Am Mittwoch, den 08.08.2007, 01:48 +0200 schrieb Herbert Poetzl:
> > That was like the first thing i've tried. Routing to anything thats
> > not locally hosted works just fine. But once you try to reach another
> > vserver on another subnet that happens to be hosted on the same host
> > it will route internally and not hit the wire at all - which is bad
>
> which is actually quite good, as it avoids flooding
> the net (even a local network) with unnecessary
> packets ...
don't try to sell me this as a feature :-)
If I could opt in/out I'd agree.
>From inside the vserver you just see your one interface and wouldn't
expect certain packets to be routed completely different than the rest.
> > and actually makes vservers unusable if you want to move vservers among
> > different hosts.
>
> why do you think so? at least exactly this setup
> works perfectly fine here ...
>
> > Firewalling between the vserver clients for example is not manageable.
>
> you just make the firewall rules for ethX _and_ lo
> and you are perfectly fine, wherever the guest is
3 hosts, 2 production, one for development/testing, later maybe more.
I'd have to manage firewalling rules on the GW and on 3 hosts. The one
responsible for the GW is not the one responsible for the vserver hosts.
Managing 3 different systems (GW, production,development) with their own
firewalling semantics for the same rules on 4+ boxes is asking for
trouble.
Don't you think that'd be bad design?
> > IDS would be another issue.
>
> assuming that IDS stands for Intrusion-Detection System
> what problem do you see with that?
IDS setup on the GW won't see all vserver-vserver traffic.
Same with accounting etc.
In case of an incident when one of the production machines goes down and
the other hosts all vservers, accounting would show less traffic and the
IDS wouldn't see anything at all.
Tom
Received on Wed Aug 8 02:26:24 2007