[Pacemaker] iptables cluster

Andrew Beekhof andrew at beekhof.net
Mon Feb 20 06:14:11 EST 2012


On Thu, Feb 16, 2012 at 7:33 AM, Devin Reade <gdr at gno.org> wrote:
> --On Monday, February 13, 2012 11:21:14 AM +0200 Karlis Kisis
> <karlis.kisis at gmail.com> wrote:
>
>> In most cluster tutorials, for simplicity, iptables is turned off.
>> Funny thing is that iptables is what I want to configure in HA cluster
>> (as redundant firewalls).
>
> I debated about answering this off-list, since it might be considered
> inflammatory, but in the spirit of using the right tool for the
> right job I'll post it anyway.  Flames to /dev/null.
>
> If you're planning on having *just* a redundant firewall on those
> machines, and your other network services are on different machines
> anyway, your configuration would be a lot simpler and (IMO) more
> robust using an alternate technology.
>
> In particular, I'd suggest running a pair of OpenBSD machines as a
> clustered firewall using carp and pfsync.  I often deploy these in pairs
> as gateway routers, and in particular I have a few which are in front
> of pacemaker clusters.  I regularly exercise failover on the firewalls
> and the cutover time is (qualitatively) faster than pacemaker, the
> configuration is very clean, and as you would expect the cutover is
> absolutely transparent to traffic traversing the firewalls (no
> session stutter with either interactive protocols like ssh, or with
> low-latency high-bandwidth multimedia applications, etc).
>
> Don't get me wrong; I really like pacemaker, I just wouldn't use
> it for a firewall if I didn't have to.

People should do whatever makes sense for them.
Pacemaker shouldn't be considered a silver bullet :-)

>
> If your organization doesn't have a problem with using more than
> one operating system in their environment, I'd strongly suggest it.
>
> However, this being a pacemaker list, I'd suggest any clarifying
> questions be asked on the 'misc' OpenBSD mailing list after reading
> <http://www.countersiege.com/doc/pfsync-carp/> and
> <http://www.openbsd.org/faq/faq6.html#CARP>.
>
> Devin
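The carp/pfsync pair Devin describes, written out as an added configuration example; it is not part of the thread and not taken from the OpenBSD project. Interface names (em0 external, em1 internal, em2 a dedicated back-to-back link for pfsync), the documentation-range addresses, vhid values and the CARP password are assumed placeholders.

```conf
# /etc/hostname.em0 -- this node's own external address (assumed placeholder)
inet 203.0.113.11 255.255.255.0

# /etc/hostname.carp0 -- shared external address; advskew 0 makes this node the
# preferred master, the peer uses e.g. advskew 100. "pass" is the shared secret
# that authenticates CARP advertisements, so a forged advertisement cannot
# steal the address; it must be identical on both nodes.
inet 203.0.113.1 255.255.255.0 203.0.113.255 vhid 1 carpdev em0 pass CHANGEME advskew 0

# /etc/hostname.carp1 -- shared internal address, same advskew so both virtual
# addresses fail over together rather than ending up on different nodes
inet 192.0.2.1 255.255.255.0 192.0.2.255 vhid 2 carpdev em1 pass CHANGEME advskew 0

# /etc/hostname.pfsync0 -- replicate the state table over the private link only.
# pfsync carries no authentication, so keep it off any shared LAN.
up syncdev em2

# /etc/sysctl.conf -- a recovered master takes its addresses back, and a node
# whose carp interface goes down demotes itself so the peer becomes master
net.inet.carp.preempt=1

# /etc/pf.conf (only the rules relevant to failover are shown)
ext_if="em0"
int_if="em1"
sync_if="em2"

block all

# Let state replication through unfiltered on the dedicated link
pass quick on $sync_if proto pfsync

# CARP advertisements must pass on every carp-backed interface, otherwise each
# node believes it is master (split-brain, duplicate addresses)
pass on { $ext_if $int_if } proto carp

# Ordinary filtered traffic; its state entries are replicated by pfsync, which
# is what lets an established ssh session survive a failover untouched
pass in on $ext_if proto tcp to 192.0.2.0/24 port 22
pass out on $int_if
```

The second firewall carries the same pf.conf and carp settings, differing only in its own interface addresses and a higher advskew; `ifconfig carp0` on each node shows which one is currently MASTER.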