similar to: shorewall restart with keepalived (redundant firewalls)

Displaying 20 results from an estimated 10000 matches similar to: "shorewall restart with keepalived (redundant firewalls)"

2003 Oct 29
5
shorewall question
I am currently using shorewall on leaf-bering. I have set it up with keepalived to create a high availability firewall cluster. I have an odd question in regards to shorewall. Currently in production I have keepalived controlling shorewall starts and stops. If I remove this and leave shorewall running on the backup firewall, will I run into any problems with having the nat tables built out and
2005 Jan 21
5
Cannot restart shorewall
Hi Tom and other gurus, I modified SHOREWALL (version 2.0.15) for bridging and I cannot restart it. I got the following error ... Processing /etc/shorewall/policy... Policy ACCEPT for fw to net using chain fw2net Policy REJECT for fw to loc using chain all2all Policy DROP for net to fw using chain net2all Policy ACCEPT for loc to fw using chain loc2fw Policy ACCEPT for loc to net
2015 Sep 29
3
Keepalived vrrp problem
Hey guys, I'm trying to install keepalived 1.2.19 on a centos 6.5 machine. I did an install from source. And when I start keepalived this is what I'm seeing in the logs. It's reporting that the VRRP_Instance(VI_1) Now in FAULT state. Here's more of that log entry: Sep 29 12:06:58 USECLSNDMNRDBA Keepalived_vrrp[44943]: VRRP Instance = VI_1 Sep 29 12:06:58 USECLSNDMNRDBA
2003 Jan 31
0
Shorewall and keepalived
I am trying to figure out a way to have the two packages running on the system. Is there a way to tell shorewall NOT to define IP addresses for a specific port so keepalived(vrrp) can create them and not cause a conflict. Or for that matter the other way around would work. Any help would be appreciated.
2005 Feb 23
13
Snort and Shorewall
Hello I am looking for a way to have snort to dynamically update my shorewall config. I have seen software out there but I would like to see if anyone had tried this first. Also I would like to know if there is a way to clear the Netfilter tables when I do a shorewall restart. The reason being is that when I make a change to my firewall setting I want all connections to have to re-establish
2004 Sep 20
2
After upgrade people can no longer connect
Hello Tom, I've been using Shorewall for years without problems. My previous version of shorewall was 1.4.6b-1. Everything worked just fine. Today I upgraded using rpm to 2.0.8-1. After update no one can connect to any interface from net. Server can connect to outside world fine and those described in routestopped have no problem connecting. Any help correcting this problem would be
2011 May 18
0
Can't build Keepalived 1.2.1 on CentOS-4
Hello, I get this error when trying to build Keepalived 1.2.1 on a CentOS-4 box: # gcc -g -O2 (..) -D_WITH_LVS_ -D_WITH_VRRP_ -c smtp.c In file included from ../include/vrrp.h:31, from ../include/smtp.h:34, from smtp.c:27: *../include/vrrp_ipaddress.h:32:27: linux/if_addr.h: No such file or directory* In file included from ../include/vrrp.h:31,
2005 May 25
2
Firewall failover
Hi all, We are investigating on firewall failover design. I have searched the net and found that projects like LVS have it mostly solved for their side but that netfilter lacks it. Of course, a simple failover of the firewall is available using things like VRRP (KeepAlive software) but without state synchronization, and that is precisely the part we need to investigate. Is this issue
2017 Sep 17
0
keepalived segfault after upgrade to 7.4
Prior to upgrading to CentOS 7.4 everything was fine, after upgrade I'm seeing /etc/keepalived# keepalived -f /etc/keepalived/keepalived.conf --dont-fork --log-console --log-detail --dump-conf -m -v Starting VRRP child process, pid=17224 Registering Kernel netlink reflector Registering Kernel netlink command channel Registering gratuitous ARP shared channel Opening file
2007 Dec 06
3
Best setup for redundant routers.
I am setting up 2 Vyatta routers that will serve as redundant failover core routers out to the backbone of our ISP. They will be serving for routing between other branches and the ISP and bandwidth management. I am trying to differentiate between the plethora of information about having redundant, automatic failover routers and pretty much decided on VRRP for the IP address failover mechanism. I
2005 Apr 19
14
allow ssh access from net to fw?
Hi, I'm trying to enable ssh (when that works, want to add:pop3s,smtp,web) from the internet to the firewall but it does not work. I managed to DNAT ftp to a host in the loc network (192.168.0.50) successful but I don't know why SSH: Does not work for me: ACCEPT net fw tcp 22 Works from the loc network: ACCEPT loc fw tcp 22 I have tried also with (no success): AllowSSH
2002 Dec 10
5
VRRPD (rfc2338)
Can someone point me for good VRRPD (rfc2338) implementation on linux. Some stable and live project Thanks
2005 Jan 07
6
Questions: place for doco, and routestopped during 'shorewall restart'
Hi folks, A while back we had some discussions about integrating heartbeat and shorewall. Thanks to your help and the excellent state of Linux failover clustering, i've managed to install my high-availability firewall. I know there's already a howto for it at http://www.xenos.net/library/hafirewall.html, but i thought i would document my setup for others, since it's
2007 Jun 27
3
Adding custom iptables rules to shorewall
Hi, I'm trying to add following iptables rules to shorewall: iptables -I INPUT -d 192.168.1.1 iptables -I OUTPUT -s 192.168.1.1 What should I put in my custom action or anywhere else? I need these rules for munin accounting. iptables -L INPUT -v -n -x Chain INPUT (policy DROP 5 packets, 260 bytes) pkts bytes target prot opt in out source destination 7175
2015 Sep 29
1
Keepalived vrrp problem
On 29-09-2015 15:03, Gordon Messmer wrote: > On 09/29/2015 09:14 AM, Tim Dunphy wrote: >> And if I do an ifconfig command I see no evidence of an eth1 existing. > > "ifconfig -a" will show you all of your interfaces. Maybe there is a confusion here. Sounds like Tim thought keepalived would create that eth1, like a tunnel interface, but it won't. You have to
2006 Jun 01
1
audio streaming points different with VRRP
Hi! I've a question: I've 2 asterisk, I want pull the ethernet wire and then reconnect it after 5 second, using the VRRP protocol, where must I set the IP for the connection goes on the second asterisk? I want this: I call to asterisk1, then I pull the ethernet wire down, vrrp makes up the other asterisk but not the audio streaming...the callers are always pointed to asterisk1, but for the
2003 Mar 21
1
Shorewall config format
Hi, I'm a long time shorewall user and I like it very much. There is only one thing where I'm not always happy with: the config files. There has been discussion on the list about the comments in the files. My concern is that I lose overview over my configuration because of the many config files. Of course there are advantages too but I'm thinking whether another config format would
2015 Sep 29
0
Keepalived vrrp problem
On 09/29/2015 09:14 AM, Tim Dunphy wrote: > And if I do an ifconfig command I see no evidence of an eth1 existing. "ifconfig -a" will show you all of your interfaces.
2007 Oct 10
3
failover with conntrackd
Hi. Is anyone using conntrack-tools to implement gateway failover on a network with windows clients? I set it up with ucarp and keepalived, and found that gratuitous ARP doesn't always seem to update the cache on Windows machines. It works the first time, but if a second failover happens, the client continues to send stuff to the wrong MAC address. Linux machines work fine.
2012 Sep 03
10
Shorewall 4.5.8 Beta 1
Shorewall 4.5.8 Beta 1 is now available for testing. ---------------------------------------------------------------------------- I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- 1) This release includes the defect repair from Shorewall 4.5.7.1. 2) The restriction that TTL and HL rules could