Re: [Fwbuilder-discussion] Clustered firewalls / Unclustered firewalls
From: Vadim K. <va...@ne...> - 2012-08-08 14:53:15
On Wed, Aug 8, 2012 at 7:21 AM, Steve Campbell <cam...@cn...> wrote:
> I've pretty much got all of the kinks worked out for testing my
> clustered firewalls and I'm ready to move these to real machines. For
> now, they're just on VMs and there's some things I can't test using
> these VMs.
>
> We currently have a pair of firewalls that are semi-clustered. They're
> highly available, but not using any normal clustering scheme. The rules
> for the firewalls are not done using FWB clustering, so most of the node
> movement and rules are done with home made scripts.
>
> One of the things that occurs on the current firewall pair is that they
> go into a split-brain condition. I'm guessing this is because of the way
> the person set them up as described above. The nice thing about that
> setup is that when they do go haywire, and because the rules are not
> done with FWB clustering, I can kill one machine and run the firewall
> script. Since the IPs on the firewall are created by the script, I have
> a working firewall until I can get HA running again.
>
> I'd like to know if there's a way to create this type of script/firewall
> while working in cluster mode for each machine of a cluster without
> having to duplicate the rules from the cluster to the individual FWB
> firewall tree. Currently, in "cluster mode", the IPs on the cluster
> firewalls are part of the HA software services, and are assumed to be
> there when the firewall script is started, bypassing the creation of the
> IP on the individual NICs. In normal, non-cluster mode, the virtual IPs
> are added to the NICs when the script is run.
>
> I may never need this ability. The old firewall pairs do not use
> fencing, and this may be a large part of why split-brain occurs. The new
> pair will use fencing.
>
> Is there a "secret" way to do this that I'm not aware of already? In
> summary, what I'd like to know is can I have two individual firewalls
> and a cluster of those two firewalls that have the same rules where the
> new rules that are added are only added in one place without the need to
> copy these rules to all three combinations?
>
> Now I'm sure this isn't clear to anyone but me, but if by chance someone
> understands what I'm asking, I'd certainly like to hear your thoughts.

It sounds like you want the script generated by fwbuilder to install virtual IP addresses under certain circumstances (when HA software has failed and machines went "split brain" and you want to fix the situation quickly without relying on the HA software). This is not supported in fwbuilder.

Note that if machines go split brain for whatever reason, you just shut down or disconnect one machine and the other will own virtual IPs. After all, split brain situation is when both own these ips. As long as your HA software is running and can not talk to the other cluster member, it will install virtual IPs and fwbuilder script does not need to do it.

--vk
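The "non-cluster mode" behaviour Steve describes, where the firewall script itself puts the virtual IP on the NIC, can be kept as a small standalone fallback outside fwbuilder. The following is an added example for this thread, not fwbuilder's generated script or Steve's home-made one; it assumes iproute2 and root, and the interface name `eth0` and address `192.0.2.10/24` in the usage comment are placeholders. It is meant for the one node you keep after shutting down or disconnecting the other, as Vadim's reply describes, since installing the address on both nodes is exactly the split-brain state:

```shell
#!/bin/sh
# Added example (not fwbuilder's or the original poster's script):
# install a virtual IP on a NIC only if it is not already configured.
# Run this only on the surviving node, after the other one has been
# shut down or disconnected.

# vip_present LISTING VIP
# LISTING is the output of `ip -o -4 addr show dev IFACE`.
# Returns 0 if VIP (CIDR form, e.g. 192.0.2.10/24) appears in it.
vip_present() {
    listing=$1
    vip=$2
    # Fixed-string match on " inet <vip> " so 192.0.2.1/24 does not
    # match 192.0.2.10/24.
    printf '%s\n' "$listing" | grep -qF " inet $vip "
}

# ensure_vip IFACE VIP
# Adds VIP to IFACE unless it is already there; idempotent, so the
# firewall script can call it on every run.
ensure_vip() {
    iface=$1
    vip=$2
    listing=$(ip -o -4 addr show dev "$iface") || return 1
    if vip_present "$listing" "$vip"; then
        echo "$vip already present on $iface"
    else
        ip addr add "$vip" dev "$iface" && echo "added $vip to $iface"
    fi
}

# Usage (placeholder interface and address, assumed, not from the thread):
# ensure_vip eth0 192.0.2.10/24
```

The check is done against the live address list rather than a state file, so the script stays correct whether the HA software or a previous manual run installed the address first.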