Firewall Builder 4.0 introduced support for firewall clusters. Firewall Builder helps you create configuration for iptables, PF, or PIX rules and in some cases cluster configuration as well. The following state synchronization and failover protocols are supported at this time:
Table 8.1. Supported State Synchronization and Failover Software
OS | State Synchronization | Failover |
---|---|---|
Linux | conntrackd | vrrpd, heartbeat, keepalived, OpenAIS |
OpenBSD/FreeBSD | pfsync | CARP |
Cisco ASA (PIX) | PIX state sync protocol | PIX failover protocol |
Cisco IOS Router | None | None |
Firewall Builder automatically generates policy rules to permit packets of these protocols when it sees a firewall cluster configured with one of them. You can use the cluster object and its interfaces instead of the member firewall objects or their interfaces in policy and NAT rules, and the program will substitute the correct addresses when it generates the iptables script or the PF or PIX configuration.
Cisco IOS router firewall objects can be used in a cluster, but Firewall Builder does not support a failover protocol for IOS router clusters, so no rules are automatically created for this type of cluster.
Detailed description of the Cluster object is provided in Section 5.2.3.
Detailed walk-through examples for different Linux, BSD and PIX cluster configurations can be found in the Firewall Builder Cookbook chapter, Section 14.4.
High Availability (HA) configurations on Linux can be built using different software packages, such as vrrpd (VRRPD home page) or heartbeat (Linux-HA home page). Firewall Builder focuses on the firewall configuration and provides an independent way of configuring iptables rules for Linux HA clusters; it can be used with any HA software package, including home-grown scripts and packages that will appear in the future. At this time Firewall Builder does not generate configuration or command lines for the HA software.
As with all other supported firewall platforms, interface objects that belong to a cluster object serve to establish the association between actual interfaces of the member firewalls. A cluster interface object should have the same name as the corresponding member firewall interfaces. It should have a Failover Group child object configured with interfaces of the member firewalls. You can create a Failover Group object using the context menu item "Add Failover Group"; the menu appears when you right-click the cluster interface object. If you create a new cluster using the "New object" menu or toolbar button, the wizard that creates the new cluster object will create Failover Group objects automatically. Here is how it should look:
Note that the name of the cluster interface should match the name of the member interfaces exactly, even if it may appear that the HA software running on the firewall creates a new interface such as eth0:0. The heartbeat daemon creates what looks like an interface "eth0:0" when it becomes active and assumes the virtual IP address. "eth0:0" is in fact a label on the secondary IP address of interface "eth0", which you can see if you run the command "ip addr show dev eth0". Here is an example of the output of this command taken on the firewall running heartbeat that was active at the moment:
```
# ip addr show dev eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 00:0c:29:1e:dc:aa brd ff:ff:ff:ff:ff:ff
    inet 10.3.14.108/24 brd 10.3.14.255 scope global eth0
    inet 10.3.14.150/24 brd 10.3.14.255 scope global secondary eth0:0
    inet6 fe80::20c:29ff:fe1e:dcaa/64 scope link
       valid_lft forever preferred_lft forever
```
The secondary IP address 10.3.14.150, on the line marked "secondary", was added by heartbeat. The "eth0:0" at the very end of that line is the label assigned to this address; the label makes it appear as another interface in the output of ifconfig, but it is not a real interface. Here is the output of ifconfig on the same machine at the same time, while it was active in the HA pair:
```
# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:0c:29:1e:dc:aa
          inet addr:10.3.14.108  Bcast:10.3.14.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe1e:dcaa/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:242381 errors:0 dropped:0 overruns:0 frame:0
          TX packets:41664 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:40022382 (40.0 MB)  TX bytes:5926417 (5.9 MB)
          Interrupt:18 Base address:0x2000

eth0:0    Link encap:Ethernet  HWaddr 00:0c:29:1e:dc:aa
          inet addr:10.3.14.150  Bcast:10.3.14.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:18 Base address:0x2000
```
It is important to understand the distinction because iptables does not recognize eth0:0 as an interface and does not accept it in the "-i" or "-o" options. Firewall Builder follows the same rules as the target firewall platform it prepares configuration for. This means you should build the configuration in fwbuilder using interface "eth0", not "eth0:0".
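As an added check (not part of the original guide), this shell snippet parses the `ip addr show` output above (embedded here so it runs offline) and tells the real kernel device apart from address labels, so a name can be verified before it goes into an iptables "-i"/"-o" option or a fwbuilder interface object.

```shell
#!/bin/sh
# Distinguish the kernel device from address labels in "ip addr show dev NAME"
# output. Only the device name is valid for iptables -i/-o; a label such as
# eth0:0 is just an alias tag on a secondary address.
# Sample below is the page's heartbeat example, embedded so this runs offline.
IP_ADDR_SAMPLE='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 00:0c:29:1e:dc:aa brd ff:ff:ff:ff:ff:ff
    inet 10.3.14.108/24 brd 10.3.14.255 scope global eth0
    inet 10.3.14.150/24 brd 10.3.14.255 scope global secondary eth0:0
    inet6 fe80::20c:29ff:fe1e:dcaa/64 scope link
       valid_lft forever preferred_lft forever'

# Real device: the name on the "N: name:" header line (second ": "-separated field).
real_device() {
    printf '%s\n' "$1" | awk -F': ' 'NR == 1 { print $2; exit }'
}

# Labels: the last field of each "inet" line that is not the device name itself.
# These are aliases on the device, not interfaces iptables will accept.
address_labels() {
    dev=$(real_device "$1")
    printf '%s\n' "$1" | awk -v dev="$dev" '$1 == "inet" && $NF != dev { print $NF }'
}

# True only when NAME is the real device, i.e. usable in "-i NAME" / "-o NAME".
iptables_iface_ok() {
    [ "$2" = "$(real_device "$1")" ]
}

echo "device: $(real_device "$IP_ADDR_SAMPLE")"
echo "labels: $(address_labels "$IP_ADDR_SAMPLE")"
iptables_iface_ok "$IP_ADDR_SAMPLE" eth0:0 || echo "eth0:0 is a label, use eth0 in -i/-o"
```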
Each cluster interface should have a Failover Group child object configured with the corresponding interfaces of the member firewalls. The configuration of this object implements the interface mapping illustrated by Figure 8.1 and is shown below:
The Firewall Builder GUI provides a way to configure some parameters of the failover protocols heartbeat and OpenAIS. Click the "Edit protocol parameters" button to open the dialog:
Firewall Builder supports only multicast or unicast heartbeat configuration. You can enter the address and port number in the dialog. If you turn the "Use unicast address" checkbox on, the generated iptables commands will match the source and destination addresses of the corresponding interface of both member firewalls. If this checkbox is off, heartbeat is assumed to be configured to use multicast, and the generated iptables commands will match only this multicast address in both the INPUT and OUTPUT chains.
As with heartbeat, you can configure the IP address and port number for the OpenAIS protocol. There is no unicast option here.
The cluster object should also have a State Synchronization group child object. Create it using the context menu item "Add State Synchronization Group" if this object does not exist. In this object you need to configure the member interfaces that should be used for state synchronization. On Linux, state synchronization is done using the conntrackd daemon (conntrack-tools home page). Configure the State Synchronization group object with the interfaces of the member firewalls used to pass conntrackd packets:
The State Synchronization group object should look like this:
Member firewalls and their interfaces appear in the panel on the right-hand side of the dialog. Firewall Builder uses this information to automatically generate iptables rules that permit conntrackd packets. Firewall Builder assumes conntrackd is configured to send synchronization packets over a dedicated interface (which is generally a good idea anyway). You may use an internal interface of the firewall for this purpose as well. See examples of conntrackd configuration in the Firewall Builder Cookbook. You can configure the IP address and port number for conntrackd as well.
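To make the multicast and unicast forms described for heartbeat and conntrackd concrete, here is an added shell example; it is not fwbuilder's generator or its output, and the port and group values (heartbeat UDP 694 / 225.0.0.1, conntrackd UDP 3780 / 225.0.0.50), the sync interface name eth1 and the peer address 10.3.14.109 are assumptions.

```shell
#!/bin/sh
# Emit iptables rules admitting one cluster protocol on one interface, in the
# two forms the text distinguishes: multicast (match the group address as
# destination in INPUT and OUTPUT) and unicast (match this member's and the
# peer's addresses as source and destination). Illustration only; the ports and
# groups are assumed defaults (heartbeat 694/225.0.0.1, conntrackd 3780/225.0.0.50).

# usage: ha_rules IFACE NAME PORT multicast GROUP
#        ha_rules IFACE NAME PORT unicast   SELF PEER
ha_rules() {
    iface=$1; name=$2; port=$3; mode=$4; shift 4
    case $mode in
    multicast)
        group=$1
        printf '%s\n' \
          "iptables -A INPUT -i $iface -p udp -d $group --dport $port -m comment --comment $name -j ACCEPT" \
          "iptables -A OUTPUT -o $iface -p udp -d $group --dport $port -m comment --comment $name -j ACCEPT"
        ;;
    unicast)
        self=$1; peer=$2
        printf '%s\n' \
          "iptables -A INPUT -i $iface -p udp -s $peer -d $self --dport $port -m comment --comment $name -j ACCEPT" \
          "iptables -A OUTPUT -o $iface -p udp -s $self -d $peer --dport $port -m comment --comment $name -j ACCEPT"
        ;;
    *)
        echo "ha_rules: unknown mode '$mode' (use multicast or unicast)" >&2
        return 1
        ;;
    esac
}

# Rules for the setup in the text: heartbeat on eth0 (member address 10.3.14.108
# is from the page, peer 10.3.14.109 is constructed) and conntrackd on a
# dedicated sync interface eth1 (assumed name) using its multicast group.
ha_rules eth0 heartbeat 694 unicast 10.3.14.108 10.3.14.109
ha_rules eth1 conntrackd 3780 multicast 225.0.0.50
```

Pipe the output through `sh` on the member whose address was given as SELF; the other member needs the same call with SELF and PEER swapped.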
Copyright © 2000-2012 NetCitadel, Inc. All rights reserved.