[Pacemaker] Active-Active HA Firewall

Marcel Hauser marcel_hauser at gmx.ch
Thu Oct 14 17:19:39 UTC 2010


Hi All

I'm very new to pacemaker... so please forgive me if I'm asking silly 
questions :-)

I would like to build an HA Active-Active Firewall based on:
- iptables
- conntrack-tools
- corosync
- pacemaker

I do know about fwbuilder and that it's possible to use fwbuilder in 
order to build a cluster configuration. I've also read a PDF dated 
Feb 2009 about HA firewalls using heartbeat.

I've read and tried to implement everything by reading the "cluster from 
scratch" guide.

Currently I have successfully built a 2 node cluster based on pacemaker 
with cloned IPs for the external network card and the internal network 
card.

Basically my questions are now:

- Are there any example configurations/"best practice guides" for an 
active-active iptables firewall using the above mentioned tools? (In 
the end I will have about 50 public IPs... and 5 internal networks 
using VLAN tags on the internal NIC.)
- Am I on the right track to create cloned IPs for the internal IPs as 
well as the external IPs? How about the "network flow" if using two 
active firewalls?
- How would you guys detect a firewall failure on any node (pingd ??)... 
and if a failure occurs... will the crm automatically unconfigure the 
cloned IPs on that node?

I do know that my questions are not directly related to pacemaker... but 
I thought I might reach the most users with the same goal on this list.

Any help, hints and/or example scripts or configurations or links to 
how-to guides would be very much appreciated!

Marcel



