This tool configures your system so that it can automatically replicate its firewall state to a different machine. In case of failure, it provides a highly available firewall service for your network. Please note that two firewall machines are needed, both configured similarly.
The firewall configuration for the master and slave should be similar, or at least have rules for common services configured identically, so that transparency (at least for those services) is achieved. The clients are configured to use the Virtual IP address of the replication pool.
Firewall replication automatically moves the connection state from the failing firewall to the replica, providing workstations with an uninterrupted firewall service in a transparent way. Workstations don't loose their already established network connections to the outside.
Open DrakInvictus choosing Advanced setup for network interfaces and firewall in the Security section of the Mandriva Control Center. At the top you configure network redundancy and at the bottom you configure firewall replication. Please note that this tool has to be run on each server which is part of the replication pool.
Fill the following fields for the interface corresponding to the network where the other server (the one providing network redundancy) is located, for example eth0:
- Real Address
-
IP address of the interface. This is the physical address of this server on the network.
- Virtual shared address
-
Virtual IP address shared by both servers. Fill with an unused, fixed, IP address on the network. This is the address clients will use as their Internet gateway. Please note that this address must be the same in both master and slave servers.
- Virtual ID
-
Shared identifier number (between 1 and 255). Please note that this ID must be the same on both master and slave servers.
- Password
-
Provide a password to be used by the replicated machines to identify themselves as being part of the same replication pool.
- Start as master
-
One of the servers must be declared as Master, to allow for proper recovery when the master returns to service. Check this box to override the default and recommended setting of having the system arbitrarily decide which server is the Master and which is the Slave.
Check Synchronize firewall conntrack tables to enable firewall replication and select the following:
- Synchronization network interface
-
Choose the interface connected to the network on which both firewalls communicate. Please note that this interface cannot be the same used for network redundancy.
- Connection mark bit
-
Bit number of the connection mark field used for connection tracking, you can leave it at the default value,
30.