On Thu, Feb 16, 2012 at 7:33 AM, Devin Reade <g...@gno.org> wrote:
> --On Monday, February 13, 2012 11:21:14 AM +0200 Karlis Kisis
> <karlis.ki...@gmail.com> wrote:
>
>> In most cluster tutorials, for simplicity, iptables is turned off.
>> Funny thing is that iptables is what I want to configure in an HA cluster
>> (as redundant firewalls).
>
> I debated about answering this off-list, since it might be considered
> inflammatory, but in the spirit of using the right tool for the
> right job I'll post it anyway. Flames to /dev/null.
>
> If you're planning on having *just* a redundant firewall on those
> machines, and your other network services are on different machines
> anyway, your configuration would be a lot simpler and (IMO) more
> robust using an alternate technology.
>
> In particular, I'd suggest running a pair of OpenBSD machines as a
> clustered firewall using carp and pfsync. I often deploy these in pairs
> as gateway routers, and in particular I have a few which are in front
> of pacemaker clusters. I regularly exercise failover on the firewalls
> and the cutover time is (qualitatively) faster than pacemaker, the
> configuration is very clean, and as you would expect the cutover is
> absolutely transparent to traffic traversing the firewalls (no
> session stutter with either interactive protocols like ssh, or with
> low-latency high-bandwidth multimedia applications, etc).
>
> Don't get me wrong; I really like pacemaker, I just wouldn't use
> it for a firewall if I didn't have to.

People should do whatever makes sense for them.
Pacemaker shouldn't be considered a silver bullet :-)

> If your organization doesn't have a problem with using more than
> one operating system in their environment, I'd strongly suggest it.
>
> However, this being a pacemaker list, I'd suggest any clarifying
> questions be asked on the 'misc' OpenBSD mailing list after reading
> <http://www.countersiege.com/doc/pfsync-carp/> and
> <http://www.openbsd.org/faq/faq6.html#CARP>.
>
> Devin
>
> _______________________________________________
> Pacemaker mailing list: Pacemaker@oss.clusterlabs.org
> http://oss.clusterlabs.org/mailman/listinfo/pacemaker
>
> Project Home: http://www.clusterlabs.org
> Getting started: http://www.clusterlabs.org/doc/Cluster_from_Scratch.pdf
> Bugs: http://bugs.clusterlabs.org
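As an added illustration of the carp/pfsync firewall pair Devin recommends above (this is example material added to the archive, not a configuration posted by any participant in the thread), the script below renders the handful of OpenBSD files such a pair needs into a staging directory for review rather than into /etc. The interface names (em0/em1/em2), the 192.0.2.0/24 virtual address, the VHID and the placeholder carp password are all assumptions and must be replaced for a real deployment; the file formats (hostname.carp0, hostname.pfsync0, sysctl.conf and the two pf rules) follow the OpenBSD FAQ that Devin links to.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: render the config files
# for a two-node OpenBSD carp/pfsync firewall pair into a staging directory.
# Interface names, addresses, VHID and the carp password are assumptions.
set -eu

EXT_IF=em0               # assumed: outside interface that carries the carp VIP
INT_IF=em1               # assumed: inside interface
SYNC_IF=em2              # assumed: dedicated back-to-back link for pfsync
VHID=1                   # assumed: virtual host id shared by both nodes
CARP_PASS='CHANGE-ME'    # placeholder: both nodes must use the same value
VIP=192.0.2.1            # assumed: address the default routes point at
VIP_BCAST=192.0.2.255    # broadcast for the assumed 192.0.2.0/24 network

# advskew decides the carp election: the preferred master advertises with
# skew 0, the backup with a higher value, so the same VIP line differs only there.
carp_line() {
    role=$1
    case $role in
        master) skew=0 ;;
        backup) skew=100 ;;
        *) echo "unknown role: $role" >&2; return 1 ;;
    esac
    printf 'inet %s 255.255.255.0 %s vhid %s carpdev %s pass %s advskew %s\n' \
        "$VIP" "$VIP_BCAST" "$VHID" "$EXT_IF" "$CARP_PASS" "$skew"
}

# The two rules the pair needs on top of the normal filtering policy: allow
# pfsync on the sync link and carp advertisements on the carp'd interfaces.
# (no-sync) keeps those states local instead of replicating them to the peer.
pf_cluster_rules() {
    cat <<EOF
pass quick on $SYNC_IF proto pfsync keep state (no-sync)
pass on { $EXT_IF $INT_IF } proto carp keep state (no-sync)
EOF
}

# Write one node's files under $outdir (e.g. staging/fw1), never into /etc.
render_node() {
    role=$1; outdir=$2
    mkdir -p "$outdir"
    carp_line "$role" > "$outdir/hostname.carp0"
    # pfsync0 replicates the state table over the dedicated sync interface
    printf 'up syncdev %s\n' "$SYNC_IF" > "$outdir/hostname.pfsync0"
    # preempt: a node losing one carp interface gives up all of them, and the
    # preferred master takes the VIP back when it returns
    printf 'net.inet.carp.preempt=1\n' > "$outdir/sysctl.conf"
    pf_cluster_rules > "$outdir/pf.conf.cluster"
}

# Usage: sh carp-pair.sh /tmp/staging   -> writes fw1/ and fw2/ underneath it
if [ "${1:-}" != "" ]; then
    render_node master "$1/fw1"
    render_node backup "$1/fw2"
fi
```

Two points worth checking before copying the staged files onto real hosts: the sync link should be a dedicated cable or isolated VLAN, because pfsync replicates the full state table without authentication, and the carp password only protects the advertisements, not the synced states; and the backup node's only difference is `advskew`, so a diff of the two staged directories should show nothing else.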