Chapter 8. Cluster configuration

Firewall Builder 4.0 introduced support for firewall clusters. Firewall Builder helps you create configuration for iptables, PF, or PIX rules and in some cases cluster configuration as well. The following state synchronization and failover protocols are supported at this time:

Table 8.1. Supported State Synchronization and Failover Software

OS State Synchronization Failover
Linux conntrackd vrrpd, heartbeat, keepalived, OpenAIS
OpenBSD/FreeBSD pfsync CARP
Cisco ASA (PIX) PIX state sync protocol PIX failover protocol
Cisco IOS Router None None

Firewall Builder automatically generates policy rules to permit packets of these protocols when it sees firewall cluster configured with one of them. You can use cluster object and its interfaces instead of the member firewall objects or their interfaces in policy and NAT rules and the program will substitute correct addresses when it generates iptables script or PF or PIX configuration.

Note

Cisco IOS router firewall objects can be used in a cluster, but Firewall Builder does not support a failover protocol for IOS router clusters, so no rules are automatically created for this type of cluster.

Detailed description of the Cluster object is provided in Section 5.2.3.

8.1. Linux cluster configuration with Firewall Builder

Detailed walk-through examples for different Linux, BSD and PIX cluster configurations can be found in Firewall Builder Cookbook chapter Section 14.4

High Availability (HA) configurations on Linux can be built using different software packages, such as vrrpd (VRRPD home page) or heartbeat (Linux-HA home page). Firewall Builder focuses on the firewall configuration and provides independent way of configuring iptables rules for Linux HA clusters and can be used with any HA software package, including home-grown scripts and packages that will appear in the future. At this time Firewall Builder does not generate configuration or command line for the HA software.

Like with all other supported firewall platforms, interface objects that belong to a cluster object serve to establish association between actual interfaces of the member firewalls. Cluster interface object should have the same name as corresponding member firewall interfaces. It should have Failover Group child object configured with interfaces of the member firewalls. You can create Failover Group object using context menu item "Add Failover Group", the menu appears when you right mouse click on the cluster interface object. If you create new cluster using "New object" menu or toolbar button, the wizard that creates new cluster object will create Failober Group objects automatically. Here is how it should look like:

Figure 8.1. Failover group objects and mapping between cluster and member interfaces

Failover group objects and mapping between cluster and member interfaces


Note that the name of the cluster interface should match the name of the member interfaces exactly, even if it may appear that HA software running on the firewall creates new interface such as eth0:0. Heartbeat daemon creates what looks like interface "eth0:0" when it becomes active and assumes virtual ip address. The "eth0:0" is in fact a label on the secondary ip address on the interface "eth0" which you can see if you use command "ip addr show dev eth0". Here is an example of the output of this command taken on the firewall running heartbeat that was active at the moment:

# ip addr show dev eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 00:0c:29:1e:dc:aa brd ff:ff:ff:ff:ff:ff
    inet 10.3.14.108/24 brd 10.3.14.255 scope global eth0
    inet 10.3.14.150/24 brd 10.3.14.255 scope global secondary eth0:0
    inet6 fe80::20c:29ff:fe1e:dcaa/64 scope link 
       valid_lft forever preferred_lft forever
        

Secondary IP address 10.3.14.150 that was added by heartbeat is highlighted in red. The "eth0:0" at the very end of the output is the label assigned to this address, this label makes it appear as another inetrface in the output of ifconfig, however it is not real inetrface. Here is the output of ifconfig on the same machine at the same time when it was active in the HA pair:

# ifconfig 
eth0      Link encap:Ethernet  HWaddr 00:0c:29:1e:dc:aa  
          inet addr:10.3.14.108  Bcast:10.3.14.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe1e:dcaa/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:242381 errors:0 dropped:0 overruns:0 frame:0
          TX packets:41664 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:40022382 (40.0 MB)  TX bytes:5926417 (5.9 MB)
          Interrupt:18 Base address:0x2000 

eth0:0    Link encap:Ethernet  HWaddr 00:0c:29:1e:dc:aa  
          inet addr:10.3.14.150  Bcast:10.3.14.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:18 Base address:0x2000 
        

It is important to understand the distinction because iptables does not recognize eth0:0 as an interface and does not allow it in "-i" or "-o" clause. Firewall Builder follows the same rules as the target firewall platform it prepares configuration for. This means you should build configuration in fwbuilder using interface "eth0" and not "eth0:0".

Each cluster interface should have a Failover Group child object configured with corresponding interfaces of the member firewalls. Configuration of this object implements interface mapping illustrated by Figure 8.1 and is shown below:

Figure 8.2. Failover Group object configuration

Failover Group object configuration


Firewall Builder GUI proides a way to configure some parameters for the failover protocols heartbeat and OpenAIS. Click Edit protocol parameters button to open dialog for this:

Table 8.2. 

Figure 8.3. Editing parameters for the heartbeat protocol

Editing parameters for the heartbeat protocol


Figure 8.4. Editing parameters for the OpenAIS protocol

Editing parameters for the OpenAIS protocol



Firewall Builder only supports multicast or unicast heartbeat configuration. You can enter the address and port number in the dialog. If you turn checkbox "Use unicast address" on, generated iptables commands will match source and destination addresses of the corresponding interface of both member firewalls. If this checkbox is off, it is assumed heartbeat is configured to use multicast and generated iptables commands will only match this multicast address in both INPUT and OUTPUT chains.

As with heartbeat, you can configure ip address and port number for the OpenAIS protocol. There is no unicast option here.

Cluster object should also have State Synchronization group child object. Create it using context menu "Add State Synchronization Group" item if this object does not exist. In this object you need to configure member interfaces that should be used for state synchronization. On Linux, state synchronization is done using conntrackd daemon (conntrack-tools home page). Configure State Synchronization group object with interfaces of the member firewalls used to pass conntrackd packets:

Figure 8.5. State synchronization group object in the tree

State synchronization group object in the tree


The State Synchronization group object should look like this:

Figure 8.6. State synchronization group object parameters

State synchronization group object parameters


Member firewalls and their inetrfaces appear in the panel in the right hand side of the dialog. Firewall Builder uses this information to automatically generate iptables rules to permit conntrackd packets. Firewall Builder assumes conntrackd is configured to send synchronization packets over dedicated interface (which generally is a good idea anyway). You may use internal inetrface of the firewall for this purpose as well. See examples of conntrackd configuration in Firewall Builder CookBook. You can configure ip address and port number for the conntrack as well.

Figure 8.7. Editing parameters for the Conntrack state synchronization protocol

Editing parameters for the Conntrack state synchronization protocol


 

Copyright © 2000-2012 NetCitadel, Inc. All rights reserved.
 Using free CSS Templates.