[Pacemaker] iptables cluster

Devin Reade gdr at gno.org
Wed Feb 15 20:33:35 UTC 2012


--On Monday, February 13, 2012 11:21:14 AM +0200 Karlis Kisis
<karlis.kisis at gmail.com> wrote:

> In most cluster tutorials, for simplicity, iptables is turned off.
> Funny thing is that iptables is what I want to configure in HA cluster
> (as redundant firewalls).

I debated about answering this off-list, since it might be considered
inflammatory, but in the spirit of using the right tool for the 
right job I'll post it anyway.  Flames to /dev/null.

If you're planning on having *just* a redundant firewall on those
machines, and your other network services are on different machines 
anyway, your configuration would be a lot simpler and (IMO) more
robust using an alternate technology.

In particular, I'd suggest running a pair of OpenBSD machines as a
clustered firewall using carp and pfsync.  I often deploy these in pairs
as gateway routers, and in particular I have a few which are in front
of pacemaker clusters.  I regularly exercise failover on the firewalls
and the cutover time is (qualitatively) faster than pacemaker, the
configuration is very clean, and as you would expect the cutover is
absolutely transparent to traffic traversing the firewalls (no
session stutter with either interactive protocols like ssh, or with
low-latency high-bandwidth multimedia applications, etc).

Don't get me wrong; I really like pacemaker, I just wouldn't use
it for a firewall if I didn't have to.

If your organization doesn't have a problem with using more than 
one operating system in their environment, I'd strongly suggest it.

However, this being a pacemaker list, I'd suggest any clarifying 
questions be asked on the 'misc' OpenBSD mailing list after reading
<http://www.countersiege.com/doc/pfsync-carp/> and
<http://www.openbsd.org/faq/faq6.html#CARP>.

Devin
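As an added illustration of the setup Devin describes (not code from his post or from the OpenBSD project's own documentation), here is a minimal carp/pfsync configuration for a two-node firewall pair. Assumptions: hostnames fw1 and fw2, em0 is the outside interface, em1 the inside interface, em2 a dedicated crossover link used only for pfsync; the addresses are the 192.0.2.0/24 and 198.51.100.0/24 documentation ranges, and EXAMPLE-SECRET is a placeholder for the shared CARP password.

```conf
# ===== fw1 (preferred master) =====

# /etc/hostname.em2  -- dedicated pfsync link, cabled directly to fw2
inet 10.10.10.1 255.255.255.252

# /etc/hostname.carp0  -- shared outside address; vhid and pass must match on both nodes
# advskew 0 makes fw1 win the election for this vhid
inet 192.0.2.1 255.255.255.0 192.0.2.255 vhid 1 carpdev em0 pass EXAMPLE-SECRET advskew 0

# /etc/hostname.carp1  -- shared inside address; LAN hosts use this as their gateway
inet 198.51.100.1 255.255.255.0 198.51.100.255 vhid 2 carpdev em1 pass EXAMPLE-SECRET advskew 0

# /etc/hostname.pfsync0  -- replicate the pf state table, only over the sync link
up syncdev em2

# /etc/sysctl.conf
net.inet.ip.forwarding=1
# preempt: if fw1 loses any one carp interface, it demotes the whole group so
# fw2 takes over inside and outside together (no asymmetric routing)
net.inet.carp.preempt=1

# /etc/pf.conf (excerpt)
ext_if  = "em0"
int_if  = "em1"
sync_if = "em2"

set skip on lo
# carp and pfsync traffic must pass unfiltered, and their own states are not synced
pass quick on $sync_if proto pfsync keep state (no-sync)
pass on { $ext_if, $int_if } proto carp keep state (no-sync)
# states created by ordinary rules like this one are mirrored to fw2 via pfsync0
pass out on $ext_if inet keep state

# ===== fw2 (backup) =====
# Identical files, except:
#   /etc/hostname.em2    inet 10.10.10.2 255.255.255.252
#   /etc/hostname.carp0  ... vhid 1 carpdev em0 pass EXAMPLE-SECRET advskew 100
#   /etc/hostname.carp1  ... vhid 2 carpdev em1 pass EXAMPLE-SECRET advskew 100
```

To check the result, `ifconfig carp0` on each node reports `carp: MASTER` or `carp: BACKUP`, and `pfctl -ss` on the backup should show the same established states as the master. A controlled failover test is `ifconfig -g carp carpdemote 50` on the master, which raises its demotion counter so fw2 takes both vhids; an open ssh session through the pair should not notice. Two points worth keeping in mind: CARP advertisements are authenticated with the shared password, but pfsync messages are not, and pf merges whatever arrives on syncdev into its state table, so the sync interface belongs on a physically isolated link and nowhere else; and the carp password, vhid numbers and advskew values are the only things that differ between a working pair and a split-brain, so keep them under configuration management.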
