Re: [Fwbuilder-discussion] Redundant firewalls
From: John G. <Jo...@ga...> - 2007-03-13 18:24:08
I have gotten the hot standby option working with the exact same rule set on both firewalls. I create rules for one of the boxes and then copy the firewall object and modify the interfaces. I have also added all of the addresses that float between the firewalls as addresses on the "outside" interface.

Install keepalived on both boxes. Declare the global IP addresses on the LB so that it handles the transition of the address from one box to the other.

    vrrp_instance VI_1 {
        # uncomment the line below to enable the master router on this system.
        state MASTER
        interface eth0
        track_interface {
            # Interface state we monitor
            eth0
            eth1
        }
        garp_master_delay 10
        smtp_alert
        virtual_router_id 51
        # Change the priority to 110 on secondary router
        priority 150
        advert_int 1
        authentication {
            auth_type PASS
            auth_pass 123456
        }
        virtual_ipaddress {
            x.x.x.13   # Default gtw in
            x.x.x.14   # Web Pool
            x.x.x.17   # Misc for ssh and other natted objects
        }
    }

    vrrp_instance VI_2 {
        # uncomment the line below to enable the master router on this system
        state MASTER
        interface eth1
        track_interface {
            # Interface state we monitor
            eth0
            eth1
        }
        smtp_alert
        virtual_router_id 52
        # Change the priority to 110 on secondary router
        priority 150
        advert_int 1
        authentication {
            auth_type PASS
            auth_pass 654321
        }
        virtual_ipaddress {
            10.200.200.254
        }
    }

Disable any scripts that fwbuilder might run to create addresses in iptables for NAT objects (firewall: advanced settings). Make sure that you allow VRRP traffic between the LB boxes (multicast, loopback...). If you use a VIP for load balancing then do not enter a NAT object in fwbuilder and let the LB do the NAT. However, it seems that the access rule in and out needs to be stateless for these rules.

You should track your interfaces (see above) and you can sync using keepalived:

    vrrp_sync_group VG1 {
        group {
            VI_1
            VI_2
        }
    }

John

-----Original Message-----
From: fwb...@li... [mailto:fwb...@li...] On Behalf Of Vincenzo Arena
Sent: Monday, March 12, 2007 7:52 AM
To: chr...@fr...; fwb...@li...
Subject: Re: [Fwbuilder-discussion] Redundant firewalls

Hi,

I use an active/passive configuration using HA. I put everything that is needed by the active node under /usr/local/firewall/ and then use rsync in cron to keep both sides up to date (the cron job will check on the virtual IP of the cluster to decide who has to sync with whom). So hanode1 will have the following line in cron:

    */5 * * * * ( ip addr | grep -w x.y.z.w > /dev/null 2>&1) && rsync -pogurt --exclude ".*" /usr/local/firewall/ hanode2:/usr/local/firewall/ || exit 0

The only "trick" you need is to put no IP address on the external (and DMZ) interface(s); so the interface will be up but would not answer any request. It is HA's task to put the address on as needed. In this way you use only one (or as many as you like) IP addresses in fwbuilder and you'll be sure it (they) will be on the machine that is up at any given time.

Hope it helps,
Vincenzo

-----Original Message-----
From: fwb...@li... [mailto:fwb...@li...] On Behalf Of chr...@fr...
Sent: Saturday, March 10, 2007 8:34
To: fwb...@li...
Subject: [Fwbuilder-discussion] Redundant firewalls

Hi all,

I'd like to set up 2 redundant firewalls using fwbuilder and I'd like to know how you realise this. I think there are at least 3 possibilities:

Cold standby: Both firewalls are identically configured and the standby firewall will be switched on if the primary fails. How could they be synchronized if some OS settings are changed or if the policy changes?

Warm standby: Both firewalls are identically configured except one interface is different, to access both at the same time. But then there is a problem with the policy, that the firewall object doesn't match both configurations. Maybe this could be achieved with a dynamic address at that interface?

Hot standby: Load balancing/sharing. Is someone using this? If yes, which software do you use for HA?

Any information/documentation/howto is much appreciated.

One minor problem I'd like to get any info about is a problem with a D-Link DFE-580TXE 4 port network interface. Suse Linux 10.2 detects 3 interfaces (the first three) correctly and the fourth with MAC ff:ff:ff:ff:ff:ff and driver sundance, not DFE580-TXE as the first three. Where could I fix this to use also the fourth port? I took an image of this installation and stored it on an identical server. At the second server (where I installed the image) all interfaces have the right driver/MAC.

Thank you for your help.

Best regards,
Christof

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your opinions on IT & business topics through brief surveys-and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
Fwbuilder-discussion mailing list
Fwb...@li...
https://lists.sourceforge.net/lists/listinfo/fwbuilder-discussion
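Added example, not part of the thread and not code from the keepalived or fwbuilder projects: with the layout John describes (one vrrp_instance per interface, both tied together by a vrrp_sync_group, the secondary differing only in priority), the failure modes that silently break failover are drift between the two keepalived.conf files rather than anything in the rule set. The small Python checker below parses the master's and the standby's config and reports a VIP set that differs, mismatched VRRP authentication, a mismatched interface or virtual_router_id, a standby whose priority is not below the master's, a virtual_router_id reused by two instances on one node, and an instance left out of the sync group. The master config is constructed from the one posted above (address placeholders kept, comments shortened); the standby is derived from it with priority 110 plus two deliberate drifts so the checker has something to find. The parser covers only the brace syntax shown in that config.

```python
# Added example, not from the thread or from keepalived/fwbuilder: check a
# keepalived master/standby pair for the drift that breaks VRRP failover.
# The parser covers only the brace syntax used in John's config above.
# Constructed sample: John's master config, address placeholders kept.
MASTER_CONF = """
vrrp_instance VI_1 {
    state MASTER
    interface eth0
    virtual_router_id 51
    priority 150
    authentication {
        auth_type PASS
        auth_pass 123456
    }
    virtual_ipaddress {
        x.x.x.13   # default gateway
        x.x.x.14   # web pool
        x.x.x.17   # ssh and other natted objects
    }
}
vrrp_instance VI_2 {
    state MASTER
    interface eth1
    virtual_router_id 52
    priority 150
    authentication {
        auth_type PASS
        auth_pass 654321
    }
    virtual_ipaddress {
        10.200.200.254
    }
}
vrrp_sync_group VG1 {
    group {
        VI_1
        VI_2
    }
}
"""

# Constructed standby: priority lowered to 110 as the post says, plus two
# deliberate drifts (one VIP missing on VI_1, a retyped password on VI_2).
STANDBY_CONF = (MASTER_CONF.replace("priority 150", "priority 110")
                .replace("x.x.x.17", "")
                .replace("auth_pass 654321", "auth_pass 654312"))

def parse(text):
    """Parse keepalived brace syntax into nested dicts: 'key value' lines become
    entries, nested blocks are keyed by their header, bare words go to '_items'."""
    lines = [ln.split("#", 1)[0].strip() for ln in text.splitlines()]

    def block(i):
        out = {"_items": []}
        while i < len(lines):
            line, i = lines[i], i + 1
            if line == "}":
                break
            if line.endswith("{"):
                out[line[:-1].strip()], i = block(i)   # recurse into sub-block
            elif line:
                parts = line.split(None, 1)
                if len(parts) == 2:
                    out[parts[0]] = parts[1]
                else:
                    out["_items"].append(parts[0])
        return out, i
    return block(0)[0]

def instances(conf):
    return {k.split()[1]: v for k, v in conf.items() if k.startswith("vrrp_instance ")}

def synced(conf):
    # names of every instance that is a member of some vrrp_sync_group
    return {n for k, v in conf.items() if k.startswith("vrrp_sync_group ")
            for n in v.get("group", {"_items": []})["_items"]}

def check_pair(master_text, standby_text):
    """Return findings as strings; an empty list means the pair is consistent."""
    m, s = parse(master_text), parse(standby_text)
    mi, si = instances(m), instances(s)
    found = [f"{n}: defined on only one node" for n in sorted(set(mi) ^ set(si))]
    vrids = {}
    for name in sorted(set(mi) & set(si)):
        a, b = mi[name], si[name]
        for key in ("interface", "virtual_router_id"):
            if a.get(key) != b.get(key):
                found.append(f"{name}: {key} differs ({a.get(key)} vs {b.get(key)})")
        aa, ba = a.get("authentication", {}), b.get("authentication", {})
        if (aa.get("auth_type"), aa.get("auth_pass")) != (ba.get("auth_type"), ba.get("auth_pass")):
            found.append(f"{name}: authentication differs")
        av, bv = (set(x.get("virtual_ipaddress", {"_items": []})["_items"]) for x in (a, b))
        if av != bv:
            found.append(f"{name}: VIP sets differ {sorted(av ^ bv)}")
        if int(a.get("priority", 100)) <= int(b.get("priority", 100)):  # keepalived default is 100
            found.append(f"{name}: master priority must exceed standby priority")
        vrid = a.get("virtual_router_id")
        if vrid in vrids:
            found.append(f"{name}: virtual_router_id {vrid} already used by {vrids[vrid]}")
        vrids[vrid] = name
        if name not in synced(m) or name not in synced(s):
            found.append(f"{name}: not in a vrrp_sync_group on both nodes")
    return found
```

Run `check_pair(MASTER_CONF, STANDBY_CONF)` and it reports the missing x.x.x.17 on VI_1 and the password mismatch on VI_2; with a standby that differs only in priority it returns an empty list. On real hosts, feed it the two /etc/keepalived/keepalived.conf files (pulled over the same rsync channel Vincenzo uses) from cron, so that an edit applied to one node only shows up before the next failover rather than during it.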