========================== Firewall High-Availability ========================== The following diagram depicts a simplified, hypothetical, physical connection diagram between a client and a server that are connected using routed networks, which are separated by a pair of firewalls. .. graphviz:: digraph firewall { splines = true; overlab = prism; edge [ color=gray50, fontname=Calibri, fontsize=11 ]; node [ style=filled, shape=record, fontname=Calibri, fontsize=11 ]; "grid1x1" [style=invis, shape=point]; "Client"; "grid1x3" [style=invis, shape=point]; { rank=same "grid1x1" "Client" "grid1x3" } "Firewall #1" [fontcolor="green"]; "grid2x2" [style=invis, shape=point]; "Firewall #2"; { rank=same "Firewall #1" "grid2x2" "Firewall #2" } "grid3x1" [style=invis, shape=point]; "Server"; "grid3x3" [style=invis, shape=point]; { rank=same "grid3x1" "Server" "grid3x3" } "grid1x1" -> "Client" -> "grid1x3" [style=invis]; "Firewall #1" -> "grid2x2" -> "Firewall #2" [style=invis]; "grid3x1" -> "Server" -> "grid3x3" [style=invis]; "Client" -> "Firewall #1" [dir="none"]; "Client" -> "Firewall #2" [dir="none"]; "Firewall #1" -> "Server" [dir="none"]; "Firewall #2" -> "Server" [dir="none"]; } If a client's connection to a server were to descend the first firewall, but the server uses the second firewall as its gateway for routed network traffic back to the client, it will not accept the traffic. This is depicted by the following diagram: .. graphviz:: digraph firewall { splines = true; overlab = prism; edge [ color=gray50, fontname=Calibri, fontsize=11 ]; node [ style=filled, shape=record, fontname=Calibri, fontsize=11 ]; "grid1x1" [style=invis, shape=point]; "Client"; "grid1x3" [style=invis, shape=point]; { rank=same "grid1x1" "Client" "grid1x3" } "Firewall #1" [fontcolor="green"]; "grid2x2" [style=invis, shape=point]; "Firewall #2" [fontcolor="red"]; { rank=same "Firewall #1" "grid2x2" "Firewall #2" } "grid3x1" [style=invis, shape=point]; "Server"; "grid3x3" [style=invis, shape=point]; { rank=same "grid3x1" "Server" "grid3x3" } "grid1x1" -> "Client" -> "grid1x3" [style=invis]; "Firewall #1" -> "grid2x2" -> "Firewall #2" [style=invis]; "grid3x1" -> "Server" -> "grid3x3" [style=invis]; "Client" -> "Firewall #1" [color="green"]; "Client" -> "Firewall #2" [dir="none"]; "Firewall #1" -> "Server" [color="green"]; "Firewall #2" -> "Server" [dir="back", color="green"]; } Therefore, the traffic from the server back to the client (the "response", if you will) will need to descend the same firewall as the inbound traffic; .. graphviz:: digraph firewall { splines = true; overlab = prism; edge [ color=gray50, fontname=Calibri, fontsize=11 ]; node [ style=filled, shape=record, fontname=Calibri, fontsize=11 ]; "grid1x1" [style=invis, shape=point]; "Client"; "grid1x3" [style=invis, shape=point]; { rank=same "grid1x1" "Client" "grid1x3" } "Firewall #1" [fontcolor="green"]; "grid2x2" [style=invis, shape=point]; "Firewall #2"; { rank=same "Firewall #1" "grid2x2" "Firewall #2" } "grid3x1" [style=invis, shape=point]; "Server"; "grid3x3" [style=invis, shape=point]; { rank=same "grid3x1" "Server" "grid3x3" } "grid1x1" -> "Client" -> "grid1x3" [style=invis]; "Firewall #1" -> "grid2x2" -> "Firewall #2" [style=invis]; "grid1x1" -> "grid2x2" -> "grid3x1" [style=invis]; "grid3x1" -> "Server" -> "grid3x3" [style=invis]; "Client" -> "Firewall #1" [color="green"]; "Client" -> "Firewall #1" [dir=back, color="green"]; "Client" -> "Firewall #2" [dir="none"]; "Firewall #1" -> "Server" [color="green"]; "Firewall #1" -> "Server" [dir="back", color="green"]; "Firewall #2" -> "Server" [dir="none"]; } For a fail over situation, both the traffic from the client to the server and the traffic from the server to the client will need to descend the second firewall: .. graphviz:: digraph firewall { splines = true; overlab = prism; edge [ color=gray50, fontname=Calibri, fontsize=11 ]; node [ style=filled, shape=record, fontname=Calibri, fontsize=11 ]; "grid1x1" [style=invis, shape=point]; "Client"; "grid1x3" [style=invis, shape=point]; { rank=same "grid1x1" "Client" "grid1x3" } "Firewall #1"; "grid2x2" [style=invis, shape=point]; "Firewall #2" [fontcolor="green"]; { rank=same "Firewall #1" "grid2x2" "Firewall #2" } "grid3x1" [style=invis, shape=point]; "Server"; "grid3x3" [style=invis, shape=point]; { rank=same "grid3x1" "Server" "grid3x3" } "grid1x1" -> "Client" -> "grid1x3" [style=invis]; "Firewall #1" -> "grid2x2" -> "Firewall #2" [style=invis]; "grid1x3" -> "grid2x2" -> "grid3x3" [style=invis]; "grid3x1" -> "Server" -> "grid3x3" [style=invis]; "Client" -> "Firewall #1" [dir=none]; "Client" -> "Firewall #2" [color="green"]; "Client" -> "Firewall #2" [dir=back, color="green"]; "Firewall #1" -> "Server" [dir="none"]; "Firewall #2" -> "Server" [color="green"]; "Firewall #2" -> "Server" [dir="back", color="green"]; } To ensure this happens, both firewalls have a system IP address configured on a failover network. This network should consist of dedicated links, preferrably physical ones; * *Firewall #1* and *Firewall #2* negotiate over this network, who holds the *active* role -- performing the actual duties of router, gateway and firewall. * Upon agreement that *Firewall #1* should have the active role, *Firewall #1* takes on two or more IP addresses; #. An inbound gateway IP address for the client to server traffic to be routed through, #. An outbound gateway IP address for the server to client traffic to be routed through. * The firewall with the *active* role distributes its kernel connection state tables with the *passive* firewall. .. graphviz:: digraph fwha { rankdir = LR; splines = true; overlab = prism; edge [ color=gray50, fontname=Calibri, fontsize=11, dir=none ]; node [ style=filled, shape=record, fontname=Calibri, fontsize=11 ]; "vlan0001" [ href="../appendices/firewall-high-availability.html#vlan0001", target="_top" ]; "vlan0002" [ href="../appendices/firewall-high-availability.html#vlan0002", target="_top" ]; "vlan0003" [ href="../appendices/firewall-high-availability.html#vlan0003", target="_top" ]; "Internet" -> "vlan0001"; subgraph cluster_fw_ext_out { "fw-ext-out001" [ href="../appendices/firewall-high-availability.html#fw-ext-out", target="_top" ]; "fw-ext-out002" [ href="../appendices/firewall-high-availability.html#fw-ext-out", target="_top" ]; } "vlan0001" -> "fw-ext-out001", "fw-ext-out002" [ label="eth0" ]; "fw-ext-out001", "fw-ext-out002" -> "vlan0003" [ label="eth1" ]; "vlan 4..7" [shape="point", size=0]; "fw-ext-out001", "fw-ext-out002" -> "vlan 4..7" [label="eth2.$x"]; subgraph cluster_perimeter { "vlan0004" [ shape="point", size=0, href="../appendices/firewall-high-availability.html#vlan0004", target="_top" ]; "vlan0005" [ shape="point", size=0, href="../appendices/firewall-high-availability.html#vlan0005", target="_top" ]; "vlan0006" [ shape="point", size=0, href="../appendices/firewall-high-availability.html#vlan0006", target="_top" ]; "vlan0007" [ shape="point", size=0, href="../appendices/firewall-high-availability.html#vlan0007", target="_top" ]; "vlan0104" [ shape="point", size=0, href="../appendices/firewall-high-availability.html#vlan0104", target="_top" ]; "vlan0105" [ shape="point", size=0, href="../appendices/firewall-high-availability.html#vlan0105", target="_top" ]; "vlan0106" [ shape="point", size=0, href="../appendices/firewall-high-availability.html#vlan0106", target="_top" ]; "vlan0107" [ shape="point", size=0, href="../appendices/firewall-high-availability.html#vlan0107", target="_top" ]; subgraph cluster_ext_mx_in { "ext-mx-in001" [ href="../appendices/firewall-high-availability.html#ext-mx-in", target="_top" ]; "ext-mx-in002" [ href="../appendices/firewall-high-availability.html#ext-mx-in", target="_top" ]; } subgraph cluster_ext_mx_out { "ext-mx-out001" [ href="../appendices/firewall-high-availability.html#ext-mx-out", target="_top" ]; "ext-mx-out002" [ href="../appendices/firewall-high-availability.html#ext-mx-out", target="_top" ]; } subgraph cluster_ext_subm { "ext-subm001" [ href="../appendices/firewall-high-availability.html#ext-subm", target="_top" ]; "ext-subm002" [ href="../appendices/firewall-high-availability.html#ext-subm", target="_top" ]; } subgraph cluster_rev_prx_http { "rev-prx-http001" [ href="../appendices/firewall-high-availability.html#rev-prx-http", target="_top" ]; "rev-prx-http002" [ href="../appendices/firewall-high-availability.html#rev-prx-http", target="_top" ]; } "vlan 4..7" -> "vlan0004"; "vlan0004" -> "ext-mx-in001", "ext-mx-in002" [ label="eth0" ]; "ext-mx-in001", "ext-mx-in002" -> "vlan0104" [ label="eth1" ]; "vlan 4..7" -> "vlan0005" -> "ext-mx-out001", "ext-mx-out002" -> "vlan0105"; "vlan 4..7" -> "vlan0006" -> "ext-subm001", "ext-subm002" -> "vlan0106"; "vlan 4..7" -> "vlan0007" -> "rev-prx-http001", "rev-prx-http002" -> "vlan0107"; } "vlan 104..107" [shape="point", size=0]; "vlan0104", "vlan0105", "vlan0106", "vlan0107" -> "vlan 104..107"; subgraph cluster_fw_ext_inn { "fw-ext-inn001" [href="../appendices/firewall-high-availability.html#fw-ext-inn", target="_top"]; "fw-ext-inn002" [href="../appendices/firewall-high-availability.html#fw-ext-inn", target="_top"]; } "vlan 104..107" -> "fw-ext-inn001", "fw-ext-inn002"; "vlan0200" [href="../appendices/firewall-high-availability.html#vlan0200", target="_top"]; "vlan0201" [shape="point", size=0]; "vlan0300" [href="../appendices/firewall-high-availability.html#vlan0300", target="_top"]; "fw-ext-inn001", "fw-ext-inn002" -> "vlan0200", "vlan0201"; subgraph cluster_fw_int { "fw-int001" [href="../appendices/firewall-high-availability.html#fw-int", target="_top"]; "fw-int002" [href="../appendices/firewall-high-availability.html#fw-int", target="_top"]; } subgraph cluster_net_internal { "vlan0301" [shape="point", size=0]; "vlan0302" [shape="point", size=0]; "vlan0303" [shape="point", size=0]; "vlan0304" [shape="point", size=0]; "vlan0305" [shape="point", size=0]; "vlan0306" [shape="point", size=0]; "vlan0307" [shape="point", size=0]; "vlan0308" [shape="point", size=0]; "vlan0309" [shape="point", size=0]; "vlan0310" [shape="point", size=0]; "vlan0311" [shape="point", size=0]; "vlan0312" [shape="point", size=0]; "vlan0313" [shape="point", size=0]; "vlan0314" [shape="point", size=0]; "vlan0315" [shape="point", size=0]; "vlan0316" [shape="point", size=0]; subgraph cluster_int_mx { "int-mx001" [href="../appendices/firewall-high-availability.html#int-mx", target="_top"]; "int-mx002" [href="../appendices/firewall-high-availability.html#int-mx", target="_top"]; } subgraph cluster_dbr { "dbr001" [href="../appendices/firewall-high-availability.html#dbr", target="_top"]; "dbr002" [href="../appendices/firewall-high-availability.html#dbr", target="_top"]; } subgraph cluster_dbw { "dbw001" [href="../appendices/firewall-high-availability.html#dbw", target="_top"]; "dbw002" [href="../appendices/firewall-high-availability.html#dbw", target="_top"]; } subgraph cluster_ldapr { "ldapr001" [href="../appendices/firewall-high-availability.html#ldapr", target="_top"]; "ldapr002" [href="../appendices/firewall-high-availability.html#ldapr", target="_top"]; } subgraph cluster_ldapw { "ldapw001" [href="../appendices/firewall-high-availability.html#ldapw", target="_top"]; "ldapw002" [href="../appendices/firewall-high-availability.html#ldapw", target="_top"]; } subgraph cluster_memc_pub { "memc-pub001" [href="../appendices/firewall-high-availability.html#memc-pub", target="_top"]; "memc-pub002" [href="../appendices/firewall-high-availability.html#memc-pub", target="_top"]; } subgraph cluster_memc_pvt { "memc-pvt001" [href="../appendices/firewall-high-availability.html#memc-pvt", target="_top"]; "memc-pvt002" [href="../appendices/firewall-high-availability.html#memc-pvt", target="_top"]; } subgraph cluster_roundcube { "roundcube001" [href="../appendices/firewall-high-availability.html#roundcube", target="_top"]; "roundcube002" [href="../appendices/firewall-high-availability.html#roundcube", target="_top"]; } subgraph cluster_chwala { "chwala001" [href="../appendices/firewall-high-availability.html#chwala", target="_top"]; "chwala002" [href="../appendices/firewall-high-availability.html#chwala", target="_top"]; } subgraph cluster_activesync { "activesync001" [href="../appendices/firewall-high-availability.html#activesync", target="_top"]; "activesync002" [href="../appendices/firewall-high-availability.html#activesync", target="_top"]; } subgraph cluster_wap { "wap001" [href="../appendices/firewall-high-availability.html#wap", target="_top"]; "wap002" [href="../appendices/firewall-high-availability.html#wap", target="_top"]; } subgraph cluster_hkccp { "hkccp001" [href="../appendices/firewall-high-availability.html#hkccp", target="_top"]; "hkccp002" [href="../appendices/firewall-high-availability.html#hkccp", target="_top"]; } subgraph cluster_ext_imapf { "ext-imapf001" [href="../appendices/firewall-high-availability.html#ext-imapf", target="_top"]; "ext-imapf002" [href="../appendices/firewall-high-availability.html#ext-imapf", target="_top"]; } subgraph cluster_int_imapf { "int-imapf001" [href="../appendices/firewall-high-availability.html#int-imapf", target="_top"]; "int-imapf002" [href="../appendices/firewall-high-availability.html#int-imapf", target="_top"]; } subgraph cluster_imapb { "imapb001" [href="../appendices/firewall-high-availability.html#imapb", target="_top"]; "imapb002" [href="../appendices/firewall-high-availability.html#imapb", target="_top"]; } subgraph cluster_imapm { "imapm001" [href="../appendices/firewall-high-availability.html#imapm", target="_top"]; "imapm002" [href="../appendices/firewall-high-availability.html#imapm", target="_top"]; } } "vlan0201" -> "fw-int001", "fw-int002" -> "vlan0300", "vlan0301", "vlan0302", "vlan0303", "vlan0304", "vlan0305", "vlan0306", "vlan0307", "vlan0308", "vlan0309", "vlan0310", "vlan0311", "vlan0312", "vlan0313", "vlan0314", "vlan0315", "vlan0316"; "vlan0301" -> "int-mx001", "int-mx002"; "vlan0302" -> "dbr001", "dbr002"; "vlan0303" -> "dbw001", "dbw002"; "vlan0304" -> "ldapr001", "ldapr002"; "vlan0305" -> "ldapw001", "ldapw002"; "vlan0306" -> "memc-pub001", "memc-pub002"; "vlan0307" -> "memc-pvt001", "memc-pvt002"; "vlan0308" -> "roundcube001", "roundcube002"; "vlan0309" -> "chwala001", "chwala002"; "vlan0310" -> "activesync001", "activesync002"; "vlan0311" -> "wap001", "wap002"; "vlan0312" -> "hkccp001", "hkccp002"; "vlan0313" -> "ext-imapf001", "ext-imapf002"; "vlan0314" -> "int-imapf001", "int-imapf002"; "vlan0315" -> "imapb001", "imapb002"; "vlan0316" -> "imapm001", "imapm002"; } Systems ======= .. _fw-ext-out: ``fw-ext-out`` -------------- Connected to :ref:`vlan0001` on ``eth0``. This interface does not to be 802.1q encapsulated. Connected to :ref:`vlan0003` on ``eth1``. This link should either be 802.1q encapsulated natively, on the switch, or connect to ``eth1`` on :ref:`fw-ext-out`. Let the IP address on ``eth1`` be ``10.0.3.1/24``. Connected to :ref:`vlan0004` on ``eth2.4``. This link is 802.1q encapsulated by ``fw-ext-out``. The ``eth2`` interface can be connected to as many additional 802.1q encapsulated perimeter networks as necessary and appropriate. Routes are added for perimeter network vlans 7 through 11. .. _ext-mx-in: ``ext-mx-in`` ------------- .. _ext-mx-out: ``ext-mx-out`` -------------- .. _fw-ext-inn: ``fw-ext-inn`` -------------- VLANs ===== .. _vlan0001: vlan0001 -------- This network is associated with the Internet, and includes any IP space not your own. It may be associated with a router peering network. .. _vlan0002: vlan0002 -------- Let this be the IP space allocated by your ISP, or `1.2.3.0/24`. .. _vlan0003: vlan0003 -------- Let this be a segment of a Class A private IP space, or `10.0.3.0/24`. .. _vlan0004: vlan0004 -------- Let this be a segment of a Class A private IP space, or `10.0.4.0/24`. External Inbound Mail Exchangers ================================ .. _ext-mx-in001: ``ext-mx-in001`` ---------------- * IP Address: ``10.0.4.1/24`` * Default Gateway: ``10.0.4.254`` * DNS: .. _ext-mx-in002: ``ext-mx-in002`` ----------------