[LARTC] Routing + Proxying

2003-03-07 Thread A. Peter Mee
Hi all,

I am hoping to set up a pair of web servers that sit behind a firewall.  The 
firewall will have a single live ip address and the web servers will be 
internal.  So my question is a simple one, which I doubt there is a simple 
solution to (if any) but that's why I'm asking. ;-)

In a simple setup of one firewall + one web server, the firewall would map 
port 80 to the web server's port 80.

Would there be a way of 'splitting' or 'load balancing' the requests between 
the two web servers such that one of the two following scenarios is possible 
(or any others that you can think of):

1) Each web server hosts a limited number of web sites and the firewall 
intelligently distributes the packets based on the requested url to the 
respective web server.

2) Each web server hosts all web sites and the firewall intelligently 
distributes whole requests to an individual web server.

I've looked into a proxy sitting on the firewall, but this seems to pose an 
additional problem: if the DNS points at the firewall as the IP address for 
the individual web site and the proxy is sitting at that address, how does it 
know to relay the request internally (this is the part that I realise is not 
LARTC-based).

Cheers,

Pete Mee.
___
LARTC mailing list / [EMAIL PROTECTED]
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
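The part of the question that is not LARTC-based (how a proxy at the firewall's public address knows which internal server a request is for) comes down to the HTTP/1.1 Host header, which every conforming client sends to name the site it wants. The following is an added example, not code from the thread or from any LARTC material: a small dispatcher that reads the Host header and picks a backend from a table (scenario 1), rotating through several backends where a site is served by more than one of them (scenario 2). The site names, the 192.168.1.x addresses and the `Dispatcher`/`parse_host` names are all made up for the demonstration.

```python
"""Added example (not code from the LARTC thread): how a reverse proxy sitting
on the firewall's public address decides which internal web server gets a
request.  An HTTP/1.1 client must send a Host header naming the site it wants,
so the proxy needs nothing from DNS: it looks the host name up in its own table
(scenario 1) and, where a site is served by more than one backend, rotates
through them (scenario 2).  Site names and 192.168.1.x addresses are made up."""
import itertools
from typing import Dict, Iterator, List, Optional, Tuple

Backend = Tuple[str, int]

# Constructed configuration: site name -> internal servers able to serve it.
SITE_BACKENDS: Dict[str, List[Backend]] = {
    "www.example.test":  [("192.168.1.10", 80)],                        # scenario 1
    "shop.example.test": [("192.168.1.11", 80)],                        # scenario 1
    "docs.example.test": [("192.168.1.10", 80), ("192.168.1.11", 80)],  # scenario 2
}


def parse_host(raw_request: bytes) -> Optional[str]:
    """Return the Host header's host name, lower-cased and without a port, or
    None when the request line or the header is missing or malformed.
    Only the header block is inspected; the body is never touched."""
    head, _, _ = raw_request.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    if len(lines[0].split(b" ")) != 3:        # e.g. "GET /index.html HTTP/1.1"
        return None
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace").lower()
            if not host:
                return None
            if not host.startswith("[") and ":" in host:   # strip ":port"
                host = host.rsplit(":", 1)[0]
            return host
    return None


class Dispatcher:
    def __init__(self, table: Dict[str, List[Backend]]) -> None:
        self._table = table
        # one round-robin cursor per site so multi-backend sites alternate
        self._cursor: Dict[str, Iterator[Backend]] = {
            site: itertools.cycle(backends) for site, backends in table.items()
        }

    def choose_backend(self, raw_request: bytes) -> Optional[Backend]:
        """Backend to relay to, or None meaning 'refuse the request'.
        The table doubles as an allowlist: a Host value the proxy was not
        configured for is refused instead of being relayed somewhere."""
        host = parse_host(raw_request)
        if host is None or host not in self._table:
            return None
        return next(self._cursor[host])


if __name__ == "__main__":
    d = Dispatcher(SITE_BACKENDS)
    req = b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
    print(d.choose_backend(req))   # ('192.168.1.10', 80)
```

The table is deliberately the only source of destinations: a request whose Host is absent or not in the table gets `None` (the real proxy would answer 400 or 404), so the proxy never relays to an address chosen by the client. A production deployment would of course use an existing reverse proxy rather than this sketch; the point is only where the routing information comes from.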


[LARTC] Allowing CVS, RCP SCP

2002-07-04 Thread A. Peter Mee

Hi all,

Could someone give me some pointers to achieving stable cvs and rcp access
through a fairly restrictive firewall.  I'm using a 2.4.18 kernel which
defaults to dropping everything, then punching holes where needed and
SNATting the internal network.  Single-socket protocols (http, smtp, pop3)
do currently function correctly through the firewall so I'm assuming the cvs
and rcp/scp protocols are not single-socket.  The ftp and irc protocols also
function correctly through the firewall.

If something more specific about my configuration is needed, I'll be happy
to oblige. ;-)

TIA

Cheers,

Pete Mee



[LARTC] Lack of filtering?

2002-07-02 Thread A. Peter Mee

Hi all,

I have been attempting to get to know the basics of CBQ.  Having followed
the example at http://lartc.org/HOWTO//cvs/2.4routing/lartc.html in Section
9.5.4.4, I find myself somewhat baffled.

I have checked and double-checked the commands entered and they conform to the
above (though my bandwidth limits are different).  What I fail to see, using
`tc -s class show dev eth0 && tc -s qdisc show`, is any filtering being
performed:

[root@gw rc.d]# tc -s class show dev eth0 && tc -s qdisc show
class cbq 1: root rate 10Mbit (bounded,isolated) prio no-transmit
 Sent 253851 bytes 3784 pkts (dropped 0, overlimits 0)
  borrowed 0 overactions 0 avgidle 624 undertime 0
class cbq 1:1 parent 1: rate 40Kbit (bounded) prio no-transmit
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
  borrowed 0 overactions 0 avgidle 4.52356e+06 undertime 0
class cbq 1:3 parent 1:1 leaf 30: rate 30Kbit prio 5
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
  borrowed 0 overactions 0 avgidle 6.03733e+06 undertime 0
class cbq 1:4 parent 1:1 leaf 40: rate 3Kbit prio 5
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
  borrowed 0 overactions 0 avgidle 6.0533e+07 undertime 0
qdisc sfq 40: dev eth0 quantum 1514b
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)

 qdisc sfq 30: dev eth0 quantum 1514b
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)

 qdisc cbq 1: dev eth0 rate 10Mbit (bounded,isolated) prio no-transmit
 Sent 253851 bytes 3784 pkts (dropped 0, overlimits 0)
  borrowed 0 overactions 0 avgidle 624 undertime 0

Using `tc filter show dev eth0`, I get the following:

filter parent 1: protocol ip pref 1 u32
filter parent 1: protocol ip pref 1 u32 fh 800: ht divisor 1
filter parent 1: protocol ip pref 1 u32 fh 800::800 order 2048 key ht 800
bkt 0 flowid 1:3
  match 0050/ at 20
filter parent 1: protocol ip pref 1 u32 fh 800::801 order 2049 key ht 800
bkt 0 flowid 1:2
  match 0a03/ at 12

There is one change to the filter rule given in the example: the second
filter matches against the ip address 10.0.0.3 (my box).  I did this to
ensure all my traffic would get matched.

Should I be expecting to see something from the stats (it makes sense to me
that I should!)?  If so, could someone point me in the direction of where I
may be going wrong?  If not, where should I be looking?

To be clear, here are the commands I used:
[root@gw rc.d]# tc qdisc add dev eth0 root handle 1:0 cbq bandwidth 10Mbit
avpkt 1000 cell 8
[root@gw rc.d]# tc class add dev eth0 parent 1:0 classid 1:1 cbq bandwidth
10Mbit rate 40kbit weight 0.4kbit prio 8 allot 1514 cell 8 maxburst 20 avpkt
1000 bounded
[root@gw rc.d]# tc class add dev eth0 parent 1:1 classid 1:3 cbq bandwidth
10Mbit rate 30kbit weight 0.3kbit prio 5 allot 1514 cell 8 maxburst 20 avpkt
1000
[root@gw rc.d]# tc class add dev eth0 parent 1:1 classid 1:4 cbq bandwidth
10Mbit rate 3kbit weight 0.03kbit prio 5 allot 1514 cell 8 maxburst 20 avpkt
1000
[root@gw rc.d]# tc qdisc add dev eth0 parent 1:3 handle 30: sfq
[root@gw rc.d]# tc qdisc add dev eth0 parent 1:4 handle 40: sfq
[root@gw rc.d]# tc filter add dev eth0 parent 1:0 protocol ip prio 1 u32
match ip sport 80 0xffff flowid 1:3
[root@gw rc.d]# tc filter add dev eth0 parent 1:0 protocol ip prio 1 u32
match ip src 10.0.0.3 flowid 1:2

Kernel is v2.4.18.

Cheers,

Pete Mee

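Two things can be read straight off the output quoted above: the class listing contains 1:, 1:1, 1:3 and 1:4, but the second filter's flowid is 1:2, a class that was never created; and the class the first filter points at, 1:3, exists but has sent 0 bytes while the root class 1: has sent 253851. The following is an added helper, not code from the post or from the LARTC HOWTO, that automates exactly those two checks over the text `tc -s class show` and `tc filter show` print. The sample input is copied from the post; the function names and the regular expressions are this example's own.

```python
"""Added consistency check (example code, not from the post or the LARTC HOWTO).

It reads the text that `tc -s class show dev eth0` and `tc filter show dev eth0`
print, as quoted in the post, and answers two questions worth settling before
looking anywhere else:
  * does every filter's flowid name a class that actually exists?
  * which filter targets exist but have never sent a byte?
"""
import re
from typing import Dict, List, Set

# Sample text copied from the post above (the demo's constructed input).
CLASS_OUTPUT = """\
class cbq 1: root rate 10Mbit (bounded,isolated) prio no-transmit
 Sent 253851 bytes 3784 pkts (dropped 0, overlimits 0)
  borrowed 0 overactions 0 avgidle 624 undertime 0
class cbq 1:1 parent 1: rate 40Kbit (bounded) prio no-transmit
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
  borrowed 0 overactions 0 avgidle 4.52356e+06 undertime 0
class cbq 1:3 parent 1:1 leaf 30: rate 30Kbit prio 5
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
  borrowed 0 overactions 0 avgidle 6.03733e+06 undertime 0
class cbq 1:4 parent 1:1 leaf 40: rate 3Kbit prio 5
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
  borrowed 0 overactions 0 avgidle 6.0533e+07 undertime 0
qdisc sfq 40: dev eth0 quantum 1514b
 Sent 0 bytes 0 pkts (dropped 0, overlimits 0)
qdisc cbq 1: dev eth0 rate 10Mbit (bounded,isolated) prio no-transmit
 Sent 253851 bytes 3784 pkts (dropped 0, overlimits 0)
"""

FILTER_OUTPUT = """\
filter parent 1: protocol ip pref 1 u32
filter parent 1: protocol ip pref 1 u32 fh 800: ht divisor 1
filter parent 1: protocol ip pref 1 u32 fh 800::800 order 2048 key ht 800
bkt 0 flowid 1:3
  match 0050/ at 20
filter parent 1: protocol ip pref 1 u32 fh 800::801 order 2049 key ht 800
bkt 0 flowid 1:2
  match 0a03/ at 12
"""

CLASS_RE = re.compile(r"^class \S+ (\d+:\d*)(?:\s|$)")   # "class cbq 1:3 ..."
SENT_RE = re.compile(r"\bSent (\d+) bytes")
FLOWID_RE = re.compile(r"\bflowid (\d+:\d*)")


def parse_classes(class_output: str) -> Dict[str, int]:
    """Map each class id (e.g. '1:3') to the byte count it has sent.
    'qdisc' entries in a combined listing are skipped, not counted as classes."""
    classes: Dict[str, int] = {}
    current = None
    for raw in class_output.splitlines():
        line = raw.strip()
        if line.startswith("qdisc"):
            current = None              # qdisc stats are not class stats
            continue
        m = CLASS_RE.match(line)
        if m:
            current = m.group(1)
            classes[current] = 0
            continue
        m = SENT_RE.search(line)
        if m and current is not None:
            classes[current] = int(m.group(1))
    return classes


def filter_targets(filter_output: str) -> List[str]:
    """Flowids in filter order; an entry wrapped onto a second line still matches."""
    return FLOWID_RE.findall(filter_output)


def dangling_targets(class_output: str, filter_output: str) -> Set[str]:
    """Filter flowids for which no class exists.  A filter that steers traffic
    to a class that was never created cannot have the intended effect."""
    classes = parse_classes(class_output)
    return {t for t in filter_targets(filter_output) if t not in classes}


def idle_targets(class_output: str, filter_output: str) -> Set[str]:
    """Filter flowids whose class exists but has sent nothing: either the
    filter never matched, or no traffic of that kind left the device."""
    classes = parse_classes(class_output)
    return {t for t in filter_targets(filter_output) if classes.get(t) == 0}


if __name__ == "__main__":
    print("dangling:", sorted(dangling_targets(CLASS_OUTPUT, FILTER_OUTPUT)))  # ['1:2']
    print("idle:", sorted(idle_targets(CLASS_OUTPUT, FILTER_OUTPUT)))          # ['1:3']
```

On the quoted output the dangling set is `{'1:2'}` and the idle set is `{'1:3'}`; the byte counts also show that everything the interface sent went through the root class 1: and nothing reached 1:1 or its leaves. Run against live `tc` output, the same two sets separate "the filter points nowhere" from "the filter is fine but nothing matched it", which are different problems to chase.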