[ale] High Availability Linux firewall solution?

Jeff Hubbs Jhubbs at niit.com
Tue Aug 7 18:09:40 EDT 2001


My issue here is that your good/broken determination mechanism might not
catch certain failure modes.  Might the serial cable idea  make that more
likely?  It wouldn't catch a broken NIC as readily, for instance.  Going
back to the third-NIC idea, could you have your slave ping the "red" and
"black" NICs on the master, i.e., slave's third NIC uses master's third NIC
as a gateway?

- Jeff

> -----Original Message-----
> From: Michael Gregoire [mailto:gregoire at cimedia.com]
> Sent: Tuesday, August 07, 2001 4:39 PM
> To: ale at ale.org
> Subject: Re: [ale] High Availability Linux firewall solution?
> 
> 
> Ned Williams writes:
>  > Darrell Golliher wrote:
>  > 
>  > >   I'm familiar with Linux firewalls from home use, but would like to
>  > > learn more about setting up a pair of them with automatic failover.
>  > >
>  > >   Are any of you running HA Linux firewalls and if so can you share
>  > > your experience and perhaps recommend specific documentation?
>  > >
>  > >   Basically, I'm suffering from sticker shock on upgrading checkpoint
>  > > to do HA and am exploring Linux as an alternative.  I want very much
>  > > though to avoid having a single point of failure.
>  > >
>  > >   Any information welcome. :)
>  > >
>  > > tia,
>  > > Darrell Golliher
>  > > --
>  > > To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message
>  > > body.
>  > 
>  > Darrell,
>  > 
>  > Normally I would recommend a Foundry Server Iron to handle the load balancing for
>  > an HA environment but since you're worried about cost then perhaps straight failover
>  > is better suited for you. Perhaps you should set your firewalls up using the old
>  > Vinca model.
>  > 
>  > Add a 3rd interface to each one, attach a Xover cable between the third
>  > interface on each and set up crons on the slave designated server to ping the
>  > Primary, if the primary fails, issue scripts to change the IP address of the
>  > slave server's primary and secondary interfaces to those of the primary then via a
>  > ssh'd command over the third interface change the IPs of the original primary to
>  > slave's original IPs.
>  > 
>  > Ned
>  > 
> 
> 
> Couldn't you use the serial ports instead of third nic?  null modem cable,
> with a ppp connection doing keepalive pings?
> 
> 
> Mike
> 
> 
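
The failure cases raised in this thread (a dead heartbeat link versus a dead "red" or "black" NIC on the master) can be told apart by having the slave probe all three of the master's addresses. The sketch below is an added example, not code from any poster; the addresses, the `probe` helper, the threshold, and the assumption that the slave reaches each master address over its own matching interface are all illustrative.

```shell
#!/bin/sh
# Added example: slave-side health check for a two-node firewall pair.
# Addresses are constructed placeholders, not values from the thread.
MASTER_HB=${MASTER_HB:-10.255.0.1}      # master's third (crossover) NIC
MASTER_RED=${MASTER_RED:-192.0.2.1}     # master's "red" NIC
MASTER_BLACK=${MASTER_BLACK:-10.0.0.1}  # master's "black" NIC
THRESHOLD=${THRESHOLD:-3}               # consecutive faulty rounds before takeover

# probe ADDR: true if ADDR answers one ping within 1 s (Linux iputils ping).
probe() { ping -c 1 -W 1 "$1" >/dev/null 2>&1; }

# classify: print a verdict for one round of probes.
#   healthy        all three addresses answer
#   hb_link_down   only the heartbeat link is silent; master still passes traffic
#   service_fault  red or black is silent; master cannot pass traffic
classify() {
    hb=1; red=1; black=1
    probe "$MASTER_HB" || hb=0
    probe "$MASTER_RED" || red=0
    probe "$MASTER_BLACK" || black=0
    if [ "$red" -eq 1 ] && [ "$black" -eq 1 ]; then
        if [ "$hb" -eq 1 ]; then echo healthy; else echo hb_link_down; fi
    else
        echo service_fault
    fi
}

# next_count PREV VERDICT: consecutive-fault counter; any other verdict resets it.
next_count() {
    if [ "$2" = service_fault ]; then echo $(( $1 + 1 )); else echo 0; fi
}

# should_take_over COUNT: true once THRESHOLD consecutive faulty rounds are seen.
should_take_over() { [ "$1" -ge "$THRESHOLD" ]; }

# monitor: loop until takeover is warranted. The address swap itself is left to
# the site's own script (hypothetical, not shown here).
monitor() {
    count=0
    while :; do
        verdict=$(classify)
        count=$(next_count "$count" "$verdict")
        if should_take_over "$count"; then
            echo "master faulty for $count rounds: run takeover script" >&2
            return 0
        fi
        sleep 5
    done
}
```

A silent red or black probe can also mean the slave's own NIC or switch port has failed, so comparing against a probe of an independent host before taking over avoids both nodes claiming the same addresses.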






