> > IPs into a second box, behind the wall, running ipvsadm.
>
> I assume you mean the box is a director.
Yes, my terminology is less than normal today.
> > if it is and if so, what I should expect.
>
> sometimes it works OK and sometimes it doesn't.
So is this something you would recommend we explore, or just go back to
using a dual server system? When it does work, does it work reliably or
does it sometimes fail?
> > * Firewall would be 1.1.1.2 on eth0
> > * Firewall would also have aliases for 1.1.1.3, 1.1.1.4, and 1.1.1.5 on
> > eth0
>
> use secondary IPs not aliases.
Sorry, again terminology, but then again, let me ask the question. We
add additional IPs in /etc/sysconfig/network-scripts/ifcfg-eth:<id>.
Is that considered secondary or alias?
Or should we be using ip addr add?
>
> > iptables would have this:
> >
> > -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
>
> accept nic:VIP:port, all else reject
>
We reject everything to begin with. I wanted to make sure I was on
the right track. I still assume that I want to use INPUT and not FORWARD
(at least at this point) as the traffic is technically coming into the
firewall.
BTW, thanks for the quick response.
Gary
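The setup discussed in this exchange, written out as an added example (not a script from the thread or from the LVS project): the VIPs are added to the director's public NIC with `ip addr add` rather than through `ifcfg-eth0:N` alias files, and iptables accepts exactly nic:VIP:port on INPUT and rejects everything else. IPVS hooks into the kernel at LOCAL_IN, so packets addressed to a VIP are seen by the INPUT chain, not FORWARD, which is why the rules below live in INPUT. The interface name, the VIP list and port 80 are assumptions taken from the thread; the script only prints the commands unless it is invoked with `apply`, so it can be reviewed before touching a live director.

```shell
#!/bin/sh
# Added example, not from the original thread. Interface, VIPs and port are
# assumptions lifted from the discussion above; override them via the
# environment. Default mode is a dry run that prints the commands; pass
# "apply" as the first argument (as root) to execute them.

NIC="${NIC:-eth0}"
PORT="${PORT:-80}"
VIPS="${VIPS:-1.1.1.3 1.1.1.4 1.1.1.5}"

# Print the command when DRY_RUN is set, otherwise execute it.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Add each VIP as a secondary address on the NIC. No "label eth0:N" is
# given, so these are plain secondary addresses rather than the old
# ifconfig-style aliases. "|| true" keeps the script re-runnable when an
# address already exists.
add_vips() {
    for vip in $VIPS; do
        run ip addr add "$vip/32" dev "$NIC" || true
    done
}

# Rebuild INPUT: loopback and established replies first, then one explicit
# accept per nic:VIP:port, then reject the remainder. IPVS intercepts VIP
# traffic at LOCAL_IN, so INPUT (not FORWARD) is the chain that matters for
# the director's public side.
firewall_vips() {
    run iptables -F INPUT
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for vip in $VIPS; do
        run iptables -A INPUT -i "$NIC" -d "$vip" -p tcp --dport "$PORT" -j ACCEPT
    done
    run iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable
}

# Helper for checking the generated rule set: number of per-VIP ACCEPT rules
# the dry run emits (one per VIP).
accept_rule_count() {
    ( DRY_RUN=1; firewall_vips ) | grep -c -- "--dport $PORT -j ACCEPT"
}

# Helper for checking the address setup: number of "ip addr add" commands
# the dry run emits (one per VIP).
vip_add_count() {
    ( DRY_RUN=1; add_vips ) | grep -c "ip addr add"
}

if [ "${1:-}" = "apply" ]; then
    add_vips
    firewall_vips
else
    DRY_RUN=1
    add_vips
    firewall_vips
fi
```

Run it once without arguments to see the full command list, compare the per-VIP ACCEPT lines against the addresses you expect to be public, and only then run `sh script.sh apply` on the director. Anything that must still reach the director itself (ssh from the inside, for example) needs its own ACCEPT ahead of the final REJECT, since the rules above deliberately admit only the VIP:port traffic.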