Hi,

I would appreciate it if I could get some advice before setting up a firewall with a failover procedure.

Network layout:

          loc1
           |
net1 --- Shorewall1 --- net2
 |                        |
net1 --- Shorewall2 --- net2
           |
          loc2

loc1: 10.0.0.0/16
loc2: 10.1.0.0/16
net1: 172.16.0.0/24
net2: 172.16.1.0/24
Shorewall1: 3 NICs connected to loc1, net1 and net2
Shorewall2: 3 NICs connected to loc2, net1 and net2

Assumption:
Shorewall1,2 route loc1 and loc2 traffic via net1 by default and use net2 only as a backup in case net1 fails. If net1 comes back on-line, packets should be re-routed through net1.

Connection example:
HTTP or FTP data download from client in loc1 (10.0.0.1) and server in loc2 (10.1.0.1) through net1 (default route loc1->loc2).
While HTTP/FTP download in progress, net1 link fails.

I suppose Shorewall1 and Shorewall2 can be configured to re-route packets automatically in case a link (net1 or net2) fails. However, changing the route through a different physical interface should break active connections.

I don't think there's any way of "preserving" a connection in this scenario and "moving it transparently" from, say, net1 to net2, so that the user application (FTP/HTTP) isn't interrupted. Am I right?
i.e. the connection must always be re-initiated/resumed by the client after transient network failure and re-routing.

============================================

Other network layout:

                         loc1 --------- loc1
                           |              |
(ucarp or keepalived) Shorewall1 --- Shorewall2 (conntrackd)
                           |              |
                         net1           net2
                           |              |
(ucarp or keepalived) Shorewall3 --- Shorewall4 (conntrackd)
                           |              |
                         loc2 --------- loc2

conntrackd: 192.168.100.0/24 (crossover cable)
loc1, loc2, net1, net2: same as in previous example

Assumptions:
Shorewall1 and Shorewall3 are "masters" and route traffic through net1 (default route).
Shorewall2 and Shorewall4 are "slaves" and route traffic through net2.
If net1 fails then all traffic from/to loc1/loc2 is sent through net2.
Conntrackd syncs connection states between Shorewall1 and Shorewall2. Same for Shorewall3 and Shorewall4.

Connection example:
Same as in previous example.
HTTP or FTP data download from client in loc1 (10.0.0.1) and server in loc2 (10.1.0.1) through masters Shorewall1 & Shorewall3 via net1.
While HTTP/FTP download in progress, net1 link fails and traffic should flow through slaves Shorewall2 & Shorewall4 via net2.

Will the HTTP/FTP client in loc1 be able to continue downloading the file in loc2 as if there weren't any network disruptions?

Thanks for your time,

Vieri

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats.
http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
On 09/17/2012 06:06 AM, Vieri Di Paola wrote:
> Hi,
> 
> I would appreciate it if I could get some advice before setting up a firewall with a failover procedure.
> 
> Network layout:
> 
>           loc1
>            |
> net1 --- Shorewall1 --- net2
>  |                        |
> net1 --- Shorewall2 --- net2
>            |
>           loc2
> 
> loc1: 10.0.0.0/16
> loc2: 10.1.0.0/16
> net1: 172.16.0.0/24
> net2: 172.16.1.0/24
> Shorewall1: 3 NICs connected to loc1, net1 and net2
> Shorewall2: 3 NICs connected to loc2, net1 and net2
> 
> Assumption:
> Shorewall1,2 route loc1 and loc2 traffic via net1 by default and use net2 only as a backup in case net1 fails. If net1 comes back on-line, packets should be re-routed through net1.
> 
> Connection example:
> HTTP or FTP data download from client in loc1 (10.0.0.1) and server in loc2 (10.1.0.1) through net1 (default route loc1->loc2).
> While HTTP/FTP download in progress, net1 link fails.
> 
> I suppose Shorewall1 and Shorewall2 can be configured to re-route packets automatically in case a link (net1 or net2) fails. However, changing the route through a different physical interface should break active connections.
> 
> I don't think there's any way of "preserving" a connection in this scenario and "moving it transparently" from, say, net1 to net2, so that the user application (FTP/HTTP) isn't interrupted. Am I right?
> i.e. the connection must always be re-initiated/resumed by the client after transient network failure and re-routing.

It depends on how net1 fails. If an error ICMP is returned to either of
the endpoints, then the connection will be broken.

> ============================================
> 
> Other network layout:
> 
>                          loc1 --------- loc1
>                            |              |
> (ucarp or keepalived) Shorewall1 --- Shorewall2 (conntrackd)
>                            |              |
>                          net1           net2
>                            |              |
> (ucarp or keepalived) Shorewall3 --- Shorewall4 (conntrackd)
>                            |              |
>                          loc2 --------- loc2
> 
> conntrackd: 192.168.100.0/24 (crossover cable)
> loc1, loc2, net1, net2: same as in previous example
> 
> Assumptions:
> Shorewall1 and Shorewall3 are "masters" and route traffic through net1 (default route).
> Shorewall2 and Shorewall4 are "slaves" and route traffic through net2.
> If net1 fails then all traffic from/to loc1/loc2 is sent through net2.
> Conntrackd syncs connection states between Shorewall1 and Shorewall2. Same for Shorewall3 and Shorewall4.
> 
> Connection example:
> Same as in previous example.
> HTTP or FTP data download from client in loc1 (10.0.0.1) and server in loc2 (10.1.0.1) through masters Shorewall1 & Shorewall3 via net1.
> While HTTP/FTP download in progress, net1 link fails and traffic should flow through slaves Shorewall2 & Shorewall4 via net2.
> 
> Will the HTTP/FTP client in loc1 be able to continue downloading the file in loc2 as if there weren't any network disruptions?

Same issue as above.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
--- On Mon, 9/17/12, Tom Eastep <teastep@shorewall.net> wrote:
> It depends on how net1 fails. If an error ICMP is returned
> to either of
> the endpoints, then the connection will be broken.

Maybe I'm saying something completely absurd and wrong so please bear with me.
Since both the client and server are right behind shorewall routers at both ends, would it make sense to block/drop ICMP altogether in order to avoid error messages and broken connections?

Vieri
On 9/17/12 1:21 PM, Vieri Di Paola wrote:
> Maybe I'm saying something completely absurd and wrong so please bear with me.
> Since both the client and server are right behind shorewall routers at both ends, would it make sense to block/drop ICMP altogether in order to avoid error messages and broken connections?

Let's back up a little. How do you plan to detect link failures and what
will you do when a failure is detected?

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
--- On Tue, 9/18/12, Tom Eastep <teastep@shorewall.net> wrote:
> > Maybe I'm saying something completely absurd and wrong
> > so please bear with me.
> > Since both the client and server are right behind
> > shorewall routers at both ends, would it make sense to
> > block/drop ICMP altogether in order to avoid error messages
> > and broken connections?
> 
> Let's back up a little. How do you plan to detect link
> failures and what
> will you do when a failure is detected?

I would do something like:
http://www.shorewall.net/MultiISP.html#LinkMonitor ('fallback' provider)

I was thinking of detecting link failures with anything other than pings. Maybe issuing 'arp -d <ip_addr_to_monitor> ; arp <ip_addr_to_monitor>'. If arp doesn't resolve a MAC address (it should be able to in my network example) then I'm assuming that the 'net1' link is dead.

Vieri
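The ARP-based link check proposed above, written out as a small monitor so the failover decision can be tested on its own. This is an added example, not code from the thread and not part of Shorewall or its LinkMonitor/provider mechanism; the interface names (eth1, eth2), the probed peer addresses (172.16.0.2 on net1, 172.16.1.2 on net2), the probe interval and the failure threshold are all placeholders chosen to fit the layout in the thread. The live probe assumes iproute2 and iputils arping; the decision function needs neither.

```shell
#!/bin/sh
# Added example, not from the thread and not part of Shorewall: an ARP-based
# link check of the kind the poster describes ("arp -d <ip>; arp <ip>"), plus
# the failover/fail-back decision a monitor would apply to its result.
#
# Placeholders (not from the thread): net1/net2 interfaces eth1/eth2, and the
# peer firewall's address on each link (172.16.0.2 on net1, 172.16.1.2 on net2).
# The live probe needs iproute2 ("ip") and iputils "arping"; the decision
# logic below needs no network and is what the test exercises.

NET1_IF=${NET1_IF:-eth1}
NET1_GW=${NET1_GW:-172.16.0.2}
NET2_IF=${NET2_IF:-eth2}
NET2_GW=${NET2_GW:-172.16.1.2}
INTERVAL=${INTERVAL:-5}      # seconds between probes
THRESHOLD=${THRESHOLD:-3}    # consecutive failed probes before leaving net1

# link_probe IFACE ADDR
#   Flush the cached neighbour entry (the poster's "arp -d") so a stale MAC
#   cannot hide a dead link, then ask the peer to answer ARP directly.
#   iputils arping exits 0 only if at least one reply arrived within the deadline.
link_probe() {
    ip neigh flush to "$2" dev "$1" 2>/dev/null
    arping -q -c 3 -w 3 -I "$1" "$2"
}

# next_state CURRENT PROBE_OK FAILS THRESHOLD
#   Pure decision function (no network). CURRENT is "net1" or "net2";
#   PROBE_OK is 1 if the latest net1 probe got a reply, else 0; FAILS is the
#   number of consecutive failed probes so far. Prints "<state> <fail_count>".
#   net1 is preferred again as soon as it answers (fail-back), while moving to
#   net2 takes THRESHOLD consecutive failures so one lost reply cannot flap
#   the route.
next_state() {
    cur=$1 ok=$2 fails=$3 thr=$4
    if [ "$ok" -eq 1 ]; then
        printf 'net1 0\n'
        return
    fi
    fails=$((fails + 1))
    if [ "$fails" -ge "$thr" ]; then
        printf 'net2 %d\n' "$fails"
    else
        printf '%s %d\n' "$cur" "$fails"
    fi
}

# apply_route STATE
#   Move the default route. On a Shorewall box with providers configured this
#   step would go through Shorewall's own provider handling rather than bare
#   iproute2; plain "ip route" is used here only to keep the example standalone.
apply_route() {
    case $1 in
        net1) ip route replace default via "$NET1_GW" dev "$NET1_IF" ;;
        net2) ip route replace default via "$NET2_GW" dev "$NET2_IF" ;;
    esac
}

# monitor_loop
#   Probe net1 every INTERVAL seconds; change the route only when the decision
#   changes, and log each transition.
monitor_loop() {
    state=net1 fails=0
    while :; do
        if link_probe "$NET1_IF" "$NET1_GW"; then ok=1; else ok=0; fi
        new=$(next_state "$state" "$ok" "$fails" "$THRESHOLD")
        new_state=${new% *}
        fails=${new#* }
        if [ "$new_state" != "$state" ]; then
            apply_route "$new_state"
            logger -t linkcheck "default route moved to $new_state (consecutive net1 failures: $fails)"
            state=$new_state
        fi
        sleep "$INTERVAL"
    done
}

# Usage: sh linkcheck.sh run    (as root; runs the monitor)
#        sh linkcheck.sh probe  (one net1 probe; the exit status is the result)
case "${1:-}" in
    run)   monitor_loop ;;
    probe) link_probe "$NET1_IF" "$NET1_GW" ;;
    *)     : ;;   # no arguments: only define the functions
esac
```

Keeping the decision in next_state separate from the probe is what makes the behaviour checkable without a lab: the threshold guards the move to net2, and a single successful probe is enough to return to net1, which matches the preference for net1 stated at the top of the thread.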
On Mon, Sep 17, 2012 at 8:44 AM, Tom Eastep <teastep@shorewall.net> wrote:
> On 09/17/2012 06:06 AM, Vieri Di Paola wrote:
> > Hi,
> >
> > I would appreciate it if I could get some advice before setting up a
> > firewall with a failover procedure.
> >
> > Network layout:
> >
> >           loc1
> >            |
> > net1 --- Shorewall1 --- net2
> >  |                        |
> > net1 --- Shorewall2 --- net2
> >            |
> >           loc2
> >
> > loc1: 10.0.0.0/16
> > loc2: 10.1.0.0/16
> > net1: 172.16.0.0/24
> > net2: 172.16.1.0/24
> > Shorewall1: 3 NICs connected to loc1, net1 and net2
> > Shorewall2: 3 NICs connected to loc2, net1 and net2
> >
> > Assumption:
> > Shorewall1,2 route loc1 and loc2 traffic via net1 by default and use
> > net2 only as a backup in case net1 fails. If net1 comes back on-line,
> > packets should be re-routed through net1.
> >
> > Connection example:
> > HTTP or FTP data download from client in loc1 (10.0.0.1) and server in
> > loc2 (10.1.0.1) through net1 (default route loc1->loc2).
> > While HTTP/FTP download in progress, net1 link fails.
> >
> > I suppose Shorewall1 and Shorewall2 can be configured to re-route
> > packets automatically in case a link (net1 or net2) fails. However,
> > changing the route through a different physical interface should break
> > active connections.
> >
> > I don't think there's any way of "preserving" a connection in this
> > scenario and "moving it transparently" from, say, net1 to net2, so that the
> > user application (FTP/HTTP) isn't interrupted. Am I right?
> > i.e. the connection must always be re-initiated/resumed by the client
> > after transient network failure and re-routing.
>
> It depends on how net1 fails. If an error ICMP is returned to either of
> the endpoints, then the connection will be broken.
>

FYI, if you are not tied to Linux, *BSD has pfsync/ucarp which provides a stateful failover solution. Search google for BSD ucarp pfsync.
Caveat: I've not implemented this, but it seems a nice solution.

> > ============================================
> >
> > Other network layout:
> >
> >                          loc1 --------- loc1
> >                            |              |
> > (ucarp or keepalived) Shorewall1 --- Shorewall2 (conntrackd)
> >                            |              |
> >                          net1           net2
> >                            |              |
> > (ucarp or keepalived) Shorewall3 --- Shorewall4 (conntrackd)
> >                            |              |
> >                          loc2 --------- loc2
> >
> > conntrackd: 192.168.100.0/24 (crossover cable)
> > loc1, loc2, net1, net2: same as in previous example
> >
> > Assumptions:
> > Shorewall1 and Shorewall3 are "masters" and route traffic through net1
> > (default route).
> > Shorewall2 and Shorewall4 are "slaves" and route traffic through net2.
> > If net1 fails then all traffic from/to loc1/loc2 is sent through net2.
> > Conntrackd syncs connection states between Shorewall1 and Shorewall2.
> > Same for Shorewall3 and Shorewall4.
> >
> > Connection example:
> > Same as in previous example.
> > HTTP or FTP data download from client in loc1 (10.0.0.1) and server in
> > loc2 (10.1.0.1) through masters Shorewall1 & Shorewall3 via net1.
> > While HTTP/FTP download in progress, net1 link fails and traffic should
> > flow through slaves Shorewall2 & Shorewall4 via net2.
> >
> > Will the HTTP/FTP client in loc1 be able to continue downloading the
> > file in loc2 as if there weren't any network disruptions?
>
> Same issue as above.
>
> -Tom
> -- 
> Tom Eastep        \ When I die, I want to go like my Grandfather who
> Shoreline,         \ died peacefully in his sleep. Not screaming like
> Washington, USA     \ all of the passengers in his car
> http://shorewall.net \________________________________________________
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
>
--- On Tue, 9/18/12, Lee Brown <leeb@ratnaling.org> wrote:
> FYI, if you are not tied to Linux, *BSD has pfsync/ucarp which provides
> a stateful failover solution. Search google for BSD ucarp pfsync.
> Caveat: I've not implemented this, but it seems a nice solution.

Thanks. I'm aware of the BSD solution. However, pfsync is to BSD as conntrackd is to Linux. ucarp is a port of BSD's carp. So carp is to BSD as ucarp (or keepalived for that matter) is to Linux (or other unix OS).
So basically, I think one should be able to do the same with both Linux and *BSD. Unless netfilter/Linux kernel didn't optimize their software for this kind of application (seamless fail-over on dead gateway detection) whereas BSD/pf on the other hand did.
I guess I'll have to try and find out.

Thanks

Vieri