[Pacemaker] Active-Active HA Firewall

Pavlos Parissis pavlos.parissis at gmail.com
Fri Oct 15 04:07:07 EDT 2010 

On 15 October 2010 09:47, Marcel Hauser <marcel_hauser at gmx.ch> wrote:

>
> But that is no problem. firewalling is no hard job any more. A reasonable
>> machine can firewall 1 GBit/s traffic.
>>
>
> valid point. my only "concern" is/was that i don't like the idea of a
> passive firewall.... because when you need it to failover (maybe after 2
> years :-) ).... you may just realize that it's somehow broken too.
>

a monitor system should help you out on this.


>
> In an active-active like setup you basically know that both system are
> actually working as expected.
>
>
>  - how would you guys detect a firewall failure on any node (pingd ??)...
>>> and if a failure occurs... will the crm automatically unconfigure the
>>> cloned ip's on that node ?
>>>
>>
>> pingd to check the availability of the attached network. The cluste
>> resource
>> manager takes care for the failover. See the "from the scratch" doc.
>>
>
> Yes i've read that in the docs. But is this really common practice for
> firewall clusters ? i don't want the firewall to failover if i'm having
> "internal problems with internal hosts/pingable addresses"!?
>
> otherwise i have to build an internal ping cluster ;-)
>

I have always believed that you should only trigger a failover when
something that is needed to offer the service is not available (disk, a
filesystem, a NIC etc)

Having said that, I believe a firewall in order to be operational needs
access to common elements like disk/fs/nic and on top of that to uplink
routers or to any routers that are part of its routing table. Furthermore, a
firewall needs access to any layer2 switch which gives him access to the
attached LANs

But, deciding which element should be part of the "health system" has to do
with the network design and if layer 2 or layer 3 redundancy exists in your
environment. If the layer 2 or layer 3 redundancy is not available, then
make little sense to add them in your "health system", because in a case of
failure this element wont be accessible by the standby firewall as well.


> why did you choose to run conntrackd and heartbeat over a dedicated bonding
> interface in your pdf, compared to the FW builder docs which say to run
> heartbeat over every interface of the firewall, which therefore might enable
> the cluster to detect network card failures... because the heartbeat is not
> received over a given failed interface anymore ?
>
>
>  Rumors say that the is a good German book about clusters from O'Reilly. In
>> the
>> examples chapter the author exactly describes the setup you mentioned. ;-)
>>
>
> :-).... i've seen that... but i hate reading books (no matter on what
> topic)... and my learning curve is much more efficient if i learn it myself
> :-)
>

I didn't quick search and I couldn't find it, what is the name of the book?


> but thanks for the hint... any i really appreciate your and any other help!
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.clusterlabs.org/pipermail/pacemaker/attachments/20101015/96d1e23a/attachment-0001.html>

More information about the Pacemaker mailing list