In a message dated: Thu, 13 Jul 2000 12:46:53 EDT
Jeffry Smith said:
>Yea, that's what I was trying to describe as possible in the paragraph
>below. I just had a hard enough time doing the 1st picture. The only
>issue would be if you're doing any kind of logging on the firewall,
>although I suppose (I haven't set up LVS, don't know if it can do
>this) you could do the logging to something on the internal LAN, so
>when the 1st FW failed, the 2nd could pick it up, & keep logging. Or,
>you just accept that you could lose your log on the primary firewall
>if it goes down, and use the log on the second one.
Well, actually, I've realized you can't use LVS for this. LVS is really more
load-balancing oriented and relies upon Ethernet for node-status tracking.
This essentially removes LVS from the picture, and therefore Piranha or
UltraMonkey. Kimberlite is perfect for this scenario, since it has triple
redundancy in this area in the form of:

    Serial line pings
    Ethernet pings
    Shared SCSI quorum disk pings (this is really cool!)

As far as logging on the firewall, you could potentially log to the shared
SCSI bus on a different partition; that's not a problem. Since we already know
how to do this with Oracle running out of a raw partition and we've already
proved NFS clustering works this way as well, a simple shared ext2 partition
should be trivial (actually, I know it is, because we've done this too; the
Oracle install was to a shared ext2 partition on our cluster).

Probably the better way to do it would be to use syslog and log to an internal
syslog server. That way, if your firewall got cracked, the logs are on a
different system, and safe from the cracker. Though logging to both places is
also a doable scenario that you might want to consider.
--
Seeya,
Paul
----
"I always explain our company via interpretive dance.
I meet lots of interesting people that way."
Niall Kavanagh, 10 April, 2000
If you're not having fun, you're not doing it right!