SLES 10 Tip: Clustering Shorewall


I’m writing up my success story about implementing a cluster that load-balances our ADSL connections to provide increased speed and reliability of Internet access. You can find my efforts so far here:


High-availability firewalls with Shorewall have been asked for frequently on the Shorewall Users mailing list. This page documents my success stories in implementing this. Over time I hope that we will turn this into a library of solutions that users can draw upon to create their firewall solutions. – PaulGear


These instructions will not give you a 100% fault-tolerant firewall. That requires distributed connection tracking, which is still under heavy development (at least it was the last time I checked).

Working configurations:

The following configurations are working in production on my network.


  • SUSE Linux Enterprise Server 10
  • Heartbeat 2.0 (in heartbeat 1 compatibility mode)
  • Shorewall 3.2.2

I have also used SUSE Linux Enterprise Server 9, heartbeat 1.2, and shorewall 2.4 to build a similar cluster (the Inner Guard shown in the diagram), and the configuration is almost the same, but simpler, because it doesn’t have to deal with DSL interfaces and the like.


* System 1:

  • IBM x306
  • P4 3.0 HT
  • 1024 MB RAM
  • 2 x 160 GB SATA HD
  • 2 x Intel 82547GI/82541GI NIC (onboard)
  • 4 x Broadcom BCM5704 NIC (2 x dual port PCI-X)

* System 2:

  • Dell PE850
  • P4 2.8 HT EM64T
  • 1024 MB RAM
  • 2 x 160 GB SATA HD
  • 2 x Broadcom BCM5721 NIC (onboard)
  • 4 x Intel 82546EB NIC (2 x dual port PCIe)

Note the choice of different hardware for each node – this is intentional. I want to protect against the possibility of identical hardware faults appearing in both nodes of the cluster, and using different models from different vendors is one of the ways I try to ensure this. I suspect that you could even run different Linux architectures (e.g. AMD64/EM64T, PowerPC, StrongARM, etc.) on each of the nodes. I haven’t tried this – both systems here run 32-bit x86 code.

Note also that this hardware is rather overspecified for the task. These were the cheapest 1RU servers I could buy from a tier 1 vendor. If you don’t have requirements for on-site vendor warranty, or you don’t need to fit in a confined space like I did, you could probably get away with much older, cheaper systems. The firewall these systems replaced was a Celeron 1200 tower PC with 256 MB RAM and 4 x recycled 100 Mbps NICs.


Read the full solution here
