TCLUG Archive

Re: [TCLUG:14127] temporary host reroute?



What you're really after is a High Availability configuration on your
firewalls.  You should check the Linux HA project:
http://metalab.unc.edu/pub/Linux/ALPHA/linux-ha/High-Availability-HOWTO.html

You can accomplish some level of HA/Redundancy using a duct tape method by
running routing protocols on your firewalls and peering with your external
router.  This can be done with something like OSPF.  The routes will be
shared between your firewalls and routers so in the event of a failure,
the external router will effectively "Open Shortest Path First" and route
the traffic to the online firewall.

This can create a problem for your internal networks as you now have two
default gateways (FW1 and FW2).  You *should* be able to configure the
network configs of each host on the network to route to the secondary GW
in the event of a failure but if you've got any Win or Macs inside, I
wouldn't count on it actually working (of course, this won't be a problem
if your firewalls are sandwiched by routers).

I don't really like this method as running routing protocols on firewalls
adds another element to the mix which can fail.  What's more, your router
admin may not want to peer with you.  In that case, you'll want to
investigate the HA configuration.  I've designed and admin'd both types 
of firewall clouds and can say that the HA config scales much better
overall (despite the challenging initial setup).  

There are a number of security concerns with this type of setup as well
(specifically the configuration of anti-spoofing rules on your firewalls). 
The network architecture, security design and firewall configs for
this type of config require a little more attention span than e-mail can
provide.  Let me know if you're interested in discussing this elsewhere.

Peter Lukas

On Mon, 28 Feb 2000, Mark Phillips wrote:

> I wonder if anyone can tell me whether the following is possible, and
> if so, how?  My knowledge of routing & subnets isn't far enough along
> to know for sure myself:
> 
> I have two separate LANS in two different physical locations.  Each
> LAN is connected to the internet via a firewall that does IP
> filtering/forwarding.  In both cases the firewall is a Linux box that
> I control, and the internal network is a subnet.  There's a web server
> inside subnet #1:
> 
>                        internet
>                   ...            ...
>                   /                \
>                  /                  \
>                 /                    \
>             ---------            ---------
>             | fw #1 |            | fw #2 |
>             ---------            ---------
>                 |                    |
>                 |                    |
>               LAN #1               LAN #2
>               (subnet #1)          (subnet #2)
>                including
>               web  server
> 
> 
> Suppose the web server's IP address is '1.2.3.4'.  If the web server
> goes down, I'd like to reprogram a machine inside LAN #2 to take on
> IP address '1.2.3.4' and reprogram the firewalls to forward the
> packets to the new location.
> 
> I know how to make a new machine take on an additional (or different)
> IP address.  What I don't know is how to set up the routes in the firewalls,
> or even if it's possible.  I don't have control of any of the routers
> upstream from my firewalls, and normally they're configured to route
> IP address '1.2.3.4' through fw #1.  So I'd like to set up fw #1 to
> route packets it receives for 1.2.3.4 over to fw #2, which would then
> send them on to the 'new' 1.2.3.4 in LAN #2.
> 
> I experimented with it unsuccessfully.  I did manage to get a machine
> inside LAN #2 to take on the IP address 1.2.3.4 (of course I used a
> real IP address when I did it; I'm just using 1.2.3.4 in this message
> as an example) and I got the routes on fw #2 set up so that fw #2
> could ping 1.2.3.4.  I then tried to set up a static host route on fw
> #1 specifying fw #2 as the gateway for reaching 1.2.3.4, but this
> didn't work.  fw #2 couldn't ping 1.2.3.4.
> 
> Can someone tell me if this is possible, and provide some hints
> on how to set up the routes?
> 
> Thanks in advance,
> 
> --Mark
> 
> Mark Phillips @ Geometry Technologies, Inc.
> 550 Gilbert Building, 413 Wacouta St., St. Paul, MN 55101
> Phone: 651-223-2884  Fax: 651-292-0014
> mbp@geomtech.com       http://www.geomtech.com
> 
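The two routing points raised in this thread (a static host route on fw #1 pointing at fw #2, and the anti-spoofing rules that a relocated address trips over) are easy to see in a small model of a Linux-style routing table. The script below is an added illustration written for this archive page; it is not code from either poster. It keeps the thread's example address 1.2.3.4, but the subnets (1.2.3.0/24 for subnet #1, 1.2.4.0/24 for subnet #2), the firewalls' outside addresses (198.51.100.0/24 and 203.0.113.0/24) and the interface names eth0/eth1 are constructed assumptions. It models three things: the kernel's refusal of a route whose next hop is not on a directly attached network (the "Nexthop has invalid gateway" error), a strict reverse-path filter on the inside interface of fw #2 before and after the host route is added, and an egress anti-spoofing rule on fw #2 that only passes source addresses from subnet #2, which the relocated 1.2.3.4 does not satisfy.

```python
"""Toy Linux-style routing table: longest-prefix match, next-hop validation
and strict reverse-path / egress anti-spoofing checks (constructed example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    iface: str
    gateway: Optional[ipaddress.IPv4Address] = None  # None: directly connected


class RoutingTable:
    def __init__(self) -> None:
        self.routes: list = []

    def lookup(self, dst: str, connected_only: bool = False) -> Optional[Route]:
        """Longest-prefix match for dst; optionally over connected routes only."""
        addr = ipaddress.ip_address(dst)
        best = None
        for r in self.routes:
            if connected_only and r.gateway is not None:
                continue
            if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        return best

    def add(self, prefix: str, iface: str, gateway: Optional[str] = None) -> Route:
        """Add a route. As in the Linux kernel, a next hop must lie on a
        directly connected network that is reached through the same interface."""
        net = ipaddress.ip_network(prefix, strict=False)
        gw = None
        if gateway is not None:
            gw = ipaddress.ip_address(gateway)
            via = self.lookup(gateway, connected_only=True)
            if via is None or via.iface != iface:
                raise ValueError(f"next hop {gw} is not on a network connected to {iface}")
        route = Route(net, iface, gw)
        self.routes.append(route)
        return route

    def strict_rpf_ok(self, src: str, in_iface: str) -> bool:
        """Strict reverse-path filter: accept only if the route back to src
        leaves through the interface the packet arrived on."""
        r = self.lookup(src)
        return r is not None and r.iface == in_iface


def egress_antispoof_ok(src: str, local_nets) -> bool:
    """Egress anti-spoofing rule: only our own internal source addresses
    may leave through the outside interface."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(n) for n in local_nets)


def build_fw1() -> RoutingTable:
    # Constructed: fw #1 has the internet on eth0 (upstream router 198.51.100.1)
    # and LAN #1 / subnet #1 (assumed 1.2.3.0/24) on eth1.
    t = RoutingTable()
    t.add("198.51.100.0/24", "eth0")
    t.add("1.2.3.0/24", "eth1")
    t.add("0.0.0.0/0", "eth0", gateway="198.51.100.1")
    return t


def build_fw2() -> RoutingTable:
    # Constructed: fw #2 at the other site, outside address in 203.0.113.0/24,
    # LAN #2 / subnet #2 (assumed 1.2.4.0/24) on eth1.
    t = RoutingTable()
    t.add("203.0.113.0/24", "eth0")
    t.add("1.2.4.0/24", "eth1")
    t.add("0.0.0.0/0", "eth0", gateway="203.0.113.1")
    return t


def host_route_via_remote_fw_accepted() -> bool:
    """Host route for 1.2.3.4 on fw #1 with fw #2's outside address as next hop.
    fw #2 is not on any link attached to fw #1, so the route is refused."""
    fw1 = build_fw1()
    try:
        fw1.add("1.2.3.4/32", "eth0", gateway="203.0.113.2")
        return True
    except ValueError:
        return False


def relocated_host_checks() -> dict:
    """Filter checks on fw #2 once a LAN #2 machine has taken over 1.2.3.4."""
    fw2 = build_fw2()
    rpf_before = fw2.strict_rpf_ok("1.2.3.4", "eth1")  # no host route yet: fails
    fw2.add("1.2.3.4/32", "eth1")                      # host route toward LAN #2
    rpf_after = fw2.strict_rpf_ok("1.2.3.4", "eth1")   # now passes
    egress = egress_antispoof_ok("1.2.3.4", ["1.2.4.0/24"])  # still blocked
    return {"rpf_before_host_route": rpf_before,
            "rpf_after_host_route": rpf_after,
            "egress_antispoof_passes": egress}


if __name__ == "__main__":
    print("host route via remote fw accepted:", host_route_via_remote_fw_accepted())
    print(relocated_host_checks())
```

The last check is the practical one for a defender: even once fw #2 can reach the new 1.2.3.4, an egress anti-spoofing rule written for subnet #2 alone will drop the server's replies, and an upstream provider doing ingress filtering on its side will do the same, so any failover design that moves an address between sites has to update those rules along with the routes.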