Firewall Builder Clustering Add-On
==================================
Copyright (c) 2009 secunet Security Networks AG, Germany
Copyright (c) 2009 Adrian-Ken Rueegsegger <rueegsegger@swiss-it.ch>
Copyright (c) 2009 Reto Buerki <buerki@swiss-it.ch>
Index
-----
1 - Introduction
2 - Definition
3 - Usage
4 - Example
5 - Things to consider
6 - References
Introduction
------------
The Firewall Builder Clustering Add-On makes it possible to manage multiple
firewall objects together as one Cluster object. Cluster objects are used to
configure HA (High Availability) features such as connection state
synchronization with conntrack [1] and VRRP [2] (Virtual Router Redundancy
Protocol).
Definition
----------
In the context of this Add-On, a 'cluster' object is a meta-object that groups
multiple firewall objects. This makes the configuration of an HA scenario much
simpler and more convenient: the configuration is done once for the 'Cluster'
meta-object and is then compiled and distributed automatically for each cluster
member firewall.
                   [cluster] (meta-object)
                              |
                              |
            +-----------------+-----------------+
            |                 |                 |
     [fw1] (object)    [fw2] (object)    [fwX] (object)
Usage
-----
To use the clustering feature, you need to create firewalls which will be part
of a HA cluster and create the cluster itself. The following two sections
describe the necessary steps.
Firewall configuration
~~~~~~~~~~~~~~~~~~~~~~
All firewalls of a cluster must use the same host OS and platform, and both
must match the host OS and platform specified for the cluster itself.
The following diagram shows two firewalls configured appropriately as cluster
members:
[fw1] [OS: secunet wall, Platform: iptables]
  |
  +---o eth0: outside (ext)
  |      +---o IP: 172.24.0.2/255.255.0.0
  |
  +---o eth1: inside
         +---o IP: 192.168.1.2/255.255.255.0

[fw2] [OS: secunet wall, Platform: iptables]
  |
  +---o eth0: outside (ext)
  |      +---o IP: 172.24.0.3/255.255.0.0
  |
  +---o eth1: inside
         +---o IP: 192.168.1.3/255.255.255.0
Both firewalls have an outside and an inside interface. In a cluster scenario,
each pair of corresponding interfaces is combined into a redundant VRRP cluster
interface. VRRP requires all interfaces joined to a VRRP group to be in the same
subnet, each with a unique IP address; the address of the cluster interface is
the virtual address of the group, answered for by whichever member is currently
master.
Cluster configuration
~~~~~~~~~~~~~~~~~~~~~
Now it's time to create a Cluster object which will act as meta-object for fw1
and fw2:
[cluster1] [OS: secunet wall, Platform: iptables]
  |
  +---o eth0: outside (ext)
  |      +---o IP: 172.24.0.1/255.255.0.0
  |      +---o Failover group0 (vrrp)
  |
  +---o eth1: inside (mgmt)
  |      +---o IP: 192.168.1.1/255.255.255.0
  |      +---o Failover group1 (vrrp)
  |
  +---o State synchronization group (conntrack)
Use the 'Manage Members' button to add firewall interfaces to the failover and
state synchronization groups of the cluster. Additionally you need to specify
which firewall interface is to act as master of the group.
The firewall interfaces added to the state synchronization group are used to
keep the connection state of the cluster members in sync. Typically the
internal management interfaces are chosen as members of the conntrack group;
since the synchronization traffic carries the cluster's complete connection
state table, it should run over a dedicated or otherwise trusted link.
For every cluster group, the IP addresses of its member firewall interfaces
have to be in the same subnet, and their subnet mask must be identical to that
of the corresponding cluster interface.
The following table shows the mapping of interfaces to cluster groups for our
example configuration:
+-----------------+--------------------+
| group | mapped interfaces |
+-----------------+--------------------+
| State sync | fw1:eth1, fw2:eth1 |
| Failover group0 | fw1:eth0, fw2:eth0 |
| Failover group1 | fw1:eth1, fw2:eth1 |
+-----------------+--------------------+
NAT/Policy/Routing Rules
~~~~~~~~~~~~~~~~~~~~~~~~
NAT, policy and routing rules are configured on the cluster meta-object. Rules
are specified in the usual manner: use the cluster object or its interfaces as
rule elements just as you would for a regular firewall.
Compilation/Installation/Export
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Firewalls which are part of a cluster can be compiled and installed by
selecting the cluster meta-object and the corresponding action
(Compile/Install).
Performing such an action on the cluster meta-object selects all member
firewalls automatically, so the cluster object is a convenient way to perform
actions on all cluster member firewalls at once.
NOTE: If you compile/install a firewall which is part of a cluster by using the
compile/install action of the firewall directly, the cluster-specific parts
are omitted from the generated script.
Cluster template
~~~~~~~~~~~~~~~~
This Add-On includes Cluster templates which can be used as a starting point
for complex cluster configurations. Enable the 'Use preconfigured template
cluster object' checkbox when creating a new cluster object to use them.
Example
-------
The scenario described in this README is available as an example Firewall
Builder file [3]. For more examples of how to configure different cluster
scenarios, see the Firewall Builder Cookbook.
Things to consider
------------------
* Host OS and platform of firewall members must match OS and platform of the
cluster.
* Cluster member firewalls must have at least one physical interface attached.
* All IP addresses of interfaces added to a cluster group must be in the same
subnet.
* All addresses of a cluster group must be unique.
* Cluster interface names must be unique per cluster.
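The constraints listed above and in the 'Cluster configuration' section can be
checked mechanically before a cluster is compiled. The following Python script
is an added example written for this README; it is not part of the Add-On or of
Firewall Builder and does not read .fwb files. Its data model (Interface,
Firewall, Group, Cluster) and the sample data reproducing fw1/fw2/cluster1 are
constructed here for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Data model is an assumption made for this example, not Firewall Builder's own.
@dataclass
class Interface:
    name: str
    address: str  # "ip/netmask" exactly as written in this README

@dataclass
class Firewall:
    name: str
    host_os: str
    platform: str
    interfaces: List[Interface]

@dataclass
class Group:
    name: str
    members: List[Tuple[str, str]]       # (firewall name, interface name) pairs
    master: Tuple[str, str]              # which member interface is master of the group
    cluster_iface: Optional[str] = None  # set for failover (vrrp) groups, None for state sync

@dataclass
class Cluster:
    name: str
    host_os: str
    platform: str
    interfaces: List[Interface]
    groups: List[Group]
    firewalls: Dict[str, Firewall]

def validate(c: Cluster) -> List[str]:
    """Return 'code: detail' strings for every violated constraint; [] means consistent."""
    errs: List[str] = []
    for fw in c.firewalls.values():
        for attr in ("host_os", "platform"):  # members must match the cluster's OS/platform
            if getattr(fw, attr) != getattr(c, attr):
                errs.append(f"{attr}-mismatch: {fw.name} '{getattr(fw, attr)}' vs cluster '{getattr(c, attr)}'")
        if not fw.interfaces:
            errs.append(f"no-interfaces: {fw.name} has no physical interface")
    names = [i.name for i in c.interfaces]  # cluster interface names are unique per cluster
    for n in sorted(set(names)):
        if names.count(n) > 1:
            errs.append(f"duplicate-cluster-interface: {n}")
    cluster_net = {i.name: ipaddress.ip_interface(i.address) for i in c.interfaces}
    for g in c.groups:
        if g.master not in g.members:
            errs.append(f"master-not-member: {g.name} master {g.master}")
        addrs = []  # (label, IPv4Interface) for each member interface of the group
        for fw_name, if_name in g.members:
            i = next(x for x in c.firewalls[fw_name].interfaces if x.name == if_name)
            addrs.append((f"{fw_name}:{if_name}", ipaddress.ip_interface(i.address)))
        # all member addresses of a group share one subnet, and no address is used twice
        nets = {a.network for _, a in addrs}
        if len(nets) > 1:
            errs.append(f"subnet-mismatch: {g.name} spans {sorted(map(str, nets))}")
        seen = set()
        for label, a in addrs:
            if a.ip in seen:
                errs.append(f"duplicate-address: {g.name} {label} reuses {a.ip}")
            seen.add(a.ip)
        # failover group: member mask must equal the cluster interface's mask and members must sit in its subnet
        if g.cluster_iface is not None:
            ci = cluster_net[g.cluster_iface]
            for label, a in addrs:
                if a.network.netmask != ci.network.netmask:
                    errs.append(f"mask-mismatch: {g.name} {label} mask {a.network.netmask} != {ci.network.netmask}")
                elif a.network != ci.network:
                    errs.append(f"subnet-mismatch: {g.name} {label} is outside {ci.network}")
    return errs

def example_cluster() -> Cluster:
    """fw1/fw2/cluster1 as drawn in this README (constructed sample data, built fresh per call)."""
    fws = {n: Firewall(n, "secunet wall", "iptables",
                       [Interface("eth0", f"172.24.0.{k}/255.255.0.0"),
                        Interface("eth1", f"192.168.1.{k}/255.255.255.0")])
           for n, k in (("fw1", 2), ("fw2", 3))}
    return Cluster(
        "cluster1", "secunet wall", "iptables",
        interfaces=[Interface("eth0", "172.24.0.1/255.255.0.0"),
                    Interface("eth1", "192.168.1.1/255.255.255.0")],
        groups=[Group("group0", [("fw1", "eth0"), ("fw2", "eth0")], ("fw1", "eth0"), "eth0"),
                Group("group1", [("fw1", "eth1"), ("fw2", "eth1")], ("fw1", "eth1"), "eth1"),
                Group("state-sync", [("fw1", "eth1"), ("fw2", "eth1")], ("fw1", "eth1"))],
        firewalls=fws)

def misconfigured_cluster() -> Cluster:
    """Variant where fw2:eth0 reuses fw1's address and carries a /24 mask on a /16 group."""
    c = example_cluster()
    c.firewalls["fw2"].interfaces[0] = Interface("eth0", "172.24.0.2/255.255.255.0")
    return c

if __name__ == "__main__":
    print(validate(example_cluster()) or "OK", validate(misconfigured_cluster()), sep="\n")
```

Running the script reports "OK" for the README scenario and three findings for
the deliberately broken copy: the two eth0 members no longer share a subnet,
fw2:eth0 duplicates fw1's address, and its mask differs from the cluster
interface's. The mask check is done against the failover group's cluster
interface rather than only between members, because a member that agrees with
its peer but not with the cluster interface would still produce a VRRP
instance on the wrong subnet.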
References
----------
[1] - http://conntrack-tools.netfilter.org/
[2] - RFC 3768 - Virtual Router Redundancy Protocol (VRRP)
[3] - doc/cluster_examples.fwb