
Jens.Neumann at zeda
Jul 16, 2003, 8:15 AM
Post #3 of 3
Dear Theo,

thanks for your help. We changed the braces in the virtual interface section. How can I ensure, during the first initialisation of the cluster, that my strongest server is the one with the working virtual IP?

With kind regards / Best regards

Jens Neumann
ZEDA GmbH & Co. KG, Dept. ZDT
Mühlenweg 17-37
D - 42270 Wuppertal
Tel.: +49 202 564-1175
Fax : +49 202 564-1384
Email: jens.neumann[at]zeda.de <mailto:jens.neumann[at]zeda.de>

-----Original Message-----
From: Theo E. Schlossnagle [SMTP:jesus[at]omniti.com]
Sent: Wednesday, 16 July 2003 16:33
To: wackamole-users[at]lists.backhand.org
Subject: Re: [Wackamole-users] "Only 254 prefered allowed"

Neumann, Jens wrote:
> Dear Mailinglist,
>
> we try to use spread/wackamole for one of our linux firewalls. We managed to
> make both addresses (internal and external of the firewall) change even
> in case of only one interface being down, but we still have a problem to
> find the right preferred parameter.
> We do have a class B network on the internal interface and a class C network
> on the outside interface. Our conf file looks like this:
>
> Spread = 4803
> SpreadRetryInterval = 5s
> Group = wack1
> Control = /var/run/wack.it
>
> # The preferred network card
> Prefer {
>     eth0:172.16.253.49/16
>     eth1:193.17.4.200/24
> }

You are telling it to prefer every address in those spaces. You want /32 on
those. The CIDR format above represents an IP block in all configuration
directives except "VirtualInterface", where it represents the netmask of the
desired interface.

> # ALL virtual interfaces
> VirtualInterfaces {
>     eth0:172.16.253.51/16
>     eth1:193.17.4.202/24
> }

There is a much easier way to do router configurations. Specify BOTH
interfaces in a single virtual interface:

VirtualInterfaces {
    {
        eth0:172.16.253.51/16
        eth1:193.17.4.202/24
    }
}

Note the extra grouping braces. This means that each machine will treat the
pair of interfaces as a single virtual interface. So, it is up (both) or it
is down (both) and never half up, half down.

This way you don't have the prefer setting -- which you don't want in the case
of a firewall anyway. If machine A goes down, you want machine B to take
responsibility. But when A comes back on, there is no reason to steal back
the VIF from B.

My router config is attached below:

> Arp-Cache = 90s
>
> # Notified on failure
> Notify {
>     # Let's notify our router:
>     eth0:172.16.1.1/32
>     eth0:172.16.253.50/32
>     eth0:172.16.253.44/32
>     eth0:195.145.130.24/32
>     eth1:193.17.4.201/32
>     Arp-cache
> }
>
> When we start the system we receive hundreds of error messages "Only 254
> prefered allowed" and no preference works at all. We need to define the
> main firewall as the preferred machine to use, because the cpu power on this box
> allows us to run an IDS system (snort) in addition to the firewalling
> activity. In case of using the backup hardware we can't run the IDS, but all
> other functions will continue to work and this is more than acceptable for
> us.
>
> What is the right syntax for this preferred option, or are there other ways to
> configure this preferred server scenario?
>
> Thanks for your help.
>
>
> With kind regards / Best regards
>
> Jens Neumann
>
> ZEDA GmbH & Co. KG, Dept. ZDT
> Mühlenweg 17-37
> D - 42270 Wuppertal
> Email: jens.neumann[at]zeda.de <mailto:jens.neumann[at]zeda.de>

On our system, we have two machines on the network. We give them normal
unchanging IP addresses:

Machine A: { 10.77.52.2, 66.77.52.2, 63.236.106.103 }
Machine B: { 10.77.52.3, 66.77.52.3, 63.236.106.104 }

These IPs never change. But wackamole covers the default routes on each
network, which are:

Routes: { 10.77.52.1, 66.77.52.1, 63.236.106.102 }

wackmole.conf excerpt:

Spread = 3777
Group = wack1
Control = /var/run/wack.it
Prefer None
VirtualInterfaces {
    {
        fxp2:10.77.52.1/32
        fxp1:66.77.52.1/32
        fxp0:63.236.106.102/32
    }
}
arp-cache = 90s
mature = 5s

--
Theo Schlossnagle
Principal Consultant
OmniTI Computer Consulting, Inc. -- http://www.omniti.com/
Phone: +1 410 872 4910 x201 Fax: +1 410 872 4911
1024D/82844984/95FD 30F1 489E 4613 F22E 491A 7E88 364C 8284 4984
2047R/33131B65/71 F7 95 64 49 76 5D BA 3D 90 B9 9F BE 27 24 E7

_______________________________________________
wackamole-users mailing list
wackamole-users[at]lists.backhand.org
http://lists.backhand.org/mailman/listinfo/wackamole-users
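The two mistakes Theo points out above (a Prefer block written in /16 and /24 block notation, which expands to tens of thousands of "preferred" addresses and trips the "Only 254 prefered allowed" error, and two VirtualInterfaces entries that are separate VIFs instead of one grouped pair) are easy to miss by eye. Below is a small lint script for that config syntax, added here as an example; it is not part of the thread and not the wackamole project's own tooling. The two sample configs are constructed from the fragments posted in the thread (the Notify block shortened), the brace grammar is assumed from those fragments, and the 254 limit is taken from the quoted error message. Each CIDR outside VirtualInterfaces is expanded with Python's ipaddress module to count how many hosts it actually names.

```python
"""Lint a wackamole.conf fragment for the two mistakes discussed in the thread.

Added example; assumes the brace grammar seen in the posted config fragments."""
import ipaddress
import re

MAX_PREFER = 254   # limit named in the "Only 254 prefered allowed" error message

# Constructed from the thread: Prefer in block notation, VIFs not grouped.
BAD_CONF = """
Spread = 4803
SpreadRetryInterval = 5s
Group = wack1
Control = /var/run/wack.it
# The preferred network card (block notation, not single hosts)
Prefer {
    eth0:172.16.253.49/16
    eth1:193.17.4.200/24
}
VirtualInterfaces {
    eth0:172.16.253.51/16
    eth1:193.17.4.202/24
}
Arp-Cache = 90s
Notify {
    eth0:172.16.1.1/32
    eth1:193.17.4.201/32
    Arp-cache
}
"""

# Constructed from Theo's router excerpt: no Prefer, one grouped VIF.
GOOD_CONF = """
Spread = 3777
Group = wack1
Control = /var/run/wack.it
Prefer None
VirtualInterfaces {
    { fxp2:10.77.52.1/32 fxp1:66.77.52.1/32 fxp0:63.236.106.102/32 }
}
arp-cache = 90s
mature = 5s
"""


def tokenize(text):
    """Drop '#' comments and split into tokens; each brace is its own token."""
    stripped = re.sub(r"#[^\n]*", "", text)
    return re.findall(r"[{}]|[^\s{}]+", stripped)


def parse_block(tokens, i):
    """Parse items after an opening '{' up to its matching '}'.

    Returns (items, index just past the '}'); nested braces become nested lists."""
    items = []
    while i < len(tokens):
        tok = tokens[i]
        if tok == "}":
            return items, i + 1
        if tok == "{":
            sub, i = parse_block(tokens, i + 1)
            items.append(sub)
        else:
            items.append(tok)
            i += 1
    raise ValueError("unbalanced braces: missing '}'")


def parse_conf(text):
    """Parse 'Key = value', 'Key value' and 'Key { ... }' directives into a dict."""
    tokens = tokenize(text)
    conf, i = {}, 0
    while i < len(tokens):
        key = tokens[i]
        if i + 1 >= len(tokens):
            raise ValueError(f"directive {key!r} has no value")
        nxt = tokens[i + 1]
        if nxt == "=":
            if i + 2 >= len(tokens):
                raise ValueError(f"directive {key!r} has no value")
            conf[key], i = tokens[i + 2], i + 3
        elif nxt == "{":
            conf[key], i = parse_block(tokens, i + 2)
        else:                      # bare-word form, e.g. 'Prefer None'
            conf[key], i = nxt, i + 2
    return conf


def block_size(entry):
    """'eth0:172.16.253.49/16' -> number of addresses that CIDR denotes (65536)."""
    _iface, cidr = entry.split(":", 1)
    return ipaddress.ip_network(cidr, strict=False).num_addresses


def prefer_address_count(conf):
    """Addresses the Prefer block expands to; 0 for 'Prefer None' or no Prefer."""
    prefer = conf.get("Prefer")
    if not isinstance(prefer, list):
        return 0
    return sum(block_size(e) for e in prefer if isinstance(e, str))


def lint(conf):
    """Return human-readable findings; an empty list means both checks passed."""
    findings = []
    total = prefer_address_count(conf)
    if total > MAX_PREFER:
        findings.append(
            f"Prefer expands to {total} addresses (limit {MAX_PREFER}); "
            "outside VirtualInterfaces a CIDR is a block, so write /32 per host")
    vifs = conf.get("VirtualInterfaces", [])
    ungrouped = [e for e in vifs if isinstance(e, str)]
    if len(ungrouped) > 1:
        findings.append(
            f"{len(ungrouped)} VirtualInterfaces entries are independent VIFs and "
            "can fail over separately; wrap them in one inner { } group")
    return findings


if __name__ == "__main__":
    for name, text in (("BAD_CONF", BAD_CONF), ("GOOD_CONF", GOOD_CONF)):
        print(name, lint(parse_conf(text)) or "ok")
```

Run as a script it reports two findings for the posted configuration and none for the router excerpt. The grouping check only looks at the top level of VirtualInterfaces, so a config with several deliberate inner groups (several independent VIF pairs) is not flagged.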