Build a Better Firewall-Linux HA Firewall Tutorial

(Additional output removed for brevity.)

For more information about configuring conntrackd, see the conntrackd configuration manual listed in the Resources for this article.

The keepalived dæmon allows two or more servers to share a virtual IP address. Only one server, called the master, will respond to packets sent to the virtual IP address. The other servers are in backup mode, ready to take over the virtual IP address if the master server fails.

By default, keepalived uses the configuration file /etc/keepalived/keepalived.conf. The following is a very basic keepalived.conf configuration:

lj-fw-1 /etc/keepalived/keepalived.conf file contents:

vrrp_sync_group {
 group {
  fw-cluster-eth0
  fw-cluster-eth1
 }
 notify_master "/etc/conntrackd/primary-backup.sh primary"
 notify_backup "/etc/conntrackd/primary-backup.sh backup"
 notify_fault "/etc/conntrackd/primary-backup.sh fault"
}
vrrp_instance fw-cluster-eth0 {
 state MASTER
 interface eth0
 virtual_router_id 20
 priority 100
 virtual_ipaddress {
  192.168.1.1/24 brd 192.168.1.255 dev eth0
 }
}
vrrp_instance fw-cluster-eth1 {
 state MASTER
 interface eth1
 virtual_router_id 30
 priority 100
 virtual_ipaddress {
  10.1.1.1/24 brd 10.1.1.255 dev eth1 
 }
}

Additional options, like neighbor authentication, are available. More information about advanced configuration options is available at the keepalived Web site (see Resources).

The configuration for lj-fw-2 is very similar, with only a few values changed to identify that this system is acting as a backup:

vrrp_sync_group {
 group {
  fw-cluster-eth0
  fw-cluster-eth1
 }
 notify_master "/etc/conntrackd/primary-backup.sh primary"
 notify_backup "/etc/conntrackd/primary-backup.sh backup"
 notify_fault "/etc/conntrackd/primary-backup.sh fault"
}
vrrp_instance fw-cluster-eth0 {
 state BACKUP
 interface eth0
 virtual_router_id 20
 priority 50
 virtual_ipaddress {
  192.168.1.1/24 brd 192.168.1.255 dev eth0
 }
}
vrrp_instance fw-cluster-eth1 {
 state BACKUP
 interface eth1
 virtual_router_id 30
 priority 50
 virtual_ipaddress {
  10.1.1.1/24 brd 10.1.1.255 dev eth1
 }
}

One of the benefits of keepalived is that it provides sync_groups—a feature to ensure that if one of the interfaces in the sync_group transitions from the master to the backup, all the other interfaces in the sync_group also transition to the backup. This is important for Active-Backup HA firewall deployments where all the traffic must flow in and out of the same firewall.

The sync_group configuration includes information about the scripts to call in the event of a VRRP transition on the local server to the master, backup or fault states. The primary-backup.sh script, which was copied to the /etc/conntrackd directory earlier, informs conntrackd of VRRP state transitions so that conntrackd knows which firewall is currently acting as the master.

VRRP uses priority numbering to determine which firewall should be the master when both firewalls are on-line. The firewall with the highest priority number is chosen as the master. Because the lj-fw-1 server has the highest priority number, as long as the lj-fw-1 server is “alive”, it will respond to traffic sent to the virtual IP addresses. If the lj-fw-1 server fails, the lj-fw-2 server automatically will take over the virtual IP addresses and respond to traffic sent to it.

When using VRRP, devices on the network should be configured to route through the virtual IP address. In this example, devices on the internal LAN that are going out through the HA firewall pair should be configured with a default gateway of 10.1.1.1.

Now that there are two servers configured and ready to act as HA firewalls, it's time to add rules. In most HA pairs, the rules should be identical on both firewalls. Although this can be done by manually entering iptables commands, it can be difficult to maintain and is easy for errors to occur. Firewall Builder makes it simple to configure and maintain a synchronized set of rules on both of the HA firewall servers.

Firewall Builder is a GUI-based firewall configuration management application that supports a wide range of firewalls, including iptables. Information about downloading and installing Firewall Builder can be found on the Firewall Builder Web site, including a Quick Start Guide (see Resources) that provides a high-level overview of the GUI layout and key concepts.

Multiple firewalls can be managed from a single workstation using Firewall Builder. SSH and SCP are used to transfer the generated firewall scripts to the remote firewalls, so it is recommended that the Firewall Builder application be run on a different workstation and not on one of the firewall servers.