> Thank you very much for the explanation! That really clears the fog for me.
How can there be fog in a country with so much sun? :)
> Anyways, I still have to enable the firewall rule since the customer
> will not be pleased if they acknowledge the absence of a firewall.
Do you have the tcp window tracking enabled? If not, you can also
disable the firewall. Netfilter without tcp window tracking is about as
useful as ipchains regarding packet injection. Also the connection
tracking which is used for the tcp window tracking is not honoured by
IPVS, so the TCP flows matching the IPVS setup are unprotected by
default. There is a patch floating around which deals with this problem,
however then you have the performance issue again.
Please note that my perception of performance might be significantly
different to yours. So for your setup netfilter might be performant enough.
> Somehow
> the connection/second is quite impressive already. Almost no overhead
> for 4 real servers.
Wensong once mentioned something along the lines of 60us additional
routing/packet rewriting overhead by IPVS, IIRC. Take this with a
tablespoon of salt, since I probably don't remember the correct number
anymore.
Best regards,
Roberto Nibali, ratz
--
-------------------------------------------------------------
addr://Kasinostrasse 30, CH-5001 Aarau tel://++41 62 823 9355
http://www.terreactive.com fax://++41 62 823 9356
-------------------------------------------------------------
10 years of expertise in IT security. 1996 - 2006
We secure your success. terreActive AG
-------------------------------------------------------------
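The two things Roberto asks about above, whether netfilter's TCP window tracking is enabled and whether IPVS flows are seen by connection tracking at all, can be checked from a sysctl dump. The script below is an added example and is not part of the post or of the LVS project; it assumes the sysctl names `net.netfilter.nf_conntrack_tcp_be_liberal` (0 = strict window tracking, 1 = out-of-window segments accepted) and `net.ipv4.vs.conntrack` (the IPVS-to-conntrack hand-off that later kernels mainlined; absent when IPVS is not loaded or built without it), and also accepts the 2.6-era name `net.ipv4.netfilter.ip_conntrack_tcp_be_liberal`. The sample dumps are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the mailing-list post. Audits a sysctl(8)-style
# dump ("key = value" lines) for the two settings discussed in the thread.
# Run it against a live box with: audit_tracking "$(sysctl -a 2>/dev/null)"

# Value of one sysctl key in a dump, or empty if the key is absent.
sysctl_value() {
    printf '%s\n' "$2" | awk -v k="$1" -F' = ' '$1 == k { print $2; exit }'
}

# Print one line per finding; return 0 only if both protections are in place.
audit_tracking() {
    dump="$1"
    rc=0

    # Strict TCP window tracking is what makes conntrack reject injected
    # segments that fall outside the tracked window.
    liberal=$(sysctl_value net.netfilter.nf_conntrack_tcp_be_liberal "$dump")
    [ -n "$liberal" ] || liberal=$(sysctl_value net.ipv4.netfilter.ip_conntrack_tcp_be_liberal "$dump")
    case "$liberal" in
        0) echo "tcp-window-tracking: strict" ;;
        1) echo "tcp-window-tracking: liberal (out-of-window segments accepted)"; rc=1 ;;
        *) echo "tcp-window-tracking: unknown (conntrack not loaded?)"; rc=1 ;;
    esac

    # Without this, IPVS-handled flows bypass conntrack entirely, so the
    # window tracking above never applies to the load-balanced traffic.
    vsct=$(sysctl_value net.ipv4.vs.conntrack "$dump")
    case "$vsct" in
        1) echo "ipvs-conntrack: on" ;;
        0) echo "ipvs-conntrack: off (IPVS flows bypass conntrack)"; rc=1 ;;
        *) echo "ipvs-conntrack: unknown (IPVS not loaded or built without conntrack support?)"; rc=1 ;;
    esac
    return "$rc"
}

# Constructed sample dumps (assumed values, not from a real host).
SAMPLE_STRICT='net.netfilter.nf_conntrack_tcp_be_liberal = 0
net.netfilter.nf_conntrack_tcp_loose = 1
net.ipv4.vs.conntrack = 1'

SAMPLE_LIBERAL='net.netfilter.nf_conntrack_tcp_be_liberal = 1
net.ipv4.vs.conntrack = 0'

# Demo run over both samples; the exit status is the audit verdict.
audit_tracking "$SAMPLE_STRICT"; echo "exit=$?"
audit_tracking "$SAMPLE_LIBERAL"; echo "exit=$?"
```

The second sample is the configuration Roberto describes as "about as useful as ipchains": window tracking is liberal and IPVS flows are not tracked, so the audit returns non-zero for it.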