
Another issue I haven't found a solution for yet...
A small network, consisting of a couple of servers and a couple of clients. The clients are to be masqueraded, the servers have real IPs.
The network of real IPs isn't a proper subnet, since it's shared with others. The uplink connection is switched, the old setup was to have all the servers directly on the switched network.
The new setup we have is one firewall, a DMZ network and an internal network. The firewall is connected to all three of them, and has arp_proxy enabled for the DMZ and external networks. That way, no configuration changes were necessary when moving the machines into the DMZ (except for a host route on the firewall). Note that the firewall box is also responsible for the access of the internal network to both the external and the DMZ network. Oh, and I'm talking about a stateful firewall.
Everything is working as expected and reliable. Level completed.
Next level: make it highly available - add another gateway. And now it gets really nasty... I guess I'll skip the idea of load balancing... That becomes really messy, won't it? HA fail-over should be okay: when the other gateway is down, the new gateway enables proxy-arp. For the internal network, I have to take over the gateway IP.
Maybe I should switch to static NAT... I could then split the hosts onto both firewalls, and migrate rules to one if the other one goes down...
Does anyone have experience with similar setups? Which solution did you choose, which did you try that did not work? Please send me an email at erich AT debian (.) org
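The baseline configuration and the fail-over takeover described above, as an added example written for this page (it is not the author's own script, and the author does not say which tools he used). Interface names eth0/eth1/eth2, the internal network 192.168.1.0/24 with gateway 192.168.1.1, and the DMZ host addresses in 203.0.113.0/24 are placeholders; it assumes a Linux box with iproute2, iptables and the iputils arping (for its -U unsolicited-ARP mode).

```shell
#!/bin/sh
# Added example for the proxy-ARP firewall above (not the post's own setup).
# All interface names and addresses below are placeholders.
EXT_IF=${EXT_IF:-eth0}            # uplink: the switched network of real IPs
DMZ_IF=${DMZ_IF:-eth1}            # DMZ: servers keep their real IPs
INT_IF=${INT_IF:-eth2}            # internal: masqueraded clients
INT_NET=${INT_NET:-192.168.1.0/24}
INT_GW=${INT_GW:-192.168.1.1/24}  # gateway address the active box must own
DMZ_HOSTS=${DMZ_HOSTS:-"203.0.113.10 203.0.113.11"}  # placeholder server IPs
DRY_RUN=${DRY_RUN:-0}             # 1 = print the commands instead of running them

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Become the active gateway. Host routes first, then proxy_arp: with a /32
# route out of the DMZ interface, proxy_arp on the uplink makes the box answer
# ARP for the servers there, and proxy_arp on the DMZ side makes it answer for
# the uplink (so the servers keep their old default gateway unchanged).
takeover() {
    run sysctl -w net.ipv4.ip_forward=1
    for h in $DMZ_HOSTS; do
        run ip route replace "$h/32" dev "$DMZ_IF"
    done
    run sysctl -w "net.ipv4.conf.$EXT_IF.proxy_arp=1"
    run sysctl -w "net.ipv4.conf.$DMZ_IF.proxy_arp=1"
    # stateful rule set; only the active box forwards at all
    run iptables -P FORWARD DROP
    run iptables -F FORWARD
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$INT_IF" -s "$INT_NET" -j ACCEPT
    # narrow this to the services the DMZ actually offers
    run iptables -A FORWARD -i "$EXT_IF" -o "$DMZ_IF" -m state --state NEW -j ACCEPT
    run iptables -t nat -F POSTROUTING
    run iptables -t nat -A POSTROUTING -s "$INT_NET" -o "$EXT_IF" -j MASQUERADE
    # take over the internal gateway address and announce our MAC for it
    run ip addr add "$INT_GW" dev "$INT_IF"
    run arping -U -c 3 -I "$INT_IF" "${INT_GW%/*}"
    # likewise tell the upstream router that the DMZ hosts now live at our MAC
    for h in $DMZ_HOSTS; do
        run arping -U -c 3 -I "$EXT_IF" "$h"
    done
}

# Go passive: stop answering ARP for anything, drop routes and the gateway IP.
# Both boxes must never be active at once, or the switch sees each IP on two MACs.
release() {
    run sysctl -w "net.ipv4.conf.$EXT_IF.proxy_arp=0"
    run sysctl -w "net.ipv4.conf.$DMZ_IF.proxy_arp=0"
    run ip addr del "$INT_GW" dev "$INT_IF"
    for h in $DMZ_HOSTS; do
        run ip route del "$h/32" dev "$DMZ_IF"
    done
    run iptables -P FORWARD DROP
    run iptables -F FORWARD
}

case "${1:-}" in
    takeover) takeover ;;
    release)  release ;;
esac
```

Run as root on the box that should become active (`./fw-failover.sh takeover`, e.g. from whatever heartbeat mechanism detects the dead peer) and `release` on the one going passive; `DRY_RUN=1` shows what would be executed. Two caveats: connection-tracking state is not carried across, so established flows through the old box die at fail-over unless state is synchronised separately, and the upstream router and the internal clients only switch once they have seen the unsolicited ARP or their cache entry expires.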
I like to keep the configuration files of a set of servers in version control, mostly to be able to document changes, to keep boxes in sync and to be able to undo changes, of course.
I'd like to keep as much of my configuration shared as possible, obviously. And I'd like to be able to modify files in all "branches" at the same time.
If I forget everything I know about revision control systems, I would describe it as: I have a base configuration database I can use the same way as I do it for source code. Then I'd like to have a set of "diversions", of course also in revision control. This is machine specific, and changes I do here only apply to that specific machine.
You could also call this copy-on-write branches - as long as I haven't modified the file in the branch, I'd like it to auto-merge the changes done to the revision I forked from...
Of course I could do that using regular branches and then merging changes to the trunk into my branches. But this means I'd have to merge these into each of my machines' branches, then go to each of the machines and check out... That's kind of annoying... :-(
Well, any expert here with a nice solution for me (and especially one I can explain to others in a few sentences...)?
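One way to get the "copy-on-write branch" behaviour asked for above, as an added example sketched for this page (not a solution the author adopted): keep a shared base tree, a per-machine diversion tree with the same relative paths, and a snapshot of base as of the fork point, all under the same revision control, and compose a machine's configuration from them. Files that are not diverted follow base automatically; a diverted file wins when base has not moved since the fork; when both sides changed a file a three-way merge is attempted. The directory names base/, base.orig/ and hosts/<name>/ are assumptions, and the merge step needs diff3 from GNU diffutils.

```shell
#!/bin/sh
# Added example, not the post's own tooling. Layout assumed under $repo:
#   base/         shared configuration (under revision control)
#   base.orig/    snapshot of base at the point the diversions were forked
#   hosts/<name>/ per-machine diversions, same relative paths as base/
# compose REPO HOST OUT builds OUT; returns non-zero if any file needs a
# manual merge (conflict markers are left in it, or diff3 was unavailable).
compose() {
    repo=$1; host=$2; out=$3
    base=$repo/base; orig=$repo/base.orig; div=$repo/hosts/$host
    [ -n "$out" ] && [ -d "$base" ] || return 2
    rm -rf "$out"; mkdir -p "$out"
    list=$(mktemp); conflicts=$(mktemp)
    # every relative path present in base or in the diversion tree
    {
        (cd "$base" && find . -type f)
        if [ -d "$div" ]; then (cd "$div" && find . -type f); fi
    } | sort -u > "$list"
    while read -r rel; do
        mkdir -p "$out/$(dirname "$rel")"
        if [ ! -f "$div/$rel" ]; then
            cp "$base/$rel" "$out/$rel"           # not diverted: follow base
        elif [ ! -f "$base/$rel" ] || [ ! -f "$orig/$rel" ] \
             || cmp -s "$base/$rel" "$orig/$rel"; then
            cp "$div/$rel" "$out/$rel"            # diverted, base unchanged since fork
        elif command -v diff3 >/dev/null 2>&1; then
            rc=0                                  # both changed: merge div+base over orig
            diff3 -m "$div/$rel" "$orig/$rel" "$base/$rel" > "$out/$rel" || rc=$?
            [ "$rc" -ne 0 ] && echo "$rel" >> "$conflicts"
        else
            cp "$div/$rel" "$out/$rel"            # no diff3: keep diversion, flag it
            echo "$rel" >> "$conflicts"
        fi
    done < "$list"
    n=$(wc -l < "$conflicts" | tr -d ' ')
    [ "$n" -gt 0 ] && { echo "$n file(s) need manual merge:"; cat "$conflicts"; } >&2
    rm -f "$list" "$conflicts"
    [ "$n" -eq 0 ]
}
```

After composing and fixing any flagged files, refresh base.orig/ from base/ so the next run merges only what changed since then; the base and hosts trees are what get committed, the composed output is what gets deployed to the machine.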