On Fri, 17 Mar 2000, Lars Marowsky-Bree wrote:
> This only protects the LVS system from running out of memory by randomly
> dropping connections. This does NOT protect a real server from being SYN
> flooded.
>
> Of course, if you distribute the incoming connections to 10 servers, this
> makes it ten times as hard to SYN flood that system, but still.
This as well.
> > as well as the linux firewall
> > doing the randomization of Packet Sequence Numbers.
>
> No. Unless you mean what happens with masquerading, but that is a side effect.
For a NAT style server group. Meaningless anyway if the
backend is Linux, as it has its own SYN protection.
> > There is another option with Linux however. The QoS system
> > can be used to control *any* IP packets. It is fairly simple to limit
> > SYN rates on a site-wide or per server basis. Even per server per
> > service.
>
> Then you are _rate limiting_. This is different from a SYN protection like PIX
> does.
Listen to the whole solution. Running sanity rate limits,
combined with proper servers.
> > End all, systems like the PIX suck, they cause a double action for
> > every connection, form a wonderful SPOF,
>
> That's why you have two of those in a failover configuration, as with any
> firewall.
But IIRC, even with 2 in a failover system, should one die,
the other can take over, but all current connections are lost.
> > and may screw things with
> > interesting IP stacks (they *MUST* be the entry/exit for that
> > network...).
>
> As any other firewall.
Depends on the firewall type, a paranoid filtering firewall
pair *can* handle asymmetric paths/etc, and multiple entry/exit points,
a PIX group cannot.
---
As folks might have suspected, not much survives except roaches,
and they don't carry large enough packets fast enough...
--About the Internet and nuclear war.
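The per server, per service SYN rate limiting discussed in the message above, worked through as an added example. This is not code from the thread, from the Linux QoS subsystem or from any firewall product: it is a Python model of the decision a token-bucket policer (the kind of thing a tc "police" action matching TCP SYNs would implement) makes, run over constructed traffic. The addresses (10.0.0.1, 10.0.0.2, 192.0.2.x, 198.51.100.x), the flood shape and the rate/burst values are all invented for illustration. It also shows the point Lars makes: policing caps how many SYNs reach a server, but a flood against one key still starves the legitimate client of that same service, and a site-wide policy lets the flood starve unrelated services too.

```python
"""Token-bucket SYN policer, per server and per service (added example).

Not code from the linux-net thread or from the Linux kernel: a model of the
admit/drop decision a tc-style policer matching TCP SYNs would make.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, Hashable, List, Tuple

MILLI = 1000  # tokens are tracked in thousandths so the arithmetic stays exact


@dataclass(frozen=True)
class Syn:
    """A TCP SYN as seen by the policer (constructed for the example)."""
    t_ms: int     # arrival time in milliseconds
    src: str
    dst: str
    dport: int


def per_service(s: Syn) -> Hashable:
    """Bucket key for a per server, per service policy."""
    return (s.dst, s.dport)


def site_wide(s: Syn) -> Hashable:
    """Bucket key for a single site-wide policy."""
    return "site"


class SynPolicer:
    """One token bucket per key: `rate` SYNs/s sustained, `burst` SYNs at once."""

    def __init__(self, rate: int, burst: int,
                 key: Callable[[Syn], Hashable] = per_service):
        self.rate = rate                      # tokens (SYNs) per second
        self.cap = burst * MILLI              # bucket capacity in milli-tokens
        self.key = key
        self._buckets: Dict[Hashable, Tuple[int, int]] = {}  # key -> (milli-tokens, last_ms)

    def admit(self, s: Syn) -> bool:
        k = self.key(s)
        tokens, last = self._buckets.get(k, (self.cap, s.t_ms))
        # elapsed_ms * (tokens per second) == milli-tokens refilled since the last packet
        tokens = min(self.cap, tokens + (s.t_ms - last) * self.rate)
        if tokens >= MILLI:
            self._buckets[k] = (tokens - MILLI, s.t_ms)
            return True
        self._buckets[k] = (tokens, s.t_ms)   # policed: drop the SYN, keep the refill
        return False


def police(syns: List[Syn], rate: int, burst: int,
           key: Callable[[Syn], Hashable] = per_service) -> Dict[str, Counter]:
    """Run the policer over the SYNs in arrival order; count admit/drop per source."""
    p = SynPolicer(rate, burst, key)
    admitted, dropped = Counter(), Counter()
    for s in sorted(syns, key=lambda x: x.t_ms):   # stable sort keeps list order on ties
        (admitted if p.admit(s) else dropped)[s.src] += 1
    return {"admitted": admitted, "dropped": dropped}


def constructed_traffic() -> List[Syn]:
    """Constructed sample: a 500 SYN/s spoofed flood at a web server plus real clients."""
    syns = []
    # spoofed flood: 500 SYNs in one second, one every 2 ms, rotating source addresses
    for i in range(500):
        syns.append(Syn(2 * i, f"198.51.100.{i % 250}", "10.0.0.1", 80))
    # a legitimate client retrying its SYN to the flooded service every 200 ms
    for t in (151, 351, 551, 751, 951):
        syns.append(Syn(t, "192.0.2.10", "10.0.0.1", 80))
    # a legitimate client of a different service on another server
    for t in (151, 351, 551, 751, 951):
        syns.append(Syn(t, "192.0.2.11", "10.0.0.2", 443))
    return syns


def total(counter: Counter, src_prefix: str) -> int:
    """Sum a counter over all sources sharing a prefix (used to tally the flood)."""
    return sum(v for k, v in counter.items() if k.startswith(src_prefix))


if __name__ == "__main__":
    for name, key in (("per service", per_service), ("site-wide", site_wide)):
        r = police(constructed_traffic(), rate=100, burst=20, key=key)
        print(f"{name}: flood admitted={total(r['admitted'], '198.51.100.')}"
              f" dropped={total(r['dropped'], '198.51.100.')}")
        for src in ("192.0.2.10", "192.0.2.11"):
            print(f"  {src}: admitted={r['admitted'][src]} dropped={r['dropped'][src]}")
```

With rate=100 and burst=20 the per-service policy lets about 120 of the 500 flood SYNs through to 10.0.0.1:80 (the burst plus one second of refill), so the server behind it never sees more than it can absorb; but every retry from 192.0.2.10 is dropped too, because the bucket cannot tell a spoofed SYN from a real one. Switching the key to site_wide shows the other failure: 192.0.2.11, talking to an unflooded service, is now dropped as well. That is the difference between rate limiting and a SYN protection that completes the handshake before committing server state.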