Date: Thu, 17 Jul 2008 12:19:47 -0700
From: Chuck Swiger <cswiger@mac.com>
To: Eugene Grosbein <eugen@kuzbass.ru>
Cc: stable@freebsd.org
Subject: Using IP aliases, was: named.conf: query-source address
Message-ID: <DF39D824-86BF-4581-A4EF-8B445E0763EA@mac.com>
In-Reply-To: <20080717140018.GA91530@svzserv.kemerovo.su>
References: <20080716162042.GA27666@svzserv.kemerovo.su> <487E312E.9090307@infracaninophile.co.uk> <20080717035155.GA81536@svzserv.kemerovo.su> <8DFF6DCD-6619-4251-9944-59CED8DF1B19@mac.com> <20080717140018.GA91530@svzserv.kemerovo.su>
On Jul 17, 2008, at 7:00 AM, Eugene Grosbein wrote:
>> About the only common reason to set up multiple aliases on an
>> interface is when you're doing something like hosting multiple SSL
>> webservers on a single box which actually need to have distinct IPs as
>> a consequence. Other than that, using public IPs for aliases is
>> usually wasteful of IP address space. YMMV...
>
> Think about multiple IP-based services (not HTTP "virtual" servers)
> at one physical host that should use distinct IP addresses
> for some reasons (local policy/billing/monitoring/etc.)

I'll reply to this particular message, but let me generalize against some of the other responses as well.

If your organization does billing based on traffic, or wants to do traffic shaping or bandwidth limitation, great; but IPFW+Dummynet or PF+ALTQ don't care whether you recognize traffic by IP alone or by IP+port(s), so long as the ports are distinct for each billing category or packet queue you want to run.

If you want to organize specific services on specific ports which have different backend hosts handling them to distribute load or allow you to rebalance your hardware to meet changing demand, by all means. You can have a hardware load-balancer like a NetScaler, or even use the RFC-2391 capabilities of IPFW+natd or "RDR ROUND ROBIN" with PF. But if you do that, you might as well put the actual backend machines on an RFC-1918 subnet, and you might well end up using fewer public IPs than you would if all machines had public IPs.

I don't have any problem with people deciding for themselves how they want to manage their services and their networks. It's just that, too often, people use IP aliases to do things like make a single physical machine appear as two so they don't actually bother to provide two actual machines for hosting DNS services with proper redundancy.
Even for the shared webhosting case, where you need separate IPs per SSL cert as HTTPS doesn't support name-based virtual hosts, I'm a little dubious about the notion that having a single machine hosting lots of distinct websites, probably for different clients, is a good idea from the standpoint of security.

Regards,
--
-Chuck
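As an added example, not part of the thread and not Chuck's or FreeBSD's own configuration, the following pf.conf fragment shows the two points made above in one ruleset: backends living on an RFC-1918 subnet behind a single public address using "rdr ... round-robin", and ALTQ queues that classify traffic by destination port rather than by which IP alias it hit. It assumes a FreeBSD 7-era pf (translation rules before filter rules, filtering on the already-translated address), a kernel built with ALTQ and ALTQ_CBQ, interface names em0/em1, and constructed addresses from the documentation (198.51.100.0/24) and RFC 1918 (192.168.10.0/24) ranges; none of those values come from the message.

```pf
# Constructed example values (not from the original message):
ext_if    = "em0"
int_if    = "em1"
public_ip = "198.51.100.10"
dns_ip    = "198.51.100.11"
web_pool  = "{ 192.168.10.11, 192.168.10.12, 192.168.10.13 }"

# Shaping/billing classes keyed on the service, i.e. the port,
# not on a per-service public IP alias. Assumes ALTQ_CBQ in the kernel.
altq on $ext_if cbq bandwidth 100Mb queue { q_web, q_dns, q_default }
queue q_web     bandwidth 60% cbq(borrow)
queue q_dns     bandwidth 10%
queue q_default bandwidth 30% cbq(default)

# One public IP fronts three private web backends; round-robin with
# sticky-address keeps a client on the same backend for its session.
rdr on $ext_if proto tcp from any to $public_ip port { 80, 443 } \
    -> $web_pool round-robin sticky-address

# Outbound NAT so the RFC-1918 backends can reach the Internet at all.
nat on $ext_if from $int_if:network to any -> ($ext_if)

block in on $ext_if

# After rdr, filter rules see the translated (private) destination,
# so the pass rule matches the pool, not $public_ip.
pass in on $ext_if proto tcp from any to $web_pool port { 80, 443 } \
    flags S/SA keep state queue q_web

# DNS on its own address and queue; the port, not the alias, picks the class.
pass in on $ext_if proto { tcp, udp } from any to $dns_ip port 53 \
    keep state queue q_dns

pass out on $ext_if keep state queue q_default
```

Load it with "pfctl -nf /etc/pf.conf" first to syntax-check, then "pfctl -f /etc/pf.conf"; "pfctl -s queue -v" shows per-queue counters, which is where a billing or monitoring split by service would read from. Note that the three backends consume no public addresses at all, which is the address-space point made in the message.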