ipvs and cluster firewall

To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: ipvs and cluster firewall
From: octane indice <octane@xxxxxxxxxx>
Date: Thu, 13 Apr 2006 15:20:39 +0200
Hello

Do you know if you can do something like carp+pfsync with linux+ipvs?

My goal is to have two firewalls, a master and a backup.
Both sharing the same IP: VIP

I can do it easily with keepalived and a VRRP method and same ruleset but it 
means that all connections are lost when master comes down.

I want to know if ipvs is the solution.
I read the LVS Howto there:
http://www.austintek.com/LVS/LVS-HOWTO/HOWTO/LVS-HOWTO.filter_rules.html
But it's more likely to put a firewall on top of the director.

I then read
http://www.austintek.com/LVS/LVS-HOWTO/HOWTO/LVS-HOWTO.server_state_sync_demon.html

but I saw: "Note that the feature of connection synchronization is under
experiment now, and there is some performance penalty when connection
synchronization, because a highly loaded load balancer may need to multicast
a lot of connection information. If the daemon is not started, the performance
will not be affected."

and from:
http://www.austintek.com/LVS/LVS-HOWTO/HOWTO/LVS-HOWTO.failover.html
"Honestly, as good as LVS is for real server load balancing, for firewalls I
like OpenBSD with CARP and pfsync. CARP+pfsync provides easy, scalable load
balancing and HA for firewalls. pf, the OpenBSD firewall, is very well written
and nicely designed. Give it a look, www.openbsd.com.
Note
Carp is available for Linux too."

Yes, carp is available for Linux, but not pfsync, which is what I need.

I have 2 questions:
First: is it possible to use ipvs in this way?
        .----FW backup---.
       /        |         \
INET---         |          +---LAN
       \        |         /
        `----FW master---'
a master, a backup, firewall scripts and update in real time of the 
ip_conntrack?

Second: and what if I add load balancing of servers from the firewall?

Thanks

