High performance HA Firewall

We built a redundant, high-performance firewall for a computing centre using two Linux servers equipped with multiport Ethernet cards.

The firewall was built with free software (iptables, ucarp, OpenVPN) on two rack servers fitted with multiport Ethernet cards, ten interfaces in total. The interfaces were bonded and each firewall was connected to two switches in trunk mode, so that no single server, network card, link or switch is a single point of failure.

Building the system presented two obstacles:

  • the complexity of the rule set, caused by the large number of IP addresses involved,
  • the lack of reliable documentation of the system being replaced.

The first was addressed by modularizing the rules. The second was solved in a less conventional way, with virtual servers running Jenkins: each Jenkins server tested a pool of connections, so that every function of the whole system could be tested in isolation. This setup let us move from the legacy firewall to a more efficient one with minimal downtime, and it keeps checking automatically for changes in the system's behaviour.
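The page does not show its rule modules, so the following shell script is an added example, not the project's own configuration, of the kind of modularization described above: one user-defined chain per service, address groups kept in variables (one file each in practice), a FORWARD chain that only dispatches, and a consistency check of the kind a Jenkins job can run before loading anything. Interface names, services and addresses (RFC 5737 documentation ranges) are assumed for illustration.

```shell
#!/bin/sh
# Modular iptables rule set generator, emitted in iptables-restore format.
# Added example, not the project's own configuration. Interfaces, address
# groups and services are assumed for illustration; the addresses are taken
# from the RFC 5737 documentation ranges.

EXT_IF="bond0"   # assumed: internet-facing bonded trunk
INT_IF="bond1"   # assumed: server-facing bonded trunk

# Address groups. In a real deployment each group lives in its own file so a
# change to one service never touches another service's rules.
WEB_SERVERS="192.0.2.10 192.0.2.11 192.0.2.12"
MAIL_SERVERS="198.51.100.25 198.51.100.26"
ADMIN_NETS="203.0.113.0/28"

# declare_chain NAME: chain header; iptables-restore needs it before any -j NAME.
declare_chain() { printf ':%s - [0:0]\n' "$1"; }

# service_rules NAME "HOSTS" "PORTS": one self-contained module. It accepts new
# TCP connections to PORTS on HOSTS and logs and drops whatever else reaches it,
# so the chain can be reviewed and tested independently of the others.
service_rules() {
    _name=$1; _hosts=$2; _ports=$3
    for _h in $_hosts; do
        for _p in $_ports; do
            printf -- '-A %s -d %s -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
                "$_name" "$_h" "$_p"
        done
    done
    printf -- '-A %s -j LOG --log-prefix "%s-drop: "\n' "$_name" "$_name"
    printf -- '-A %s -j DROP\n' "$_name"
}

# build_ruleset: print the complete filter table.
build_ruleset() {
    printf '*filter\n'
    printf ':INPUT DROP [0:0]\n:FORWARD DROP [0:0]\n:OUTPUT ACCEPT [0:0]\n'
    declare_chain MGMT
    declare_chain SVC_WEB
    declare_chain SVC_MAIL

    # Shared stateful baseline.
    printf -- '-A INPUT -i lo -j ACCEPT\n'
    printf -- '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
    printf -- '-A INPUT -j MGMT\n'
    printf -- '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'

    # FORWARD only dispatches by destination; the decision lives in the module.
    for _h in $WEB_SERVERS; do
        printf -- '-A FORWARD -i %s -o %s -d %s -j SVC_WEB\n' "$EXT_IF" "$INT_IF" "$_h"
    done
    for _h in $MAIL_SERVERS; do
        printf -- '-A FORWARD -i %s -o %s -d %s -j SVC_MAIL\n' "$EXT_IF" "$INT_IF" "$_h"
    done

    # Management module: the CARP/VRRP heartbeat between the two nodes (ucarp
    # speaks IP protocol 112 to 224.0.0.18) on each side, OpenVPN on the
    # outside (default UDP 1194), SSH only from the admin networks inside.
    for _i in $EXT_IF $INT_IF; do
        printf -- '-A MGMT -i %s -p 112 -d 224.0.0.18 -j ACCEPT\n' "$_i"
    done
    printf -- '-A MGMT -i %s -p udp --dport 1194 -j ACCEPT\n' "$EXT_IF"
    for _n in $ADMIN_NETS; do
        printf -- '-A MGMT -i %s -s %s -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT\n' \
            "$INT_IF" "$_n"
    done
    printf -- '-A MGMT -j DROP\n'

    # Service modules.
    service_rules SVC_WEB "$WEB_SERVERS" "80 443"
    service_rules SVC_MAIL "$MAIL_SERVERS" "25 587 993"
    printf 'COMMIT\n'
}

# count_rules CHAIN: number of -A rules in CHAIN, for quick sanity checks.
count_rules() { build_ruleset | grep -c -- "^-A $1 "; }

# dangling_jumps: jump targets that are neither built-in targets nor chains
# declared in the rule set. Empty output means the modules fit together; a
# renamed or forgotten module shows up here before iptables-restore rejects it.
dangling_jumps() {
    _rs=$(build_ruleset)
    _known=" ACCEPT DROP REJECT LOG RETURN $(printf '%s\n' "$_rs" | sed -n 's/^:\([^ ]*\) .*/\1/p' | tr '\n' ' ') "
    printf '%s\n' "$_rs" | sed -n 's/.* -j \([A-Za-z0-9_]*\).*/\1/p' | sort -u |
        while read -r _t; do
            case "$_known" in *" $_t "*) ;; *) printf '%s\n' "$_t" ;; esac
        done
}

# Stand-alone use: "sh fw.sh print > rules.v4" writes the table, which can then
# be checked with "iptables-restore --test rules.v4" before loading it.
if [ "${1:-}" = "print" ]; then build_ruleset; fi
```

Because the generator is a plain script, a CI job can run it, fail on any output from dangling_jumps or from iptables-restore --test, and only then push the file to the two nodes; the count_rules helper gives the same job a cheap regression check when an address group changes size.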

A set of Check_MK checks on a remote server completes the test environment by monitoring the availability of the services exposed to the internet.