public inbox for gentoo-user@lists.gentoo.org
* [gentoo-user] HA firewall (conntrack-tools)
@ 2010-06-22 14:33 James
From: James @ 2010-06-22 14:33 UTC
  To: gentoo-user

Hello,

Conntrack-tools
Look here:
http://conntrack-tools.netfilter.org/testcase.html

Is anyone doing this, and willing to share configs, answer questions,
or point to other examples?


Lots of new kernel stuff for iptables, since I sank deeply into the
abyss of minutia of iptables. Further reading references on how to
build an HA or fail-over firewall are most welcome.



James

* Re: [gentoo-user] HA firewall (conntrack-tools)
From: Mick @ 2010-06-22 16:07 UTC
  To: gentoo-user

On 22 June 2010 15:33, James <wireless@tampabay.rr.com> wrote:
> Hello,
>
> Conntrack-tools
> Look here:
> http://conntrack-tools.netfilter.org/testcase.html
>
> Is anyone doing this, and willing to share configs, answer questions,
> or point to other examples?
>
>
> Lots of new kernel stuff for ip tables, since I sank deeply into the
> abyss of minutia of IP tables. Further reading references on how to
> build an HA or fail-over firewall are most welcome.

I can't add anything about conntrackd, because I have not used it, but
I'd recommend using the limit module and setting it to something sensible
(e.g. 3/minute) when logging invalid packets, if you want to avoid
bogging down your fw.  So use something like:

-m limit --limit 1/minute

You could also add --limit-burst in the same fashion again to limit
DoS attacks, at least on the Internet facing NICs/ports.
-- 
Regards,
Mick
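The rate-limited logging rule Mick describes, written out as an added example (not from this thread or from the conntrack-tools project): a small POSIX sh script that emits the iptables rules for logging INVALID packets through the limit module and then dropping them. The interface name, the log prefix and the rate/burst values are placeholders; it only prints the commands, so it can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example: rate-limited logging of INVALID packets with the iptables
# limit module. The script prints the rules rather than applying them;
# pipe its output to sh as root once it looks right. Interface names,
# the log prefix and the rate/burst values below are made-up placeholders.

# Accept only the rate units the limit module itself understands:
# N/second, N/minute, N/hour, N/day.
valid_rate() {
    case "$1" in
        [0-9]*/second|[0-9]*/minute|[0-9]*/hour|[0-9]*/day) return 0 ;;
        *) return 1 ;;
    esac
}

# invalid_log_rules IFACE RATE BURST
# Emits two rules: log INVALID packets (rate-limited), then drop them.
# Once the BURST tokens are spent, a flood of bogus packets produces at
# most RATE log lines, so the LOG target cannot bog down the firewall.
invalid_log_rules() {
    iface=$1; rate=$2; burst=$3
    valid_rate "$rate" || { echo "bad rate: $rate" >&2; return 1; }
    case "$burst" in
        ''|*[!0-9]*) echo "bad burst: $burst" >&2; return 1 ;;
    esac
    printf 'iptables -A INPUT -i %s -m conntrack --ctstate INVALID -m limit --limit %s --limit-burst %s -j LOG --log-prefix "fw-invalid: "\n' \
        "$iface" "$rate" "$burst"
    printf 'iptables -A INPUT -i %s -m conntrack --ctstate INVALID -j DROP\n' "$iface"
}

# Usage: print the rules for the Internet-facing interface (placeholder eth0),
# one log line per minute with a burst of five.
invalid_log_rules eth0 1/minute 5
```

The same rule without `-m limit` would log every INVALID packet, which is the failure mode Mick is warning about; the burst value (iptables' default is 5) sets how many log lines may be written before the per-period rate takes over.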

* [gentoo-user] Re: HA firewall (conntrack-tools)
From: James @ 2010-06-22 17:46 UTC
  To: gentoo-user

Mick <michaelkintzios <at> gmail.com> writes:

Howdy Mick!

> I can't add anything about conntrackd, because I have not used it, but
> I'd recommend to use the limit module and set it to something sensible
> (e.g. 3/minute) when logging invalid packets, if you want to avoid
> bogging down your fw.  So use something like:

Well, between needing a firewall that does not fail (HA via redundancy),
and a need to get 'up 2 speed' on the latest with iptables, I'm taking the
plunge here...

conntrackd provides what looks like a cool roll-over mechanism similar
to OpenBSD's carp and pfsync.

http://www.openbsd.org/faq/pf/carp.html

You may get a few private emails, if I do not find a forum for ideas and
experimentation......

> -m limit --limit 1/minute

> You could also add --limit-burst in the same fashion again to limit
> DoS attacks, at least on the Internet facing NICs/ports.

Nice to know.


Thanks Mick,

James