Linux Netfilter discussions
From: Brian Ghidinelli <brian@vfive.com>
To: Mail List - Netfilter <netfilter@vger.kernel.org>
Subject: Re: What's required for a stateful firewall + ipvs in 2.6 kernel?
Date: Wed, 10 Sep 2008 10:00:06 -0700
Message-ID: <48C7FD16.301@vfive.com>
In-Reply-To: <48C7E4C2.9050500@riverviewtech.net>


Grant Taylor wrote:
>> 1. Stateful iptables firewall
>> 2. LVS director (keepalived)
>> 3. DNAT, SNAT and fwmarks
>> 4. Connection synchronization for failover
> 
> ...
> synchronized / failed over (4) between multiple boxen.  This does not 
> mean that it can not be done, just that it is not going to be documented 
> in the usual locations if it is possible.

That's the issue... there are a lot of posts about LVS and netfilter on 
Austintek.com and other sites but the dates range from 2000 to 2006 or 
so making it hard to figure out what's current.

In sysadmining, I don't really like to be the pioneer. :)  No one else 
has turned an RHEL box into a Firewall + LVS Director?


> It is my (mis)understanding that keepalived does not do the 
> synchronization, rather just the monitoring of things.  Conntrackd will 
> do the synchronization for NetFilter.

I believe keepalived synchronizes the LVS connections between ipvs on 
the two boxes.  There is a config option "lvs_sync_daemon_interface" for 
this (as I understand it).

This is only half the picture though, and conntrackd appears to solve 
the other half by also keeping netfilter in sync about which connections 
are already established or related so iptables rules don't kill valid 
sessions.

So in the end I suppose the real question is whether or not anyone has 
successfully used the Antefacto patches on RHEL?  I will try the 
lvs-users mailing list for that one...

Thanks for the help Grant,


Brian

Thread overview: 6+ messages
2008-09-09 23:47 What's required for a stateful firewall + ipvs in 2.6 kernel? Brian Ghidinelli
2008-09-10 15:16 ` Grant Taylor
2008-09-10 17:00   ` Brian Ghidinelli [this message]
2008-09-10 17:03     ` Grant Taylor
2008-09-23 10:09 ` Pablo Neira Ayuso
2008-09-23 20:31   ` Grant Taylor
