Re: About cluster deployments.

Hi, thanks for the response!

But I'd like to know what your experiences were.

Have you already made active/active configurations?
How did you handle the traffic to the two firewalls?
Did you work with multicast ARP or port mirroring?

I believe that working with multicast ARP is better.
But I must confirm that the gateways with the firewall support this
feature as well.

A few years ago I tested pfsync + carp on a Unix OpenBSD system.
There is a feature called arp balance - is there something like it in Linux?
I was impressed, but I prefer the netfilter resources (I think they are the most flexible).

What do you have configured?
What wasn't good? And what was cool?

I've read several pieces of documentation for Linux.
I'm opening this thread to help me define the best methodology and
make my scripts more expert!


2012/12/10 Arnoud Tijssen <ATijssen@xxxxxx>:
> For IPTables have a look at:
>
> http://www.linuxjournal.com/article/10964
>
>
> ________________________________________
> From: netfilter-owner@xxxxxxxxxxxxxxx [netfilter-owner@xxxxxxxxxxxxxxx] On Behalf Of Humberto Jucá [betolj@xxxxxxxxx]
> Sent: Friday, December 07, 2012 5:27 PM
> To: netfilter@xxxxxxxxxxxxxxx
> Subject: About cluster deployments.
>
> Hi all,
>
> I'd like to know the group's opinion about available GPL cluster
> solutions. At the moment I'm working with a solution based on ucarp
> (vip address) and rsync (conf syncs) without synchronizing the
> conntrack table - I'm using the active / passive model.
>
> I'm adopting a configuration with two ucarp groups. One group
> determines which firewall will be dedicated to Internet control and
> the other is for internal control.
>
> The most suitable configuration into Internet has been keepalived + conntrackd.
> I think it's a great alternative, but ... I'm having some doubts.
>
> What do you think of implementations with CLUSTERIP?
> I did some tests, but found it a bit unstable. Maybe because of my mistakes.
> I found articles criticizing it and others saying that the target
> CLUSTERIP will sync the conntrack table too. Is it true?
>
> To synchronize the configuration I thought about using DRBD, but I
> found it very complex to manage - it increases the difficulty in adding
> or removing nodes. In the tests that I did, I preferred GlusterFS. But I'm
> undecided. I still think rsync is the most simple, secure and fast way
> to synchronize settings. In my opinion the other methods amplify the
> complexity unnecessarily (for firewalls).
>
> I found articles defending the cluster configuration with corosync + pacemaker.
> It seems a fairly complete solution, but I thought it is not ideal for a firewall.
>
> I intend to test models with active/active, but there isn't much
> documentation on the subject.
>
> What opinion do you have about it (cluster solutions)?
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at  http://vger.kernel.org/majordomo-info.html