Mailing List Archive

"Only 254 prefered allowed"
Dear Mailinglist,

we are trying to use spread/wackamole for one of our Linux firewalls. We managed to
make both addresses (internal and external of the firewall) change even
in case of only one interface being down, but we still have a problem
finding the right preferred parameter.
We have a class B network on the internal interface and a class C network
on the outside interface. Our conf file looks like this:

Spread = 4803
SpreadRetryInterval = 5s
Group = wack1
Control = /var/run/wack.it

# The preferred network card
Prefer {
eth0:172.16.253.49/16
eth1:193.17.4.200/24
}

# ALL virtual interfaces
VirtualInterfaces {
eth0:172.16.253.51/16
eth1:193.17.4.202/24
}

Arp-Cache = 90s

# These are notified on failure
Notify {
# Let's notify our router:
eth0:172.16.1.1/32
eth0:172.16.253.50/32
eth0:172.16.253.44/32
eth0:195.145.130.24/32
eth1:193.17.4.201/32
Arp-cache
}

When we start the system we receive hundreds of error messages "Only 254
prefered allowed" and no preference works at all. We need to define the
main firewall as the preferred machine to use, because the CPU power on this
box allows us to run an IDS (snort) in addition to the firewalling
activity. In case of using the backup hardware we can't run the IDS, but all
other functions will continue to work and this is more than acceptable for
us.

What is the right syntax for this preferred option, or are there other ways to
configure this preferred server scenario?

Thanks for your help.


Kind regards / Best regards

Jens Neumann



Jens Neumann
ZEDA GmbH & Co. KG , Dept. ZDT
Mühlenweg 17-37
D - 42270 Wuppertal
Email: jens.neumann@zeda.de
"Only 254 prefered allowed" [ In reply to ]
Neumann, Jens wrote:
> Dear Mailinglist,
>
> we are trying to use spread/wackamole for one of our Linux firewalls. We managed to
> make both addresses (internal and external of the firewall) change even
> in case of only one interface being down, but we still have a problem
> finding the right preferred parameter.
> We have a class B network on the internal interface and a class C network
> on the outside interface. Our conf file looks like this:
>
> Spread = 4803
> SpreadRetryInterval = 5s
> Group = wack1
> Control = /var/run/wack.it
>
> # The preferred network card
> Prefer {
> eth0:172.16.253.49/16
> eth1:193.17.4.200/24
> }

You are telling it to prefer every address in those spaces. You want /32 on
those. The CIDR format above represents an IP block in all configuration
directives except "VirtualInterface", where it represents the netmask of the
desired interface.

> # ALL virtual interfaces
> VirtualInterfaces {
> eth0:172.16.253.51/16
> eth1:193.17.4.202/24
> }

There is a much easier way to do router configurations. Specify BOTH
interfaces in a single virtual interface:

VirtualInterfaces {
{
eth0:172.16.253.51/16
eth1:193.17.4.202/24
}
}

Note the extra grouping braces. This means that each machine will treat the
pair of interfaces as a single virtual interface. So, it is up (both) or it
is down (both) and never half up, half down.

This way you don't have the prefer setting -- which you don't want in the case
of a firewall anyway. If machine A goes down, you want machine B to take
responsibility. But when A comes back on, there is no reason to steal back
the VIF from B.

My router config is attached below:

> Arp-Cache = 90s
>
> # These are notified on failure
> Notify {
> # Let's notify our router:
> eth0:172.16.1.1/32
> eth0:172.16.253.50/32
> eth0:172.16.253.44/32
> eth0:195.145.130.24/32
> eth1:193.17.4.201/32
> Arp-cache
> }
>
> When we start the system we receive hundreds of error messages "Only 254
> prefered allowed" and no preference works at all. We need to define the
> main firewall as the preferred machine to use, because the CPU power on this box
> allows us to run an IDS (snort) in addition to the firewalling
> activity. In case of using the backup hardware we can't run the IDS, but all
> other functions will continue to work and this is more than acceptable for
> us.
>
> What is the right syntax for this preferred option, or are there other ways to
> configure this preferred server scenario?
>
> Thanks for your help.
>
>
> Kind regards / Best regards
>
> Jens Neumann
>
> Jens Neumann
> ZEDA GmbH & Co. KG , Dept. ZDT
> Mühlenweg 17-37
> D - 42270 Wuppertal
> Email: jens.neumann@zeda.de


On our system, we have two machines on the network. We give them normal
unchanging IP addresses:
Machine A: { 10.77.52.2, 66.77.52.2, 63.236.106.103}
Machine B: { 10.77.52.3, 66.77.52.3, 63.236.106.104}

These IPs never change. But wackamole covers the default routes on each
network, which are:
Routes: { 10.77.52.1, 66.77.52.1, 63.236.106.102}


wackamole.conf excerpt:

Spread = 3777
Group = wack1
Control = /var/run/wack.it

Prefer None
VirtualInterfaces {
{ fxp2:10.77.52.1/32 fxp1:66.77.52.1/32 fxp0:63.236.106.102/32 }
}

arp-cache = 90s
mature = 5s


--
Theo Schlossnagle
Principal Consultant
OmniTI Computer Consulting, Inc. -- http://www.omniti.com/
Phone: +1 410 872 4910 x201 Fax: +1 410 872 4911
1024D/82844984/95FD 30F1 489E 4613 F22E 491A 7E88 364C 8284 4984
2047R/33131B65/71 F7 95 64 49 76 5D BA 3D 90 B9 9F BE 27 24 E7
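The two points in the reply above, as an added example that is not part of the thread and not wackamole's own parser: outside VirtualInterfaces a CIDR suffix is an address block (so /16 and /24 name far more than 254 hosts, while /32 names one), and an inner pair of braces in VirtualInterfaces binds several interfaces into one VIF that is up or down as a unit. The config fragments are constructed from the thread; the assumption that the error fires once more than 254 addresses are named is the reading of the reply, not wackamole's verified logic.

```python
import ipaddress
import re

# Constructed config fragments taken from the thread: the Prefer block that
# triggers the error, its /32 correction, and the VirtualInterfaces forms.
PREFER_ORIGINAL = "Prefer {\n eth0:172.16.253.49/16\n eth1:193.17.4.200/24\n}"
PREFER_FIXED = "Prefer {\n eth0:172.16.253.49/32\n eth1:193.17.4.200/32\n}"
VIF_SEPARATE = "VirtualInterfaces {\n eth0:172.16.253.51/16\n eth1:193.17.4.202/24\n}"
VIF_GROUPED = "VirtualInterfaces {\n {\n eth0:172.16.253.51/16\n eth1:193.17.4.202/24\n }\n}"
VIF_ROUTER = ("VirtualInterfaces {\n { fxp2:10.77.52.1/32 fxp1:66.77.52.1/32 "
              "fxp0:63.236.106.102/32 }\n}")

ENTRY = re.compile(r"\w+:[\d.]+/\d+")   # iface:address/prefix
MAX_PREFER = 254                         # the limit named in the error message

def prefer_hosts(block):
    """Count the addresses a Prefer block names. Outside VirtualInterfaces the
    CIDR suffix is an address block, so /16 contributes every host in it."""
    total = 0
    for entry in ENTRY.findall(block):
        cidr = entry.split(":", 1)[1]
        total += ipaddress.ip_network(cidr, strict=False).num_addresses
    return total

def check_prefer(block):
    """Assumed model of the check behind the error: more than 254 is rejected."""
    n = prefer_hosts(block)
    if n > MAX_PREFER:
        return f"Only {MAX_PREFER} prefered allowed ({n} addresses named)"
    return "ok"

def vif_groups(block):
    """Split VirtualInterfaces into VIFs: entries inside inner braces form one
    VIF that moves as a unit; bare entries are each their own VIF."""
    body = block[block.index("{") + 1:block.rindex("}")]
    groups, current = [], None
    for tok in re.findall(r"\{|\}|\w+:[\d.]+/\d+", body):
        if tok == "{":
            current = []
        elif tok == "}":
            groups.append(current)
            current = None
        elif current is not None:
            current.append(tok)
        else:
            groups.append([tok])
    return groups
```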
"Only 254 prefered allowed" [ In reply to ]
Dear Theo,

thanks for your help. We changed the braces in the virtual interface
section. How can I make sure, during the first initialisation of the cluster, that
my strongest server is the one with the working virtual IP?


Kind regards / Best regards

Jens Neumann



Jens Neumann
ZEDA GmbH & Co. KG , Dept. ZDT
Mühlenweg 17-37
D - 42270 Wuppertal
Tel.: +49 202 564-1175
Fax : +49 202 564-1384
Email: jens.neumann@zeda.de


-----Original Message-----
From: Theo E. Schlossnagle [SMTP:jesus@omniti.com]
Sent: Wednesday, 16 July 2003 16:33
To: wackamole-users@lists.backhand.org
Subject: Re: [Wackamole-users] "Only 254 prefered allowed"
_______________________________________________
wackamole-users mailing list
wackamole-users@lists.backhand.org
http://lists.backhand.org/mailman/listinfo/wackamole-users