[LARTC] Re: gateway failover with linux

To: gtaylor+reply@riverviewtech.net
Subject: [LARTC] Re: gateway failover with linux
From: Abhijit Menon-Sen <ams@toroid.org>
Date: Sat, 21 Jul 2007 05:59:54 +0530
Cc: lartc@mailman.ds9a.nl
In-reply-to: <46A0D0C1.4090805@riverviewtech.net>
References: <20070719170251.GA24923@toroid.org> <469FD455.9050903@riverviewtech.net> <20070720012032.GA29284@toroid.org> <46A0D0C1.4090805@riverviewtech.net>
At 2007-07-20 10:12:01 -0500, gtaylor@riverviewtech.net wrote:
>
> > I just want a hot standby for a single Linux firewall [...]
> 
> I would use a pair of Linux boxen with vrrpd and conntrackd

OK, great. I didn't know about vrrpd. I'll check it out.

> As far as ucarp, I'm not familiar with it so I can't comment.

If I have the time, I'll try out ucarp and post a summary of my
experiences for the archives.

> If you want to know what to do in this situation read about SONITH
> (Shoot Other Node In The Head) to make sure that there is only one
> active node at a time.

("STONITH", for those asking Google.)

I have one other question. How does conntrackd interact with traffic
shaping? My firewall also uses HTB to impose various bandwidth limits
on clients. From what I've read so far, I have the impression that the
failover may lose some packets that are being delayed in a queue, but
existing connections should recover and be essentially unaffected.

Can anyone confirm that?

-- ams