Linux Netfilter discussions
* Linux Firewall Active/Active
@ 2014-11-05 19:15 Ricardo Klein
  2014-11-05 19:40 ` Michael Schwartzkopff
  2014-11-05 20:40 ` Arturo Borrero Gonzalez
  0 siblings, 2 replies; 14+ messages in thread
From: Ricardo Klein @ 2014-11-05 19:15 UTC (permalink / raw)
  To: netfilter

Hi there,

I need to build a scenario with 2 linux servers (probably CentOS7)
acting as active/active firewall servers. What tools should I use?
I saw some articles with:
 - conntrackd + keepalived
 - conntrackd + corosync + pacemaker

But, what is the most used/stable?


AND, if there is a chance, I have 4 LAN networks (each one in a
different VLAN) and it would be good if I could set something like
"preferred master" for each one for load distribution, because I will
run SQUID on those servers too.

I just need to know which way to go, so I can learn the tools and
configure it all here.


regards,

Ricardo Felipe Klein
klein.rfk@gmail.com


* Re: Linux Firewall Active/Active
  2014-11-05 19:15 Linux Firewall Active/Active Ricardo Klein
@ 2014-11-05 19:40 ` Michael Schwartzkopff
  2014-11-05 19:50   ` Ricardo Klein
  2014-11-05 20:40 ` Arturo Borrero Gonzalez
  1 sibling, 1 reply; 14+ messages in thread
From: Michael Schwartzkopff @ 2014-11-05 19:40 UTC (permalink / raw)
  To: netfilter; +Cc: Ricardo Klein


On Wednesday, 5 November 2014, 17:15:23 you wrote:
> Hi there,
> 
> I need to build a scenario with 2 linux servers (probably CentOS7)
> acting as active/active firewall servers. What tools should I use?
> I saw some articles with:
>  - conntrackd + keepalived
>  - conntrackd + corosync + pacemaker

Why? There is no reasonable cause to build an active/active firewall from two 
nodes.

Any single piece of hardware is fast enough to filter the speed of a WAN connection you 
can afford. No need for load balancing.

If one server breaks, the other has to bear the whole load. So you have to 
design your hardware for the whole load.

So please build an active/passive system.

keepalived makes things very simple. If you have just the firewall, go for 
it. If you want a little bit more, i.e. conntrackd and a squid with 
dependencies amongst all resources, go for pacemaker.

> But, what is the most used/stable?
> 
> 
> AND, if there is a chance, I have 4 LAN networks (each one in a
> different VLAN) and it would be good if I could set something like
> "preferred master" for each one for load distribution, because I will
> run SQUID on those servers too.
> 
> I just need to know which way to go, so, I can learn the tools and
> configure it all here.

Kind regards,

Michael Schwartzkopff

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044
Franziskanerstraße 15, 81669 München

Registered office: Munich, Amtsgericht München: HRB 199263
Board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the Supervisory Board: Florian Kirstein


* Re: Linux Firewall Active/Active
  2014-11-05 19:40 ` Michael Schwartzkopff
@ 2014-11-05 19:50   ` Ricardo Klein
  2014-11-05 19:57     ` Michael Schwartzkopff
  0 siblings, 1 reply; 14+ messages in thread
From: Ricardo Klein @ 2014-11-05 19:50 UTC (permalink / raw)
  To: ms; +Cc: netfilter

Michael,

thanks for your reply. I forgot to mention that each one is in a
different place, so I wanted to set each local network to use the
nearest firewall. And yes, I will have hardware that can handle the
whole network.

But, why not active/active?  (sorry for the silly question, if you can
just point me to any good source I can read, it's ok, no need to
waste your time with this)


--
Att...

Ricardo Felipe Klein
klein.rfk@gmail.com



* Re: Linux Firewall Active/Active
  2014-11-05 19:50   ` Ricardo Klein
@ 2014-11-05 19:57     ` Michael Schwartzkopff
  2014-11-05 20:06       ` Ricardo Klein
  0 siblings, 1 reply; 14+ messages in thread
From: Michael Schwartzkopff @ 2014-11-05 19:57 UTC (permalink / raw)
  To: Ricardo Klein; +Cc: netfilter


On Wednesday, 5 November 2014, 17:50:05 Ricardo Klein wrote:
> Michael,
> 
> thanks for your reply. I forgot to mention that each one is in a
> different place, so I wanted to set each local network to use the
> nearest firewall. And yes, I will have hardware that can handle the
> whole network.

Do you have a layer 2 connection between both locations? Or do you do some 
dynamic routing changes in the case of a failover?
 
> But, why not active/active?  (sorry for the silly question, if you can
> just point me to any good source I can read about, its ok, no need to
> waste your time with this)

Source: Common sense.

A load-balancing firewall makes things complicated. Keep it simple, so it will 
work reliably.


Kind regards,

Michael Schwartzkopff

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044
Franziskanerstraße 15, 81669 München

Registered office: Munich, Amtsgericht München: HRB 199263
Board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the Supervisory Board: Florian Kirstein


* Re: Linux Firewall Active/Active
  2014-11-05 19:57     ` Michael Schwartzkopff
@ 2014-11-05 20:06       ` Ricardo Klein
  0 siblings, 0 replies; 14+ messages in thread
From: Ricardo Klein @ 2014-11-05 20:06 UTC (permalink / raw)
  To: ms; +Cc: netfilter

Michael,

yes, I have layer 2 between locations...
And yes, I want to keep it simple, but I need to prove to my manager
that active/active is not a good way to go.

--
Att...

Ricardo Felipe Klein
klein.rfk@gmail.com



* Re: Linux Firewall Active/Active
  2014-11-05 19:15 Linux Firewall Active/Active Ricardo Klein
  2014-11-05 19:40 ` Michael Schwartzkopff
@ 2014-11-05 20:40 ` Arturo Borrero Gonzalez
  2014-11-05 21:45   ` shawn wilson
  2014-11-06 12:43   ` Robert Sander
  1 sibling, 2 replies; 14+ messages in thread
From: Arturo Borrero Gonzalez @ 2014-11-05 20:40 UTC (permalink / raw)
  To: Ricardo Klein; +Cc: netfilter

On 5 November 2014 20:15, Ricardo Klein <klein.rfk@gmail.com> wrote:
> Hi there,
>
> I need to build a scenario with 2 linux servers (probably CentOS7)
> acting as active/active firewall servers. What tools should I use?
> I saw some articles with:
>  - conntrackd + keepalived
>  - conntrackd + corosync + pacemaker
>
> But, what is the most used/stable?
>

I would recommend Debian, corosync + pacemaker.

I guess an active-passive cluster will do the job.

Setting up an active-active firewall cluster is very difficult and
presents some challenges that are hard to face (like proper stateful
filtering in two nodes simultaneously, and consistent ruleset management
between nodes of the cluster).

-- 
Arturo Borrero González


* Re: Linux Firewall Active/Active
  2014-11-05 20:40 ` Arturo Borrero Gonzalez
@ 2014-11-05 21:45   ` shawn wilson
  2014-11-05 22:43     ` Paul Robert Marino
  2014-11-06 12:43   ` Robert Sander
  1 sibling, 1 reply; 14+ messages in thread
From: shawn wilson @ 2014-11-05 21:45 UTC (permalink / raw)
  To: Arturo Borrero Gonzalez; +Cc: Ricardo Klein, netfilter

So I was thinking of using tc on the second box to delay the second
packet so it would be dropped by the destination (a really bad way to
do it), but a quick Google search gives this:
http://parkersamp.com/2010/03/howto-using-linux-as-a-simple-load-balancer-nat-router-firewall/#more-123

That said, I don't know that you can actually do what you want within Linux (I'm
pretty sure firewall vendors that support this either do it very badly
or have custom code).


* Re: Linux Firewall Active/Active
  2014-11-05 21:45   ` shawn wilson
@ 2014-11-05 22:43     ` Paul Robert Marino
  2014-11-05 23:55       ` Pablo Neira Ayuso
  0 siblings, 1 reply; 14+ messages in thread
From: Paul Robert Marino @ 2014-11-05 22:43 UTC (permalink / raw)
  To: shawn wilson; +Cc: Arturo Borrero Gonzalez, Ricardo Klein, netfilter


I've actually been doing this successfully with conntrackd, keepalived,
and quagga.

Essentially I'm using quagga for OSPF and BGP externally with equal cost paths.

For conntrackd: FTFW and "DisableExternalCache On".

Do NOT use the howtos on the web or the examples that come with
conntrackd or keepalived for configuring keepalived; they are outdated
and can cause major problems.
Right now the only reliable documentation on keepalived is here:
https://github.com/acassen/keepalived/blob/master/doc/keepalived.conf.SYNOPSIS
Ignore any other docs you find on the web.
Set both the instances in keepalived to "state BACKUP" and allow the
priority numbers to do elections.

I do all of my VRRP heartbeats and syncing over dedicated bonded
interfaces. Short cables are better, but a pair of dedicated fiber
cables to different rack rooms is acceptable. Make sure you configure
keepalived not to monitor the crossover link, or keepalived will think
there is a FAULT when its peer is offline for, say, a reboot.

Do not make the typical mistake of creating a new VRRP instance for
every VLAN and connecting them in a sync group. That configuration can
have strange side effects. Instead use one instance and specify the
device the IP applies to. Under the hood keepalived is using
iproute2 and you can use its full add syntax; just truncate the "ip
addr add" portion of the command.

Also attached are two files: a modified version of the script
packaged in the examples, which has been modified to work with
conntrackd with "DisableExternalCache On", and a nice little upstream
router check script you can use in keepalived that uses fping.

I am planning to write a full howto on this in the near future as part
of the HadrianWall project on GitHub.




[-- Attachment #2: keepalived-conntrack-manager.sh --]
[-- Type: application/x-sh, Size: 3590 bytes --]

[-- Attachment #3: fpingvrrpcheck.sh --]
[-- Type: application/x-sh, Size: 236 bytes --]
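An added example (not Paul's attached scripts and not the project's own configuration) of the keepalived and conntrackd settings the post above describes: both nodes in state BACKUP with different priorities, VRRP over a dedicated crossover bond that is deliberately not tracked, a single instance whose addresses carry per-VLAN dev arguments in iproute2 syntax, an fping-based upstream check, and FTFW sync with DisableExternalCache On. Interface names, addresses, the VRID, and the script paths are assumptions made for this example.

```conf
# /etc/keepalived/keepalived.conf on node A. Node B is identical except
# for "priority 100". Names, addresses, and paths are assumed.

vrrp_script chk_upstream {
    # Assumed fping wrapper: exits non-zero when no upstream router
    # answers, so this node loses weight and the peer wins the election.
    script "/usr/local/sbin/fpingvrrpcheck.sh"
    interval 2
    weight -60
}

vrrp_instance FW {
    # Both nodes start as BACKUP; only the priority decides who is MASTER.
    state BACKUP
    priority 150
    virtual_router_id 51
    advert_int 1
    # VRRP heartbeats travel over the dedicated crossover bond ...
    interface bond0
    # ... but bond0 is deliberately absent from track_interface: when the
    # peer reboots, the crossover link drops, and tracking it would put
    # this node into FAULT instead of letting it take over.
    track_interface {
        eth0
        eth1
    }
    track_script {
        chk_upstream
    }
    # One instance for all VLANs; every address names its own device,
    # i.e. "ip addr add 10.10.10.1/24 dev eth1.10" minus "ip addr add".
    virtual_ipaddress {
        192.0.2.1/24 dev eth0
        10.10.10.1/24 dev eth1.10
        10.10.20.1/24 dev eth1.20
        10.10.30.1/24 dev eth1.30
        10.10.40.1/24 dev eth1.40
    }
    # State changes drive conntrackd through a helper script (assumed
    # path; conntrack-tools ships a primary-backup.sh example to adapt).
    notify_master "/etc/conntrackd/primary-backup.sh primary"
    notify_backup "/etc/conntrackd/primary-backup.sh backup"
    notify_fault  "/etc/conntrackd/primary-backup.sh fault"
}

# /etc/conntrackd/conntrackd.conf on node A (swap the two addresses on B).
Sync {
    Mode FTFW {
        # Write the peer's flows straight into the kernel table instead of
        # parking them in the external cache until a failover commit.
        DisableExternalCache On
    }
    UDP {
        IPv4_address 10.255.255.1
        IPv4_Destination_Address 10.255.255.2
        Port 3780
        Interface bond0
    }
}

General {
    UNIX {
        Path /var/run/conntrackd.ctl
    }
    # Never replicate the sync link's own traffic.
    Filter From Userspace {
        Protocol Accept {
            TCP
            UDP
            ICMP
        }
        Address Ignore {
            IPv4_address 10.255.255.0/24
        }
    }
}
```

Pablo's caveat later in the thread still applies to this layout: on an asymmetric path a packet can reach the second node before the FTFW update for its flow does.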


* Re: Linux Firewall Active/Active
  2014-11-05 22:43     ` Paul Robert Marino
@ 2014-11-05 23:55       ` Pablo Neira Ayuso
  2014-11-06 14:37         ` Paul Robert Marino
  0 siblings, 1 reply; 14+ messages in thread
From: Pablo Neira Ayuso @ 2014-11-05 23:55 UTC (permalink / raw)
  To: Paul Robert Marino
  Cc: shawn wilson, Arturo Borrero Gonzalez, Ricardo Klein, netfilter

On Wed, Nov 05, 2014 at 05:43:39PM -0500, Paul Robert Marino wrote:
> I've actually been doing this successfully with conntrackd, keepalived,
> and quagga
> 
> Essentially I'm using quagga for OSPF and BGP externally with equal cost paths.
> 
> For conntrackd with FTFW and "DisableExternalCache On"
>
> Do NOT use the howtos on the web or the examples that come with
> conntrackd or keepalived for configuring keepalived; they are outdated
> and can cause major problems.

It would be great if you could contribute a patch to extend the
conntrack-tools manual to document this. The documentation is
available in docbook format in the git tree. People ask for this
configuration on the mailing list from time to time.

Thanks.

P.S.: I think that update should also indicate that race
conditions may happen between the synchronization and packets in an
active/active asymmetric path, so people are aware of it too.


* Re: Linux Firewall Active/Active
  2014-11-05 20:40 ` Arturo Borrero Gonzalez
  2014-11-05 21:45   ` shawn wilson
@ 2014-11-06 12:43   ` Robert Sander
  2014-11-06 13:21     ` Arturo Borrero Gonzalez
  1 sibling, 1 reply; 14+ messages in thread
From: Robert Sander @ 2014-11-06 12:43 UTC (permalink / raw)
  To: netfilter


On 05.11.2014 21:40, Arturo Borrero Gonzalez wrote:
> 
> I would recommend Debian, corosync + pacemaker.

Keepalived easily outperforms corosync + pacemaker if all you need are
managed IP addresses and routes in your firewall cluster.

Regards
-- 
Robert Sander
Heinlein Support GmbH
Schwedter Str. 8/9b, 10119 Berlin

http://www.heinlein-support.de

Tel: 030 / 405051-43
Fax: 030 / 405051-19

Mandatory information per §35a GmbHG:
HRB 93818 B / Amtsgericht Berlin-Charlottenburg,
Managing Director: Peer Heinlein -- Registered office: Berlin



* Re: Linux Firewall Active/Active
  2014-11-06 12:43   ` Robert Sander
@ 2014-11-06 13:21     ` Arturo Borrero Gonzalez
  2014-11-06 15:10       ` Paul Robert Marino
  0 siblings, 1 reply; 14+ messages in thread
From: Arturo Borrero Gonzalez @ 2014-11-06 13:21 UTC (permalink / raw)
  To: Robert Sander; +Cc: netfilter

On 6 November 2014 13:43, Robert Sander <r.sander@heinlein-support.de> wrote:
> On 05.11.2014 21:40, Arturo Borrero Gonzalez wrote:
>>
>> I would recommend Debian, corosync + pacemaker.
>
> Keepalived easily outperforms corosync + pacemaker if all you need are
> managed IP addresses and routes in your firewall cluster.

Maybe, but that is not the case. He needs squid and other things.

I prefer using corosync + pacemaker over manually writing a bunch
of scripts to manage the HA of services. It is more scalable and robust
from the 'services in HA' point of view.

-- 
Arturo Borrero González


* Re: Linux Firewall Active/Active
  2014-11-05 23:55       ` Pablo Neira Ayuso
@ 2014-11-06 14:37         ` Paul Robert Marino
  2014-11-06 15:53           ` Pablo Neira Ayuso
  0 siblings, 1 reply; 14+ messages in thread
From: Paul Robert Marino @ 2014-11-06 14:37 UTC (permalink / raw)
  To: Pablo Neira Ayuso
  Cc: shawn wilson, Arturo Borrero Gonzalez, Ricardo Klein, netfilter

I asked about updating the documentation before and no one responded. I
was perfectly willing to do it; I just didn't know the procedures.
I know it's on the todo list and has been for quite some time. I was
stunned that no one replied to my inquiry.



* Re: Linux Firewall Active/Active
  2014-11-06 13:21     ` Arturo Borrero Gonzalez
@ 2014-11-06 15:10       ` Paul Robert Marino
  0 siblings, 0 replies; 14+ messages in thread
From: Paul Robert Marino @ 2014-11-06 15:10 UTC (permalink / raw)
  To: Arturo Borrero Gonzalez; +Cc: Robert Sander, netfilter

I saw no mention of squid in this string, but it's not that difficult:
why not use a stock Nagios probe script with a wrapper? That's what I
usually do if I need to get a check script working in a hurry.

Also, different environments have different requirements as far as speed.
In broadcast video a second is an eternity when millions of dollars
can be lost for every frame of video lost in a commercial.
In stock exchanges they care more about consistency than speed. While
speed is good, they are more concerned that it's reliable and the
latency is precise and equal for all the traders until it leaves the
exchange's network.
By contrast hedge funds want reliability but are primarily concerned
about speed (as in low latency, not necessarily high bandwidth), so
they are often willing to try bleeding edge technology even if it only
shaves a nanosecond off the latency when getting to the exchange
gateways.
On the web a user waiting a couple of seconds may not be great, but it's
usually hidden from the user by some sort of loading screen that makes
the user think that something's happening. In addition, if it's a one
time unusual glitch in the session, users will usually blame it on
their device or internet provider.
In many standard desktop environments most IT departments won't care if
the internet is down for 30 seconds during a fail over event.

Failovers in keepalived are nearly immediate on a clean shutdown and
3 times the polling interval on a failure. The minimum interval is 1
second, but there are several patches out there for faster intervals.

Using a version of keepalived I hacked I was able to get the VRRP
interval down to 1/10th of a second with no appreciable impact. My test
at 1/100th of a second basically ate a whole CPU core but worked. It
was funny: at 1/100th of a second interval the VRRP heartbeats detected
a link down faster than the kernel, lol.

So it really all depends on what you are using the firewall for.







* Re: Linux Firewall Active/Active
  2014-11-06 14:37         ` Paul Robert Marino
@ 2014-11-06 15:53           ` Pablo Neira Ayuso
  0 siblings, 0 replies; 14+ messages in thread
From: Pablo Neira Ayuso @ 2014-11-06 15:53 UTC (permalink / raw)
  To: Paul Robert Marino
  Cc: shawn wilson, Arturo Borrero Gonzalez, Ricardo Klein, netfilter

On Thu, Nov 06, 2014 at 09:37:44AM -0500, Paul Robert Marino wrote:
> I asked about update the documentation before and no one responded. I
> was perfectly willing to do it I just didn't know the procedures.

You only have to prepare a patch for the .tmpl documentation in
docbook format that is available in the conntrack-tools git tree, then
send it to netfilter-devel.

You don't need to ask to improve the codebase / documentation; the usual
procedure in FOSS is to send improvements in the form of patches.

Thank you.

