Re: [lvs-users] Failover solution for Shorewall Firewall

To: " users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: [lvs-users] Failover solution for Shorewall Firewall
From: David Lang <david.lang@xxxxxxxxxxxxxxxxxx>
Date: Fri, 5 Jun 2009 08:56:04 -0700 (PDT)
On Thu, 4 Jun 2009, Kaushal Shriyan wrote:

> Hi,
> I got the below reply from the shorewall firewall mailing list.
>> From my own experiment for failover solution (not load balancing), it's much
>> better for you to play with keepalived, rather than linux HA. Reason: linux
>> HA tends to put the virtual IP on aliased interface; where keepalived puts
>> on the real interface. It's just a bit simpler to configure in shorewall.
>> And with keepalived, you can have shorewall run on both nodes, while with
>> linux HA you have to make sure shorewall is turned on/off as the failover
>> kicks in (I may be wrong in this).
> Is there a Howto to setup failover solution for shorewall firewall
> using linux-ha or keepalived
> and also is there a mailing list for end users to discuss about keepalived.

with the default configuration they are right about needing to start/stop 

however if you set net.ipv4.ip_nonlocal_bind=1 in /etc/sysctl.conf it will let 
you run software that binds to interfaces that don't currently exist on the 

it's still possible that shorewall won't work, but it's pretty likely to work 
with this (they would have to do something like look at all the existing 
interfaces at startup time and bind to those explicitly to still have problems)

David Lang
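The behaviour David describes (a daemon failing to bind a VIP that has not yet failed over to this node, and net.ipv4.ip_nonlocal_bind=1 lifting that restriction) can be checked on the standby node with the probe below. This is an added example, not code from the thread or from shorewall/keepalived; it assumes a Linux host where the knob is readable at /proc/sys/net/ipv4/ip_nonlocal_bind, and 192.0.2.10 is a constructed placeholder VIP.

```python
import errno
import socket

# Kernel knob from the reply: 0 = only local addresses may be bound (default), 1 = any address.
SYSCTL_PATH = "/proc/sys/net/ipv4/ip_nonlocal_bind"
VIP = "192.0.2.10"  # constructed placeholder, not an address from the thread


def nonlocal_bind_enabled():
    """True/False from the sysctl, or None if it cannot be read (non-Linux, no /proc)."""
    try:
        with open(SYSCTL_PATH) as f:
            return f.read().strip() == "1"
    except OSError:
        return None


def try_bind(addr, port=0, freebind=False):
    """Attempt a TCP bind to addr. Returns (ok, errname) where errname is e.g. 'EADDRNOTAVAIL'.

    freebind=True sets the per-socket IP_FREEBIND option (Linux value 15), which is the
    per-process equivalent of the sysctl for software you control; assumption: Linux kernel.
    """
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            if freebind:
                s.setsockopt(socket.IPPROTO_IP, getattr(socket, "IP_FREEBIND", 15), 1)
            s.bind((addr, port))
            return True, None
    except OSError as e:
        return False, errno.errorcode.get(e.errno, str(e.errno))


def failover_readiness(vip=VIP):
    """Summarise whether a daemon started on this node could bind the VIP before failover."""
    ok, err = try_bind(vip)
    knob = nonlocal_bind_enabled()
    if ok:
        return "bind to %s succeeds (VIP is local or ip_nonlocal_bind=1)" % vip
    if err == "EADDRNOTAVAIL" and knob is False:
        return "bind to %s fails: set net.ipv4.ip_nonlocal_bind=1 in /etc/sysctl.conf" % vip
    return "bind to %s fails with %s (ip_nonlocal_bind=%s)" % (vip, err, knob)


if __name__ == "__main__":
    print(failover_readiness())
```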
