On Thursday 14 October 2010 19:19:39 Marcel Hauser wrote:
> Hi All
>
> I'm very new to pacemaker... so please forgive me if i'm asking silly
> questions :-)

There are no silly questions, only silly answers. Or was it vice versa?

> I would like to build an HA Active-Active Firewall based on:
> - iptables
> - conntrack-tools
> - corosync
> - pacemaker
>
> i do know about fwbuilder and that it's possible to use fw builder in
> order to build a cluster configuration. I've also read a pdf dated in
> feb 2009 about ha firewalls by using heartbeat.

Yes, I know I should update that paper ;-)

> i've read and tried to implement everything by reading the "cluster from
> scratch" guide.
>
> Currently i have successfully built a 2 node cluster based on pacemaker
> with cloned ip's for the external network card and the internal network
> card.

NO cloned IP addresses in a firewall. Cloning only works in the INPUT chain, not on the FORWARD chain! So no chance for a load-balancing firewall. Please make it one virtual IP address.

> basically my questions are now:
>
> - are there any example configurations/"best practice guides" for an
> active-active iptables firewall using the above mentioned tools ? (in
> the end i will have about 50 public ip's... and 5 internal networks
> using vlan tags on the internal nic)

No active-active. Only active-passive. The virtual IP is located on one node at a given time. No cloning. But that is no problem. Firewalling is no hard job any more. A reasonable machine can firewall 1 GBit/s traffic.

> - am i on the right track to create cloned ip's for the internal ip's as
> well as the external ip's ? how about the "network flow" if using two
> active firewalls ?

No. See above. Make a group of the external and internal IP addresses.

> - how would you guys detect a firewall failure on any node (pingd ??)...
> and if a failure occurs... will the crm automatically unconfigure the
> cloned ip's on that node ?

pingd to check the availability of the attached network. The cluster resource manager takes care of the failover. See the "from scratch" doc.

> i do know that my questions are not directly related to pacemaker... but
> i thought i might reach the most users with the same goal on this list.

Well, I feel the questions are directly related to a cluster setup.

> any help hints and/or example scripts or configurations or links to how
> to guides would be very much appreciated!
>
> Marcel

Rumors say that there is a good German book about clusters from O'Reilly. In the examples chapter the author exactly describes the setup you mentioned. ;-)

Please feel free to contact me for further questions.

Greetings,

--
Dr. Michael Schwartzkopff
Guardinistr. 63
81375 München
Tel: (0163) 172 50 98
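The active-passive layout the reply recommends (one group holding the external and internal virtual IPs, a pingd check of the attached network on every node, failover left to the cluster resource manager), written out as an added example that is not part of this thread and not the Pacemaker project's own code. It uses the crm shell syntax of the "Cluster from Scratch" guide and the ocf:pacemaker:ping agent, which publishes the pingd node attribute the reply refers to. The addresses, interface names, the upstream router and the resource names are constructed placeholders on documentation ranges, not values from the thread.

```crmsh
# Added example, not from the thread: active-passive firewall IPs in Pacemaker.
# Addresses, interfaces, the gateway and resource names are constructed
# placeholders.

# One virtual IP per side of the firewall. The external and the internal
# address sit in one group so they always fail over to the same node together,
# which is what keeps FORWARD traffic flowing through a single node.
primitive ip_ext ocf:heartbeat:IPaddr2 \
    params ip="203.0.113.10" cidr_netmask="24" nic="eth0" \
    op monitor interval="10s"
primitive ip_int ocf:heartbeat:IPaddr2 \
    params ip="192.168.10.1" cidr_netmask="24" nic="eth1" \
    op monitor interval="10s"
# The further public addresses and the VLAN subinterfaces (eth1.20, ...) from
# the question are added as more IPaddr2 primitives to this same group.
group fw_ips ip_ext ip_int

# Connectivity check on every node: ping the upstream router and publish the
# result as the node attribute "pingd" (0 when the router is unreachable).
primitive ping ocf:pacemaker:ping \
    params host_list="203.0.113.1" multiplier="1000" dampen="5s" \
    op monitor interval="15s"
clone ping_clone ping meta globally-unique="false"

# Never run the IP group on a node whose external link is down; the CRM then
# moves the whole group, and with it the firewalling, to the other node.
location fw_on_connected_node fw_ips \
    rule -inf: not_defined pingd or pingd lte 0

# A two-node cluster must keep running after losing one node. Fencing is
# deliberately not shown here: without a configured STONITH device a split
# brain would bring the same virtual IP up on both nodes, so add one before
# the cluster carries real traffic.
property no-quorum-policy="ignore"
```

Load it with `crm configure load update <file>` and confirm with `crm_mon` that fw_ips is started on exactly one node while ping_clone is started on both; pulling the external cable on the active node should then move fw_ips within the dampen interval, which is the failover behaviour the reply describes.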
_______________________________________________
Pacemaker mailing list: Pacemaker@oss.clusterlabs.org
http://oss.clusterlabs.org/mailman/listinfo/pacemaker

Project Home: http://www.clusterlabs.org
Getting started: http://www.clusterlabs.org/doc/Cluster_from_Scratch.pdf
Bugs: http://developerbugs.linux-foundation.org/enter_bug.cgi?product=Pacemaker