Linux Archive > Gentoo > Gentoo User
Old 06-22-2010, 02:33 PM
James
 
HA firewall (conntrack-tools)

Hello,

Conntrack-tools
Look here:
http://conntrack-tools.netfilter.org/testcase.html

Is anyone doing this, and willing to share configs, answer questions,
or point to other examples?


Lots of new kernel stuff for ip tables, since I sank deeply into the
abyss of minutia of IP tables. Further reading references on how to
build an HA or fail-over firewall are most welcome.



James
 
Old 06-22-2010, 04:07 PM
Mick
 
HA firewall (conntrack-tools)

On 22 June 2010 15:33, James <wireless@tampabay.rr.com> wrote:
> Hello,
>
> Conntrack-tools
> Look here:
> http://conntrack-tools.netfilter.org/testcase.html
>
> Is anyone doing this, and willing to share configs, answer questions,
> or point to other examples?
>
>
> Lots of new kernel stuff for ip tables, since I sank deeply into the
> abyss of minutia of IP tables. Further reading references on how to
> build an HA or fail-over firewall are most welcome.

I can't add anything about conntrackd, because I have not used it, but
I'd recommend to use the limit module and set it to something sensible
(e.g. 3/minute) when logging invalid packets, if you want to avoid
bogging down your fw. So use something like:

-m limit --limit 1/minute

You could also add --limit-burst in the same fashion again to limit
DoS attacks, at least on the Internet facing NICs/ports.
--
Regards,
Mick
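Added example (not from the thread): a small simulation of how the iptables `limit` match behaves when it gates a LOG rule for INVALID packets, as Mick suggests. It models the match as a token bucket that starts full at `--limit-burst` tokens and refills at the `--limit` rate, which is how the kernel's limit match works in essence (the real code counts credit in fixed-point units, so treat this as a simplified model). The packet arrival times are constructed: a flood of 200 invalid packets in 10 seconds, followed by one every 30 seconds. It shows why a rule like `-m conntrack --ctstate INVALID -m limit --limit 3/minute --limit-burst 5 -j LOG` logs only five lines during the flood and then keeps up with the trickle, while `--limit 1/minute` drops every other trickle event too.

```python
"""Simplified model of the iptables 'limit' match (added example, not from the thread).

The rule being modelled (assumed, typical form):
    -A INPUT -m conntrack --ctstate INVALID \
        -m limit --limit 3/minute --limit-burst 5 -j LOG --log-prefix "INVALID: "
"""

# Seconds per unit as accepted by --limit; iptables defaults are 3/hour, burst 5.
RATE_UNITS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


def parse_limit(spec):
    """Turn an iptables rate spec such as '3/minute' into tokens per second."""
    count, _, unit = spec.partition("/")
    return float(count) / RATE_UNITS[unit or "second"]


class LimitMatch:
    """Token bucket: full at start, refilled continuously, one token per matched packet."""

    def __init__(self, limit="3/hour", burst=5):
        self.rate = parse_limit(limit)   # tokens per second
        self.burst = float(burst)        # bucket capacity
        self.tokens = self.burst         # bucket starts full, like the kernel's credit
        self.last = 0.0                  # time of the previous packet

    def match(self, now):
        """Return True if a packet arriving at `now` (seconds) passes the limit."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate(limit, burst, arrivals):
    """Return the arrival times (seconds) that the LOG rule would actually fire on."""
    m = LimitMatch(limit, burst)
    return [t for t in arrivals if m.match(t)]


def constructed_arrivals():
    """Constructed traffic: 200 INVALID packets in 10 s, then one every 30 s until 285 s."""
    flood = [i * 0.05 for i in range(200)]          # 0.00 .. 9.95 s
    trickle = [45.0 + 30.0 * i for i in range(9)]   # 45, 75, ..., 285 s
    return flood + trickle


def logged_counts(limit, burst=5):
    """How many flood packets and how many trickle packets get logged under a given limit."""
    logged = simulate(limit, burst, constructed_arrivals())
    flood_logged = sum(1 for t in logged if t < 10.0)
    trickle_logged = sum(1 for t in logged if t >= 45.0)
    return flood_logged, trickle_logged


if __name__ == "__main__":
    for spec in ("3/minute", "1/minute"):
        f, t = logged_counts(spec)
        print(f"--limit {spec} --limit-burst 5: {f} of 200 flood packets logged, "
              f"{t} of 9 trickle packets logged")
```

The burst value is what bounds the damage during a flood: whatever the rate, at most `--limit-burst` log lines are written before the bucket is empty, and afterwards the sustained rate decides how much of the legitimate-looking trickle you still see. Pick the rate so that the events you actually want to investigate (a slow scan, a misbehaving peer) are not swallowed along with the noise.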
 
Old 06-22-2010, 05:46 PM
James
 
HA firewall (conntrack-tools)

Mick <michaelkintzios <at> gmail.com> writes:

Howdy Mick!

> I can't add anything about conntrackd, because I have not used it, but
> I'd recommend to use the limit module and set it to something sensible
> (e.g. 3/minute) when logging invalid packets, if you want to avoid
> bogging down your fw. So use something like:

Well, between needing a firewall that does not fail (HA via redundancy),
and a need to get 'up 2 speed' on the latest with iptables, I'm taking the
plunge here...

conntrackd provides what looks like a cool roll over mechanism similar
to OpenBSD's carp and pfsync.

http://www.openbsd.org/faq/pf/carp.html

You may get a few private emails, if I do not find a forum for ideas and
experimentation......

> -m limit --limit 1/minute

> You could also add --limit-burst in the same fashion again to limit
> DoS attacks, at least on the Internet facing NICs/ports.

Nice to know.


Thanks Mick,

James
 