Hi,
I'm away today, Nov. 2, 1999, and will return tomorrow, Nov. 3, 1999. If you have an
Unclaimed Balances matter requiring urgent attention please contact Peter Vanderwyst
at 7843.
Thank you.
Aaron
>>> "[EMAIL PROTECTED]" 11/03/99 04:40 >>>
Firewalls-Digest Wednesday, November 3 1999 Volume 08 : Number 669
In this issue:
RE: Port Redirection with Cisco Pix and Axent Raptor
See the end of the digest for information on subscribing to the Firewalls
or Firewalls-Digest mailing lists and on how to retrieve back issues.
----------------------------------------------------------------------
Date: Wed, 3 Nov 1999 16:53:30 +1030
From: Ben Nagy <[EMAIL PROTECTED]>
Subject: RE: Port Redirection with Cisco Pix and Axent Raptor
OK, so you want six different listeners all to be served by the same
machine. As a kicker, you'd like incoming connections to be load balanced,
if possible. Is that right?
I'm going to assume that connections are coming from outside your firewall.
I'm calling the machine that is offering the service the "server".
Firstly, you say you're going to use virtual IP addresses (I guess that
means multihoming) on the server. Can you also multiplex by port - in other
words have daemon1 on port 1111 daemon2 on 2222, etc? This gives you more
flexibility.
So, you can either:
Simple solution: Create six NAT mappings on the outside of the firewall (so,
different IP addresses), all listening on the "standard" daemon port. You
then have ONE IP address on the server, with six daemons running on
different ports. Each of these mappings forwards to a different port on the
server. This is okay if you know that all the people that will connect will
only connect to their "normal" host to get the service.
Load balancing solution one: Have six NAT mappings on the firewall, with one
external DNS entry like "daemon-out.mysite.com". Have ONE IP address on the
server, with all the daemons on different ports. All incoming connections
get aimed at daemon-out.mysite.com, and you perform DNS round-robin on your
DNS server. This means that clients will get answers to their DNS queries in
a different order each time. This will affect which NAT mapping they try and
connect to, and therefore which port on the server they end up talking to.
Load balancing solution two: If the firewall can handle it, some
implementations of NAT let you do a similar round robin thing. Cisco routers
will do this for example. If you do it _this_ way, you go back to your
multi-homed server, and have a round-robin NAT mapping using a SINGLE IP
address for daemon-out on the firewall. Each connection to this mapping will
send you through to a different IP address on the server, and therefore a
different daemon. Uh...in theory. You may not get a new daemon for each
extra IP address - you may need to check that. 8)
None of these are "smart" solutions - they're just spreading incoming
connections evenly. You may have to get tricky and probably write some
software if you want intelligent load balancing for a custom app. You could
check out things like Cisco LocalDirector, but I have a feeling that they're
geared for webservers.
Oh, and I hammered this out pretty fast, so I reserve the right to be Wrong
as Hell. ;)
Cheers,
--
Ben Nagy
Network Consultant, CPM&S Group of Companies
PGP Key ID: 0x1A86E304 Mobile: +61 414 411 520
> -----Original Message-----
> From: Igor Gashinsky [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, 3 November 1999 12:37 PM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: Re: Port Redirection with Cisco Pix and Axent Raptor
>
> We are merging 6 servers into 1 MUCH more powerful server, all of which
> ran the same daemon on the same port. This daemon is not multi-threaded,
> but is select() blocking I/O, and when we are going to merge the
> machines, this daemon won't be able to handle all the requests. Since we
> are mapping all of the IPs to the same machine (virtual IPs), I was
> wondering if I could use a firewall to "load balance the ports", where I
> could say that all the traffic destined for A.A.A.1 port 1111 goes to
> B.B.B.B port 1111, but all the traffic destined for A.A.A.2 port 1111
> goes to B.B.B.B port 2222, etc...
>
> I am just wondering what FW software is capable of doing something like
> this (FW-1, Raptor, PIX..)?
>
> This is, also, probably the best way to justify implementing a $200K+
> security budget <G>
>
> -Igor Gashinsky
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
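The "simple solution" and "load balancing solution two" from Ben's reply, written out as an added example in modern nftables syntax. This is not configuration from the thread and is neither PIX nor Raptor syntax: it shows six outside addresses, each forwarded on the standard port to a different port on one inside address, plus one outside address whose new connections are dealt round robin over six inside addresses of a multi-homed server. Every address, the port 1111 and the interface name are assumed values (RFC 5737 and RFC 1918 ranges), not anything from the original messages. nftables evaluates numgen on the first packet of a connection only; conntrack then keeps the rest of that flow on the backend it chose, which is what makes the round robin safe for TCP.

```shell
#!/bin/sh
# Added example, not from the original thread: the per-address port
# redirection ("simple solution") and the round-robin NAT mapping
# ("load balancing solution two") as an nftables ruleset.
# Every address, port and interface name below is an assumption for
# illustration (RFC 5737 / RFC 1918 ranges), not a value from the thread.
set -eu

OUT_IF="eth0"                # assumed outside interface
PUBLIC_PREFIX="192.0.2"      # assumed outside addresses: .1-.6 static, .10 round robin
SERVER_IP="10.0.0.10"        # assumed single inside address, six daemons on six ports
BACKEND_PREFIX="10.0.0"      # assumed multi-homed server addresses .11-.16
SERVICE_PORT=1111            # assumed "standard" daemon port clients connect to

# Emit the whole ruleset on stdout.
gen_ruleset() {
    cat <<'EOF'
table ip svcnat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
EOF
    # Simple solution: outside address N on the standard port goes to
    # port N*1111 (1111, 2222, ... 6666) on the one inside address.
    i=1
    while [ "$i" -le 6 ]; do
        printf '        iif "%s" ip daddr %s.%s tcp dport %s dnat to %s:%s\n' \
            "$OUT_IF" "$PUBLIC_PREFIX" "$i" "$SERVICE_PORT" "$SERVER_IP" "$((i * 1111))"
        i=$((i + 1))
    done
    # Solution two: one outside address, new connections dealt round robin
    # over six inside addresses. numgen is evaluated on the first packet of a
    # flow only; conntrack keeps the remaining packets on the chosen backend.
    printf '        iif "%s" ip daddr %s.10 tcp dport %s dnat to numgen inc mod 6 map { ' \
        "$OUT_IF" "$PUBLIC_PREFIX" "$SERVICE_PORT"
    i=0
    while [ "$i" -lt 6 ]; do
        [ "$i" -eq 0 ] || printf ', '
        printf '%s : %s.%s' "$i" "$BACKEND_PREFIX" "$((11 + i))"
        i=$((i + 1))
    done
    printf ' }\n'
    cat <<EOF
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oif "$OUT_IF" masquerade
    }
}
EOF
}

# Number of translation rules the ruleset contains (six static plus one round robin).
count_dnat_rules() {
    gen_ruleset | grep -c 'dnat to'
}

# Backend an inbound connection to PUBLIC_PREFIX.N:SERVICE_PORT reaches under
# the static rules, printed as "ip:port"; empty when no static rule matches.
static_target() {
    gen_ruleset | sed -n "s/.*ip daddr $PUBLIC_PREFIX\.$1 tcp dport $SERVICE_PORT dnat to \([0-9.:]*\)\$/\1/p"
}

# Stand-alone run: print the ruleset so it can be saved and loaded with nft -f.
gen_ruleset
```

Save the output and run `nft -c -f svcnat.nft` to syntax-check it before `nft -f svcnat.nft` loads it. For the DNS round-robin variant (solution one) the six static rules are all the firewall needs; the spreading comes from six A records for the one name. The round-robin rule only helps if the server really runs a separate listener bound to each of the six inside addresses, which is the point Ben flags as needing a check: one daemon bound to all addresses would simply receive everything.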
------------------------------
End of Firewalls-Digest V8 #669
*******************************
To unsubscribe from Firewalls-Digest, send the following command
in the body of a message to "[EMAIL PROTECTED]":
unsubscribe firewalls-digest
If you want to subscribe or unsubscribe an address other than the
account the mail is coming from, such as a local redistribution list,
then append that address to the command; for example, to subscribe
"local-firewalls":
subscribe firewalls-digest [EMAIL PROTECTED]
A non-digest (direct mail) version of this list is also available; to
subscribe to that instead, replace all instances of "firewalls-digest"
in the commands above with "firewalls".
Compressed back issues are available for anonymous FTP from
Lists.GNAC.NET, in pub/firewalls/digest/vNN.nMMM.Z (where "NN"
is the volume number, and "MMM" is the issue number).