I have been using shorewall for several years and wish to express my thanks to Tom for his excellent work.

I am now looking to add redundancy to one of the firewalls I manage. The system is a three interface system set up to provide proxy arp for systems in the DMZ. It also provides VPN for road warriors via poptop.

I want to configure an essentially duplicate system to provide backup in the event of failure on the main firewall.

I have been looking at the failover method listed in the book "Linux Server Hacks" and it looks like it will do the trick, except I am not sure how to handle the proxy arps.

Any guidance or suggestions will be greatly appreciated.

--Richard

----------
Richard Pyne
rpyne@shopsite.com
Software Engineer
ShopSite, Inc
http://www.ShopSite.com
I do not have high availability requirements and do not want a failover method to back up my firewalls. Then I can have a minimal downtime.

For this reason I have another firewall box off-line, unplugged and powered-off, and implemented a simple diskette backup of /etc/shorewall files (at the on-line firewall) and a simple restore script (at the off-line firewall).

In case of failures, I plug in the powered-off fw, boot it and restore the latest backup diskette configuration.

Simple, cheap and no more than 5 minutes of downtime.

On Sun, 04 Jul 2004 10:02:10 -0600, Richard Pyne <rpyne@shopsite.com> wrote:
> I have been using shorewall for several years and wish to express my
> thanks to Tom for his excellent work.
>
> I am now looking to add redundancy to one of the firewalls I manage.
> The system is a three interface system set up to provide proxy arp for
> systems in the DMZ. It also provides VPN for road warriors via poptop.
>
> I want to configure an essentially duplicate system to provide backup
> in the event of failure on the main firewall.
>
> I have been looking at the failover method listed in the book "Linux
> Server Hacks" and it looks like it will do the trick, except I am not
> sure how to handle the proxy arps.
>
> Any guidance or suggestions will be greatly appreciated.
>
> --Richard
>
> ----------
> Richard Pyne
> rpyne@shopsite.com
> Software Engineer
> ShopSite, Inc
> http://www.ShopSite.com
On Jul 4, 2004, at 6:02 PM, Richard Pyne wrote:
> I have been using shorewall for several years and wish to express my
> thanks to Tom for his excellent work.
>
> I am now looking to add redundancy to one of the firewalls I manage.
> The system is a three interface system set up to provide proxy arp for
> systems in the DMZ. It also provides VPN for road warriors via poptop.
>
> I want to configure an essentially duplicate system to provide backup
> in the event of failure on the main firewall.
>
> I have been looking at the failover method listed in the book "Linux
> Server Hacks" and it looks like it will do the trick, except I am not
> sure how to handle the proxy arps.

Do you mean proxy arp, or gratuitous arp? If you use heartbeat, then it will send gratuitous arp for you when it takes over IP addresses.

-SteveK

> Any guidance or suggestions will be greatly appreciated.
>
> --Richard
>
> ----------
> Richard Pyne
> rpyne@shopsite.com
> Software Engineer
> ShopSite, Inc
> http://www.ShopSite.com
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe:
> https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
On Mon, 2004-07-05 at 09:45 -0300, Rodolfo Pilas wrote:
> I do not have high availability requirements and do not want a failover
> method to back up my firewalls. Then I can have a minimal downtime.
>
> For this reason I have another firewall box off-line, unplugged and
> powered-off, and implemented a simple diskette backup of /etc/shorewall
> files (at the on-line firewall) and a simple restore script (at the
> off-line firewall).
>
> In case of failures, I plug in the powered-off fw, boot it and restore
> the latest backup diskette configuration.
>
> Simple, cheap and no more than 5 minutes of downtime.

What if you are not around when the failure happens? These kinds of things always happen when you are out on vacation in some far reach of the planet where there are no cell phones or anything!

--
David T Hollis <dhollis@davehollis.com>
On Mon, 05 Jul 2004 09:29:52 -0400, David T Hollis <dhollis@davehollis.com> wrote:
> > Simple, cheap and no more than 5 minutes of downtime.
>
> What if you are not around when the failure happens? These kinds of
> things always happen when you are out on vacation in some far reach of
> the planet where there are no cell phones or anything!

Yes, you are right. This solution is not HA, and must be carefully considered according to each situation. In my case, the datacenter always has people there and my applications do not require high availability.

--
Rodolfo Pilas (Ysidoro con ''Y'')
I mean proxy arp. The systems in the DMZ are configured with their real IP addresses and are included in the proxyarp list in shorewall.

--Richard

On 5 Jul 2004 at 15:05, Steve Kann wrote:
>
> On Jul 4, 2004, at 6:02 PM, Richard Pyne wrote:
>
> > I have been using shorewall for several years and wish to express my
> > thanks to Tom for his excellent work.
> >
> > I am now looking to add redundancy to one of the firewalls I manage.
> > The system is a three interface system set up to provide proxy arp for
> > systems in the DMZ. It also provides VPN for road warriors via poptop.
> >
> > I want to configure an essentially duplicate system to provide backup
> > in the event of failure on the main firewall.
> >
> > I have been looking at the failover method listed in the book "Linux
> > Server Hacks" and it looks like it will do the trick, except I am not
> > sure how to handle the proxy arps.
>
> Do you mean proxy arp, or gratuitous arp? If you use heartbeat, then
> it will send gratuitous arp for you when it takes over IP addresses.
>
> -SteveK
>
> > Any guidance or suggestions will be greatly appreciated.
> >
> > --Richard
> >
> > ----------
> > Richard Pyne
> > rpyne@shopsite.com
> > Software Engineer
> > ShopSite, Inc
> > http://www.ShopSite.com

----------
Richard Pyne
rpyne@shopsite.com
Software Engineer
ShopSite, Inc
http://www.ShopSite.com
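The step the question is really about, as an added example that is not from this thread and not Shorewall's or heartbeat's own code: heartbeat announces the addresses it takes over, but the DMZ hosts' addresses are not heartbeat resources, so the standby firewall must re-publish them itself. The sh script below reads a Shorewall-style proxyarp file (columns ADDRESS INTERFACE EXTERNAL HAVEROUTE, an assumption to check against your Shorewall version) and, for each DMZ host, emits the host route on the DMZ interface, the proxy_arp sysctl on the external interface, and an unsolicited ARP via iputils arping so the upstream router relearns the MAC. The sample file, addresses, interface names and function names are constructed; by default it only prints the commands, and APPLY=1 executes them (root required).

```shell
#!/bin/sh
# Added example (not from the thread, not Shorewall code): on the standby
# firewall, republish DMZ proxy ARP entries at takeover and announce them.
# Assumes a Shorewall-style proxyarp file: ADDRESS INTERFACE EXTERNAL HAVEROUTE
# (verify against your Shorewall version), iproute2 `ip`, iputils `arping`.

# Constructed sample file; 192.0.2.0/24 is a documentation range.
write_sample_proxyarp() {
    cat > "$1" <<'EOF'
#ADDRESS        INTERFACE  EXTERNAL  HAVEROUTE
192.0.2.10      eth1       eth0      no
192.0.2.11      eth1       eth0      yes
# trailing comment line
EOF
}

# Print one command per line needed to take over proxy ARP for file $1.
proxyarp_takeover_cmds() {
    file="$1"
    # drop comments and blank lines, then walk the four columns
    sed -e 's/#.*//' "$file" | awk 'NF' |
    while read -r addr iface ext haveroute; do
        # host route toward the DMZ interface unless HAVEROUTE says it exists
        [ "$haveroute" = "yes" ] || echo "ip route replace $addr dev $iface"
        # answer ARP for the DMZ address on the external interface
        echo "sysctl -w net.ipv4.conf.$ext.proxy_arp=1"
        # unsolicited (gratuitous) ARP so the upstream router's cache moves
        # the address to this firewall's MAC instead of waiting for a timeout
        echo "arping -U -I $ext -c 3 -s $addr $addr"
    done
}

# Dry-run by default; APPLY=1 runs each command (needs root and real NICs).
run_takeover() {
    proxyarp_takeover_cmds "$1" | while read -r cmd; do
        if [ "${APPLY:-0}" = "1" ]; then
            # commands are simple words, so plain word-splitting is fine here
            $cmd || echo "failed: $cmd" >&2
        else
            echo "[dry-run] $cmd"
        fi
    done
}

# Number of generated commands matching pattern $2 for file $1.
count_cmds() {
    proxyarp_takeover_cmds "$1" | grep -c "$2"
}
```

Run it as a heartbeat resource script (or from the remote login Richard mentions) after the shared external address moves; on the upstream router, the DMZ entries in its ARP cache should then show the standby's MAC. Restarting Shorewall on the standby with the same proxyarp file achieves the route and sysctl part; the arping step is what shortens the window during which the router still sends DMZ traffic to the dead firewall's MAC.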
This is fine if you are right there all the time. I am dealing with a location that would take more than an hour to reach if I were ready and waiting to leave the minute it went down. I need a solution that at worst requires a remote login to activate the failover, and at best does it automatically.

--Richard

On 5 Jul 2004 at 9:45, Rodolfo Pilas wrote:
> I do not have high availability requirements and do not want a failover
> method to back up my firewalls. Then I can have a minimal downtime.
>
> For this reason I have another firewall box off-line, unplugged and
> powered-off, and implemented a simple diskette backup of /etc/shorewall
> files (at the on-line firewall) and a simple restore script (at the
> off-line firewall).
>
> In case of failures, I plug in the powered-off fw, boot it and restore
> the latest backup diskette configuration.
>
> Simple, cheap and no more than 5 minutes of downtime.
>
>
> On Sun, 04 Jul 2004 10:02:10 -0600, Richard Pyne <rpyne@shopsite.com> wrote:
> > I have been using shorewall for several years and wish to express my
> > thanks to Tom for his excellent work.
> >
> > I am now looking to add redundancy to one of the firewalls I manage.
> > The system is a three interface system set up to provide proxy arp for
> > systems in the DMZ. It also provides VPN for road warriors via poptop.
> >
> > I want to configure an essentially duplicate system to provide backup
> > in the event of failure on the main firewall.
> >
> > I have been looking at the failover method listed in the book "Linux
> > Server Hacks" and it looks like it will do the trick, except I am not
> > sure how to handle the proxy arps.
> >
> > Any guidance or suggestions will be greatly appreciated.
> >
> > --Richard

----------
Richard Pyne
rpyne@shopsite.com
Software Engineer
ShopSite, Inc
http://www.ShopSite.com