--On Monday, February 13, 2012 11:21:14 AM +0200 Karlis Kisis <karlis.ki...@gmail.com> wrote:
> In most cluster tutorials, for simplicity, iptables is turned off.
> Funny thing is that iptables is what I want to configure in HA cluster
> (as redundant firewalls).

I debated about answering this off-list, since it might be considered inflammatory, but in the spirit of using the right tool for the right job I'll post it anyway. Flames to /dev/null.

If you're planning on having *just* a redundant firewall on those machines, and your other network services are on different machines anyway, your configuration would be a lot simpler and (IMO) more robust using an alternate technology. In particular, I'd suggest running a pair of OpenBSD machines as a clustered firewall using carp and pfsync.

I often deploy these in pairs as gateway routers, and in particular I have a few which are in front of pacemaker clusters. I regularly exercise failover on the firewalls and the cutover time is (qualitatively) faster than pacemaker, the configuration is very clean, and as you would expect the cutover is absolutely transparent to traffic traversing the firewalls (no session stutter with either interactive protocols like ssh, or with low-latency high-bandwidth multimedia applications, etc).

Don't get me wrong; I really like pacemaker, I just wouldn't use it for a firewall if I didn't have to. If your organization doesn't have a problem with using more than one operating system in their environment, I'd strongly suggest it.

However, this being a pacemaker list, I'd suggest any clarifying questions be asked on the 'misc' OpenBSD mailing list after reading <http://www.countersiege.com/doc/pfsync-carp/> and <http://www.openbsd.org/faq/faq6.html#CARP>.

Devin

_______________________________________________
Pacemaker mailing list: Pacemaker@oss.clusterlabs.org
http://oss.clusterlabs.org/mailman/listinfo/pacemaker
Project Home: http://www.clusterlabs.org
Getting started: http://www.clusterlabs.org/doc/Cluster_from_Scratch.pdf
Bugs: http://bugs.clusterlabs.org
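For readers who have not seen a carp/pfsync pair before, the following is an added configuration example illustrating the setup Devin describes; it is not part of his message and not taken from the linked documents. The interface names (em0 external, em1 internal, em2 dedicated sync link), the addresses in 192.0.2.0/24 and 198.51.100.0/24, the vhid values and the carp password are all assumed placeholders. The two firewalls run identical files apart from the per-node addresses and the `advskew` value, which is what makes one node the preferred master.

```conf
# /etc/hostname.em0  -- physical external interface (assumed name, example address)
inet 198.51.100.2 255.255.255.0

# /etc/hostname.carp0  -- shared external address, announced by whichever node is master
# Same vhid and pass on both nodes; advskew 0 on the preferred master, 100 on the backup.
inet 198.51.100.1 255.255.255.0 198.51.100.255 vhid 1 carpdev em0 pass examplepass advskew 0

# /etc/hostname.em1  -- physical internal interface
inet 192.0.2.2 255.255.255.0

# /etc/hostname.carp1  -- shared internal gateway address used by the LAN hosts
inet 192.0.2.1 255.255.255.0 192.0.2.255 vhid 2 carpdev em1 pass examplepass advskew 0

# /etc/hostname.em2  -- dedicated state-sync link (crossover cable between the two nodes)
inet 10.0.0.1 255.255.255.0

# /etc/hostname.pfsync0  -- replicate the pf state table over the dedicated link
up syncdev em2

# /etc/sysctl.conf  -- route between interfaces; preempt lets one node take over
# every carp group at once when any of its links goes down.
net.inet.ip.forwarding=1
net.inet.carp.preempt=1

# /etc/pf.conf  -- the rules carp and pfsync themselves need; "no-sync" keeps
# these local states out of the replicated table.
ext_if = "em0"
int_if = "em1"
sync_if = "em2"

pass quick on $sync_if proto pfsync keep state (no-sync)
pass on { $ext_if $int_if } proto carp keep state (no-sync)
```

On the backup node the only changes are the per-node addresses on em0, em1 and em2 and `advskew 100` on both carp interfaces. One caveat a practitioner should keep in mind: pfsync traffic carries the whole state table in cleartext with no authentication, so the sync interface should be a dedicated, physically private link as shown here rather than a shared production segment.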