On Wed, 2005-01-05 at 21:07 -0500, Thomas Simmons wrote:
> John A. Sullivan III wrote:
> > On Tue, 2005-01-04 at 20:28 -0500, Thomas Simmons wrote:
> > > <snip>
>
> Thanks for your suggestions, I like the sound of the iprange and the
> NETMAP patches. As for the script, I have not used the iptables-restore
> syntax, and am very comfortable with iptables commands. My intentions
> are to actually have two firewall scripts. The default script would have
> rules that would forward needed traffic to our primary webserver. The
> second would have rules that would forward traffic to our failover
> webserver. I would have the firewall verify that our primary server is
> still online every 30 seconds or so with an echo. If not, the second
> script would execute, forwarding all traffic to the backup server. I am
> going to have a rather complicated setup (30 web servers, 30 mail servers,
> IPsec VPN gateway + pptp roadwarrior access) and would like to use
> iptables commands because I'm so comfortable with them. I also like the
> idea of doing everything with one (technically two) scripts, as a
> recovery after a disk failure would be as simple as installing Linux,
> putting the script on the server and executing it.
>
> As for using iproute2 vs. aliases, why would you use iproute2? What are
> the benefits of doing this?
>
> Again, thanks a lot for the suggestions.
>
> Regards,
> Thomas
>

Honestly, I do not have any experience using aliases. iproute2 is a more
contemporary way of handling the need for multiple addresses. It is also
far, far more powerful than just a tool for adding more addresses. It is
an extremely powerful policy routing tool so it is well worth learning.
Look for a file in your distribution named ip-cref.ps. I do recall
reading of problems using aliases on some list -- I do not recall if that
is netfilter or openswan -- I suspect the latter.
There is a small training slide show on using it in the training section
of the ISCS web site (http://iscs.sourceforge.net).

The failover scripting idea sounds quite nice and you can certainly do it
with raw iptables commands. Time is your critical decision criterion.
This may be especially critical in a failover scenario. Your times will
vary based upon your processing power. For a very small rule set, smaller
than you will probably have, the difference in time to load from iptables
versus iptables-restore is only a second or two. For very large rule sets
numbering in the thousands of rules, the difference may be in the many
tens of minutes.

Good luck with the project - John
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@xxxxxxxxxxxxxxxxxxx

Financially sustainable open source development
http://www.opensourcedevel.com
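The failover scheme Thomas describes (probe the primary with an echo every 30 seconds, switch the forwarding rules to the backup when it stops answering) combined with John's point about load time is illustrated by the following sketch. It is an added example written for this page, not code from either poster or from the ISCS project. Everything specific in it is assumed: the public address 203.0.113.10, the server addresses 192.168.1.10 and 192.168.1.11, the external interface eth0, the log path, and the choice of three consecutive misses before failing over. Instead of two full iptables scripts it keeps a single rule generator that emits the nat table in iptables-restore format, so the switch is one atomic table load rather than a long sequence of individual iptables calls.

```shell
#!/bin/sh
# Added example (not from the thread): DNAT failover between a primary and a
# backup web server, driven by a periodic ping of the primary.
# All addresses, the interface name and the paths below are assumptions.

PUBLIC_IP=203.0.113.10      # assumed public address the firewall answers on
PRIMARY=192.168.1.10        # assumed primary web server
BACKUP=192.168.1.11         # assumed failover web server
WAN_IF=eth0                 # assumed external interface
LOG=/var/log/web-failover.log
FAIL_THRESHOLD=3            # consecutive failed probes before switching

# Emit a complete nat table in iptables-restore format that forwards HTTP and
# HTTPS arriving on PUBLIC_IP to the chosen server. iptables-restore replaces
# only the tables present in its input, so feeding it this text swaps the
# whole nat table in one step and leaves the filter table alone.
render_nat_rules() {
    target="$1"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $WAN_IF -d $PUBLIC_IP -p tcp --dport 80 -j DNAT --to-destination $target
-A PREROUTING -i $WAN_IF -d $PUBLIC_IP -p tcp --dport 443 -j DNAT --to-destination $target
COMMIT
EOF
}

# Decide which server should receive traffic.
# Arguments: current target ("primary" or "backup"), last probe result
# ("up" or "down"), running count of consecutive failed probes.
# Prints "<target> <failcount>". One lost echo does not fail over; reaching
# FAIL_THRESHOLD misses in a row does. The first successful probe of the
# primary fails back and resets the counter.
decide() {
    current="$1"; probe="$2"; fails="$3"
    if [ "$probe" = up ]; then
        echo "primary 0"
        return
    fi
    fails=$((fails + 1))
    if [ "$fails" -ge "$FAIL_THRESHOLD" ]; then
        echo "backup $fails"
    else
        echo "$current $fails"
    fi
}

# The echo probe from the thread: one ICMP request, two-second wait.
probe_primary() {
    if ping -c 1 -W 2 "$PRIMARY" >/dev/null 2>&1; then echo up; else echo down; fi
}

apply_target() {
    case "$1" in
        primary) render_nat_rules "$PRIMARY" | iptables-restore ;;
        backup)  render_nat_rules "$BACKUP"  | iptables-restore ;;
    esac
}

# Main loop, intended to run under an init script or supervisor.
run_loop() {
    current=primary; fails=0
    apply_target "$current"
    while :; do
        set -- $(decide "$current" "$(probe_primary)" "$fails")
        if [ "$1" != "$current" ]; then
            apply_target "$1"
            echo "$(date) failover: $current -> $1" >> "$LOG"
        fi
        current="$1"; fails="$2"
        sleep 30
    done
}

# Only start the loop when invoked as "script run", so the functions can be
# sourced and exercised without touching the firewall.
case "${1:-}" in
    run) run_loop ;;
esac
```

Two caveats a practitioner would add to this design. First, DNAT is applied per connection by conntrack, so switching the table only affects new connections; sessions already mapped to a dead primary keep their old mapping until they time out, which is the expected behaviour for a failed server. Second, an ICMP echo only proves the host is reachable, not that the web service is serving; checking a TCP connect to port 80 in `probe_primary` would catch a hung daemon on a host that still answers pings.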