There was a lengthy power failure here in Shoreline this morning and my firewall did not come back up when power was restored. The firewall is now up and service to the server has been restored.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Hi,

I have a small problem. I have two firewalls, both shorewalls, each connected to a different provider with different IPs.

I need to be able to route traffic in a fault tolerant way and sometimes that means a packet coming from one shorewall and exiting another.

Is there any recipe for that? Am I crazy? :)

thanks.

--
Eduardo Kaftanski
eduardo@linuxcenterla.com
Red Hat Certified Engineer/Instructor/Examiner
Gerente Ingenieria LinuxCenter S.A.
Mariano Sanchez Fontecilla 310, 2do piso, Edificio Birmann24, Las Condes, Chile
http://www.linuxcenterla.com +56-2-4834000
Hi Eduardo,

what you should do is:

- Have both firewalls handle each IP from each provider as a Virtual IP with a tool like keepalived (www.keepalived.org)
- Use declarations in /etc/shorewall/providers to handle load balancing on each firewall (new feature of 2.4.0: http://shorewall.net/pub/shorewall/2.4/shorewall-2.4.0/releasenotes.txt) or do it yourself with iproute: http://www.shorewall.net/FAQ.htm#faq32

This way you will have 1 firewall acting as master and load balancing the traffic to both ISPs and a slave firewall for failover.

2005/6/24, Eduardo Kaftanski <eduardo@linuxcenterla.com>:
> Hi,
>
> I have a small problem. I have two firewalls, both shorewalls,
> each connected to a different provider with different IPs.
>
> I need to be able to route traffic in a fault tolerant way and
> sometimes that means a packet coming from one shorewall and exiting
> another..
>
> Is there any recipe for that? Am I crazy? :)
>
> thanks.
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm
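As an added example (not from the thread, and not from the keepalived or Shorewall projects), this is what the VRRP-only keepalived setup described above looks like on two Shorewall boxes. The floating address from each provider and the LAN-side gateway address are placed in one vrrp_sync_group so that all three move between the boxes as a unit. Interface names, addresses (documentation ranges), router IDs, priorities and the VRRP password are assumptions for illustration.

```conf
# /etc/keepalived/keepalived.conf on fw1 (added example).
# fw2 runs the same file with a different router_id and a lower priority.
# Assumed layout: eth0 -> ISP1 (192.0.2.0/24), eth1 -> ISP2 (203.0.113.0/24),
# eth2 -> LAN (10.0.0.0/24). All addresses are illustrative.

global_defs {
    router_id fw1
}

# All three floating addresses fail over together. Without the sync group a
# single failed uplink could leave ISP1's address on fw1 and ISP2's address
# on fw2, and neither box would then hold the pair of addresses its routing
# and NAT configuration expects.
vrrp_sync_group FW_GROUP {
    group {
        VI_ISP1
        VI_ISP2
        VI_LAN
    }
}

vrrp_instance VI_ISP1 {
    state BACKUP            # both boxes start as BACKUP so that nopreempt is honoured
    nopreempt               # do not flap back when the old master returns
    interface eth0
    virtual_router_id 51
    priority 150            # fw2: 100
    advert_int 1
    authentication {
        auth_type PASS      # a plaintext VRRP password is not a security boundary;
        auth_pass fw-vrrp   # keep the advertisements on segments you trust
    }
    virtual_ipaddress {
        192.0.2.10/24 dev eth0    # address assigned by ISP1, follows the master
    }
}

vrrp_instance VI_ISP2 {
    state BACKUP
    nopreempt
    interface eth1
    virtual_router_id 52
    priority 150
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass fw-vrrp
    }
    virtual_ipaddress {
        203.0.113.10/24 dev eth1  # address assigned by ISP2, follows the master
    }
}

vrrp_instance VI_LAN {
    state BACKUP
    nopreempt
    interface eth2
    virtual_router_id 53
    priority 150
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass fw-vrrp
    }
    virtual_ipaddress {
        10.0.0.1/24 dev eth2      # default gateway the LAN hosts point at
    }
}
```

Two things to check before relying on this. Shorewall must let the VRRP advertisements through on every interface that carries an instance (IP protocol 112 to 224.0.0.18), otherwise both boxes believe they are master and both claim the addresses. And keepalived only moves the IP addresses: the kernel's connection tracking table, including the NAT mappings, stays on the box that built it, so a transition still breaks established flows unless something else replicates that state.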
On Fri, Jun 24, 2005 at 07:47:07AM +0200, Nicolas Helleringer wrote:
> Hi Eduardo,
>
> what you should do is:
>
> - Have both firewalls handle each IP from each provider as a Virtual IP
> with a tool like keepalived (www.keepalived.org)

ok. I will try this. I now have BGP4 running with the providers, but that gets me a lot of circular routes and NAT fails.

> - Use declarations in /etc/shorewall/providers to handle load balancing
> on each firewall (new feature of 2.4.0:
> http://shorewall.net/pub/shorewall/2.4/shorewall-2.4.0/releasenotes.txt)
> or do it yourself with iproute:
> http://www.shorewall.net/FAQ.htm#faq32
>
> This way you will have 1 firewall acting as master and load balancing
> the traffic to both ISPs and a slave firewall for failover.

--
Eduardo Kaftanski
eduardo@linuxcenterla.com
Red Hat Certified Engineer/Instructor/Examiner
Gerente Ingenieria LinuxCenter S.A.
Mariano Sanchez Fontecilla 310, 2do piso, Edificio Birmann24, Las Condes, Chile
http://www.linuxcenterla.com +56-2-4834000
On Friday 24 June 2005 23:50, Eduardo Kaftanski wrote:
> On Fri, Jun 24, 2005 at 07:47:07AM +0200, Nicolas Helleringer wrote:
> > Hi Eduardo,
> >
> > what you should do is:
> >
> > - Have both firewalls handle each IP from each provider as a Virtual IP
> > with a tool like keepalived (www.keepalived.org)
>
> ok. I will try this. I now have BGP4 running with the providers, but
> that gets me a lot of circular routes and NAT fails.
>
> > - Use declarations in /etc/shorewall/providers to handle load balancing
> > on each firewall (new feature of 2.4.0:
> > http://shorewall.net/pub/shorewall/2.4/shorewall-2.4.0/releasenotes.txt)
> > or do it yourself with iproute:
> > http://www.shorewall.net/FAQ.htm#faq32
> >
> > This way you will have 1 firewall acting as master and load balancing
> > the traffic to both ISPs and a slave firewall for failover.

Hi Eduardo,

IMHO the above solution is not enough. You will need the iptables/kernel enhancement called ct_sync for syncing the NAT/established/related table entries between firewalls. Otherwise you will lose established connections and a hot failover won't work.

There is no ct_sync integration (or something similar) in shorewall yet. So you will have to do it "by hand".

The providers file is intended to handle 2 lines on the SAME box, but you are talking about 2 firewalls, isn't it?

As a start you could read:
http://www.linuxsymposium.org/proceedings/reprints/Reprint-Welte-OLS2004.pdf
https://svn.netfilter.org/netfilter/branches/netfilter-ha/linux-2.6/

HTH,
Alex
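To make the "2 lines on the SAME box" point concrete, here is an added example (not from the thread and not a Shorewall project file) of the per-box side: a /etc/shorewall/providers and a /etc/shorewall/masq file installed identically on both firewalls, written against the Shorewall 2.4 column layout as I understand it (NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS for providers; INTERFACE SUBNET ADDRESS for masq). The interface names, the ISP gateway addresses (192.0.2.1 and 203.0.113.1) and the floating addresses that SNAT uses (192.0.2.10 and 203.0.113.10, assumed to be the ones keepalived moves between the boxes) are assumptions for illustration.

```conf
# /etc/shorewall/providers (added example, identical on both firewalls).
# Column layout as documented for Shorewall 2.4; interfaces, gateways and
# addresses are assumptions for illustration.
#
# track   : mark incoming connections so replies leave by the uplink they
#           arrived on, instead of the balanced default route
# balance : install a multipath default route across both uplinks
#
#NAME   NUMBER  MARK    DUPLICATE   INTERFACE   GATEWAY         OPTIONS
isp1    1       1       main        eth0        192.0.2.1       track,balance
isp2    2       2       main        eth1        203.0.113.1     track,balance
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

# /etc/shorewall/masq (added example, identical on both firewalls).
# SNAT to the floating address of each uplink, never to the box's own fixed
# address: otherwise return traffic for every flow keeps arriving at the
# firewall that started it, even after the floating address has moved.
#INTERFACE  SUBNET          ADDRESS
eth0        10.0.0.0/24     192.0.2.10
eth1        10.0.0.0/24     203.0.113.10
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
```

This gives each box the same routing and NAT behaviour, so whichever one holds the floating addresses forwards correctly. What it does not give you is the state: the conntrack entries, and the NAT mappings stored in them, exist only in the kernel of the box that created them. After a transition the new master sees the replies of an in-flight NATed connection as packets addressed to itself with no matching entry, and they are dropped or rejected by the net-to-fw policy, while the LAN host's next outgoing packet gets a fresh SNAT mapping and, in general, a different source port, which the remote end answers with a reset. Setting NEWNOTSYN=Yes in shorewall.conf (accept mid-stream TCP packets as new connections instead of dropping them) only rescues flows that were not NATed, and it does so by letting any TCP packet with acceptable ports through as if it opened a new connection, which weakens the stateful filter. Replicating the table itself, with ct_sync or a similar mechanism, is what avoids both problems.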
2005/6/25, Alexander Wilms <alex.wilms@adminguru.org>:
> Hi Eduardo,
>
> IMHO the above solution is not enough. You will need the iptables/kernel
> enhancement called ct_sync for syncing the NAT/established/related table
> entries between firewalls. Otherwise you will lose established connections
> and a hot failover won't work.
>
> There is no ct_sync integration (or something similar) in shorewall yet. So
> you will have to do it "by hand".

Actually Alex, there is such a thing (connection tracking) implemented into keepalived :)

> The providers file is intended to handle 2 lines on the SAME box, but you are
> talking about 2 firewalls, isn't it?
>
> As a start you could read:
> http://www.linuxsymposium.org/proceedings/reprints/Reprint-Welte-OLS2004.pdf
> https://svn.netfilter.org/netfilter/branches/netfilter-ha/linux-2.6/
>
> HTH,
> Alex
Nicolas Helleringer wrote:
> 2005/6/25, Alexander Wilms <alex.wilms@adminguru.org>:
>> IMHO the above solution is not enough. You will need the iptables/kernel
>> enhancement called ct_sync for syncing the NAT/established/related table
>> entries between firewalls. Otherwise you will lose established connections
>> and a hot failover won't work.
>>
>> There is no ct_sync integration (or something similar) in shorewall yet. So
>> you will have to do it "by hand".
>
> Actually Alex, there is such a thing (connection tracking) implemented
> into keepalived :)

Do you run such a FW cluster? And/or do you have a documentation for using only keepalived as a hot-standby iptables/netfilter cluster?

AFAIK keepalived is just the userspace failover daemon for LVS virtual servers. You can use it to cluster tcp/ip servers such as http/ftp/smtp/etc. But to synchronize netfilter's connection tracking you need a netfilter kernel module called ct_sync combined with keepalived.
See https://svn.netfilter.org/netfilter/tags/netfilter-ha/ctsync_0_15/README
Or what are we talking about?
>> Actually Alex, there is such a thing (connection tracking) implemented
>> into keepalived :)
>
> Do you run such a FW cluster? And/or do you have a documentation for
> using only keepalived as a hot-standby iptables/netfilter cluster?
>
> AFAIK keepalived is just the userspace failover daemon for LVS virtual
> servers. You can use it to cluster tcp/ip servers such as
> http/ftp/smtp/etc.
> But to synchronize netfilter's connection tracking you need a netfilter
> kernel module called ct_sync combined with keepalived.
> See
> https://svn.netfilter.org/netfilter/tags/netfilter-ha/ctsync_0_15/README

To answer my own last post:
http://www.ssi.bg/~ja/nfct/HOWTO.txt

But still a patch/kernel module is needed to sync the conntrack tables: NFCT. Same could be done by ct_sync. No idea which is better/easier/cooler.

Alex
2005/6/27, Alexander Wilms <alex.wilms@adminguru.org>:
> Do you run such a FW cluster? And/or do you have a documentation for
> using only keepalived as a hot-standby iptables/netfilter cluster?

Indeed I do. I do not have a specific documentation but you can use keepalived without LVS functionality and only VRRP stack up.

> AFAIK keepalived is just the userspace failover daemon for LVS virtual
> servers. You can use it to cluster tcp/ip servers such as http/ftp/smtp/etc.
> But to synchronize netfilter's connection tracking you need a netfilter
> kernel module called ct_sync combined with keepalived.
> See https://svn.netfilter.org/netfilter/tags/netfilter-ha/ctsync_0_15/README
> Or what are we talking about?

My mistake. You are absolutely right: keepalived does the sync for the LVS part only. I am relying on the NEWNOTSYN functionality not to break the existing connections on a master/slave transition (shouldn't I?).

Niko