[nflug] Firewalls

Christopher Hawkins chawkins at bplinux.com
Tue Nov 20 16:32:26 EST 2007


I've used a lot of individual projects to accomplish those same goals, but
putting them all together and trying to make it "intelligent" is quite an
undertaking. :-)
 
For the record, the LVS project ( http://www.linuxvirtualserver.org/ ) is a
great load balancer. You could have a linux box running iptables and LVS,
and you'd be able to distribute inbound connections anywhere you want. For
adding automatic detection of what has failed, you can use a monitoring
system like Mon ( http://mon.wiki.kernel.org )
and add your own custom checks and scripts. It has a two-tiered
architecture: a service check which must exit 0 or 1, and an alert (script)
that gets called when the check fails. For example, you might have an http
service check and an alert that removes the node from the pool in the event
of a failure. 
 
The linux HA project (http://linux-ha.org ) is great for adding fault
tolerance - it can quickly move an IP address / start / stop services from a
failed system to a backup system. I'd recommend sticking with version 1
though... V2 is quite complicated. I avoid it unless I absolutely need it.
For monitoring, I prefer Ganglia. I saw a post the other day from someone
who liked a new project called zabbix... It looked pretty cool, but I've
never used it.
 
So if it were me I'd probably build this using the projects mentioned above.
But as Brad said, the other problem here is how much are you willing to put
into this? You could build something really cool that does the job, but if
you can't really dedicate yourself to it, you may be better off buying a
piece of hardware pre-configured. Of course, if you do have the time to
invest, then you can probably build something even more advanced than what
you could buy. I've built a few systems like this, so if you have any
questions I'm happy to share. 
 
Chris
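The two-tier check/alert pattern Chris describes (a service check that exits 0 on success or 1 on failure, and an alert script that pulls the failed node out of the LVS pool) written out as an added Python example. This is not code from Mon, LVS or anyone on the thread; the virtual-service address, the real-server addresses and the two local HTTP servers the demo talks to are constructed for the example, and the alert only builds the `ipvsadm -d` command unless you explicitly ask it to run it (deleting a real server needs root and an LVS-enabled kernel).

```python
"""Mon-style two-tier monitor: an HTTP service check returning 0/1, and an
alert that removes the failed real server from an LVS virtual service.
Added example; addresses and servers below are constructed, not from the thread."""
import http.server
import subprocess
import threading
import urllib.error
import urllib.request


def check_http(url: str, timeout: float = 3.0) -> int:
    """Service check in Mon's convention: 0 when the node answers 2xx, else 1.
    Timeouts, refused connections and 4xx/5xx replies all count as failure."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return 0 if 200 <= resp.status < 300 else 1
    except (urllib.error.URLError, OSError, ValueError):
        return 1


def alert_remove_from_pool(vip: str, rip: str, run: bool = False) -> list:
    """Alert script: build the ipvsadm command that deletes real server `rip`
    from TCP virtual service `vip` (ipvsadm -d -t VIP:port -r RIP:port).
    Dry run by default; pass run=True on a real director (needs root)."""
    cmd = ["ipvsadm", "-d", "-t", vip, "-r", rip]
    if run:
        subprocess.run(cmd, check=True)
    return cmd


def monitor_once(vip: str, pool: dict, check=check_http) -> dict:
    """One monitoring pass: run the check against every real server in `pool`
    (real-server address -> URL to probe) and fire the alert for failures.
    Returns, per real server, the check result and the alert command (or None)."""
    report = {}
    for rip, url in pool.items():
        status = check(url)
        action = alert_remove_from_pool(vip, rip) if status != 0 else None
        report[rip] = {"check": status, "alert": action}
    return report


class _Handler(http.server.BaseHTTPRequestHandler):
    """Tiny stand-in web server whose reply status is fixed per instance."""
    status = 200

    def do_GET(self):
        self.send_response(self.status)
        self.send_header("Content-Length", "2")
        self.end_headers()
        self.wfile.write(b"ok")

    def log_message(self, *args):  # keep the demo output quiet
        pass


def _serve(status: int) -> http.server.HTTPServer:
    """Start a local HTTP server on an ephemeral port that always returns `status`."""
    handler = type("Handler%d" % status, (_Handler,), {"status": status})
    srv = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def demo() -> dict:
    """Run one pass against a healthy node (200) and a broken node (503).
    The VIP and real-server addresses are constructed placeholders; the probe
    URLs point at the two local servers so the demo runs offline."""
    healthy, broken = _serve(200), _serve(503)
    try:
        vip = "192.0.2.10:80"  # constructed VIP (TEST-NET-1 range)
        pool = {}
        for rip, srv in (("10.0.0.11:80", healthy), ("10.0.0.12:80", broken)):
            host, port = srv.server_address
            pool[rip] = "http://%s:%d/" % (host, port)
        return monitor_once(vip, pool)
    finally:
        for srv in (healthy, broken):
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    for rip, result in demo().items():
        print(rip, result)
```

In a real deployment the check and the alert would be two separate scripts that Mon invokes, with the check's exit code deciding whether the alert fires; the functions above keep that split so each half can be wired in on its own.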

  _____  

From: nflug-bounces at nflug.org [mailto:nflug-bounces at nflug.org] On Behalf Of
Robert Meyer
Sent: Tuesday, November 20, 2007 11:25 AM
To: nflug at nflug.org
Subject: [nflug] Firewalls


OK, my turn to ask a question.  I have a situation where our firewall (seven
or more years old) is no longer supported and it has been losing connections
on any box that I upgrade to a 2.6 kernel from a 2.4.  I have Netscreen 100
firewalls and can't even get firmware updates.

So, the question that I post to the group:
I have a fairly fast Internet connection to Vaspian.  I have an environment
with 30+ servers and less than 10 workstations that need to be connected.  I
need to be able to have the web servers (about 6 for the moment) accessible
on the Internet but I have to be able to use stateful NAT to be able to have
the firewall point to several web servers for a single IP address for load
balancing, etc.  If the firewall did some monitoring to determine that a web
server has failed and can remove it from the pool, that would be a bonus.

I intend to start monitoring the servers with Nagios so maybe Nagios could
be used to control the web server pools.

I have actually thought about building a Linux firewall to do all of this,
using shorewall but I don't know about the server pool thing.  I haven't
researched that at all.

So, I'm soliciting opinions.  I need to know as many options as I can so
that I can make an intelligent decision on this.  Note that we're expecting
significant growth in our traffic, here.  As always, cheaper is better.

Thanks...

Cheers!

Bob

