On Friday 15 October 2010 09:47:50 Marcel Hauser wrote:
> On 14.Oct 2010 22:31, Michael Schwartzkopff wrote:
> >> i do know about fwbuilder and that it's possible to use fw builder in
> >> order to build a cluster configuration. I've also read a pdf dated in
> >> feb 2009 about ha firewalls by using heartbeat.
> >
> > Yes, I know I should update that paper ;-)
>
> That would be awesome! :-)
Please add two hours to my day.

> > NO cloned IP addresses in a firewall. Cloning only works in the INPUT
> > chain, not on the forward chain! So no chance for a load-balancing
> > firewall. Please make it one virtual IP address.
>
> Thank you very much for that information... that clarifies a lot for me.
>
> I was somehow hoping that this might have become possible these days.

No chance.

> > But that is no problem. Firewalling is no hard job any more. A reasonable
> > machine can firewall 1 GBit/s traffic.
>
> valid point. my only "concern" is/was that i don't like the idea of a
> passive firewall.... because when you need it to failover (maybe after 2
> years :-) ).... you may just realize that it's somehow broken too.
>
> In an active-active like setup you basically know that both systems are
> actually working as expected.

You can exercise a failover test every Tuesday 13:00 if everybody is surfing. Or shift the exercise to Friday 6:00.

> >> - how would you guys detect a firewall failure on any node (pingd ??)...
> >> and if a failure occurs... will the crm automatically unconfigure the
> >> cloned ip's on that node ?
> >
> > pingd to check the availability of the attached network. The cluster
> > resource manager takes care of the failover. See the "from the scratch"
> > doc.
>
> Yes i've read that in the docs. But is this really common practice for
> firewall clusters ? i don't want the firewall to failover if i'm having
> "internal problems with internal hosts/pingable addresses"!?
>
> otherwise i have to build an internal ping cluster ;-)

Why? Failover occurs only if the reachability of pingnodes differs severely, i.e. one node sees three pingnodes and the other one only one. Details depend on your config.
> why did you choose to run conntrackd and heartbeat over a dedicated
> bonding interface in your pdf, compared to the FW builder docs which say
> to run heartbeat over every interface of the firewall, which therefore
> might enable the cluster to detect network card failures... because the
> heartbeat is not received over a given failed interface anymore ?

Network card failure should be detected by the monitor of the IPaddr2 resource. Of course you could run your corosync and conntrackd traffic over the dedicated links.

> > Rumors say that there is a good German book about clusters from O'Reilly.
> > In the examples chapter the author exactly describes the setup you
> > mentioned. ;-)
>
> :-).... i've seen that... but i hate reading books (no matter on what
> topic)... and my learning curve is much more efficient if i learn it
> myself :-)
>
> but thanks for the hint... and i really appreciate your and any other help!

Another hint: Just read the interesting parts of the book. Basically the points I explained in my mails.

Greetings,

-- 
Dr. Michael Schwartzkopff
Guardinistr. 63
81375 München
Tel: (0163) 172 50 98
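The layout Michael argues for above (one virtual IP per firewall leg rather than cloned IPs, a ping-based connectivity score that only triggers a failover when the two nodes' reachability differs markedly, and conntrackd state sync) written out as a crm shell configuration. This is an added example, not the configuration from the original mail, from the 2009 paper or from the Pacemaker project docs. Node names, addresses, interfaces, the three ping targets and the `ocf:heartbeat:conntrackd` parameter names are assumptions for illustration; `ocf:pacemaker:ping` is the agent that replaced `pingd` and writes its score into the `pingd` node attribute by default.

```crm
# Added example (not from the mail or the paper): two-node active/passive
# firewall cluster fw1/fw2. All names and addresses below are assumptions.

# Two-node cluster: keep running with a single node. A real fencing device
# (stonith resource) belongs here as well; it is omitted for brevity only.
property no-quorum-policy=ignore

# Stickiness is what keeps a single flaky ping target from causing a
# failover: the active node must lose >1500 points relative to the
# standby before the IPs move (see the location rule below).
rsc_defaults resource-stickiness=1500

# One virtual IP per firewall leg. Not a clone: an IPaddr2 clone only
# load-balances locally delivered (INPUT) traffic, never forwarded traffic.
primitive ip_ext ocf:heartbeat:IPaddr2 \
    params ip=198.51.100.1 cidr_netmask=24 nic=eth0 \
    op monitor interval=10s timeout=20s
primitive ip_int ocf:heartbeat:IPaddr2 \
    params ip=192.0.2.1 cidr_netmask=24 nic=eth1 \
    op monitor interval=10s timeout=20s

# Both addresses always move together.
group fw_ips ip_ext ip_int

# Connectivity probe, cloned so every node pings the same three targets
# (assumed: upstream router, two internal hosts). Each reachable target
# adds `multiplier` to the node attribute "pingd"; dampen delays attribute
# updates so a single lost packet does not flap the score.
primitive p_ping ocf:pacemaker:ping \
    params host_list="198.51.100.254 192.0.2.10 192.0.2.11" \
           multiplier=1000 dampen=5s attempts=3 \
    op monitor interval=15s timeout=60s
clone cl_ping p_ping meta globally-unique=false

# Score for running fw_ips on a node = its pingd attribute
# (0, 1000, 2000 or 3000). Worked out with stickiness 1500:
#   active sees 2 targets, standby 3: 2000+1500=3500 vs 3000 -> stays
#   active sees 1 target,  standby 3: 1000+1500=2500 vs 3000 -> moves
# i.e. exactly the "three versus one" case from the mail triggers failover,
# a single unreachable internal host does not.
location loc_fw_ips_connectivity fw_ips \
    rule pingd: defined pingd

# A node that reaches nothing must never hold the IPs, stickiness or not.
location loc_fw_ips_isolated fw_ips \
    rule -inf: not_defined pingd or pingd lte 0

# conntrackd as master/slave so the standby already holds the connection
# table when it takes over. Parameter names are assumed; confirm them with
# `crm ra info ocf:heartbeat:conntrackd` on your resource-agents version.
primitive p_conntrackd ocf:heartbeat:conntrackd \
    params conntrackd=/usr/sbin/conntrackd \
           config=/etc/conntrackd/conntrackd.conf \
    op monitor interval=20s role=Slave timeout=20s \
    op monitor interval=10s role=Master timeout=20s
ms ms_conntrackd p_conntrackd meta notify=true interleave=true

# The IPs live where conntrackd is master, and are started only after the
# promotion so the state table is committed before traffic arrives.
colocation col_ips_with_conntrack_master inf: fw_ips ms_conntrackd:Master
order ord_promote_then_ips inf: ms_conntrackd:promote fw_ips:start
```

Load it with `crm configure load update <file>` and check `crm_mon -A` (or `crm_mon -1 -A`) to see the `pingd` attribute per node; dropping a ping target from one node's routing table and watching the score change is a cheap way to rehearse the Tuesday 13:00 failover test mentioned above before trying it on live traffic.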
_______________________________________________
Pacemaker mailing list: Pacemaker@oss.clusterlabs.org
http://oss.clusterlabs.org/mailman/listinfo/pacemaker

Project Home: http://www.clusterlabs.org
Getting started: http://www.clusterlabs.org/doc/Cluster_from_Scratch.pdf
Bugs: http://developerbugs.linux-foundation.org/enter_bug.cgi?product=Pacemaker