"Kenneth E. Lussier" wrote:
> 
> What separates web farms, and most other internet services, from
> firewalls is that most internet servers don't really care what
> their IP address is, and neither does a client of that service.
> With a firewall, IP addresses are extremely important. Sure, you
> can write an IPChains script using domain names for most things,
> but an internal machine needs to know the IP address of the
> firewall, or an internal router needs to know it. So, in order to
> cluster a firewall, you would need one node to assume all IP
> addresses of the hung system, and you would need some way to kill
> the hung box so that there is no way it can come back up
> unexpectedly. If two firewalls suddenly exist on the same network
> with all of the same IP addresses, you have just found the most
> efficient way of taking down both the internal and external
> networks ;-) Cisco has a box called the Local Director that
> handles this, but as with all things Cisco, it costs. As for Open
> Source systems that do it, the names that I have heard tossed
> around are Ultramonkey (VA), Piranha (RedHat), LVS (??), and
> Kimberlite (MCLX).
> 
> Kenny
> 

LVS was developed by Wensong Zhang <wensong at iinchina.net>, homed at
www.linuxvirtualserver.org, and is the basis of Ultramonkey and
Piranha.  It's designed for doing redirection of web requests (let's
see how good my text drawing is):

                  ------------
                  | firewall |
                  ------------
                       |
            ---------------------------
            |                         |
   -----------------         -----------------
   | lvs director1 |         | lvs director2 |
   -----------------         -----------------
            |                         |
   ---------------------------------------------------
   |                       |                         |
----------------  ----------------  ----------------
| web server 1 |  | web server 2 |  | web server 3 |
----------------  ----------------  ----------------

If I understand lvs right, it can do the takeover from lvs 1 to lvs
2.  The LVS code can do a variety of ways of redirecting the load
between the webservers.  I don't know if the LVS could do the
firewall, as it's mainly load redirection (i.e. you'd end up with
traffic to an external lvs, then redirected to the firewall).  Another
thing to look at, since firewalls should be pretty static, is
heartbeat, from the linux-ha project (www.linux-ha.org).  However, if
you want logs to fail over (dynamic content), you would have to put
together something that redirects the writes over the network between
the boxes (drbd is a module to do network disk mirroring).  Or, use
shared SCSI to have the disks share the same raid array, so they both
see the same data (Kimberlite solution, in my (biased, as I work
there; shameless plug like Kenny's) opinion - oss.missioncriticallinux.com).
And, we kill the other node, so only one will write to the log,
guaranteed (I don't have to worry about sounding like marketing, I'm
in sales - want a support contract? ;-)


-- 
jeff smith
---------------------------------------------------------------------------------
thought for the day:  Reality does not exist -- yet.

**********************************************************
To unsubscribe from this list, send mail to
[EMAIL PROTECTED] with the following text in the
*body* (*not* the subject line) of the letter:
unsubscribe gnhlug
**********************************************************
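The thread's central point (a standby firewall may assume the failed node's addresses only after the hung box has been killed, or two boxes end up holding the same IPs) can be made concrete with a small model. The following is an added example, not code from the thread or from any of the projects it names (LVS, heartbeat, Kimberlite). Node names fw1/fw2, the documentation-range addresses and the FenceDevice class are made up for illustration; the fence device stands in for whatever power switch or STONITH mechanism a real cluster would use.

```python
"""Toy model of two-node firewall failover: take over IPs only after fencing.

Added example, not from the original posts.  It shows why a standby that
assumes the peer's addresses without first killing the peer risks a
duplicate-IP outage when the "hung" peer wakes up again.
"""
from dataclasses import dataclass, field

# Constructed: the firewall's external and internal addresses (RFC 5737 ranges).
VIPS = ("192.0.2.1", "198.51.100.1")


@dataclass
class Node:
    name: str
    alive: bool = True        # powered on
    hung: bool = False        # powered on but not answering heartbeat
    fenced: bool = False      # switched off by the fence device
    addrs: set = field(default_factory=set)

    def heartbeat(self) -> bool:
        """True when the peer would see this node's heartbeat."""
        return self.alive and not self.hung and not self.fenced

    def wake(self) -> None:
        """A hung node recovers; unless fenced it still holds its addresses."""
        if not self.fenced:
            self.hung = False


class FenceDevice:
    """Hypothetical power switch / STONITH device; may itself fail."""

    def __init__(self, works: bool = True):
        self.works = works

    def power_off(self, node: Node) -> bool:
        if self.works:
            node.fenced = True
            node.alive = False
            node.addrs.clear()
        return self.works


def failover(active: Node, standby: Node, fence: FenceDevice,
             require_fence: bool) -> str:
    """Standby's reaction to the active node's heartbeat.

    Returns 'no-failover' while the peer answers, 'takeover' when the standby
    assumed the VIPs, or 'blocked' when fencing was required but failed.
    """
    if active.heartbeat():
        return "no-failover"
    if require_fence and not fence.power_off(active):
        # Peer may still be alive: staying down beats two firewalls on one IP.
        return "blocked"
    standby.addrs.update(VIPS)
    return "takeover"


def duplicate_ips(*nodes: Node) -> set:
    """Addresses currently claimed by more than one powered-on node."""
    owners = {}
    for n in nodes:
        if n.alive and not n.fenced:
            for a in n.addrs:
                owners.setdefault(a, []).append(n.name)
    return {a for a, who in owners.items() if len(who) > 1}


def scenario(require_fence: bool, fence_works: bool = True) -> tuple:
    """fw1 hangs, fw2 reacts, then fw1 'comes back up unexpectedly'."""
    fw1 = Node("fw1", addrs=set(VIPS))
    fw2 = Node("fw2")
    fw1.hung = True
    result = failover(fw1, fw2, FenceDevice(fence_works), require_fence)
    fw1.wake()
    return result, sorted(duplicate_ips(fw1, fw2))


if __name__ == "__main__":
    print("no fencing:      ", scenario(require_fence=False))
    print("fencing works:   ", scenario(require_fence=True))
    print("fencing broken:  ", scenario(require_fence=True, fence_works=False))
```

Without fencing the takeover succeeds, but as soon as fw1 wakes both nodes answer for both addresses, which is the outage Kenny describes. With fencing, fw1 is powered off before fw2 touches the addresses; and when the fence device itself fails, the standby refuses to take over rather than gamble on the peer being dead.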
