<html> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>4. Network Interface and Firewall Failover</title> <link rel="stylesheet" href="images/mdk-doc.css" type="text/css"> <meta name="generator" content="DocBook XSL Stylesheets V1.73.2"> <link rel="start" href="index.html" title="Mastering Mandriva Linux"> <link rel="up" href="mcc-security.html" title="Chapter 14. “Security” Section"> <link rel="prev" href="tinyfirewall.html" title="3. Securing your Internet Access via DrakFirewall"> <link rel="next" href="mcc-boot.html" title="Chapter 15. Boot Device Configuration"> </head> <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"> <div class="navheader"> <table width="100%" summary="Navigation header"> <tr> <th colspan="3" align="center">4. Network Interface and Firewall Failover</th> </tr> <tr> <td width="20%" align="left"><a accesskey="p" href="tinyfirewall.html">Prev</a> </td> <th width="60%" align="center">Chapter 14. “<span class="quote">Security</span>” Section </th> <td width="20%" align="right"> <a accesskey="n" href="mcc-boot.html">Next</a></td> </tr> </table> <hr> </div> <div class="section" lang="en"> <div class="titlepage"> <div> <div> <h2 class="title" style="clear: both"><a name="drakinvictus"></a>4. Network Interface and Firewall Failover </h2> </div> </div> </div> <a class="indexterm" name="d5e9119"></a> <a class="indexterm" name="d5e9122"></a> <p><span class="inlinemediaobject"><img src="images/drakinvictus-icon.png"></span>This tool configures your system so that it can automatically replicate its firewall state to a different machine. In case of failure, it provides a highly available firewall service for your network. Please note that two firewall machines are needed, both configured similarly. </p> <div class="figure"><a name="d5e9129"></a><p class="title"><b>Figure 14.9. 
Highly Available Firewall</b></p> <div class="figure-contents"> <div class="mediaobject" align="center"><img src="images/drakinvictus.png" align="middle" alt="Highly Available Firewall"></div> </div> </div><br class="figure-break"> <p>The firewall configuration for the master and slave should be similar, or at least have rules for common services configured identically, so that transparency (at least for those services) is achieved. The clients are configured to use the Virtual IP address of the replication pool. </p> <p>Firewall replication automatically moves the connection state from the failing firewall to the replica, providing workstations with an uninterrupted firewall service in a transparent way. Workstations don't lose their already established network connections to the outside. </p> <p>Open <span class="application">DrakInvictus</span> by choosing <span class="guilabel">Advanced setup for network interfaces and firewall</span> in the <span class="guilabel">Security</span> section of the <span class="application">Mandriva Control Center</span>. At the top you configure network redundancy and at the bottom you configure firewall replication. Please note that this tool has to be run on each server which is part of the replication pool. </p> <div class="figure"><a name="d5e9143"></a><p class="title"><b>Figure 14.10. The DrakInvictus Window</b></p> <div class="figure-contents"> <div class="mediaobject" align="center"><img src="images/drakinvictus-main.png" align="middle" alt="The DrakInvictus Window"></div> </div> </div><br class="figure-break"> <div class="section" lang="en"> <div class="titlepage"> <div> <div> <h3 class="title"><a name="d5e9150"></a>4.1. 
Network Redundancy Configuration </h3> </div> </div> </div> <p>Fill in the following fields for the interface corresponding to the network where the other server (the one providing network redundancy) is located, for example <span class="guilabel">eth0</span>: </p> <div class="variablelist"> <dl> <dt><span class="term">Real Address</span></dt> <dd> <p>IP address of the interface. This is the physical address of this server on the network. </p> </dd> <dt><span class="term">Virtual shared address</span></dt> <dd> <p>Virtual IP address shared by both servers. Fill it with an unused, fixed IP address on the network. This is the address clients will use as their Internet gateway. Please note that this address must be the same on both the master and slave servers. </p> </dd> <dt><span class="term">Virtual ID</span></dt> <dd> <p>Shared identifier number (between 1 and 255). Please note that this ID must be the same on both the master and slave servers. </p> </dd> <dt><span class="term">Password</span></dt> <dd> <p>Provide a password to be used by the replicated machines to identify themselves as being part of the same replication pool. </p> </dd> <dt><span class="term">Start as master</span></dt> <dd> <p>One of the servers must be declared as Master, to allow for proper recovery when the master returns to service. Check this box to override the default and recommended setting of having the system arbitrarily decide which server is the Master and which is the Slave. </p> </dd> </dl> </div> </div> <div class="section" lang="en"> <div class="titlepage"> <div> <div> <h3 class="title"><a name="d5e9175"></a>4.2. 
Firewall Replication Configuration </h3> </div> </div> </div> <p>Check <span class="guilabel">Synchronize firewall conntrack tables</span> to enable firewall replication and select the following: </p> <div class="variablelist"> <dl> <dt><span class="term">Synchronization network interface</span></dt> <dd> <p>Choose the interface connected to the network on which both firewalls communicate. Please note that this interface cannot be the same one used for network redundancy. </p> </dd> <dt><span class="term">Connection mark bit</span></dt> <dd> <p>Bit number of the connection mark field used for connection tracking; you can leave it at the default value, <code class="literal">30</code>. </p> </dd> </dl> </div> </div> </div> <div class="navfooter"> <hr> <table width="100%" summary="Navigation footer"> <tr> <td width="40%" align="left"><a accesskey="p" href="tinyfirewall.html">Prev</a> </td> <td width="20%" align="center"><a accesskey="u" href="mcc-security.html">Up</a></td> <td width="40%" align="right"> <a accesskey="n" href="mcc-boot.html">Next</a></td> </tr> <tr> <td width="40%" align="left" valign="top">3. Securing your Internet Access via DrakFirewall </td> <td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td> <td width="40%" align="right" valign="top"> Chapter 15. Boot Device Configuration</td> </tr> </table> </div> </body> </html>
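The constraints stated in sections 4.1 and 4.2 (the same virtual address, virtual ID and password on both servers, an unused virtual address on the redundancy network, a synchronization interface distinct from the redundancy interface, a mark bit that fits the connection mark field, and only one server started as master) can be checked on the two servers' settings before the pool goes live. This is an added example, not part of the Mandriva manual or of DrakInvictus itself; the dictionary layout, field names and addresses are assumptions.

```python
# Consistency checks for a two-node DrakInvictus replication pool.
# Constructed example: field names mirror the dialog, the layout is assumed.
import ipaddress

MASTER = {
    "interface": "eth0", "real_address": "192.0.2.2/24",
    "virtual_address": "192.0.2.1", "virtual_id": 51,
    "password": "pool-secret", "start_as_master": True,
    "sync_interface": "eth1", "mark_bit": 30,
}
# Constructed slave settings: same pool values, its own real address.
SLAVE = dict(MASTER, real_address="192.0.2.3/24", start_as_master=False)


def check_node(cfg):
    """Per-server checks; returns a list of problems (empty means ok)."""
    problems = []
    real = ipaddress.ip_interface(cfg["real_address"])
    vip = ipaddress.ip_address(cfg["virtual_address"])
    if not 1 <= cfg["virtual_id"] <= 255:
        problems.append("virtual_id outside 1-255")
    if vip not in real.network:
        problems.append("virtual address not on the redundancy network")
    if vip == real.ip:
        problems.append("virtual address collides with real address")
    if cfg["sync_interface"] == cfg["interface"]:
        problems.append("sync interface must differ from redundancy interface")
    if not 0 <= cfg["mark_bit"] <= 31:
        problems.append("mark bit outside the 32-bit connection mark")
    if not cfg["password"]:
        problems.append("empty pool password")
    return problems


def check_pool(a, b):
    """Cross-server checks: values that must match, plus exactly one master."""
    problems = []
    for key in ("virtual_address", "virtual_id", "password"):
        if a[key] != b[key]:
            problems.append(f"{key} differs between servers")
    if a["real_address"] == b["real_address"]:
        problems.append("both servers use the same real address")
    if a["start_as_master"] and b["start_as_master"]:
        problems.append("both servers start as master")
    return problems


if __name__ == "__main__":
    print(check_node(MASTER), check_node(SLAVE), check_pool(MASTER, SLAVE))
```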