Thank you thank you thank you :)
> Date: Wed, 15 Feb 2012 13:33:35 -0700
> From: Devin Reade <g...@gno.org>
> To: pacemaker@oss.clusterlabs.org
> Subject: Re: [Pacemaker] iptables cluster
> Message-ID: <180d2fd0e014d9f01336b...@radelix.gno.org>
> Content-Type: text/plain; charset=us-ascii
>
> --On Monday, February 13, 2012 11:21:14 AM +0200 Karlis Kisis
> <karlis.ki...@gmail.com> wrote:
>
>> In most cluster tutorials, for simplicity, iptables is turned off.
>> Funny thing is that iptables is what I want to configure in HA cluster
>> (as redundant firewalls).
>
> I debated about answering this off-list, since it might be considered
> inflammatory, but in the spirit of using the right tool for the
> right job I'll post it anyway. Flames to /dev/null.
>
> If you're planning on having *just* a redundant firewall on those
> machines, and your other network services are on different machines
> anyway, your configuration would be a lot simpler and (IMO) more
> robust using an alternate technology.
>
> In particular, I'd suggest running a pair of OpenBSD machines as a
> clustered firewall using carp and pfsync. I often deploy these in pairs
> as gateway routers, and in particular I have a few which are in front
> of pacemaker clusters. I regularly exercise failover on the firewalls
> and the cutover time is (qualitatively) faster than pacemaker, the
> configuration is very clean, and as you would expect the cutover is
> absolutely transparent to traffic traversing the firewalls (no
> session stutter with either interactive protocols like ssh, or with
> low-latency high-bandwidth multimedia applications, etc).
>
> Don't get me wrong; I really like pacemaker, I just wouldn't use
> it for a firewall if I didn't have to.
>
> If your organization doesn't have a problem with using more than
> one operating system in their environment, I'd strongly suggest it.
>
> However, this being a pacemaker list, I'd suggest any clarifying
> questions be asked on the 'misc' OpenBSD mailing list after reading
> <http://www.countersiege.com/doc/pfsync-carp/> and
> <http://www.openbsd.org/faq/faq6.html#CARP>.
>
> Devin

*******************
_______________________________________________
Pacemaker mailing list: Pacemaker@oss.clusterlabs.org
http://oss.clusterlabs.org/mailman/listinfo/pacemaker

Project Home: http://www.clusterlabs.org
Getting started: http://www.clusterlabs.org/doc/Cluster_from_Scratch.pdf
Bugs: http://bugs.clusterlabs.org