In reality, many security audit advisors warn companies to
block ICMP messages totally, either at their router or firewall.
So ICMP messages from clients will never get to servers anyway.
At 05:47 PM 6/14/00 +0300, Julian Anastasov wrote:
> Hello,
>
>On Wed, 14 Jun 2000, Kyle Sparger wrote:
>
> > I figured this might be on-topic. I don't think that LVS handles this
> > correctly, but I could be wrong. Anybody know? :) Is it not even a
> > concern? It seems like it would be to me...
>
> Yes, it is not handled. ip_fw_unmasq_icmp is not changed
>from LVS. But the problem occurs when external_MTU > internal_MTU
>in the Director which is not a usual case for LVS. The other case
>when the client has little MTU is handled. The result is:
>
>- no problems for clients
>- the server works or doesn't work entirely. I think this
>could be visible. So, the problem is that the Director doesn't
>generate ICMP to the real servers. But the ICMP messages from
>clients are propagated to the real servers.
>
> Of course, this must be corrected in next versions.
>
> The only PMTUdisc problem in 2.2 in the server side
>is for the clients accessing 2.2 MASQ server which uses
>ports not in the reserved range (portfw, mfw, autofw). This
>is a known bug from a long time ago which is not fixed yet.
>
> LVS at least doesn't hurt its clients, only the
>real servers in VS/NAT.
>
>Regards
>
>--
>Julian Anastasov <uli@xxxxxxxxxxxxxxxxxxxxxx>
>
>
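Added example, not code from LVS, the Linux masquerading code or either poster: a toy Python model of the two ICMP duties the thread is discussing for a VS/NAT director. mtu_check() is the director generating its own "fragmentation needed" (ICMP type 3, code 4) when a DF packet will not fit the egress MTU, addressed to whoever sent the packet (here the real server, which is the direction the thread says is missing). unmasq_icmp() is the ip_fw_unmasq_icmp-style translation of an ICMP error arriving from the client side: the quoted inner header still names VIP:vport, so the real server could not match it to its socket unless the director rewrites the quote to RIP:rport and re-addresses the packet. The NAT table layout, the addresses (VIP 203.0.113.10, real server 10.0.0.5, client 198.51.100.7, director 10.0.0.1, router 192.0.2.1), ports and MTUs are all constructed for illustration.

```python
"""Toy VS/NAT director for the two ICMP duties path MTU discovery puts on a
NAT box: generate 'fragmentation needed' when a DF packet exceeds the egress
MTU, and translate ICMP errors that quote a NATed packet so the real server
can match them to its connection. Added example, not LVS code; all
addresses, ports and MTUs are constructed for illustration."""
import socket
import struct

ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, IPPROTO_ICMP, IPPROTO_TCP = 3, 4, 1, 6
# Constructed NAT table: (vip, vport, cip, cport) -> (rip, rport)
NAT = {("203.0.113.10", 80, "198.51.100.7", 40000): ("10.0.0.5", 8080)}

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (0 = valid)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def with_checksum(buf: bytes, at: int) -> bytes:
    """Zero the 16-bit checksum field at offset `at` and recompute it."""
    buf = buf[:at] + b"\x00\x00" + buf[at + 2:]
    return buf[:at] + struct.pack("!H", inet_checksum(buf)) + buf[at + 2:]

def ipv4_header(src, dst, proto, payload_len, df=False):
    """Minimal 20-byte IPv4 header; DF is flag bit 0x4000."""
    return with_checksum(struct.pack(
        "!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000 if df else 0,
        64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst)), 10)

def parse_ipv4(pkt):
    """Return (src, dst, proto, df, total_len, header_len)."""
    total_len, _, flags = struct.unpack("!HHH", pkt[2:8])
    return (socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]),
            pkt[9], bool(flags & 0x4000), total_len, (pkt[0] & 0x0F) * 4)

def icmp_unreach(src, dst, code, mtu, quoted):
    """IP + ICMP destination unreachable carrying the next-hop MTU and the
    RFC 792 quote of the offending packet (IP header + 8 payload bytes)."""
    icmp = struct.pack("!BBHHH", ICMP_DEST_UNREACH, code, 0, 0, mtu) + quoted
    return ipv4_header(src, dst, IPPROTO_ICMP, len(icmp)) + with_checksum(icmp, 2)

def mtu_check(pkt, egress_mtu, director_ip):
    """Run BEFORE any address rewrite. None if pkt fits, else an ICMP
    'fragmentation needed' to pkt's sender quoting the packet as it was
    sent, so the sender's TCP can match the error to its own socket."""
    src, _, _, df, total_len, ihl = parse_ipv4(pkt)
    if not df or total_len <= egress_mtu:
        return None
    return icmp_unreach(director_ip, src, ICMP_FRAG_NEEDED, egress_mtu, pkt[:ihl + 8])

def unmasq_icmp(pkt, nat_table):
    """ICMP error from the client side addressed to a VIP: rewrite the quoted
    source from VIP:vport to RIP:rport, fix both checksums and re-address the
    outer packet to the real server. None means drop."""
    src, _, proto, _, _, ihl = parse_ipv4(pkt)
    icmp = pkt[ihl:]
    if proto != IPPROTO_ICMP or icmp[0] != ICMP_DEST_UNREACH:
        return None
    inner = icmp[8:]
    isrc, idst, iproto, _, _, iihl = parse_ipv4(inner)
    if iproto != IPPROTO_TCP or len(inner) < iihl + 4:
        return None
    sport, dport = struct.unpack("!HH", inner[iihl:iihl + 4])
    entry = nat_table.get((isrc, sport, idst, dport))
    if entry is None:
        return None  # not one of our connections: drop, never forward blindly
    rip, rport = entry
    inner_hdr = with_checksum(inner[:12] + socket.inet_aton(rip) + inner[16:iihl], 10)
    new_icmp = with_checksum(icmp[:8] + inner_hdr + struct.pack("!H", rport) + inner[iihl + 2:], 2)
    return ipv4_header(src, rip, IPPROTO_ICMP, len(new_icmp)) + new_icmp

def describe_icmp(pkt):
    """Decode an ICMP error into a dict for inspection."""
    src, dst, _, _, _, ihl = parse_ipv4(pkt)
    icmp = pkt[ihl:]
    inner = icmp[8:]
    isrc, idst, _, _, _, iihl = parse_ipv4(inner)
    sport, dport = struct.unpack("!HH", inner[iihl:iihl + 4])
    return {"src": src, "dst": dst, "code": icmp[1], "mtu": struct.unpack("!H", icmp[6:8])[0],
            "inner_src": isrc, "inner_dst": idst, "inner_sport": sport, "inner_dport": dport,
            "checksums_ok": inet_checksum(icmp) == 0 and inet_checksum(inner[:iihl]) == 0}

def demo_reply_too_big():
    """Real server 10.0.0.5 sends a 1500-byte DF reply, but the director's
    client-facing link carries only 1400: the director must tell the server."""
    reply = (ipv4_header("10.0.0.5", "198.51.100.7", IPPROTO_TCP, 1480, df=True)
             + struct.pack("!HHI", 8080, 40000, 1) + b"\x00" * 1472)
    return describe_icmp(mtu_check(reply, 1400, "10.0.0.1"))

def demo_client_side_icmp():
    """A client-side router reports MTU 1280 for the NATed packet VIP:80 ->
    client; the director must hand it to 10.0.0.5:8080 in terms it knows."""
    offending = (ipv4_header("203.0.113.10", "198.51.100.7", IPPROTO_TCP, 8, df=True)
                 + struct.pack("!HHI", 80, 40000, 1))
    err = icmp_unreach("192.0.2.1", "203.0.113.10", ICMP_FRAG_NEEDED, 1280, offending[:28])
    return describe_icmp(unmasq_icmp(err, NAT))
```

Two points the toy makes explicit that a real director must get right: the MTU check runs on the packet before its addresses are rewritten (otherwise the quoted header names an address the sender never used and its TCP discards the error), and an ICMP error whose quoted 4-tuple is not in the NAT table is dropped rather than forwarded, so an outsider cannot use forged "fragmentation needed" messages to shrink the path MTU of arbitrary real-server connections. Only the first 8 bytes of the inner TCP header are quoted, so only the port needs rewriting; the TCP checksum is not present in the quote.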