If you are looking for a highly available stateful firewall, check out OpenBSD or FreeBSD with the PF firewall. It includes pfsync which allows state synchronization. It also includes CARP for IP address failover.
I have found nothing equivalent on Linux that provides the same capabilities for high availability. Perhaps a good 'distribution' is pfSense, which packages it all (FreeBSD+PF+CARP+more) including a web interface. There is plenty of documentation available on the web for such a setup...

- Joris

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of North Country Boy
> Sent: Wednesday 14 November 2007 23:31
> To: General Linux-HA mailing list
> Subject: RE: [Linux-HA] HA Firewall
>
> I will just bump this the once. Does anybody have any suggestions that may help? Thanks in advance
>
>> From: [EMAIL PROTECTED]
>> To: [email protected]
>> Subject: RE: [Linux-HA] HA Firewall
>> Date: Sun, 4 Nov 2007 21:59:13 +0000
>>
>> Sorry for the delay,
>>
>> Please find attached configs. It's a curious problem...
>>
>>> Subject: Re: [Linux-HA] HA Firewall
>>> From: [EMAIL PROTECTED]
>>> To: [email protected]
>>> Date: Mon, 29 Oct 2007 10:38:30 -0500
>>>
>>> On Thu, 2007-10-25 at 22:23 +0100, North Country Boy wrote:
>>>> Ok ok, I admit. I don't get it!!!!
>>>>
>>>> I am trying to config a simple HA firewall and it just isn't working how I had imagined.
>>>>
>>>> Ok here is the deal.
>>>>
>>>> The Firewall has two interfaces
>>>>
>>>> 1) Internal interface eth1 192.168.0.254
>>>>
>>>> 2) External Interface eth0 195.63.63.100, 195.63.63.101, 195.63.63.102
>>>>
>>>> The plan would be that in the event of failure, these IP addresses as well as an iptables script would be brought online on the second box.
>>>>
>>>> The story so far....
>>>>
>>>> Because I am new to this, I wanted to take things nice and slowly and realise the full solution in stages so that I could learn & understand. I decided to test a simple failover with one IP just using the external interface.
>>>>
>>>> I added a second NIC to both machines (node1 & node2) and got heartbeat working no problem. Using the version 1 haresources file, I added the following line
>>>>
>>>> node1 195.63.63.101
>>>>
>>>> In the ha.cf file I added
>>>>
>>>> ping 195.63.63.254 (an external router accessible by both nodes)
>>>>
>>>> Also I added the ipfail command.
>>>>
>>>> Ok so heartbeat all looks good so far, the new address 195.63.63.101 is added as eth1:0
>>>>
>>>> Now I prevent access to the external router from node1, it recognises that it can no longer reach 195.63.63.254 in the logs, whilst node 2 says and does nothing. huh????
>>>>
>>>> I thought that at this point, ipfail flags a failure and the failover process begins????
>>>>
>>>> Coincidentally, pulling the heartbeat cable causes the failover to happen perfectly (which is nice to know).
>>>>
>>>> So now I am left wondering... If my external eth0 card fails, this isn't enough to cause failover?
>>>
>>> Yes, if things are configured correctly.
>>>
>>> I have been dealing with v2 only, so I won't be able to help you with your configs, but I did play with v1 a tiny bit and I remember ipfail working fine.
>>>
>>> Speaking of configs, you should post your ha.cf and haresources files along with logs. I believe the list prefers attachments rather than inline.
>>>
>>> [...]
>>>
>>> --
>>> Matt Zagrabelny - [EMAIL PROTECTED] - (218) 726 8844
>>> University of Minnesota Duluth
>>> Information Technology Systems & Services
>>> PGP key 1024D/84E22DA2 2005-11-07
>>> Fingerprint: 78F9 18B3 EF58 56F5 FC85 C5CA 53E7 887F 84E2 2DA2
>>>
>>> He is not a fool who gives up what he cannot keep to gain what he cannot lose.
>>> -Jim Elliot

_______________________________________________
Linux-HA mailing list
[email protected]
http://lists.linux-ha.org/mailman/listinfo/linux-ha
See also: http://linux-ha.org/ReportingProblems
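As an added illustration of the pfsync/CARP setup Joris recommends, here is the shape of an OpenBSD configuration for the poster's two-interface firewall pair. This is example configuration written for this page, not from the thread or from the OpenBSD project: the interface names em0/em1/em2, the CARP password and the use of the poster's addresses are assumptions; the second node uses the same files with a higher advskew. FreeBSD configures the same carp/pfsync interfaces through rc.conf instead of hostname.* files.

```conf
# /etc/hostname.carp0  (external side; assumed NIC em0)
# All three external addresses ride one CARP interface, so they move together.
# The backup node uses the same vhid and pass but "advskew 100".
inet 195.63.63.100 255.255.255.0 195.63.63.255 vhid 1 carpdev em0 pass s3cretCarpKey advskew 0
inet alias 195.63.63.101 255.255.255.255
inet alias 195.63.63.102 255.255.255.255

# /etc/hostname.carp1  (internal side; assumed NIC em1; separate vhid)
inet 192.168.0.254 255.255.255.0 192.168.0.255 vhid 2 carpdev em1 pass s3cretCarpKey advskew 0

# /etc/hostname.pfsync0  (state sync over a dedicated crossover link, assumed em2)
up syncdev em2

# /etc/sysctl.conf
# preempt=1 is what answers the "external NIC dies" case in the thread:
# when one CARP interface on a node loses link, the node demotes its
# other CARP interfaces too, so both sides fail over to the peer as a unit
# instead of splitting master roles between the boxes.
net.inet.carp.preempt=1

# /etc/pf.conf
ext_if  = "em0"
int_if  = "em1"
sync_if = "em2"
lan_net = "192.168.0.0/24"

set skip on lo

# pfsync and CARP advertisements are local control traffic; (no-sync)
# keeps their own state entries from being pushed back across pfsync.
pass quick on $sync_if proto pfsync keep state (no-sync)
pass on { $ext_if $int_if } proto carp keep state (no-sync)

# Ordinary filter policy; every state created here is replicated to the peer,
# so established TCP sessions survive a master/backup switch.
block in log all
pass out keep state
pass in on $int_if from $lan_net to any keep state
pass in on $ext_if proto tcp from any to 195.63.63.100 port 22 keep state
```

Two checks and one caveat a practitioner would want: `ifconfig carp0` should show `carp: MASTER` on one node and `carp: BACKUP` on the other, and `pfctl -s states` on the backup should list the same sessions the master has once pfsync has converged. The CARP `pass` is an HMAC key that authenticates advertisements (both nodes must match), but pfsync itself is neither authenticated nor encrypted and carries the full state table, so it belongs on a dedicated link (or inside IPsec), never on the production segments.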
