I recently set up an HA firewall/VPN gateway cluster using netfilter, freeswan, and keepalived. Keepalived uses VRRP to sync interfaces for failover and provides load balancing with LVS - very easy to install and configure.

The problem of load balancing the firewalls is state synchronization between the firewall nodes. Unfortunately, I don't think Iptables/Netfilter has that functionality yet, but Iptables2 might... (?) Nonetheless, you should be able to load balance _stateless_ firewall nodes.

Cheers,
Bryan

>I have a situation that I need to have firewall fail over
>capability. 2 separate systems with identical rules with 3
>interfaces, (internet, DMZ, and LAN)
>
>Has anyone set up this situation and have any recommendations
>on how it should be approached? I have looked into the linux
>HA system (http://www.linux-ha.org/). is it possible to load
>balance between the two and shift on failure of the primary?
>
>Any info or direction would be appreciated.
>
>Drag0n
>dragon@xxxxxxxxxxxxxx
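
A sketch of the keepalived side of the setup discussed in this thread, added as an illustration and not taken from either poster's configuration: a VRRP sync group ties the internet, DMZ and LAN instances together so all three virtual addresses fail over as a unit. Interface names, router IDs, priorities and addresses are assumptions (the addresses are documentation ranges).

```conf
# Hypothetical keepalived.conf for the primary firewall node (added example).
# On the second node use "state BACKUP" and a lower priority in each instance.

vrrp_sync_group FW_CLUSTER {
    # Members change state together: a fault on any one interface moves
    # every virtual IP to the peer, so traffic never enters through one
    # firewall and leaves through the other.
    group {
        VI_INTERNET
        VI_DMZ
        VI_LAN
    }
}

vrrp_instance VI_INTERNET {
    state MASTER
    interface eth0
    virtual_router_id 51
    priority 150
    virtual_ipaddress {
        192.0.2.1/24
    }
}

vrrp_instance VI_DMZ {
    state MASTER
    interface eth1
    virtual_router_id 52
    priority 150
    virtual_ipaddress {
        198.51.100.1/24
    }
}

vrrp_instance VI_LAN {
    state MASTER
    interface eth2
    virtual_router_id 53
    priority 150
    virtual_ipaddress {
        10.0.0.1/24
    }
}
```

Hosts on each segment point their gateway at the virtual address. Because connection state is not shared between the nodes, connections tracked on the failed node have to be re-established after a failover.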