RE: Linux and firewall load balancing
From: Peter Mueller (pmueller_at_sidestep.com)
Date: 09/23/03
- Previous message: Nick Lopez: "Re: Kerberos + OpenLDAP help needed."
- Maybe in reply to: John Kunkel: "RE: Linux and firewall load balancing"
- Next in thread: Callum D. Campbell: "Re: FW: Linux and firewall load balancing"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "'Keith T. Morgan'" <keith.morgan@terradon.com>, focus-linux@securityfocus.com
Date: Tue, 23 Sep 2003 14:38:43 -0700
Hello Keith,
> For some time, I've been considering writing a daemon to
> synchronize Linux state tables and firewall rulesets, and a
> bunch of other stuff to create a firewall load-balancing
> solution for Linux. However, I don't want to re-invent the
> wheel. Is anyone aware of a good open source
> HA/Load-balancing solution for Linux? IMO, this is one of
> the biggest features that separates Linux from the big
> commercial firewall vendors at the mid and high end.
There is no solution that will failover state as of yet. The closest
solution is Keepalived, which IMHO is quite a good solution on its own.
There is a feature 'LVS Synch Daemon' which might be a good enough solution
for you, depending on your setup.
Speaking of state tables: AFAIK LVS's Julian Anastasov and some of the other
guys are working on full integration into Netfilter / the kernel. A patch was
released a few months ago to do this functionality; it is out of date now, but
it was called the `Antefacto patch`. Maybe they are also working on full state
table transition during an unexpected failover.
(Chances are they aren't, go write up some code!)
> We're able to make Linux do 90-95% of the stuff the big
> commercial vendors can do, but we can't offer an open-source
> solution to the high-end customers that require redundancy
> and failover.
HA/failover is certainly around and has been around, but AFAIK the
state transition is still a little flaky. So if you have 500 HTTP
connections on your LVS server and your primary LVS box dies in NAT mode, it
could be a big problem. Anyway, it's only one piece of code to write; I bet
it would be cheaper to write than purchasing an "enterprise" solution.
> Sure would be nice if......
>
> I know, I know, get off my *** and write it.
8-)
Peter
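As an added illustration of the Keepalived plus LVS sync daemon setup Peter points to (this is example configuration written for this archive page, not anything from the thread or the Keepalived project), here is a two-node NAT-mode director pair: VRRP moves the virtual IP, and the sync daemon multicasts IPVS connection entries so the backup can keep forwarding existing flows after a failover. The `lvs_sync_daemon` syntax shown is the current keepalived.conf form; interface names, the 192.0.2.0/24 and 10.0.0.0/24 addresses and the VRRP password are constructed placeholders.

```conf
# /etc/keepalived/keepalived.conf on the primary director (example, constructed).
# The backup node uses the same file with "state BACKUP" and a lower priority.
global_defs {
    router_id LVS_DIRECTOR_1
    # Replicate the IPVS connection table over eth1 for VRRP instance VI_1.
    # This syncs IPVS entries only, not netfilter conntrack state, so any
    # iptables state tracking on the director still starts cold on failover.
    # The sync traffic is unauthenticated multicast: keep eth1 on a dedicated
    # link between the two directors, not on a client-facing network.
    lvs_sync_daemon eth1 VI_1 id 1
}

vrrp_instance VI_1 {
    state MASTER
    interface eth0
    virtual_router_id 51
    priority 100
    advert_int 1
    authentication {
        auth_type PASS
        auth_pass CHANGE_ME      # placeholder; VRRP PASS auth is weak, rely on network isolation
    }
    virtual_ipaddress {
        192.0.2.10/24 dev eth0   # public VIP that clients connect to
        10.0.0.1/24 dev eth2     # internal VIP: default gateway for the real servers (required for NAT)
    }
}

virtual_server 192.0.2.10 80 {
    delay_loop 6
    lb_algo rr
    lb_kind NAT                  # director rewrites destination and, on the way back, source addresses
    protocol TCP
    persistence_timeout 0
    real_server 10.0.0.11 80 {
        weight 1
        TCP_CHECK {
            connect_timeout 3
        }
    }
    real_server 10.0.0.12 80 {
        weight 1
        TCP_CHECK {
            connect_timeout 3
        }
    }
}
```

After starting both nodes, `ipvsadm -Lcn` on the backup should list the master's active connections within a few seconds; if it stays empty, check that eth1 on both directors passes multicast and that the sync ids match.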