On 2001-12-15T17:20:13,
Fabrice <fabrice@xxxxxxxxxx> said:
> If I use something like that:
>
>           [Internet]
>               |
>               |
>           [LVS Box]
>               |
>       +-------+-------+
>       |               |
> [Firewall 1]    [Firewall 2]
Your firewall is slower than the LVS box? Don't you want to have two LVS boxes
too, for redundancy?
> As I understand, the SH scheduler lets you be
> sure that a connection coming from the LAN and
> going through Firewall 2 will get the LVS box to
> redirect all received packets for that connection
> to Firewall 2.
Yes.
> What's wrong with having the returned packets
> go through Firewall 1? TCP/IP allows different routes
> for the packets, and in both cases the client will
> receive the packet (simply not from the same
> firewall).
If the firewall is doing connection tracking and filtering on that, it might
not allow the packets through because it hasn't seen the full connection.
Sincerely,
Lars Marowsky-Brée <lmb@xxxxxxx>
--
Perfection is our goal, excellence will be tolerated. -- J. Yahl
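The connection-tracking point above, as an added example that is not part of the original thread or of LVS: a toy Python model in which a stateful firewall only forwards replies for connections it saw opened, and a source-hash pick (a simplified stand-in for the ipvs `sh` idea, not its real implementation) pins a client to one firewall. The client and server addresses, ports and the hash function are constructed for the example.

```python
import hashlib
from dataclasses import dataclass

# Toy model for illustration; not LVS/ipvs or netfilter code.
# Addresses, ports and the hash are constructed for the example.

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False


class StatefulFirewall:
    """Forwards only packets belonging to a connection it saw being opened."""

    def __init__(self, name):
        self.name = name
        self.conntrack = set()  # 4-tuples of connections opened through this box

    def forward(self, pkt):
        flow = (pkt.src, pkt.dst, pkt.sport, pkt.dport)
        reverse = (pkt.dst, pkt.src, pkt.dport, pkt.sport)
        if pkt.syn:
            self.conntrack.add(flow)  # new connection from the LAN side
            return True
        # A reply is accepted only if the matching outbound flow is known.
        return flow in self.conntrack or reverse in self.conntrack


def source_hash(ip, backends):
    """Pick a firewall from the source address (stand-in for the 'sh' idea)."""
    digest = hashlib.sha256(ip.encode()).digest()
    return backends[int.from_bytes(digest[:4], "big") % len(backends)]


def reply_gets_through(pinned):
    """Open a LAN->Internet connection via one firewall, then route the reply
    back through the same firewall (pinned=True) or through the other one."""
    firewalls = [StatefulFirewall("Firewall 1"), StatefulFirewall("Firewall 2")]
    client, server = "192.168.1.20", "203.0.113.10"  # constructed addresses
    request = Packet(client, server, 40000, 80, syn=True)
    reply = Packet(server, client, 80, 40000)
    outbound = source_hash(client, firewalls)
    outbound.forward(request)
    inbound = outbound if pinned else next(f for f in firewalls if f is not outbound)
    return inbound.forward(reply)


if __name__ == "__main__":
    print("same firewall :", reply_gets_through(pinned=True))   # True
    print("other firewall:", reply_gets_through(pinned=False))  # False
```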