RE: [suse-security] SuSEfirewall2 on multiple servers but no "firewall"
Hi
From: Philipp Rusch [mailto:Philipp.Rusch@rusch-edv.de] Hi Peter, When you say "failsafe", did you intend to be redundant through that setup with multiple servers behind that router? Then I would add to the setup that Stefan recommended (which is the same I would prefer over yours ... ;-) ) as follows:
                (|ISP-Router|)
                      |
        ---------(|1st SWITCH|)------------ ...
           |                       |
    (|1st Firewall|)        (|2nd Firewall|)
           |                       |
        ---------(|2nd SWITCH|)------------ ...
           |            |            |
    (|Server 1|)   (|Server 2|)   (|Server 3|) ...
What you have here is a redundant setup of your firewall: if one goes down, the other takes over the whole traffic. You don't need a complicated setup for this; in the simplest way you could do this by adding alternative routes and duplicating the DNS entries of your firewall (internal and external). The rest is done by the DNS, and its "round robin" should give you a simple kind of load balancing if both systems are up.
Be careful with DNS doing the round robin - not every DNS resolver can handle more than one IP address for one name. E.g. Windows 9x/ME strips off all additional IP addresses. It only uses the first IP address it gets. Then there is such a thing called a name cache. All resolved hosts are stored within this cache for performance reasons. If such a "bad" net member (using just the first IP of an answer section and storing this IP into the local resolver cache) tries to access the "server-in-service", it will get an error like: "timeout. could not access resource due to connection timeout."
I do this at two sites with very good success and I am able to do maintenance on those systems while everybody keeps on working, without them even noticing my reboots ;-)
Same with heartbeat - and you don't have to wait for your ISP to enter another address for the same name ;o)
Regards, Philipp Rusch
regards, Stefan
--- SNIP --- Hi Stefan, okay you win :-) (comments inline)
Be careful with DNS doing the round robin - not every DNS resolver can handle more than one IP address for one name. E.g. Windows 9x/ME strips off all additional IP addresses. It only uses the first IP address it gets. Then there is such a thing called a name cache. All resolved hosts are stored within this cache for performance reasons. If such a "bad" net member (using just the first IP of an answer section and storing this IP into the local resolver cache) tries to access the "server-in-service", it will get an error like: "timeout. could not access resource due to connection timeout."
I'd rather think this is a server issue, not one of the clients ... if you dig for www.ibm.com, for example, there are at least 4 addresses given as answer. If you dig again, they shift. I find Windows 2000 Server with its DNS service to fail with round robin as well ... But normally if a client cannot resolve the first time it tries again (at least 3 times), so what's the problem?
I do this at two sites with very good success and I am able to do maintenance on those systems while everybody keeps on working, without them even noticing my reboots ;-)
Same with heartbeat - and you don't have to wait for your ISP to enter another address for the same name ;o)
Okay, IP takeover is a fine thing, but you need additional software and cannot share the load (ok, you can do active/active clusters, but this needs shared disks and so on ...).
Regards, Philipp Rusch
regards, Stefan
We are getting more and more OT, so let's end with diplomacy: there is more than one way ... Regards, Philipp
* Peer Stefan wrote on Mon, Jan 20, 2003 at 13:07 +0100:
The rest is done by the DNS and its "round robin" should give you a simple kind of load balancing, if both systems are up.
And makes 50% of the requests/clients fail if one of two systems is down. Load balancing, but not failsafe. I don't think that it's a good idea to try to dynamically update DNS, since this wouldn't help much due to caching. I think this could be better solved with some alias IPs - in case of a crash, the other server gets its IP. In practice, sometimes the crashed server still replies to ARP, so take care :)
Be careful with DNS doing the round robin - not every DNS resolver can handle more than one IP address for one name. E.g. Windows 9x/ME strips off all additional IP addresses. It only uses the first IP address it gets.
Yes, and that's no problem, since DNS servers should do round robin by sending any of the RRs first. So the same client usually makes all requests to the same servers, but after all it's still pretty balanced even with 24 bit windows :)
Then there is such a thing called a name cache. All resolved hosts are stored within this cache for performance reasons. If such a "bad" net member [...] "timeout [...] "
Yes, that's why it isn't possible to change DNS entries in failure cases. oki, Steffen -- This message was generated by machine; it therefore bears neither signature nor seal.
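As an added illustration (written for this page, not by any of the posters), a small Python model of the argument above: two addresses published under one name, a DNS server that rotates the answer order on every query, and clients that either keep only the first A record (the behaviour described for Windows 9x/ME), retry from their own name cache, or walk every record in the answer. The addresses are constructed documentation values, and the "network" is a set of dead addresses rather than real sockets.

```python
"""Model of DNS round robin as a failover mechanism: how many clients still
reach the service when one of two published addresses is dead?"""

# Constructed example addresses (RFC 5737 documentation range), not from the thread.
ADDRS = ["192.0.2.10", "192.0.2.11"]


class RoundRobinDNS:
    """Authoritative server that rotates RR order on each query (the thread's "round robin")."""

    def __init__(self, addrs):
        self._addrs = list(addrs)
        self._shift = 0

    def query(self):
        answer = self._addrs[self._shift:] + self._addrs[:self._shift]
        self._shift = (self._shift + 1) % len(self._addrs)
        return answer


def connect(addr, dead):
    """Stand-in for a TCP connect: succeeds unless addr is in the dead set."""
    return addr not in dead


def first_only_client(answer, dead):
    """Resolver that keeps only the first A record of the answer."""
    return connect(answer[0], dead)


def cached_retry_client(answer, dead, retries=3):
    """First-record resolver that retries the connection, but re-resolves from
    its local name cache, so every retry lands on the same cached address."""
    cached = answer[0]
    return any(connect(cached, dead) for _ in range(retries))


def failover_client(answer, dead):
    """Resolver that tries every A record in the answer until one connects."""
    return any(connect(a, dead) for a in answer)


def failure_rate(client, dead, n_clients=1000):
    """Fraction of n_clients (one fresh DNS query each) that cannot reach the service."""
    dns = RoundRobinDNS(ADDRS)
    failures = sum(0 if client(dns.query(), dead) else 1 for _ in range(n_clients))
    return failures / n_clients


if __name__ == "__main__":
    dead = {"192.0.2.11"}  # one of the two firewalls/servers is down
    for c in (first_only_client, cached_retry_client, failover_client):
        print(f"{c.__name__:20s} failure rate: {failure_rate(c, dead):.2f}")
```

With one of two addresses dead, the first-record and cached-retry clients fail for half of all queries (Steffen's 50% figure), while only the client that walks the whole answer section gets failover out of round robin.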
participants (3): Peer Stefan, Philipp Rusch, Steffen Dettmer