building a iptables-firewallcluster

building a iptables-firewallcluster

[Marc Schoechlin]

Hi !

As i remember at linuxtag 2004 (karlsruhe/germany) Harald Welte gave
a speech about a facility in the linux-kernel which allows the
synchronization of conntrack-tables between the different machines
of a firewall-cluster.

I searched for some documentation and the state of this project, but i was not
able to get any useful information about this issue.

Is this now part of the linux-kernel or are there now other strategies
to build firewallclusters for load-balancing and/or 
high-availability ?

Where can i get detailed information about the installation of a 
iptables-based firewall-cluster ?

Best regards

Marc Schoechlin

-- 
I prefer non-proprietary document-exchange.
http://sector7g.wurzel6.de/pdfcreator/
http://www.prooo-box.org/

Re: building a iptables-firewallcluster

[Marc Schoechlin]

Hi !

On Tue, Aug 02, 2005 at 02:03:09PM +0200, Marc Schoechlin wrote:

> As i remember at linuxtag 2004 (karlsruhe/germany) Harald Welte gave
> a speech about a facility in the linux-kernel which allows the
> synchronization of conntrack-tables between the different machines
> of a firewall-cluster.
> 
> I searched for some documentation and the state of this project, but i was not
> able to get any useful information about this issue.
> 
> Is this now part of the linux-kernel or are there now other strategies
> to build firewallclusters for load-balancing and/or 
> high-availability ?
> 
> Where can i get detailed information about the installation of a 
> iptables-based firewall-cluster ?

No resonse for two weeks - am i right to assume that this 
project is dead ?

Are there any other ways ?

Best regards

Marc Schoechlin
-- 
I prefer non-proprietary document-exchange.
http://sector7g.wurzel6.de/pdfcreator/
http://www.prooo-box.org/

Re: building a iptables-firewallcluster

[Grant Taylor]

> No resonse for two weeks - am i right to assume that this 
> project is dead ?
> 
> Are there any other ways ?

The only thing that I know of that will even remotely come close to synchronizing some firewall state is the Linux Director (load balancer) part of a Linux Virtual Server.  You may want to look there.



Grant. . . .

Re: building a iptables-firewallcluster

[KOVACS Krisztian]

  Hi,

On Sunday 21 August 2005 15.37, Marc Schoechlin wrote:
> > Is this now part of the linux-kernel or are there now other
> > strategies to build firewallclusters for load-balancing and/or
> > high-availability ?
> >
> > Where can i get detailed information about the installation of a
> > iptables-based firewall-cluster ?
>
> No resonse for two weeks - am i right to assume that this
> project is dead ?

  Almost, but not completely dead.

  Current code can be found in the netfilter SVN repository, take a look 
at these URLs:
 
http://svn.netfilter.org/cgi-bin/viewcvs.cgi/branches/netfilter-ha/linux-2.6/
http://svn.netfilter.org/cgi-bin/viewcvs.cgi/branches/netfilter-ha/linux-2.6-actact/

  The linux-2.6 branch is the current (actually quite old) code for 
2.6.10; the linux-2.6-actact branch is Harald's latest development 
version (configurable through sysfs, capable of participating in 
multiple sync groups, etc.). This latter branch is even more 
experimental than the linux-2.6 branch, of course...

  Some of the infrastructure necessary for this code (namely conntrack 
events) will be part of Linux 2.6.14 (it's already in David Miller's 
2.6.14 networking branch). Unfortunately Harald's -actact branch is far 
from being complete, and porting this code for the (slightly changed) 
Linux-2.6.14 infrastructure is to be done. Slightly more information 
can be found in the netfilter-ha mailing list archive (yes, I know, 
that list seems to be dead as well).

  Unfortunately Harald does not seem to have the time necessary to work 
on this project right now, and neither do I. (Apart from this, I also 
don't have the devices necessary to do _any_ testing apart from 
compiling the code...)

  Sorry for the late answer, but the case is that I very rarely read the 
'netfilter' mailing list.

-- 
 Regards,
  Krisztian Kovacs

Re: building a iptables-firewallcluster

[/dev/rob0]

On Monday 2005-August-22 06:50, KOVACS Krisztian wrote:
> On Sunday 21 August 2005 15.37, Marc Schoechlin wrote:
> > No resonse for two weeks - am i right to assume that this
> > project is dead ?
>
>   Almost, but not completely dead.

Did we not just have 2 iptables releases last month? Slow perhaps, but 
the rumours of the death of netfilter would appear to be greatly 
exaggerated. :)

>   Unfortunately Harald does not seem to have the time necessary to
> work on this project right now, and neither do I. (Apart from this, I
> also don't have the devices necessary to do _any_ testing apart from
> compiling the code...)

I can't suggest anything to help with making more hours in the day, 
other than take a lot of westbound jet flights, and always continue 
westbound. ;) But I have a couple of ideas for the device shortage:

1. Skip surfing / dumpster diving
   Old "useless" machines are excellent netfilterers.
2. User-mode Linux
   Set up an entire network on one physical machine.
-- 
    mail to this address is discarded unless "/dev/rob0"
    or "not-spam" is in Subject: header

Re: building a iptables-firewallcluster

[KOVACS Krisztian]

  Hi,

On Monday 22 August 2005 15.15, /dev/rob0 wrote:
> >   Almost, but not completely dead.
>
> Did we not just have 2 iptables releases last month? Slow perhaps,
> but the rumours of the death of netfilter would appear to be greatly
> exaggerated. :)

  I was referring to netfiler HA, not netfilter itself.

-- 
 Regards,
  Krisztian Kovacs

Re: building a iptables-firewallcluster

[Taylor, Grant]

>   Unfortunately Harald does not seem to have the time necessary to work 
> on this project right now, and neither do I. (Apart from this, I also 
> don't have the devices necessary to do _any_ testing apart from 
> compiling the code...)

I might have devices to do some testing as well as an ISP that will work with me (give me the IPs that I need to test with) so I'd be more than happy to help in that regard.  I'd also love to see such things come about.



Grant. . . .

Re: building a iptables-firewallcluster

[Taylor, Grant]

> I can't suggest anything to help with making more hours in the day, 
> other than take a lot of westbound jet flights, and always continue 
> westbound. ;) But I have a couple of ideas for the device shortage:
> 
> 1. Skip surfing / dumpster diving
>    Old "useless" machines are excellent netfilterers.
> 2. User-mode Linux
>    Set up an entire network on one physical machine.

There are a lot of things that can be done with UML, but more can be done with said low end boxen.  I personally have at present more than a dozen unallocated P-II 233 MHz 64 MB RAM systems (read GREAT routers!) and an 8 port KVM switch box with cables that I'd be more than willing to hook up to some boxen to work with.



Grant. . . .