[ale] Linux certification guide

Transam@cavu.com transam at cavu.com
Wed Aug 8 03:24:58 EDT 2001


> From: "Michael Gregoire <Michael Gregoire" <gregoire at cimedia.com>
> Date: Tue, 7 Aug 2001 15:38:35 -0500
> To: ale at ale.org
> Subject: Re: [ale] High Availability Linux firewall solution?
> References: <20010807143006.A5454 at golliher.net>
> 	<3B70383E.DF7A5BEA at interland.net>

> Ned Williams writes:
> > Darrell Golliher wrote:

> > >   I'm familiar with Linux firewalls from home use, but would like to
> > > learn more about setting up a pair of them with automatic failover.
> > >
> > >   Are any of you running HA linux firewalls and if so can you share
> > > your experience and perhaps recommend specific documentation?
> > >
> > >   Basically, I'm suffering from sticker shock on upgrading checkpoint
> > > to do HA and am exploring Linux as an alternative.  I want very much
> > > though to avoid having a single point of failure.
> > >
> > >   Any information welcome. :)

I'm building two of these for a client in Europe (with a VPN between them)
and likely will be building several for a different client.  If you do not
have experience doing this, it is non-trivial to properly handle all of
the likely failure modes.  Specifically, if connectivity is lost, has
the primary failed or has an interface on the secondary failed, for one?

> > > tia,
> > > Darrell Golliher

> > Darrell,

> > Normally I would recommend a Foundry Server Iron to handle the load
> > balancing for an HA environment but since you're worried about cost then
> > perhaps straight failover is better suited for you. Perhaps you should
> > set your firewalls up using the old Vinca model.

> > add a 3rd interface to each one, attach a Xover cable between the third
> > interface on each and set up crons on the slave designated server to ping
> > the Primary, if the primary fails, issue scripts to change the ip address
> > of the slave server's primary and secondary interfaces to those of the
> > primary then via a ssh'd command over the third interface change the ips
> > of the original primary to slave's original ips.

> > Ned

> Couldn't you use the serial ports instead of a third NIC?  null modem cable,
> with a ppp connection doing keepalive pings?

Yes, this would work well.  In Digital's (a division of Compaq now)
Unix implementation, the backup communications method was via SCSI instead
of serial but any method will work.  The reason for at least two ways
(and preferably three) for the two systems to communicate is to avoid the
secondary thinking that the primary is down if the secondary's only
interface card has failed.

> Mike

Bob Toxen
transam at cavu.com                       [Bob's ALE Bulk email]
bob at cavu.com                           [Please use for email to me]
http://www.cavu.com
http://www.realworldlinuxsecurity.com/ [My 5* book:"Real World Linux Security"]
http://www.cavu.com/sunset.html        [Sunset Computer]
Fly-By-Day Consulting, Inc.      "Don't go with a fly-by-night outfit!"
Quality Linux & UNIX security and SysAdmin & software consulting since 1990.
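An added example, not code from this thread, of the decision logic Bob's point implies: the slave heartbeats the primary over several independent paths (crossover NIC, null-modem PPP link, shared LAN, as discussed above) and only takes over when the primary is silent on at least two paths whose local ends are themselves healthy. The interface names, peer addresses and Linux `ip`/`ping` options are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): failover decision for a two-node
# firewall pair that heartbeats the primary over several independent
# paths.  Interface names and peer addresses are assumed for illustration.

# probe_path IFACE PEER_ADDR -> prints "link:peer" for one path, where
# link is the state of our own interface and peer is whether the primary
# answered a ping over it.  Assumes Linux iproute2 and iputils ping.
probe_path() {
    iface="$1"; peer="$2"
    link=down; alive=down
    if ip link show "$iface" 2>/dev/null | grep -q 'state UP'; then
        link=up
        # one packet, one second timeout: this runs from cron every few seconds
        ping -c 1 -W 1 "$peer" >/dev/null 2>&1 && alive=up
    fi
    echo "$link:$alive"
}

# decide_failover PATH... where each PATH is "link:peer" as above.
# Prints: stay     - primary answered on at least one healthy path
#         isolated - fewer than 2 of our own links work, so silence from
#                    the primary proves nothing (the case Bob describes:
#                    the secondary's own interface card has failed)
#         takeover - primary silent on two or more healthy paths
decide_failover() {
    usable=0; alive=0
    for path in "$@"; do
        link=${path%%:*}; peer=${path#*:}
        [ "$link" = up ] || continue      # dead local link: no evidence either way
        usable=$((usable + 1))
        [ "$peer" = up ] && alive=$((alive + 1))
    done
    if [ "$alive" -gt 0 ]; then echo stay
    elif [ "$usable" -lt 2 ]; then echo isolated
    else echo takeover
    fi
}

# From cron on the slave it would be called on live probes, e.g.:
#   decide_failover "$(probe_path eth2 10.0.0.1)" "$(probe_path ppp0 10.0.1.1)" \
#                   "$(probe_path eth0 192.168.1.1)"
# Demonstration with constructed path states (no network needed):
echo "all paths good:     $(decide_failover up:up up:up up:up)"
echo "primary dead:       $(decide_failover up:down up:down up:down)"
echo "our own NICs dead:  $(decide_failover down:down down:down up:down)"
```

The takeover branch is where the address-swap scripts from the Vinca model above would be run; the isolated branch should alarm rather than act.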