On 15 October 2010 09:47, Marcel Hauser <marcel_hau...@gmx.ch> wrote:
>> But that is no problem. Firewalling is no hard job any more. A reasonable
>> machine can firewall 1 GBit/s traffic.
>>
>
> Valid point. My only "concern" is/was that I don't like the idea of a
> passive firewall.... because when you need it to fail over (maybe after 2
> years :-) ).... you may just realize that it's somehow broken too.
> A monitor system should help you out on this.
>
> In an active-active like setup you basically know that both systems are
> actually working as expected.
>
>
>>> - how would you guys detect a firewall failure on any node (pingd ??)...
>>> and if a failure occurs... will the crm automatically unconfigure the
>>> cloned ip's on that node ?
>>>
>>
>> pingd to check the availability of the attached network. The cluster
>> resource manager takes care of the failover. See the "from the scratch" doc.
>>
>
> Yes, I've read that in the docs. But is this really common practice for
> firewall clusters? I don't want the firewall to fail over if I'm having
> "internal problems with internal hosts/pingable addresses"!?
>
> Otherwise I have to build an internal ping cluster ;-)
>

I have always believed that you should only trigger a failover when something that is needed to offer the service is not available (disk, a filesystem, a NIC etc).

Having said that, I believe a firewall, in order to be operational, needs access to common elements like disk/fs/nic and on top of that to uplink routers or to any routers that are part of its routing table. Furthermore, a firewall needs access to any layer 2 switch which gives it access to the attached LANs.

But deciding which element should be part of the "health system" has to do with the network design and whether layer 2 or layer 3 redundancy exists in your environment. If the layer 2 or layer 3 redundancy is not available, then it makes little sense to add them to your "health system", because in case of failure this element won't be accessible by the standby firewall as well.
> Why did you choose to run conntrackd and heartbeat over a dedicated bonding
> interface in your pdf, compared to the FW builder docs which say to run
> heartbeat over every interface of the firewall, which therefore might enable
> the cluster to detect network card failures... because the heartbeat is not
> received over a given failed interface anymore?
>
>
>> Rumors say that there is a good German book about clusters from O'Reilly. In
>> the examples chapter the author exactly describes the setup you mentioned. ;-)
>>
>
> :-).... I've seen that... but I hate reading books (no matter on what
> topic)... and my learning curve is much more efficient if I learn it myself
> :-)
>

I did a quick search and I couldn't find it; what is the name of the book?

> But thanks for the hint... anyway, I really appreciate your and any other help!
>
>
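As an added illustration of the "health system" design discussed above (a crm shell configuration example written for this thread, not taken from the original mails, from the FW builder docs or from the Clusters from Scratch document): the ping resource monitors only the uplink routers, so an unreachable internal host never moves the firewall, which is exactly the concern raised in the quoted mail. The router addresses 203.0.113.1/203.0.113.2 and the resource name g_firewall are assumed placeholders.

```crm
# Added example, not from the thread. Assumed placeholders:
#   203.0.113.1 / 203.0.113.2 - the two uplink routers
#   g_firewall                - the firewall resource group (or cloned IP resource)
# Every node pings only the uplink routers; internal hosts are deliberately
# left out of host_list so their outages cannot trigger a failover.
primitive p_ping_uplink ocf:pacemaker:ping \
    params host_list="203.0.113.1 203.0.113.2" multiplier="100" dampen="5s" \
    op monitor interval="10s" timeout="60s"

# Clone it so each node maintains its own "pingd" node attribute.
clone cl_ping_uplink p_ping_uplink meta globally-unique="false"

# pingd = multiplier * number of reachable hosts. The score becomes -inf only
# when no uplink router answers (or the attribute was never set), so a total
# loss of upstream connectivity is the sole network condition that forces
# the firewall resources off this node.
location l_firewall_needs_uplink g_firewall \
    rule -inf: not_defined pingd or pingd lte 0
```

Load it with `crm configure load update <file>` and check `crm_mon -A` to see the per-node pingd values. `dampen="5s"` delays attribute updates so a single dropped ping does not cause flapping. With two routers and multiplier 100, losing one router still leaves pingd at 100, so the rule above tolerates a single router outage; to require both routers, change `pingd lte 0` to `pingd lt 200`. Which is right depends on whether the upstream side has its own layer 2/3 redundancy, as the reply points out: if a router is single-homed, its loss would be invisible to the standby node too, and moving the firewall gains nothing.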
_______________________________________________
Pacemaker mailing list: Pacemaker@oss.clusterlabs.org
http://oss.clusterlabs.org/mailman/listinfo/pacemaker

Project Home: http://www.clusterlabs.org
Getting started: http://www.clusterlabs.org/doc/Cluster_from_Scratch.pdf
Bugs: http://developerbugs.linux-foundation.org/enter_bug.cgi?product=Pacemaker