Great Circle Associates Firewalls
(August 1997)

Subject: Re: [FW1] Installation of Failover Gateway in FW-1 3.0a...
From: William Burns <shadow @ netscape . com>
Organization: Netscape Communications Corp.
Date: Mon, 04 Aug 1997 18:05:58 -0500
To: joe <pylej @ PYLE . COM>
Cc: Cihan Subasi <csubasi @ garanti . com . tr>, Firewalls <firewalls @ greatcircle . com>, Checkpoint Mailing List <fw-1-mailinglist @ us . checkpoint . com>
References: <Pine . SGI . 3 . 95 . 970802211244 . 4852A-100000 @ shellx . best . com>

Hello all....the way I solved this problem may be unique to our setup,
but may be of some use to you.

We had both firewalls' DMZ subnet attached to a common hub.  Connected
to that hub was all of our DMZ servers (mail, web, etc)...there were no
routers between the DMZ servers and the two redundant firewalls.

We are running all Solaris 2.5.1 in this scenario.  In the July issue of
UNIX review there was an article about routed and rdisc....that was
exactly the trick I needed.

On the primary firewall I changed a line in /etc/rc2.d/S69inet from
/usr/sbin/in.rdisc -r
  to
/usr/sbin/in.rdisc -r -p 10 -T 10

On the failover firewall I changed the same line to be
/usr/sbin/in.rdisc -r -p 1 -T 10

The net effect is that each firewall will now actively advertise itself as
having the "default route"; the primary firewall will have the highest
preference so it will be used unless it stops advertising.  The "-T 10"
will cause them to advertise this "default route" packet every 10
seconds...the default was 600 seconds.  I wanted no more than a 10 second
latency between updates.

So this handles advertising the routes...
On the DMZ machine (also running Solaris 2.5.1) I removed
/etc/defaultrouter and /etc/gateways files. I changed the line in
/etc/rc2.d/S69inet from
                if [ -f /usr/sbin/in.rdisc ] && /usr/sbin/in.rdisc -s; then
                        echo "starting router discovery."
to
                if [ -f /usr/sbin/in.rdisc ] && /usr/sbin/in.rdisc -s -f; then
                        echo "starting router discovery (forever)."

so that the DMZ machines would never stop listening for router discovery
packets (in the off chance that connections with both firewalls were
broken).

The end result:
Now I can telnet into my web server and run "netstat -nr" in a loop and
watch the default route automagically flip to the redundant firewall as
soon as I kill the primary firewall.

I didn't try hardcoding two default routes into /etc/defaultrouter -- it
says you can do it, but I'm not sure how long it takes to switch over.
Plus, I like the ability of not having to hard code ANY default route on
my servers...makes installing them a lot easier.

I don't know how well all the vendors support rdisc, it's an RFC
supported protocol so bets are in its favor, but Solaris did and that's
all I needed.

I was also thinking of using routed or gated on the two firewalls and
advertising routes as well....but I didn't see how to do it with routed
and I wasn't sure I wanted to put another "unsupported" app on my
firewall with gated.

hope this helps,

bill


joe wrote:

> Hello Cihan,
>
> I'll be trying this one soon too... RIP may be your only hope even though
> it is crude...(via gated with higher/lower preferences)..unless you can
> do router discovery with AIX boxes... too bad you are not using all Sun
> workstations...(IMHO) :)
>
> I'm very interested to see if anyone else has done this or has a good
> suggestion..
>
> Cheers,
> JP
>
> ==================================================================
> Joseph  J. Pyle - Network Consultant                      _
> E-Mail Solutions @ PYLE.COM                            "<(o)>"
>                                                           ~
> joe @ pyle . com            - It's in the eye of the beholder
> ==================================================================
>
> On Sat, 2 Aug 1997, Cihan Subasi wrote:
>
> > We installed the Failover Gateway to backup our FW-1 3.0a, looks like
> > everything is fine but I have a problem with the machines on DMZ
> > interface...All our internet servers (other than firewall machines) are
> > running on a RS6000 with AIX 4.1.4 but in order to make them see
> > Failover Gateway when master firewall dies we have to give a second
> > default gateway to the AIXs, here is the problem looks like AIX does not
> > take a second default gateway with a higher metric...Anybody can help me
> > to solve the problem?
> >
> >       Thanks,
> > --
> >
> > ****************************************************************************
> > Cihan Subasi,
> > Garanti Ticaret AS, Istanbul Turkey
> > email: csubasi @ garanti . com . tr   tel: +902126570404   fax: +902126570473
> > ****************************************************************************


Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
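What the rdisc setup in Bill's message actually relies on is ICMP Router Discovery (RFC 1256): each firewall sends a Router Advertisement carrying its address, a signed preference (`-p`), and a lifetime, and the listening DMZ host keeps the highest-preference router whose lifetime has not yet expired. The following Python script is an added example, not code from the post or from Solaris; it builds and validates RFC 1256 advertisements, keeps the candidate table a listener would keep, and replays the primary-dies scenario from the post. The router addresses 192.0.2.1/.2 are constructed, and the 30-second lifetime is an assumption (RFC 1256's default is three times the advertisement interval; the post does not state what Solaris rdisc sends with `-T 10`). The replay shows the point a practitioner wants to see: the switch happens when the primary's advertised lifetime runs out, not at the next `-T` interval, so the lifetime, not just `-T`, bounds the failover delay. Note also that RFC 1256 carries no authentication, so a listening host believes any advertisement that reaches its segment; that is why this fits a DMZ hub whose every host you control and not a shared segment.

```python
import struct
import ipaddress

# ICMP Router Advertisement (RFC 1256): type 9, code 0.
ICMP_ROUTER_ADVERTISEMENT = 9
ADDR_ENTRY_SIZE = 2            # 32-bit words per entry: router address + preference
PREF_NEVER_DEFAULT = -2**31    # 0x80000000: "do not use as a default router"


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum as used by ICMP; returns 0 for a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_router_advertisement(routers, lifetime):
    """Encode what an 'rdisc -r' sender emits: routers is [(dotted_quad, preference)], lifetime in seconds."""
    header = struct.pack("!BBHBBH", ICMP_ROUTER_ADVERTISEMENT, 0, 0,
                         len(routers), ADDR_ENTRY_SIZE, lifetime)
    body = b"".join(struct.pack("!4si", ipaddress.IPv4Address(a).packed, pref)
                    for a, pref in routers)
    csum = internet_checksum(header + body)
    return header[:2] + struct.pack("!H", csum) + header[4:] + body


def parse_router_advertisement(packet):
    """Decode and validate an advertisement; returns (lifetime, [(addr, preference), ...])."""
    if len(packet) < 8:
        raise ValueError("short ICMP message")
    icmp_type, code, _, num_addrs, entry_size, lifetime = struct.unpack("!BBHBBH", packet[:8])
    if icmp_type != ICMP_ROUTER_ADVERTISEMENT or code != 0:
        raise ValueError("not a router advertisement")
    if entry_size != ADDR_ENTRY_SIZE:
        raise ValueError("unexpected address entry size %d" % entry_size)
    if internet_checksum(packet) != 0:
        raise ValueError("bad ICMP checksum")
    if len(packet) < 8 + num_addrs * entry_size * 4:
        raise ValueError("truncated advertisement")
    routers = []
    for i in range(num_addrs):
        off = 8 + i * 8
        raw_addr, pref = struct.unpack("!4si", packet[off:off + 8])
        routers.append((str(ipaddress.IPv4Address(raw_addr)), pref))
    return lifetime, routers


class DefaultRouteTable:
    """The candidate list an 'rdisc -s' listener keeps: routers with preference and expiry."""

    def __init__(self):
        self._entries = {}   # addr -> (preference, expires_at)

    def learn(self, packet, now):
        lifetime, routers = parse_router_advertisement(packet)
        for addr, pref in routers:
            if pref == PREF_NEVER_DEFAULT:
                self._entries.pop(addr, None)
                continue
            self._entries[addr] = (pref, now + lifetime)

    def default_router(self, now):
        """Highest-preference router whose lifetime has not expired, or None."""
        live = [(pref, addr) for addr, (pref, exp) in self._entries.items() if exp > now]
        return max(live)[1] if live else None


def simulate_failover(primary_dies_at, end, interval=10, lifetime=30):
    """Replay the post's setup (primary -p 10, failover -p 1, both -T 10) on one DMZ host.
    Returns [(time, default_router)] at every change; the primary stops advertising at primary_dies_at."""
    table = DefaultRouteTable()
    primary = build_router_advertisement([("192.0.2.1", 10)], lifetime)    # constructed addresses
    failover = build_router_advertisement([("192.0.2.2", 1)], lifetime)
    transitions, current = [], None
    for t in range(end + 1):
        if t % interval == 0:
            if t < primary_dies_at:
                table.learn(primary, t)
            table.learn(failover, t)
        chosen = table.default_router(t)
        if chosen != current:
            transitions.append((t, chosen))
            current = chosen
    return transitions


if __name__ == "__main__":
    # Primary last advertises at t=90, so its 30 s lifetime expires at t=120.
    print(simulate_failover(primary_dies_at=100, end=200))
```

Running it prints `[(0, '192.0.2.1'), (120, '192.0.2.2')]`: the host uses the primary from the first advertisement and flips to the failover 30 seconds after the primary's last advertisement, which is the lifetime, not the 10-second `-T` interval. Lowering `-T` as Bill did helps only in so far as the sender's lifetime is derived from it.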