Hello List:

Recently our shorewall FW server went dead (PS failure) & brought the entire
system down. Luckily we are testing the FW and other servers, so we did not
lose anything. Now we have decided to set up two Shorewall FW servers with a
primary & another failover FW server.

I have done some research, cruised the Internet and found that a product
'UCARP' (http://www.ucarp.org/) might provide a solution. Our current setup
is (same as on Shorewall web site) as follows:

                     T1
                    ----
                     |
             Cisco 26xx Router
             -----------------
                     |
         Shorewall Firewall Server (FW)
         ------------------------------
                     |
          -------------------------------
          |      |      |      |       |
         DNS1   DNS2  RADIUS  MAIL    DATA

After I deploy a failover FW server, the setup will look like this:

                     T1
                    ----
                     |
             Cisco 26xx Router
             -----------------
                     |
           -----------------------
           |                     |
          FW1                   FW2
          ----                  ----
           |                     |
          -------------------------------
          |      |      |      |       |
         DNS1   DNS2  RADIUS  MAIL    DATA

Questions:
(1) Is somebody using 'UCARP' for a failover firewall server?
    If yes, please give your opinion!
(2) Is there another solution?

My first preference is to use a failover module specially designed for
Shorewall FW. After checking the Internet, I have not found anything.

TOM: Thank you for a great product.

Kirti
Kirti S. Bajwa wrote:
> Hello List:
> 
> Recently our shorewall FW server went dead (PS failure) & brought the entire
> system down. Luckily we are testing the FW and other servers, so we did not
> lose anything. Now we have decided to set up two Shorewall FW servers with a
> primary & another failover FW server.
> 
> I have done some research, cruised the Internet and found that a product
> 'UCARP' (http://www.ucarp.org/) might provide a solution. Our current setup
> is (same as on Shorewall web site) as follows:
> 
>                      T1
>                     ----
>                      |
>              Cisco 26xx Router
>              -----------------
>                      |
>          Shorewall Firewall Server (FW)
>          ------------------------------
>                      |
>           -------------------------------
>           |      |      |      |       |
>          DNS1   DNS2  RADIUS  MAIL    DATA
> 
> After I deploy a failover FW server, the setup will look like this:
> 
>                      T1
>                     ----
>                      |
>              Cisco 26xx Router
>              -----------------
>                      |
>            -----------------------
>            |                     |
>           FW1                   FW2
>           ----                  ----
>            |                     |
>           -------------------------------
>           |      |      |      |       |
>          DNS1   DNS2  RADIUS  MAIL    DATA
> 
> Questions:
> (1) Is somebody using 'UCARP' for a failover firewall server?
>     If yes, please give your opinion!
> (2) Is there another solution?

http://www.xenos.net/library/hafirewall.html, but you might find it a lot
simpler to just use a system with dual power supply support. What you're
talking about just moves the single point of failure problem around to
different parts of the network map. True redundancy is a very expensive and
difficult goal to attain. I unfortunately can't find a really good article I
once read comparing 5 9's reliability to climbing a greased flagpole, so
here's my own inferior paper on risk management:
http://www.monkeynoodle.org/comp/risk

> My first preference is to use a failover module specially designed for
> Shorewall FW. After checking the Internet, I have not found anything.

-- 
Jack at Monkeynoodle dot Org: It's a Scientific Venture...
Riding the Emergency Third Rail Power Trip since 1996!
Kirti S. Bajwa wrote:
> (1) Is somebody using 'UCARP' for a failover firewall server?
>     If yes, please give your opinion!
> (2) Is there another solution?

You could look at VRRP and the many other pieces of LVS & Linux HA:

Some links:

http://keepalived.sourceforge.net/
http://www.linux-ha.org/

I suppose a hardware load balancer would work too. I have no idea of any
pros/cons of the various approaches.

A quick Google search uncovered this link:

http://www.xenos.net/library/hafirewall.html

which seems to be particularly relevant.

If you're using any bridging or proxy-ARP, beware of ARP caches in hosts
and switches.

A.
Hello,

Jack has got it 100% right with the 5 9's, but you might try:

http://www.linux-ha.org,
http://www.linux-ha.org/download/GettingStarted.html and
http://www.geocities.com/latompa/ha/apache_heartbeat.html.

BTW, assuming you are running shorewall on some type of Linux or FreeBSD OS,
what is the purpose of the Cisco 2690 or whatever is the upstream router? If
this is supplied by the T1 provider, you may be better off by telling the
upstream provider to take it back.

David.

Jack Coates wrote:
> Kirti S. Bajwa wrote:
> > Hello List:
> > 
> > Recently our shorewall FW server went dead (PS failure) & brought the
> > entire system down. Luckily we are testing the FW and other servers, so
> > we did not lose anything. Now we have decided to set up two Shorewall FW
> > servers with a primary & another failover FW server.
> > 
> > I have done some research, cruised the Internet and found that a product
> > 'UCARP' (http://www.ucarp.org/) might provide a solution. Our current
> > setup is (same as on Shorewall web site) as follows:
> > 
> >                      T1
> >                     ----
> >                      |
> >              Cisco 26xx Router
> >              -----------------
> >                      |
> >          Shorewall Firewall Server (FW)
> >          ------------------------------
> >                      |
> >           -------------------------------
> >           |      |      |      |       |
> >          DNS1   DNS2  RADIUS  MAIL    DATA
> > 
> > After I deploy a failover FW server, the setup will look like this:
> > 
> >                      T1
> >                     ----
> >                      |
> >              Cisco 26xx Router
> >              -----------------
> >                      |
> >            -----------------------
> >            |                     |
> >           FW1                   FW2
> >           ----                  ----
> >            |                     |
> >           -------------------------------
> >           |      |      |      |       |
> >          DNS1   DNS2  RADIUS  MAIL    DATA
> > 
> > Questions:
> > (1) Is somebody using 'UCARP' for a failover firewall server?
> >     If yes, please give your opinion!
> > (2) Is there another solution?
> 
> http://www.xenos.net/library/hafirewall.html, but you might find it a
> lot simpler to just use a system with dual power supply support. What
> you're talking about just moves the single point of failure problem
> around to different parts of the network map. True redundancy is a very
> expensive and difficult goal to attain. I unfortunately can't find a
> really good article I once read comparing 5 9's reliability to climbing
> a greased flagpole, so here's my own inferior paper on risk management:
> http://www.monkeynoodle.org/comp/risk
> 
> > My first preference is to use a failover module specially designed for
> > Shorewall FW. After checking the Internet, I have not found anything.
> 
> -- 
> Jack at Monkeynoodle dot Org: It's a Scientific Venture...
> Riding the Emergency Third Rail Power Trip since 1996!
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
Kirti S. Bajwa wrote:
> Hello List:
> 
> Recently our shorewall FW server went dead (PS failure) & brought the entire
> system down. Luckily we are testing the FW and other servers, so we did not
> lose anything. Now we have decided to set up two Shorewall FW servers with a
> primary & another failover FW server.
> 
> Questions:
> (1) Is somebody using 'UCARP' for a failover firewall server?
>     If yes, please give your opinion!
> (2) Is there another solution?
> 
> My first preference is to use a failover module specially designed for
> Shorewall FW. After checking the Internet, I have not found anything.

There is a netfilter module called ct_sync. It's not in the kernel right now,
so if you want to test it you need to check it out with a subversion client:

svn co http://svn.netfilter.org/netfilter/trunk/netfilter-ha

According to an article I recently read (unfortunately it was in a German
magazine) it does provide the functionality you're looking for. The author of
the article is presently using it on two clusters without any problems. The
only limitation of the module is that it doesn't support 'expectations' yet.

Peter
Well, I'd do it like this:

set up first fw:
  inner IP 1.1.1.1 AND 10.0.0.1
  outer IP 2.1.1.1 AND 10.1.1.1
second fw:
  inner IP 10.0.0.2
  outer IP 10.1.1.2

Then I'd write a shell script to arping the other machine's inner + outer
interface's address; in case it fails, assign both the public IP _AND_ MAC
address to the interface(s).

Not really realtime (as it will take some time for the script to notice the
unavailability), but I think the simplest. Also, it doesn't protect you in
case of some sw failure (like deleting the public IP and keeping the private
one intact - this could be solved by using a public IP from the same subnet
for the arping test (if the primary one is deleted, the secondary one
disappears as well on linux)).

I think the heartbeat daemon can do this, but I haven't investigated it
further.

Jan

Peter Eis wrote:
> Kirti S. Bajwa wrote:
> 
>> Hello List:
>> 
>> Recently our shorewall FW server went dead (PS failure) & brought the
>> entire system down. Luckily we are testing the FW and other servers, so
>> we did not lose anything. Now we have decided to set up two Shorewall FW
>> servers with a primary & another failover FW server.
>> 
>> Questions:
>> (1) Is somebody using 'UCARP' for a failover firewall server?
>>     If yes, please give your opinion!
>> (2) Is there another solution?
>> 
>> My first preference is to use a failover module specially designed for
>> Shorewall FW. After checking the Internet, I have not found anything.
> 
> There is a netfilter module called ct_sync. It's not in the kernel right
> now, so if you want to test it you need to check it out with a subversion
> client:
> svn co http://svn.netfilter.org/netfilter/trunk/netfilter-ha
> According to an article I recently read (unfortunately it was in a
> German magazine) it does provide the functionality you're looking for.
> The author of the article is presently using it on two clusters without
> any problems. The only limitation of the module is that it doesn't
> support 'expectations' yet.
> 
> Peter
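The polling approach Jan sketches, written out as an added example (not code from Jan or from the Shorewall project): the standby arpings the primary's public inner and outer addresses, counts consecutive misses so that one lost reply does not cause a flap, and on takeover adopts both the IP and the MAC before sending gratuitous ARP so stale ARP caches (Adam's warning) are refreshed. Interface names, the /24 prefix and the primary's MAC addresses are assumptions; the IPs are Jan's illustrative ones.

```shell
#!/bin/sh
# Failover watchdog for the standby firewall, after Jan's outline. Addresses
# are from his post; interfaces, prefix length and MACs are assumptions.
PRIMARY_INNER=1.1.1.1          # primary's public inner address
PRIMARY_OUTER=2.1.1.1          # primary's public outer address
INNER_IF=eth1  OUTER_IF=eth0   # assumption: standby's interfaces
INNER_MAC=00:11:22:33:44:01    # placeholder: primary's inner MAC
OUTER_MAC=00:11:22:33:44:02    # placeholder: primary's outer MAC
PREFIX=24                      # assumption: prefix length of both subnets
FAIL_LIMIT=3                   # consecutive misses before takeover (no flapping)
# Probe the *public* address, as Jan notes: if the primary drops that address
# through a software fault, the probe fails even though the box is still up.
probe() { arping -q -c 2 -w 2 -I "$1" "$2" >/dev/null 2>&1; }

# Pure bookkeeping, testable without a network: print the new miss counter
# given the old counter and the probe status (0 = primary answered).
next_misses() {
    if [ "$2" -eq 0 ]; then echo 0; else echo $(( $1 + 1 )); fi
}

# True once the miss counter has reached FAIL_LIMIT.
should_takeover() { [ "$1" -ge "$FAIL_LIMIT" ]; }

# Adopt the primary's IP *and* MAC on each side, then send gratuitous ARP so
# hosts and switches (Adam's ARP-cache warning) learn the new port quickly.
takeover() {
    logger -t fw-failover "primary unreachable, taking over its addresses"
    for spec in "$INNER_IF $INNER_MAC $PRIMARY_INNER" \
                "$OUTER_IF $OUTER_MAC $PRIMARY_OUTER"; do
        set -- $spec    # $1=interface $2=MAC $3=IP
        ip link set dev "$1" down
        ip link set dev "$1" address "$2"
        ip link set dev "$1" up
        ip addr add "$3/$PREFIX" dev "$1"
        arping -U -c 3 -I "$1" "$3"
    done
}

watchdog() {
    misses=0
    while :; do
        probe "$INNER_IF" "$PRIMARY_INNER" && probe "$OUTER_IF" "$PRIMARY_OUTER"
        misses=$(next_misses "$misses" "$?")
        if should_takeover "$misses"; then takeover; exit 0; fi
        sleep 2
    done
}
# Start polling only when invoked as: sh failover.sh run
if [ "${1:-}" = run ]; then watchdog; fi
```

Run it as root on the standby (`sh failover.sh run`); it needs iputils arping and iproute2, and it exits after a takeover so it does not fight the primary when that box returns.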
(This was sent via GMANE on Friday and never arrived. Guess I'm going to
stop using that.)

Kirti S. Bajwa wrote:
> (1) Is somebody using 'UCARP' for a failover firewall server?
>     If yes, please give your opinion!
> (2) Is there another solution?

You could look at VRRP and the many other pieces of LVS & Linux HA:

Some links:

http://keepalived.sourceforge.net/
http://www.linux-ha.org/

I suppose a hardware load balancer would work too. I have no idea of any
pros/cons of the various approaches.

A quick Google search uncovered this link:

http://www.xenos.net/library/hafirewall.html

which seems to be particularly relevant.

If you're using any bridging or proxy-ARP, beware of ARP caches in hosts
and switches.

A.
Adam Sherman wrote:
> (This was sent via GMANE on Friday and never arrived. Guess I'm going to
> stop using that.)

Hmmm -- I already had a copy...

-Tom
-- 
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep wrote:
> Adam Sherman wrote:
> 
>> (This was sent via GMANE on Friday and never arrived. Guess I'm going to
>> stop using that.)
> 
> Hmmm -- I already had a copy...

Never mind my prattling -- for some reason, Adam's post showed up in my
Shorewall folder as 'unread'.

-Tom
-- 
Tom Eastep      \ Nothing is foolproof to a sufficiently talented fool
Shoreline,       \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key     \ https://lists.shorewall.net/teastep.pgp.key
Adam Sherman wrote:
> Kirti S. Bajwa wrote:
> 
>> (1) Is somebody using 'UCARP' for a failover firewall server?
>>     If yes, please give your opinion!
>> (2) Is there another solution?
> 
> You could look at VRRP and the many other pieces of LVS & Linux HA:
> 
> Some links:
> 
> http://keepalived.sourceforge.net/
> http://www.linux-ha.org/

VRRP works fine up to two nodes, and is crap beyond two; if two's all you
need, you're fine.

> I suppose a hardware load balancer would work too. I have no idea of any
> pros/cons of the various approaches.

Bad, bad, bad. This requires a "firewall sandwich", and if you want
redundant load balancers too, you'll end up spending a lot of money on
buying and configuring gear.

> A quick Google search uncovered this link:
> 
> http://www.xenos.net/library/hafirewall.html
> 
> which seems to be particularly relevant.
> 
> If you're using any bridging or proxy-ARP, beware of ARP caches in hosts
> and switches.
> 
> A.

-- 
Jack at Monkeynoodle dot Org: It's a Scientific Venture...
Riding the Emergency Third Rail Power Trip since 1996!