
Re: can LVS be run ON the firewall box?

To: "K.W." <kathiw@xxxxxxxxx>
Subject: Re: can LVS be run ON the firewall box?
Cc: <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
From: Julian Anastasov <ja@xxxxxx>
Date: Mon, 19 Feb 2001 23:52:32 +0000 (GMT)
        Hello,

On Mon, 19 Feb 2001, K.W. wrote:

> Hi,
>
> After a disappointing experience with iptables, which I can't get to do
> load-balancing at this point, I am turning to ipchains and LVS to
> firewall and load balance two web servers.
>
> I'm sorry if this is such a basic question, but I have not seen the
> answer in the LVS archives, and did not receive an answer from the
> ipchains list: can I run my ipchains firewall and LVS (piranha in this
> case) on the same box? It would seem that I cannot, since ipchains can't
> understand virtual interfaces such as eth0:1, etc.

        I'm not sure whether piranha already supports kernel 2.4, I
have to check it. ipchains does not understand interface aliases even
in Linux 2.2. Any setup that uses such aliases can be implemented
without using them. I don't know of routing restrictions that
require using aliases.

> I have a full ipchains firewall script, which works (includes port
> forwarding), and a stripped-down ipchains script just for LVS, and they
> each work fine separately. When I merge them, I can't reach even just
> the firewall box. As I mentioned, I suspect this is because of the
> virtual interfaces required by LVS.

        LVS does not require any (virtual) interfaces. LVS never
checks the devices nor any aliases. I'm also not sure what the port
forwarding support in ipchains is. Is that the support provided
from ipmasqadm: the portfw and mfw modules? If yes, they are not
implemented (yet). And this support is not related to ipchains
at all. Some good features are still not ported from Linux 2.2 to
2.4, including all these useful autofw things. But you can use LVS
in the places where you use ipmasqadm portfw/mfw but not for the autofw
tricks. LVS can perfectly do the portfw job and even extend it
after the NAT support: there are DR and TUN methods too.

> If running both services on one box is impossible, do I need two boxes
> with two NICs each? Seems like an awful lot of translation will be going
> on, which could impede performance.

        Yep, the transition can be complex but for load balancing with
firewall support I don't see problems. Maybe you will have some
problems with the ipchains -j MASQ support but I'm not sure. And
the firewall rules are simple to move to iptables commands.

> Any help and/or ideas are much appreciated. I will be happy to provide
> more details if necessary.

        Yes, without the details everything is theory.

> thanks,
>
> Kathi Whalen


Regards

--
Julian Anastasov <ja@xxxxxx>


