[Pacemaker] iptables cluster

Karlis Kisis karlis.kisis at gmail.com
Thu Feb 16 11:20:43 CET 2012


Thank you thank you thank you :)


> Date: Wed, 15 Feb 2012 13:33:35 -0700
> From: Devin Reade <gdr at gno.org>
> To: pacemaker at oss.clusterlabs.org
> Subject: Re: [Pacemaker] iptables cluster
> Message-ID: <180D2FD0E014D9F01336B25A at radelix.gno.org>
> Content-Type: text/plain; charset=us-ascii
>
> --On Monday, February 13, 2012 11:21:14 AM +0200 Karlis Kisis
> <karlis.kisis at gmail.com> wrote:
>
>> In most cluster tutorials, for simplicity, iptables is turned off.
>> Funny thing is that iptables is what I want to configure in HA cluster
>> (as redundant firewalls).
>
> I debated about answering this off-list, since it might be considered
> inflammatory, but in the spirit of using the right tool for the
> right job I'll post it anyway.  Flames to /dev/null.
>
> If you're planning on having *just* a redundant firewall on those
> machines, and your other network services are on different machines
> anyway, your configuration would be a lot simpler and (IMO) more
> robust using an alternate technology.
>
> In particular, I'd suggest running a pair of OpenBSD machines as a
> clustered firewall using carp and pfsync.  I often deploy these in pairs
> as gateway routers, and in particular I have a few which are in front
> of pacemaker clusters.  I regularly exercise failover on the firewalls
> and the cutover time is (qualitatively) faster than pacemaker, the
> configuration is very clean, and as you would expect the cutover is
> absolutely transparent to traffic traversing the firewalls (no
> session stutter with either interactive protocols like ssh, or with
> low-latency high-bandwidth multimedia applications, etc).
>
> Don't get me wrong; I really like pacemaker, I just wouldn't use
> it for a firewall if I didn't have to.
>
> If your organization doesn't have a problem with using more than
> one operating system in their environment, I'd strongly suggest it.
>
> However, this being a pacemaker list, I'd suggest any clarifying
> questions be asked on the 'misc' OpenBSD mailing list after reading
> <http://www.countersiege.com/doc/pfsync-carp/> and
> <http://www.openbsd.org/faq/faq6.html#CARP>.
>
> Devin
*******************
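For anyone following up on the carp/pfsync suggestion, here is the minimal OpenBSD configuration for such a redundant firewall pair. This is an added example, not from Devin's post or the linked documents; the interface names (em0 external, em1 internal, em2 dedicated sync link), the addresses and the carp password are placeholders.

```conf
# /etc/hostname.carp0 -- shared external address; the primary uses advskew 0,
# the backup the same line with advskew 100 (a second carpN does the same for em1)
inet 203.0.113.1 255.255.255.0 203.0.113.255 vhid 1 pass CHANGE_ME_CARP_SECRET advskew 0

# /etc/hostname.pfsync0 -- replicate the pf state table over the crossover link
up syncdev em2

# /etc/sysctl.conf -- a recovered primary takes the master role back, and all
# carp interfaces fail over together instead of one at a time
net.inet.carp.preempt=1

# /etc/pf.conf (relevant lines only)
ext_if  = "em0"
int_if  = "em1"
sync_if = "em2"

# carp and pfsync control traffic is per-host: never replicate those states
pass quick on $sync_if proto pfsync keep state (no-sync)
pass on { $ext_if, $int_if } proto carp keep state (no-sync)

# ordinary forwarded traffic keeps normal stateful rules; because these states
# are copied to the peer, an established ssh session survives a cutover
pass in  on $int_if from 192.168.1.0/24 to any keep state
pass out on $ext_if keep state
```

Keep the sync link a private point-to-point segment: pfsync traffic is unauthenticated, so whoever can reach it can read or inject firewall state.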
