Is it a good practice install pound and a firewall (iptables/netfilter)
on same machine?
Scenario: firewall manages only traffic for webservers and pound runs as
reverse proxy sever and load-balancer (bandwidth 128 MB/h, 35000 hits/h).

Any suggestions and considerations are well accepted.

Thanks.
Lorenzo Grio

On Thursday 25 November 2004 11.50, Lorenzo Grio wrote:[...]

The answer depends very much on your setup. On a small network it would be OK.

There is no issue of CPU or memory usage - both netfilter and Pound are 
light-weight. You should consider the security implications though: a Pound 
compromise could affect your firewall and vice-versa. If in doubt please talk 
to someone who understands IT security.[...]

> You should consider the security implications though: a Pound[...]

For example, I have a pound server running behind a corporate
firewall, but I still have a firewall running on the pound server
with raised securelevel so that firewall rules can't even be
changed by root. Just in case pound is compromised, and the attacker
gains root on the machine, she still only gets access to the farm
servers publicly accessible anyway.

Sincerely,
Dmitry Dvoinikov
http://www.targeted.org/

--- Original message follows ---
[...][...]
[...]
[...]

As of my experience, it is really only matter of security and not of
resources. My example:

iptables (about 40 rules) + pound (3 backends - 150 processes)
P4(at)2.8GHz (Linux 2.4)
more than 150req/sec
CPU time less than 25%

Pavel

On Thu, 2004-11-25 at 06:27, Robert Segall wrote:[...]
[...]