RE: using heartbeat for high availability of NETFILTER Firewall

Chip Upsal [mailto:chip@cyberwolf.com] wrote:
>I am trying to use heartbeat to give us failover on our netfilter/iptables
>firewall.
>
>However, I am not having any luck getting things to work consistently. Am I
>barking up the wrong tree...is it possible to use heartbeat to achieve these
>goals? Should I be looking at something else?
>

Chip,

Could you elaborate a little on what is going wrong? Are you experiencing
problems with the heartbeat software, like resources/IP addresses not
failing over or appearing on both nodes?

It's certainly possible to set up a poor man's failover firewall
with netfilter and heartbeat.
There's no state replication of the connection tracking information,
although, depending on the way your firewall rules are set up,
"transparent" failover should be possible. Problem areas I can think of,
due to lack of conntrack info replication between the nodes, are
RELATED connections of conntrack helpers, and NAT/MASQUERADE issues
when a node fails over. But those issues have a fairly low impact
in most setups.

Regards,
Filip
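To make the point about missing conntrack state concrete, here is an added example that is not part of the thread: two FORWARD rulesets in iptables-save format, assuming eth0 is the outside interface, eth1 the inside one, and that the only inbound service is a web server on port 80. The first version insists that a NEW TCP flow start with a SYN, so the node taking over, whose conntrack table is empty, drops every in-flight flow; the second lets conntrack pick up mid-stream TCP (net.netfilter.nf_conntrack_tcp_loose=1, the default; older kernels name it ip_conntrack_tcp_loose) so existing flows survive a takeover, while RELATED flows from helpers such as FTP and existing NAT mappings still do not.

```iptables
# --- ruleset A: strict, loses every open connection on takeover ---
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
# A flow's first packet must be a SYN. After failover the new node has
# seen none of the open flows, so their next segment (an ACK, not a SYN)
# is classified NEW and dropped here. Clients see their sessions hang.
-A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
-A FORWARD -i eth1 -o eth0 -m state --state NEW -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp --dport 80 -m state --state NEW -j ACCEPT
COMMIT

# --- ruleset B: tolerant of a takeover with an empty conntrack table ---
# Needs net.netfilter.nf_conntrack_tcp_loose = 1 on both nodes, so that
# a mid-stream segment creates a NEW entry instead of being marked INVALID.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
# No SYN-only check. A mid-stream segment is accepted as NEW only if it
# matches the same per-direction, per-service policy a SYN would have to
# match, so the exposure is limited to the services already published.
-A FORWARD -i eth1 -o eth0 -m state --state NEW -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp --dport 80 -m state --state NEW -j ACCEPT
# Not covered by either ruleset: FTP data channels and similar helper
# expectations, and NAT/MASQUERADE mappings, which exist only in the
# failed node's conntrack table and must be re-established by the client.
COMMIT
```

Load each ruleset on its own with iptables-restore; the two are shown together only for comparison.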
