Sunday, 28 August 2016

I'm Spartacus

Since I started making all these changes, several of my servers have been intermittently cut off, and I was wondering why. But I think I've worked it out.

These were all servers that were behind a second pix. Because instead of using a pix which has three ethernet connections (inside, outside and dmz), I was using two pixes that each had two ethernet connections. So packets that arrived in my dmz had to go through another pix before they were allowed to the innermost area. Why? Because A) it's easier to configure a two-headed firewall than a three, and B) two two-headed firewalls are  somewhat cheaper than a three-header, and C) I already had the two-headers.

So as part of the changes, I moved several servers (raspberry pis, actually, because I use them for light duties instead of a big heavy normal server, because they're really cheap and very economical on power - a proper server might pull 250 watts, whereas a pi takes about 10) from behind that second firewall, to connect directly to my big shiny pix525. But I didn't bother to switch off that second firewall.

So as a result, the second firewall was still announcing the IP addresses of the servers that it didn't actually control, while the servers themselves were also announcing themselves.

I'm Spartacus.

