Shorewall users - Mar 2003 - leafbering-uclibc/shorewall/keepalived/IPSEC project

Just a little notice to let everyone know that I have finished the last big 
configuration part of this firewall plan.  As I get ready  to go into 
testing and writing the HOWTO, are there any situations in particular you 
would be interested in me testing out while I have it in R&D?  Also are 
there any specific points or obscure points you might want me to cover in 
the HOWTO?


Catapultam habeo. Nisi pecuniam omnem mihi dabis, ad caput tuum saxum 
immane mittam.

--On Thursday, March 06, 2003 07:04:00 PM -0600 Charles Holbrook 
<lamdamu@jump.net> wrote:
> Just a little notice to let everyone know that I have finished the last
> big configuration part of this firewall plan.  As I get ready  to go into
> testing and writing the HOWTO, are there any situations in particular you
> would be interested in me testing out while I have it in R&D?  Also are
> there any specific points or obscure points you might want me to cover in
> the HOWTO?
>
Charles,

By this time, you know a lot more about this subject than I do -- I''ll 
trust your judgment about the HOWTO.

Having said that though, I have worked with fault-tolerant computers for 
22+ years so I can advise you about several things to try:

a) Split Brain -- break the communications links between the two routers 
and determine if sane behavior results. If not, document the limitations.
b) After a fail-over, reboot the failed system and when it is almost up, 
kill the other router. Does the router being rebooted come up and assume 
control properly or does it still think that it is the backup router?
c) While the routers are under load, spend several hours killing either the 
primary or the backup router at random intervals then rebooting them. There 
should be no anomalies but if there are and if they are unavoidable then 
they must be documented.
d) Simulate power failures - while they are under load, power off both 
routers then power them back on. What happens? Is that acceptable given 
that the routers might be unattended? If not, document the limitation.
e) Same as d) only power off the routers at different times varying which 
router (primary or backup) fails first.

With our NonStop (tm) systems, we do this type of testing and much more -- 
unfortunately, when the results are unacceptable, we can''t simply
"document
the limitation"; we have to fix it :-)

-Tom
--
Tom Eastep   \ Shorewall - iptables made easy
Shoreline,    \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net

On 6 Mar 2003 at 19:04, Charles Holbrook wrote:
> Just a little notice to let everyone know that I have finished the
> last big configuration part of this firewall plan.  As I get ready  to
> go into testing and writing the HOWTO, are there any situations in
> particular you would be interested in me testing out while I have 
it
> in R&D?  Also are there any specific points or obscure points you
> might want me to cover in the HOWTO?
> 
> 
> Catapultam habeo. Nisi pecuniam omnem mihi dabis, ad caput tuum 
saxum
> immane mittam.
> 
Yes...
Integration with a DHCP address on both ends...Perhaps
using something like DynDns.org or some such.

Iligitimi Non Carborundem


______________________________________
John Andersen
NORCOM / Juneau, Alaska
http://www.screenio.com/
(907) 790-3386_______________________________________
John S. Andersen
NORCOM  mailto:JAndersen@norcomsoftware.com
Juneau, Alaska
http://www.screenio.com/