From owner-freebsd-stable@FreeBSD.ORG Thu Jul 17 20:20:24 2008
From: Chuck Swiger
To: Eugene Grosbein
Cc: stable@freebsd.org
Date: Thu, 17 Jul 2008 12:19:47 -0700
Subject: Using IP aliases, was: named.conf: query-source address
In-reply-to: <20080717140018.GA91530@svzserv.kemerovo.su>
References: <20080716162042.GA27666@svzserv.kemerovo.su> <487E312E.9090307@infracaninophile.co.uk> <20080717035155.GA81536@svzserv.kemerovo.su> <8DFF6DCD-6619-4251-9944-59CED8DF1B19@mac.com> <20080717140018.GA91530@svzserv.kemerovo.su>

On Jul 17, 2008, at 7:00 AM, Eugene Grosbein wrote:
>> About the only common reason to set up multiple aliases on an
>> interface is when you're doing something like hosting multiple SSL
>> webservers on a single box which actually need to have distinct IPs as
>> a consequence. Other than that, using public IPs for aliases is
>> usually wasteful of IP address space. YMMV...
>
> Think about multiple IP-based services (not HTTP "virtual" servers)
> at one physical host that should use distinct IP addresses
> for some reasons (local policy/billing/monitoring/etc.)

I'll reply to this particular message, but let me generalize against some of the other responses as well.

If your organization does billing based on traffic, or wants to do traffic shaping or bandwidth limitation, great; but IPFW+Dummynet or PF+ALTQ don't care whether you recognize traffic by IP alone or by IP+port(s), so long as the ports are distinct for each billing category or packet queue you want to run.

If you want to organize specific services on specific ports which have different backend hosts handling them to distribute load or allow you to rebalance your hardware to meet changing demand, by all means. You can have a hardware load-balancer like a NetScaler, or even use the RFC-2391 capabilities of IPFW+natd or "RDR ROUND ROBIN" with PF. But if you do that, you might as well put the actual backend machines on a RFC-1918 subnet and you might well end up using fewer public IPs than you would if all machines had public IPs.

I don't have any problem with people deciding for themselves how they want to manage their services and their networks. It's just that, too often, people use IP aliases to do things like make a single physical machine appear as two so they don't actually bother to provide two actual machines for hosting DNS services with proper redundancy.

Even for the shared webhosting case, where you need separate IPs per SSL cert as HTTPS doesn't support name-based virtual hosts, I'm a little dubious about the notion that having a single machine hosting lots of distinct websites, probably for different clients, is a good idea from the standpoint of security.

Regards,
--
-Chuck
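An added pf.conf sketch (not from the thread or its authors) of the arrangement the reply describes: one public address on the firewall, backends on an RFC-1918 subnet reached through `rdr ... round-robin`, and ALTQ queues selected by port rather than by a per-service alias. Interface names, addresses, bandwidth figures and queue names are assumed placeholders.

```pf
# Added example: one public address, private backends, queues keyed by port.
# Interface names, addresses and queue names below are constructed placeholders.
ext_if  = "em0"
int_if  = "em1"
int_net = "10.0.0.0/24"

# Several private backends per public service; no public alias per backend.
web_backends  = "{ 10.0.0.11, 10.0.0.12 }"
mail_backends = "{ 10.0.0.21, 10.0.0.22 }"

# Backends reach the outside with the firewall's public address.
nat on $ext_if from $int_net to any -> ($ext_if)

# RFC 2391-style load sharing: connections rotate across the backends.
# sticky-address keeps a given client on one backend, so an HTTPS
# session is not split across hosts with different TLS session caches.
rdr on $ext_if proto tcp from any to ($ext_if) port 443 \
    -> $web_backends round-robin sticky-address
rdr on $ext_if proto tcp from any to ($ext_if) port 25 \
    -> $mail_backends round-robin

# ALTQ does not need a distinct IP per billing category: the queue is
# chosen by the port matched in the filter rule below.
altq on $ext_if cbq bandwidth 10Mb queue { q_web, q_mail, q_other }
queue q_web   bandwidth 60% cbq
queue q_mail  bandwidth 30% cbq
queue q_other bandwidth 10% cbq(default)

# Default deny on the public side; only the redirected services pass.
# Filter rules see the translated (private) destination after rdr.
block in log on $ext_if
pass in on $ext_if proto tcp from any to $web_backends port 443 \
    flags S/SA keep state queue q_web
pass in on $ext_if proto tcp from any to $mail_backends port 25 \
    flags S/SA keep state queue q_mail
pass out on $ext_if keep state
pass on $int_if keep state
```

Per-service accounting comes from the same rules (`pfctl -vs rules` shows per-rule byte counters), so billing categories stay tied to ports, not to aliases.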