On Friday 04 October 2002 17:19, Tim Cronin wrote:
> is having the director and the firewall on
> the same box not a valid configuration?
It sure is, but it won't protect the backend realservers if they have a
publicly reachable IP (AFAICS a requirement for LVS-DR to have the machine IP
in the same subnet as the VIPs, at least in our config win2k choked on it if
we didn't).
Therefore a frontend firewall that protects the whole network is rather nice
to have. OTOH, if it's an all-Linux solution you have much better firewalling
available for the realservers of course ;-)
And as you are using LVS-NAT this is much less of an issue for you anyway. An
extra centralized security layer never hurts, but isn't as necessary for you
as it is for us.
--
Martijn