[ale] High Availability Linux firewall solution?

Ned Williams nwilliams at interland.net
Tue Aug 7 18:12:56 EDT 2001


Jeff Hubbs wrote:

> My issue here is that your good/broken determination mechanism might not
> catch certain failure modes.  Might the serial cable idea  make that more
> likely?  It wouldn't catch a broken NIC as readily, for instance.  Going
> back to the third-NIC idea, could you have your slave ping the "red" and
> "black" NICs on the master, i.e., slave's third NIC uses master's third NIC
> as a gateway?
>
> - Jeff
>
> > -----Original Message-----
> > From: Michael Gregoire [mailto:gregoire at cimedia.com]
> > Sent: Tuesday, August 07, 2001 4:39 PM
> > To: ale at ale.org
> > Subject: Re: [ale] High Availability Linux firewall solution?
> >
> >
> > Ned Williams writes:
> >  > Darrell Golliher wrote:
> >  >
> >  > >   I'm familiar with Linux firewalls from home use, but would like to
> >  > > learn more about setting up a pair of them with automatic failover.
> >  > >
> >  > >   Are any of you running HA linux firewalls and if so can you share
> >  > > your experience and perhaps recommend specific documentation?
> >  > >
> >  > >   Basically, I'm suffering from sticker shock on upgrading checkpoint
> >  > > to do HA and am exploring Linux as an alternative.  I want very much
> >  > > though to avoid having a single point of failure.
> >  > >
> >  > >   Any information welcome. :)
> >  > >
> >  > > tia,
> >  > > Darrell Golliher
> >  > > --
> >  > > To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message
> >  > > body.
> >  >
> >  > Darrell,
> >  >
> >  > Normally I would recommend a Foundry Server Iron to handle the load balancing for
> >  > an HA environment, but since you're worried about cost then perhaps straight failover
> >  > is better suited for you. Perhaps you should set your firewalls up using the old
> >  > Vinca model.
> >  >
> >  > Add a 3rd interface to each one, attach a Xover cable between the third
> >  > interface on each and set up crons on the slave designated server to ping the
> >  > primary. If the primary fails, issue scripts to change the IP address of the
> >  > slave server's primary and secondary interfaces to those of the primary, then via an
> >  > ssh'd command over the third interface change the IPs of the original primary to
> >  > the slave's original IPs.
> >  >
> >  > Ned
> >  >
> >
> >
> > Couldn't you use the serial ports instead of a third NIC?  Null modem cable,
> > with a PPP connection doing keepalive pings?
> >
> >
> > Mike
> >
>

Of course it could; it's all just a matter of proper route statements.
This is exactly how Netware does their HA failover solutions.

Ned
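
The health check debated in this thread, sketched as an added example that is not code from any of the posters: a cron-driven script on the slave that probes the primary's heartbeat, "red" and "black" addresses and only recommends takeover after several consecutive bad runs. The addresses, the interface names eth0/eth1/eth2, the threshold and the state file path are assumptions, as is the choice to have the slave ping the red and black addresses from its own red and black interfaces.

```shell
#!/bin/sh
# Added example: slave-side check, meant to be run from cron on the standby firewall.
# All addresses, interface names and the threshold are constructed placeholders.
HB_PEER=${HB_PEER:-192.0.2.1}         # primary's third (heartbeat) NIC
RED_PEER=${RED_PEER:-198.51.100.1}    # primary's "red" NIC
BLACK_PEER=${BLACK_PEER:-203.0.113.1} # primary's "black" NIC
THRESHOLD=${THRESHOLD:-3}             # consecutive bad runs before takeover
STATE=${STATE:-/var/run/fw-failover.count}

# probe IFACE ADDR -> "up" or "down" (Linux iputils ping: one packet, 1 s timeout)
probe() { ping -c 1 -W 1 -I "$1" "$2" >/dev/null 2>&1 && echo up || echo down; }

# classify HB RED BLACK -> verdict
classify() {
    case "$1/$2/$3" in
        up/up/up)       echo healthy ;;
        down/down/down) echo primary-down ;;
        up/*)           echo partial-fault ;; # traffic NIC down: a heartbeat-only check misses this
        *)              echo ambiguous ;;     # heartbeat lost but primary still answers elsewhere
    esac
}

# next_count VERDICT PREV -> consecutive failures that justify a takeover
next_count() {
    case "$1" in
        primary-down|partial-fault) echo $(( $2 + 1 )) ;;
        *)                          echo 0 ;;
    esac
}

# decide VERDICT COUNT -> takeover | alert | wait | none
decide() {
    if [ "$1" = healthy ]; then echo none
    elif [ "$1" = ambiguous ]; then echo alert   # never take over: both boxes could hold the same IPs
    elif [ "$2" -ge "$THRESHOLD" ]; then echo takeover
    else echo wait
    fi
}

run_check() {
    v=$(classify "$(probe eth2 "$HB_PEER")" "$(probe eth0 "$RED_PEER")" "$(probe eth1 "$BLACK_PEER")")
    n=$(next_count "$v" "$(cat "$STATE" 2>/dev/null || echo 0)")
    echo "$n" > "$STATE"
    echo "$v $(decide "$v" "$n")"   # the site's IP-swap scripts act on "takeover"
}

if [ "${1:-}" = run ]; then run_check; fi
```

Invoked from cron with the argument `run`, it prints the verdict and the recommended action; the IP reassignment itself stays in the site's own scripts.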
