On Thu, 2004-01-08 at 14:46, james lopez wrote:
> Good afternoon,
>
> We have successfully implemented a Firewall running Shorewall
> version 1.4.6b on a Redhat Linux 9.0 server. I was hoping someone could
> give me some suggestions or insight on how to set up another Firewall
> running as a failover. Any comments would greatly be appreciated.
>
> James
>
The biggest shortcoming that currently exists is that netfilter does not
have any means for stateful failover. What this means is that if/when
the firewall fails over to the backup, all TCP connections are dropped.
That big web or FTP download, SSH connections, etc. all go to the bit
bucket up in the sky. Otherwise, everything can work fine. Look at
keepalived to handle the IP address failover via VRRP. The last portion
would be some means to keep the configuration files in sync, most likely
via SCP or maybe an rsync.
--
David T Hollis <dhollis@davehollis.com>
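The pieces David names, written out as an added example (not from the list post, not Shorewall's or keepalived's own files): a keepalived VRRP configuration for the active node, the Shorewall rules the VRRP adverts need, and the rsync push for the configuration. Host names fw1/fw2, interfaces eth0/eth1, the floating addresses, the router ids and the notify script path are all assumed, as is the 1.4-era rules file column layout.

```shell
#!/bin/sh
# Added example: VRRP failover for a pair of Shorewall boxes (assumed names
# fw1 = master, fw2 = backup; eth0 = external, eth1 = internal; the VIPs
# 203.0.113.10 and 192.168.1.1 are constructed addresses).

# keepalived.conf for the master. On the backup use "state BACKUP" and a
# lower priority. The sync group moves both VIPs together, so a failure on
# one side never leaves the pair half switched (outside on fw1, inside on fw2).
keepalived_conf() {
    cat <<'EOF'
vrrp_sync_group FW {
    group { EXT INT }
    # assumed hook script: e.g. "shorewall restart" if rules depend on the VIP
    notify_master "/usr/local/sbin/shorewall-failover master"
}
vrrp_instance EXT {
    state MASTER
    interface eth0
    virtual_router_id 51
    priority 150
    advert_int 1
    virtual_ipaddress { 203.0.113.10/24 dev eth0 }
}
vrrp_instance INT {
    state MASTER
    interface eth1
    virtual_router_id 52
    priority 150
    advert_int 1
    virtual_ipaddress { 192.168.1.1/24 dev eth1 }
}
EOF
}

# Shorewall must let the VRRP adverts (IP protocol 112, sent to 224.0.0.18)
# in and out on both interfaces, or each node stops hearing the other and
# both claim the VIPs at once (split brain). Drop the fw->zone lines if your
# policy already lets the firewall itself send.
shorewall_vrrp_rules() {
    cat <<'EOF'
#ACTION  SOURCE  DEST  PROTO
ACCEPT   net     fw    112
ACCEPT   loc     fw    112
ACCEPT   fw      net   112
ACCEPT   fw      loc   112
EOF
}

# Config sync: push /etc/shorewall to the standby and have it checked there,
# so a broken rules file is caught before it is ever started on failover.
sync_cmd() {
    echo "rsync -a --delete -e ssh /etc/shorewall/ root@$1:/etc/shorewall/ && ssh root@$1 shorewall check"
}
```

Run `sync_cmd fw2` from cron or after every `shorewall restart` on the active node; `keepalived_conf` and `shorewall_vrrp_rules` print the fragments to paste into keepalived.conf and the rules file.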