On Wed, 2005-05-04 at 19:09 -0400, Mack.Joseph@xxxxxxxxxxxxxxx wrote:
> > Most of the setups I see describe a layered approach:
> >
> > firewall
> > |
> > lb (lvs director)
> > /|\
> > http servers
> >
> > Is there any technical advantage to separating the
> > firewall and lb onto
> > different pieces of hardware? Is it a requirement?
>
> It was till recently. The director is a specialised router
> and its own idea of routing bypassed attempts by netfilter
> to affect the routing of packets. This has been mostly fixed
> so that the director looks like a normal node now, but you
> still have to keep your head on straight. See the howto for
> making your director a firewall
>
> Joe

I was looking at the lvs-howto in the section "18. LVS: Running a
firewall on the director: Interaction between LVS and netfilter
(iptables)."

Is this considered stable now? It looks like it was updated over a year
ago. I'd asked before if any firewall projects include LVS support in
their distribution; does anyone know?