Re: Redundant firewall

Linux Advanced Routing and Traffic Control

Sorry David for the offlist reply.

On Wed 12 Oct 2005 14:26:01 EDT, David Coulson <david@xxxxxxxxxxxxxxxx> wrote:
> Sebastien Guay wrote:
>> Maybe I understand it the wrong way (in that case it will be more a
>> Linux-HA question) but I will have two fully functional firewalls.  From
>> the ROUTER pov, a packet destined to SERVER can pass through FW1 as well
>> as FW2.  But it should only go through FW1 OR FW2 (whichever is active).

> Well, you have a VIP which is on either firewall (actually two VIPs, one
> for the inside interface, one for the outside).

I think it would have been better if I had given more details in the first place. Sorry about that :(

Say x.x.x.141 is the public IP address of FW1 (same IP for eth0 and eth1) and x.x.x.140 of FW2 (eth0 and eth1). Heartbeat will be configured to create the VIP x.x.x.129 on both interfaces (you raised this point but it's more for the Linux-HA mailing list).

So 141, 140, 129 and the server's IP are all on the same subnet. Packets from the router may go through 141, 140 or 129. But they should only go through 129.

> Packets to your inside network are routed to that VIP, rather than to a
> specific firewall.

Yes but they can also be routed to the real IP of FW1 and FW2. And that's what I try to avoid.

> The router has no comprehension of fw1 or fw2 - Only that there is an IP
> it sends packets for your subnet to.

My bad.  I should have said "IP of FW1 or IP of FW2".

Thanks for the help so far David.  I really appreciate it.

Sébastien
--

_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
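As an added example (not code from the thread or from Linux-HA), one way to make sure traffic only ever crosses the firewall that currently holds the VIP: a Heartbeat-style start/stop resource script that opens kernel forwarding and the FORWARD chain on start and closes them on stop, so the standby box refuses packets the router sends to its real address (140 or 141) as a next hop. The placeholder 192.0.2.129 stands in for the thread's x.x.x.129; the sysctl and iptables calls assume root, and the `check` decision is kept as a pure function over `ip -4 addr show` text so it can be exercised without touching a live box.

```shell
#!/bin/sh
# Constructed example: gate forwarding on VIP ownership so only the active
# firewall ever carries traffic. 192.0.2.129 is a placeholder for x.x.x.129.
VIP="${VIP:-192.0.2.129}"

# vip_held ADDR_OUTPUT VIP: exit 0 when VIP appears as an inet address in the
# supplied `ip -4 addr show` output (passed as text so it can be tested offline)
vip_held() {
    printf '%s\n' "$1" | grep -Fq "inet $2/"
}

# forward_policy ADDR_OUTPUT VIP: FORWARD chain policy this node should run with.
# ACCEPT only while it holds the VIP, DROP otherwise, so the standby does not
# forward packets the router happens to send to its real IP as next hop.
forward_policy() {
    if vip_held "$1" "$2"; then echo ACCEPT; else echo DROP; fi
}

# apply_policy POLICY: set kernel forwarding and the FORWARD policy (needs root)
apply_policy() {
    case "$1" in
        ACCEPT) sysctl -w net.ipv4.ip_forward=1 >/dev/null ;;
        DROP)   sysctl -w net.ipv4.ip_forward=0 >/dev/null ;;
        *) echo "unknown policy: $1" >&2; return 1 ;;
    esac
    iptables -P FORWARD "$1"
}

# start/stop are what Heartbeat calls when the VIP resource moves;
# check prints the policy this node should be running right now.
case "${1:-}" in
    start) apply_policy ACCEPT ;;
    stop)  apply_policy DROP ;;
    check) forward_policy "$(ip -4 addr show)" "$VIP" ;;
esac
```

Run `check` on both firewalls after a failover: exactly one of them should print ACCEPT.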
