On Wed, Mar 10, 2010 at 9:40 AM, Michael Schwartzkopff
> On Wednesday, 10 March 2010 17:57:57, Vadim Kurland wrote:
>> On Wed, Mar 10, 2010 at 12:19 AM, Michael Schwartzkopff
>> <misch@...> wrote:
>> > On Wednesday, 10 March 2010 01:24:42, Vadim Kurland wrote:
>> >> I am pleased to announce availability of Firewall Builder 4.0 Beta. We
>> >> have been testing the new version internally and in limited beta
>> >> release for several months now and we believe it is ready for public
>> >> beta. The new version comes with support for high availability
>> >> firewall configurations, including heartbeat, vrrpd, keepalived,
>> >> conntrackd on Linux, CARP and pfsync on OpenBSD and PIX failover
>> >> configuration. It can generate configuration scripts to manage ip
>> >> addresses, VLAN, bridge and bonding interfaces on the firewall.
>> >> Drop-in support for OpenWRT firewall script is now available, as well
>> >> as experimental integration with IPCOP firewall appliances. The GUI
>> >> supports undo/redo of unlimited depth and was generally
>> >> streamlined and improved.
>> >> Source tar.gz, binary rpm and deb packages have been uploaded to
>> >> SourceForge, in the directory Current_Packages/4.0.0/
>> >> https://sourceforge.net/projects/fwbuilder/files/
>> >> Release Notes can be found here:
>> >> http://www.fwbuilder.org/4.0/docs/firewall_builder_release_notes.html
>> >> rpm and deb "testing" repositories now serve fwbuilder 4.0 build 2704
>> >> packages.
>> >> This page explains how to configure apt and yum to use our
>> >> repositories:
>> >> http://www.fwbuilder.org/4.0/docs/firewall_builder_packages.html
>> >> We are working on the Firewall Builder Users Guide 4.0 right now. The
>> >> text is still work in progress, but updated Guide is being published
>> >> on the web site every night:
>> >> http://www.fwbuilder.org/4.0/docs/users_guide/ Both HTML and PDF
>> >> versions are available.
>> >> Chapters that describe configuration of ip addresses, vlan, bridge and
>> >> bonding interfaces are here:
>> >> http://www.fwbuilder.org/4.0/docs/users_guide/interfaces.html
>> >> Chapters that describe firewall cluster configurations are here:
>> >> http://www.fwbuilder.org/4.0/docs/users_guide/clusters.html
>> >> Examples of cluster configurations on Linux with vrrpd and heartbeat:
>> >> http://www.fwbuilder.org/4.0/docs/users_guide/cluster-cookbook.html
>> >> Please give it a try!
>> >> --vk
>> > Hi,
>> > thanks for your efforts.
>> > Reading the cluster doc about the new version I see that one of the
>> > members of a cluster should be marked as "master". This was the concept
>> > of old heartbeat. This concept was abandoned in 2005 with Linux-HA version
>> > 2 and the Cluster Resource Manager. There is no dedicated master in such a
>> > cluster any more.
>> do they have priorities ? Even if there is no dedicated master, there
>> is probably a way to influence which unit in the HA pair will be
>> preferred. Or is it completely random and unpredictable ?
> You could introduce priorities, but why would you add additional complexity?
>> > Old heartbeat and also heartbeat version 2 have not been maintained for two or
>> > three years. Recent distributions and all future distributions use
>> > pacemaker / corosync. Please note that corosync is basically the same as
>> > OpenAIS.
>> Given that fwbuilder does not generate configuration files for the HA
>> agent and corosync is the same as OpenAIS, is it enough to just have
>> support for OpenAIS ?
> Yes, of course.
>> Caveat: fwbuilder generates vrrpd configuration for Secuwall
>> firewall, CARP interface configuration for BSD and HA configuration
>> for PIX. It does not generate configuration for heartbeat and other HA
>> agents at this time.
> That's ok. Since the cluster config is a little bit more complex.
>> > So I see no use in having a dedicated "master" in a "heartbeat" style
>> > cluster. Please consider removing this button for this setup. Please also
>> > consider naming the "heartbeat" cluster to "pacemaker". Thanks.
>> heartbeat configuration already does not require setting "master". The
>> only place where "master" parameter surfaces is in the new cluster
>> dialog where user selects member firewall objects to form new cluster.
>> The dialog is universal and is the same for all platforms and on some
>> "master" setting is necessary. Even on the same firewall platform it
>> may be necessary to set "master" for some HA protocols, which are
>> configured later in the wizard. We need to look if it would be
>> possible to hide the "master" column or keep radiobuttons disabled in
>> this dialog depending on the target firewall platform.
>> http://www.fwbuilder.org/4.0/docs/users_guide/heartbeat_cluster.html does
>> not mention master requirement anywhere else.
>> As for the heartbeat being not maintained, it is still part of all
>> distributions and the document above describes configuration I built
>> with one of the latest Ubuntu distributions.
>> since fwbuilder does not require "master" for heartbeat, should there
>> be any difference in the configuration generated by fwbuilder between
>> setup described in the document above and the one using pacemaker ?
> Hiding the "master" column for heartbeat would be perfect.
> Using heartbeat as included in the distros is, well, not very advisable. You
> get no support any more. And it will be removed from future releases.
> fwbuilder generated output should be identical regarding the policy. Of course
> the dedicated ip addresses should appear. So I think the output as it is is
> OK, just the "master" column hit me in the screen shots.
the problem here is that when the first page of the wizard is shown,
it is unknown which failover protocol the user will choose on the
subsequent pages so we can't hide the column.
for example for Secuwall, where they use vrrp and fwbuilder generates
vrrpd configs, it is necessary to know which machine is the master,
but the protocol is chosen later in the wizard.
Still the question about pacemaker and corosync: Do they have
priorities ? Like in vrrp, where you set up priorities to influence
the protocol and make it prefer one machine over the other.
Usually failover protocols offer some mechanism like that. I do not
know what version of heartbeat is considered "old" or "new", I know
that the one coming with Ubuntu Jaunty is 2.1.4 and it has this in the
form of the machine name in haresources file. Whichever machine name
is at the beginning of the line in this file becomes preferable in
So the "master" in fwbuilder can be considered an indication of the
higher priority machine in the pair for protocols such as heartbeat,
vrrp and others. In case of PIX, where active unit fully takes over
all addresses and functions of the cluster, the "master" is really,
In fwbuilder "master" is overloaded term, it maps to slightly
different things in different HA configurations.
I guess I need to work this into documentation somehow.