Firewall Builder Clustering Add-On ================================== Copyright (c) 2009 secunet Security Networks AG, Germany Copyright (c) 2009 Adrian-Ken Rueegsegger Copyright (c) 2009 Reto Buerki Index ----- 1 - Introduction 2 - Definition 3 - Usage 4 - Example 5 - Things to consider 6 - References Introduction ------------ The Firewall Builder Clustering Add-On provides the possibility to manage multiple firewall objects together as one Cluster object. Cluster objects are used to configure HA (High Availability) features like conntrack [1] and VRRP [2] (Virtual Router Redundancy Protocol). Definition ---------- In the context of this Add-On a 'cluster' object is regarded as a meta-object grouping multiple firewall objects. This allows for a much simpler and convenient configuration of a HA scenario. The configuration is done once for the meta-object 'Cluster' and automatically compiled and distributed for each cluster member firewall. [cluster] (meta-object) | | +-----------------+-----------------+ | | | [fw1] (object) [fw2] (object) [fwX] (object) Usage ----- To use the clustering feature, you need to create firewalls which will be part of a HA cluster and create the cluster itself. The following two sections describe the necessary steps. Firewall configuration ~~~~~~~~~~~~~~~~~~~~~~ Make sure that all firewalls of a cluster use the same host OS and platform. The host OS and platform of all cluster member firewalls must match the one specified for the cluster itself. The following diagram defines two firewalls configured appropriately as cluster members: [fw1] [OS: secunet wall, Platform: iptables] | +---o eth0: outside (ext) | +---o IP: 172.24.0.2/255.255.0.0 | +---o eth1: inside +---o IP: 192.168.1.2/255.255.255.0 [fw2] [OS: secunet wall, Platform: iptables] | +---o eth0: outside (ext) | +---o IP: 172.24.0.3/255.255.0.0 | +---o eth1: inside +---o IP: 192.168.1.3/255.255.255.0 Both firewalls have an outside and an inside interface. In a cluster scenario, these interfaces will be combined to a redundant VRRP cluster interface. VRRP requires all interfaces joined to a VRRP group to be in the same subnet, with unique IP addresses. Cluster configuration ~~~~~~~~~~~~~~~~~~~~~ Now it's time to create a Cluster object which will act as meta-object for fw1 and fw2: [cluster1] [OS: secunet wall, Platform: iptables] | +---o eth0: outside (ext) | +---o IP: 172.24.0.1/255.255.0.0 | +---o Failover group0 (vrrp) | +---o eth1: inside (mgmt) | +---o IP: 192.168.1.1/255.255.255.0 | +---o Failover group1 (vrrp) | +---o State synchronization group (conntrack) Use the 'Manage Members' button to add firewall interfaces to the failover and state synchronization groups of the cluster. Additionally you need to specify which firewall interface is to act as master of the group. The firewall interfaces added to the state synchronization group will be used to keep the state information of the cluster members in sync. Typically the internal management interfaces are chosen as members of the conntrack group. For all cluster groups the IP addresses of it's firewall member interfaces have to be in the same subnet and the subnet mask must be identical to the one of the cluster interface. The following table shows the mapping of interfaces to cluster groups for our example configuration: +-----------------+--------------------+ | group | mapped interfaces | +-----------------+--------------------+ | State sync | fw1:eth1, fw2:eth1 | | Failover group0 | fw1:eth0, fw2:eth0 | | Failover group1 | fw1:eth1, fw2:eth1 | +-----------------+--------------------+ NAT/Policy/Routing Rules ~~~~~~~~~~~~~~~~~~~~~~~~ NAT, policy and routing rules are configured on the cluster meta-object. Rules are specified in the usual manner. Use the cluster object or it's interfaces as rule elements as you would for a regular firewall. Compilation/Installation/Export ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ It's possible to compile and install firewalls which are part of a cluster by selecting the cluster meta-object and the corresponding action (Compile/Install). If you perform such an action on the cluster meta-object, all member firewalls will be selected automatically. Thus the cluster object provides a convenient way to perform actions on all cluster member firewalls. NOTE: If you compile/install a firewall which is part of a cluster by using the compile/install action of the firewall directly, the cluster parts will be omitted from the generated script. Cluster template ~~~~~~~~~~~~~~~~ This Add-On includes Cluster templates which can be used as starting point for complex cluster configurations. Enable the 'Use preconfigured template cluster object' checkbox when creating a new cluster object to use these templates. Example ------- The scenario described in this README can be found as example Firewall Builder file here [3]. For more examples on how to configure different cluster scenarios see the Firewall Builder Cookbook. Things to consider ------------------ * Host OS and platform of firewall members must match OS and platform of the cluster. * Cluster member firewalls must have at least one physical interface attached. * All IP addresses of interfaces added to a cluster group must be in the same subnet. * All addresses of a cluster group must be unique. * Cluster interface names must be unique per cluster. References ---------- [1] - http://conntrack-tools.netfilter.org/ [2] - RFC3768 - Virtual Router Redundancy Protocol (VRRP) [3] - doc/cluster_examples.fwb