>>
>> heartbeat handles bringing up and down the service addresses on the
>> appropriate boxes as needed.
>> I just keep shorewall running all the time on both boxes, and everything
>> works fine during failover. [active NATed sessions need to reconnect,
>> though, as might some other sessions depending on your rules].
>>
>> There's really nothing special that you need to do for this, though,
>> other than add rules to allow the UDP heartbeat probes to work back and
>> forth.
>
> Sounds like exactly the arrangement I'd like to have. Do you use
> shared disk storage, or does heartbeat allow you to have an IP address
> as a resource that doesn't require anything else?
>
> I'd really like to be able to do this without shared disk, as that
> adds a lot of cost and complexity that I don't need on a firewall.
>
> What services do you actually run on the service address? I'm
> planning to use it for DHCP and that's about it.

Any comments on the above, Steve? I'm keen to know more about your (or others') experience.

--
Paul Gear, Manager IT Operations, Redlands College
You might try UCARP. I am planning on playing around with a redundant shorewall solution using UCARP between two machines soon for our departmental gateway.

http://www.ucarp.org/

Thanks,

John H. Nyhuis
Computer Specialist I
Cell Systems Initiative
Dept. of BioEngineering
University of Washington
Desk: (206)-732-6148
Fax: (206)-732-6033
cabal@u.washington.edu

On Thu, 17 Jun 2004, Paul Gear wrote:
> Paul Gear wrote:
>> Steve Kann wrote:
>>> ...
>>
>> Sounds like exactly the arrangement I'd like to have. Do you use
>> shared disk storage, or does heartbeat allow you to have an IP address
>> as a resource that doesn't require anything else?
>>
>> I'd really like to be able to do this without shared disk, as that
>> adds a lot of cost and complexity that I don't need on a firewall.
>>
>> What services do you actually run on the service address? I'm
>> planning to use it for DHCP and that's about it.
>
> Any comments on the above, Steve? I'm keen to know more about your
> (or others') experience.
Paul Gear wrote:
> Paul Gear wrote:
>> Steve Kann wrote:
>>> ...
>>> I have a firewall set up to work like this.
>>>
>>> Basically, I have two three-interface firewalls. Each interface on each
>>> box has a "real" address (that is box-specific), and a "service"
>>> address, which is controlled by heartbeat.
>>>
>>> heartbeat handles bringing up and down the service addresses on the
>>> appropriate boxes as needed.
>>> I just keep shorewall running all the time on both boxes, and everything
>>> works fine during failover. [active NATed sessions need to reconnect,
>>> though, as might some other sessions depending on your rules].
>>>
>>> There's really nothing special that you need to do for this, though,
>>> other than add rules to allow the UDP heartbeat probes to work back and
>>> forth.
>>
>> Sounds like exactly the arrangement I'd like to have. Do you use
>> shared disk storage, or does heartbeat allow you to have an IP address
>> as a resource that doesn't require anything else?

No shared disks. All heartbeat does is turn up the "service" IP addresses on all the interfaces.

>> I'd really like to be able to do this without shared disk, as that
>> adds a lot of cost and complexity that I don't need on a firewall.
>>
>> What services do you actually run on the service address? I'm
>> planning to use it for DHCP and that's about it.

We don't run dhcp on this box, just firewall stuff. So, ssh and stunnel I think are the only actual services, and I think they are running on INADDR_ANY.

> Any comments on the above, Steve? I'm keen to know more about your
> (or others') experience.

As I said, it seems to work fine, except that during failover, NATed connections are lost (so, e.g. TCP sessions need to re-establish themselves).

-SteveK
Steve Kann wrote:
> ...
>>> Sounds like exactly the arrangement I'd like to have. Do you use
>>> shared disk storage, or does heartbeat allow you to have an IP address
>>> as a resource that doesn't require anything else?
>
> No shared disks. All heartbeat does is turn up the "service" IP
> addresses on all the interfaces.

Excellent - I think that will be just what I need.

>>> I'd really like to be able to do this without shared disk, as that
>>> adds a lot of cost and complexity that I don't need on a firewall.
>>>
>>> What services do you actually run on the service address? I'm
>>> planning to use it for DHCP and that's about it.
>
> We don't run dhcp on this box, just firewall stuff. So, ssh, and
> stunnel I think are the only actual services, and I think they are
> running on INADDR_ANY..

OK - thanks. I think I'll just run DHCP in parallel on both boxes and rsync/mangle the configs from another system (external to the cluster).

> ...
>
> As I said, it seems to work fine, except that during failover, NATed
> connections are lost (so, e.g. TCP sessions need to re-establish
> themselves).

I'm not planning to use NAT, so I don't think that will be a drama. Thanks for your time.

--
Paul Gear, Manager IT Operations, Redlands College
Hi Paul,

Can you give me some more info on this redundant firewall?

Regards,
Paul

-----Original Message-----
From: Paul Gear [mailto:pgear@redlands.qld.edu.au]
Sent: Friday, June 18, 2004 2:02 AM
To: Mailing List for Shorewall Users
Subject: Re: [Shorewall-users] Redundant firewalls / failover status?
> Basically, I have two three-interface firewalls. Each interface on each
> box has a "real" address (that is box-specific), and a "service"
> address, which is controlled by heartbeat.
>
> heartbeat handles bringing up and down the service addresses on the
> appropriate boxes as needed.
> I just keep shorewall running all the time on both boxes, and everything
> works fine during failover. [active NATed sessions need to reconnect,
> though, as might some other sessions depending on your rules].

Sounds a lot like CARP, available in OpenBSD 3.5.

http://software.newsforge.com/software/04/04/13/1842214.shtml?tid=132&tid=82&tid=91&tid=92
http://www.countersiege.com/doc/pfsync-carp/
http://kerneltrap.org/node/view/2873

There is also a group working on porting CARP to Linux. Seems like it's in an early beta stage. I have no experience with it.

http://www.ucarp.org/

CARP is looking _damn_ sexy. I never thought our Debian Shorewall setup would have to compete with anyone. :)

--
Nick F. Silkey  512.475.8284
Sysadmin / BOFH  silkey@ece.utexas.edu
Dept. of Electrical and Computer Engineering
The University of Texas at Austin  ENS 526W
1024-bit DSA Key ID via GPG 0x35EB31E2