Firewall Builder: Generate The Web Server Firewall Cluster Running Linux or OpenBSD

by on March 25, 2009 · 7 comments· LAST UPDATED April 11, 2010



This article continues the mini-series started with the post Introduction to Firewall Builder 4.0. It is also available as a section in the "Firewall Builder Cookbook" chapter of the Firewall Builder Users Guide 4.0.

Firewall Builder 4.0 is currently in its beta testing phase. If you find it interesting after reading this post, please download it and try it out. Source code archives, binary deb and rpm packages for popular Linux distributions, and commercially distributed Windows and Mac OS X packages are available for download here.

In this post I demonstrate how Firewall Builder can be used to generate the firewall configuration for a clustered web server with multiple virtual IP addresses. The firewall runs on each web server in the cluster. This example assumes the cluster is built with heartbeat using "old" style configuration files, but which high availability software is used to build the cluster is not really essential. I start with a setup that consists of two identical servers running Linux, and at the end of the article I demonstrate how this configuration can be converted to OpenBSD with CARP.

In this example I am working with a redundant web server configuration where each machine has its own IP address, plus three additional virtual addresses that can be used for virtual hosts. Firewall Builder generates an iptables script for both machines. Configuration of the HA agent should be handled either manually or using a specialized configuration system such as Pacemaker. When I convert the same setup from Linux to OpenBSD, I show how fwbuilder can generate not only the firewall configuration but also the script that manages the CARP and pfsync interfaces.

Fig.01: Linux HA configuration using two web servers

Note

IPv6 addresses are not used in this example. Some interface objects in the screenshots have IPv6 addresses because the firewall objects were "discovered" using SNMP, which also finds IPv6 addresses. You can disregard these addresses while working with the examples in this chapter.

Setting up heartbeat

Note

I am going to use "old" heartbeat configuration files in this example just to demonstrate what the configuration looks like. You should probably use modern Cluster Resource Manager software such as Pacemaker.

As shown in Figure 1, machines linux-test-1 and linux-test-2 run the heartbeat daemon (Linux-HA home page) to create virtual IP addresses. Heartbeat adds the virtual IP addresses to the same interface, eth0. One of the daemons becomes master and takes ownership of a virtual address by adding it to the interface with the label "eth0:0" or "eth0:1".

Note

The section "Linux cluster configuration with Firewall Builder" of the Firewall Builder Users Guide explains that "eth0:0" is not an interface and should not be used as the name of an interface object in the fwbuilder configuration.

In this example I am using heartbeat in multicast mode, where it sends a UDP datagram to the multicast address 225.0.0.1 every second or so to declare that it is up and running and owns the address.
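As an added example (not code from this article and not what Firewall Builder itself emits), the following script renders, for each node, the iptables-restore ruleset a firewall on the web servers needs so that heartbeat keeps working and the virtual addresses stay reachable. Two points matter for this cluster: the heartbeat multicast from the peer must be accepted, because a firewall that drops it makes each node stop hearing the other, both become master and the same virtual address ends up on both machines; and both nodes must accept web traffic to all three virtual addresses, since any of them can fail over to either node. The script assumes heartbeat's default UDP port 694 (the udpport directive in ha.cf, not stated in the article) and that the nodes serve only HTTP and HTTPS; the addresses are those of Figure 1.

```shell
#!/bin/sh
# Added example, not the article's own code and not what Firewall Builder
# emits: render one iptables-restore ruleset per cluster node for the
# setup in Figure 1. Assumed (not stated in the article): heartbeat uses
# its default UDP port 694 (udpport in ha.cf); the nodes serve HTTP/HTTPS.

HB_MCAST=225.0.0.1   # multicast group used in the article
HB_PORT=694          # assumption: heartbeat default udpport

# gen_ruleset IFACE PEER_ADDR VIP...: print an iptables-restore ruleset
# for one node. PEER_ADDR is the other node's real address, i.e. the
# source of the heartbeat datagrams this node must accept.
gen_ruleset() {
    iface=$1; peer=$2; shift 2
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# heartbeat: only the peer's real address may announce to the group.
# Without this rule both nodes lose sight of each other and both claim
# the virtual addresses (split-brain).
-A INPUT -i $iface -p udp -s $peer -d $HB_MCAST --dport $HB_PORT -j ACCEPT
# IGMP queries from the network, so IGMP-snooping switches keep forwarding the group
-A INPUT -i $iface -p igmp -j ACCEPT
EOF
    # Web service only on the virtual addresses; the node's own address
    # stays closed. Management access (e.g. SSH from an admin network)
    # is deliberately left out of this illustration.
    for vip; do
        printf '%s\n' "-A INPUT -i $iface -p tcp -d $vip -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo COMMIT
}

# Both nodes get the full VIP list; only the peer address differs.
VIPS="10.3.14.150 10.3.14.151 10.3.14.152"
echo "## linux-test-1 (load with: iptables-restore < linux-test-1.rules)"
gen_ruleset eth0 10.3.14.109 $VIPS
echo "## linux-test-2 (load with: iptables-restore < linux-test-2.rules)"
gen_ruleset eth0 10.3.14.108 $VIPS
```

Redirect each ruleset into a file and load it with iptables-restore on the matching node. Note that the VIP rules are identical on both machines while the heartbeat rule is node-specific, which is exactly the per-node rendering a generator for this cluster has to do.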

If you are interested in a more detailed explanation of the "old" style heartbeat configuration files used to set up an example similar to this one, see the section "Linux cluster using heartbeat" of the Firewall Builder Users Guide.

Once the heartbeat daemon is configured and started on both servers, their IP address configuration looks as shown in Figure 2 and Figure 3. The virtual addresses are highlighted to illustrate that heartbeat is running in an active/active configuration, that is, two virtual addresses are active on one machine and the third is active on the other. If either machine dies, all three virtual addresses move over to the one that is left working.

Figure 2. IP addresses of the web server linux-test-1

root@linux-test-1:/etc/ha.d# ip addr ls
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 00:0c:29:1e:dc:aa brd ff:ff:ff:ff:ff:ff
    inet 10.3.14.108/24 brd 10.3.14.255 scope global eth0
    inet 10.3.14.150/24 brd 10.3.14.255 scope global secondary eth0:0
    inet 10.3.14.151/24 brd 10.3.14.255 scope global secondary eth0:1
    inet6 fe80::20c:29ff:fe1e:dcaa/64 scope link
       valid_lft forever preferred_lft forever

Figure 3. IP addresses of the web server linux-test-2

root@linux-test-2:/etc/ha.d# ip addr ls
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 00:0c:29:fc:67:8c brd ff:ff:ff:ff:ff:ff
    inet 10.3.14.109/24 brd 10.3.14.255 scope global eth0
    inet 10.3.14.152/24 brd 10.3.14.255 scope global secondary eth0:0
    inet6 fe80::20c:29ff:fefc:678c/64 scope link
       valid_lft forever preferred_lft forever
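To turn the listings in Figures 2 and 3 into a check, here is an added example (not from the article or from Firewall Builder) that reads the ip addr ls output of both nodes, reports which node currently owns which virtual address, and flags a virtual address that is active on both machines at once, the split-brain condition that follows when the nodes stop hearing each other's heartbeat. The inputs are the eth0 blocks from the two figures plus a constructed variant in which linux-test-2 has also claimed 10.3.14.150.

```shell
#!/bin/sh
# Added example, not from the article or from Firewall Builder: list the
# heartbeat virtual addresses each node holds and detect one that is
# active on both nodes at the same time (split-brain).

# Inputs: the eth0 blocks from Figures 2 and 3 of the article.
NODE1_ADDRS='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 00:0c:29:1e:dc:aa brd ff:ff:ff:ff:ff:ff
    inet 10.3.14.108/24 brd 10.3.14.255 scope global eth0
    inet 10.3.14.150/24 brd 10.3.14.255 scope global secondary eth0:0
    inet 10.3.14.151/24 brd 10.3.14.255 scope global secondary eth0:1
    inet6 fe80::20c:29ff:fe1e:dcaa/64 scope link'

NODE2_ADDRS='2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 00:0c:29:fc:67:8c brd ff:ff:ff:ff:ff:ff
    inet 10.3.14.109/24 brd 10.3.14.255 scope global eth0
    inet 10.3.14.152/24 brd 10.3.14.255 scope global secondary eth0:0
    inet6 fe80::20c:29ff:fefc:678c/64 scope link'

# Constructed input: node 2 after it lost contact with node 1 and
# claimed 10.3.14.150 as well.
NODE2_SPLIT="$NODE2_ADDRS
    inet 10.3.14.150/24 brd 10.3.14.255 scope global secondary eth0:1"

# list_vips OUTPUT: print "label address" for every secondary IPv4
# address. Heartbeat adds its virtual addresses as secondary addresses
# labelled eth0:0, eth0:1, ..., which is what sets them apart from the
# node's own primary address on eth0.
list_vips() {
    printf '%s\n' "$1" |
        awk '$1 == "inet" && /secondary/ { sub("/.*", "", $2); print $NF, $2 }'
}

# shared_vips OUTPUT1 OUTPUT2: print every virtual address present in
# both outputs. Empty output means ownership is consistent.
shared_vips() {
    {
        list_vips "$1" | awk '{ print $2 }'
        list_vips "$2" | awk '{ print $2 }'
    } | sort | uniq -d
}

# report NAME1 OUTPUT1 NAME2 OUTPUT2: ownership report; returns 1 when
# a virtual address is active on both nodes.
report() {
    echo "$1 owns:"; list_vips "$2" | sed 's/^/  /'
    echo "$3 owns:"; list_vips "$4" | sed 's/^/  /'
    dup=$(shared_vips "$2" "$4")
    if [ -n "$dup" ]; then
        echo "SPLIT-BRAIN: active on both nodes: $dup"
        return 1
    fi
    echo "ownership consistent"
}

report linux-test-1 "$NODE1_ADDRS" linux-test-2 "$NODE2_ADDRS"
report linux-test-1 "$NODE1_ADDRS" linux-test-2 "$NODE2_SPLIT" || :
```

On a live cluster, feed the functions the output of ip addr ls collected from each node (for example over SSH) and alert on a non-zero return from report; the same address being served by two hosts on one LAN shows up as ARP flapping and intermittent connection resets long before anyone looks at the heartbeat logs.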


1 CTRLC March 30, 2010 at 11:25 am

I don’t see FWB version 4.0 Windows Vista binaries. Can anyone help me?


2 Vadim Kurland March 30, 2010 at 4:50 pm

Windows binaries we provide for download from http://www.fwbuilder.org/4.0 work on Vista.


3 CTRLC March 30, 2010 at 5:54 pm

It is not a 100% open source project. I get it, someone needs to get paid for the hard work of writing software and all the other stuff, for your time. IMO, you should not put up an evaluation-mode Windows package. Put up the full package; if it is good, people will send money, like the Apache project.


4 Vadim Kurland March 30, 2010 at 6:03 pm

It is a dual-licensed project, distributed under the GPL and an EULA. If you do not like the paid-for version, use the one distributed under the GPL.

The evaluation package is not restricted function-wise; however, it is limited to 30 days of evaluation time.


5 Anonymous March 31, 2010 at 10:28 am

@CTRLC,

You don’t get open source, do you? “Free software” is a matter of liberty, not price. To understand the concept, you should think of “free” as in “free speech,” not as in “free beer.” If you don’t like the pre-built package, download the source code from their SourceForge page. Please educate yourself before posting; here is a good starting point for you:
http://www.gnu.org/philosophy/free-sw.html

@Vadim, keep up the good work. I do not use your software; I’m just a desktop user. But I'll give it a try; it may come in handy if I decide to host my own web server or something like that.


6 Anonymous April 3, 2010 at 10:34 am

Hi Vadim,

How do I install fwbuilder_4.0.0-b2792-ubuntu-karmic-1_amd64.deb file?


7 nixCraft April 3, 2010 at 10:37 am

Use the dpkg -i command:
dpkg -i *.deb
OR
dpkg -i fwbuilder_4.0.0-b2792-ubuntu-karmic-1_amd64.deb

