Re: ipvs and cluster firewall

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: ipvs and cluster firewall
From: octane indice <octane@xxxxxxxxxx>
Date: Fri, 14 Apr 2006 09:49:07 +0200
In reply to Joseph Mack NA3T <jmack@xxxxxxxx>:
> > Do you know if you can do something like carp+pfsync with
> linux+ipvs.
> 
> no-one has posted that they've done it.
>
Has anyone ever tried?
 
> > I can do it easily with keepalived and a VRRP
> method and same ruleset but it  means that all 
> connections are lost when master comes down.
> 
> you use the server synch state demon, which
> (as you state  below) has overhead. Any protocol
> that updates state  information on a backup machine
> is going to have overhead.
> 
I don't care. I have a dedicated link to update this
information. My upcoming link from internet is 20Mb
and the link between both PCs will have 100Mb

> > Carp is available for Linux too.
> > yes carp is available for linux but not pfsync which
> > is what I need.
> 
> pfsync updates the firewall state (I believe) on the
> backup,  but not the ipvs connection table. Even with
> carp, you still  have to transfer the ipvs table.
> 
yes but in the first place, I will not use virtual server

> > I have 2 questions:
> > First is it possible to use ipvs in this way?
> >        .----FW backup---.
> >       /        |         \
> > INET---         |          +---LAN
> >       \        |         /
> >        `----FW master---'
> > a master, a backup, firewall scripts and update
> > in real time of the ip_conntrack?
> 
> yes, if the two FW machines are directors, that
> also have  firewall rules on them.
> 
What I want to do is update firewall state.
Scenario:
A client from the LAN is accessing whatever server on the
internet.
The firewall master takes this connection. It does
masquerading/natting/whatever with this connection.
The master firewall crashes.
The backup firewall comes up. The connection between
the client on the LAN and the internet is not broken.
The master firewall comes back to life.
The connection from the client goes through the master
firewall without interruption.

So it means that both firewalls (master and backup)
should update each other's conntrack.

> > Second: and what if I add load balancing of
> > servers from the firewall?
> 
> I don't understand this question. Do you mean
> updating the  virtual services with ipvsadm on the
> two firewall/director  machines?
> 
In fact, in the first schema you have:
an incoming link from the internet, two firewalls, and clients
on a LAN.
Nothing more. No services provided.

Then, if that works, I want to add a DMZ
to become something like this:
        .----FW backup---.
       /        | \       \
INET---         |  |       +---LAN
       \        |  |      /
        `----FW master---'
                 \ |
                  \|
                   \ 
                   DMZ

On the firewall(s), VIP of the services. Real 
servers in the DMZ.

And with the same behavior:
A client on the internet asks for a service provided,
he passes through the master, the master comes
down, and the service continues without interruption
through the backup.
But that sort of thing is explained in
http://www.austintek.com/LVS/LVS-HOWTO/HOWTO/LVS-HOWTO.failover.html
I think.


> Joe
> 
> -- 
> Joseph Mack NA3T EME(B,D), FM05lw North Carolina
> jmack (at) wm7d (dot) net - azimuthal equidistant map
> generator at http://www.wm7d.net/azproj.shtml 
> Homepage http://www.austintek.com/ It's GNU/Linux!
> _______________________________________________
> LinuxVirtualServer.org mailing list -
> lvs-users@xxxxxxxxxxxxxxxxxxxxxx
> Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
> or go to http://www.in-addr.de/mailman/listinfo/lvs-users
> 
> ------------------- End of original message ---------------------
