Firewall Routing Setup
My goal here is to have two firewalls, one active and one passive. This involves a few things: the basic layout and naming of the Ethernet devices (via udev rules), Heartbeat, TCP tuning, and (maybe) some basic routing rules.
Ethernet Device + Udev setup
[root@fw01 ~]# cat /etc/udev/rules.d/60-net.rules
#ACTION=="add", SUBSYSTEM=="net", IMPORT{program}="/lib/udev/rename_device"
ACTION=="add", SUBSYSTEM=="net", IMPORT{program}="/lib/udev/rename_device", SYSFS{address}=="00:30:48:cf:31:8c", NAME="eth0"
ACTION=="add", SUBSYSTEM=="net", IMPORT{program}="/lib/udev/rename_device", SYSFS{address}=="00:30:48:cf:31:8d", NAME="eth1"
ACTION=="add", SUBSYSTEM=="net", IMPORT{program}="/lib/udev/rename_device", SYSFS{address}=="00:1b:21:4f:4d:78", NAME="eth2"
ACTION=="add", SUBSYSTEM=="net", IMPORT{program}="/lib/udev/rename_device", SYSFS{address}=="00:1b:21:4f:4d:79", NAME="eth3"
ACTION=="add", SUBSYSTEM=="net", IMPORT{program}="/lib/udev/rename_device", SYSFS{address}=="00:0e:1e:03:06:72", NAME="eth4"
ACTION=="add", SUBSYSTEM=="net", IMPORT{program}="/lib/udev/rename_device", SYSFS{address}=="00:0e:1e:03:06:73", NAME="eth5"
SUBSYSTEM=="net", RUN+="/etc/sysconfig/network-scripts/net.hotplug"
[root@fw02 ha.d]# cat /etc/udev/rules.d/60-net.rules
#ACTION=="add", SUBSYSTEM=="net", IMPORT{program}="/lib/udev/rename_device"
ACTION=="add", SUBSYSTEM=="net", IMPORT{program}="/lib/udev/rename_device", SYSFS{address}=="00:30:48:cf:31:8a", NAME="eth0"
ACTION=="add", SUBSYSTEM=="net", IMPORT{program}="/lib/udev/rename_device", SYSFS{address}=="00:30:48:cf:31:8b", NAME="eth1"
ACTION=="add", SUBSYSTEM=="net", IMPORT{program}="/lib/udev/rename_device", SYSFS{address}=="00:1b:21:34:65:21", NAME="eth2"
ACTION=="add", SUBSYSTEM=="net", IMPORT{program}="/lib/udev/rename_device", SYSFS{address}=="00:1b:21:34:65:20", NAME="eth3"
ACTION=="add", SUBSYSTEM=="net", IMPORT{program}="/lib/udev/rename_device", SYSFS{address}=="00:60:dd:46:c7:58", NAME="eth4"
SUBSYSTEM=="net", RUN+="/etc/sysconfig/network-scripts/net.hotplug"
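The iptables policy on these boxes addresses interfaces by name, so the rules above are what keeps eth4 (the outside link) from silently becoming eth2 after a NIC swap or a kernel probe-order change. The check below is added here as an example and is not part of the original page: it parses a 60-net.rules file, builds the name-to-MAC table the rules demand, and compares it with what the running kernel reports under /sys/class/net. It assumes the rules file path used above and accepts the newer ATTR{address} spelling alongside SYSFS{address}; the embedded sample is fw01's rules copied from this page.

```python
import re
from pathlib import Path
# fw01's /etc/udev/rules.d/60-net.rules, copied from the page as sample input
FW01_RULES = """\
#ACTION=="add", SUBSYSTEM=="net", IMPORT{program}="/lib/udev/rename_device"
ACTION=="add", SUBSYSTEM=="net", IMPORT{program}="/lib/udev/rename_device", SYSFS{address}=="00:30:48:cf:31:8c", NAME="eth0"
ACTION=="add", SUBSYSTEM=="net", IMPORT{program}="/lib/udev/rename_device", SYSFS{address}=="00:30:48:cf:31:8d", NAME="eth1"
ACTION=="add", SUBSYSTEM=="net", IMPORT{program}="/lib/udev/rename_device", SYSFS{address}=="00:1b:21:4f:4d:78", NAME="eth2"
ACTION=="add", SUBSYSTEM=="net", IMPORT{program}="/lib/udev/rename_device", SYSFS{address}=="00:1b:21:4f:4d:79", NAME="eth3"
ACTION=="add", SUBSYSTEM=="net", IMPORT{program}="/lib/udev/rename_device", SYSFS{address}=="00:0e:1e:03:06:72", NAME="eth4"
ACTION=="add", SUBSYSTEM=="net", IMPORT{program}="/lib/udev/rename_device", SYSFS{address}=="00:0e:1e:03:06:73", NAME="eth5"
SUBSYSTEM=="net", RUN+="/etc/sysconfig/network-scripts/net.hotplug"
"""
# Old udev spells the attribute SYSFS{address}; newer releases use ATTR{address}.
_PIN = re.compile(r'(?:SYSFS|ATTR)\{address\}=="([0-9a-f:]{17})".*?\bNAME="([^"]+)"', re.I)

def parse_rules(text):
    """Return {interface name: MAC} for every uncommented rule that pins a name to a MAC."""
    pinned = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # comments and the RUN+= hotplug line carry no pin
        m = _PIN.search(line)
        if not m:
            continue
        mac, name = m.group(1).lower(), m.group(2)
        if name in pinned:
            raise ValueError(f"{name} is pinned to two MACs: {pinned[name]} and {mac}")
        pinned[name] = mac
    return pinned

def live_macs(sysfs="/sys/class/net"):
    """Return {interface name: MAC} as the kernel reports it right now."""
    return {d.name: (d / "address").read_text().strip().lower()
            for d in Path(sysfs).iterdir() if (d / "address").is_file()}

def check_pinning(pinned, live):
    """One message per pinned name that is missing or sits on the wrong MAC; [] means all match."""
    by_mac = {mac: name for name, mac in live.items()}
    problems = []
    for name, mac in sorted(pinned.items()):
        if name not in live:
            problems.append(f"{name}: rule pins {mac}, but no interface by that name exists")
        elif live[name] != mac:
            problems.append(f"{name}: has {live[name]}, rule pins {mac} "
                            f"(that MAC is now on {by_mac.get(mac, 'no interface')})")
    return problems
if __name__ == "__main__":
    rules = Path("/etc/udev/rules.d/60-net.rules").read_text()
    print("\n".join(check_pinning(parse_rules(rules), live_macs())) or "all pinned names match")
```

Run it from the Heartbeat start-up path or a boot-time cron job on both fw01 and fw02 so a mismatch is caught before the node can take over the gateway addresses.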
With these systems, I am using the following layout:
fw01:
eth1 - 1Gb heartbeat connection - 10.187.66.78
eth2 - 10Gb copper to Force 10 - 148.187.66.78
eth4 - 10Gb fiber connection to gateway (outside world) - 148.187.73.4
ib0 - infiniband connection to IB network - 148.187.68.3
fw02:
eth1 - 1Gb heartbeat connection - 10.187.66.79
eth2 - 10Gb copper to Force 10 - 148.187.66.79
eth4 - 10Gb fiber connection to gateway (outside world) - 148.187.73.5
ib0 - infiniband connection to IB network - 148.187.68.4
Routing IP addresses (the gateway addresses that clients will use, and that are controlled by Heartbeat):
148.187.66.2 (64 eth gateway)
148.187.68.2 (64 ib gateway)
148.187.73.3 (gateway to outside world)
Heartbeat
Here's the basic setup of my Heartbeat configuration:
TCP Tuning
Basic Routing
--
JasonTemple - 2010-12-16