Hi,

Now that I have my policy-based routing NAT FW working as expected (thanks for everyone's previous comments!), I would like it to be resilient.

The more I think about it, the less I want to bother with true HA (i.e. keeping track of connections). My solution can handle 20-30 seconds of downtime with no real problems, and if on the odd occasion it went up to 2-3 minutes it wouldn't actually be that much of a biggie either. Basically, I just don't want to be woken up at 3:54am on a Tuesday morning because of a kernel panic :-). If it can wait till 7:30 then that is all the resilience I actually need.

The keys here are simplicity and resources. It should be as simple as possible, and shouldn't require very much in terms of memory and processor resources. I could possibly even get away with scripting something up in bash, but I would much rather not as I'm very lazy :-).

Does anyone have experience with such a setup? It looks as though at a minimum there is keepalived and pacemaker+heartbeat. Is one better/worse for a specialised firewall box?

Thanks

Anton

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
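As an added illustration of the kind of stateless, low-resource failover asked about above (this is example configuration written for this page, not from Anton's post or from the netfilter project), here is a minimal keepalived VRRP setup for a two-box NAT firewall. The interface names (eth0 outside, eth1 inside), the addresses, the VRIDs, the hostname and the rule checked by the health script are all assumptions; substitute your own.

```conf
# /etc/keepalived/keepalived.conf on fw1 (hypothetical example).
# fw2 uses the same file with router_id fw2 and a lower priority (e.g. 90).
#
# Assumed layout: eth0 = outside (ISP side), eth1 = inside (LAN side).
# Assumed addresses: outside VIP 203.0.113.10/24, inside gateway VIP 192.168.1.1/24.
# No conntrack sync: on failover, established flows are dropped and the
# master-down detection (3 x advert_int plus skew) takes roughly 3-4 s,
# well inside the 20-30 s the post says it can tolerate.

global_defs {
    router_id fw1
}

# Health check: if the box's own SNAT rule is missing (e.g. the ruleset did
# not load after a reboot), the script exits non-zero and, with no weight set,
# the instance drops into FAULT state so the peer takes over.
vrrp_script chk_nat {
    script "/usr/sbin/iptables -t nat -C POSTROUTING -o eth0 -j SNAT --to-source 203.0.113.10"
    interval 5
    fall 2
    rise 2
}

# Both VIPs must move together: an outside VIP on one box and an inside
# gateway VIP on the other would send traffic through two different
# conntrack tables and NAT would break.
vrrp_sync_group FW {
    group {
        VI_OUT
        VI_IN
    }
}

vrrp_instance VI_OUT {
    state BACKUP          # both nodes start as BACKUP; required for nopreempt
    interface eth0
    virtual_router_id 51
    priority 100
    advert_int 1
    nopreempt             # a recovered node does not grab the VIP back,
                          # so a flapping box causes one outage, not two
    virtual_ipaddress {
        203.0.113.10/24 dev eth0
    }
    track_script {
        chk_nat
    }
}

vrrp_instance VI_IN {
    state BACKUP
    interface eth1
    virtual_router_id 52
    priority 100
    advert_int 1
    nopreempt
    virtual_ipaddress {
        192.168.1.1/24 dev eth1
    }
    track_script {
        chk_nat
    }
}
```

Two practical points that go with this design. First, the SNAT rule on both boxes has to translate to the shared outside VIP (203.0.113.10 here), not to each box's own address; otherwise new connections made after a failover leave with an address the ISP side no longer routes to the active node. Second, keepalived sends gratuitous ARP when it becomes master, which is what moves the VIP's MAC in the upstream router's and LAN hosts' ARP caches; if the switches between the two boxes filter multicast, use keepalived's unicast_peer option so the VRRP advertisements still get through, since a node that stops hearing its peer will otherwise promote itself and you end up with two masters.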