Presently have a linux box that only runs as a firewall.

I'm wanting to set up a second linux box also as a firewall (with the same rules) but to automatically take over if the primary firewall fails, thus making my firewall redundant.

I think Shorewall is only an interface to make iptables rule administration easier, so on its own it doesn't handle this. Can this be done? Has anyone done this? If yes to either of those, can you point me in the right direction of what I need to be looking at to make this a possibility?

Thanks to anyone who can help with this.

Jay
I am in the process of setting this up right now. I am using Bering+uClibc with keepalived installed. Keepalived is kind of a pain to configure at first, but it does just about everything you could ask for. Right now I am stuck on how to get the two servers to communicate with shorewall stopped, though. I know that I can specify which ports and to what hosts each system can talk under the routestopped file. It's just a matter of how I want to set that part up.

At 12:46 PM 2/10/2003 -0700, you wrote:
> Presently have a linux box that only runs as a firewall.
>
> I'm wanting to set up a second linux box also as a firewall (with the same rules) but to automatically take over if the primary firewall fails, thus making my firewall redundant.
>
> I think Shorewall is only an interface to make iptables rule administration easier, so on its own it doesn't handle this. Can this be done? Has anyone done this? If yes to either of those, can you point me in the right direction of what I need to be looking at to make this a possibility?
>
> Thanks to anyone who can help with this.
>
> Jay
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.shorewall.net
> http://lists.shorewall.net/mailman/listinfo/shorewall-users
Charles Holbrook wrote:
> I am in the process of setting this up right now. I am using Bering+uClibc with keepalived installed. Keepalived is kind of a pain to configure at first, but it does just about everything you could ask for. Right now I am stuck on how to get the two servers to communicate with shorewall stopped, though. I know that I can specify which ports and to what hosts each system can talk under the routestopped file. It's just a matter of how I want to set that part up.

There are no port/protocol specifications in the routestopped file. You just need to list the other firewall's IP in the file.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
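To make the two points above concrete (Charles's problem of the two boxes talking while shorewall is stopped, and Tom's answer that routestopped only lists interface and host), here is an added example of a keepalived notify script for a two-box Shorewall pair. It is not code from this thread, from Shorewall or from keepalived. It assumes keepalived's documented notify interface (the script is called with TYPE NAME STATE PRIORITY, STATE being MASTER, BACKUP or FAULT), the two-column INTERFACE/HOST(S) routestopped layout of Shorewall 1.3, and placeholder values for the peer interface (eth1) and peer address (192.168.1.2). It follows the model discussed in the thread: the standby box keeps shorewall stopped and starts the full ruleset when it takes over.

```shell
#!/bin/sh
# Added example (not from the thread, Shorewall or keepalived): keepalived
# notify script for a two-node Shorewall firewall pair.
# keepalived runs a notify script as:  SCRIPT TYPE NAME STATE PRIORITY
# with STATE one of MASTER, BACKUP or FAULT.
# Assumed placeholders: routestopped path, peer interface and peer address.

ROUTESTOPPED="${ROUTESTOPPED:-/etc/shorewall/routestopped}"
PEER_IF="${PEER_IF:-eth1}"            # interface the VRRP/heartbeat link is on
PEER_IP="${PEER_IP:-192.168.1.2}"     # the other firewall's address on that link

# Map a keepalived state to the shorewall command to run. The command is
# printed, not executed, so the mapping can be checked without a firewall.
action_for_state() {
    case "$1" in
        MASTER) echo start ;;   # we hold the VIP now: load the full ruleset
        BACKUP) echo stop ;;    # standby: only routestopped hosts are reachable
        FAULT)  echo stop ;;    # link trouble: fail closed but keep the peer reachable
        *)      echo unknown; return 1 ;;
    esac
}

# A constructed sample routestopped file in the assumed Shorewall 1.3 layout
# (INTERFACE, HOST(S)); no port or protocol columns, as Tom says above.
sample_routestopped() {
    printf '#INTERFACE\tHOST(S)\n'
    printf 'eth1\t192.168.1.2\t# the peer firewall\n'
}

# Return 0 if the peer is listed for the given interface in the file.
# Without this entry the boxes cannot exchange keepalive traffic while the
# standby has shorewall stopped, so failover detection silently breaks.
peer_in_routestopped() {
    file="$1"; iface="$2"; ip="$3"
    sed 's/#.*//' "$file" | awk -v i="$iface" -v h="$ip" \
        '$1 == i && $2 == h { found = 1 } END { exit found ? 0 : 1 }'
}

main() {
    state="$3"
    action=$(action_for_state "$state") || { echo "unknown state: $state" >&2; exit 1; }
    if ! peer_in_routestopped "$ROUTESTOPPED" "$PEER_IF" "$PEER_IP"; then
        echo "warning: $PEER_IP on $PEER_IF is not in $ROUTESTOPPED; peer unreachable while stopped" >&2
    fi
    if command -v logger >/dev/null 2>&1; then
        logger -t fw-failover "state=$state, running: shorewall $action"
    fi
    shorewall "$action"
}

# keepalived passes four arguments; when run bare or sourced, do nothing.
if [ $# -ge 3 ]; then
    main "$@"
fi
```

Point keepalived at the script with `notify /path/to/script` inside the `vrrp_instance` block; the same script can serve as `notify_master`, `notify_backup` and `notify_fault` because it dispatches on the third argument. Keeping the ruleset loaded on both boxes is the other common design; it makes takeover faster but means the routestopped question never arises.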
I'm working on this as well with heartbeat. If you guys want to collaborate, maybe we could all get this accomplished.

Then we could possibly create a howto for Tom. 3 heads are better than one ;-)

-Paul

On Mon, 10 Feb 2003 13:56:23 -0600 Charles Holbrook <cholbrook@hi-privacy.net> opened up to us and said:
> I am in the process of setting this up right now. I am using Bering+uClibc with keepalived installed. Keepalived is kind of a pain to configure at first, but it does just about everything you could ask for. Right now I am stuck on how to get the two servers to communicate with shorewall stopped, though. I know that I can specify which ports and to what hosts each system can talk under the routestopped file. It's just a matter of how I want to set that part up.
>
> At 12:46 PM 2/10/2003 -0700, you wrote:
> > Presently have a linux box that only runs as a firewall.
> >
> > I'm wanting to set up a second linux box also as a firewall (with the same rules) but to automatically take over if the primary firewall fails, thus making my firewall redundant.
> >
> > I think Shorewall is only an interface to make iptables rule administration easier, so on its own it doesn't handle this. Can this be done? Has anyone done this? If yes to either of those, can you point me in the right direction of what I need to be looking at to make this a possibility?
> >
> > Thanks to anyone who can help with this.
> >
> > Jay

--
Paul Slinski
System Administrator
Global IQX
http://www.globaliqx.com/
pauls@globaliqx.com
Paul Slinski wrote:
> Then we could possibly create a howto for Tom. 3 heads are better than one ;-)

Particularly when none of the three is mine :-)

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
rofl

On Mon, 10 Feb 2003 12:16:00 -0800 Tom Eastep <teastep@shorewall.net> opened up to us and said:
> Paul Slinski wrote:
> > Then we could possibly create a howto for Tom. 3 heads are better than one ;-)
>
> Particularly when none of the three is mine :-)
>
> -Tom
> --
> Tom Eastep    \ Shorewall - iptables made easy
> Shoreline,     \ http://www.shorewall.net
> Washington USA  \ teastep@shorewall.net

--
Paul Slinski
System Administrator
Global IQX
http://www.globaliqx.com/
pauls@globaliqx.com
On Mon, 2003-02-10 at 12:02, Paul Slinski wrote:
> I'm working on this as well with heartbeat. If you guys want to collaborate, maybe we could all get this accomplished.
>
> Then we could possibly create a howto for Tom. 3 heads are better than one ;-)

Paul,
I think network diagrams that illustrate secure topologies would be a good addition to this howto.

--
Mike Noyes <mhnoyes @ users.sourceforge.net>
http://sourceforge.net/users/mhnoyes/
http://leaf-project.org/ http://sitedocs.sf.net/ http://ffl.sf.net/
Mike, no one expressed any interest in working with me. I'll be on my own, but I will make sure to create the associated diagrams.

-Paul

On 10 Feb 2003 14:50:46 -0800 Mike Noyes <mhnoyes@users.sourceforge.net> opened up to us and said:
> On Mon, 2003-02-10 at 12:02, Paul Slinski wrote:
> > I'm working on this as well with heartbeat. If you guys want to collaborate, maybe we could all get this accomplished.
> >
> > Then we could possibly create a howto for Tom. 3 heads are better than one ;-)
>
> Paul,
> I think network diagrams that illustrate secure topologies would be a good addition to this howto.
>
> --
> Mike Noyes <mhnoyes @ users.sourceforge.net>
> http://sourceforge.net/users/mhnoyes/
> http://leaf-project.org/ http://sitedocs.sf.net/ http://ffl.sf.net/

--
Paul Slinski
System Administrator
Global IQX
http://www.globaliqx.com/
pauls@globaliqx.com
> I'm working on this as well with heartbeat. If you guys want to collaborate, maybe we could all get this accomplished.
>
> Then we could possibly create a howto for Tom. 3 heads are better than one ;-)

Is heartbeat hardware, software or both? Does it not just monitor things? How does it "take over" the function of the down server?

With me being very new to redundant anything, I'm not sure how much help I can offer to a howto except ensuring a complete newbie to HA systems can understand it :)

Jay
> I am in the process of setting this up right now. I am using Bering+uClibc with keepalived installed. Keepalived is kind of a pain to configure at first, but it does just about everything you could ask for. Right now I am stuck on how to get the two servers to communicate with shorewall stopped, though. I know that I can specify which ports and to what hosts each system can talk under the routestopped file. It's just a matter of how I want to set that part up.
>
> At 12:46 PM 2/10/2003 -0700, you wrote:
> > Presently have a linux box that only runs as a firewall.

Thanks for the reply. I'm not really familiar with Bering+uClibc. Does that have something to do with embedded systems? Will keepalived work on any system (like a regular Red Hat linux box)? Is keepalived all I need, or is this on top of some clustering system?

Sorry if I'm asking dumb questions. I'm really new to the whole high availability thing.

Jay
Heartbeat does monitoring via a 'heartbeat' using serial ports and ethernet (udp). It supports the watchdog device.

http://www.linux-ha.org/

-Paul

On Mon, 10 Feb 2003 21:27:46 -0700 "Jay" <jay1@swift-web.com> opened up to us and said:
> > I'm working on this as well with heartbeat. If you guys want to collaborate, maybe we could all get this accomplished.
> >
> > Then we could possibly create a howto for Tom. 3 heads are better than one ;-)
>
> Is heartbeat hardware, software or both? Does it not just monitor things? How does it "take over" the function of the down server?
>
> With me being very new to redundant anything, I'm not sure how much help I can offer to a howto except ensuring a complete newbie to HA systems can understand it :)
>
> Jay

--
Paul Slinski
System Administrator
Global IQX
http://www.globaliqx.com/
pauls@globaliqx.com
A quick note, and a wee bit off-topic, but I have the initial setup complete for heartbeat and tomorrow I will be implementing the shorewall parts. I'll keep you posted.

On Mon, 10 Feb 2003 12:46:09 -0700 "Jay" <jay1@swift-web.com> opened up to us and said:
> Presently have a linux box that only runs as a firewall.
>
> I'm wanting to set up a second linux box also as a firewall (with the same rules) but to automatically take over if the primary firewall fails, thus making my firewall redundant.
>
> I think Shorewall is only an interface to make iptables rule administration easier, so on its own it doesn't handle this. Can this be done? Has anyone done this? If yes to either of those, can you point me in the right direction of what I need to be looking at to make this a possibility?
>
> Thanks to anyone who can help with this.
>
> Jay

--
Paul Slinski
System Administrator
Global IQX
http://www.globaliqx.com/
pauls@globaliqx.com
Sorry it took so long to get back about this. When I actually get my setup up and running, I am going to be pulling the configs for everything off and attempt to come up with a HOWTO. It might be bassackwards, but who knows, it might help someone else get through it.

At 05:52 PM 2/10/2003 -0500, you wrote:
> Mike, no one expressed any interest in working with me. I'll be on my own, but I will make sure to create the associated diagrams.
>
> -Paul
>
> On 10 Feb 2003 14:50:46 -0800 Mike Noyes <mhnoyes@users.sourceforge.net> opened up to us and said:
> > On Mon, 2003-02-10 at 12:02, Paul Slinski wrote:
> > > I'm working on this as well with heartbeat. If you guys want to collaborate, maybe we could all get this accomplished.
> > >
> > > Then we could possibly create a howto for Tom. 3 heads are better than one ;-)
> >
> > Paul,
> > I think network diagrams that illustrate secure topologies would be a good addition to this howto.
> >
> > --
> > Mike Noyes <mhnoyes @ users.sourceforge.net>
> > http://sourceforge.net/users/mhnoyes/
> > http://leaf-project.org/ http://sitedocs.sf.net/ http://ffl.sf.net/
>
> --
> Paul Slinski
> System Administrator
> Global IQX
> http://www.globaliqx.com/
> pauls@globaliqx.com
Any notes either of you can give on this would be extremely helpful. Maybe I should have started on something easier to make redundant, like static webservers. ;)

Thanks for your willingness to share your experiences and findings.

Jay