Shorewall users - Mar 2009 - shorewall, ucarp & conntrackd on debian

hi 

i''ve not found many hints on shorewall/ucarp/conntrackd topic.
i''m
sharing this with the list, so that i''m able to search and find it the 
next time. :)

i''ve setup 2 identical systems with shorewall, ucarp and conntrackd in 
an active/backup way.  ucarp just calls ifup/ifdown, all network configuration 
is maintained in /etc/network/interfaces (Debian), also starting/stopping
ucarp/conntrackd/openvpn/etc. 

here is what i''ve needed to configure in shorewall:

shorewall.conf
ADD_IP_ALIASES=No
# if yes, you kill all connections on restarting shorewall

rules:
# ucarp
ACCEPT          $FW             net:224.0.0.22  igmp
ACCEPT          $FW             net:224.0.0.18  vrrp
# conntrackd
ACCEPT          $FW             vl20:224.0.0.22  igmp
ACCEPT          $FW             vl20:225.0.0.50 udp      3780

vl20 ist a vlan for "management" data, replace with whatever you have 
configured in conntrackd.conf .


here is the sample etc/network/interfaces stuff:

# real ip (automatically started)
iface eth2 inet static
        address x.x.x.x
        netmask x.x.x.x
        gateway x.x.x.x
        up /etc/ucarp/start
        up /etc/init.d/conntrackd start
        pre-down /etc/ucarp/stop
        down /etc/init.d/conntrackd stop

# virtual ip (started/stopped by ucarp vip-up/vip-down script)
iface eth2:ucarp inet static
        address x.x.x.x
        netmask x.x.x.x
        pre-up /usr/sbin/conntrackd -C /etc/conntrackd.conf -c # commit the
cache
        pre-up /usr/sbin/conntrackd -C /etc/conntrackd.conf -f # flush the
caches
        pre-up /usr/sbin/conntrackd -C /etc/conntrackd.conf -R # resync with
kernel conntrack table
        pre-up /sbin/ifup interface1 interface2 [..]
        up /etc/init.d/<whateverservice> start
        down /etc/init.d/<whateverservice> down
        post-down /sbin/ifdown interface1 interface2 [..]
        post-down /usr/sbin/conntrackd -C /etc/conntrackd.conf -n # request a
resync from other nodes via multicast

what i don''t know, is which the accurate order of the conntrackd and 
ifup command. does anybody know if it the order is important?

- Thomas

 




------------------------------------------------------------------------------
Apps built with the Adobe(R) Flex(R) framework and Flex Builder(TM) are
powering Web 2.0 with engaging, cross-platform capabilities. Quickly and
easily build your RIAs with Flex Builder, the Eclipse(TM)based development
software that enables intelligent coding and step-through debugging.
Download the free 60 day trial. http://p.sf.net/sfu/www-adobe-com