[nflug] Firewalls

Darin Perusich Darin.Perusich at cognigencorp.com
Wed Nov 21 10:19:10 EST 2007


For load-balancing/pooling your web servers you'll want to use 
ldirectord which is part of the linux-ha project. I set this up for a 
friend a few years ago and it's pretty simple and bomb proof. Take a 
look at the Ultra Monkey project (http://www.ultramonkey.org) for a lot 
of really good information on combining linux-ha and LVS.

OpenBSD's pf (packet filter) has this capability built in with pools. 
You can combine this with OpenBSD's CARP (common address resolution 
protocol) and you have a truly redundant firewall/load-balancer.

Robert Meyer wrote:
> OK, my turn to ask a question.  I have a situation where our firewall 
> (seven or more years old) is no longer supported and it has been losing 
> connections on any box that I upgrade to a 2.6 kernel from a 2.4.  I 
> have Netscreen 100 firewalls and can't even get firmware updates.
> 
> So, the question that I post to the group:
> I have a fairly fast Internet connection to Vaspian.  I have an 
> environment with 30+ servers and less than 10 workstations that need to 
> be connected.  I need to be able to have the web servers (about 6 for 
> the moment) accessible on the Internet but I have to be able to use 
> stateful NAT to be able to have the firewall point to several web 
> servers for a single IP address for load balancing, etc.  If the 
> firewall did some monitoring to determine that a web server has failed 
> and can remove it from the pool, that would be a bonus.
> 
> I intend to start monitoring the servers with Nagios so maybe Nagios 
> could be used to control the web server pools.
> 
> I have actually thought about building a Linux firewall to do all of 
> this, using shorewall but I don't know about the server pool thing.  I 
> haven't researched that at all.
> 
> So, I'm soliciting opinions.  I need to know as many options as I can so 
> that I can make an intelligent decision on this.  Note that we're 
> expecting significant growth in our traffic, here.  As always, cheaper 
> is better.
> 
> Thanks...
> 
> Cheers!
> 
> Bob

-- 
Darin Perusich
Unix Systems Administrator
Cognigen Corporation
395 Youngs Rd.
Williamsville, NY 14221
Phone: 716-633-3463
Email: darinper at cognigencorp.com
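As an added example (not from Darin's message or anything on the list), here is a minimal OpenBSD pf.conf of that era for the setup he describes: an rdr pool spreading port 80 across three web servers behind one public address, with that address owned by a CARP interface and firewall state synced over pfsync so the backup can take over without dropping connections. Interface names, addresses and the CARP password are placeholders.

```pf
# Added example, not from the original post. Interface names, addresses
# and the CARP password below are placeholders for illustration.
#
# One-time host setup on each firewall (same vhid and password on both,
# a higher advskew on the backup so the primary wins the election):
#   sysctl net.inet.carp.allow=1 net.inet.carp.preempt=1
#   ifconfig carp0 create
#   ifconfig carp0 vhid 1 pass CHANGE_ME advskew 0 carpdev em0 203.0.113.5/24
#   ifconfig pfsync0 syncdev em2 up
#
ext_if  = "em0"          # Internet side
int_if  = "em1"          # server LAN
sync_if = "em2"          # dedicated crossover link for pfsync
web_vip = "203.0.113.5"  # public address shared by both firewalls
web_servers = "{ 192.0.2.10, 192.0.2.11, 192.0.2.12 }"

set skip on lo

# Spread inbound HTTP across the pool. sticky-address keeps a given
# client source address on the same backend so session-bound apps
# behave. pf itself does NOT health-check pool members: a dead server
# stays in the rotation until this list is edited and reloaded
# (pfctl -f /etc/pf.conf), which is where an external monitor such as
# Nagios, or OpenBSD's own hoststated/relayd, would come in.
rdr on $ext_if proto tcp from any to $web_vip port 80 \
    -> $web_servers round-robin sticky-address

# Default deny, then allow only what the pool and the failover need.
block log all

# CARP election traffic between the firewalls, pfsync state traffic on
# the private link only.
pass quick on { $ext_if, $int_if } proto carp keep state
pass quick on $sync_if proto pfsync

# Translated HTTP traffic to the backends (rdr has already rewritten
# the destination by the time these filter rules are evaluated).
pass in on $ext_if proto tcp from any to $web_servers port 80 \
    flags S/SA keep state
pass out on $int_if proto tcp from any to $web_servers port 80 keep state

# Let the servers and workstations reach the Internet.
pass out on $ext_if from $int_if:network keep state
```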

