On Tuesday, 15 April 2008 08:43, Sameer Garg wrote:
> Hi All,
>
> We have been experiencing D/DoS on http. The LVS is unaffected by the
> D/DoS but the real servers are suffering. Beside the D/DoS the LVS is
> currently handling 5 subdomains and approximately 10QPS.
>
> We are using LVS-Tun configuration. Due to our distributed setup and
> service provider limitation we can't put a perimeter firewall so we
> are thinking of stopping them at or before the LVS.
>
> At the director I have tuned the route flush and route garbage
> collection variables but that is all I could figure out. After reading
> the howto and the mailing list I have concluded that it is possible
> to use iptables with LVS-DR and LVS-NAT. Is it advisable to put
> iptables on the director in a LVS-TUN setup?
Yes. It is even necessary if you take LVS decisions based on the mangle
table.
> Unrelated question: Anybody using an open-source firewall iptables/pf in
> production for 100M connection?
>
> Sameer
Not that I have seen in production, but should be possible. Perhaps this helps:
http://lists.sans.org/pipermail/unisog/2005-August/025040.html
--
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Address: Bretonischer Ring 7; 85630 Grasbrunn; Germany
Tel: +49 - 89 - 45 69 11 0
Fax: +49 - 89 - 45 69 11 21
mob: +49 - 174 - 343 28 75
mail: misch@xxxxxxxxxxx
web: www.multinet.de
Registered office: 85630 Grasbrunn
Court of registration: Amtsgericht München HRB 114375
Managing directors: Günter Jurgeneit, Hubert Martens
---
PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Skype: misch42
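The reply above says iptables on an LVS-Tun director is not only possible but required when the scheduling decision is based on the mangle table. The following script, an added example that is not part of the thread and not code from either poster, shows what that looks like in practice: the mangle PREROUTING chain tags HTTP traffic to the VIP with a firewall mark, ipvsadm defines the virtual service on that fwmark with the real servers reached over IPIP tunnels (-i), and the filter INPUT chain drops per-source SYN floods before the IPVS LOCAL_IN hook ever sees them, so the flood never reaches the tunnelled real servers. The VIP, real server addresses, mark value and limits are assumptions for illustration; by default the script only prints the commands, and APPLY=1 executes them (which needs root and the iptables/ipvsadm binaries).

```shell
#!/bin/sh
# Added example (not from the thread): iptables + ipvsadm rules for an LVS-Tun
# director that (a) marks HTTP-to-VIP packets in the mangle table so IPVS can
# schedule on the fwmark, and (b) drops per-source HTTP floods in filter/INPUT.
# Addresses, mark and limits below are assumptions, not values from the thread.
VIP="${VIP:-192.0.2.10}"                              # assumed VIP (TEST-NET-1)
REAL_SERVERS="${REAL_SERVERS:-10.0.0.11 10.0.0.12}"   # assumed real server IPs
HTTP_MARK="${HTTP_MARK:-80}"                          # assumed fwmark for HTTP
CONN_LIMIT="${CONN_LIMIT:-50}"   # assumed max concurrent TCP conns per source /32
RATE="${RATE:-30/sec}"           # assumed new-connection rate per source address
BURST="${BURST:-60}"             # assumed burst allowance for that rate

# Print each rule on one line unless APPLY=1, in which case execute it.
emit() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# 1. mangle/PREROUTING: tag HTTP packets for the VIP so IPVS matches on fwmark.
mark_rules() {
    emit iptables -t mangle -A PREROUTING -d "$VIP" -p tcp --dport 80 \
        -j MARK --set-mark "$HTTP_MARK"
}

# 2. filter/INPUT: per-source limits on new connections. The VIP is a local
#    address on the director, so these rules run before the IPVS LOCAL_IN hook
#    and dropped SYNs are never tunnelled to a real server.
flood_rules() {
    emit iptables -A INPUT -d "$VIP" -p tcp --dport 80 --syn \
        -m connlimit --connlimit-above "$CONN_LIMIT" --connlimit-mask 32 -j DROP
    emit iptables -A INPUT -d "$VIP" -p tcp --dport 80 --syn \
        -m hashlimit --hashlimit-above "$RATE" --hashlimit-burst "$BURST" \
        --hashlimit-mode srcip --hashlimit-name http_syn -j DROP
}

# 3. ipvsadm: virtual service keyed on the fwmark (-f), real servers added with
#    -i so the director forwards to them over IPIP tunnels (LVS-Tun).
lvs_rules() {
    emit ipvsadm -A -f "$HTTP_MARK" -s wlc
    for rs in $REAL_SERVERS; do
        emit ipvsadm -a -f "$HTTP_MARK" -r "$rs" -i -w 1
    done
}

# Full rule set for the director, in the order the packet traverses it.
director_rules() {
    mark_rules
    flood_rules
    lvs_rules
}

director_rules
```

Because the mark is set in PREROUTING and the flood filtering in INPUT, the two are independent: the connlimit/hashlimit rules protect the real servers whether or not the virtual service is fwmark-based, and the fwmark service lets one ipvsadm entry cover every port or address the mangle rules choose to tag. Tune CONN_LIMIT and RATE against real traffic before applying them; at 10 QPS the defaults above are generous, but a large NAT in front of legitimate users can look like a single flooding source.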