From: David W. B. <dw...@we...> - 2005-02-06 05:50:23
Hello,

Jack has got it 100% right with the 5 9's but you might try:
http://www.linux-ha.org,
http://www.linux-ha.org/download/GettingStarted.html and
http://www.geocities.com/latompa/ha/apache_heartbeat.html.

BTW, assuming you are running shorewall on some type of Linux or FreeBSD OS, what is the purpose of the Cisco 2690 or whatever is the upstream router? If this is supplied by the T1 provider you may be better off by telling the upstream provider to take it back.

David.

Jack Coates wrote ..
> Kirti S. Bajwa wrote:
> > Hello List:
> >
> > Recently our shorewall FW server went dead (PS failure) & brought the entire
> > system down. Luckily we are testing the FW and other servers, so we did not
> > lose anything. Now we have decided to set up two Shorewall FW servers with a
> > primary & another fallover FW server.
> >
> > I have done some research, cruised the Internet and found that a product
> > 'UCARP' (http://www.ucarp.org/) might provide a solution. Our current setup
> > is (same as on Shorewall web site) as follows:
> >
> >
> >                    T1
> >                   ----
> >                    |
> >            Cisco 26xx Router
> >            -----------------
> >                    |
> >     Shorewall Firewall Server (FW)
> >     ------------------------------
> >                    |
> >     -------------------------------
> >     |      |       |       |      |
> >    DNS1   DNS2   RADIUS   MAIL   DATA
> >
> > After I deploy a fallover FW server, the setup will look like this:
> >
> >
> >                    T1
> >                   ----
> >                    |
> >            Cisco 26xx Router
> >            -----------------
> >                    |
> >         -----------------------
> >         |                     |
> >        FW1                   FW2
> >        ----                  ----
> >         |                     |
> >     -------------------------------
> >     |      |       |       |      |
> >    DNS1   DNS2   RADIUS   MAIL   DATA
> >
> > Questions:
> > (1) Is somebody using 'UCARP' for fallover firewall server?
> >     If yes, please give your opinion!
> > (2) Is there another solution?
> >
>
> http://www.xenos.net/library/hafirewall.html, but you might find it a
> lot simpler to just use a system with dual power supply support. What
> you're talking about just moves the single point of failure problem
> around to different parts of the network map. True redundancy is a very
> expensive and difficult goal to attain. I unfortunately can't find a
> really good article I once read comparing 5 9's reliability to climbing
> a greased flagpole, so here's my own inferior paper on risk management:
> http://www.monkeynoodle.org/comp/risk
>
> > My first preference is to use a fallover module specially designed for
> > Shorewall FW. After checking the Internet, I have not found anything.
> >
>
> --
> Jack at Monkeynoodle dot Org: It's a Scientific Venture...
> Riding the Emergency Third Rail Power Trip since 1996!