[Pacemaker] Active-Active HA Firewall
Michael Schwartzkopff
misch at clusterbau.com
Thu Oct 14 20:31:32 UTC 2010
On Thursday 14 October 2010 19:19:39 Marcel Hauser wrote:
> Hi All
>
> I'm very new to pacemaker... so please forgive me if I'm asking silly
> questions :-)
There are no silly questions, only silly answers. Or was it vice versa?
> I would like to build an HA Active-Active Firewall based on:
> - iptables
> - conntrack-tools
> - corosync
> - pacemaker
>
> I do know about fwbuilder and that it's possible to use fwbuilder in
> order to build a cluster configuration. I've also read a PDF dated
> Feb 2009 about HA firewalls using heartbeat.
Yes, I know I should update that paper ;-)
> I've read and tried to implement everything by reading the "Clusters from
> Scratch" guide.
>
> Currently I have successfully built a 2-node cluster based on pacemaker
> with cloned IPs for the external network card and the internal network
> card.
NO cloned IP addresses in a firewall. Cloning only works in the INPUT chain, not
in the FORWARD chain! So there is no chance for a load-balancing firewall. Please
make it one virtual IP address.
> basically my questions are now:
>
> - are there any example configurations/"best practice guides" for an
> active-active iptables firewall using the above mentioned tools? (in
> the end I will have about 50 public IPs... and 5 internal networks
> using VLAN tags on the internal NIC)
No active-active. Only active-passive. The virtual IP is located on one node
at a given time. No cloning.
But that is no problem. Firewalling is not a hard job any more. A reasonable
machine can firewall 1 GBit/s of traffic.
> - am I on the right track to create cloned IPs for the internal IPs as
> well as the external IPs? How about the "network flow" if using two
> active firewalls?
No. See above. Make a group of the external and internal IP addresses.
> - how would you guys detect a firewall failure on any node (pingd??)...
> and if a failure occurs... will the crm automatically unconfigure the
> cloned IPs on that node?
pingd to check the availability of the attached network. The cluster resource
manager takes care of the failover. See the "Clusters from Scratch" doc.
> I do know that my questions are not directly related to pacemaker... but
> I thought I might reach the most users with the same goal on this list.
Well, I feel the questions are directly related to a cluster setup.
> any help, hints and/or example scripts or configurations or links to
> how-to guides would be very much appreciated!
>
> Marcel
Rumors say that there is a good German book about clusters from O'Reilly. In the
examples chapter the author describes exactly the setup you mentioned. ;-)
Please feel free to contact me for further questions.
Greetings,
--
Dr. Michael Schwartzkopff
Guardinistr. 63
81375 München
Tel: (0163) 172 50 98
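The setup the reply recommends (one group of virtual IPs for the external and internal networks, no clones, pingd watching the attached networks, conntrackd keeping state in sync for the active-passive pair), as an added example that is not part of the original mail or of any Pacemaker project documentation. It is a small POSIX sh script that emits a crm-shell configuration for Pacemaker; the interface names (eth0, eth1.<vlan>), the addresses, the ping hosts and the parameters of the ocf:heartbeat:conntrackd agent are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the original mail. Emits a Pacemaker crm-shell
# configuration for an active-PASSIVE iptables firewall:
#   - every external and internal virtual IP as an IPaddr2 primitive,
#     all in ONE group so they always live on the same node (no clones)
#   - a cloned ocf:pacemaker:ping resource that publishes the "pingd"
#     node attribute, plus a location rule that keeps the VIP group off
#     any node that cannot reach the attached networks
#   - conntrackd as a master/slave resource, master where the VIPs are
# Addresses, interface names and the conntrackd agent parameters are assumptions.

# Constructed sample data (assumption): external VIPs on eth0, internal
# VIPs on tagged VLANs of eth1 (eth1.<vlan>).
EXT_NIC="eth0"
EXT_NETMASK="24"
EXT_IPS="203.0.113.10 203.0.113.11 203.0.113.12"
INT_NETS="10:192.168.10.1/24 20:192.168.20.1/24"   # vlan:address/prefix
# Hosts that must be reachable: upstream router and one host per VLAN
PING_HOSTS="203.0.113.1 192.168.10.254 192.168.20.254"

gen_fw_config() {
    members=""
    n=0
    for ip in $EXT_IPS; do
        n=$((n + 1))
        printf 'primitive ip_ext%d ocf:heartbeat:IPaddr2 params ip="%s" cidr_netmask="%s" nic="%s" op monitor interval="10s"\n' \
            "$n" "$ip" "$EXT_NETMASK" "$EXT_NIC"
        members="$members ip_ext$n"
    done
    for net in $INT_NETS; do
        vlan=${net%%:*}
        addr=${net#*:}
        ip=${addr%/*}
        prefix=${addr#*/}
        printf 'primitive ip_vlan%s ocf:heartbeat:IPaddr2 params ip="%s" cidr_netmask="%s" nic="eth1.%s" op monitor interval="10s"\n' \
            "$vlan" "$ip" "$prefix" "$vlan"
        members="$members ip_vlan$vlan"
    done
    # One group: all VIPs fail over together, so FORWARD traffic always
    # enters and leaves through the same node (active-passive).
    printf 'group fw_ips%s\n' "$members"
    # Cloned ping runs on every node; multiplier*reachable hosts -> pingd attribute.
    printf 'primitive p_ping ocf:pacemaker:ping params host_list="%s" multiplier="100" dampen="5s" op monitor interval="15s"\n' \
        "$PING_HOSTS"
    printf 'clone cl_ping p_ping\n'
    # Never place the VIP group on a node whose pingd attribute is missing or 0.
    printf 'location l_fw_connected fw_ips rule -inf: not_defined pingd or pingd lte 0\n'
    # conntrackd master/slave (agent parameters are an assumption); the master
    # is colocated with the VIPs and promoted only after the VIPs are up.
    printf 'primitive p_conntrackd ocf:heartbeat:conntrackd params conntrackd="/usr/sbin/conntrackd" config="/etc/conntrackd/conntrackd.conf" op monitor interval="10s" role="Slave" op monitor interval="11s" role="Master"\n'
    printf 'ms ms_conntrackd p_conntrackd meta master-max="1" clone-max="2" notify="true"\n'
    printf 'colocation c_conntrackd_master inf: ms_conntrackd:Master fw_ips\n'
    printf 'order o_ips_then_promote inf: fw_ips ms_conntrackd:promote\n'
}

# Usage: review the output, then load it with
#   gen_fw_config | crm configure load update -
gen_fw_config
```

Note the location rule: because the VIPs are a single group, a node that loses its upstream link (pingd goes to 0) loses all firewall addresses at once, which is the behaviour you want; with 50 public addresses, just extend EXT_IPS and the loop produces one IPaddr2 primitive per address inside the same group.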