On 2000-03-15T15:45:04,
"Christopher E. Brown" <[EMAIL PROTECTED]> said:
> Linux when used with the virtual server clustering system has
> this effect (with certain config types), but it does not do this in a
> transparent mode for non-clustered servers like the PIX does.
No.
> In other words, for certain cluster types the cluster
> controller's SYN cookie mech kicks in,
This only protects the LVS system from running out of memory by randomly
dropping connections. This does NOT protect a real server from being SYN
flooded.
Of course, if you distribute the incoming connections to 10 servers, this
makes it ten times as hard to SYN flood that system, but still.
> as well as the Linux firewall
> doing the randomization of packet sequence numbers.
No. Unless you mean what happens with masquerading, but that is a side effect.
> There is another option with Linux however. The QoS system
> can be used to control *any* IP packets. It is fairly simple to limit
> SYN rates on a site-wide or per-server basis. Even per server per
> service.
Then you are _rate limiting_. This is different from SYN protection like the PIX
does.
> End all, systems like the PIX suck, they cause a double action for
> every connection, form a wonderful SPOF,
That's why you have two of those in a failover configuration, as with any
firewall.
> and may screw things with
> interesting IP stacks (they *MUST* be the entry/exit for that
> network...).
As any other firewall.
Sincerely,
Lars Marowsky-Brée <[EMAIL PROTECTED]>
Development HA
--
Perfection is our goal, excellence will be tolerated. -- J. Yahl
-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to [EMAIL PROTECTED]
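The distinction the reply draws (a director's SYN cookies only keep the director itself alive, rate limiting drops SYNs without knowing whether they are spoofed, and a PIX-style box completes the handshake itself before the real server ever sees a connection) can be made concrete with a small simulation. This is an added example, not code from the thread, from LVS, Linux or Cisco: the three front-end classes, the real server's backlog size, the flood size, the token-bucket rate and the simplified cookie layout (an 8-bit counter over a 24-bit HMAC) are all assumptions, and the PIX behaviour is modelled as a stateless cookie-answering proxy.

```python
"""Toy model of three ways to put a box in front of a TCP server during a
spoofed SYN flood: plain forwarding (an LVS-style director), SYN rate limiting
(what tc/iptables-style limits give you) and a handshake-intercepting proxy
that answers with SYN cookies (the PIX-style behaviour the reply describes).
Added example for this thread, not code from LVS, Linux or Cisco; backlog
sizes, flood sizes, the token-bucket rate and the cookie layout are assumptions."""
import hashlib
import hmac
import random

SERVER = ("192.0.2.10", 80)          # assumed real-server address
SECRET = b"front-end-cookie-secret"  # assumed per-box secret

def syn_cookie(src, sport, dst, dport, counter):
    """Stateless ISN: 8-bit time counter in the top byte, 24-bit MAC of the
    4-tuple and counter below it (simplified layout; MSS encoding omitted)."""
    msg = f"{src}:{sport}>{dst}:{dport}/{counter}".encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).digest()[:3]
    return ((counter & 0xFF) << 24) | int.from_bytes(mac, "big")

def check_cookie(src, sport, dst, dport, acknum, now, window=2):
    """Accept the handshake's final ACK only if ack-1 is a cookie we minted
    for this 4-tuple within `window` counter ticks. Needs no stored state."""
    isn = (acknum - 1) & 0xFFFFFFFF
    counter = isn >> 24
    if (now - counter) & 0xFF > window:
        return False
    expected = syn_cookie(src, sport, dst, dport, counter)
    return hmac.compare_digest(expected.to_bytes(4, "big"), isn.to_bytes(4, "big"))

class RealServer:
    """Ordinary stack: one half-open entry per SYN, finite backlog, no cookies."""
    def __init__(self, backlog):
        self.backlog, self.half_open, self.established = backlog, set(), 0
    def syn(self, flow):
        if len(self.half_open) >= self.backlog:
            return None                     # backlog full: SYN silently dropped
        self.half_open.add(flow)
        return random.getrandbits(32)       # server's own ISN
    def ack(self, flow):                    # sequence-number check omitted
        if flow not in self.half_open:
            return False
        self.half_open.remove(flow)
        self.established += 1
        return True

class Forwarder:
    """LVS-style director: every SYN reaches a real server, which keeps the state."""
    def __init__(self, server): self.server = server
    def syn(self, flow): return self.server.syn(flow)
    def ack(self, flow, acknum): return self.server.ack(flow)

class RateLimitedForwarder(Forwarder):
    """Token bucket on SYNs, one token back every `every` arrivals (arrival
    count stands in for time), capped at `burst`. It cannot tell a spoofed SYN
    from a real one, so when the bucket is empty both are dropped alike."""
    def __init__(self, server, burst, every):
        super().__init__(server)
        self.burst, self.every, self.tokens, self.seen = burst, every, burst, 0
    def syn(self, flow):
        self.seen += 1
        if self.seen % self.every == 0:
            self.tokens = min(self.burst, self.tokens + 1)
        if self.tokens == 0:
            return None
        self.tokens -= 1
        return self.server.syn(flow)

class HandshakeProxy:
    """PIX-style interception: answer every SYN with a cookie, store nothing,
    and open the server-side connection only once a valid ACK proves the
    client is real. Spoofed SYNs never reach the real server at all."""
    def __init__(self, server): self.server, self.t = server, 0
    def syn(self, flow):
        self.t += 1                              # crude clock: one tick per SYN
        return syn_cookie(*flow, *SERVER, self.t >> 6)
    def ack(self, flow, acknum):
        if not check_cookie(*flow, *SERVER, acknum, self.t >> 6):
            return False                         # forged or stale: ignore
        return self.server.syn(flow) is not None and self.server.ack(flow)

def run(mode, n_spoofed=1000, n_legit=100, backlog=256):
    """Flood first, then real clients. Returns
    (legit connections established, half-open entries left on the server)."""
    server = RealServer(backlog)
    front = {"forward": Forwarder(server),
             "ratelimit": RateLimitedForwarder(server, burst=32, every=10),
             "proxy": HandshakeProxy(server)}[mode]
    for i in range(n_spoofed):                   # spoofed sources never ACK
        front.syn((f"spoof-{i}", 40000))
    legit_ok = 0
    for i in range(n_legit):                     # real clients finish the handshake
        flow = (f"client-{i}", 50000)
        isn = front.syn(flow)
        if isn is not None and front.ack(flow, isn + 1):
            legit_ok += 1
    return legit_ok, len(server.half_open)

if __name__ == "__main__":
    for mode in ("forward", "ratelimit", "proxy"):
        print(mode, run(mode))
```

Running it shows the three outcomes side by side: the plain forwarder lets the flood fill the real server's backlog so every later real client is refused; the rate limiter keeps the backlog from overflowing but admits only one SYN in ten, spoofed or not, so most real clients are dropped too; the cookie-answering proxy keeps no state for the flood, passes nothing spoofed to the server, and every real client gets through. Spreading the same flood over ten real servers behind the forwarder would only raise the number of SYNs needed, as the reply notes, not change the outcome.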