firewall with failover - ct_sync ?

firewall with failover - ct_sync ?

[octane indice]

Hello

I'm trying to experiment a firewall cluster under linux like 
carp+pfsync under openBSD.

1. does ct_sync works?
I asked on the netfilter-failover mailing list where someone tolds me not (but 
the mailing lists seems abandoned).

2. I found the web page:
http://svn.netfilter.org/netfilter/trunk/netfilter-ha/README
But it makes references to kernel 2.4.26 and CVS.
2. a) Must I use quilt? 
2. b) Where I grab the patch files?

3. Is there another documentation?

4. the site http://vvv.barbarossa.name/files/ct_sync/
gives two patch for the 2.6.16 kernel.
Which one have I to use? both?

5. The link beetween the two machines must be an ethernet link? 
I have old boxes with two PCI port only, but parrallel link is OK with plip. For 
testing would it be OK? (I just want to test functionnality, not the throughput)

Thanks

"Ce Caillou-là" un conte en téléchargement gratuit sur http://www.Manuscrit.com

Re: firewall with failover - ct_sync ?

[Maximilian Wilhelm]

Am Montag, den 24. April hub octane indice folgendes in die Tasten:

Hi!

> I'm trying to experiment a firewall cluster under linux like 
> carp+pfsync under openBSD.

> 1. does ct_sync works?

Yes, at least for me :)
See below.

> I asked on the netfilter-failover mailing list where someone tolds me not (but 
> the mailing lists seems abandoned).

> 2. I found the web page:
> http://svn.netfilter.org/netfilter/trunk/netfilter-ha/README
> But it makes references to kernel 2.4.26 and CVS.



> 2. a) Must I use quilt? 

quilt does just apply add the patch files listed in the series file in
the order listed there. You can do this manually if you like (or
dislike quilt).

> 2. b) Where I grab the patch files?

For 2.4:
http://svn.netfilter.org/netfilter/trunk/netfilter-ha/patches/

For 2.6:
http://svn.netfilter.org/netfilter/branches/netfilter-ha/

(My patches are against the "normal" ct_sync version found in the
 "linux-2.6" subdirectory of the link above.)

I did not get the linux-2.6-multigroup stuff running stable with the
latest kerne up to now. Maybe I'll put my lasting patches for a
running-but-unstable-version to the webpage these days.

> 3. Is there another documentation?

I only know of a german Linux-Magazin article at
http://www.linux-magazin.de/Artikel/ausgabe/2005/12/linux-ha-fw/linux-ha-fw.html

> 4. the site http://vvv.barbarossa.name/files/ct_sync/
> gives two patch for the 2.6.16 kernel.
> Which one have I to use? both?

I thought the description beneath the file list was clear :)

I split up the patch so everyone can easily see what I've done to get it
working (-fix one) and what I did to make the sourcecode "look and feel"
a bit nicer (-cleanup one).
So if you just want a working version of ct_sync with a kernel version
2.6.16 (does work with 2.6.16.9 for me) you only have to patch your svn
copy from http://svn.netfilter.org/netfilter/trunk/netfilter-ha/ with
http://vvv.barbarossa.name/files/ct_sync/ct_sync_2.6.16-fix.patch

> 5. The link beetween the two machines must be an ethernet link? 
> I have old boxes with two PCI port only, but parrallel link is OK with plip. 
> For testing would it be OK? (I just want to test functionnality,
> not the throughput)

ct_sync expects an ethernet interface for syncing.
You cannot use anything different.

If you have switches which allow vlans (802.1Q) you could set up two (or
more) vlans and configure virtual interfaces on the firewall using
vconfig. (I've done so on my first firewalls using ct_sync as they have
only two interfaces, too).

HTH
Ciao
Max
-- 
|           |                 Follow the white penguin.
|  |\/|  |  |-----------------------------------------------------------.
|  |  |/\|  |  Rechnerbetrieb Mathematik  |   Meine Baustellen:  TSM    |
|           |  Universitaet Paderborn     |   Hostmaster, Linux, LDAP   | 

Re: firewall with failover - ct_sync ?

[octane indice]

En réponse à Maximilian Wilhelm <max@rfc2324.org> :
> > 1. does ct_sync works?
> 
> Yes, at least for me :)
> 
good :)

> > 2. a) Must I use quilt? 
> 
> quilt does just apply add the patch files listed in the series
> file in the order listed there. You can do this manually if 
> you like (or dislike quilt).
> 
I just don't know quilt. I'll try it.

> > 2. b) Where I grab the patch files?
> 
> For 2.6:
> http://svn.netfilter.org/netfilter/branches/netfilter-ha/
> 
Ok. I have to learn subversion first.
I just know the CVS way or patch way to patch sources.

> (My patches are against the "normal" ct_sync version found in
> the  "linux-2.6" subdirectory of the link above.)
> 
I should patch _two_ times?
Let's take an example:
I download linux-2.6.16, then patch with 
http://svn.netfilter.org/netfilter/branches/netfilter-ha/
then patch with the 
http://vvv.barbarossa.name/files/ct_sync/ct_sync_2.6.16-fix.patch
?

> I did not get the linux-2.6-multigroup stuff running stable
> with the latest kerne up to now. Maybe I'll put my lasting 
> patches for a running-but-unstable-version to the webpage
> these days.
> 
> > 3. Is there another documentation?
> 
> I only know of a german Linux-Magazin article at
> http://www.linux-magazin.de/Artikel/ausgabe/2005/12/linux-ha-fw/linux-ha-
fw.html
>
I don't speak german, I'll try to get it with google translate
 
> > 5. The link beetween the two machines must be an ethernet
> > link? 
> > I have old boxes with two PCI port only, but parrallel link
>>  is OK with plip. 
> 
> ct_sync expects an ethernet interface for syncing.
> You cannot use anything different.
>
PLIP is an ethernet link (sort of). If name "plip" is a 
problem, is there a way to cheat it with udev?
 

> ------------------- Fin du message d'origine ---------------------




"Ce Caillou-là" un conte en téléchargement gratuit sur http://www.Manuscrit.com

Re: firewall with failover - ct_sync ?

[Maximilian Wilhelm]

Am Donnerstag, den 27. April hub octane indice folgendes in die Tasten:

Hi!

> > > 2. b) Where I grab the patch files?

> > For 2.6:
> > http://svn.netfilter.org/netfilter/branches/netfilter-ha/

> Ok. I have to learn subversion first.
> I just know the CVS way or patch way to patch sources.

svn co  http://svn.netfilter.org/netfilter/branches/netfilter-ha/
It does just copy the repository to your disk.

> I should patch _two_ times?
> Let's take an example:

> I download linux-2.6.16, then patch with 
> http://svn.netfilter.org/netfilter/branches/netfilter-ha/
> then patch with the 
> http://vvv.barbarossa.name/files/ct_sync/ct_sync_2.6.16-fix.patch

The other way around.

The patches from svn.netfilter.org do not apply on linux-2.6.16.

 1. get http://svn.netfilter.org/netfilter/branches/netfilter-ha/
 2. patch it with my patch
 3. run quilt / patch the kernel
 4. build kernel

> > I only know of a german Linux-Magazin article at
> > http://www.linux-magazin.de/Artikel/ausgabe/2005/12/linux-ha-fw/linux-ha-
> > fw.html

> I don't speak german, I'll try to get it with google translate

Ok.

> > ct_sync expects an ethernet interface for syncing.
> > You cannot use anything different.

> PLIP is an ethernet link (sort of). If name "plip" is a 
> problem, is there a way to cheat it with udev?

It don't know if this will work.
Just try it :)

Ciao
Max
-- 
|           |                 Follow the white penguin.
|  |\/|  |  |-----------------------------------------------------------.
|  |  |/\|  |  Rechnerbetrieb Mathematik  |   Meine Baustellen:  TSM    |
|           |  Universitaet Paderborn     |   Hostmaster, Linux, LDAP   |