[Shorewall-users] linux-ha heartbeat .. failover firewall

Robin Mordasiewicz robin at primustel.ca
Sun Aug 31 14:31:00 PDT 2003


I have searched your FAQs and read the documentation on your site, as well
as googling. I am not able to figure this out. If you have any ideas, can
you please help?
I am using the linux-ha failover with redundant firewalls.
Part of the linux-ha software consists of a service called heartbeat,
which is a connection from each failover node through a serial cable or
ethernet. When the heartbeat runs over an ethernet cable it contacts the
other node over udp on port 694. There is also some type of broadcast ping
sent across. In my ha-log I see the error:
heartbeat:ERROR: Error sending packet: Operation not permitted
heartbeat:ERROR: write failure on bcast eth2.: Operation not permitted

I am able to manually ping the broadcast address and the other node
replies.
[castor ~]# ping 192.168.6.255 -b
WARNING: pinging broadcast address
64 bytes from 192.168.6.3: icmp_seq=1 ttl=64 time=0.708 ms
64 bytes from 192.168.6.2: icmp_seq=1 ttl=64 time=0.988 ms (DUP!)

I have eth0 as an external interface and eth1 as an internal interface. I
have added a third nic dedicated for the heartbeat connection between the
failover nodes. The other failover node has an address of 192.168.6.2 on
its eth2. I have tried this without executing "shorewall clear" on the
other node. I have created a zone called crs for the crossover connection between the nodes on eth2.

I have in my /etc/shorewall/rules
ACCEPT  fw  crs  udp  ha-cluster
ACCEPT  crs fw   udp  ha-cluster
ACCEPT  fw  crs  icmp 0
ACCEPT  crs fw   icmp 0
ACCEPT  fw  crs  icmp 8
ACCEPT  crs fw   icmp 8
ACCEPT  fw  crs  icmp 17
ACCEPT  crs fw   icmp 17
ACCEPT  fw  crs  icmp 18
ACCEPT  crs fw   icmp 18

and in /etc/shorewall/policy I have added
fw      crs     ACCEPT
crs     fw      ACCEPT


[castor ~]# shorewall
version 1.4.6b

[castor ~]# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
  link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
  inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
  link/ether 00:01:03:34:a3:fc brd ff:ff:ff:ff:ff:ff
  inet 216.254.179.44/29 brd 216.254.179.47 scope global eth0
  inet 216.254.179.42/29 brd 216.254.179.47 scope global secondary eth0:0
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
  link/ether 00:60:08:16:2f:cf brd ff:ff:ff:ff:ff:ff
  inet 192.168.5.3/24 brd 192.168.5.255 scope global eth1
  inet 192.168.5.1/24 brd 192.168.5.255 scope global secondary eth1:2
4: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
  link/ether 00:50:ba:72:a8:f1 brd ff:ff:ff:ff:ff:ff
  inet 192.168.6.3/24 brd 192.168.6.255 scope global eth2

[castor ~]# ip route show
216.254.179.40/29 dev eth0  scope link
192.168.6.0/24 dev eth2  scope link
192.168.5.0/24 dev eth1  scope link
127.0.0.0/8 dev lo  scope link
default via 216.254.179.41 dev eth0

[castor ~]# mii-tool
eth0: negotiated 100baseTx-FD flow-control, link ok
eth1: negotiated 100baseTx-FD, link ok
eth2: negotiated 100baseTx-FD, link ok

[castor ~]# ping 192.168.6.2
PING 192.168.6.2 (192.168.6.2) from 192.168.6.3 : 56(84) bytes of data.
64 bytes from 192.168.6.2: icmp_seq=1 ttl=64 time=1.23 ms
64 bytes from 192.168.6.2: icmp_seq=2 ttl=64 time=0.646 ms

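A small model of how Shorewall decides the fate of a packet between two zones, added here as an illustration (it is not Shorewall's own code and not from the poster). It feeds the rules and policy quoted in the message above, plus two constructed policy lines, through the same order of evaluation Shorewall uses: the rules file is consulted first, in order, and only when no rule matches does the zone-pair policy apply. It also shows the one check worth making on the rules as written: the port column carries a service name (ha-cluster), which iptables resolves through /etc/services, so an unresolvable name means the rule never loads. The service table, the extra policy lines and the toy matcher (zone pair, protocol and destination port or ICMP type only; source port, addresses, broadcast handling and interface options are ignored) are all assumptions of this example.

```python
# Added example, not Shorewall's code: a toy model of Shorewall's
# rules-then-policy evaluation for one packet between two zones.
# Assumptions: only zone pair, protocol and destination port / ICMP type
# are matched; addresses, source ports and interface options are ignored.
import re

# Constructed stand-in for /etc/services. Shorewall passes service names
# through to iptables, which resolves them via /etc/services; a name that
# is missing there makes the rule fail to load at 'shorewall start'.
SERVICES = {"ha-cluster": 694, "ssh": 22, "domain": 53}

# Rules exactly as quoted in the post (ACTION SOURCE DEST PROTO DEST-PORT).
RULES_TEXT = """\
ACCEPT  fw  crs  udp  ha-cluster
ACCEPT  crs fw   udp  ha-cluster
ACCEPT  fw  crs  icmp 0
ACCEPT  crs fw   icmp 0
ACCEPT  fw  crs  icmp 8
ACCEPT  crs fw   icmp 8
ACCEPT  fw  crs  icmp 17
ACCEPT  crs fw   icmp 17
ACCEPT  fw  crs  icmp 18
ACCEPT  crs fw   icmp 18
"""

# The two policy lines from the post, followed by two constructed catch-alls.
POLICY_TEXT = """\
fw      crs     ACCEPT
crs     fw      ACCEPT
net     all     DROP
all     all     REJECT
"""


def resolve_port(spec):
    """Turn a DEST-PORT column (number or service name) into an int."""
    if spec.isdigit():
        return int(spec)
    if spec in SERVICES:
        return SERVICES[spec]
    raise ValueError(f"unknown service {spec!r}: iptables would refuse the rule")


def _fields(text):
    """Yield whitespace-split fields of each non-blank, non-comment line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield re.split(r"\s+", line)


def parse_rules(text):
    """Return [(action, src_zone, dst_zone, proto, port), ...] in file order."""
    return [(a, s, d, p, resolve_port(port)) for a, s, d, p, port in _fields(text)]


def parse_policy(text):
    """Return [(src_zone, dst_zone, action), ...] in file order."""
    return [(s, d, a) for s, d, a in _fields(text)]


def rules_load(text):
    """True if every rule's port column is resolvable, i.e. the file would load."""
    try:
        parse_rules(text)
        return True
    except ValueError:
        return False


def evaluate(rules, policy, src_zone, dst_zone, proto, port):
    """First matching rule wins; otherwise the first matching policy line
    ('all' is a wildcard). Returns (action, where_it_was_decided)."""
    for action, rsrc, rdst, rproto, rport in rules:
        if (rsrc, rdst, rproto, rport) == (src_zone, dst_zone, proto, port):
            return action, "rule"
    for psrc, pdst, paction in policy:
        if psrc in (src_zone, "all") and pdst in (dst_zone, "all"):
            return paction, "policy"
    return "DROP", "default"


def heartbeat_verdicts(rules_text=RULES_TEXT, policy_text=POLICY_TEXT):
    """Verdicts for the traffic the post describes: the outbound heartbeat
    datagram (fw -> crs, udp/694) and the peer's echo reply (crs -> fw, icmp 0)."""
    rules, policy = parse_rules(rules_text), parse_policy(policy_text)
    return {
        "heartbeat_out": evaluate(rules, policy, "fw", "crs", "udp", 694),
        "echo_reply_in": evaluate(rules, policy, "crs", "fw", "icmp", 0),
    }


if __name__ == "__main__":
    print("rules load:", rules_load(RULES_TEXT))
    for name, verdict in heartbeat_verdicts().items():
        print(f"{name}: {verdict[0]} (decided by {verdict[1]})")
```

In this model the udp/694 traffic between fw and crs is accepted by an explicit rule, and even traffic with no rule is accepted by the fw/crs policy lines; so if the real host still returns "Operation not permitted", the cause lies in something the model leaves out (the broadcast destination address, interface options, or the rules file not loading as written), which is where to look next.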