SLES 10 Tip: Clustering Shorewall


By: paulgear

August 24, 2006 12:00 am





I’m writing up my success story about implementing a cluster that load-balances our ADSL connections to provide increased speed and reliability of Internet access. You can find my efforts so far here:


High-availability firewalls with Shorewall have been asked for frequently on the Shorewall Users mailing list. This page documents my success stories on implementing this. Over time I hope that we will turn this into a library of solutions that users can draw upon to create their firewall solutions. – PaulGear


These instructions will not give you a 100% fault-tolerant firewall. That requires distributed connection tracking, which is still under heavy development (at least it was last time I checked). Without it, the standby node takes over the addresses but not the kernel's connection-tracking table, so every connection that was established through the failed node is lost: the stateful rules on the new active node see the mid-stream packets as NEW or INVALID, and clients have to reconnect.

Working configurations:

The following configurations are working in production on my network.


  • SUSE Linux Enterprise Server 10
  • Heartbeat 2.0 (running in Heartbeat 1 compatibility mode, i.e. the haresources-style configuration rather than the CRM)
  • Shorewall 3.2.2

I have also used SUSE Linux Enterprise Server 9, Heartbeat 1.2, and Shorewall 2.4 to build a similar cluster (the Inner Guard shown in the diagram). Its configuration is almost the same, but simpler, because it doesn’t have to deal with DSL interfaces and the like.
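As an added illustration of what the "Heartbeat 1 compatibility mode" entry above means in practice, here is the minimal set of Heartbeat files for a two-node active/passive Shorewall firewall. This is not the author's configuration (that is in the linked full solution); the node names fw1/fw2, the dedicated heartbeat link eth5, the floating inside and outside addresses, the syslog facility and the key are all assumptions for the example. All three files go on both nodes, and haresources must be byte-for-byte identical on both.

```text
# /etc/ha.d/ha.cf  (same on fw1 and fw2; names and interfaces are assumed)
logfacility     local0
keepalive       2          # seconds between heartbeats
deadtime        30         # peer is declared dead after this many seconds
warntime        10         # log a warning when a heartbeat is this late
initdead        120        # extra grace at boot while NICs and DSL links come up
udpport         694
bcast           eth5       # dedicated back-to-back heartbeat link
auto_failback   off        # stay on the standby after the old master recovers;
                           # fail back by hand in a maintenance window
node            fw1
node            fw2
# No "crm on" line: Heartbeat 2.0 then runs in v1 (haresources) compatibility mode.

# /etc/ha.d/authkeys  (mode 0600, same on both nodes; the key is a placeholder)
auth 1
1 sha1 replace-with-a-long-random-secret

# /etc/ha.d/haresources  (same on both nodes)
# Format: preferred node, then resources in start order; stop order is the reverse.
# The floating inside and outside addresses come up first, then Shorewall is
# started through its init script so the ruleset is loaded on the active node.
fw1 IPaddr::192.168.1.1/24/eth0 IPaddr::203.0.113.10/29/eth1 shorewall
```

Two points worth checking on a real deployment. First, the standby node has Shorewall stopped, and Shorewall's stopped state drops everything except hosts listed in routestopped, so add an entry for the heartbeat interface (for example `eth5 -`) there, otherwise the standby can stop hearing its peer. Second, because connection state is not synchronised (the limitation noted above), a failover still drops all established sessions; the cluster buys you fast recovery of the addresses and ruleset, not transparent failover, and `auto_failback off` avoids paying that price a second time when the original node returns.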


* System 1:

  • IBM x306
  • P4 3.0 HT
  • 1024 MB RAM
  • 2 x 160 GB SATA HD
  • 2 x Intel 82547GI/82541GI NIC (onboard)
  • 4 x Broadcom BCM5704 NIC (2 x dual port PCI-X)

* System 2:

  • Dell PE850
  • P4 2.8 HT EM64T
  • 1024 MB RAM
  • 2 x 160 GB SATA HD
  • 2 x Broadcom BCM5721 NIC (onboard)
  • 4 x Intel 82546EB NIC (2 x dual port PCIe)

Note the choice of different hardware for each node – this is intentional. I want to protect against the possibility of identical hardware faults appearing in both nodes of the cluster, and using different models from different vendors is one of the ways I try to ensure this. I suspect that you could even run different Linux architectures (e.g. AMD64/EM64T, PowerPC, StrongARM, etc.) on each of the nodes. I haven’t tried this – both systems here run 32-bit x86 code.

Note also that this hardware is rather overspecified for the task. These were the cheapest 1RU servers I could buy from a tier 1 vendor. If you don’t have requirements for on-site vendor warranty, or you don’t need to fit in a confined space like I did, you could probably get away with much older, cheaper systems. The firewall these systems replaced was a Celeron 1200 tower PC with 256 MB RAM and 4 x recycled 100 Mbps NICs.


Read the full solution here



Disclaimer: As with everything else at SUSE Conversations, this content is definitely not supported by SUSE (so don't even think of calling Support if you try something and it blows up).  It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.