On 2008/09/10 14:26, Fredrik Widlund wrote:
> No, of course, if both servers are alive and "online" at the same
> time, you might as well not redirect the stream. However if you
> need to take the older system offline, or if you need to only have
> one system online at one given time, then redirecting the traffic
> will catch the glitches in the redirection of DNS, and it is possible.
Assuming this is the case (i.e. needing to only have one online at a time) - HTTP redirects might be the least-overhead method and are usually pretty simple to set up... add a record "www2 A 5.6.7.8", and have the old server just redirect to www2 after the switch-over date to catch any late queries that arrive due to over-cached DNS.

(An aside: modern browsers restrict minimum TTL to mitigate DNS rebinding attacks. Also squid compiled to use system name lookup functions rather than its internal DNS functions, and some junkware proxies probably doing the same thing, don't honour TTL at all, they just have their own "DNS cache time" setting.)

If you want to do this in PF you can use a nat+rdr combination (as described in the FAQ), but you'll be passing the traffic in both directions through the machine running PF and will lose the original source IP address. No way around that: you need to rewrite the packet headers back to the source address/port, and that information is only available to the box which natted it. (Hmm, well maybe via pfsync, but I don't think you really want to go there...)

Never tried this, but there could be another way... maybe you can use relayd from -current/4.4 configured for direct server return, with a tunnel (gif(4)/gre(4)/ssh tun forwarding) to get the packets sent across.
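The "old server just redirects to www2" approach from the message above, as an added example that is not part of the original post or of any OpenBSD/PF code: a catch-all HTTP redirector for the retired address. The hostname www2.example.com and the port are assumed placeholders. It answers every request with a permanent redirect to the same path on the new name, only ever builds the Location header from an absolute path (a proxy-style "http://..." request target is collapsed to "/", so a client cannot steer the redirect at a third-party host), and logs the real client address, which is exactly what a nat+rdr bounce through a PF box would lose.

```python
"""Catch-all HTTP redirector for a host being retired (constructed example).

Every request, whatever the path, gets a 301 pointing at the same path on
NEW_HOST, so clients that still resolve the old A record (over-cached DNS,
proxies that ignore TTL) land on the new server anyway.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed name of the new server's A record (hypothetical value).
NEW_HOST = "www2.example.com"
LISTEN_PORT = 80  # assumed; binding here needs privileges on most systems


def redirect_target(path, new_host=NEW_HOST, scheme="http"):
    """Build the Location URL: same path and query string, new host.

    Only absolute-path request targets are accepted. Anything else
    (an empty target, or a proxy-style "http://other/..." target) is
    normalised to "/" so the Location value is always on new_host.
    """
    if not path.startswith("/"):
        path = "/"
    return f"{scheme}://{new_host}{path}"


class RedirectHandler(BaseHTTPRequestHandler):
    server_version = "retired-host-redirect/1.0"

    def _redirect(self):
        # 301 (permanent) lets browsers and caching proxies remember the
        # new location instead of asking the old address again.
        self.send_response(301)
        self.send_header("Location", redirect_target(self.path))
        self.send_header("Content-Length", "0")
        self.send_header("Connection", "close")
        self.end_headers()

    # Redirect every method; there is nothing left to serve here.
    do_GET = do_HEAD = do_POST = do_PUT = do_DELETE = _redirect

    def log_message(self, fmt, *args):
        # The redirect preserves the original source IP in the logs,
        # unlike traffic reflected through a nat+rdr on a PF box.
        print(f"{self.client_address[0]} {fmt % args}")


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", LISTEN_PORT), RedirectHandler).serve_forever()
```

Run it on the old address only after the new A record has propagated; stragglers arriving via stale DNS then get bounced to www2 without any packet rewriting.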