So, do you think it might be better to use ipfilter than pf on OpenBSD in that case?

And the next question is: is it useful to have widespread (more than one IP subnet) servers to do load-balancing on? After all, that is a feature the BigIP supports, and I know that at least www.heisse.de is using this to implement complete redundancy by location-separated servers. But for most users, that should be enough.

@Daniel Hartmeyer: is auto-detection of down hosts implemented in the load-balancing code in pf?

By the way: my company is nearly 100% convinced to kick our Nokia / CheckPoint and to take an OpenBSD/pf box to replace it, due to several problems with our ISP and their understanding of "Management" and "Support".

----- Original Message -----
From: "Darren Reed" <[EMAIL PROTECTED]>
To: "Jedi/Sector One" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Friday, November 29, 2002 9:53 AM
Subject: Re: pf address pools

> In some mail from Jedi/Sector One, sie said:
> >
> > On Thu, Nov 28, 2002 at 11:59:37PM +0000, Ryan McBride wrote:
> > > rdr on $ext_if from any to $public_ip port 80 -> \
> > >     192.168.0.4/30 source-hash
> >
> > As a side note, source-hash (a feature called 'sticky balancing' on some
> > hardware load balancers) is very useful for web servers with PHP because:
> >
> > - by default, PHP saves sessions in local files.
> > - to speed up things, it's also possible to use shared memory.
> > - poorly written PHP scripts (those that customers like to install) like to
> >   create temporary files in /tmp.
> >
> > Without sticky balancing, a typical syndrome is that users have to
> > re-authenticate several times while browsing a web site.
>
> Well I don't think the above is a good implementation of sticky
> load balancing because it confines your destination IP addresses
> to be a single subnet mask range.
>
> I did sticky redirection for IPFilter last month, I think, and that
> implementation does not have this problem. More importantly, the
> stickiness can be mixed with any other redirection options.
>
> If routers use the above for stickiness then said routers suck, IMHO.
>
> Darren
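
The trade-off argued in this thread, as an added example that is not code from pf, IPFilter or any poster: hashing the client address keeps a client on one backend, and a pool written as a CIDR block can only ever yield addresses inside that block, while a hash over a backend list has no such limit. SHA-256 is a stand-in for the real hash, IPv4 is assumed, the function names, key and backend list are constructed for illustration, and only `192.168.0.4/30` comes from the quoted rule.

```python
import hashlib
import ipaddress

KEY = b"constructed-per-rule-key"  # assumption: a per-rule secret mixed into the hash


def hash32(src_ip, key=KEY):
    """Stand-in 32-bit keyed hash of the client address (not pf's own hash)."""
    packed = ipaddress.ip_address(src_ip).packed
    return int.from_bytes(hashlib.sha256(key + packed).digest()[:4], "big")


def pick_from_subnet(src_ip, pool_cidr):
    """Sticky pick inside one CIDR pool: network bits fixed, host bits from the hash."""
    net = ipaddress.ip_network(pool_cidr)
    host_bits = hash32(src_ip) & int(net.hostmask)
    return str(ipaddress.ip_address(int(net.network_address) | host_bits))


def pick_from_list(src_ip, backends):
    """Sticky pick from an arbitrary backend list, which may span several subnets."""
    return backends[hash32(src_ip) % len(backends)]


def demo():
    """Map constructed client addresses with both schemes and return the results."""
    clients = ["203.0.113.%d" % i for i in range(1, 6)]          # constructed
    backends = ["192.168.0.4", "10.20.0.8", "172.16.5.9"]        # constructed
    rows = []
    for c in clients:
        rows.append((c, pick_from_subnet(c, "192.168.0.4/30"), pick_from_list(c, backends)))
    return rows


if __name__ == "__main__":
    for client, in_subnet, in_list in demo():
        print("%-14s subnet pool -> %-12s list pool -> %s" % (client, in_subnet, in_list))
```
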