I have done something similar with OpenWrt using "VRRP" and "conntrackd".

VRRP provides the HA failover, and conntrackd ensures that the state is the same on each firewall.

cheers
----------------------------------------------------------
Chris Martin
m: +61 419 812 371
e: chris@martin.cc
----------------------------------------------------------
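Assuming keepalived as the VRRP daemon, the glue between the two pieces named above would be a notify hook along these lines. This is an added example, not code from the thread or from the keepalived or conntrackd projects; the binary and config paths are assumptions, while the conntrackd flags are its documented client options.

```shell
#!/bin/sh
# Added example, not from the thread or from the keepalived/conntrackd
# projects: a keepalived VRRP "notify" hook that drives conntrackd on each
# state change, so a node that becomes MASTER activates the replicated
# connection table before it starts forwarding. Assumed install paths:
CONNTRACKD="${CONNTRACKD:-/usr/sbin/conntrackd}"
CONFIG="${CONNTRACKD_CONFIG:-/etc/conntrackd/conntrackd.conf}"

# Map a VRRP state to the conntrackd client commands to run, one per line.
# Flags are the documented conntrackd(8) client options; kept as data so the
# sequence can be reviewed (or tested) without root or a running daemon.
plan_for_state() {
    case "$1" in
        MASTER)
            # -c commit the external (replicated) cache into the kernel table
            # -f flush the caches, -R resync the internal cache from the kernel
            # -B push a bulk update so the backup starts from our full table
            printf '%s\n' -c -f -R -B ;;
        BACKUP)
            # -t shorten kernel timers so stale entries age out quickly
            # -n request a full resync from the current master
            printf '%s\n' -t -n ;;
        FAULT)
            # link or tracker failure: only age out stale entries
            printf '%s\n' -t ;;
        *)
            return 1 ;;
    esac
}

# Run the plan for the given state; each failure is logged but does not stop
# the remaining steps, since a partial resync still beats an empty table.
apply_transition() {
    state="$1"
    plan="$(plan_for_state "$state")" || { echo "unknown VRRP state: $state" >&2; return 1; }
    rc=0
    for flag in $plan; do
        "$CONNTRACKD" -C "$CONFIG" "$flag" || { echo "conntrackd $flag failed" >&2; rc=1; }
    done
    return $rc
}

# keepalived calls notify scripts as: <script> INSTANCE|GROUP <name> <STATE>
if [ "$#" -ge 3 ]; then
    apply_transition "$3"
fi
```

Point the `notify` option of the `vrrp_instance` in keepalived.conf at this script so it fires on every MASTER/BACKUP/FAULT transition.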




On 21 June 2012 07:55, Dag Richards <dagrichards@speakeasy.net> wrote:
I am a long-time Linux user (since kernel .99).
I used to run our firewalls on Red Hat with ipchains, yes chains,
back in 2000-2002.


By far the easiest way to create an HA firewall that will provide
stateful seamless failover is to run OpenBSD.

I have been doing that to protect a busy healthcare network with over
5000 nodes using two IBM x3550s.

CARP and PF are wicked easy, simple, reliable.

All you need is two servers and the default install.

We also use it for VPNs .... Check it out.

Works with fwbuilder ....
On 6/20/12 4:57 AM, Steve Campbell wrote:
> I'm starting the process all over again of considering clustered
> firewalls. I've two new servers to work with, and I'm going to use
> CentOS 6.2 on these boxes.
>
> Each time I begin this consideration, I run into a brick wall due to the
> CentOS High Availability packages' insistence on using power fencing.
> All I really want to do is test the theory of clustered firewalls, but
> that fencing problem is a show-stopper.
>
> The cookbook explains how it should be done with heartbeat and two
> servers, but the new Centos documentation on HA doesn't help much in the
> way of duplicating this setup, and the heartbeat web site now suggests
> that changes have been made to the way things should be done, things
> like using Pacemaker, and the like.
>
> Maybe I'm confusing things, and don't understand the functions provided
> by Red Hat/CentOS and their group packages. I realize that split-brain is
> the reason for all this fencing goo, but I just want to mimic what
> appears to be a simple heartbeat from the cookbook where I have two
> firewalls and a third server to provide odd-numbered quorum (or maybe
> just the two firewalls without the quorum). In my mind, I shouldn't need
> the third server, since the alternative to HA would just be two servers
> for firewalls, one being primary, and the second sitting there in
> waiting for some catastrophe to happen to the primary. I'd then do a
> manual startup of the firewall on the secondary.
>
> HA would be nice since our computer operations staff is not here around
> the clock any more to do the manual startup. Can anyone provide a clear
> explanation of how the two-server/HA solution might be accomplished
> using a CentOS 6.2 OS and what packages/groups of packages they would use?
>
> An explanation of how this would work from the standpoint of failover
> would be nice. Again, I might be misunderstanding how all this SHOULD
> work, so if you see flaws in my conception, please point that out as well.
>
> Our current setup is supposed to do the trick, but the failover has
> never worked. It uses the third server setup along with heartbeat and
> I'm guessing it was a square hole/round peg installation.
>
> Thanks in advance.
>
> steve campbell
>
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Fwbuilder-discussion mailing list
> Fwbuilder-discussion@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/fwbuilder-discussion


--

IS-IS sleeps.
BGP peers are quiet.
Something must be wrong.
