[Pacemaker] Active-Active HA Firewall

Marcel Hauser marcel_hauser at gmx.ch
Fri Oct 15 07:47:50 UTC 2010 

On 14.Oct 2010 22:31, Michael Schwartzkopff wrote:
>> i do know about fwbuilder and that it's possible to use fw builder in
>> order to build a cluster configuration. I've also read a pdf dated in
>> feb 2009 about ha firewalls by using heartbeat.
>
> Yes, I know I should update that paper ;-)

That would be awesome! :-)

> NO cloned IP addresss in a firewall. Cloning only works in the INPUT chain, not
> on the forward chain! So no chance for a load-balancing firewall. Please make
> it one virtual IP address.

Thank you very much for that information... that clarifies a lot for me.

Is was somehow hoping, that this might have become possible these days.

> But that is no problem. firewalling is no hard job any more. A reasonable
> machine can firewall 1 GBit/s traffic.

valid point. my only "concern" is/was that i don't like the idea of a 
passive firewall.... because when you need it to failover (maybe after 2 
years :-) ).... you may just realize that it's somehow broken too.

In an active-active like setup you basically know that both system are 
actually working as expected.

>> - how would you guys detect a firewall failure on any node (pingd ??)...
>> and if a failure occurs... will the crm automatically unconfigure the
>> cloned ip's on that node ?
>
> pingd to check the availability of the attached network. The cluste resource
> manager takes care for the failover. See the "from the scratch" doc.

Yes i've read that in the docs. But is this really common practice for 
firewall clusters ? i don't want the firewall to failover if i'm having 
"internal problems with internal hosts/pingable addresses"!?

otherwise i have to build an internal ping cluster ;-)

why did you choose to run conntrackd and heartbeat over a dedicated 
bonding interface in your pdf, compared to the FW builder docs which say 
to run heartbeat over every interface of the firewall, which therefore 
might enable the cluster to detect network card failures... because the 
heartbeat is not received over a given failed interface anymore ?

> Rumors say that the is a good German book about clusters from O'Reilly. In the
> examples chapter the author exactly describes the setup you mentioned. ;-)

:-).... i've seen that... but i hate reading books (no matter on what 
topic)... and my learning curve is much more efficient if i learn it 
myself :-)

but thanks for the hint... any i really appreciate your and any other help!

Marcel

More information about the Pacemaker mailing list