<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<STYLE type=text/css>DIV {
        MARGIN: 0px
}
</STYLE>
<META content="MSHTML 6.00.6000.16544" name=GENERATOR></HEAD>
<BODY>
<DIV dir=ltr align=left><SPAN class=125025920-20112007><FONT face=Arial
color=#0000ff size=2>I've used a lot of individual projects to accomplish those
same goals, but putting them all together and trying to make it "intelligent" is
quite an undertaking. :-) </FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=125025920-20112007><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=125025920-20112007><FONT face=Arial
color=#0000ff size=2>For the record, the LVS project ( <A
href="http://www.linuxvirtualserver.org/">http://www.linuxvirtualserver.org/</A> )
is a great load balancer. You could have a linux box running iptables and LVS,
and you'd be able to distribute inbound connections anywhere you want. For
adding automatic detection of what has failed, you can use a monitoring system
like Mon ( <A href="http://mon.wiki.kernel.org">http://mon.wiki.kernel.org</A> ) and add your
own custom checks and scripts. It has a two-tiered architecture: a service check
which must exit 0 or 1, and an alert (script) that gets called when
the check fails. For example, you might have an http service check and
an alert that removes the node from the pool in the event of a failure.
</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=125025920-20112007><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=125025920-20112007><FONT face=Arial
color=#0000ff size=2>The linux HA project (<A
href="http://linux-ha.org">http://linux-ha.org</A> ) is great for adding
fault tolerance - it can quickly move an IP address / start / stop services from
a failed system to a backup system. I'd recommend sticking with version 1
though... V2 is quite complicated. I avoid it unless I absolutely need it. For
monitoring, I prefer Ganglia. I saw a post the other day from someone who liked
a new project called zabbix... It looked pretty cool, but I've never used
it.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=125025920-20112007><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=125025920-20112007><FONT face=Arial
color=#0000ff size=2>So if it were me I'd probably build this using the projects
mentioned above. But as Brad said, the other problem here is how much are you
willing to put into this? You could build something really cool that does the
job, but if you can't really dedicate yourself to it, you may be better off
buying a piece of hardware pre-configured. Of course, if you do have the time to
invest, then you can probably build something even more advanced than what you
could buy. I've built a few systems like this, so if you have any questions
I'm happy to share. </FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=125025920-20112007><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=125025920-20112007><FONT face=Arial
color=#0000ff size=2>Chris</FONT></SPAN></DIV><BR>
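<DIV dir=ltr align=left><FONT face=Arial size=2>The arrangement Chris describes above (an LVS pool on the Linux box, a Mon service check, and an alert that drops a failed node from the pool) and the "single public IP, stateful NAT to several web servers" requirement in Bob's question below, as an added example that is not from the thread, from LVS or from Mon. It assumes LVS-NAT mode with the web servers on a private network behind the Linux box, a placeholder public address of 192.0.2.10:80, that Mon runs the monitor as <CODE>http.monitor host1 host2 ...</CODE> and expects failing hosts on stdout plus a non-zero exit status, that Mon passes the failed hosts to the alert as <CODE>-h "host1 host2"</CODE>, and that curl is installed; all of those are my assumptions. Setting <CODE>DRY_RUN=1</CODE> prints the privileged ipvsadm/sysctl commands instead of executing them, which is also how the check and alert can be exercised without root.</FONT></DIV>

```shell
#!/bin/sh
# Added example, not code from the thread, from LVS or from Mon: an LVS NAT
# pool in front of several web servers, a Mon-style HTTP service check, and
# an alert script that drops a failed real server from that pool.
#
# Assumptions (mine, not stated in the thread):
#   - the public address is VIP:80 and the web servers sit on a private net
#     behind the Linux box, i.e. LVS-NAT (masquerading) mode ("-m")
#   - Mon runs the monitor as `http.monitor host1 host2 ...` and expects the
#     failing hosts on stdout and a non-zero exit status when any host fails
#   - Mon runs the alert with `-h "host1 host2"` naming the failed hosts
#   - DRY_RUN=1 prints the privileged commands instead of executing them

VIP="${VIP:-192.0.2.10}"      # placeholder public address (RFC 5737 range)
VPORT="${VPORT:-80}"

# Print (when DRY_RUN=1) or run one privileged command.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Build the pool: enable forwarding, add one virtual service with weighted
# round robin, then add one real server (NAT mode, weight 1) per argument.
ipvs_pool_setup() {
    run sysctl -w net.ipv4.ip_forward=1
    run ipvsadm -A -t "${VIP}:${VPORT}" -s wrr
    for rs in "$@"; do
        run ipvsadm -a -t "${VIP}:${VPORT}" -r "${rs}:${VPORT}" -m -w 1
    done
}

# Probe one web server; succeed only on an HTTP 200 within 5 seconds.
# curl is assumed to be installed.
probe_http() {
    code=$(curl -s -o /dev/null -m 5 -w '%{http_code}' "http://$1/" 2>/dev/null)
    [ "$code" = "200" ]
}

# Monitor entry point: arguments are the hosts in the Mon hostgroup.
# Prints the failing hosts on one line and exits 1 if there were any,
# exits 0 (printing nothing) when every host answered.
http_monitor() {
    failed=""
    for h in "$@"; do
        probe_http "$h" || failed="$failed $h"
    done
    failed="${failed# }"        # strip the leading space
    if [ -n "$failed" ]; then
        echo "$failed"
        return 1
    fi
    return 0
}

# Alert entry point: pull every host named after -h out of the pool. The
# other options Mon passes (-s service, -g group, -t time, ...) are ignored.
lvs_remove_alert() {
    hosts=""
    while [ $# -gt 0 ]; do
        case "$1" in
            -h) hosts="$2"; shift ;;
        esac
        shift
    done
    for h in $hosts; do
        run ipvsadm -d -t "${VIP}:${VPORT}" -r "${h}:${VPORT}"
    done
}
```

<DIV dir=ltr align=left><FONT face=Arial size=2>On the firewall box the monitor would be installed as a Mon monitor script and the alert as a Mon alert script for the web hostgroup; a matching "up" alert that re-adds the server with <CODE>ipvsadm -a</CODE> is left out here. Because the alert removes a real server as soon as a single check fails, in practice the check interval and failure count in Mon should be tuned so that a brief hiccup does not empty the pool.</FONT></DIV>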
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> nflug-bounces@nflug.org
[mailto:nflug-bounces@nflug.org] <B>On Behalf Of </B>Robert
Meyer<BR><B>Sent:</B> Tuesday, November 20, 2007 11:25 AM<BR><B>To:</B>
nflug@nflug.org<BR><B>Subject:</B> [nflug] Firewalls<BR></FONT><BR></DIV>
<DIV></DIV>
<DIV
style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">
<DIV>OK, my turn to ask a question. I have a situation where our firewall
(seven or more years old) is no longer supported and it has been losing
connections on any box that I upgrade to a 2.6 kernel from a 2.4. I have
Netscreen 100 firewalls and can't even get firmware updates.<BR><BR>So, the
question that I post to the group:<BR>I have a fairly fast Internet connection
to Vaspian. I have an environment with 30+ servers and less than 10
workstations that need to be connected. I need to be able to have the web
servers (about 6 for the moment) accessible on the Internet but I have to be
able to use stateful NAT to be able to have the firewall point to several web
servers for a single IP address for load balancing, etc. If the firewall
did some monitoring to determine that a web server has failed and can remove it
from the pool, that would be a bonus.<BR><BR>I intend to start monitoring
the servers with Nagios so maybe Nagios could be used to control the web server
pools.<BR><BR>I have actually thought about building a Linux firewall to do all
of this, using shorewall but I don't know about the server pool thing. I
haven't researched that at all.<BR><BR>So, I'm soliciting opinions. I need
to know as many options as I can so that I can make an intelligent decision on
this. Note that we're expecting significant growth in our traffic
here. As always, cheaper is
better.<BR><BR>Thanks...<BR><BR>Cheers!<BR><BR>Bob<BR></DIV></DIV><BR>
</BODY></HTML>