[lug] Heartbeat and Firewalls
Dan Ferris
dan at usrsbin.com
Fri Jun 2 13:56:18 MDT 2006
OpenBSD uses CARP and pfsync. I would much rather use iptables than pf,
because iptables is much easier (for me).
At the moment the way I'm thinking about doing it is to have one
administrative IP address per firewall on one interface. Then I can use
heartbeat to assign the gateway addresses to all 4 interfaces and do ARP
takeover. After that I'll have it run a script that implements the
iptables rules.
I guess I'll do some playing and see what happens.
Dan
Zan Lynx wrote:
> On Thu, 2006-06-01 at 15:57 -0600, Dan Ferris wrote:
>
>> Has anyone on the list ever set up a HA firewall using Linux and
>> Heartbeat or keepalived?
>>
> [snip]
>
>> And yes, I know that the state tracking data isn't replicated and we're willing to deal.
>>
>
> You know, I thought I read about some way to make that work, involving
> having both systems up and running with the active IP and MAC address,
> but the offline system has a DROP rule last in the output/forward
> chains, and ARP response turned off. Supposed to keep the state info
> updated on the backup unit. Can't do anything for the failed primary,
> of course.
>
> Not sure if it works since I haven't tried it.
>
> _______________________________________________
> Web Page: http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> Join us on IRC: lug.boulder.co.us port=6667 channel=#colug
--
America! F*ck yeah!
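Dan's plan above (a fixed admin IP per firewall, Heartbeat holding the gateway addresses on all four interfaces and doing the ARP takeover, then a script loading the iptables rules) as an added example in the form of a Heartbeat v1 resource script. This is not code from the thread or from the Heartbeat project; interface names, addresses, networks and the haresources line are hypothetical, and `IPTABLES=echo` turns the script into a dry run so the generated ruleset can be inspected without root.

```shell
#!/bin/sh
# fwrules: Heartbeat v1 resource script that loads the iptables ruleset on
# whichever node currently holds the gateway addresses. Install it as
# /etc/ha.d/resource.d/fwrules and list it LAST in /etc/ha.d/haresources so it
# runs after the IPaddr resources, which add the VIPs and send the gratuitous
# ARP (the "ARP takeover"). Hypothetical haresources line:
#
#   fw1 IPaddr::203.0.113.1/24/eth0 IPaddr::198.51.100.1/24/eth1 \
#       IPaddr::10.10.1.1/24/eth2 IPaddr::10.10.2.1/24/eth3 fwrules
#
# Interface names, addresses and networks below are assumptions. Each firewall
# keeps its own fixed admin address on $ADMIN_IF; only the VIPs move.

IPTABLES=${IPTABLES:-/sbin/iptables}   # set IPTABLES=echo to dry-run
ADMIN_IF=eth0; WAN_IF=eth1; LAN_IF=eth2; DMZ_IF=eth3
ADMIN_NET=203.0.113.0/24               # where the per-firewall admin IPs live
LAN_NET=10.10.1.0/24
DMZ_NET=10.10.2.0/24
DMZ_WEB=10.10.2.10

ipt() { "$IPTABLES" "$@"; }

# Rules every node needs whatever its role: loopback, replies to its own
# traffic, SSH from the admin net, and Heartbeat's UDP port (694 by default).
base_rules() {
    cat <<EOF
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $ADMIN_IF -s $ADMIN_NET -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i $ADMIN_IF -s $ADMIN_NET -p udp --dport 694 -j ACCEPT
EOF
}

# Forwarding rules: only the node holding the VIPs should accept transit
# traffic. The conntrack table behind ESTABLISHED,RELATED is local to each
# box and is not replicated, so flows in progress do not survive a failover.
forward_rules() {
    cat <<EOF
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m state --state NEW -j ACCEPT
-A FORWARD -i $LAN_IF -o $DMZ_IF -s $LAN_NET -d $DMZ_NET -m state --state NEW -j ACCEPT
-A FORWARD -i $WAN_IF -o $DMZ_IF -d $DMZ_WEB -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A FORWARD -j LOG --log-prefix fw-drop:
EOF
}

# Print the complete rule list for a role (active|standby), one iptables
# argument vector per line.
fw_rules() {
    base_rules
    if [ "$1" = active ]; then
        forward_rules
    fi
}

# Flush the filter table and load the rule list for the given role.
fw_apply() {
    ipt -F && ipt -X || return 1
    fw_rules "$1" | while read -r rule; do
        ipt $rule || exit 1   # word splitting of $rule is intentional
    done
}

fw_start()  { fw_apply active; }    # Heartbeat: this node now owns the VIPs
fw_stop()   { fw_apply standby; }   # Heartbeat: VIPs moved away, stop forwarding
fw_status() {
    if ipt -L FORWARD -n | grep -q "$LAN_NET"; then echo running; else echo stopped; fi
}

case "${1:-}" in
    start)  fw_start ;;
    stop)   fw_stop ;;
    status) fw_status ;;
    "")     : ;;   # no action: just define the functions (sourcing, tests)
    *)      echo "usage: $0 {start|stop|status}" >&2; exit 1 ;;
esac
```

`IPTABLES=echo ./fwrules start` prints the rules the active node would load; `IPTABLES=echo ./fwrules stop` shows that the standby keeps only the admin and Heartbeat rules and forwards nothing. Heartbeat runs resources in haresources order, so the VIPs and gratuitous ARP are in place before this script loads the ruleset, and Heartbeat's own port must stay open on the admin interface or the nodes will each think the other has died. As both posters note, nothing here replicates the connection-tracking table; established flows have to be re-opened after a failover.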