Comments on: Firewall HA with conntrackd and keepalived
https://backreference.org/2013/04/03/firewall-ha-with-conntrackd-and-keepalived/

By: waldner, Wed, 21 Jun 2017 11:30:17 +0000 (https://backreference.org/2013/04/03/firewall-ha-with-conntrackd-and-keepalived/#comment-25297), in reply to James.

It's difficult to tell. Make sure you have the correct rules configured in the firewall (that is, don't just set everything to ACCEPT).

By: James, Mon, 19 Jun 2017 14:09:25 +0000 (https://backreference.org/2013/04/03/firewall-ha-with-conntrackd-and-keepalived/#comment-25296), in reply to waldner.

That's perfect. Do you have any thoughts on why it is dropping TCP connections on failover? I am testing your configuration. Only the addresses are changed. It works fine if I launch a ping from a test host but drops the session when I launch an SSH connection. Thanks.

By: waldner, Mon, 19 Jun 2017 12:08:14 +0000 (https://backreference.org/2013/04/03/firewall-ha-with-conntrackd-and-keepalived/#comment-25295), in reply to James.

Yes, you can configure LAN hosts to use the VIP as their gateway.

By: James, Mon, 19 Jun 2017 11:51:52 +0000 (https://backreference.org/2013/04/03/firewall-ha-with-conntrackd-and-keepalived/#comment-25294)

How do you configure your LAN for the VIP? Does the default gateway point to the LAN VIP? Or is there some other way to route traffic from the LAN to one of the two FWs?

By: waldner, Sat, 30 Nov 2013 12:19:56 +0000 (https://backreference.org/2013/04/03/firewall-ha-with-conntrackd-and-keepalived/#comment-25013), in reply to Todd.

Well, there's really no mystery; it's just the same normal iptables rules you'd use to do that, but with the added requirement that anything that is not accepted by a rule be dropped. In practice, you normally just set the default policies for the INPUT, OUTPUT and FORWARD chains to DROP and you're set. Alternatively, you can add a last rule to each chain that just DROPs everything that gets that far.
