Building a fault-tolerant firewall system with virtual machines: Configuring HA and conntrackd



Once the network topology has been established, configuring the HA and conntrackd becomes simple.

HA Configuration
Keepalived uses the VRRP (Virtual Router Redundancy Protocol) to provide the HA system. We take the sample configuration file keepalived.conf from the doc/sync directory of the conntrack-tools package, copy it to the /etc/keepalived directory and modify the parameters accordingly. The actual configuration file is as follows:

#
# Simple script for primary-backup setups
#

vrrp_sync_group G1 {   # must be before vrrp_instance declaration
  group {
    VI_1
    VI_2
  }
  notify_master "/etc/conntrackd/primary-backup.sh primary"
  notify_backup "/etc/conntrackd/primary-backup.sh backup"
  notify_fault "/etc/conntrackd/primary-backup.sh fault"
}

vrrp_instance VI_1 {
    interface eth1
    state SLAVE
    virtual_router_id 61
    priority 80
    advert_int 3
    authentication {
      auth_type PASS
      auth_pass papas_con_tomate
    }
    virtual_ipaddress {
        192.168.2.100   # default CIDR mask is /32
    }
}

vrrp_instance VI_2 {
    interface eth0
    state SLAVE
    virtual_router_id 62
    priority 80
    advert_int 3
    authentication {
      auth_type PASS
      auth_pass papas_con_tomate
    }
    virtual_ipaddress {
        192.168.0.100
    }
}

We first define a VRRP synchronization group named G1. This group has two members, VI_1 and VI_2, which are the two VRRP instances defined below it. The instance VI_1 runs on interface eth1 with the virtual IP address 192.168.2.100, and the instance VI_2 runs on interface eth0 with the virtual IP address 192.168.0.100, as shown in the detailed instance configurations. primary-backup.sh is a script that is also located in the doc/sync directory; we copy it to the /etc/conntrackd directory. The notify_master, notify_backup and notify_fault declarations make keepalived run this script, so that conntrackd takes the appropriate actions when the firewall transitions to primary, backup or fault, respectively.
When a firewall becomes primary, it recovers the connections for packet filtering from the state it held as the previous backup. When a firewall becomes backup, it re-syncs with the primary firewall. And when a firewall fails, it can also clean up garbage when it receives the notification. That is the capability Keepalived provides. As a result, the firewall system works seamlessly with the HA system to act as a fault-tolerant firewall.
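The transition handler that keepalived calls through the notify_* lines, as an added example modelled on the primary-backup.sh that conntrack-tools ships in doc/sync (this is a rewrite, not the page's or the project's file). It assumes conntrackd at /usr/sbin/conntrackd and its configuration at /etc/conntrackd/conntrackd.conf; the client flags are the documented conntrackd(8) commands.

```shell
#!/bin/sh
# /etc/conntrackd/primary-backup.sh: VRRP transition handler run by keepalived
# via notify_master/notify_backup/notify_fault with "primary", "backup" or
# "fault" as its only argument. Added example modelled on the conntrack-tools
# sample in doc/sync; the two paths below are assumptions.

CONNTRACKD_BIN=${CONNTRACKD_BIN:-/usr/sbin/conntrackd}
CONNTRACKD_CONFIG=${CONNTRACKD_CONFIG:-/etc/conntrackd/conntrackd.conf}

# Print the conntrackd client commands for a transition, one flag per line,
# so the sequence can be inspected (or tested) without a running daemon.
transition_commands() {
    case "$1" in
    primary)
        # -c  commit the external cache (states received while backup) to the kernel
        # -f  flush the internal and external caches
        # -R  resync the internal cache from the kernel table
        # -B  send a bulk update so the new backup starts from our full table
        printf '%s\n' -c -f -R -B ;;
    backup)
        # -t  shorten kernel conntrack timers so stale entries expire quickly
        # -n  request a full resync from the new primary
        printf '%s\n' -t -n ;;
    fault)
        # -t  only expire stale entries; there is nothing to sync while in fault
        printf '%s\n' -t ;;
    *)
        echo "usage: $0 {primary|backup|fault}" >&2
        return 2 ;;
    esac
}

# Run the commands for a transition, stopping at the first one that fails so
# the failure is visible in the handler's exit status.
run_transition() {
    transition_commands "$1" | while read -r flag; do
        "$CONNTRACKD_BIN" -C "$CONNTRACKD_CONFIG" "$flag" || exit 1
    done
}

# Act only when keepalived passes a state; sourcing the file runs nothing.
case "${1:-}" in
    primary|backup|fault) run_transition "$1" ;;
esac
```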

Configuring conntrackd
The configuration file is conntrackd.conf located in the /etc/conntrackd directory. The file contents are as follows:

Sync {
    Mode FTFW {
        ResendQueueSize 131072
        PurgeTimeout 60
        ACKWindowSize 300
        DisableExternalCache Off
    }
    UDP {
        IPv4_address 192.168.100.100
        IPv4_Destination_Address 192.168.100.200
        Port 3780
        Interface eth2
        SndSocketBuffer 1249280
        RcvSocketBuffer 1249280
        Checksum on
    }
    Options {
        TCPWindowTracking Off
        # ExpectationSync On
    }
}

General {
    Systemd on
    HashSize 32768
    HashLimit 131072

    # The default logfile is /var/log/conntrackd.log
    LogFile on
    LockFile /var/lock/conntrack.lock
    UNIX {
        Path /var/run/conntrackd.ctl
    }
    NetlinkBufferSize 2097152
    NetlinkBufferSizeMaxGrowth 8388608
    NetlinkOverrunResync On
    NetlinkEventsReliable Off
    # PollSecs 15
    EventIterationLimit 100

    Filter From Kernelspace {
        Protocol Accept {
            TCP
            SCTP
            DCCP
            # UDP
            # ICMP
            # IPv6-ICMP
        }
        Address Ignore {
            IPv4_address 127.0.0.1 # loopback
            IPv4_address 192.168.2.100 # virtual IP 1
            IPv4_address 192.168.0.100 # virtual IP 2
            IPv4_address 192.168.2.1
            IPv4_address 192.168.0.1
            IPv4_address 192.168.100.100 # dedicated link ip
            IPv6_address ::1
        }
        # State Accept {
        #    ESTABLISHED CLOSED TIME_WAIT CLOSE_WAIT for TCP
        # }
    }
}

Some parameters use their default values. There are a few points worth noting:
    • conntrackd synchronizes the firewalls in FTFW (Fault Tolerant Firewall) mode. In this mode conntrackd tracks its messages, so this is a reliable synchronization mode.
    • The two firewalls use UDP for the synchronization traffic, with interface eth2 as the dedicated link: address 192.168.100.100 for the firewall fw-1 and 192.168.100.200 for the firewall fw-2.
    • conntrackd has a user-configurable event filter to monitor and synchronize the tracking state of only certain traffic flows. There are three kinds of filtering: by protocol, by IP address and by flow state.
    • The configuration file above filters the event messages in kernel space instead of user space. This reduces CPU consumption, because filtered-out events never have to be copied from kernel space to user space.
    • Only three layer 4 protocols are synchronized: TCP, SCTP and DCCP. That does not mean other protocols are left unprotected: conntrackd is a userspace tool that recovers connections after a failure; it does not reduce the functionality of the kernel, which still applies the ruleset in its firewall role to protect the network.
    • Local addresses are ignored because packets are only forwarded through the firewall.
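An added consistency check for the last point, not part of the article or of conntrack-tools: it extracts the keepalived virtual IPs and the conntrackd dedicated-link address and reports any that are missing from the Address Ignore block. The awk parsing assumes the one-directive-per-line layout shown above, and the embedded sample files are constructed for the stand-alone run.

```shell
#!/bin/sh
# Added consistency check, not part of the article or of conntrack-tools:
# every keepalived virtual IP and the conntrackd dedicated-link address must be
# listed under "Address Ignore" in conntrackd.conf, or conntrackd will try to
# replicate flows that terminate on the firewall itself.

# Print the virtual_ipaddress entries of a keepalived.conf, mask stripped.
keepalived_vips() {
    awk '/virtual_ipaddress[[:space:]]*[{]/ { inblk = 1; next }
         inblk && /[}]/ { inblk = 0 }
         inblk && NF    { sub(/\/.*/, "", $1); print $1 }' "$1"
}

# Print the IPv4_address entries of one block ("UDP" or "Address Ignore").
conntrackd_block_ips() {
    awk -v blk="$2" '$0 ~ ("^[[:space:]]*" blk "[[:space:]]*[{]") { inblk = 1; next }
         inblk && /[}]/ { inblk = 0 }
         inblk && $1 == "IPv4_address" { print $2 }' "$1"
}

# Print each local address that is NOT ignored; empty output means consistent.
missing_ignores() {
    ignored=$(conntrackd_block_ips "$2" "Address Ignore")
    { keepalived_vips "$1"; conntrackd_block_ips "$2" UDP; } | while read -r ip; do
        printf '%s\n' "$ignored" | grep -qxF "$ip" || echo "$ip"
    done
}

# Constructed sample files (not the article's): VI_2's 192.168.0.100 is
# deliberately missing from the ignore list so the check has something to find.
write_samples() {
    printf '%s\n' 'vrrp_instance VI_1 {' '  virtual_ipaddress {' \
        '    192.168.2.100   # default CIDR mask is /32' '  }' '}' \
        'vrrp_instance VI_2 {' '  virtual_ipaddress {' '    192.168.0.100/24' \
        '  }' '}' > "$1/keepalived.conf"
    printf '%s\n' 'Sync {' '  UDP {' '    IPv4_address 192.168.100.100' \
        '    IPv4_Destination_Address 192.168.100.200' '  }' '}' 'General {' \
        '  Filter From Kernelspace {' '    Address Ignore {' \
        '      IPv4_address 127.0.0.1 # loopback' \
        '      IPv4_address 192.168.2.100 # virtual IP 1' \
        '      IPv4_address 192.168.100.100 # dedicated link ip' \
        '    }' '  }' '}' > "$1/conntrackd.conf"
}

# "sh check.sh --demo" runs against the samples; in production pass
# /etc/keepalived/keepalived.conf and /etc/conntrackd/conntrackd.conf instead.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d); write_samples "$d"
    missing_ignores "$d/keepalived.conf" "$d/conntrackd.conf"; rm -rf "$d"
fi
```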

Integrating conntrackd into the system
conntrackd is integrated into the system by running conntrackd.service, which has the following contents:

[Unit]
Description=netfilter connection tracking user-space daemon
After=network-online.target
Wants=network-online.target
Documentation=man:conntrackd(8)

[Service]
Type=notify
NotifyAccess=all
KillMode=control-group
# ExecStartPre=/usr/sbin/nfct add helper ftp inet tcp
ExecStart=/usr/sbin/conntrackd
ExecStop=/usr/sbin/conntrackd -k

[Install]
WantedBy=multi-user.target

Right after the service starts it at boot, conntrackd is ready for the client commands issued by the HA system's transition script.
