Jérôme RICHARD
2005-Mar-15 10:33 UTC
shorewall restart with keepalived (redundant firewalls)
Hello,

First, thanks to Tom for his great job! Netfilter is really easy and powerful with Shorewall.

So, I have configured two firewalls with Shorewall using keepalived for the redundant VRRP stuff. FW-a is MASTER and FW-b is BACKUP. Everything works correctly and FW-b upgrades to MASTER when FW-a is down or disconnected. FW-b downgrades to BACKUP when FW-a comes back.

But when I do a "shorewall restart" on FW-a, FW-b becomes MASTER, then BACKUP, then MASTER and then BACKUP during the shorewall restart.... I suppose that during the restart, the VRRP frames between the two firewalls are rejected or dropped.

I have tried to add the FW-b IPs of all interfaces in the "routestopped" file but it didn't correct this problem.

Thanks to anyone that can help me!

Jerome.

--
Jerome RICHARD
Tom Eastep
2005-Mar-15 16:34 UTC
Re: shorewall restart with keepalived (redundant firewalls)
Jérôme RICHARD wrote:

> I have tried to add the FW-b IPs of all interfaces in the "routestopped"
> file but it didn't correct this problem.

It is a common misconception that the "routestopped" file has something to do with "restart" -- it doesn't!

What you can do is:

a) In /etc/shorewall/initdone, add iptables commands that allow VRRP to/from the other firewall.

b) In /etc/shorewall/start, add iptables commands that delete the rules added in /etc/shorewall/initdone.

Example (assumes that the other FW has IP address 192.168.1.1 and is accessed through eth0):

/etc/shorewall/initdone:

    run_iptables -A INPUT -s 192.168.1.1 -i eth0 -p vrrp -j ACCEPT
    run_iptables -A OUTPUT -d 192.168.1.1 -i eth0 -p vrrp -j ACCEPT

/etc/shorewall/start:

    run_iptables -D INPUT -s 192.168.1.1 -i eth0 -p vrrp -j ACCEPT
    run_iptables -D OUTPUT -d 192.168.1.1 -i eth0 -p vrrp -j ACCEPT

In Shorewall 2.2.3, I'll add a new extension script "/etc/shorewall/continue" that is invoked earlier than /etc/shorewall/initdone. When you have upgraded to 2.2.3, you can move the commands from 'initdone' to 'continue'.

-Tom

--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep
2005-Mar-15 16:51 UTC
Re: shorewall restart with keepalived (redundant firewalls)
Tom Eastep wrote:

> Example (assumes that the other FW has IP address 192.168.1.1 and is
> accessed through eth0):
>
> /etc/shorewall/initdone:
>
> run_iptables -A INPUT -s 192.168.1.1 -i eth0 -p vrrp -j ACCEPT
> run_iptables -A OUTPUT -d 192.168.1.1 -i eth0 -p vrrp -j ACCEPT
>
> /etc/shorewall/start
>
> run_iptables -D INPUT -s 192.168.1.1 -i eth0 -p vrrp -j ACCEPT
> run_iptables -D OUTPUT -d 192.168.1.1 -i eth0 -p vrrp -j ACCEPT
>
> In Shorewall 2.2.3, I'll add a new extension script
> "/etc/shorewall/continue" that is invoked earlier than
> /etc/shorewall/initdone. When you have upgraded to 2.2.3, you can move
> the commands from 'initdone' to 'continue'.

Copy and paste error: Let me try that again:

/etc/shorewall/initdone

    run_iptables -A INPUT -s 192.168.1.1 -i eth0 -p vrrp -j ACCEPT
    run_iptables -A OUTPUT -d 192.168.1.1 -o eth0 -p vrrp -j ACCEPT

/etc/shorewall/start

    run_iptables -D INPUT -s 192.168.1.1 -i eth0 -p vrrp -j ACCEPT
    run_iptables -D OUTPUT -d 192.168.1.1 -o eth0 -p vrrp -j ACCEPT

-Tom

--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
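Tom's two extension scripts, generalized into one helper that both can source so initdone adds exactly the rules start later deletes (an added example, editor's code, not Tom's or Shorewall's). It assumes unicast VRRP between the peers as in Tom's example (keepalived's default multicast advertisements go to 224.0.0.18 instead), that run_iptables is the Shorewall function available in extension scripts, and that the IPT variable and the VRRP_PREVIEW switch are this example's own names.

```shell
#!/bin/sh
# Added example (editor's code, not Tom's or Shorewall's): one helper that
# both extension scripts can source, so /etc/shorewall/initdone adds exactly
# the rules that /etc/shorewall/start later deletes.
# Assumptions: unicast VRRP between the peers, as in Tom's example (keepalived's
# default multicast advertisements go to 224.0.0.18 instead); IPT is the command
# to run, defaulting to Shorewall's run_iptables, and can be set to "echo" to
# preview the rules without touching the live ruleset.

IPT=${IPT:-run_iptables}

# vrrp_rules ACTION ADDR/IFACE...
#   ACTION is -A (for initdone) or -D (for start); each later argument names
#   a peer firewall address and the interface it is reached through.
vrrp_rules() {
    action=$1; shift
    case "$action" in
        -A|-D) ;;
        *) echo "vrrp_rules: ACTION must be -A or -D, got '$action'" >&2; return 2 ;;
    esac
    [ $# -gt 0 ] || { echo "vrrp_rules: no peers given" >&2; return 2; }
    for peer in "$@"; do
        addr=${peer%/*}
        iface=${peer#*/}
        if [ "$addr" = "$peer" ] || [ -z "$iface" ] || [ -z "$addr" ]; then
            echo "vrrp_rules: bad peer '$peer', expected ADDR/IFACE" >&2
            return 2
        fi
        # VRRP is IP protocol 112; "-p vrrp" is resolved through /etc/protocols.
        # Inbound advertisements match on source address and ingress interface.
        $IPT "$action" INPUT -s "$addr" -i "$iface" -p vrrp -j ACCEPT || return 1
        # OUTPUT has no ingress interface, so the egress one (-o) is matched;
        # this is the detail corrected in Tom's second message.
        $IPT "$action" OUTPUT -d "$addr" -o "$iface" -p vrrp -j ACCEPT || return 1
    done
}

# Dry run: VRRP_PREVIEW=1 sh thisfile.sh prints what initdone and start would run
# for two peer links (constructed sample addresses).
if [ "${VRRP_PREVIEW:-0}" = 1 ]; then
    IPT=echo
    echo "# /etc/shorewall/initdone"; vrrp_rules -A 192.168.1.1/eth0 192.168.2.1/eth1
    echo "# /etc/shorewall/start";    vrrp_rules -D 192.168.1.1/eth0 192.168.2.1/eth1
fi
```

In the real scripts, initdone calls `vrrp_rules -A` and start calls `vrrp_rules -D` with the same peer list, so a mismatch between the two files (the copy and paste error above) cannot occur.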