Weblog entry #356 for simonw
See all weblog entries made by simonw.
#356
Death of a firewall
Posted by simonw on Mon 28 Dec 2009 at 11:47
The disk drive overheated, the screen was full of I/O errors and a panic message, but the kernel carried on routing packets for another 2 hours before it succumbed. By which time I was in the computer room, and had built a replacement server just in case the disk drive was dead.
I need a job where I get paid extra for a call out at 03:30 over the holiday period, preferably in extra sleep.
I need a job where I get paid extra for a call out at 03:30 over the holiday period, preferably in extra sleep.
Comments on this Entry
Posted by Anonymous (83.240.xx.xx) on Sat 9 Jan 2010 at 09:07
What about heartbeat, just in case one firewall is dead alll will be moved to another. As it is firewall you can also take a look at openBSD+CARP+PF ( sorry debian ). But definetelly you need some failover solution.
[ Parent | Reply to this comment ]
I could do failover with Debian fine, but I'm not sure it would add resilience. Failover is complex, and the current firewall config is simple and reliable except for hardware failure.
If we had the money for that, I'd plump for hot standby or fixing the underlying cause of this hardware failure, which keeps the simplicity and would at worst result in 30 mins downtime every time a firewall fails.
Probably the best cheap improvement would be getting rid of the hard disk. USB Flash perhaps, although I don't have figures. Given it simply doesn't access the hard disk in routine usage I think flash would probably work perfectly here.
The previous firewall was a floppy boot, which the boss didn't like, even though there was a backup floppy in my desk for the event of floppy read error.
If we had the money for that, I'd plump for hot standby or fixing the underlying cause of this hardware failure, which keeps the simplicity and would at worst result in 30 mins downtime every time a firewall fails.
Probably the best cheap improvement would be getting rid of the hard disk. USB Flash perhaps, although I don't have figures. Given it simply doesn't access the hard disk in routine usage I think flash would probably work perfectly here.
The previous firewall was a floppy boot, which the boss didn't like, even though there was a backup floppy in my desk for the event of floppy read error.
[ Parent | Reply to this comment ]
Posted by Anonymous (83.240.xx.xx) on Tue 12 Jan 2010 at 15:06
For HW failure, nothig will help you, if it is dead, it is dead. But if you have failover ( I wrote about it in first post ), in case of hardware problem on one machine all will be moved to new one. It can happen that second machine has some HW problem at same time , but this option is very less probabe.
It depends on bussines you run, but investing in firewall is never waste of money, and if there is not some connection rate 10000/sec, very likely some used P--IV will be enough.
Good luck
It depends on bussines you run, but investing in firewall is never waste of money, and if there is not some connection rate 10000/sec, very likely some used P--IV will be enough.
Good luck
[ Parent | Reply to this comment ]