LinuxQuestions.org

Linux - Server: High availability firewall on Debian Etch? (https://www.linuxquestions.org/questions/linux-server-73/high-availabiliy-firewall-on-debian-etch-742899/)

redvivi 07-26-2009 09:35 AM

High availability firewall on Debian Etch?
 
Hello,

I have an Active/Passive cluster running on Debian Etch; the two machines provide an Internet connection to a LAN, and I would like to do a transparent failover, i.e. no interruption of the active connections after a failover. Is it possible to do this on Debian?

Regards,
Vianney

kirukan 07-26-2009 11:28 AM

Quote:

no interruption of all the active connections after a failover
What do you mean by Active/Passive cluster? Does this not mean that when the active one goes down, the passive one will become active?

EricTRA 07-26-2009 11:40 AM

Hi,

If you have the cluster set up in an active/passive configuration, then you will always lose connectivity for a few seconds, but most likely the users will never notice it. Depending on the software you use for High Availability you can configure an active/active configuration, and that way connections will always find their way out. In my opinion there is no active/passive configuration that will offer a completely transparent solution.

Kind regards,

Eric

redvivi 07-26-2009 01:31 PM

Active/Passive cluster: one server serves all the requests and the other one is waiting for the first server to fail.

The problem is that the connections are reset if the primary server fails. Is it possible to transfer the firewall state table to the passive server in case of failover?

EricTRA 07-26-2009 01:34 PM

What firewall are you running? And how is it configured? Where does it save its state table? To local file, MySQL, ...

Kind regards,

Eric

redvivi 07-26-2009 01:41 PM

I just use iptables with a set of custom rules. By firewall state file I mean all the active connections, the current routing table, ipconntrack tracked connections and so on...

kirukan 07-26-2009 01:43 PM

Check out Linux high availability Heartbeat and DRBD for this. I think you can add the same iptables rules on both machines, and DRBD will help you to build a distributed storage system.

redvivi 07-26-2009 01:45 PM

DRBD and Heartbeat are already installed on this cluster, but I didn't find any clue about an HA firewall on Debian.

salasi 07-26-2009 03:41 PM

I am afraid that I don't know anything about HA, but I can foresee a problem.

If your firewall can effectively be stateless, it seems to me that there shouldn't be a big problem. If it is stateful, I can't really see how to transfer the state part.

You are probably using ipconntrack to do stuff that this configuration makes it difficult to transfer.

I can see how you might transfer things like the counters*, if you use those, up to a point, but whether a connection is, e.g., established or related, in a straightforward way, I don't know. So, if you can write a useful ruleset that isn't dependent on those features, that would probably be a big step forwards.

Is firewalling all this box does? That seems a bit unlikely, unless you have a very high level of traffic. So, you could consider separating the firewalling function from whatever else the box does.

You could consider running the firewall in a VM and transferring the VM over wholesale, but that probably won't work once the first box has gone down; if it was a case of something like the disk subsystem going down, you might be able to do something about that. But I'm sure that you really want more out of HA than that.

Maybe there is the possibility of just ignoring the problem... some connections will be lost and have to be re-made, but is this such a big problem? It doesn't sound 'high availability', but for the conditions in which re-establishing connections happens automatically, is this a deal-breaker?

So, while I can see some options, my guess is that you won't like them. The more I think about this, the more I think that either running the firewall somewhere else, or doing firewalling in two phases with the stateless phase on the cluster and the stateful phase elsewhere, is beginning to look attractive.

Sorry, maybe someone with actual cluster experience can help with some magic trick.

* When I think a bit more about it, I am not even sure that counters can be transferred reliably.
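The "two-phase" idea above (a ruleset on the cluster that does not depend on connection tracking, so a failover loses nothing) can be made concrete. The following is an added example, not code from the thread or from any poster: a POSIX shell script that emits two iptables-restore rulesets for a LAN-to-Internet forwarding firewall, one stateless and one conventional stateful, plus a check that tells you whether a ruleset references a conntrack match at all. Interface names and the LAN network are assumptions (constructed sample values); the script only prints rules and never touches the kernel, so it runs without root.

```shell
#!/bin/sh
# Added example, not from the original thread. Emits iptables-restore text for a
# forwarding firewall in two flavours. Interface names and LAN_NET are assumed
# sample values; override them in the environment if you want to adapt it.
LAN_IF=${LAN_IF:-eth1}               # assumption: LAN-facing interface
WAN_IF=${WAN_IF:-eth0}               # assumption: Internet-facing interface
LAN_NET=${LAN_NET:-192.168.1.0/24}   # constructed sample LAN network

# Stateless profile: every decision is made per packet from headers alone, so
# the passive node can take over without any table to synchronise. The cost is
# weaker filtering: "TCP without SYN" is accepted as a reply even if no
# connection exists, so anything that must stay closed needs an explicit DROP
# placed before the reply rules.
stateless_rules() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# outbound from the LAN: allowed outright, no state consulted
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
# inbound "replies": TCP segments that are not a bare SYN, UDP, ICMP echo-reply
-A FORWARD -i $WAN_IF -o $LAN_IF -d $LAN_NET -p tcp ! --syn -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -d $LAN_NET -p udp -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -d $LAN_NET -p icmp --icmp-type echo-reply -j ACCEPT
COMMIT
EOF
}

# Stateful profile: the usual ESTABLISHED,RELATED rule. Tighter, but the
# ESTABLISHED verdict lives in the conntrack table of the node that saw the SYN,
# which is exactly what is lost when that node fails.
stateful_rules() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Returns 0 (true) when the ruleset given as $1 uses a connection-tracking
# match, i.e. it would need state replication to survive a failover.
needs_conntrack() {
  printf '%s\n' "$1" | grep -Eq -- '-m (state|conntrack)'
}

# Number of FORWARD rules in the ruleset given as $1; handy for sanity checks.
forward_rule_count() {
  printf '%s\n' "$1" | grep -c '^-A FORWARD'
}

# Usage: sh this.sh stateless > rules.v4 ; then review and feed to iptables-restore
case "${1:-}" in
  stateless) stateless_rules ;;
  stateful)  stateful_rules ;;
esac
```

One caveat a practitioner will hit immediately: if this box also masquerades the LAN (the nat table), NAT itself is implemented on top of conntrack, so the stateless filter profile does not remove the dependency on the state table; it only removes it from the filter rules. That is part of why the thread's "stateless phase on the cluster, stateful phase elsewhere" split is attractive.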
