Re: pf address pools
Sorry, www.heise.de, not www.heisse.de!
----- Original Message -----
From: "Stefan Sonnenberg-Carstens" <[email protected]>
To: "Darren Reed" <[email protected]>
Cc: <[email protected]>; <[email protected]>
Sent: Friday, November 29, 2002 10:21 AM
Subject: Re: pf address pools
> So, do you think it might be better to use ipfilter than pf on OpenBSD in
> that case?
> And the next question is, is it useful to have widely spread (more than one
> IP subnet) servers to do load-balancing on?
> After all, that is a feature the BigIP supports, and I know that at least
> www.heisse.de is using this to implement complete redundancy by
> location-separated servers.
> But for most users, that should be enough.
> @Daniel Hartmeier: is auto-detection of down hosts implemented in the
> load-balancing code in pf?
> By the way: my company is nearly 100% convinced to kick our Nokia /
> CheckPoint and to take an OpenBSD/pf box to replace it, due to several
> problems with our ISP and their understanding of "Management" and "Support".
> ----- Original Message -----
> From: "Darren Reed" <[email protected]>
> To: "Jedi/Sector One" <[email protected]>
> Cc: <[email protected]>
> Sent: Friday, November 29, 2002 9:53 AM
> Subject: Re: pf address pools
> > In some mail from Jedi/Sector One, sie said:
> > >
> > > On Thu, Nov 28, 2002 at 11:59:37PM +0000, Ryan McBride wrote:
> > > > rdr on $ext_if from any to $public_ip port 80 -> \
> > > > 192.168.0.4/30 source-hash
> > >
> > > As a side note, source-hash (a feature called 'sticky balancing' on
> > > hardware load balancers) is very useful for web servers with PHP:
> > >
> > > - by default, PHP saves sessions in local files.
> > > - to speed things up, it's also possible to use shared memory.
> > > - poorly written PHP scripts (those that customers like to install)
> > > like to create temporary files in /tmp.
> > >
> > > Without sticky balancing, a typical syndrome is that users have to
> > > re-authenticate several times while browsing a web site.
> > Well I don't think the above is a good implementation of sticky
> > load balancing because it confines your destination IP addresses
> > to be a single subnet mask range.
> > I did sticky redirection for IPFilter last month, I think, and that
> > implementation does not have this problem. More importantly, the
> > stickiness can be mixed with any other redirection options.
> > If routers use the above for stickiness then said routers suck, IMHO.
> > Darren
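
The two behaviours discussed in this thread, as an added example that is not code from pf, IPFilter or any poster: a client address hashed to a fixed backend inside the 192.168.0.4/30 pool from the quoted rule, next to the same sticky choice over backends that do not share a subnet. Assumptions: keyed BLAKE2 stands in for whatever hash the packet filter uses, all four addresses of the /30 are treated as usable, and the client address, key and cross-subnet list are constructed.

```python
import hashlib
import ipaddress
from itertools import cycle

POOL = "192.168.0.4/30"            # pool from the quoted rdr rule
KEY = b"constructed-demo-key"      # constructed; a real filter keeps its own secret
# Constructed backends in unrelated subnets (documentation address ranges).
SPREAD = ["192.0.2.10", "198.51.100.20", "203.0.113.30"]

def _hash_index(src_ip, key, n):
    """Keyed hash of the client address, reduced to an index in [0, n)."""
    packed = ipaddress.ip_address(src_ip).packed
    digest = hashlib.blake2b(packed, key=key, digest_size=8).digest()
    return int.from_bytes(digest, "big") % n

def pick_from_subnet(src_ip, pool_cidr, key=KEY):
    """Sticky choice confined to one CIDR block, as in '-> 192.168.0.4/30 source-hash'."""
    net = ipaddress.ip_network(pool_cidr)
    return str(net[_hash_index(src_ip, key, net.num_addresses)])

def pick_from_list(src_ip, backends, key=KEY):
    """Sticky choice over arbitrary backends that need not share a subnet."""
    return backends[_hash_index(src_ip, key, len(backends))]

def backend_switches(choices):
    """How often consecutive requests from one client hit a different backend."""
    return sum(1 for a, b in zip(choices, choices[1:]) if a != b)

def simulate(client, requests=6):
    """Return (switches under round-robin, switches under source-hash)."""
    rr = cycle(str(a) for a in ipaddress.ip_network(POOL))
    round_robin = [next(rr) for _ in range(requests)]
    sticky = [pick_from_subnet(client, POOL) for _ in range(requests)]
    return backend_switches(round_robin), backend_switches(sticky)

if __name__ == "__main__":
    client = "203.0.113.7"         # constructed client address
    rr_sw, sticky_sw = simulate(client)
    print("round-robin backend switches:", rr_sw)    # session files left behind
    print("source-hash backend switches:", sticky_sw)
    print("subnet pool choice:", pick_from_subnet(client, POOL))
    print("cross-subnet choice:", pick_from_list(client, SPREAD))
```

Each backend switch under round-robin is a request that reaches a server without the client's local PHP session file, which is the re-authentication symptom described above.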