Building a fault-tolerant firewall system with virtual machines: Configuring HA and conntrackd


Once the network topology has been established, configuring HA and conntrackd is straightforward.

HA Configuration
Keepalived uses the Virtual Router Redundancy Protocol (VRRP) to provide the HA system. We take the sample configuration file keepalived.conf from the doc/sync directory of the conntrack-tools package, copy it to /etc/keepalived and modify the parameters accordingly. The actual configuration file is as follows:

# Simple script for primary-backup setups

vrrp_sync_group G1 {   # must be before vrrp_instance declaration
  group {
    VI_1
    VI_2
  }
  notify_master "/etc/conntrackd/ primary"
  notify_backup "/etc/conntrackd/ backup"
  notify_fault "/etc/conntrackd/ fault"
}

vrrp_instance VI_1 {
    interface eth1
    state SLAVE
    virtual_router_id 61
    priority 80
    advert_int 3
    authentication {
      auth_type PASS
      auth_pass papas_con_tomate
    }
    virtual_ipaddress {   # default CIDR mask is /32
    }
}

vrrp_instance VI_2 {
    interface eth0
    state SLAVE
    virtual_router_id 62
    priority 80
    advert_int 3
    authentication {
      auth_type PASS
      auth_pass papas_con_tomate
    }
    virtual_ipaddress {
    }
}

First we define a VRRP synchronization group named G1. This group has two members, VI_1 and VI_2, which are two VRRP instances. Instance VI_1 runs on interface eth1 with its virtual IP address and instance VI_2 runs on interface eth0 with its virtual IP address, as shown in the detailed instance configurations. The transition script referenced by the notify declarations is also located in the doc/sync directory; we copy it to the /etc/conntrackd directory. The notify_master, notify_backup and notify_fault declarations make Keepalived run that script with the matching argument, so that conntrackd takes the corresponding action when the firewall transitions to primary, backup or fault.
When a firewall becomes primary, it recovers the connections in its packet-filtering state from what it collected while it was the backup. When a firewall becomes backup, it requests a resync from the primary firewall. And when a firewall enters the fault state, it can also clean up stale entries on receiving the notification. This is the capability Keepalived provides. As a result, the firewall system works seamlessly with the HA system to act as a fault-tolerant firewall system.
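As an added example, not the conntrack-tools transition script the text refers to, the following keepalived notify script maps each VRRP transition (primary, backup, fault) onto the conntrackd client commands that implement the behaviour just described: commit the external cache and resync on becoming primary, request a resync on becoming backup, and let the kernel entries expire on fault. The DRY_RUN switch and the CONNTRACKD_BIN variable are assumptions of this example; the conntrackd options -c, -f, -R, -B, -t and -n are the daemon's real client commands.

```shell
#!/bin/sh
# Added example (not conntrack-tools' own primary-backup script): a keepalived
# notify script that turns a VRRP state change into conntrackd client commands.
# Assumptions of this example: CONNTRACKD_BIN may be overridden from the
# environment, and DRY_RUN=1 prints the commands instead of running them.
CONNTRACKD_BIN="${CONNTRACKD_BIN:-/usr/sbin/conntrackd}"
DRY_RUN="${DRY_RUN:-0}"

# run_ctd FLAG: run one conntrackd client command, or print it in dry-run mode.
run_ctd() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'conntrackd %s\n' "$1"
    else
        "$CONNTRACKD_BIN" "$1"
    fi
}

# transition STATE: the command sequence for primary | backup | fault.
transition() {
    case "$1" in
        primary)
            run_ctd -c   # commit the external cache (what the peer sent us) into the kernel table
            run_ctd -f   # flush the internal and external caches
            run_ctd -R   # resync the internal cache with the kernel table
            run_ctd -B   # send a bulk update so the new backup starts with our state
            ;;
        backup)
            run_ctd -t   # shorten kernel timers so entries we no longer own expire
            run_ctd -n   # request a full resync from the new primary
            ;;
        fault)
            run_ctd -t   # on failure just let the kernel entries expire
            ;;
        *)
            echo "usage: $0 {primary|backup|fault}" >&2
            return 1
            ;;
    esac
}

# When invoked by keepalived the state name is the first argument.
if [ $# -ge 1 ]; then
    transition "$1"
fi
```

Installed at the path named in the notify_master, notify_backup and notify_fault declarations and marked executable, this is all Keepalived needs to drive conntrackd; running it with DRY_RUN=1 primary shows the command sequence without touching the connection tracking table.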

Configuring conntrackd
The configuration file is conntrackd.conf, located in the /etc/conntrackd directory. Its contents are as follows:

Sync {
    Mode FTFW {
        ResendQueueSize 131072
        PurgeTimeout 60
        ACKWindowSize 300
        DisableExternalCache Off
    }
    UDP {
        Port 3780
        Interface eth2
        SndSocketBuffer 1249280
        RcvSocketBuffer 1249280
        Checksum on
    }
    Options {
        TCPWindowTracking Off
        # ExpectationSync On
    }
}

General {
    Systemd on
    HashSize 32768
    HashLimit 131072

    # The default logfile is /var/log/conntrackd.log
    LogFile on
    LockFile /var/lock/conntrack.lock
    UNIX {
        Path /var/run/conntrackd.ctl
    }
    NetlinkBufferSize 2097152
    NetlinkBufferSizeMaxGrowth 8388608
    NetlinkOverrunResync On
    NetlinkEventsReliable Off
    # PollSecs 15
    EventIterationLimit 100

    Filter From Kernelspace {
        Protocol Accept {
            TCP
            SCTP
            DCCP
            # UDP
            # ICMP
            # IPv6-ICMP
        }
        Address Ignore {
            IPv4_address # loopback
            IPv4_address # virtual IP 1
            IPv4_address # virtual IP 2
            IPv4_address # dedicated link ip
            IPv6_address ::1
        }
        # State Accept {
        # }
    }
}

Some parameters keep their default values. A few points are worth noting:
    • conntrackd synchronizes the firewalls in FTFW (Fault Tolerant Firewall) mode. In this mode conntrackd tracks and acknowledges its messages, so synchronization is reliable.
    • The two firewalls use UDP for the synchronization traffic, with interface eth2 as the dedicated link: one address on the firewall fw-1 and one on the firewall fw-2.
    • conntrackd has user-configurable event filtering, so it monitors and synchronizes tracking state only for selected traffic flows. There are three kinds of filter: by protocol, by IP address, and by flow state.
    • The configuration above applies the event filter in kernel space rather than in user space. This reduces CPU consumption because filtered-out event messages are never copied from kernel space to user space.
    • Only three layer-4 protocols are synchronized: TCP, SCTP and DCCP. That does not mean other protocols are left unprotected. conntrackd is a userspace tool that recovers connections after a failure; it does not change how the kernel enforces the firewall ruleset that protects the network.
    • Local addresses are ignored because packets are only forwarded through the firewall.
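The points above translate into a few properties a deployment should satisfy before failover is trusted: the notify scripts keepalived will call must exist and be executable, the conntrackd sync channel must sit on a link separate from the VRRP interfaces, the sync mode must be FTFW, and the event filter must be applied in kernel space. The following script, an added example that is not part of conntrack-tools or keepalived, checks those properties against a keepalived.conf and conntrackd.conf pair. The function names are this example's own; the sample files it constructs mirror the layout shown on this page with the addresses omitted and a placeholder notify script name.

```shell
#!/bin/sh
# Added example, not part of conntrack-tools or keepalived: a pre-deployment
# consistency check for the keepalived.conf / conntrackd.conf pair described
# on this page. Function names and sample configs below are constructed.

# check_ha_configs KEEPALIVED_CONF CONNTRACKD_CONF
# Returns 0 when every check passes, 1 otherwise; findings go to stderr.
check_ha_configs() {
    kc="$1"; cc="$2"; rc=0

    # 1. Each notify_* script keepalived runs on a VRRP transition must exist and
    #    be executable, or conntrackd is never told to commit, resync or flush.
    scripts=$(awk '$1 ~ /^notify_(master|backup|fault)$/ { gsub(/"/, "", $2); print $2 }' "$kc" | sort -u)
    for s in $scripts; do
        if [ ! -x "$s" ]; then
            echo "notify script missing or not executable: $s" >&2; rc=1
        fi
    done

    # 2. The sync channel belongs on a dedicated link: the UDP Interface in
    #    conntrackd.conf must not be one of the VRRP interfaces.
    sync_if=$(awk '$1 == "Interface" { print $2; exit }' "$cc")
    for i in $(awk '$1 == "interface" { print $2 }' "$kc" | sort -u); do
        if [ "$i" = "$sync_if" ]; then
            echo "sync interface $sync_if is also a VRRP interface" >&2; rc=1
        fi
    done

    # 3. FTFW is the acknowledged, reliable sync mode; flag anything else.
    mode=$(awk '$1 == "Mode" { print $2; exit }' "$cc")
    if [ "$mode" != "FTFW" ]; then
        echo "Sync mode is '$mode', expected FTFW" >&2; rc=1
    fi

    # 4. Filtering in kernel space avoids copying unwanted events to user space.
    if ! grep -q '^[[:space:]]*Filter[[:space:]]*From[[:space:]]*Kernelspace' "$cc"; then
        echo "event filter is not applied in kernel space" >&2; rc=1
    fi
    return $rc
}

# write_sample_configs DIR: constructed samples in the layout shown on the page
# (addresses omitted; notify.sh is a placeholder for the real transition script).
write_sample_configs() {
    d="$1"
    printf '#!/bin/sh\nexit 0\n' > "$d/notify.sh"
    chmod +x "$d/notify.sh"
    cat > "$d/keepalived.conf" <<EOF
vrrp_sync_group G1 {
  group {
    VI_1
    VI_2
  }
  notify_master "$d/notify.sh primary"
  notify_backup "$d/notify.sh backup"
  notify_fault "$d/notify.sh fault"
}
vrrp_instance VI_1 {
    interface eth1
    state SLAVE
}
vrrp_instance VI_2 {
    interface eth0
    state SLAVE
}
EOF
    cat > "$d/conntrackd.conf" <<'EOF'
Sync {
    Mode FTFW {
        ResendQueueSize 131072
    }
    UDP {
        Port 3780
        Interface eth2
    }
}
General {
    Filter From Kernelspace {
        Protocol Accept {
            TCP
        }
    }
}
EOF
}

# demo_check: run the check against the constructed samples in a temp dir.
demo_check() {
    d=$(mktemp -d)
    write_sample_configs "$d"
    check_ha_configs "$d/keepalived.conf" "$d/conntrackd.conf"
    rc=$?
    rm -rf "$d"
    return $rc
}

# With two paths as arguments check those files, otherwise run the demo.
if [ $# -eq 2 ]; then
    check_ha_configs "$1" "$2"
else
    demo_check
fi
```

Run it as `sh check-ha.sh /etc/keepalived/keepalived.conf /etc/conntrackd/conntrackd.conf` on each firewall; a non-zero exit with the reasons on stderr means a transition would not behave as the text describes.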

Integrating conntrackd into the system
conntrackd is integrated into the system through the systemd unit conntrackd.service, whose contents are as follows:

[Unit]
Description=netfilter connection tracking user-space daemon

[Service]
# ExecStartPre=/usr/sbin/nfct add helper ftp inet tcp
ExecStart=/usr/sbin/conntrackd
ExecStop=/usr/sbin/conntrackd -k


As soon as the service starts it at boot, conntrackd is ready to accept the client commands issued by the HA system's transition script.
