Building a fault-tolerant firewall system with virtual machines: Introduction


By combining conntrackd, the netfilter connection tracking daemon, with a High Availability (HA) service provided by keepalived, we can build a fault-tolerant firewall system. With qemu and spice, the system is built on virtual machines that are almost as friendly to use as physical ones. Users can access the virtual machines remotely via the spice protocol and can copy and paste between a virtual machine and the real machine, and between virtual machines. USB devices can also be redirected from the real machine to a virtual machine and used there as if they were attached to a physical machine.
This series of articles introduces building and running a fault-tolerant firewall system through a real-world example. It covers techniques for creating virtual network interfaces, designing virtual machines through qemu command-line parameters, accessing and using remote virtual machines with spice, running the spice agent on the virtual machines to communicate with the spice server on the host, configuring X to use the qxl video driver on the virtual machines, configuring network interfaces with systemd, routing, network address translation, configuring HA and running keepalived on the firewall machines, integrating conntrackd into the system and running conntrackd.service on the firewall machines, and so on. Finally, a set of stateful packet filtering rules is set up, specific to each network interface on the firewall machines, to specify which services the client is allowed to access on the server.
In the figure below, when the client machine wants to access any service on the server omarine, every packet must go through a firewall system consisting of two machines, fw-1 and fw-2. This is the primary/backup model of the HA system: only one firewall machine at a time is responsible for packet filtering. If fw-1 starts first it becomes the primary firewall and fw-2 the backup. When the client accesses omarine, a packet with a destination address of will leave the client at its interface eth0. It crosses the bridge br1 and reaches the firewall fw-1 at interface eth1. The packet does not enter the firewall machine itself but is forwarded from eth1 to eth0. The packet filtering rule set is active from the moment eth1 receives the packet and decides whether to accept the packet or drop it on the floor. If accepted, the packet leaves the firewall's eth0 interface, crosses the bridge br0, and enters omarine at its eth0 interface.

Although the firewall fw-2 does not perform packet filtering, conntrack states are replicated to it through the eth2 interfaces of the two firewalls, which are connected via the bridge br2.
If the firewall fw-1 fails, the firewall fw-2 immediately becomes active. Because it holds the full set of packet filtering tracking states, fw-2 can distinguish an established connection from a new one from the moment of handover, and takes over as the primary firewall effectively.
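The following is an added example, not code from the original article: a small pure-Python model of the fw-1/fw-2 primary/backup pair that shows why replicating conntrack state to the backup matters at failover. The interface names eth0/eth1/eth2 follow the article; the allowed-service list, the addresses and the sample packets are constructed for the example, and the "replication" is a direct copy into the backup's table standing in for conntrackd over eth2.

```python
"""Model of an HA stateful firewall pair with conntrack-state replication.

Added example (not the article's code). Interface names follow the article;
the allowed services, addresses and packets below are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

FiveTuple = Tuple[str, str, int, str, int]

# New flows that the client side (eth1) may open toward the server side (eth0).
# Constructed for this example; the article does not list its services.
ALLOWED_NEW: Set[Tuple[str, int]] = {("tcp", 22), ("tcp", 443)}


@dataclass(frozen=True)
class Packet:
    in_iface: str    # interface the firewall received the packet on
    out_iface: str   # interface it would be forwarded out of
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def flow(self) -> FiveTuple:
        return (self.proto, self.src, self.sport, self.dst, self.dport)

    def reverse_flow(self) -> FiveTuple:
        return (self.proto, self.dst, self.dport, self.src, self.sport)


@dataclass
class Firewall:
    name: str
    conntrack: Set[FiveTuple] = field(default_factory=set)  # models the kernel ct table
    peer: Optional["Firewall"] = None  # backup receiving replicated state (conntrackd over eth2)

    def ct_state(self, pkt: Packet) -> str:
        """'established' if either direction of the flow is already tracked."""
        if pkt.flow() in self.conntrack or pkt.reverse_flow() in self.conntrack:
            return "established"
        return "new"

    def forward(self, pkt: Packet) -> str:
        """Stateful FORWARD decision in the spirit of the article's per-interface rules."""
        if self.ct_state(pkt) == "established":
            return "accept"                       # continuation or reply of a known flow
        if (pkt.in_iface, pkt.out_iface) == ("eth1", "eth0") \
                and (pkt.proto, pkt.dport) in ALLOWED_NEW:
            self.conntrack.add(pkt.flow())        # kernel creates a ct entry
            if self.peer is not None:             # conntrackd pushes it to the backup
                self.peer.conntrack.add(pkt.flow())
            return "accept"
        return "drop"                             # anything else, incl. new flows from the server side


def failover_scenario(replicate: bool) -> dict:
    """Open a flow through fw-1, fail it over, then push the server's reply through fw-2."""
    fw1 = Firewall("fw-1")
    fw2 = Firewall("fw-2")
    if replicate:
        fw1.peer = fw2
    client, server = "10.0.1.10", "10.0.0.5"      # constructed addresses
    syn = Packet("eth1", "eth0", "tcp", client, 40000, server, 443)
    first = fw1.forward(syn)
    # fw-1 fails; keepalived moves the addresses to fw-2 and later packets hit fw-2.
    reply = Packet("eth0", "eth1", "tcp", server, 443, client, 40000)
    unsolicited = Packet("eth0", "eth1", "tcp", server, 5555, client, 6666)
    return {
        "syn_on_fw1": first,
        "reply_state_on_fw2": fw2.ct_state(reply),
        "reply_on_fw2": fw2.forward(reply),
        "unsolicited_on_fw2": fw2.forward(unsolicited),
    }


if __name__ == "__main__":
    for rep in (True, False):
        print("replicated" if rep else "not replicated", failover_scenario(rep))
```

With replication the server's reply is seen by fw-2 as part of an established flow and is accepted; without it, the same reply arrives on eth0 as a "new" flow and the per-interface rule drops it, which is exactly the mid-connection breakage the conntrackd synchronisation over eth2 is there to prevent. The unsolicited connection from the server side is dropped in both cases.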

Here is a series of snapshots from the actual activity.
