Weblog entry #9 for lters

Debian Firewalls and Redundancy
Posted by lters on Thu 21 Jun 2007 at 14:26
Tags: none.
For years I have used iptables on Debian as a firewalling/network protecting tool.

However, recently I have been needing better redundancy, i.e. multiple hardware boxes.

But I have the perhaps common problem of how to handle redundancy.
Ideally of course, there is only one gateway ip on each vlan/realm etc.
When asking my peers what is the best solution, the only solution seems to be to use a bsd* variant with carp tools.

This is likely a very good idea, however, I don't know the bsd lingos.

So, do we need to learn openbsd commands to get real network/firewall redundancy or are there stable working solutions that you find with Debian/linux?

What solutions or routes do you take or suggest for redundant firewalling and ease of use without a complicated mess of addresses and routes?


Comments on this Entry

Posted by mvanbaak (213.154.xx.xx) on Thu 21 Jun 2007 at 14:40
We do all our hosting etc with Debian.
Recently we upgraded our complete platform to new hardware and Debian etch.

The same questions about redundancy for firewalling/routing were bugging us and after a lot of research and testing we decided to go with OpenBSD for our firewalls and load balancers. I have to say it's working wonderfully and the learning curve was not too bad. This OS really knows how to make manpages and online documentation.

My advice: go the OpenBSD route.


Posted by lters (69.176.xx.xx) on Thu 21 Jun 2007 at 16:13
What packages do you recommend?

Any openbsd getting started documents that you would recommend?


Posted by mvanbaak (82.95.xx.xx) on Thu 21 Jun 2007 at 22:45
<advertisement>
http://michiel.vanbaak.info/page/soekrisobsdcarp.htm
</advertisement>

or for a real book:
http://www.amazon.com/Building-Firewalls-OpenBSD-PF-2nd/dp/8391665119

Really helpful online FAQ: http://www.openbsd.org/faq/pf/index.html

once you are running OpenBSD try:
man pfctl
man pf.conf

The FTP site and the CDs have a very good installation howto. I especially love the booklet in the CD. It's very helpful when you are setting up OpenBSD for the first time. All you have to do is adjust the partition sizes to meet your HD and that's it. That's how I learnt it.

Packages we use in our redundant load-balancing setup:
hoststated ifstated dnsmasq
dnsmasq is installed using packages, hoststated and ifstated are in base install.


Posted by Anonymous (213.199.xx.xx) on Thu 21 Jun 2007 at 17:31
Though OpenBSD is a wonderful OS to build a redundant firewall on, if you would rather remain on the Debian way you could try ucarp, keepalived or vrrpd in combination with conntrackd.

Hope it helps.

P.S. Sorry for my bad English. :-)

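The ucarp/keepalived plus conntrackd combination suggested above hinges on one small piece of glue: a notify script that, on every MASTER/BACKUP/FAULT transition of the gateway address, tells conntrackd to push or pull the connection-tracking table so established sessions survive a failover. The script below is an added example (not from this thread, not from the conntrack-tools or keepalived projects) of such a hook. It assumes conntrackd is installed at /usr/sbin/conntrackd with its config in /etc/conntrackd/conntrackd.conf, a keepalived `vrrp_instance` configured with `notify /usr/local/sbin/fw-failover.sh`, and, for ucarp, `--upscript`/`--downscript` wrappers that call it as `fw-failover.sh ucarp up <iface>`; the file path fw-failover.sh and the `ucarp` argument convention are hypothetical. The conntrackd flags it runs (-c commit, -f flush caches, -R resync with the kernel table, -B bulk send, -t reset timers, -n request resync) are the real conntrackd options.

```shell
#!/bin/sh
# fw-failover.sh: hypothetical notify hook for keepalived or ucarp that drives
# conntrackd on a firewall state change. Added example, not from the thread.
#
# Call conventions this script understands:
#   keepalived notify:  $1=INSTANCE|GROUP  $2=name  $3=MASTER|BACKUP|FAULT  $4=priority
#   ucarp wrapper:      $1=ucarp  $2=up|down  $3=interface   (assumed convention)

CONNTRACKD_BIN=${CONNTRACKD_BIN:-/usr/sbin/conntrackd}
CONNTRACKD_CONFIG=${CONNTRACKD_CONFIG:-/etc/conntrackd/conntrackd.conf}
DRY_RUN=${DRY_RUN:-0}   # DRY_RUN=1 prints the commands instead of running them

# Map whatever the caller gives us onto the three states conntrackd cares about.
normalise_state() {
  case "$1" in
    MASTER|master|up)    echo MASTER ;;
    BACKUP|backup|down)  echo BACKUP ;;
    FAULT|fault)         echo FAULT ;;
    *) return 1 ;;
  esac
}

# conntrackd invocations, in order, for a given state.
#   MASTER: commit the external cache into the kernel table, flush the caches,
#           resync the internal cache from the kernel and bulk-send it to the peer.
#   BACKUP: shorten the timers of stale kernel entries and ask the new master
#           for a full resync.
#   FAULT:  only expire stale entries; we are not a usable peer right now.
plan_for_state() {
  case "$1" in
    MASTER) echo "-c -f -R -B" ;;
    BACKUP) echo "-t -n" ;;
    FAULT)  echo "-t" ;;
    *) return 1 ;;
  esac
}

# Execute (or, in DRY_RUN, print) the plan for a raw state string.
run_plan() {
  state=$(normalise_state "$1") || { echo "fw-failover: unknown state '$1'" >&2; return 1; }
  for flag in $(plan_for_state "$state"); do
    if [ "$DRY_RUN" = 1 ]; then
      echo "$CONNTRACKD_BIN -C $CONNTRACKD_CONFIG $flag"
    else
      "$CONNTRACKD_BIN" -C "$CONNTRACKD_CONFIG" "$flag" \
        || logger -t fw-failover "conntrackd $flag failed during $state transition"
    fi
  done
  [ "$DRY_RUN" = 1 ] || logger -t fw-failover "handled transition to $state"
}

# Entry point: keepalived supplies the state as $3; the ucarp wrapper as $2.
if [ "${1:-}" = ucarp ] && [ -n "${2:-}" ]; then
  run_plan "$2"
elif [ $# -ge 3 ]; then
  run_plan "$3"
fi
```

Run it once by hand with `DRY_RUN=1 ./fw-failover.sh INSTANCE gw 'MASTER' 100` before wiring it into keepalived: the printed commands are exactly what will be executed on the next failover, which is the moment you least want to discover a typo in the config path.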

Posted by Anonymous (84.45.xx.xx) on Thu 21 Jun 2007 at 20:48
Hmm, and there is a lot to be said for simplicity.

Our firewall had its disk die, and it carried on working fine till I saw the errors on the console and logged in - seems that login had a local log file (everything firewall related only went over the network to the log host).

Depends what acceptable failure rates are - but I wouldn't expect to do better in terms of uptime with a redundancy technology you aren't familiar with, than with a regular Linux box with flash instead of a disk drive. Basically down to waiting for the CPU fan to fail....

Our firewall "20:42:15 up 116 days" -- seems there has been no downtime since the UPS failed.

Sure there are circumstances where you really need better availability, and it can be done, but don't underestimate the difficulty. I've seen sites with prolonged downtime, debugging the mysteries of high availability systems, when a hot standby would have been cheaper, and caused less downtime.


Posted by lters (12.162.xx.xx) on Fri 22 Jun 2007 at 00:15
I completely agree with this.
And I appreciate you pointing this out.
What is a mystery to me is why Debian/Linux is so far behind the BSDs in this type of application.

I looked at ucarp and it seems to not even have a related mailing list, and barely any information included.


Posted by Anonymous (84.101.xx.xx) on Fri 22 Jun 2007 at 10:09
If you're looking for a well documented and easy to setup ucarp alternative, why don't you look at heartbeat?

As far as load balancing is concerned, you could also look at ldirectord.
