Wednesday, November 23, 2016

Firewall HA with conntrackd and keepalived


As we are doing some keepalived work, and looking at groups of IPs, I came across a couple of links worth mentioning:

This link below shows an approach of using a vrrp_sync group for an internal and external network. This is very much along the lines of what we were thinking we wanted to achieve and it was nice to see reassurance that we might be using a sync group as it is intended to be used (given the dirth of use-case documentation on this).

http://manpages.ubuntu.com/manpages/precise/man5/keepalived.conf.5.html

Another link is this one below.

Up to this point I have only been testing the VIP assignment and reassignment by pulling cables and making firewall adjustments (to make sure the VRRP could get through the firewall).

This link below has me concerned that true client testing might (will?) fail. Because indeed, Firewalld and iptables on Linux are, indeed, stateful firewalls. So I may need this link to bail me out.

http://backreference.org/2013/04/03/firewall-ha-with-conntrackd-and-keepalived/

No comments:

Zabbix to BigPanda Webhook Integration

Background BigPanda has made its way into the organization. I wasn't sure at first why, given that there's no shortage of Network Mo...