Hi Tom, Shorewall, I've been working on a highly-available two-node server setup. I'm using Keepalived for its implementation of VRRP, and naturally also using shorewall. The two nodes send multicast packets back and forth, and if they get blocked by shorewall, VRRP doesn't work properly ;)
It seems the working configuration for /etc/shorewall/rules is:

    #ACTION SOURCE DEST            PROTO
    ACCEPT  $FW    net:224.0.0.18  vrrp
    ACCEPT  net    $FW:224.0.0.18  vrrp
    ACCEPT  $FW    loc:224.0.0.18  vrrp
    ACCEPT  loc    $FW:224.0.0.18  vrrp

I thought I'd document this here, because it took a bit of brain scratching to realize all this at first. Please let me know if it looks like I'm doing the right thing. I wasn't sure if there is a better way to do this or if it's too permissive (it does work, though).

I thought about adding the mcast_src_ip keyword to my keepalived config (and to the SOURCE column in the above rules), but I wasn't sure which IP I should actually choose.

Secondly, I tried to create all this as a macro, but I wasn't sure if there was a sane way to get it to include the :224.0.0.18 address. In my imagination I would have wanted to do something like:

    VRRP/ACCEPT $FW net
    VRRP/ACCEPT net $FW
    VRRP/ACCEPT $FW loc
    VRRP/ACCEPT loc $FW

to produce the above. Wasn't sure if shorewall macros can support this.

You'll notice there are two pairs of rules, because I have a public VIP and also a private VIP on the LAN.

Thanks, and HTH,
James
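Added example, not from James's post or from the Shorewall project: a small Python lint over rules written in the #ACTION SOURCE DEST PROTO layout above. It flags VRRP rules that accept advertisements from a whole zone rather than from the one peer, and rewrites them with SOURCE pinned to the peer's advertisement source address, which is what mcast_src_ip sets on the peer (its own interface address when unset). The peer addresses 203.0.113.2 and 192.168.1.2 are constructed placeholders.

```python
from collections import namedtuple

# Constructed sample: the four rules from the post, in Shorewall's column layout.
RULES = """\
#ACTION SOURCE DEST            PROTO
ACCEPT  $FW    net:224.0.0.18  vrrp
ACCEPT  net    $FW:224.0.0.18  vrrp
ACCEPT  $FW    loc:224.0.0.18  vrrp
ACCEPT  loc    $FW:224.0.0.18  vrrp
"""
VRRP_MCAST = "224.0.0.18"      # all-VRRP-routers multicast group
VRRP_PROTOS = ("vrrp", "112")  # /etc/protocols name or number
Rule = namedtuple("Rule", "action source dest proto")

def parse_rules(text):
    """Parse rule lines; comments and blanks skipped, extra columns ignored."""
    rules = []
    for line in text.splitlines():
        cols = line.split("#", 1)[0].split()
        if len(cols) >= 4:
            rules.append(Rule(*cols[:4]))
    return rules

def split_zone(spec):
    """'net:224.0.0.18' -> ('net', '224.0.0.18'); 'net' -> ('net', None)."""
    zone, _, addr = spec.partition(":")
    return zone, addr or None

def audit(rules):
    """Flag VRRP rules that are broader than a two-node pair needs."""
    findings = []
    for r in rules:
        if r.proto.lower() not in VRRP_PROTOS:
            continue
        szone, saddr = split_zone(r.source)
        if split_zone(r.dest)[1] != VRRP_MCAST:
            findings.append(f"{r.source} -> {r.dest}: DEST is not {VRRP_MCAST}")
        if szone != "$FW" and saddr is None:
            findings.append(f"{r.source} -> {r.dest}: VRRP accepted from every "
                            f"host in zone {szone}; pin SOURCE to the peer address")
    return findings

def tighten(rules, peers):
    """Rewrite inbound VRRP rules to SOURCE=zone:peer_ip (peers maps zone -> ip)."""
    out = []
    for r in rules:
        szone, saddr = split_zone(r.source)
        if r.proto.lower() in VRRP_PROTOS and saddr is None and szone in peers:
            r = r._replace(source=f"{szone}:{peers[szone]}")
        out.append("\t".join(r))
    return out
```

Running audit() on the rules above reports the two inbound rules (net and loc) as zone-wide; tighten() with a zone-to-peer map rewrites only those two and leaves the outbound $FW rules untouched.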
